Difference between pages "AFF Development Task List" and "JTAG Forensics"

From ForensicsWiki

= JTAG Forensics =

== Definition ==

=== From Wikipedia ([http://en.wikipedia.org/wiki/Joint_Test_Action_Group http://en.wikipedia.org/wiki/Joint_Test_Action_Group]) ===

Joint Test Action Group (JTAG) is the common name for what was later standardized as the IEEE 1149.1 Standard Test Access Port and Boundary-Scan Architecture. It was initially devised for testing printed circuit boards using boundary scan and is still widely used for this application. Today JTAG is also widely used for IC debug ports. In the embedded processor market, essentially all modern processors support JTAG when they have enough pins. Embedded systems development relies on debuggers talking to chips with JTAG to perform operations like single stepping and breakpointing. Digital electronics products such as cell phones or a wireless access point generally have no other debug or test interfaces.

=== Forensic Application ===

JTAG forensics is an acquisition procedure that involves connecting to a device's Test Access Port (TAP), the interface defined by IEEE 1149.1, and instructing the processor to transfer the raw data stored on the connected memory chips. JTAGging supported phones can be an extremely effective technique for extracting a full physical image from devices that cannot be acquired by other means. The procedure requires physical access to the board's test points and a debug port that the manufacturer has not disabled; because the data is read through the processor rather than directly from the flash, the resulting image should be hashed and verified like any other physical acquisition.

== Tools and Equipment ==

* [[JTAG and Chip-Off Tools and Equipment]]

== Procedures ==

* [[JTAG HTC Wildfire S]]
* [[JTAG Huawei TracFone M865C]]
* [[JTAG Huawei TracFone H866C]]
* [[JTAG Huawei U8655]]
* [[JTAG Huawei Y301-A1 Valiant]]
* [[JTAG LG L45C TracFone]]
* [[JTAG LG P930 (Nitro HD)]]
* [[JTAG LG E960 (Nexus 4)]]
* [[JTAG Samsung Galaxy Centura (SCH-S738C)]]
* [[JTAG Samsung Galaxy S4 (SGH-I337)]]

= AFF Development Task List =

AFFLIB has been deprecated. As a result, this page is now obsolete.

== High Priority ==

* When <tt>afinfo -a</tt> is run on a non-AFF file, it notes that the file is "Raw" but continues to attempt to process segments. It should exit if it does not find valid AFF segments. For example, run against a raw image of a 40GB disk created with [[aimage]], <tt>afinfo -a</tt> reported 2,386 segments and then finished with the error message "Cannot calculate missing pages."

* The library does not compile on 64-bit versions of Fedora Core 7 Linux.

* Create man pages and/or documentation for the AFF toolkit, namely:
** [[aimage]]
** [[ident]]
** [[afcat]]
** [[afcompare]]
** [[afconvert]]
** [[affix]]
** [[affuse]]
** [[afinfo]]
** [[afstats]]
** [[afxml]]
** [[afsegment]]

* Add a usage description to [[afcat]]. When run with no arguments, the output should say what the program does.

* Create man pages and/or documentation for the AFF library functions (e.g. <tt>af_open</tt>, <tt>af_get_imagesize</tt>).

* Build the library as a shared library using libtool. This will allow developers using the library to link only against AFF. Without it, developers must link against the static library plus the individual libraries it needs <em>on that machine</em>, and there is no good way to determine those extra libraries.

* Document that <tt>af_write</tt> may not be called without first setting the <tt>image_pagesize</tt> value inside the <tt>AFFILE</tt> structure; not doing so causes a divide-by-zero error. Perhaps we should 1. check that <tt>image_pagesize</tt> is not zero before using it and 2. set <tt>image_pagesize</tt> to a known good default value when opening a new AFF file for writing.

* Check aimage's ability to write a file of 1,073,741,825 bytes ((2**30)+1). It correctly reported reading/writing a 1,073,741,824-byte random byte stream, but did not pick up the extra byte when it was appended to the file, even though <tt>ls -la</tt> correctly shows the size with the extra byte. 42 additional bytes were likewise not read or written. UPDATE: with 511 bytes added it still did not read/write the full file, but adding 512 bytes did cause the whole file (1,073,742,336 bytes) to be read/written, which suggests that a final partial 512-byte block is silently dropped.

== Medium Priority ==
* Is there a set of segment names that must be defined for an AFF file to be ''valid''?

* Document that <tt>af_open</tt> (when opening a file for writing) does more than a standard <tt>fopen</tt> call: it writes an AFF stub of some kind to the output file. Users should be cautioned not to use this function as an existence test, lest they overwrite data.

* Does <tt>af_open</tt> refuse to open a file for writing if it already exists? If so, what kind of error does it return?

* Document how to programmatically enumerate all segments and values in a file, that is, how to reproduce the output of <tt>$ afinfo -a</tt>.

== Low Priority ==

* Add a library function to open standard input. Perhaps:

<pre>AFFILE * af_open_stdin(void);</pre>
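The <tt>af_write</tt> page-size item and the aimage tail-byte item on the task list above describe two failure modes of a page-based image writer: dividing by an unset page size, and losing the bytes after the last whole 512-byte block. The following Python is an added example, not AFFLIB's code or API: <tt>PagedImageWriter</tt>, <tt>expected_page_count</tt>, <tt>acquire</tt> and the 16 MiB default page size are assumptions made for illustration, and the input is constructed to mirror the (2**30)+1 experiment at 2**20 scale.

```python
"""Page-buffered image writer: an added, hypothetical example.

This is not AFFLIB code and not its API. It models the two High Priority
items about af_write's image_pagesize and aimage's lost tail bytes; the
names PagedImageWriter, expected_page_count, acquire and the default page
size below are assumptions made for illustration.
"""
import hashlib

DEFAULT_PAGESIZE = 16 * 1024 * 1024  # assumption: a "known good default" of 16 MiB


class PagedImageWriter:
    """Splits an image into fixed-size pages and flushes a short last page."""

    def __init__(self, image_pagesize=None):
        # Validate the page size up front instead of dividing by it later,
        # and fall back to a default when the caller did not set one.
        if image_pagesize is None:
            image_pagesize = DEFAULT_PAGESIZE
        if image_pagesize <= 0:
            raise ValueError("image_pagesize must be positive before writing")
        self.pagesize = image_pagesize
        self.pages = []        # completed pages, in order
        self.imagesize = 0     # total bytes accepted so far
        self._buf = bytearray()
        self._closed = False

    def write(self, data):
        """Accept bytes; emit every full page, keep the remainder buffered."""
        if self._closed:
            raise ValueError("write after close")
        self._buf += data
        self.imagesize += len(data)
        while len(self._buf) >= self.pagesize:
            self.pages.append(bytes(self._buf[:self.pagesize]))
            del self._buf[:self.pagesize]
        return len(data)

    def close(self):
        """Flush the final partial page instead of dropping it."""
        if self._buf:
            self.pages.append(bytes(self._buf))
            self._buf = bytearray()
        self._closed = True
        return self.imagesize


def expected_page_count(imagesize, pagesize):
    """Number of pages an image of imagesize bytes needs (ceiling division).

    This is the arithmetic that faults when pagesize is zero, which is why
    the writer refuses a zero page size at construction time.
    """
    if pagesize <= 0:
        raise ValueError("pagesize must be positive")
    return (imagesize + pagesize - 1) // pagesize


def acquire_whole_sectors_only(source, sectorsize=512):
    """Models the reported aimage behaviour: only whole 512-byte sectors are
    copied, so 1, 42 or 511 bytes past the last full sector are lost."""
    whole = (len(source) // sectorsize) * sectorsize
    return source[:whole]


def acquire(source, image_pagesize, chunk=4096):
    """Correct acquisition: every byte of source ends up in some page."""
    writer = PagedImageWriter(image_pagesize)
    for off in range(0, len(source), chunk):   # feed the writer in arbitrary chunks
        writer.write(source[off:off + chunk])
    writer.close()
    if len(writer.pages) != expected_page_count(writer.imagesize, image_pagesize):
        raise RuntimeError("page count does not match image size")
    return b"".join(writer.pages)


def verify(source, image):
    """Hash comparison: the check that catches a silently dropped tail."""
    return hashlib.sha256(source).hexdigest() == hashlib.sha256(image).hexdigest()


if __name__ == "__main__":
    # Constructed input mirroring the page's experiment at 2**20 rather than
    # 2**30 bytes, with the same 1, 42, 511 and 512 extra bytes appended.
    base = bytes(range(256)) * (2 ** 20 // 256)
    for extra in (1, 42, 511, 512):
        src = base + b"\xaa" * extra
        sectors = verify(src, acquire_whole_sectors_only(src))
        paged = verify(src, acquire(src, image_pagesize=64 * 1024))
        print(f"+{extra:3d} bytes: sector-only copy {'OK' if sectors else 'LOST TAIL'}, "
              f"paged writer {'OK' if paged else 'LOST TAIL'}")
```

Run as a script, the sector-only copy fails the hash check for the +1, +42 and +511 cases and passes only for +512, reproducing the pattern reported above, while the paged writer passes all four; the hash comparison is the step that should follow any acquisition, since the tool's own byte count reported success in the original experiment.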

Revision as of 19:35, 23 December 2013
