How we do a ‘Chip-Off’ Forensic Data Recovery on a Mobile Phone

Forensic data recovery and mobile phone investigation is the process of salvaging data from failed storage devices such as mobile phones or hard drives. We offer our services across a wide range of devices. Here we will look at the mobile phone side of our company, and more specifically at what is known as a chip-off operation. Chip-off is a useful technique, especially in forensic data recovery, also known as digital discovery or eDiscovery: these are methods of data investigation used by police forces and insurance underwriters. Data Clinic Ltd are experts in recovering data from damaged phones and hard drives.

With any mobile phone or tablet, we first inspect the device to determine whether the failure lies with peripheral components such as batteries, charging ports and screens. If this is the case, then we wouldn’t need to go any further. For a lot of eDiscovery data investigation cases, however, this step serves as a process of elimination, and if this first attempt at recovering the data is unsuccessful we look at the more advanced options available to us. This is typically in the form of advanced micro soldering, JTAG or a Chip-Off operation.

So, what is a ‘Chip-Off’?

A Chip-off is the process of de-soldering the Flash Memory chip from the failed phone / tablet in the hope that we will successfully read its raw data independent of the device.

How do we do a Chip-Off recovery?

To complete a forensic data recovery on a mobile phone, it’s first necessary to determine that a Chip-Off on the phone / tablet is needed; the next step is preparation. The phone must be fully dismantled, including the removal of any protective metal heat shields. When this is done, we identify the eMMC (or NAND) memory chip and place the PCB into a special holder underneath our stereo microscope as shown here.

What is now needed is to remove any underfill from around the memory chip and add specialist flux to the chip. The flux we typically use is Amtech Tacky Flux. The idea is to dispense it all around the chip and then apply heat to it.

The main heat application we use is a Quick 861DA heat gun (image below). This is a station that offers a wide range of options when it comes to applying heat. We make sure to select a correct temperature, airflow and nozzle to do the job properly.

Once the chip has been lifted from the board by carefully applying the correct amount of heat, we proceed to cleaning and re-balling the de-soldered chip. This is a meticulous process in which we need to ensure that each of the 100+ solder contacts has clean solder. It is a manual process that requires skill in precision soldering and a keen eye under the microscope.

Once each pin has been successfully soldered in a uniform manner, it is time to clean the chip up with specialist chemical solutions. This ensures that the contacts are as clean as they can be, and thus the read of the chip should also be good!

There are a lot of readers and programmers available worldwide that you can use to read the raw data of an eMMC NAND memory chip. The honest answer is that they all have different capabilities for different chips. It’s not a case of one being the best. Here are some samples of these available ‘boxes’. When it comes to data discovery and mobile phone investigation, the phone data is fully dumped to a binary image file; we then analyse and decode the raw data. Once it is reconstructed, we can send our customer a summary to let them know the recovery statistics as shown below.

This data can then easily be transferred to another storage device (typically a memory stick) and returned to the customer.
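
As an added illustration of the first analysis pass on a dumped image (an example written for this page, not Data Clinic's own tooling): the Python below hashes the raw image for the evidence record and reads its GPT partition table, using the table's CRC32 fields as an early sign that the chip read contains bit errors. It assumes a GPT-partitioned eMMC user area with 512-byte sectors; the function names and the small sample image are constructed for the example.

```python
import hashlib
import struct
import uuid
import zlib

SECTOR = 512  # assumption: 512-byte logical sectors in the dumped user area

def sha256_of(image: bytes) -> str:
    """Acquisition hash, recorded before any analysis touches the dump."""
    return hashlib.sha256(image).hexdigest()

def parse_gpt(image: bytes):
    """Return [(name, first_lba, last_lba, type_guid)] from the primary GPT."""
    hdr = image[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    hdr_size, stored_crc = struct.unpack_from("<II", hdr, 12)
    # The header CRC is computed with its own 4-byte field zeroed.
    if zlib.crc32(hdr[:16] + b"\0" * 4 + hdr[20:hdr_size]) != stored_crc:
        raise ValueError("GPT header CRC mismatch")
    entries_lba, count, entry_size, array_crc = struct.unpack_from("<QIII", hdr, 72)
    start = entries_lba * SECTOR
    array = image[start:start + count * entry_size]
    if zlib.crc32(array) != array_crc:
        raise ValueError("GPT entry array CRC mismatch")
    parts = []
    for off in range(0, len(array), entry_size):
        e = array[off:off + entry_size]
        if e[:16] == bytes(16):  # all-zero type GUID marks an unused slot
            continue
        first, last = struct.unpack_from("<QQ", e, 32)
        name = e[56:128].decode("utf-16-le").rstrip("\0")
        parts.append((name, first, last, str(uuid.UUID(bytes_le=e[:16]))))
    return parts

def build_sample_image() -> bytes:
    """Constructed 64-sector image with one 'userdata' entry (not real evidence)."""
    entry = (uuid.UUID("0fc63daf-8483-4772-8e79-3d69d8477de4").bytes_le
             + uuid.UUID(int=1).bytes_le + struct.pack("<QQQ", 40, 60, 0)
             + "userdata".encode("utf-16-le").ljust(72, b"\0"))
    array = entry.ljust(4 * 128, b"\0")  # four 128-byte entry slots
    hdr = bytearray(struct.pack("<8sIIIIQQQQ16sQIII", b"EFI PART", 0x10000, 92, 0, 0,
                                1, 63, 34, 62, uuid.UUID(int=2).bytes_le, 2, 4, 128,
                                zlib.crc32(array)))
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)))
    img = bytearray(64 * SECTOR)
    img[SECTOR:SECTOR + 92] = hdr
    img[2 * SECTOR:2 * SECTOR + len(array)] = array
    return bytes(img)
```

A CRC mismatch here does not say which bytes are wrong, only that the partition metadata was not read back intact, which is a reason to re-check the chip contacts and re-read before decoding further.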

To Summarise

A chip-off is one of the procedures that really is a last resort. Chip-off cases are applicable when:

  • The logic board is too severely damaged to repair
  • eDiscovery / digital discovery / forensic phone data recovery is required
  • The lock on a phone is not known and there is no method of bypassing it via software
  • Corrosion cannot be decontaminated
  • Deleted data needs to be recovered

The art of performing a chip-off is something that we pride ourselves on being able to achieve. We have recovered the data from many phones where this was the only option, and we are still carrying out these procedures today.

You can find Data Clinic at The Pavilions, Bridge Hall Lane, Bury, Greater Manchester BL9 7NX


Digital Evidence Investigation – Data Recovery and E-Discovery

As more of our lives are stored digitally, so more of this digital information is often seen as evidence. Maybe a phone contains images from a crime scene, or perhaps a hard drive contains an important email that warrants a forensic investigation of the data. One term for this is forensic data recovery.

Most data recovery companies are able to examine data forensically. Digital evidence examination basically looks at the data on a digital storage device in an attempt to discover if there is any pertinent information detailing illegal activity.

Enquiries for e-discovery (or ‘data discovery’, as it is widely known) vary. Here are a few examples from clients wanting a forensic examination of their hard drives and mobile phones.

Linux ext4 formatted 2TB WD HDD that is fairly new. Will not initialise or mount. Has 1TB of films I need back as the online backup has, incredibly, failed at the same time. I have a spare drive to move the data to. I’m interested in having this data examined forensically – I think the phrase is e-discovery or examination of digital evidence.

My Seagate External Hard drive has stopped working, and the light will not light up. However it does ask for me to initialize the disk, and makes a clicking, beeping noise.

Over Christmas I took a lot of video footage on my phone to make into a short movie – I put my SD card into my laptop and transferred the videos onto my desktop or iCloud, I also made folders for them on my SD card, now when I came to open the folder it has turned into an exec file which now it won’t open my videos and I fear I may have lost them! I tried to download a free software to try to recover the data but it only recovered the audio and even then it was broken, I believe that the footage is still there I just need a way to bring it back, now my Mac is not recognising my SD and I don’t want to keep trying unless I cause further damage. It is only now that I realise that some of the footage may contain digital evidence of wrongdoing and it may be necessary to reproduce this in a legal case. What facilities exist to examine the hard drive, SD card and phone forensically? Can you examine each of them and produce a forensic report as to what activity has taken place on each?
