Difference between pages "Word Document (DOC)" and "JTAG Samsung Galaxy S3 (SGH-I747M)"

From ForensicsWiki
(Difference between pages)
 
 
Line 1: Line 1:
The '''Word Document (DOC) file format''' has the '''.doc''' extension. This file type originates from [[Microsoft Word]]. However, other word processing software can be used to display these files as well. These include:
+
== JTAG Samsung Galaxy S3 (SGH-I747M) ==
* [[WordPad]]
+
* [[WordPerfect]]
+
* [[OpenOffice]]
+
* [[AbiWord]]
+
  
The Word DOC file format should not be confused with [[DOCX]].
+
The Samsung Galaxy S3 is an Android based smartphone.  At the time of this writing (2014JAN22), I am unaware of any method other than JTAG to acquire a physical image of the NAND on this device.
  
== MIME types ==
+
For the purpose of this document, a Samsung Galaxy S3 was disassembled, read via JTAG, and reassembled.
  
The following [[MIME types]] apply to this [[file format]]:
+
=== Getting Started ===
  
* application/msword
+
What you need to dump the NAND:
* application/doc
+
* appl/text
+
* application/vnd.msword
+
* application/vnd.ms-word
+
* application/winword
+
* application/word
+
* application/x-msw6
+
* application/x-msword
+
* zz-application/zz-winassoc-doc
+
  
== File signature ==
+
# A RIFF Box [[http://www.riffbox.org/|RIFF Box]]
 +
# Soldering skills and small tip soldering iron (a JTAG jig may be available).
 +
# A DC Power supply capable of supplying 3.8V/2.1A output.  The power supply used for this was an [[http://www.home.agilent.com/agilent/product.jspx?pn=u8002a&cc=CA&lc=eng|Agilent U8002A DC Power Supply]].
  
[[Microsoft Word]] documents of version 97-2003 use the [[OLE Compound File]] (OLECF). These files therefore have the OLECF file signature
+
=== NAND Dump Procedure ===
  
The object stream of the OLECF containing a Word document contains the string "Word.Document" with some version.
+
# Disassemble the phone down to the PCB.
 +
# Connect the RIFF Box to the PC via USB.
 +
# Connect the RIFF Box to the PCB via the JTAG pins.
 +
# Connect the PCB to the DC power supply.
 +
# Start the "RIFF Box JTAG Manager" software.
 +
# Enable the power on the DC power supply.
 +
# Power the phone via the power button.
 +
# Dump the NAND via the RIFF Box software.
  
== Word 97-2003 documents ==
+
Instructions for disassembly can be found on Internet but it can be summarized as follows:
  
The Word Binary File format is stored in the OLECF using multiple streams:
+
* Remove the rear cover and battery.
* WordDocument stream
+
* Remove the 10 x Phillips screws.
* Table stream (0Table, 1Table)
+
* Remove the rear plate using a case opening tool (guitar pick).
* Data stream
+
  
== Encryption ==
+
{| border="1" cellpadding="2"
 +
|-
 +
| [[File:1-samsung-s3-sgh-i747m-front.jpg | 600px]]
 +
| [[File:2-samsung-s3-sgh-i747m-back.jpg | 600px]]
 +
|-
 +
| [[File:3-samsung-s3-sgh-i747m-disassembly-screws.jpg | 600px]]
 +
| [[File:4-samsung-s3-sgh-i747m-disassembly-bezel.jpg | 600px]]
 +
|-
 +
|}
  
Versions 97/2000 encrypt documents with a very weak algorithm. This password scheme can be broken easily by several different products and it is possible to decrypt the contents without discovering the password. This is done by testing all 1,099,511,627,776 possible keys. Ultimate Zip Cracker by VDGSoftware is one utility that can perform this decryption.
+
* Once the phone has been disassembled, you can see the JTAG connection port located closed to the edge of the PCB near the ribbon cable.
== See Also==
+
  
[http://download.microsoft.com/download/0/B/E/0BE8BDD7-E5E8-422A-ABFD-4342ED7AD886/Word97-2007BinaryFileFormat(doc)Specification.pdf Word 97-2007 Binary File Format by Microsoft]
+
{| border="1" cellpadding="2"
 +
|-
 +
| [[File:5-samsung-s3-sgh-i747m-disassembly-final.jpg | 1000px]]
 +
|-
 +
|}
  
== Extracting Strings ==
+
* The JTAG pinouts are as follows.
  
On a unix-like machine try this command to extract strings from a .doc file:
+
{| border="1" cellpadding="2"
 +
|-
 +
| [[File:6-samsung-s3-sgh-i747m-jtag-header.jpg | 1000px]]
 +
|-
 +
|}
  
<code>
+
* Solder the JTAG connector to the JTAG port as follows. I used 0.040 gauge magnet wire, connected to breadboard pins, which were inserted into the 20 pin ribbon cable supplied with the RIFF box.
cat /tmp/test.doc | tr -d \\0 | strings | more
+
</code>
+
  
(where /tmp/test.doc is the path to your .doc file)
+
{| border="1" cellpadding="2"
 +
|-
 +
| [[File:7-samsung-s3-sgh-i747m-jtag-solder.jpg | 500px]]
 +
|-
 +
|}
  
Note that a Word 97 and later document can contain both extended ASCII with codepage 1252 and UTF-16 little-endian text. So using basic Unix string is not worth much. Use the sleuthkit strings or EnCase instead.
+
* Connect the PCB battery terminal connections to the DC power supply.  The positive (+) connection is the outermost pin (1) and the negative (-) pin is pin (3). You can configure your power supply to match the battery specifications which in this case is 3.8V and 2.1A but do not apply power at this time.
  
[[Category:File Formats]]
+
{| border="1" cellpadding="2"
 +
|-
 +
| [[File:8-samsung-s3-sgh-i747m-jtag-power.jpg | 1000px]]
 +
|-
 +
|}
 +
 
 +
* Now we can start the RIFF JTAG software, configure it, and connect the phone to the RIFF box.  See the picture below for more detail.
 +
 
 +
'''NOTE:''' In the picture, the "JTAG TCK Speed" has been changed from "Sample at MAX" to "Sample at 9MHz".  This was done in attempt to eliminate disconnects between the RIFF Box and the phone mid-read.  Leave this setting at "Sample at MAX" unless you experience this problem.
 +
 
 +
{| border="1" cellpadding="2"
 +
|-
 +
| [[File:9-samsung-s3-sgh-i747m-jtag-manager.jpg | 1000px]]
 +
|-
 +
|}
 +
 
 +
Apply power to the DC power supply and turn the phone on using the button on the side of the PCB.  After powering the phone on, select "READ" under the "DCC Read/Write" tab.  If all goes well the "READ" button will become the "STOP" button and the phone will begin reading...if not the RIFF software provides troubleshooting steps that should be taken to assist in diagnosing some of the issues you may experience.
 +
 
 +
'''NOTE:''' In the event of read errors the RIFF software keeps track of where the failure occurred and gives you option to restart the read where it left off.  If this occurs, you can adjust the "JTAG TCK Speed" and lower it to 9MHz (or lower) which can stabilize the read.
 +
 
 +
* Once the acquisition is complete the resulting image can be saved and forensic analysis can take place using the tool of your choosing.
 +
 
 +
== References ==
 +
 
 +
* http://android-forensics.com/android-forensics-study-of-password-and-pattern-lock-protection/143
 +
* http://forensics.spreitzenbarth.de/2012/02/
 +
* http://www.ccl-forensics.com/Software/other-software-a-scripts.html
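Review bot: this hunk is a MediaWiki "Difference between pages" view comparing two unrelated articles ("Word Document (DOC)" and "JTAG Samsung Galaxy S3 (SGH-I747M)"), so the "+" lines are not an edit to either page and should not be read as one; the rendered "Latest revision" that follows is the authoritative text of the JTAG page. Within the added JTAG text itself, "located closed to the edge of the PCB" should read "located close to the edge of the PCB", and the three URLs under "== References ==" are never cited from the body, so it is unclear which statements (the pinout, the 3.8V/2.1A supply setting, the TCK speed advice) they support; tying each reference to the step it backs would make the procedure verifiable.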

Latest revision as of 18:50, 23 January 2014

JTAG Samsung Galaxy S3 (SGH-I747M)

The Samsung Galaxy S3 is an Android-based smartphone. At the time of this writing (2014JAN22), I am unaware of any method other than JTAG to acquire a physical image of the NAND on this device.

For the purpose of this document, a Samsung Galaxy S3 was disassembled, read via JTAG, and reassembled.

Getting Started

What you need to dump the NAND:

  1. A RIFF Box (http://www.riffbox.org/).
  2. Soldering skills and a small-tip soldering iron (a JTAG jig may be available).
  3. A DC power supply capable of supplying 3.8V/2.1A output. The power supply used for this was an Agilent U8002A DC Power Supply (http://www.home.agilent.com/agilent/product.jspx?pn=u8002a&cc=CA&lc=eng).

NAND Dump Procedure

  1. Disassemble the phone down to the PCB.
  2. Connect the RIFF Box to the PC via USB.
  3. Connect the RIFF Box to the PCB via the JTAG pins.
  4. Connect the PCB to the DC power supply.
  5. Start the "RIFF Box JTAG Manager" software.
  6. Enable the power on the DC power supply.
  7. Power the phone via the power button.
  8. Dump the NAND via the RIFF Box software.

Instructions for disassembly can be found on the Internet, but they can be summarized as follows:

  • Remove the rear cover and battery.
  • Remove the 10 x Phillips screws.
  • Remove the rear plate using a case opening tool (guitar pick).
  (Images: 1-samsung-s3-sgh-i747m-front.jpg, phone front; 2-samsung-s3-sgh-i747m-back.jpg, phone back)
  (Images: 3-samsung-s3-sgh-i747m-disassembly-screws.jpg, screw locations; 4-samsung-s3-sgh-i747m-disassembly-bezel.jpg, bezel removal)
  • Once the phone has been disassembled, you can see the JTAG connection port located close to the edge of the PCB near the ribbon cable.
  (Image: 5-samsung-s3-sgh-i747m-disassembly-final.jpg, disassembled PCB showing the JTAG port)
  • The JTAG pinouts are as follows.
  (Image: 6-samsung-s3-sgh-i747m-jtag-header.jpg, JTAG header pinout)
  • Solder the JTAG connector to the JTAG port as follows. I used 0.040 gauge magnet wire, connected to breadboard pins, which were inserted into the 20 pin ribbon cable supplied with the RIFF box.
  (Image: 7-samsung-s3-sgh-i747m-jtag-solder.jpg, wires soldered to the JTAG port)
  • Connect the PCB battery terminal connections to the DC power supply. The positive (+) connection is the outermost pin (1) and the negative (-) connection is pin (3). You can configure your power supply to match the battery specifications, which in this case are 3.8V and 2.1A, but do not apply power at this time.
  (Image: 8-samsung-s3-sgh-i747m-jtag-power.jpg, battery terminals wired to the DC power supply)
  • Now we can start the RIFF JTAG software, configure it, and connect the phone to the RIFF box. See the picture below for more detail.

NOTE: In the picture, the "JTAG TCK Speed" has been changed from "Sample at MAX" to "Sample at 9MHz". This was done in an attempt to eliminate disconnects between the RIFF Box and the phone mid-read. Leave this setting at "Sample at MAX" unless you experience this problem.

(Image: 9-samsung-s3-sgh-i747m-jtag-manager.jpg, RIFF Box JTAG Manager configuration)

Apply power to the DC power supply and turn the phone on using the button on the side of the PCB. After powering the phone on, select "READ" under the "DCC Read/Write" tab. If all goes well, the "READ" button will become the "STOP" button and the phone will begin reading; if not, the RIFF software provides troubleshooting steps that should be taken to assist in diagnosing some of the issues you may experience.

NOTE: In the event of read errors, the RIFF software keeps track of where the failure occurred and gives you the option to restart the read where it left off. If this occurs, you can adjust the "JTAG TCK Speed" and lower it to 9MHz (or lower), which can stabilize the read.

  • Once the acquisition is complete the resulting image can be saved and forensic analysis can take place using the tool of your choosing.
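
The first thing to do with the saved image, before any tool-specific analysis, is to document its hash and confirm that the read actually produced a coherent flash image rather than a truncated or corrupted one. The following Python script is an added example and is not part of the original wiki page or of the RIFF Box software. It assumes the dump is a raw sector image with 512-byte sectors, a protective MBR at LBA 0 and a GPT header at LBA 1 (the layout commonly found on Android handsets of this generation; if the device uses a different layout the signature check simply fails). The sample image it builds is constructed inline for demonstration, and the partition names and GUIDs in it are placeholders.

```python
"""Post-acquisition checks on a raw JTAG NAND/eMMC dump (added example).

Assumptions: 512-byte sectors, protective MBR at LBA 0, GPT header at LBA 1.
"""
import hashlib
import struct
import sys
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"


def sha256_of_image(data: bytes) -> str:
    """Hash the whole image so the acquisition can be recorded and re-verified later."""
    return hashlib.sha256(data).hexdigest()


def parse_gpt_header(data: bytes):
    """Validate the GPT header at LBA 1 and return (entries_lba, num_entries, entry_size).

    Raises ValueError on a missing signature or a CRC32 mismatch, which is the
    first sign that the JTAG read was interrupted or returned bad data.
    """
    hdr = data[SECTOR:SECTOR * 2]
    if hdr[:8] != GPT_SIGNATURE:
        raise ValueError("no GPT signature at LBA 1")
    header_size = struct.unpack_from("<I", hdr, 12)[0]
    stored_crc = struct.unpack_from("<I", hdr, 16)[0]
    # The header CRC is computed with the CRC field itself set to zero.
    zeroed = hdr[:16] + b"\x00\x00\x00\x00" + hdr[20:header_size]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != stored_crc:
        raise ValueError("GPT header CRC32 mismatch")
    entries_lba, num_entries, entry_size = struct.unpack_from("<QII", hdr, 72)
    return entries_lba, num_entries, entry_size


def list_partitions(data: bytes):
    """Enumerate used GPT entries as (name, first_lba, last_lba) tuples.

    Stops early if the entry table runs past the end of the data, which is
    what a truncated dump looks like.
    """
    entries_lba, num_entries, entry_size = parse_gpt_header(data)
    table = data[entries_lba * SECTOR:]
    parts = []
    for i in range(num_entries):
        e = table[i * entry_size:(i + 1) * entry_size]
        if len(e) < entry_size:
            break  # table truncated: image is shorter than the GPT claims
        if e[:16] == b"\x00" * 16:
            continue  # unused slot (all-zero partition type GUID)
        first, last = struct.unpack_from("<QQ", e, 32)
        name = e[56:128].decode("utf-16-le").rstrip("\x00")
        parts.append((name, first, last))
    return parts


def build_sample_image() -> bytes:
    """Constructed sample: MBR sector, a valid GPT header, and two placeholder partitions."""
    def entry(name, first, last):
        e = bytearray(128)
        e[0:16] = b"\x11" * 16     # placeholder partition type GUID
        e[16:32] = b"\x22" * 16    # placeholder unique partition GUID
        struct.pack_into("<QQ", e, 32, first, last)
        raw = name.encode("utf-16-le")
        e[56:56 + len(raw)] = raw
        return bytes(e)

    entries = (entry("boot", 34, 1057) + entry("userdata", 1058, 4095)).ljust(32 * 128, b"\x00")
    hdr = bytearray(92)
    hdr[0:8] = GPT_SIGNATURE
    struct.pack_into("<I", hdr, 8, 0x00010000)               # GPT revision 1.0
    struct.pack_into("<I", hdr, 12, 92)                        # header size
    struct.pack_into("<QQQQ", hdr, 24, 1, 4095, 34, 4062)      # current, backup, first/last usable LBA
    struct.pack_into("<QII", hdr, 72, 2, 32, 128)              # entries at LBA 2, 32 entries of 128 bytes
    struct.pack_into("<I", hdr, 88, zlib.crc32(entries) & 0xFFFFFFFF)
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)) & 0xFFFFFFFF)  # CRC field still zero here
    image = bytearray(SECTOR * 2)          # LBA 0 left blank, LBA 1 holds the header
    image[SECTOR:SECTOR + 92] = hdr
    return bytes(image) + entries


if __name__ == "__main__":
    # Usage: python this_script.py <dump.bin>; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print("sha256:", sha256_of_image(data))
    for name, first, last in list_partitions(data):
        print(f"{name:16s} LBA {first}-{last} ({(last - first + 1) * SECTOR} bytes)")
```

Record the SHA-256 alongside the RIFF Box session log; if the read had to be resumed after an error, a second acquisition hashing to the same value is the cheapest evidence that the resume did not corrupt the image. A GPT that fails its CRC or whose entry table extends past the end of the file means the dump should be re-read before any analysis is attempted.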

References