Difference between pages "Upcoming events" and "JTAG Samsung Galaxy S3 (SGH-I747M)"

From ForensicsWiki
Latest revision as of 17:50, 23 January 2014

JTAG Samsung Galaxy S3 (SGH-I747M)

The Samsung Galaxy S3 is an Android-based smartphone. At the time of this writing (2014JAN22), I am unaware of any method other than JTAG to acquire a physical image of the NAND on this device.

For the purpose of this document, a Samsung Galaxy S3 was disassembled, read via JTAG, and reassembled.

Getting Started

What you need to dump the NAND:

  1. A RIFF Box (http://www.riffbox.org/).
  2. Soldering skills and a small-tip soldering iron (a JTAG jig may be available).
  3. A DC power supply capable of supplying 3.8V/2.1A output. The power supply used for this was an Agilent U8002A DC Power Supply (http://www.home.agilent.com/agilent/product.jspx?pn=u8002a&cc=CA&lc=eng).

NAND Dump Procedure

  1. Disassemble the phone down to the PCB.
  2. Connect the RIFF Box to the PC via USB.
  3. Connect the RIFF Box to the PCB via the JTAG pins.
  4. Connect the PCB to the DC power supply.
  5. Start the "RIFF Box JTAG Manager" software.
  6. Enable the power on the DC power supply.
  7. Power the phone via the power button.
  8. Dump the NAND via the RIFF Box software.

Instructions for disassembly can be found on the Internet, but the process can be summarized as follows:

  • Remove the rear cover and battery.
  • Remove the 10 x Phillips screws.
  • Remove the rear plate using a case opening tool (guitar pick).
[Images: 1-samsung-s3-sgh-i747m-front.jpg, 2-samsung-s3-sgh-i747m-back.jpg]
[Images: 3-samsung-s3-sgh-i747m-disassembly-screws.jpg, 4-samsung-s3-sgh-i747m-disassembly-bezel.jpg]
  • Once the phone has been disassembled, you can see the JTAG connection port located close to the edge of the PCB near the ribbon cable.
[Image: 5-samsung-s3-sgh-i747m-disassembly-final.jpg]
  • The JTAG pinouts are as follows.
[Image: 6-samsung-s3-sgh-i747m-jtag-header.jpg]
  • Solder the JTAG connector to the JTAG port as follows. I used 0.040 gauge magnet wire, connected to breadboard pins, which were inserted into the 20 pin ribbon cable supplied with the RIFF box.
[Image: 7-samsung-s3-sgh-i747m-jtag-solder.jpg]
  • Connect the PCB battery terminal connections to the DC power supply. The positive (+) connection is the outermost pin (1) and the negative (-) pin is pin (3). You can configure your power supply to match the battery specifications, which in this case are 3.8V and 2.1A, but do not apply power at this time.
[Image: 8-samsung-s3-sgh-i747m-jtag-power.jpg]
  • Now we can start the RIFF JTAG software, configure it, and connect the phone to the RIFF box. See the picture below for more detail.

NOTE: In the picture, the "JTAG TCK Speed" has been changed from "Sample at MAX" to "Sample at 9MHz". This was done in an attempt to eliminate disconnects between the RIFF Box and the phone mid-read. Leave this setting at "Sample at MAX" unless you experience this problem.

[Image: 9-samsung-s3-sgh-i747m-jtag-manager.jpg]

Apply power to the DC power supply and turn the phone on using the button on the side of the PCB. After powering the phone on, select "READ" under the "DCC Read/Write" tab. If all goes well, the "READ" button will become the "STOP" button and the phone will begin reading. If not, the RIFF software provides troubleshooting steps that should be taken to assist in diagnosing some of the issues you may experience.

NOTE: In the event of read errors, the RIFF software keeps track of where the failure occurred and gives you the option to restart the read where it left off. If this occurs, you can lower the "JTAG TCK Speed" to 9MHz (or lower), which can stabilize the read.

  • Once the acquisition is complete the resulting image can be saved and forensic analysis can take place using the tool of your choosing.
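
Before analysis, record a hash of the saved image and confirm that a read interrupted by the errors described above did not leave the file short. The following Python script is an added example, not part of the original article or the RIFF software; it assumes the dump is a raw image with 512-byte sectors and a GPT partition table (an assumption, the article does not describe the partition layout), and the names `check_dump` and `make_sample_image` are hypothetical.

```python
import hashlib
import struct
import sys
import zlib

SECTOR = 512  # assumption: 512-byte logical sectors in the raw dump

def check_dump(path):
    """Hash a raw dump and test its primary GPT header (if any) for damage."""
    sha, size, head = hashlib.sha256(), 0, b""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            if size < 2 * SECTOR:
                head += chunk[:2 * SECTOR - size]  # keep LBA 0 and LBA 1
            sha.update(chunk)
            size += len(chunk)
    rep = {"size": size, "sha256": sha.hexdigest(), "gpt": False,
           "header_crc_ok": None, "truncated": None}
    hdr = head[SECTOR:2 * SECTOR]
    if len(hdr) < 92 or hdr[:8] != b"EFI PART":
        return rep  # no GPT at LBA 1: the layout assumption does not hold
    rep["gpt"] = True
    hdr_size, stored_crc = struct.unpack_from("<II", hdr, 12)
    backup_lba = struct.unpack_from("<Q", hdr, 32)[0]
    if 92 <= hdr_size <= SECTOR:
        # The header CRC32 is computed with its own field (offset 16) zeroed.
        zeroed = hdr[:16] + b"\0\0\0\0" + hdr[20:hdr_size]
        rep["header_crc_ok"] = (zlib.crc32(zeroed) & 0xFFFFFFFF) == stored_crc
    else:
        rep["header_crc_ok"] = False
    # The backup header occupies the last sector, so a shorter file is incomplete.
    rep["truncated"] = size < (backup_lba + 1) * SECTOR
    return rep

def make_sample_image(sectors=8):
    """Constructed test input: a tiny blank image with a valid GPT header."""
    hdr = bytearray(92)
    struct.pack_into("<8sII", hdr, 0, b"EFI PART", 0x00010000, 92)
    struct.pack_into("<QQ", hdr, 24, 1, sectors - 1)  # current LBA, backup LBA
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)) & 0xFFFFFFFF)
    return (bytes(SECTOR) + bytes(hdr).ljust(SECTOR, b"\0")
            + bytes((sectors - 2) * SECTOR))

if __name__ == "__main__":
    # Usage: python check_dump.py <path to saved image>
    for name, value in check_dump(sys.argv[1]).items():
        print(f"{name}: {value}")
```

Record the reported SHA-256 with the case notes before opening the image in any analysis tool, and work from a copy.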
