What is JTAG forensics?
JTAG (Joint Test Action Group) forensics is an advanced data acquisition method in which an examiner connects to a device's Test Access Port (TAP), the debug interface standardized by IEEE 1149.1, and drives the processor to read out the raw contents of the attached flash memory. When a device supports it, jtagging is an extremely effective technique that Binary Intelligence uses to obtain a full physical image from devices that cannot be acquired with normal tools.
When is it appropriate to JTAG an evidence device?
When commercial forensic extraction tools cannot acquire a physical image, or when a device is logically damaged or "bricked". The majority of our JTAG engagements involve pattern-locked Android phones whose lock cannot be bypassed by other means. We also regularly JTAG prepaid cell phone models (such as TracFone, Net10 and Virgin) whose data ports have been intentionally disabled by the carrier.
What are the basic steps of a JTAG forensic examination?
Step 1 – identify the TAP signals (TCK, TMS, TDI, TDO, usually nTRST and a ground reference) by researching documented devices. When the TAP pinout is unknown, inspect the device PCB for candidate test pads and manually trace or probe to pinpoint the correct pins.
Step 2 – solder wire leads to the correct pads or use a solderless jig.
Step 3 – connect the wire leads to a JTAG emulator (also called a JTAG box or debugger) that supports the exhibit device's processor.
Step 4 – read the flash memory after selecting the appropriate device profile or manually configuring the correct processor/memory settings.
Step 5 – analyze the extracted data using industry standard forensic tools and custom utilities.
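The first thing a JTAG emulator does once the leads are attached (Step 3) is reset the TAP and shift out the chain's 32-bit IDCODE registers, which is how the correct processor profile is confirmed before any flash is read (Step 4). The decoder below is an added example, not code from Binary Intelligence or from any JTAG tool; it assumes the bit layout IEEE 1149.1 defines for IDCODE (bit 0 fixed to 1, bits 1-11 the JEP106 manufacturer code, bits 12-27 the part number, bits 28-31 the version) and the rule that a TAP without an IDCODE contributes a single 0 bit in BYPASS. The JEP106 table is a tiny constructed subset, the ARM entry is the well-known CoreSight JTAG-DP value 0x4BA00477, and the second IDCODE in the sample chain is a made-up part number carrying the Texas Instruments manufacturer code.

```python
# Decode the IDCODE words a JTAG scan chain returns after Test-Logic-Reset.
# Added example (not the original page's code). IDCODE layout per IEEE 1149.1:
#   bit 0      : always 1 (distinguishes an IDCODE from a BYPASS bit)
#   bits 1-11  : JEP106 manufacturer code (bits 7-10 = continuation-byte count,
#                bits 0-6 = 7-bit identity code without its parity bit)
#   bits 12-27 : part number
#   bits 28-31 : version
from dataclasses import dataclass
from typing import List, Optional

# Constructed subset of JEP106, keyed by (continuation count, 7-bit code).
JEP106 = {
    (4, 0x3B): "ARM Ltd",
    (0, 0x17): "Texas Instruments",
    (0, 0x4E): "Samsung",
}

# Sentinel: with TDI held high, every bit past the end of the chain reads 1.
END_OF_CHAIN = 0xFFFFFFFF


@dataclass
class TapInfo:
    idcode: Optional[int]        # None for a TAP that answered with BYPASS
    version: int = 0
    part: int = 0
    manufacturer: int = 0        # raw 11-bit JEP106 field
    vendor: str = ""


def decode_idcode(idcode: int) -> TapInfo:
    """Split one 32-bit IDCODE word into its fields and name the vendor."""
    if idcode & 1 != 1:
        raise ValueError(f"{idcode:#010x} is not an IDCODE (bit 0 must be 1)")
    mfg = (idcode >> 1) & 0x7FF
    part = (idcode >> 12) & 0xFFFF
    version = (idcode >> 28) & 0xF
    cont, ident = mfg >> 7, mfg & 0x7F
    vendor = JEP106.get((cont, ident), f"unknown JEP106 {cont}/{ident:#04x}")
    return TapInfo(idcode, version, part, mfg, vendor)


def walk_chain(tdo_bits: str) -> List[TapInfo]:
    """Parse a captured TDO bit string ('0'/'1', in the order the bits
    emerged) into the TAPs of the chain, nearest-to-TDO first.
    A leading 0 is a BYPASS TAP (1 bit); a leading 1 starts a 32-bit
    IDCODE that was shifted out least-significant bit first."""
    taps: List[TapInfo] = []
    pos = 0
    while pos < len(tdo_bits):
        if tdo_bits[pos] == "0":
            taps.append(TapInfo(None, vendor="(no IDCODE, BYPASS)"))
            pos += 1
            continue
        word_bits = tdo_bits[pos:pos + 32]
        if len(word_bits) < 32:
            raise ValueError("capture ends inside an IDCODE word")
        word = int(word_bits[::-1], 2)   # reverse: LSB came out first
        if word == END_OF_CHAIN:
            break
        taps.append(decode_idcode(word))
        pos += 32
    return taps


def idcodes_to_bits(idcodes: List[Optional[int]]) -> str:
    """Serialize a chain the way TDO would present it (constructed sample
    input only; None stands for a TAP in BYPASS), followed by end padding."""
    out = []
    for code in idcodes:
        out.append("0" if code is None else format(code, "032b")[::-1])
    out.append("1" * 32)
    return "".join(out)


# Constructed chain: ARM CoreSight JTAG-DP, one BYPASS device, and a
# made-up TI part (version 1, part 0x1234, manufacturer 0x017).
SAMPLE_CHAIN = [0x4BA00477, None, 0x1123402F]

if __name__ == "__main__":
    for i, tap in enumerate(walk_chain(idcodes_to_bits(SAMPLE_CHAIN))):
        if tap.idcode is None:
            print(f"TAP {i}: {tap.vendor}")
        else:
            print(f"TAP {i}: {tap.idcode:#010x} {tap.vendor} "
                  f"part={tap.part:#06x} version={tap.version}")
```

If the first word decoded is not a recognised vendor, or the part number does not match the profile the emulator selected, stop before attempting a flash read: a wrong processor/memory configuration at Step 4 can write to the device instead of reading it.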
How long is the turnaround time for a JTAG forensic extraction?
Our lab performs numerous JTAG forensic extractions and is constantly upgrading our JTAG toolkit with the latest technologies. When a device is supported, we attempt to complete JTAG engagements in seven to ten days and, when requested, we may be able to provide rush services in one to three days.
What type of devices can be extracted with the JTAG process?
As with chip-off extractions, the majority of our JTAG engagements involve cellular phones; however, forensic jtagging can be employed on any device that contains embedded flash memory, a supported processor and working TAPs. In addition to cell phones, the JTAG method is commonly used to extract data from video gaming systems, tablets and network devices. Note that a device on which the manufacturer has fused off the debug port yields nothing even when the pads are present, and a physical image of storage that is encrypted at rest is of no use without the key.
Here are some actual case examples involving JTAG forensic examinations:
- Workplace harassment – in support of a corporate employee relations investigation, a JTAG extraction was performed on a standard GSM phone which had only limited commercial forensic tool support (file-system only). Important deleted SMS text messages, call logs and pictures were identified by searching the memory image.
- Homicide – a basic prepaid “throw down” phone with a disabled data port was acquired via JTAG and several threatening text messages were recovered from unallocated portions of the physical memory image.
- Suicide – the family of a suicide victim desired access to a pattern-locked Android phone. A JTAG extraction was completed and the correct unlock pattern was recovered from the image and provided.