Extracting data from damaged mobile devices

by

For the last few years we have successfully extracted data from various mobile device, such as cell phones, smartphones, tablets, etc. Among devices to be examined, we came across defective mobile devices (damaged mechanically, by fire or due to being stored in harsh or hostile environmental conditions) from which digital evidence should also be extracted. We have developed several approaches to examining damaged mobile devices which we would like to share with our colleagues.

 

img001

Fig. 1. A phone with a broken display.

img002

Fig. 2. Nokia C1 that has been exposed to high temperatures.

 img003

Fig. 3. A phone that has been stored in harsh environmental conditions. The red indicator shows that the phone has water inside or has been stored in high humidity conditions.

img004

Fig. 4. A phone with mechanical damage (© Aleksey Yakovlev).

 

Before examining a damaged mobile device, a forensic investigator must determine what exactly is damaged in the device. It is not necessary at all to desolder a memory chip at once and perform any further manipulations on it. Experience has proven that there are usually simpler solutions for extracting data from damaged mobile devices.

 

Let’s take a look at them.

 

The most common defect in mobile devices received for forensic examination is a broken display. That is, a mobile device is operational but, because of a broken display, doesn’t show any data. The examination of such mobile devices presents no problems. To examine mobile devices with a broken display, we use UFED (Cellebrite Mobile Synchronization LTD) and .XRY (Micro Systemation). We create a physical memory dump of a mobile device and extract data (a phone book, calls, SMS messages, graphic files, videos, etc.) from it. Sometimes, when available equipment doesn’t support creating a physical memory dump of a mobile device, we perform a logical extraction of data. In this case, a lot of forensic programs for mobile device analysis can be used. For example, Oxygen Forensic Suite (Oxygen Software Company). Moreover, you can always replace a damaged display with a new one. This makes the examination more expensive and time-consuming, but it is often the only possible solution (for example, when examining an Android device with USB Debugging system option disabled).

 

In some cases, to extract data, we use specialized flasher tools (RIFF Box, Medusa Box, etc.) designed for repairing mobile devices. Such flasher tools use JTAG interface for their work. Using specialized flasher tools, you can extract data from mobile devices which have damaged system software or information protected with a PIN.

 

Chip swapping. The method consists in extracting a memory chip from a damaged mobile device and installing it into an identical good device. In doing so, you solve several complex problems which would have to be faced should you decide to use a “Chip-Off” technique: there is no need to know the type of a controller used by the device to process memory chip data, the format of memory pages on the chip, the type and features of a file system used by the device, the format in which data is stored (Oh, as soon as you have to manually decode a physical memory dump, you’ll see what we mean!), etc. The drawbacks of the method include the need for a device (preferably two devices) which is identical to the one received for examination. Desoldering a chip is a very complex and laborious task. There is a risk of destroying data due to heat or mechanical damage to the chip. You may also need equipment for reballing. For example, JOVY SYSTEMS JV-RKC – a kit for reballing BGA chips.

 

When using this method, you cannot rule out the possibility that, after the chip is swapped in the device, all the data on the memory chip will be erased. This often happens when a memory chip controller is installed on the system board as a separate chip. As a rule, structurally it looks like a sandwich: on the one side of the system board there is a memory chip, on the other – a memory controller chip.

Therefore, if you have two identical devices which you can use as “donors”, try to swap their memory chips and look at the device behaviour before examining the device.

 

In cases where memory chip swapping results in data loss, you should place both the memory chip and the memory chip controller from the damaged device into the donor device.

 

When examining a damaged device, you should pay attention to the construction of its system board. We examined a Motorola V3 phone which had spent two years in the ground. The phone looked awful. Various oxides had damaged its housing and system board. It was out of order. However, after the phone had been disassembled, it was found that the system board consisted of several parts. A part of the system board, with a memory chip on it, had suffered from environmental exposure the least. To extract the data from this phone, we bought an identical one at an online auction. We swapped a part of the system board with a memory chip in the purchased phone for the part extracted from the damaged phone and read the data.

 

If none of the above described methods has helped, you’ll have to use a Chip-Off technique.

 

An investigator who wants to extract data from a mobile device memory chip must follow four main steps:

 

1)     Chip extraction.

2)     Extracting data from the memory chip.

3)     Flash translation layer (FTL) reconstruction.

4)     Dump decoding.

 

Let’s take a closer look at these steps:

 

Step 1. Chip extraction.

 

Chip extraction is a rather simple task: it is sufficient to heat the chip with a hot air stream from a soldering station and separate the chip from the system board. On this step, it is very important not to overheat the chip (this will result in data erasure) and damage it mechanically. Gradually rise the temperature of the hot air.

 

Step 2. Extracting data from the memory chip.

 

Our colleagues sometimes ask us, “What flasher tool should be used to extract data from a memory chip of a <mobile device model>?” The question is incorrect. Mobile phone manufacturers can change a chipset of mobile devices even when producing a single batch. That is, when we have two mobile devices from the same batch, we cannot say with confidence that they use identical memory chips. That is why, not knowing what particular chip is used in the mobile device to be examined, you cannot answer the question about the flasher tool, even if you are aware of the phone model. Another piece of bad news is that a mobile device can have several memory chips. You must find all of them.

 

This step is not difficult provided that you have a flasher tool with an adapter for a necessary type of BGA chip form factor. However, to find such a flasher tool is a great problem. We’ve had a lot of discussions with colleagues about what flasher tool to buy for a Chip-Off technique. A good flasher tool with a large number of adapters for various form factors of BGA chips can cost a fortune. It is unprofitable to spend so much on a device which you will not often use. As a result, we have reached a consensus that, if necessary, we’ll rent such equipment from huge service centres that specialize in electronics repair.

 

We’d also like to draw colleagues’ attention to the products EPOS FlashExtractor, from the Ukrainian company EPOS, and PC-3000 Flash, from the Russian company ACE Lab. These equipment kits contain adapters for connecting memory chips of various form factors. But you’ll have to solder chips in adapters provided by EPOS and ACE Lab. It is a very complex and laborious task.

 

Step 3. Flash translation layer (FTL) reconstruction.

 

FTL reconstruction consists in excluding service areas from memory pages and joining these pages correctly. The above mentioned products, EPOS FlashExtractor (EPOS) and PC-3000 Flash (ACE Lab), help a lot in solving tasks on this step. They have large knowledge bases about data storage structure in various types of memory chips and about various controllers used to manage data stored on chips. Using them, you can also perform FTL reconstruction manually.

 

We use the following test to assess the dump received at this stage. Any mobile device contains graphics files. These can be files created by users or files used by programs. We think FTL reconstruction has failed if we cannot recover graphics files (or image fragments) larger than 2 KB from the dump.

 

Step 4. Dump decoding.

 

Dump decoding is a complex task. Basics of dump decoding are taught at training courses (for example, provided by Cellebrite Mobile Synchronization LTD). However, you shouldn’t think that you’ll handle a physical dump of the phone to be examined as easily as you do a training dump. If XRY (Micro Systemation) or UFED Physical Analyzer (Cellebrite Mobile Synchronization LTD) supports decoding a physical dump for the device you are examining, then you can try to decode the extracted dump using these programs. It is easier to use UFED Physical Analyzer (Cellebrite Mobile Synchronization LTD), as it allows to customize action sequence when processing a physical dump and to write custom modules in Python for physical dump analysis. In addition, investigator’s work on this step is made much easier by the following programs: RevEnge (Sanderson Forensics), Phone Image Carver (GetData Pty Ltd), Cell Phone Analyzer (BKForensics).

 

With this, we finish the summary of methods and tools used to extract data from damaged phones. We hope this article has been useful for you.

 

 

About the Author: Igor Mikhaylov

Independent law enforcement professional from Russian FederationInterests:Computer, Cell Phone & Chip-Off ForensicsContacting the Author:http://linkedin.com/in/igormikhaylovcfSite: http://www.weare4n6.com/

 

50 thoughts on “Extracting data from damaged mobile devices”

  1. Nice and a good article, I was quite surprise that data still could recover from mobile devices that had been exposed to a high temperature level, which it gave me a perception of the damage mobile device might have a low recovery rate.

  2. Good article. We are doing exactly the same steps using eg UFED PA, Mobile Phone Carver, .XRY and python scripts to extract and decoding data from damage chips. We use Elnec programmator and adaptors in our Adaya LAB

  5. Heya just came upon your blog via Google after I typed in, “Extracting data from damaged mobile devices ”
    or perhaps something similar (can’t quiite
    remember exactly). Anyways, I’m relieved I found it simply because
    your content is exactly what I’m looking for (writing a university
    paper) and I hope youu don’t mind if I gather some material from here and Iwill of course credit you
    as thhe reference. Thank you.

  6. Good article. Mine Samsung Galaxy Smartphone got damaged due to water and service center says cant recover my data. I want to recover my important photos and images. Do you have any facility in India so that I could get my Data recover.

      • Hello Igor, I am desperately in need of recovery services to get the only photos of my 2 month old son from a hardware-damaged HTC One M7 (Sprint version). Please e-mail me or reply here and let me know how to contact you. I have seen similar services available in a google search, but I do not know which of these companies are legitimate or not. Thank you so much for this hopeful writeup about data recovery on an android device.. you really seem to know your stuff!

      • hello igor Mikhaylov, i’ve had an xperia Z1 that got water damaged and was flashing red light when connected to charger and computer(the pc doesn’t even read the device) , it never powered on and my photos and videos are saved on in the internal memory.

        do you think you can recover my files?

    • Igor,

      This is a great article, very imformative. I have a Galaxy S5 that has been snapped into 2 pieces and I have some very important pictures on it that I’d really like to get pulled off of the internal memory chip. I don’t trust myself to try this. Could you do this for me?

      Thanks,
      Andrew

  11. Hi igor, I recently saw this article and it seems to be what I need. My lgg4 randomly stopped turning on past the reboot screen and unfortunately all my contacts and important data is stored on the internal storage.
    Would there be a way you could let me know if it’s possible to recover the data?
    Thank you

  12. Hi igor, I was wondering if you could help me with recovering my data from my Lgg4 android. It shut off and is now apparently defective and won’t go past the reboot screen. All of my contacts, important pictures and information are stored in its internal memory. Any help would be greatly appreciated!

  13. I have a chocolate mint phone that has pictures i would like to get off of it. It still charges and the screen is fine. But the reader doesnt work at all to tranafer. And it wont tranfer to an sd card either. I tried to put service on it to email it to myself but it wont let me do that either because i have to save it first. Any help would be greatly appreciated!!

  17. Hello GOR MIKHAYLOV! Very important information you have shared. Thanks for sharing. This definitely helps me a lot in my business as well as in my career. We at BEST prepare PCB repair tool kits and materials thats helps in fast repair and modification of lands, traces, contact fingers, SMT pads, plated hole connections and PCB base board material. Our others products are BGA Stencils , Reballing Preform etc. For more visit our website.

  18. Igor, my Sony Experia Z3 recently had a run in with a coral reef I have pictures and videos of my son on there is this something you could extract data from?

  21. Hi Igor,
    I have a hanged LG V10 phone that I need to recover my data from very desperately, would you please be able to do so, I started to loss hope but I’m keeping some faith on professionals like you.
    Please Email me as I’m looking for someone to help me out here.

    Thanks Igor.
    Mimmo

  22. Hi Igor….. I have a samsung galaxy s6 edge plus. My phone was broke in half by someone but the motherboard looks fine. Is there any way to retrieve the photos? They are very important to me and would like to know if there’s anywhere I can take my phone.
    Thanks in advance,
    Shannon

  23. I have an old Sony Erikson that was cracked in half. There are images and videos on it that are literally out of this world, and I do mean literally out of thus world. The images I believe are in the internal memory of ths phone. I am in need of an experts opinion on this as I dont want to risk losing the data.What is the best and safest way to extract these images and videos from my phone? Who should I contact to do this job accurately and also can time dimish their accessibility?Look forward to your response.

  25. Hello Igor, I am desperately in need of recovery services to get the only photos of my 8 month old son from samsung galaxy J7 Display is not working and when i connect to the system it showing Folder empty .Please e-mail me or reply here and let me know how to contact you. I have seen similar services available in a google search, but I do not know which of these companies are legitimate or not. Thank you so much for this hopeful writeup about data recovery on an android device.. you really seem to know your stuff!

  26. Hi Igor my name is Nancy. The reason I am writing is I am in dire need of extracting pictures off of the internal memory of a older style Sony Ericsson phone that I have been holding on to since 2008. I don’t have the battery or any sim cards.l can’t afford too too much but I can pay something to get the pictures I do have on the phone extracted. If this is a possibility I will forever be greatful as this is something that has been a pressing matter since the phone was broken. I do believe that this could be a potential life changing experience for us both. I can go more into detail if you’d like, no problem at all. With that said I thank you In Advance for taking the time in reading this message and I will be eagerly and with great anticipation be 16awaiting your response. Sincerely Nancy Ginter from Winnipeg, Manitoba, Canada.

  28. Hi Igor, i had a old Samsung C300 (from 2007) i broke the phone and burned the motherboard with gas torch. And then i put the phone parts on reguler fire for 15-20 minutes. Phone parts melt away, even aluminum parts melt away but chips on motherboard didn’t. Do you think it’s still recoverable?

  29. hello Igor,I am akasmita my vivo 7 plus phone got damaged and motherboard also broken and service centre says can’t recover my data..I want to recover my important photos..and my photos are not save my Google account before broken my phone ..how to recover my photo..pls sir help me plz..do you have any facility in India..

  31. Hey Igor,

    I had a one plus two phone which is water logged now. When I took it to the service center they told me both the mother board and the display are damaged and they won’t be able to recover any of the data from it. I have pictures and videos of my recent trip to Khoa Lak national park. Is there a way to extract these data? Please mail me.

Leave a Comment