Difference between pages "Disk Imaging" and "Chip-Off BlackBerry Curve 9300"

From ForensicsWiki

Disk Imaging

{{expand}}

Disk imaging is the process of making a bit-by-bit copy of a disk. More generally, imaging can be applied to anything that can be treated as a bit-stream, e.g. physical or logical volumes, network streams, etc.

The most straight-forward disk imaging method is reading a disk from start to end and writing the data to a [[:Category:Forensics_File_Formats|Forensics image format]].
This can be a time-consuming process, especially for disks with a large capacity.
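A minimal start-to-end imager, added here as an example (it is not code from ForensicsWiki or from any imaging tool named on this page): it reads the source in fixed-size blocks, writes a raw dd-style image, computes MD5 and SHA-256 over the stream as it passes, and treats an unreadable block by retrying, then zero-filling it and recording the range so that every offset in the image still corresponds to the same offset on the source. The block size, the `FaultyReader` stand-in for a drive that returns I/O errors, and the sample data are assumptions constructed for the example.

```python
"""Sequential bit-by-bit imager with on-the-fly hashing (added example, not ForensicsWiki code)."""
import hashlib
import io

BLOCK_SIZE = 4096  # assumed read granularity; dd-style tools default to 512-byte sectors


class FaultyReader(io.BytesIO):
    """Constructed stand-in for a drive with unreadable sectors: any read that overlaps one of
    the given byte ranges raises OSError, as a failing disk returns EIO to the imager."""

    def __init__(self, data, bad_ranges):
        super().__init__(data)
        self.bad_ranges = list(bad_ranges)

    def read(self, size=-1):
        start = self.tell()
        end = len(self.getvalue()) if size < 0 else start + size
        for lo, hi in self.bad_ranges:
            if start < hi and end > lo:
                raise OSError(5, "Input/output error")
        return super().read(size)


def image_stream(src, dst, size, block_size=BLOCK_SIZE, retries=2):
    """Copy `size` bytes from src to dst, start to end, one block at a time.

    Returns (bytes_written, md5_hex, sha256_hex, unreadable_ranges). A block that fails every
    read attempt is replaced by zeros so the image stays offset-aligned with the source; the
    zero-filled ranges are returned so they can be documented with the image instead of being
    silently absorbed into it.
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    unreadable = []
    offset = 0
    while offset < size:
        want = min(block_size, size - offset)
        chunk = None
        for _ in range(retries + 1):
            try:
                src.seek(offset)
                chunk = src.read(want)
                break
            except OSError:
                continue  # retry; a real imager would also fall back to smaller reads here
        if chunk is None:
            chunk = b"\x00" * want
            unreadable.append((offset, offset + want))
        elif len(chunk) != want:
            raise IOError("short read at offset %d: source smaller than declared size" % offset)
        dst.write(chunk)
        md5.update(chunk)
        sha.update(chunk)
        offset += want
    return offset, md5.hexdigest(), sha.hexdigest(), unreadable


def verify_image(image_bytes, expected_sha256):
    """Re-hash the written image and compare with the hash taken during acquisition."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_sha256


def demo():
    """Image a constructed 3.5-block source whose second block is unreadable."""
    source = bytes(range(256)) * 56  # 14336 bytes: three full blocks plus a 2048-byte tail
    src = FaultyReader(source, bad_ranges=[(BLOCK_SIZE, 2 * BLOCK_SIZE)])
    dst = io.BytesIO()
    written, md5, sha256, unreadable = image_stream(src, dst, size=len(source))
    image = dst.getvalue()
    return {
        "bytes": written,
        "md5": md5,
        "sha256": sha256,
        "unreadable": unreadable,
        "verified": verify_image(image, sha256),
        "image": image,
    }


if __name__ == "__main__":
    result = demo()
    print("imaged %d bytes, sha256 %s" % (result["bytes"], result["sha256"]))
    print("unreadable ranges (zero-filled):", result["unreadable"])
    print("verification:", "OK" if result["verified"] else "MISMATCH")
```

For a real block device the `size` argument comes from the device itself (on Linux, `os.lseek(fd, 0, os.SEEK_END)` on the opened device), and the source should be opened through a write blocker as described under Common practice below; the acquisition hash and the list of zero-filled ranges belong in the examiner's notes next to the image.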
  
== Disk Imaging Solutions ==
See: [[:Category:Disk Imaging|Disk Imaging Solutions]]
== Common practice ==
It is common practice to use a [[Write Blockers|Write Blocker]] when imaging a physical disk. The write blocker is an additional measure to prevent write access to the disk.

Also see: [[DCO and HPA|Device Configuration Overlay (DCO) and Host Protected Area (HPA)]]
== Error tolerance and recovery ==
...
== Smart imaging ==
Smart imaging is a combination of techniques to make the imaging process more intelligent:
* Compressed storage
* Deduplication
* Selective imaging
* Decryption while imaging
  
=== Compressed storage ===
A common technique to reduce the size of an image file is to compress the data; the compression method must be [http://en.wikipedia.org/wiki/Lossless_data_compression lossless].
On modern computers with multiple cores, the compression can be done in parallel, reducing the output size without prolonging the imaging process.
Since the write speed of the target disk can be a bottleneck in the imaging process, parallel compression can reduce the total time of the imaging process.
[[Guymager]] was one of the first imaging tools to implement multi-process compression for the [[Encase image file format]]. This technique is now used by various imaging tools, including [http://www.tableau.com/index.php?pageid=products&model=TSW-TIM Tableau Imager (TIM)].

Other techniques, like storing the data sparse or using '''empty-block compression''' or '''pattern fill''', can reduce both the total imaging time and the resulting image size for new, non-encrypted (0-byte filled) disks.

=== Deduplication ===
Deduplication is the process of identifying data that occurs more than once on disk and storing it only once in the image.
It is even possible to store the data once for a whole corpus of images, using techniques like hash based imaging.
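The three ideas from the Compressed storage and Deduplication sections in one added example: pattern fill for chunks that are a single repeated byte, hash-based deduplication so each distinct chunk is stored once, and parallel compression of the remaining chunks. This is not Guymager's, TIM's or AFF4's code; the container layout (an ordered list of chunk records plus a store of distinct compressed chunks), the chunk size, the per-record overhead and the sample data are assumptions made for the illustration.

```python
"""Smart imaging of a byte stream: pattern fill, deduplication and parallel compression
(added example with a toy container format; not Guymager's, TIM's or AFF4's code)."""
import hashlib
import zlib
from concurrent.futures import ThreadPoolExecutor

CHUNK_SIZE = 4096      # assumed chunk size; real formats use 32 KiB or more
RECORD_OVERHEAD = 41   # assumed per-chunk metadata: 1-byte kind + 32-byte digest + 8-byte length


def classify(chunk):
    """('fill', byte_value) for a chunk made of one repeated byte, else ('data', sha256_hex)."""
    if chunk == chunk[:1] * len(chunk):
        return ("fill", chunk[0])
    return ("data", hashlib.sha256(chunk).hexdigest())


def _deflate(item):
    digest, raw = item
    return digest, zlib.compress(raw, 6)


def smart_image(data, chunk_size=CHUNK_SIZE, workers=4):
    """Return (records, store).

    records: ordered (kind, key, length) entries describing every chunk of the stream;
    store:   sha256 -> deflated bytes, holding each distinct data chunk exactly once.
    Single-byte-pattern chunks are never stored (pattern fill), repeated chunks are stored
    once (deduplication), and the rest are compressed in a thread pool: zlib releases the
    GIL while deflating, so several cores compress while the sequential reader carries on.
    """
    records = []
    pending = {}  # sha256 -> raw chunk, first occurrence only
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        kind, key = classify(chunk)
        records.append((kind, key, len(chunk)))
        if kind == "data":
            pending.setdefault(key, chunk)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        store = dict(pool.map(_deflate, pending.items()))
    return records, store


def restore(records, store):
    """Rebuild the original stream; raises if a stored chunk does not match its record."""
    out = bytearray()
    for kind, key, length in records:
        if kind == "fill":
            out += bytes([key]) * length
        else:
            raw = zlib.decompress(store[key])
            if len(raw) != length or hashlib.sha256(raw).hexdigest() != key:
                raise ValueError("chunk %s damaged in store" % key)
            out += raw
    return bytes(out)


def stored_size(records, store):
    """Approximate container size: distinct compressed chunks plus per-chunk metadata."""
    return sum(len(c) for c in store.values()) + RECORD_OVERHEAD * len(records)


def demo():
    """Constructed 17-chunk source: unused space, a repeated log block and two random blocks."""
    log_chunk = (b"2013-08-08 01:50:00 sshd: accepted login for user=root\n" * 100)[:CHUNK_SIZE]

    def random_chunk(seed):  # incompressible filler standing in for encrypted data
        return b"".join(hashlib.sha256(seed + str(i).encode()).digest()
                        for i in range(CHUNK_SIZE // 32))

    source = (b"\x00" * CHUNK_SIZE * 8          # zero-filled unused space
              + log_chunk * 3                   # the same block three times (e.g. file copies)
              + b"\xff" * CHUNK_SIZE * 4        # erased flash reads as 0xFF
              + random_chunk(b"a") + random_chunk(b"b"))
    records, store = smart_image(source)
    return source, records, store


if __name__ == "__main__":
    source, records, store = demo()
    print("chunks: %d, distinct stored: %d" % (len(records), len(store)))
    print("raw %d bytes -> about %d bytes" % (len(source), stored_size(records, store)))
    print("round trip:", "OK" if restore(records, store) == source else "MISMATCH")
```

Keying the store by SHA-256 is what makes the corpus-level variant possible: pointing several images' record lists at one shared store is the hash based imaging idea referenced above. The two random chunks also show the limit of the approach noted under Decryption while imaging: high-entropy data comes out of the compressor no smaller than it went in.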
  
=== Selective imaging ===
Selective imaging is a technique to only make a copy of certain information on a disk, like the $MFT on an [[NTFS]] volume, together with the necessary contextual information.

[[EnCase]] Logical Evidence Format (LEF) is an example of a selective image; although only file related contextual information is stored in the format by [[EnCase]].

=== Decryption while imaging ===
Encrypted data is the worst-case scenario for compression. Because the encryption process should be deterministic, one solution to reduce the size of an encrypted image is to store it non-encrypted and compressed, and encrypt it on-the-fly if required. This should rarely be needed, since the non-encrypted data is what undergoes analysis.

== Also see ==
* [[:Category:Forensics_File_Formats|Forensics File Formats]]
* [[Write Blockers]]
* [[Piecewise hashing]]

== External Links ==
* [http://www.tableau.com/pdf/en/Tableau_Forensic_Disk_Perf.pdf Benchmarking Hard Disk Duplication Performance in Forensic Applications], by [[Robert Botchek]]

=== Hash based imaging ===
* [http://www.dfrws.org/2010/proceedings/2010-314.pdf Hash based disk imaging using AFF4], by [[Michael Cohen]], [[Bradley Schatz]]

[[Category:Disk Imaging]]

Chip-Off BlackBerry Curve 9300

Revision as of 01:50, 8 August 2013

Tear Down

  1. Remove the back panel.
  2. Remove the SIM and SD memory card.
  3. Using a Torx T6 screwdriver, remove the 2 visible screws on the back of the phone.
     [1-ScrewRemoval.jpg]
  4. Remove the screen protector using a plastic shim or guitar pick.
     [2-PlasticScreen.jpg]
  5. Use the shim to detach the top-plate/cover from the device.
     [3-TopPlate.jpg]
  6. Remove 4 additional Torx T6 screws.
     [4-ScrewRemoval.jpg]
  7. Detach the vendor plate and remove 2 more Torx T6 screws.
     [5-ScrewRemoval.jpg]
  8. Separate the back plate from the main board.
     [6-SeperateBoard.jpg]
  9. The tear down is now complete.
     [7-TearDownComplete.jpg]

NAND Removal

  1. Peel off the vendor sticker on the back side of the main circuit board.
  2. The NAND is located beneath the heat shield, directly above the Micro SD card slot.
     [8-NAND-Location.jpg]
  3. Place the main board in a stand or holder and position it under a heat gun or another device that blows very hot air. We use a Wagner "model XYZ" positioned approximately 2 1/2" - 3" away from the main board.
     [9-Positioning.jpg]
  4. Monitor the temperature; the heat shield will come off easily between 190-200 °C.
     [10-Temperature.jpg] [11-HeatSheildRemoved.jpg]
  5. Continue working under the high heat. In the 9300's I've worked on there is typically a black epoxy that has been applied to the NAND. Using a razor under the high heat, this epoxy can be easily cut into. Once the epoxy has been cut and with the temperature around 215 °C, the NAND will be easily removed from the main board.
     [12-NANDRemoval.jpg]
  6. The BlackBerry Curve 9300 uses a stacked-die 152-pin BGA: a NAND stacked on a controller, which is soldered to the main board. We are interested in the NAND and therefore must separate it from the controller. This is accomplished with the use of high heat (heat gun), a 20 x 20 x 0.5 cm steel plate and a 10 cm razor blade.
     • Position the steel plate under the heat gun. The plate will heat up and hold the heat; try not to burn yourself.
     • Transfer the NAND+controller to the plate and allow the chip to take in some heat (~1 min).
     • Using long tweezers to hold the chip, begin slicing away the epoxy surrounding the chip with the sharp 10 cm razor; the epoxy will slice easily, allowing you to see a tiny gap between the NAND and the controller.
       [13-3-EpoxyCleanup.jpg] [13-4-EpoxyCleanup.jpg] [13-5-EpoxyCleanup.jpg]
       [13-1-EpoxyCleanup.jpg] [13-2-EpoxyCleanup.jpg]
     • The razor can then be used to separate the two.
       [14-Separation.jpg] [15-Separated.jpg]
  7. Using liquid flux or flux paste and a soldering iron, scrape the remaining epoxy off the NAND and clean it up thoroughly to prep for a NAND read.
     [16-1-SolderCleanup.jpg] [16-2-SolderCleanup.jpg] [17-AllClean.jpg]