ADF Solutions

From ForensicsWiki

ADF Solutions is a Maryland-based company that develops automated tools for forensic investigation.

=Contact=

ADF Solutions, Inc.<br>
7910 Woodmont Ave. Suite 260<br>
Bethesda, MD 20814<br>
http://www.adfsolutions.com/

=Overview=

<p>[http://www.adfsolutions.com Advanced Digital Forensic Solutions, Inc.] (ADF Solutions, Inc., or ADF Solutions) is a privately held, minority-owned small business based in Bethesda, Maryland. The company was founded in 2005 by J.J. Wallia and Raphael Bousquet.</p>

<p>ADF Solutions develops tools for media exploitation (MEDEX) and [[digital forensics]] triage. These tools scan computers and digital devices and rapidly extract intelligence and evidence to identify individuals who are a threat to public safety or national security. They are used in digital forensic labs and by field operatives in defense, intelligence, law enforcement, border security, and other government agencies worldwide.</p>

=ADF Products=

<p>ADF offers [http://www.adfsolutions.com/products/ three main products]: Triage-G2, Triage-Examiner, and Triage-Responder.</p>

<p>[http://www.adfsolutions.com/products/triage-g2 Triage-G2] is a media exploitation ([[MEDEX]]) tool used by field operatives to extract intelligence from computers and peripheral devices. Triage-G2 was specifically designed to be used by nontechnical operators and deployed using a small, portable triage key (a 32GB USB drive) that does not require a computer or other heavy equipment for field deployment. The keys can be prepared in advance at the base or in the field by using one click to select mission-specific search criteria. Triage-G2 is used by several U.S. defense and intelligence agencies.</p>

<p>[http://www.adfsolutions.com/products/triage-examiner Triage-Examiner] is used by forensic examiners to scan suspect computers and prioritize them for full forensic examination. Triage-Examiner is used by [[Law Enforcement]] agencies worldwide. Triage-Examiner Lab Add-On is an additional software component that works with Triage-Examiner for examiners who need to run the software on their laptops or forensic workstations to scan drive images, physical drives, DVDs, CDs, and other removable media connected to the workstation.</p>

<p>[http://www.adfsolutions.com/products/triage-responder Triage-Responder] is designed for nontechnical law enforcement investigators in the field to scan suspect computers for evidence of a crime. This tool also uses lightweight USB deployment and provides detailed field reporting capabilities. It was developed in partnership with the U.S. Department of Homeland Security Science and Technology Directorate.</p>

=Discontinued Products=

• Triage-ID® <br>
• Triage-Lab® <br>
• Triage-Investigator®

=ADF Patented Technology=

ADF Solutions has been granted two U.S. patents (#7,941,386 and #8,219,588) for its SearchPak® technology.

=SearchPak®=

<p>The SearchPak is a container of forensic search intelligence. It allows analysts and operators to precisely describe the forensic search or data exploitation to be conducted on a target system. As a secure container, the SearchPak can be used to automate recurring data exploitation jobs and can be shared among agencies or between operators. SearchPaks can be user-defined and are encrypted with an AES 256-bit [[encryption]] key.</p>

<p>Agencies can create their own SearchPaks and share them among examiners, teams, and other operators.</p>

<p>SearchPaks can be generic or mission-specific:</p>

Examples of Generic SearchPaks <br>
<blockquote>• Collect all pictures, videos, and documents accessed in the past six months on a target machine. <br>
• Detect any installed application that can facilitate hiding data. <br>
• Collect all iPhone backup files.</blockquote>

Examples of Mission-Specific SearchPaks <br>
<blockquote>• Collect files that match a set of known hash values. <br>
• Collect all documents, text files, or emails that contain the keyword “Operation Kandahar.”</blockquote>

=DHS S&T First Responder Cyber Forensic Field Kit=

In 2010, ADF Solutions was selected by the U.S. Department of Homeland Security Science and Technology Directorate to develop a universal forensic triage field kit that would aid law enforcement officers in extracting information and evidence from computers and other devices being examined in active criminal or terrorist investigations. Once extracted, the data can immediately be viewed, so investigators can take appropriate action while saving the data for future forensic analysis.

<p>As the result of this DHS initiative, ADF Solutions released Triage-Responder in 2012. The tool is being deployed to federal, state, and local law enforcement agencies throughout the U.S.</p>

=Media Exploitation=

<p>ADF Solutions focuses on digital forensic triage, which can also be applied to document and media exploitation. Triage-G2 has features designed specifically for media exploitation.</p>

<p>According to technopedia.com, document and media exploitation is defined as the extraction, translation, and analysis of physical and digital documents and media to generate useful and timely information. Also known as DOMEX, it is a discipline very similar to computer forensics or digital forensics.</p>

=Company Timeline=

2005: ADF Triage-ID® field forensic triage tool is released <br>
2006: ADF Triage-Lab® forensic triage tool for laboratory is released <br>
2008: ADF Solutions releases Triage-Live®, a forensic triage tool to scan a powered-on computer <br>
2009: ADF Solutions granted U.S. patent for forensic triage technology <br>
2010: Complete ADF Triage platform released: Triage-Examiner® and Triage-G2® <br>
2010: ADF Solutions granted another U.S. patent for forensic triage technology <br>
2011: ADF awarded contract from the U.S. Department of Homeland Security to build triage “First Responder Cyber Forensic Field Kit” <br>
2012: ADF releases Triage-Responder®, a forensic triage tool designed specifically for first responders and nontechnical investigators <br>

=News=

<p>Digital forensic triage and/or ADF Solutions has been described or highlighted in many different publications:</p>

• [http://www.adfsolutions.com/about/driving-efficiencies-npia-pilot-program-is-a-major-success-describes-article "NPIA Pilot Program Is a Major Success"] <br>
• [http://www.adfsolutions.com/about/success-of-npia-eforensics-pilot-set-to-help-forces-bring-more-offenders-to-justice-quicker Success of NPIA e-Forensics pilot set to help forces bring more offenders to justice quicker (NPIA Press Release)]<br>
• [http://www.scmagazine.com/adf-solutions-triage-examiner/review/3645/ SC Magazine Issues 5-Star Rating of Triage-Examiner 3.3]<br>
• [http://f-interviews.com/2012/03/01/interview-with-harry-parsonage/ Insights into Digital Forensics: Interview with Harry Parsonage]<br>
• [http://www.nottinghamshire.police.uk/newsandevents/news/2012/february/13/software_helps_capture_online_paedophiles/ Digital Forensic Triage Gets Tangible Results, Secures Convictions]<br>
• [http://www.publicservice.co.uk/news_story.asp?id=18041 Police to speed up e-forensics to bring offenders to justice]<br>
• [http://www.popularmechanics.com/technology/military/news/the-special-operations-forensic-tool-kit-metal-tec-1400#slide-10 Popular Mechanics: The Special Operations Forensic Tool Kit]<br>
• [http://www.thisisnottingham.co.uk/New-software-help-police-catch-web-paedophiles/story-12264526-detail/story.html New software to help police catch web paedophiles (Nottingham Post)]<br>
• [http://cyberspeak.libsyn.com/cyber-speak-november-1-2010http-adfsolutions-com- ADF on CyberSpeak’s Podcast]<br>
• [http://www.dfinews.com/article/parameters-selecting-triage-tool DFI News: Parameters for Selecting a Triage Tool]<br>
• [http://www.adfsolutions.com/about/graduates-find-incubators-help-breed-success Graduates Find Incubators Help Breed Success]<br>
• [http://www.adfsolutions.com/about/uk-force-has-cut-huge-backlog-using-new-triage-id-scanning-software UK force has cut huge backlog using new Triage-ID scanning software]<br>
• [http://www.adfsolutions.com/about/uk-police-we-need-crime-breathalysers-for-pcs UK police: ‘We need crime breathalysers for PCs’]<br>
• [http://www.adfsolutions.com/about/smart-software-helps-secure-quick-conviction Smart software helps secure quick conviction]<br>
• [http://www.adfsolutions.com/wp/wp-content/uploads/notts-police-leads-uk-in-chil1.pdf Notts Police Lead UK in Child Porn Fight]<br>
• [http://www.adfsolutions.com/wp/wp-content/uploads/times-colonist-digital-times-colonist-23-apr-2007.pdf Child porn scanner averts cop burnout]<br>
• [http://www.adfsolutions.com/wp/wp-content/uploads/ICYA2006Finalists.pdf Finalists Selected for 2006 Maryland Incubator Company of the Year Awards]<br>
• [http://www.washingtonpost.com/wp-dyn/content/article/2006/03/26/AR2006032600808.html Washington Post – Start-Up section]<br>
• [http://www.adfsolutions.com/wp/wp-content/uploads/mips_r37_release1.pdf New Cancer Test, Arthritis Treatment, Digital Forensic Tool Among 14 Announced University of Maryland MIPS Research Projects]

=Social Media and other Websites=

<H4>Social media</H4>

<p>[http://www.facebook.com/adfsolutions Facebook]<br>
[https://twitter.com/adfsolutions Twitter]<br>
[http://www.linkedin.com/company/247174?goback=%2Efcs_GLHD_adf+solutions_false_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2&trk=ncsrch_hits LinkedIn]<br>
[http://www.youtube.com/user/ADFSolutionsInc You Tube]<br>
[https://plus.google.com/u/0/116499277699076435840/posts Google+]</p>

<H4>Other Websites</H4>

[http://www.adfsolutions.com ADF Solutions]<br>
[http://www.forensictriage.com Forensic Triage]<br>
[http://www.mediaexploitation.com Media Exploitation]

[[category:ADOMEX]]

Latest revision as of 09:32, 18 August 2013

JTAG LG P930 (Nitro HD)

The LG P930 (Nitro HD) is an Android based smartphone. At the time of this writing (2013FEB07), I am unaware of any method to bypass the PIN, password, or pattern locks on an LG P930 that is not rooted and does not have ADB enabled. JTAG to the rescue! Using JTAG, a copy of the NAND can be extracted, and the PIN or pattern lock decoded from it.

For the purpose of this document, an LG P930 with a gesture pattern lock was disassembled, read via JTAG, reassembled, and the pattern lock removed.

Getting Started

What you need to extract the lock from the device:

  1. An Octoplus JTAG Box with the latest Octoplus JTAG Manager software. The Octoplus JTAG Box used for this was purchased from GSM Server on eBay. Update: This device is now supported by the RIFF Box as well.
  2. Soldering skills and ultra-fine tip soldering iron (a JTAG jig may be available).
  3. A DC Power supply capable of supplying 3.8V/1.83A output. The power supply used for this was an Agilent U8002A DC Power Supply.
  4. PatternLockScripts from CCL Forensics ('GenerateAndroidGestureRainbowTable.py' and 'Android_GestureFinder.py').

NAND Dump Procedure

  1. Disassemble the phone down to the PCB.
  2. Connect the Octoplus JTAG Box to the PC via USB.
  3. Connect the Octoplus JTAG Box to the PCB via the JTAG pins.
  4. Connect the PCB to the DC power supply.
  5. Start the "Octoplus JTAG" software.
  6. Power the PCB.
  7. Dump the NAND.

Instructions for disassembly can be found on the Internet, but the procedure can be summarised as follows:

  1. Remove the rear cover and battery.
  2. Remove the 9 x Phillips screws.
  3. Split the phone case using a case opening tool (guitar pick).

Lg-p930-nitro-hd-front.png Lg-p930-nitro-hd-back.png

Once the phone has been disassembled, you can see the JTAG connection port near the microUSB header. The connector used on the PCB is a microminiature board-to-board Molex connector. Molex sells the mating header under the brand name "SlimStack"; however, sourcing these headers in small quantities can be difficult. In some cases, JTAG adapter jigs can be purchased from companies such as multi-com.pl; however, given the cost and the time it takes to receive them, it can be faster to solder lead wires directly to this header. Note: a decent microscope is mandatory for this step, as soldering these connections without one is extremely difficult.

Lg-p930-nitro-hd-disassembled-1.png Lg-p930-nitro-hd-disassembled-2.png Lg-p930-nitro-hd-disassembled-3.png

With the phone now disassembled, you can solder your 0.040 gauge lead wires to the JTAG test points. Also, connect the PCB battery terminal connections to the DC power supply. The negative (-) connection is the innermost pin and the positive (+) pin is the outside pin. You can configure your power supply to match the battery specifications, which in this case are 3.8V and 1.830A, but do not apply power at this time.


Lg-p930-nitro-hd-connected-via-jtag-1.png Lg-p930-nitro-hd-connected-via-jtag-2.png Lg-p930-nitro-hd-connected-via-jtag-3.png

Now we can start the Octoplus JTAG software and configure it. See the picture for more detail.


Octoplus-settings.png

Apply power to the DC power supply and turn the phone on using the button on the side of the PCB (you will feel the phone vibrate after 3-5 seconds of holding the button). After powering the phone on, connect via JTAG to the phone by hitting the "Connect" button in the Octoplus JTAG software; you should receive a "Connect Successful" message in the bottom pane. Now click on the "Read" button to start the read and name the output file accordingly. In this case I named the file "lg-p930-jtag-x0000000_x06BC000.bin" to reflect the memory range I am extracting.

If you receive errors that the PCB could not be connected to, try the following:

  • Confirm that the PCB is receiving power from the DC power supply. If you can measure current draw of the PCB, you should see that the PCB is pulling about 0.04A. If the PCB is pulling more current, it is likely already booted and the read may fail.
  • Power off the PCB, power it back on, and immediately connect, then start the JTAG read.
  • Check all of your PCB to JTAG connections under a microscope. Inspect for shorts or incorrect connections.
  • Upon receiving a successful JTAG dump you can process the file with the CCL Forensics Android scripts to extract the gesture or pin lock.
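The CCL Forensics scripts named above are not reproduced on this page. What follows is an added example, not the page's code and not CCL's, of the same two-step idea in Python: enumerate every valid 3x3 gesture pattern and store its unsalted SHA-1 (the rainbow-table step), then slide a 20-byte window over the dump looking for any of those digests (the finder step). It relies on the fact that Android of that era stored the pattern in gesture.key as a bare SHA-1 over the sequence of point indices; the dump it scans is constructed in-line, and the file name and the sample pattern are placeholders. Because the whole space is only 389,112 patterns, the table builds in seconds, which is exactly why an unsalted, unstretched hash offers no protection once the partition can be read physically.

```python
# Added example, not from the wiki page or from CCL Forensics.
# Builds the gesture "rainbow table" and scans a raw NAND dump for a match.
import hashlib
import os
import tempfile

# Point pairs whose straight line passes over a third grid point (3x3 grid,
# indices 0..8 row-major). Android only allows such a move if the middle
# point has already been visited; otherwise the pattern is not a valid one.
MIDPOINTS = {
    (0, 2): 1, (3, 5): 4, (6, 8): 7,   # rows
    (0, 6): 3, (1, 7): 4, (2, 8): 5,   # columns
    (0, 8): 4, (2, 6): 4,              # diagonals
}
DIGEST_LEN = 20  # SHA-1 output size


def gesture_hash(pattern):
    """gesture.key content for a pattern: SHA-1 over one byte per point index."""
    return hashlib.sha1(bytes(pattern)).digest()


def valid_patterns(min_len=4, max_len=9):
    """Yield every pattern the lock screen accepts: 4..9 distinct points,
    never jumping over a point that has not been visited yet."""
    def walk(path, visited):
        if len(path) >= min_len:
            yield tuple(path)
        if len(path) == max_len:
            return
        last = path[-1]
        for nxt in range(9):
            if nxt in visited:
                continue
            mid = MIDPOINTS.get((min(last, nxt), max(last, nxt)))
            if mid is not None and mid not in visited:
                continue
            path.append(nxt)
            visited.add(nxt)
            yield from walk(path, visited)
            visited.remove(nxt)
            path.pop()

    for start in range(9):
        yield from walk([start], {start})


def build_rainbow_table():
    """Digest -> pattern for the whole gesture space (389,112 entries)."""
    return {gesture_hash(p): p for p in valid_patterns()}


def find_gesture(dump_path, table, chunk_size=1 << 20):
    """Slide a 20-byte window over the dump; return (offset, pattern) for the
    first digest present in the table, or None. Consecutive chunks overlap by
    19 bytes so a digest straddling a chunk boundary is still seen."""
    carry = b""
    pos = 0
    with open(dump_path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return None
            buf = carry + chunk
            base = pos - len(carry)          # absolute offset of buf[0]
            for i in range(len(buf) - DIGEST_LEN + 1):
                pattern = table.get(buf[i:i + DIGEST_LEN])
                if pattern is not None:
                    return base + i, pattern
            pos += len(chunk)
            carry = buf[-(DIGEST_LEN - 1):]


def make_sample_dump(pattern, offset, path=None):
    """Constructed test data: erased-flash filler (0xFF) with the digest of
    `pattern` written at `offset`, standing in for a real NAND image."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "constructed-nand-dump.bin")
    with open(path, "wb") as fh:
        fh.write(b"\xff" * offset + gesture_hash(pattern) + b"\xff" * 4096)
    return path


if __name__ == "__main__":
    table = build_rainbow_table()
    print(f"{len(table)} valid patterns hashed")
    dump = make_sample_dump((0, 4, 8, 5), 3 * 4096 + 17)
    print(find_gesture(dump, table))   # -> (12305, (0, 4, 8, 5))
```

The scan is a single pass with one dictionary lookup per byte offset, so it is linear in the dump size but slow in pure Python on a multi-gigabyte image; the 19-byte carry between chunks is the detail most home-grown finders get wrong, and without it a hash sitting on a 1 MiB boundary is simply missed.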

Notes

This exhibit gave us some issues around the ~100MB mark: the read kept disconnecting in that memory range. We opted to read the device with multiple reads, reading from 0MB-96MB, skipping the range in between, then reading from 192MB-EOF. This captured enough data to acquire the password hash, which was located around the 1.3GB range on this particular phone.
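Reading in pieces as described above leaves you with several files that must be reassembled at their true offsets, with the unread range recorded rather than quietly zero-filled. The following is an added example (not the page's code and not part of any Octoplus tooling) in Python that does this. It assumes the file naming convention the page's own output file suggests, `<prefix>-x<START>_x<END>.bin` with hexadecimal offsets and END exclusive; that reading of the name is an assumption to check against your tool, and the two input reads are constructed in-line.

```python
# Added example, not from the wiki page. Assembles partial JTAG reads into one
# image at their true offsets and reports the byte ranges that were never read.
import os
import re
import tempfile

# Assumed naming convention, modelled on the page's
# "lg-p930-jtag-x0000000_x06BC000.bin": "<prefix>-x<START>_x<END>.bin" with
# hexadecimal offsets and END exclusive. Verify this against your own tool.
RANGE_RE = re.compile(r"-x([0-9A-Fa-f]+)_x([0-9A-Fa-f]+)\.bin$")
FILL = b"\x00"      # marker byte for bytes no read covered
CHUNK = 1 << 20


def parse_range(filename):
    """Return (start, end) in bytes from the file name, or raise ValueError."""
    m = RANGE_RE.search(os.path.basename(filename))
    if m is None:
        raise ValueError(f"no offset range in name: {filename}")
    start, end = int(m.group(1), 16), int(m.group(2), 16)
    if end <= start:
        raise ValueError(f"empty or reversed range in name: {filename}")
    return start, end


def _write_fill(out, nbytes):
    """Write nbytes of FILL without building one huge bytes object."""
    while nbytes > 0:
        n = min(nbytes, CHUNK)
        out.write(FILL * n)
        nbytes -= n


def merge_reads(inputs, output_path):
    """Write each partial read at its absolute offset. Returns a sorted list of
    (start, end) ranges that no input covered, so the gap can go into the
    examination notes instead of being mistaken for genuinely empty flash.
    Overlapping reads, and reads whose size disagrees with their name, are
    rejected rather than silently accepted."""
    reads = sorted((parse_range(p), p) for p in inputs)
    gaps = []
    cursor = 0
    with open(output_path, "wb") as out:
        for (start, end), path in reads:
            if start < cursor:
                raise ValueError(f"{path} overlaps the previous read")
            if start > cursor:
                gaps.append((cursor, start))
                _write_fill(out, start - cursor)
            size = os.path.getsize(path)
            if size != end - start:
                raise ValueError(f"{path}: name says {end - start} bytes, file has {size}")
            with open(path, "rb") as fh:
                for block in iter(lambda: fh.read(CHUNK), b""):
                    out.write(block)
            cursor = end
    return gaps


def make_sample_reads(directory=None):
    """Constructed inputs: two reads with a hole between them, mimicking the
    0-96MB / 192MB-EOF split described in the Notes, scaled down to bytes."""
    if directory is None:
        directory = tempfile.mkdtemp()
    specs = [("x0000000_x0000100", b"A" * 0x100),   # 0x000..0x100
             ("x0000180_x0000200", b"B" * 0x80)]    # 0x180..0x200
    paths = []
    for rng, data in specs:
        p = os.path.join(directory, f"constructed-jtag-{rng}.bin")
        with open(p, "wb") as fh:
            fh.write(data)
        paths.append(p)
    return paths, os.path.join(directory, "merged.bin")


if __name__ == "__main__":
    inputs, merged = make_sample_reads()
    gaps = merge_reads(inputs, merged)
    print("unread gaps:", [(hex(a), hex(b)) for a, b in gaps])   # [('0x100', '0x180')]
```

Keep the returned gap list with the exhibit: a hash or file that happens to straddle an unread range will be missing from the merged image, and the later search (for the lock hash, or anything else) should be interpreted with that in mind.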

References

  • http://android-forensics.com/android-forensics-study-of-password-and-pattern-lock-protection/143
  • http://forensics.spreitzenbarth.de/2012/02/
  • http://www.ccl-forensics.com/Software/other-software-a-scripts.html