Skip to content

Hardware-based Forensic Analysis

Hardware-based Forensic Analysis

  • JTAG Forensics
  • Chip Off Forensics
  • Bootloader Exploitation

Why we cant obtain Physical bit by bit Image in modern mobile phones?

1. Hardware Security and Encryption

  • Modern Android and iOS devices use file-based encryption tied to hardware keys stored in the secure element (e.g., Android’s TEE, Apple’s Secure Enclave).
  • Even if you somehow copy the raw NAND memory, you’d just get encrypted — not readable data.
  • The encryption key is derived from user credentials and hardware-bound secrets, so it can’t be extracted by imaging alone.

2. Locked Bootloaders and Secure Boot

  • To perform a physical acquisition, you normally need low-level access (e.g., boot into a custom recovery, or use JTAG/Chip-off).
  • But modern phones have verified boot, which only allows signed firmware to run.
  • Unless the bootloader is unlocked (which wipes data) or an exploit is used, forensic tools can’t load a custom image for physical capture.

3. Unlocking is an OS-level unlocking, not giving raw chip access

  • “Unlocked” usually means the user entered the PIN/password, so the OS can mount and decrypt data for apps and users.
  • That does not mean you can access the low-level flash raw areas. Access to raw devices is restricted by the kernel, SELinux, and vendor policies — and often requires root/privileged kernel code.

4. Root/jailbreak required for raw device access — but problematic

  • To read raw blocks from inside the OS you need kernel privileges (root) and kernel support. Rooting/jailbreaking may not be possible (or may alter evidence), and many rooting methods require exploits that are device- and firmware-specific.
  • Even with root, the flash may be using FBE (file-based encryption) with keys only available via the keystore bound to secure hardware; root still might not let you decrypt raw data.

Permanent root vs Temporary root

In permanent - changes persist even on reboot (Kingo Root, One click root)
Manufacturer provide packages and third party apps are available
In temporary - changes are lost once device reboots. (Preferred in Forensics)
Tools such as UFED, XRY, Magnet Verakey use exploits for temporary rooting by pushing script in the RAM of the phone – the exploit is not part of phone memory (only RAM) thus does not alter the integrity of evidence.