Now more than ever, there is an expanding need for the law enforcement community to ensure the reliability of digital forensic tools. As technology and security continue to advance beyond what we thought possible, so too must these tools. Anticipating this need, NIST created the Computer Forensics Tool Testing Program (CFTT) in 1999 to establish a methodology for testing forensic software tools. Since its inception, the project has evaluated a wide array of digital forensic tools. In fact, forensic labs around the country use CFTT reports to ensure the quality of their work.
Most recently, NIST computer scientists Rick Ayers and Jenise Reyes-Rodriguez conducted a study to assess two extraction methods and eight software tools that acquire data from damaged mobile phones. Both extraction methods rely on the small metal taps found on circuit boards that manufacturers use to test the boards. The first method, JTAG, involves soldering wires onto the taps to extract data, while the second method, chip-off, works by gently plucking the chips off the board and seating them into chip readers.
Forensic® published an article last Friday detailing the experiment, and spoke to Ayers about these specific methods, data extraction, and the growing field of mobile forensics.
Forensic®: While you found both the JTAG and chip-off methods successful, what are the pros and cons of each method?
Ayers: Both JTAG and chip-off return byte-for-byte memory extractions; they do not require specific data cables for various models of mobile phones, and they increase the chances of recovering data from phones that have suffered liquid, thermal or structural damage. The JTAG technique is non-destructive. Once the data extraction has been completed, the phone can be put back together, which is impossible using chip-off. A downside to JTAG is that the method is tedious and requires specialized expertise in soldering, as well as an understanding of the inner working components of the printed circuit board for a given device. Chip-off is useful if JTAG is not supported, or damage has occurred on the printed circuit board that would prevent JTAG, but the memory chips are still intact. However, it requires costly, specialized equipment and additional training. As mentioned, the chip-off method is destructive. After you’ve done this, there’s no putting the phone back together.
Forensic®: What considerations went into choosing the eight different forensic software tools evaluated in your latest experiment?
Ayers: We chose a mixture of traditional forensic software tools that can be used with many different kinds of devices and tools that were tailored specifically for commonly used mobile devices. Also, we have a Law Enforcement Steering Committee that lets us know what tool testing would be most helpful to the digital forensics community.
Forensic®: Which type of information is the hardest to extract and accurately interpret?
Ayers: Third-party applications, like social media apps, are extremely difficult for vendors to keep up with given the rate of newly released app versions.
Forensic®: In terms of extracting/interpreting data, does the type of phone make a difference, such as iPhone versus Android? What about the model of the phone: are brand new phones harder to analyze than models two or three years older?
Ayers: Data extraction from one model of a phone compared to another doesn’t necessarily factor into the level of difficulty of a data extraction. Newer devices, however, tend to be more difficult than older models as toolmakers will have to update software to properly decode the filesystem and return the data in a readable format.
Forensic®: What other digital forensic tools do you plan to test in the upcoming months?
Ayers: For the remainder of 2020, we are looking at testing around 10 additional mobile forensic tools. Looking beyond mobile, we also plan to test string searching tools, media sanitization tools and possibly hardware write blocking tools.
Forensic®: What are your thoughts on the future of the digital forensics industry?
Ayers: Over the past 15 years of testing digital forensic tools, there has been consistent improvement in the accuracy, sophistication and usability of tools. But tool makers have an ongoing challenge to maintain their software as technology continues to evolve. New devices and new third-party applications are constantly hitting the market, and keeping up with these changes is a huge challenge.
Photo: Computer Scientist Rick Ayers working on a mobile phone data extraction at the National Institute of Standards and Technology (NIST) on January 30, 2020. Credit: Rich Press/NIST.