Sasha Sheremetov (Rusolut)

Abstract

In this workshop we will discuss topics related to special technology for physical image extraction and data acquisition from broken flash devices and smartphones – “chip-off” and try it on practice. We will use a special platform for chip-off data recovery and digital forensics – Visual Nand Reconstructor.

The chip-off technology will be shown on the real chips and dumps extracted from damaged smartphones and other flash memory devices. Each participant will have the software installed on the computers in couple with hardware and be able to practice with several cases.

The workshop is divided into three parts:

- In the first part, we will discuss about types of memory chips, its architecture and the ways they store and allocate data. We will also have a look at the structure of data in NAND and the data encoding methods which controllers use in order to prevent fast degradation of memory. To finish this section we will discuss the whole workflow of
chip-off process, step by step.

- In the second part, we will introduce Visual Nand Reconstructor and its features including hardware platform – reader, raw NAND and eMMC adapters for physical image extraction. We will plug the chips into adapters and reader, and then extract physical images out of memory chips.

- The third part will be practical, with analysis of dump from different devices and its processing to files in the Visual Nand Reconstructor software. At the end of day we will talk about the challenges that modern devices bring to digital forensic specialists and the special methods for data acquisition from corrupted embedded devices such as monolithic SD cards, microSD cards and other devices.