Difference between pages "How to image an IDE disk with aimage and FreeBSD" and "JTAG Forensics"

From ForensicsWiki
'''How to image an IDE disk with aimage and FreeBSD'''

Here is a photo of my disk imaging system:

[[Image:ImagingStationx4.jpg|320px|Photo of an open computer with 4 hard drives connected.]]

Key elements of the disk imaging system:
* You need to have an internal IDE card which is not used for anything but disk imaging;
* You need to have an external hard drive power supply, so that you can power the IDE drives without using your computer's power supply (if you use your computer's power supply, you can easily crash your computer when attaching or detaching the power supply);

=Imaging Checklist=
# [[How To Set Up a Disk Imaging Station|Set up a disk imaging station]];
# You should have a 50-pin IDE ribbon cable going from your IDE controller to the desktop;
# Do not connect your imaging drive yet!
# Boot the computer into [[FreeBSD]];
# Attach the IDE hard drive to the ribbon cable FIRST;
# Now, attach power to the IDE drive;
# You need to determine which ATA port the IDE drive is now connected to. In all likelihood it is <tt>ata0, ata1, ata2</tt> or <tt>ata3</tt>. If you have an internal hard drive on an IDE interface, then the internal interface is probably <tt>ata0</tt> and <tt>ata1</tt> and the external is probably on <tt>ata2</tt> or <tt>ata3</tt>;
# You also need a place to store the [[AFF]] files you are going to be creating. I usually put them in <tt>/usr/affs</tt>, which is a directory you will need to create;
# Log in as ''root'';
# <tt>mkdir /usr/affs</tt>;
# Now, try to image the drive with this command:
  aimage ata2 /usr/affs/disk1.aff
# If this doesn't work, try:
  aimage ata3 /usr/affs/disk1.aff
# If it works, you'll see the [[aimage]] program running.

=What can go wrong=
* ''[[aimage]]'' may not be installed. If you get the error message "aimage: command not found" then you need to install [[AFFLIB]] and then make sure that the ''aimage'' command (usually installed in ''/usr/local/bin'') is in your ''PATH''. You can check this by running ''/usr/local/bin/aimage'' instead of ''aimage'';
* Your source drive can be broken; ''[[aimage]]'' should tell you this;
* You can run out of disk space. You need a LOT of disk space to store disk images — figure 30GB to image a 60GB drive.

=What to do after you have made your images=
Once you have made a few images, you'll need to put them somewhere. Typically this means uploading them to a server.

=See Also=
[[How To Set Up a Disk Imaging Station]]

[[How To Ship Images]]

[[Category:Howtos]]

'''JTAG Forensics''' (revision as of 20:18, 11 September 2013)

== Definition ==
=== From Wikipedia ([http://en.wikipedia.org/wiki/Joint_Test_Action_Group http://en.wikipedia.org/wiki/Joint_Test_Action_Group ]): ===
Joint Test Action Group (JTAG) is the common name for what was later standardized as the IEEE 1149.1 Standard Test Access Port and Boundary-Scan Architecture. It was initially devised for testing printed circuit boards using boundary scan and is still widely used for this application. Today JTAG is also widely used for IC debug ports. In the embedded processor market, essentially all modern processors support JTAG when they have enough pins. Embedded systems development relies on debuggers talking to chips with JTAG to perform operations like single stepping and breakpointing. Digital electronics products such as cell phones or a wireless access point generally have no other debug or test interfaces.

=== Forensic Application ===
JTAG forensics is an acquisition procedure which involves connecting to the Standard Test Access Port (TAPs) on a device and instructing the processor to transfer the raw data stored on connected memory chips. JTAGging supported phones can be an extremely effective technique to extract a full physical image from devices that cannot be acquired by other means.

== Tools and Equipment ==
* [[JTAG and Chip-Off Tools and Equipment]]

== Procedures ==
* [[JTAG HTC Wildfire S]]
* [[JTAG LG P930 (Nitro HD)]]
* [[JTAG Samsung Galaxy S4 (SGH-I337)]]
* [[JTAG Huawei TracFone M865C]]
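The imaging checklist and the "What can go wrong" list above can be turned into a pre-flight script. This is an added example, not code from the wiki page or from AFFLIB; it assumes a FreeBSD host with AFFLIB installed, that the freshly attached drive appears as a new node under <tt>/dev</tt>, and that <tt>aimage</tt> accepts that device name the way the page's <tt>aimage ata2 ...</tt> command does. The function and file names are the example's own.

```shell
#!/bin/sh
# Pre-flight helper for the aimage imaging checklist. Added example, not from
# the wiki page or AFFLIB. Assumptions: FreeBSD with AFFLIB installed, the newly
# attached drive shows up as a new node under /dev, and aimage accepts that
# device name the way the page's "aimage ata2 ..." command does.
set -u

# Locate aimage: PATH first, then the usual AFFLIB install location.
find_aimage() {
    if command -v aimage >/dev/null 2>&1; then
        command -v aimage
    elif [ -x /usr/local/bin/aimage ]; then
        echo /usr/local/bin/aimage
    else
        echo "aimage: command not found (install AFFLIB or fix PATH)" >&2
        return 1
    fi
}

# Names present in the "after" listing but absent from "before": the device
# node(s) the freshly attached source drive landed on (checklist step 7).
new_devices() {  # $1 = /dev listing taken before attaching, $2 = listing after
    before=$(mktemp) && after=$(mktemp) || return 1
    sort "$1" > "$before" && sort "$2" > "$after"
    comm -13 "$before" "$after"
    rm -f "$before" "$after"
}

# Rule of thumb from the page: budget about half the source size (30GB for 60GB).
enough_space() {  # $1 = source size in KB, $2 = free KB in the image directory
    [ "$2" -ge $(( $1 / 2 )) ]
}

# Snapshot /dev, let the operator attach the drive, then image the new device.
image_new_drive() {  # $1 = image directory (page uses /usr/affs), $2 = source KB
    bin=$(find_aimage) || return 1
    mkdir -p "$1"
    ls /dev > "$1/dev.before"
    printf 'Attach the IDE drive to the ribbon cable, then power it; press Enter: '
    read -r _
    ls /dev > "$1/dev.after"
    dev=$(new_devices "$1/dev.before" "$1/dev.after" | head -n 1)
    [ -n "$dev" ] || { echo "no new device appeared under /dev" >&2; return 1; }
    free_kb=$(df -k "$1" | awk 'NR==2 {print $4}')
    enough_space "$2" "$free_kb" || { echo "not enough space in $1" >&2; return 1; }
    "$bin" "$dev" "$1/disk1.aff"
}

case "${1:-}" in run) image_new_drive /usr/affs "${2:?source size in KB}" ;; esac
```

Run it as <tt>sh imaging-preflight.sh run 62500000</tt> (source size in KB) on the imaging station; the other functions can be sourced and used on their own.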
