Cell phones and Chip-off Forensics

About a month ago I started looking into what it would take to have a simple solution for dealing with USB thumb drives, cell phones and other devices with flash memory chips in them when the device was damaged. While this isn’t a hugely common issue, it does happen often enough to be something that is a concern in the forensics community.

The first obvious target was USB thumb drives. A while back these were constructed on a printed circuit board with a small number of chips on it, the big important one being a flash memory chip. If the PC board was damaged it seemed to be a simple matter to get the chip off the board and with the right hardware be able to read it. Well, it turns out that thumb drives are now encapsulated devices without any PC board and completely enclosed in something like epoxy. Whereas before it was a simple matter to get at the flash memory chip today it is mostly impossible. Scratch that target.

The next sort of device is a damaged cell phone. Yes, there is a flash chip in there that could be removed from the PC board. While cell phones are pretty common, they haven’t yet reached the point where they are encapsulated devices like the thumb drives are. This means that if you have a cell phone it would be possible to remove the flash memory chip and read it separately from the phone. That would give you some basics, like text message content, very easily but it is also possible to take this information into tools like Cellebrite and Katana.

Our product Flash Retriever Forensic Edition is something that should be able deal with a chip programmer directly or at least the output files of that sort of device. With the addition of some tools for removing chips and a programmer we should be good to go forward with this, right?

In order to check out the state of things with cell phones I managed to collect up a bunch of fairly simple phones. I started out with the understanding that “smartphones” – Blackberry, iPhone and Android – were going to be excluded from this anyway. So with my nice toolkit, I set down to take some phones apart.

The first phone I got apart was the cheapest Tracphone I could get my hands on. It is made by Samsung and it is an SGH-S125G, if you are interested. It took a bit of work to get it apart without damaging it, but the mission was certainly accomplished – the flash chip was identified and is a BGA-type chip.

I took a couple of other phones apart and until I got to a very old Nokia 5165 every phone had a BGA-type flash chip in it.

A Quad Flat Package type of chip

You are probably asking what is special about a BGA-type flash chip… Let me explain. There are two basic types of chips in use today: those with tiny pins or legs and those without. The ones without are called BGA or ball grid array and have all of the connections on the bottom of the chip.

As you can see from the picture at the right, a BGA type of chip is quite a bit different when it comes to soldering the connections or unsoldering them. While a chip with visible pins, like the QFP chip shown above, can be soldered with an ordinary soldering pencil a BGA chip requires a hot air system in order to melt the solder indirectly. This can be very tricky to do properly without damaging the chip.

A ball grid array type of chip

It needs to be said that today’s consumer electronic devices are manufactured using specialized machines which place the chips on the boards robotically and use large ovens to do the soldering properly. The result is the boards that are produced have an extremely high reliability with failures less than 1% of the output. However, what suffers is repairability – it is extremely difficult to properly remove and replace chips on such boards so a bad chip generally dooms the entire device. It is cheaper to buy a new board (if not the whole device) than it is to try to repair it.

Well, what we are trying to do is remove chips, not repair them. With QFP and similar chips where the pins are visible it is a fairly simple matter to remove these chips. With a minimum of training and trial-and-error someone can successfully remove such chips.

With BGA-type chips it is a completely different matter. It can be an extremely delicate operation and without great care it is very easy to destroy the chip by using too much heat. Just in looking around I found one organization offering a five-day class in BGA chip removal for forensics. And this probably is just the beginning – if you do this all day every day for six months you would be quite good at it, but if it is something you do once or twice a month it is always going to be a very difficult task with lots of destroyed chips.

Because of the difficulties in dealing with BGA type chips and their prevalence in cell phones it looks like we aren’t going to be putting together a package for doing simplistic chip-off forensics. At least not in the next couple of months. The next release of the Flash Retriever Forensic Edition will have the ability to read .HEX files which are output from chip programmers directly – and can then take this file and save it as a raw image file for use with other forensic tools.

I believe there is probably a simple to use BGA chip removal tool out there and all we have to do is find it. It isn’t such an easy task considering that most of the tools are heavily focused on removing a bad chip and then soldering in a new chip and for forensic purposes we aren’t going to consider the much more difficult task of mounting and soldering a BGA chip at all.

If you have any questions about this or chip-off forensics in general, please feel free to email me or add a comment to this topic.