Recover data forensically for use in court (UK)

In UK legal cases where digital evidence goes to court, it’s important that the contentious data is extracted forensically. This means following ‘chain of custody’ procedures that ensure the recovered data is admissible in a UK court of law. The following are examples of cases where it’s been necessary to preserve data that has been acquired forensically. This digital data has been acquired from either mobile phones or computer hard drives. Forensic data recovery is also possible from CCTV and DVR systems – run a Google search for forensic ‘data recovery companies in London’ or ‘data recovery companies in Manchester’ to find a company that provides this service.

Forensic data recovery of iPhone

I’m trying to find a company that can assist in the forensic data recovery of files from an iPhone. A few days ago I went to update my iPhone 6s to iOS 11.2.5 from the phone. It updated fine but whenever I went into photos or notes it would give me a blank page for 1 minute then disappear; the rest of the phone was fine. I asked a friend for advice and he told me to connect to my MacBook while holding the home and power buttons, then let go of the power button. He told me to click update software (again) and it would overwrite the update and fix my problem. The update loaded half way then crashed, and the phone is now stuck in recovery mode and will not come out of it. I have tried updating again and again but it keeps coming up with error code (14). I do not want to restore the phone as I don’t have a backup saved besides a few small things in iCloud dating back several months; instead I want to forensically recover the phone’s data as I’m involved in an ongoing legal case and the data is to be used in court. I have 7 years’ worth of memories on this phone that I have transferred from phone to phone over the years. The main bit missing would be my photos between 2016 and now. Really distraught as all of my cherished photos from family, holidays and the whole past 2 years are not on iCloud. I do not want to restore and wipe the phone without someone trying to recover my current pictures first. I know that the photos were there after my initial faulty update as when I force pressed the photos album I could see the most recent photo. Now the phone is stuck in recovery mode and continuously failing to update or change screen. I have spoken to multiple people including the Apple Store team who tried on their own laptops and could not help me. PLEASE tell me these can be recovered somehow and you can get through the encryption to access the data??????

Forensic data recovery of external hard disk

Hi – do you provide a forensic data recovery service from an external hard drive? My Lexar external drive failed on me yesterday; it was flashing red when I entered it into my laptop and not being detected. I tried a few online fixes which said to change the drive letter. This helped slightly as the laptop can now detect the USB but there’s no data on it. It’s of paramount importance that I forensically retrieve the files from this device as they form part of the evidence in a court case. I tested out a few data recovery programs but they only recover deleted data from 8th of Jan and before; none of the programs I tried can retrieve data after Jan 8th, specifically my dissertation which I was writing up yesterday and saved on my flash drive. Please can you help me as I tried nearly everything to recover my recent data but it only recovers old data that I don’t need.


How we do a ‘Chip-Off’ Forensic Data Recovery on a Mobile Phone

Forensic data recovery and mobile phone investigation is the process of salvaging data from failed storage devices such as mobile phones or hard drives. We offer our services across a wide range of devices. Here we will look at the mobile phone side of the company, more specifically what is known as a chip-off operation. Chip-off is a useful technique, especially in forensic data recovery, also known as digital discovery or eDiscovery: these are methods of data investigation used by police forces and insurance underwriters. Data Clinic Ltd are experts in recovering data from damaged phones and hard drives.

With any mobile phone or tablet, we initially inspect the device to determine whether the failure is with the peripheral components such as batteries, charging ports and screens. If this is the case, then we wouldn’t need to go any further. For a lot of eDiscovery data investigation cases, however, this step serves as a process of elimination, and if this first attempt at recovering the data is unsuccessful then we look at the more advanced options available to us. These are typically advanced micro soldering, JTAG or a Chip-Off operation.

So, what is a ‘Chip-Off’?

A Chip-off is the process of de-soldering the Flash Memory chip from the failed phone / tablet in the hope that we will successfully read its raw data independent of the device.

How do we do a Chip-Off recovery?

To complete a forensic data recovery on a mobile phone, it’s first necessary to determine that a Chip-Off on the phone / tablet is needed; the next step is preparation. The phone must be fully dismantled, including the removal of any protective metal heat shields. When this is done we identify the eMMC (or NAND) memory chip and place the PCB into a special holder underneath our stereo microscope as shown here.

What is now needed is to remove any underfill from around the memory chip and add specialist flux to the chip. The flux we typically use is Amtech Tacky Flux – the idea with this is to dispense it all around the chip then apply heat to it.

The main heat application we use is a Quick 861DA heat gun (image below). This is a station that offers a wide range of options when it comes to applying heat. We make sure to select a correct temperature, airflow and nozzle to do the job properly.

Once the chip has been lifted from the board by carefully applying the correct amount of heat, we proceed to cleaning and re-balling the de-soldered chip. This is a meticulous process in which we need to ensure that each of the 100+ solder contacts has clean solder. It is a manual process that requires skill in precision soldering and a keen eye under the microscope.

Once each pin has been successfully soldered in a uniform manner, it is time to clean the chip up with specialist chemical solutions. This ensures that the contacts are as clean as they can be and thus the read of the chip should also be good!

There are a lot of readers and programmers available worldwide that you can use to read the raw data of an eMMC NAND memory chip. The honest answer is they all have different capabilities for different chips. It’s not a case of one being the best. Here are some samples of these available ‘boxes’. When it comes to data discovery and mobile phone investigation, the phone data is fully dumped to a binary image file; we then analyse and decode the raw data. Once it is reconstructed we can send our customer a summary to let them know the recovery statistics as shown below.

This data can then easily be transferred to another storage device (typically a memory stick) and returned to the customer.
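For data that must stand up under chain of custody, the binary image and every copy made from it are normally hashed, with each hand-over recorded. The sketch below is an added illustration, not Data Clinic's own tooling: it keeps a hash-chained custody log and flags a copy that no longer matches the acquisition. The record fields, examiner labels, timestamps and the 4 KiB stand-in dump are all constructed assumptions.

```python
import hashlib, json, tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the image through SHA-256 so a multi-GB dump never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def entry_digest(entry):
    """Hash every field except the record's own hash, using canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(log, action, actor, image_path, when):
    """Append a custody record chained to the previous record's hash."""
    entry = {"seq": len(log), "when": when, "action": action, "actor": actor,
             "image_sha256": sha256_file(image_path),
             "prev_hash": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)

def verify_log(log):
    """List problems: broken chain links, edited records, image not matching acquisition."""
    problems = []
    for i, e in enumerate(log):
        if e["prev_hash"] != (log[i - 1]["entry_hash"] if i else "0" * 64):
            problems.append(f"entry {i}: chain link broken")
        if e["entry_hash"] != entry_digest(e):
            problems.append(f"entry {i}: record altered")
        if e["image_sha256"] != log[0]["image_sha256"]:
            problems.append(f"entry {i}: image differs from acquisition")
    return problems

def demo():
    """Constructed sample: a stand-in dump, a faithful copy, a copy with one byte changed."""
    d = Path(tempfile.mkdtemp())
    data = bytes(range(256)) * 16
    for name, blob in (("dump.bin", data), ("copy.bin", data), ("bad.bin", data[:-1] + b"\x00")):
        (d / name).write_bytes(blob)
    log = []
    add_entry(log, "chip-off read to image", "examiner-A", d / "dump.bin", "2024-01-01T10:00:00Z")
    add_entry(log, "copied to return media", "examiner-A", d / "copy.bin", "2024-01-01T12:00:00Z")
    clean = verify_log(log)
    add_entry(log, "copied to return media", "examiner-B", d / "bad.bin", "2024-01-02T09:00:00Z")
    return clean, verify_log(log)
```

A chained log only shows that records and image hashes are internally consistent; it has to be stored and signed off separately from the evidence it describes.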

To Summarise

A chip-off is one of the procedures that really is a last resort. Chip-off cases are applicable when:

  • The logic board is too severely damaged to repair
  • eDiscovery / digital discovery / forensic phone data recovery is required
  • The lock on a phone is not known and there is no method of bypassing it via software
  • Corrosion cannot be decontaminated
  • For deleted data

The art of performing a chip-off is something that we pride ourselves on being able to achieve. We have recovered the data from many phones where this was the only option and are still carrying out these procedures today.

You can find Data Clinic at The Pavilions, Bridge Hall Lane, Bury, Greater Manchester BL9 7NX
