Hardware-based Forensic Analysis¶
Hardware-based Forensic Analysis¶
- JTAG Forensics
- Chip Off Forensics
- Bootloader Exploitation
Why we cant obtain Physical bit by bit Image in modern mobile phones?
1. Hardware Security and Encryption
- Modern Android and iOS devices use file-based encryption tied to hardware keys stored in the secure element (e.g., Android’s TEE, Apple’s Secure Enclave).
- Even if you somehow copy the raw NAND memory, you’d just get encrypted — not readable data.
- The encryption key is derived from user credentials and hardware-bound secrets, so it can’t be extracted by imaging alone.
2. Locked Bootloaders and Secure Boot
- To perform a physical acquisition, you normally need low-level access (e.g., boot into a custom recovery, or use JTAG/Chip-off).
- But modern phones have verified boot, which only allows signed firmware to run.
- Unless the bootloader is unlocked (which wipes data) or an exploit is used, forensic tools can’t load a custom image for physical capture.
3. Unlocking is an OS-level unlocking, not giving raw chip access
- “Unlocked” usually means the user entered the PIN/password, so the OS can mount and decrypt data for apps and users.
- That does not mean you can access the low-level flash raw areas. Access to raw devices is restricted by the kernel, SELinux, and vendor policies — and often requires root/privileged kernel code.
4. Root/jailbreak required for raw device access — but problematic
- To read raw blocks from inside the OS you need kernel privileges (root) and kernel support. Rooting/jailbreaking may not be possible (or may alter evidence), and many rooting methods require exploits that are device- and firmware-specific.
- Even with root, the flash may be using FBE (file-based encryption) with keys only available via the keystore bound to secure hardware; root still might not let you decrypt raw data.
Permanent root vs Temporary root
In permanent - changes persist even on reboot (Kingo Root, One click root)
Manufacturer provide packages and third party apps are available
In temporary - changes are lost once device reboots. (Preferred in Forensics)
Tools such as UFED, XRY, Magnet Verakey use exploits for temporary rooting by pushing script in the RAM of the phone – the exploit is not part of phone memory (only RAM) thus does not alter the integrity of evidence.