Forensic recovery via chip-transplantation in samsung smartphones

Abstract

The advancement of mobile forensic technology has induced the increase of anti-forensic activities such as smartphone destruction, while prompting major manufacturers to strengthen their data encryption policies at the same time. Such changes resulted in forensic analysts having to perform ‘Chip-transplantation’ when extracting data from damaged smartphones. Chip-transplantation is a method referring to transplanting data storage and decryption modules from the original damaged device to a compatible device of same model. However, chip-transplantation consists of procedures such as chip-off which are risky in terms of data integrity, and require comprehensive understanding of the target device's hardware for a successful recovery. This study explores the improvements to chip-transplantation techniques that are compatible with Samsung's premium smartphone's AP and eSE modules. Experimental results indicate that for a successful data acquisition via Chip-Transplantation on Samsung smartphones, transplantation of the eSE module along with the AP and flash memory is required irrespective of user password settings. As there is a lack of research on the physical structure and PCB placement of the eSE, this study provides eSE's terminal information, PCB placement, and jump points to bypass damage to PCB pin terminals. Lastly, for cases where damage to AP or eSE modules is suspected prior to or after transplantation, this study suggests two less invasive and cost-effective diagnostic methods – smartphone log analysis during the boot process and current consumption pattern analysis – that can be used along with conventional continuity testing, thermal imaging, and X-ray analysis. As the adoption of dedicated encryption modules in smartphones grows with privacy protection schemes, this study will contribute to advancing the chip-transplantation success rate against ever-evolving hardware landscape.