WO2008156328A2 - Digital forensic system and method - Google Patents

Publication number
WO2008156328A2
Authority
WO
WIPO (PCT)
Prior art keywords
target board
flash memory
data
control device
forensic
Prior art date
Application number
PCT/KR2008/003512
Other languages
French (fr)
Other versions
WO2008156328A4 (en
WO2008156328A3 (en
Inventor
Ho Cheol Byeon
Original Assignee
Ubitas Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Ubitas Co., Ltd. filed Critical Ubitas Co., Ltd.
Publication of WO2008156328A2 publication Critical patent/WO2008156328A2/en
Publication of WO2008156328A3 publication Critical patent/WO2008156328A3/en
Publication of WO2008156328A4 publication Critical patent/WO2008156328A4/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F15/00 Digital computers in general; Data processing equipment in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04B TRANSMISSION
    • H04B7/00 Radio transmission systems, i.e. using radiation field
    • H04B7/24 Radio transmission systems, i.e. using radiation field for communication between two or more posts
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/02 Terminal devices

Definitions

  • the present invention disclosed herein relates to digital forensics, and more particularly, to a method for recovering evidence from portable information/communication devices and analyzing the evidence.
  • Digital forensics is used to describe a technique for collecting digital evidence and analyzing it. This digital forensics includes all processes related to collection, conservation, analysis, and documentation of evidence and also evidence usage for a trial.
  • the present invention provides a digital forensic system and its method.
  • the present invention provides a digital forensic method for analyzing and recovering digital evidence of portable personal information/communication terminals.
  • the digital forensic method requires all information of the portable terminals such as product information of the portable terminals, user information, all stored data, and deleted and damaged area.
  • the present invention obtains the above information from the portable terminals, and generates it as digital evidence through an authorized analysis tool.
  • Embodiments of the present invention provide a digital forensic system that includes a target board configured to be equipped with a flash memory (or a flash solid state disk (SSD)). This target board has a memory controller. The forensic system further comprises a target board control device for transmitting a file system analysis code to the target board in response to a connection of the target board.
  • the memory controller operates in response to the transmitted file system analysis code, and controls the flash memory to transmit all data stored in the flash memory to the target board control device regardless of a mapping table stored in the flash memory.
  • the file system analysis code comprises a remapping command.
  • the memory controller analyzes file system information stored in a code region of the flash memory in response to the file system analysis code, and transmits an analyzed result to the target board control device.
  • the memory controller changes mapping information about deleted data of the flash memory in response to the remapping command in order to allow the deleted data to be read as undeleted data.
  • the target board control device converts the transmitted binary data into meaningful data according to the transmitted analysis result.
  • the analysis result comprises folder and file structures of data stored in the flash memory, start and end addresses of each folder in the folder structure, a header of a file structure in each of the folders, and data and trailer regions.
  • the memory controller controls the flash memory to allow data corresponding to the changed mapping information to be transmitted to the target board control device.
  • the target board control device converts the data corresponding to the changed mapping information as the deleted data according to the transmitted analysis result.
  • the target board is connected to the target board control device through a Joint Test Action Group (JTAG) port.
  • the target board control device includes: a forensic server; and an emulator connected to a JTAG port and configured to interface between the forensic server and the target board.
  • the target board is configured to be equipped with a mobile device including a flash memory.
  • the mobile device of the target board is connected to the target board control device through a serial interface.
  • FIG. 1 is a block diagram illustrating a digital forensic system according to the present invention
  • FIG. 2 is a block diagram of a mobile forensic server of FIG. 1;
  • FIG. 3 is a block diagram of a target board of FIG. 1;
  • FIG. 4 is a flowchart illustrating a digital forensic method according to the present invention.
  • FIG. 5 is a view illustrating a connection between a target board and a JTAG port of FIG. 1;
  • FIG. 6 is a flowchart confirming whether there is a JTAG port in a target board of FIG. 4;
  • FIG. 7 is a flowchart illustrating a method of extracting information from a flash memory of a target board of FIG. 4;
  • FIG. 8 is a flowchart illustrating a process of generating digital evidence by analyzing extracted information of FIG. 7;
  • FIG. 9 is a view illustrating digital evidence analyzed in FIG. 8.
  • FIG. 1 is a block diagram illustrating a digital forensic system according to the present invention.
  • the digital forensic system 100 includes a target board 10, a Joint Test Action Group (JTAG) emulator 20, and a mobile forensic server 30.
  • the target board 10 is configured to be equipped with a mobile device 11 such as a cellular phone or a flash memory 4.
  • the target board 10 has a Joint Test Action Group (JTAG) port 13 and a standard 24 pin port 14.
  • the JTAG emulator 20 extracts stored information from the flash memory 4 of the target board 10 in response to a control of the mobile forensic server 30.
  • the mobile forensic server 30 controls the JTAG emulator 20 and analyzes the extracted information in order to generate digital evidence.
  • the mobile forensic server 30 includes software for extracting information from the target board 10 by using the JTAG emulator 20 and processes the extracted information. Accordingly, the digital forensic system 100 extracts and processes the information stored in the target board 10 in order to provide digital evidence for a trial.
  • the mobile forensic server 30 connects a serial port 32 or a universal serial bus (USB) port 33 with the standard 24 pin port 14 of the target board 10 for communication.
  • the mobile forensic server 30 may extract from the flash memory 4 letter information, voice information, movie information, picture information, and telephone number information among undeleted effective information. However, there is no way to obtain information such as deleted information or call contents (i.e., caller phone numbers and callee phone numbers).
  • the manufacturer of the target board 10 may provide information or call contents, which are deleted through its software. However, this act infringes privacy and the manufacturer also does not consider it necessary. Additionally, because the target board 10 is manufactured by various manufacturers, the software provided by the manufacturers is not compatible. The mobile forensic server 30 will be described in more detail with reference to FIG. 2.
  • FIG. 2 is a block diagram of the mobile forensic server of FIG. 1.
  • the mobile forensic server 30 includes a forensic driver 40, an operating system (OS) 50, an evidence storage unit 60, a parallel port 31, a serial port 32, and a USB port 33.
  • the OS 50 means an operating system (e.g., Windows XP or LINUX) for driving the mobile forensic server 30.
  • the evidence storage unit 60 stores data analyzed by the forensic driver 40.
  • the forensic driver 40 includes a file system analysis code 41 for analyzing a file system stored in a NAND flash memory of the forensic driver 40 and dumping data stored in the NAND flash memory, an emulator function 42 for controlling the JTAG emulator 20, a data analysis function 43 for analyzing the dumped data, a statistics/management report function 44 for reporting by collecting statistics and managing the data analyzed by the data analysis function 43, a Flash/diagnostic monitor (DM) function 45 for performing DM (i.e., analysis observation) of a flash memory, a DB/log process 46 for generating digital evidence for the evidence storage unit 60, and a user interface (UI) block 47 for connecting the function blocks 41 to 46 to indicate processing states of the target board 10.
  • the forensic driver 40 supports a method of connecting the JTAG emulator 20 with the parallel port 31 or the serial port 32 and the USB port 33, and a method of connecting the standard 24 pin port 14 of the target board 10 with the serial port 32 or the USB port 33.
  • FIG. 3 is a block diagram of the target board of FIG. 1.
  • the present invention is illustrated using a model (i.e., a mobile processor) between MSM6100 and MSM6500 provided from Qualcomm Company.
  • a mobile station modem (MSM) chip provided from Qualcomm Company is equipped with an ARM processor. Because types and versions of the ARM processors are varied according to a model of the MSM chip, a command set controlling a flash memory may differ.
  • the target board 10 includes a memory controller 1, a dynamic random access memory (DRAM) 2, and a NAND flash memory 4.
  • the memory controller 1 built into a mobile device of a code division multiple access (CDMA) type is the MSM chip provided from Qualcomm Company.
  • the memory controller 1 includes a test access port (TAP) controller 8.
  • TAP controller 8 includes an instruction register (IR) and a data register (DR).
  • a state of the TAP controller 8 varies according to data applied to JTAG ports such as test data in (TDI), test mode select (TMS), test clock (TCK), test reset (TRST) ports.
  • the DRAM 2 serves as a main memory that drives the target board 10 and includes an empty space 3.
  • the NAND flash memory 4 stores a booting code and data for driving the target board 10, and includes a code region 5, a data region 6, and a blank space region 7.
  • FIG. 4 is a flowchart illustrating a digital forensic method according to the present invention.
  • a suspect or a criminal usually destroys his/her mobile device containing criminal evidence in order to eliminate materials related to a crime.
  • the mobile device containing criminal materials may be used as digital evidence for a trial.
  • the digital evidence stored in the mobile device may include pictures, movies, call lists, voice records, voice recorded call contents, letter messages, and telephone numbers.
  • a user applies power supply to a mobile device and then determines whether the mobile device normally operates or not in operation 410. Even if the mobile device normally operates after being damaged, the mobile forensic server 30 connects an emulator with a main board of the mobile device and then determines whether there is a JTAG port in the main board of the mobile device in operation 420. If the mobile device does not normally operate, the user detaches only a flash memory from the mobile device and then loads it into a target board 10 in operation 430. That is, the target board 10 is a simulation board or an evaluation board, which is configured to functionally have the same environment as the main board of the mobile device.
  • Main boards of mobile devices manufactured by most major mobile device manufacturing companies typically have a JTAG port. Generally, the main board manufacturers utilize the JTAG port to test and analyze their main boards. However, some mobile device manufacturers may sell products that cannot be connected to the JTAG port of the mobile device.
  • The JTAG emulator 20 determines whether there is the JTAG port in the mobile device in operation 420. If the mobile device does not have the JTAG port, the flash memory built in the mobile device is detached and then loaded into the evaluation board in operation 430.
  • the mobile forensic server 30 analyzes a file system of the flash memory in the mobile device through the JTAG emulator 20, and then receives the dumped binary data stored in the flash memory in operation 440.
  • the mobile forensic server 30 analyzes the dumped binary data in operation 450.
  • a method of confirming whether the JTAG port is built in the main board of the mobile device will be described in more detail with reference to FIGS. 5 and 6.
  • a method of analyzing a file system of a NAND flash memory in the mobile device and receiving dumped binary data stored in the NAND flash memory will be described in more detail with reference to FIG. 7.
  • a method of analyzing the dumped binary data of FIG. 7 will be described in more detail with reference to FIG. 8.
  • FIG. 5 is a view illustrating a connection between the target board and the JTAG port
  • FIG. 6 is a flowchart confirming whether there is the JTAG port in the target board 10 of FIG. 4.
  • the target board 10 provides VCC, nTRST, TDO, TDI, nQREQ,
  • the JTAG port 13 of the target board 10 is connected to a cable 21 of the JTAG emulator 20.
  • the cable 21 of the JTAG emulator 20 is a standard 16 pin two column connector having a pin interval of 2.54 mm.
  • a pull-up resistor Rpu is attached to the nTRST, TDO, TDI, TCK, TMS, and nHRESET ports.
  • the pull-up resistor has a resistance value of 10 kΩ or 4.7 kΩ.
  • a pull-down resistor Rpd is attached to the nQACK port. A resistance value of the pull-down resistor Rpd is 100 Ω.
  • TDO, TDI, TCK, and TMS ports as a basic interface of the JTAG port and conceal the other ports. If all of the JTAG ports are open to the public, technologies of manufacturers can be compromised.
  • the JTAG emulator 20 confirms concealed ports in order to control the target board 10. That is, the mobile forensic server 30 inputs various patterns to the JTAG emulator 20 to confirm the nPRESENT, nQREQ, nSRESET, nHRESET, nCKSTOP, and nQACK ports and analyzes the outputted signals to confirm what kind of ports are connected to the target board 10. Additionally, arbitrary patterns may be applied to the concealed ports and the outputted signals analyzed, according to the method of FIG. 6 for determining whether there is a JTAG port, in order to connect the JTAG ports of the target board 10 with the cable of the JTAG emulator 20.
  • the nSRESET and nCKSTOP ports are generally not used for connection.
  • the nQACK port has an inner ground voltage or a pull-down resistance if there is no MSM chip.
  • An output signal of the nQREQ port is activated if the MSM chip is in a low power mode or a sleep mode. Additionally, the MSM chip enters a check stop mode when an output signal is applied at the CKSTOP port. That is, when a check stop signal CKSTOP is activated, an internal hard reset sequence occurs.
  • a PRESENT pin is pulled down by a debugger if an external debugger is connected. That is, the present invention confirms which cable pin number of the JTAG emulator each port is connected to by using characteristics of public ports.
  • the JTAG emulator 20 sets a state of the TAP controller 8 of the target board 10 to be a "Run-Test/Idle" state in response to a control of the mobile forensic server 30 in operation 421.
  • a "bypass" command is inputted to the command register IR in operation 422.
  • the TAP controller 8 sequentially outputs the signal (which is inputted into the TDI port by the "bypass" command) to the TDO port through a boundary scan register (BSR).
  • the JTAG emulator 20 sequentially inputs an arbitrary data pattern into the TDI port according to a control of the mobile forensic server 30 in operation 423.
  • the JTAG emulator 20 determines whether the pattern outputted from the TDO port is identical to the pattern inputted into the TDI port in operation 424. If they are identical, it is confirmed in operation 425 that the target board 10 has a JTAG interface. If not, it is confirmed in operation 426 that the target board 10 has no JTAG interface.
  • FIG. 7 is a flowchart illustrating a method of extracting information from the flash memory of the target board 10 of FIG. 4.
  • the memory controller 1 confirms a position of the blank block 3 of the DRAM 2 or a position of the blank block 7 of the flash memory 4 in response to a control of the mobile forensic server 30 in operation 441.
  • a file system analysis code FS_anal_code stored in the mobile forensic server 30 is stored in the empty block 3 of DRAM 2 or the empty block 7 of the flash memory 4 through the JTAG emulator 20 in operation 442.
  • the file system analysis code FS_anal_code includes an instruction set for analyzing a file system of a flash memory.
  • the file system analysis code FS_anal_code is executed by the memory controller 1 in operation 443.
  • the memory controller 1 confirms a code region among the flash memory region according to the file system analysis code FS_anal_code in operation 444.
  • the memory controller 1 analyzes a file system structure of the flash memory according to the file system analysis code FS_anal_code in operation 444. For example, in a case of a NAND flash memory, information about start and end addresses of a data region, an address where movie data are stored, an address where letter data are stored, an address where deleted information is stored is analyzed from the file system of the memory.
  • the memory controller 1 returns the analyzed information to the mobile forensic server 30 in operation 446.
  • the memory controller 1 dumps binary data of the flash memory to the mobile forensic server 30 in operation 447.
  • the mapping table of the NAND flash memory marks the deleted information so that it is not read. This means that it is impossible to read the deleted information by using a typical method.
  • a method of remapping the deleted region of the mapping table with marking can be realized by using a flash translation layer (FTL) structure for performance improvement of the NAND flash memory among characteristics of a file system structure of the NAND flash memory.
  • the memory controller 1 executes a command for remapping the deleted information display according to the file system analysis code FS_anal_code such that all data information including deleted information can be dumped into the mobile forensic server 30.
  • the JTAG emulator 20 performs debugging. That is, the JTAG emulator
  • the memory controller 1 confirms the code region of the NAND flash memory according to the file system analysis code FS_anal_code, and then analyzes the file system of the NAND flash memory, which is stored in the code region. That is, the analyzing of the file system of the NAND flash memory allows the dumped binary data to be converted into meaningful data.
  • FIG. 8 is a flowchart illustrating a process of generating digital evidence by analyzing the extracted information of FIG. 7.
  • FIG. 9 is a view illustrating the digital evidence analyzed in FIG. 8.
  • the mobile forensic server 30 stores binary data.
  • the mobile forensic server 30 confirms an entire structure of the dumped binary data in operation 451. That is, the mobile forensic server 30 confirms the binary data structure through a file system analysis of the flash memory of FIG. 7. For example, the mobile forensic server 30 confirms a folder structure of binary data and file types of each folder.
  • the mobile forensic server 30 analyzes a block/page map to convert the binary data into meaningful data in operation 452.
  • FIG. 9 illustrates data obtained by converting the binary data in operation 452.
  • Directory "SKY\SMS\RECV" contains a file RecvDataOOOO.
  • the uppermost 8 bytes of the file RecvDataOOOO contain a pointer where a message starts, the next 32 bytes contain information about transmitter/receiver, the next 240 bytes contain information for message contents, the next 12 bytes contain information for transmitting and receiving, and the next 6 bytes contain the end of the message.
  • the NAND flash memory includes a plurality of blocks. Each block includes a plurality of fixed-size pages.
  • the NAND flash memory performs a read operation, a write operation, an erase operation, and copy back operation.
  • the read operation simply reads contents from the flash memory and the write operation simply writes data to the flash memory. These operations are performed in units of pages.
  • the erase operation is performed by a block unit if there is an operation for writing new data to the flash memory. That is, memory contents are erased for the write operation.
  • the copy back operation copies one page into another page in the flash memory chip.
  • Each page includes a blank area of a couple of bytes for recording out-of-band data.
  • the mobile forensic server 30 analyzes the block/page map and confirms whether there is a deleted area among the analyzed file in operation 453. The mobile forensic server determines whether there is the deleted area or not in operation 454.
  • a command for remapping a deleted mark is used for dumping the deleted area. Accordingly, whether there is a deleted area can be determined from whether the remapping command is used or not.
  • the mobile forensic server 30 confirms the deleted area by using the analyzed data and recovers the deleted data in operation 455. If not, the mobile forensic server 30 reports the digital evidence by using the analyzed data in operation 456.
  • the mapping table for storing an address of the deleted data is modified by the remapping command. Therefore, the mobile forensic server 30 confirms an address where the data of a deleted area are stored by using the modified mapping table, and reads the address to recover the deleted data.
  • the present invention may be applied to prove crime evidence if a mobile device equipped with a flash memory device is used for a crime.
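The loopback test of operations 421 to 426, run against a simulated TAP. This is an added example, not code from the patent; the 4-bit instruction register, the `SimulatedTap` and `FloatingLine` models and the test pattern are assumptions. It shows that the BYPASS register delays the pattern by one TCK, so the comparison in operation 424 must allow for that bit, and that a TDO line held high by its pull-up resistor must not pass.

```python
# Constructed simulation of the BYPASS loopback check; not the patent's code.
# IEEE 1149.1 TAP state table: state -> (next state if TMS=0, next state if TMS=1)
TAP_NEXT = {
    "TEST_LOGIC_RESET": ("RUN_TEST_IDLE", "TEST_LOGIC_RESET"),
    "RUN_TEST_IDLE": ("RUN_TEST_IDLE", "SELECT_DR"),
    "SELECT_DR": ("CAPTURE_DR", "SELECT_IR"),
    "CAPTURE_DR": ("SHIFT_DR", "EXIT1_DR"),
    "SHIFT_DR": ("SHIFT_DR", "EXIT1_DR"),
    "EXIT1_DR": ("PAUSE_DR", "UPDATE_DR"),
    "PAUSE_DR": ("PAUSE_DR", "EXIT2_DR"),
    "EXIT2_DR": ("SHIFT_DR", "UPDATE_DR"),
    "UPDATE_DR": ("RUN_TEST_IDLE", "SELECT_DR"),
    "SELECT_IR": ("CAPTURE_IR", "TEST_LOGIC_RESET"),
    "CAPTURE_IR": ("SHIFT_IR", "EXIT1_IR"),
    "SHIFT_IR": ("SHIFT_IR", "EXIT1_IR"),
    "EXIT1_IR": ("PAUSE_IR", "UPDATE_IR"),
    "PAUSE_IR": ("PAUSE_IR", "EXIT2_IR"),
    "EXIT2_IR": ("SHIFT_IR", "UPDATE_IR"),
    "UPDATE_IR": ("RUN_TEST_IDLE", "SELECT_DR"),
}

IR_LEN = 4                          # assumed instruction register length; real parts differ
PATTERN = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed test pattern containing both levels


class SimulatedTap:
    """Minimal TAP model: only the 1-bit bypass register is implemented."""

    def __init__(self):
        self.state = "TEST_LOGIC_RESET"
        self.ir_shift = [0] * IR_LEN
        self.instruction = [0] * IR_LEN  # latched on Update-IR
        self.bypass = 0

    def clock(self, tms, tdi):
        """One TCK cycle: return the TDO level the host samples, then advance the state."""
        tdo = 1  # TDO is undriven outside the shift states; the pull-up reads as 1
        if self.state == "CAPTURE_IR":
            self.ir_shift = [1] + [0] * (IR_LEN - 1)
        elif self.state == "SHIFT_IR":
            tdo = self.ir_shift[0]
            self.ir_shift = self.ir_shift[1:] + [tdi]
        elif self.state == "CAPTURE_DR":
            self.bypass = 0  # the bypass register captures 0
        elif self.state == "SHIFT_DR":
            tdo, self.bypass = self.bypass, tdi
        self.state = TAP_NEXT[self.state][tms]
        if self.state == "UPDATE_IR":
            self.instruction = list(self.ir_shift)
        return tdo


class FloatingLine:
    """No TAP behind the pins: TDO only ever shows the pull-up level."""

    def clock(self, tms, tdi):
        return 1


def shift_bits(port, bits):
    """Clock bits through the current shift state, raising TMS on the last bit to exit."""
    last = len(bits) - 1
    return [port.clock(1 if i == last else 0, bit) for i, bit in enumerate(bits)]


def probe_jtag(port, pattern):
    """Return True if the pattern comes back on TDO one TCK late, as BYPASS requires."""
    if len(set(pattern)) < 2:
        # An all-ones pattern would also "match" a line that is merely pulled up.
        raise ValueError("pattern must contain both 0 and 1")
    for _ in range(5):              # five TCKs with TMS=1 force Test-Logic-Reset
        port.clock(1, 1)
    port.clock(0, 1)                # operation 421: Run-Test/Idle
    for tms in (1, 1, 0, 0):        # Select-DR, Select-IR, Capture-IR, Shift-IR
        port.clock(tms, 1)
    shift_bits(port, [1] * IR_LEN)  # operation 422: BYPASS is the all-ones instruction
    for tms in (1, 0):              # Update-IR, Run-Test/Idle
        port.clock(tms, 1)
    for tms in (1, 0, 0):           # Select-DR, Capture-DR, Shift-DR
        port.clock(tms, 1)
    out = shift_bits(port, pattern + [0])  # operation 423; the extra bit flushes the bypass stage
    return out[1:] == pattern              # operation 424, allowing for the one-bit delay
```
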
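The record layout given above for the received-message file (8, 32, 240, 12 and 6 bytes), as an added parser that is not part of the patent. It assumes a dumped file holds one or more back-to-back records of that layout; the field names, the sample bytes and the treatment of all-0xFF records as erased flash are assumptions, and fields stay as raw bytes because the description does not give their encodings.

```python
import hashlib
import struct

# Field widths in the order the description lists them for the received-message file.
RECORD = struct.Struct("8s32s240s12s6s")  # 8 + 32 + 240 + 12 + 6 = 298 bytes
# Hypothetical field names chosen for this example.
FIELDS = ("start_pointer", "parties", "contents", "transfer_info", "end_marker")


def parse_records(blob):
    """Split a dumped file into fixed-size records; return (records, leftover_byte_count)."""
    records = []
    usable = len(blob) - len(blob) % RECORD.size
    for offset in range(0, usable, RECORD.size):
        raw = blob[offset:offset + RECORD.size]
        rec = dict(zip(FIELDS, RECORD.unpack(raw)))
        rec["offset"] = offset
        # Assumption: a record that is entirely 0xFF is erased (unprogrammed) flash.
        rec["erased"] = raw == b"\xff" * RECORD.size
        # Per-record digest so an individual finding can be re-verified later.
        rec["sha256"] = hashlib.sha256(raw).hexdigest()
        records.append(rec)
    return records, len(blob) - usable


def evidence_report(blob):
    """Summarise a dump without altering it; the whole-file hash anchors integrity."""
    records, leftover = parse_records(blob)
    return {
        "sha256": hashlib.sha256(blob).hexdigest(),
        "size": len(blob),
        "record_count": len(records),
        "live_records": [r["offset"] for r in records if not r["erased"]],
        "erased_records": [r["offset"] for r in records if r["erased"]],
        "leftover_bytes": leftover,  # a partial record at the end is reported, not parsed
    }


def build_sample():
    """Constructed input: one populated record, one erased record, ten stray bytes."""
    live = RECORD.pack(
        b"\x00" * 8,                                 # placeholder start pointer
        b"SENDER-PLACEHOLDER".ljust(32, b"\x00"),    # placeholder transmitter/receiver
        b"CONSTRUCTED MESSAGE".ljust(240, b"\x00"),  # placeholder message contents
        b"\x00" * 12,
        b"\x00" * 6,
    )
    return live + b"\xff" * RECORD.size + b"\xff" * 10


if __name__ == "__main__":
    for key, value in evidence_report(build_sample()).items():
        print(key, value)
```
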

Abstract

Provided is a digital forensic system including confirming a JTAG port of a mobile device, connecting the mobile device with a JTAG emulator, analyzing a file system of flash memory built in the mobile device, receiving dumped data of the flash memory, analyzing the dumped data, and outputting digital forensic evidence. Accordingly, the digital forensic system extracts and processes evidence information from various mobile devices and then submits it for a trial.

Description

DIGITAL FORENSIC SYSTEM AND METHOD
Technical Field
[1] The present invention disclosed herein relates to digital forensics, and more particularly, to a method for recovering evidence from portable information/communication devices and analyzing the evidence.
Background Art
[2] Digital forensics is used to describe a technique for collecting digital evidence and analyzing it. This digital forensics includes all processes related to collection, conservation, analysis, and documentation of evidence and also evidence usage for a trial.
[3] Digital-format information accounts for more than 95 % of the information currently produced and circulated. As digital technologies have developed, crime evidence exists in various places such as networks, the internet, databases, mobile devices, etc. Because portable personal digital devices such as mobile phones, personal digital assistants (PDAs), electronic schedulers, digital cameras, MP3 players, camcorders, and portable memory cards are very small and easy to carry, they can be concealed without difficulty. When evidence must be obtained, it is very important to extract the necessary information from those digital devices and analyze it in order to secure digital evidence.
[4] Digital evidence collection and analysis processes are technically complex and difficult, such that the integrity and authenticity of evidence are determined by the professionalism of the analyst. Research into various methodologies and digital forensic solutions for portable personal digital devices is becoming more essential. Accordingly, the participation of IT specialists and research into digital forensic techniques are in demand in order to achieve a high level of digital evidence collection and analysis.
Disclosure of Invention
Technical Problem
[5] The present invention provides a digital forensic system and its method.
Technical Solution
[6] The present invention provides a digital forensic method for analyzing and recovering digital evidence of portable personal information/communication terminals. The digital forensic method requires all information of the portable terminals such as product information of the portable terminals, user information, all stored data, and deleted and damaged area. The present invention obtains the above information from the portable terminals, and generates it as digital evidence through an authorized analysis tool.
[7] Embodiments of the present invention provide a digital forensic system that includes a target board configured to be equipped with a flash memory (or a flash solid state disk (SSD)). This target board has a memory controller. The forensic system further comprises a target board control device for transmitting a file system analysis code to the target board in response to a connection of the target board.
[8] The memory controller operates in response to the transmitted file system analysis code, and controls the flash memory to transmit all data stored in the flash memory to the target board control device regardless of a mapping table stored in the flash memory. The file system analysis code comprises a remapping command.
[9] The memory controller analyzes file system information stored in a code region of the flash memory in response to the file system analysis code, and transmits an analyzed result to the target board control device. The memory controller changes mapping information about deleted data of the flash memory in response to the remapping command in order to allow the deleted data to be read as undeleted data.
[10] The target board control device converts the transmitted binary data into meaningful data according to the transmitted analysis result. The analysis result comprises folder and file structures of data stored in the flash memory, start and end addresses of each folder in the folder structure, a header of a file structure in each of the folders, and data and trailer regions.
[11] The memory controller controls the flash memory to allow data corresponding to the changed mapping information to be transmitted to the target board control device.
[12] The target board control device converts the data corresponding to the changed mapping information as the deleted data according to the transmitted analysis result.
[13] The target board is connected to the target board control device through a Joint Test Action Group (JTAG) port.
[14] The target board control device includes: a forensic server; and an emulator connected to a JTAG port and configured to interface between the forensic server and the target board.
[15] The target board is configured to be equipped with a mobile device including a flash memory.
[16] The mobile device of the target board is connected to the target board control device through a serial interface.
Brief Description of the Drawings
[17] FIG. 1 is a block diagram illustrating a digital forensic system according to the present invention;
[18] FIG. 2 is a block diagram of a mobile forensic server of FIG. 1;
[19] FIG. 3 is a block diagram of a target board of FIG. 1;
[20] FIG. 4 is a flowchart illustrating a digital forensic method according to the present invention;
[21] FIG. 5 is a view illustrating a connection between a target board and a JTAG port of FIG. 1;
[22] FIG. 6 is a flowchart confirming whether there is a JTAG port in a target board of FIG. 4;
[23] FIG. 7 is a flowchart illustrating a method of extracting information from a flash memory of a target board of FIG. 4;
[24] FIG. 8 is a flowchart illustrating a process of generating digital evidence by analyzing extracted information of FIG. 7; and
[25] FIG. 9 is a view illustrating digital evidence analyzed in FIG. 8.
Best Mode for Carrying Out the Invention
[26] Preferred embodiments of the present invention will be described below in more detail with reference to the accompanying drawings. The present invention may, however, be embodied in different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the present invention to those skilled in the art.
[27] FIG. 1 is a block diagram illustrating a digital forensic system according to the present invention. Referring to FIG. 1, the digital forensic system 100 includes a target board 10, a Joint Test Action Group (JTAG) emulator 20, and a mobile forensic server 30.
[28] The target board 10 is configured to be equipped with a mobile device 11 such as a cellular phone or a flash memory 4. The target board 10 has a Joint Test Action Group (JTAG) port 13 and a standard 24 pin port 14. The JTAG emulator 20 extracts stored information from the flash memory 4 of the target board 10 in response to a control of the mobile forensic server 30. The mobile forensic server 30 controls the JTAG emulator 20 and analyzes the extracted information in order to generate digital evidence.
[29] The mobile forensic server 30 includes software for extracting information from the target board 10 by using the JTAG emulator 20 and processes the extracted information. Accordingly, the digital forensic system 100 extracts and processes the information stored in the target board 10 in order to provide digital evidence for a trial.
[30] Moreover, the mobile forensic server 30 connects a serial port 32 or a universal serial bus (USB) port 33 with the standard 24 pin port 14 of the target board 10 for communication. In this case, by using software provided from the manufacturer of the target board 10, information can be read from or programmed into the flash memory 4 of the target board 10.
[31] If the software provided by the manufacturer is used, reading of information stored in the flash memory 4 is limited. For example, the mobile forensic server 30 may extract from the flash memory 4 letter information, voice information, movie information, picture information, and telephone number information among undeleted effective information. However, there is no way to obtain information such as deleted information or call contents (i.e., caller phone numbers and callee phone numbers). The manufacturer of the target board 10 may provide, through its software, information or call contents that have been deleted. However, this act infringes privacy, and the manufacturer does not feel it necessary. Additionally, because the target board 10 is manufactured by various manufacturers, the software provided by the manufacturers is not compatible. The mobile forensic server 30 will be described in more detail with reference to FIG. 2.
[32] FIG. 2 is a block diagram of the mobile forensic server of FIG. 1.
[33] Referring to FIGS. 1 and 2, the mobile forensic server 30 includes a forensic driver 40, an operating system (OS) 50, an evidence storage unit 60, a parallel port 31, a serial port 32, and a USB port 33.
[34] The OS 50 means an operating system (e.g., Windows XP or LINUX) for driving the mobile forensic server 30. Here, a case where the mobile forensic server 30 is driven by Windows XP will be described.
[35] The evidence storage unit 60 stores data analyzed by the forensic driver 40.
[36] The forensic driver 40 includes a file system analysis code 41 for analyzing a file system stored in a NAND flash memory of the forensic driver 40 and dumping data stored in the NAND flash memory, an emulator function 42 for controlling the JTAG emulator 20, a data analysis function 43 for analyzing the dumped data, a statistics/management report function 44 for reporting by collecting statistics and managing the data analyzed by the data analysis function 43, a flash/diagnostic monitor (DM) function 45 for performing DM (i.e., analysis observation) of a flash memory, a DB/log process 46 for generating digital evidence for the evidence storage unit 60, and a user interface (UI) block 47 for connecting the function blocks 41 to 46 to indicate processing states of the target board 10.
[37] The forensic driver 40 supports a method of connecting the JTAG emulator 20 with the parallel port 31 or the serial port 32 and the USB port 33, and a method of connecting the standard 24 pin port 14 of the target board 10 with the serial port 32 or the USB port 33.
[38] FIG. 3 is a block diagram of the target board of FIG. 1.
[39] The present invention is illustrated using a model (i.e., a mobile processor) between MSM6100 and MSM6500 provided from Qualcomm Company. A mobile station modem (MSM) chip provided from Qualcomm Company is equipped with an ARM processor. Because types and versions of the ARM processors are varied according to a model of the MSM chip, a command set controlling a flash memory may differ.
[40] Referring to FIG. 3, the target board 10 includes a memory controller 1, a dynamic random access memory (DRAM) 2, and a NAND flash memory 4. The memory controller 1, built into a mobile device of a code division multiple access (CDMA) type, refers to the MSM chip provided by Qualcomm Company.
[41] The memory controller 1 includes a test access port (TAP) controller 8. The TAP controller 8 includes an instruction register (IR) and a data register (DR). A state of the TAP controller 8 varies according to data applied to TAP. In more detail, a state of the TAP controller 8 varies according to data applied to JTAG ports such as test data in (TDI), test mode select (TMS), test clock (TCK), test reset (TRST) ports.
[42] The DRAM 2 serves as a main memory that drives the target board 10 and includes an empty space 3. The NAND flash memory 4 stores a booting code and data for driving the target board 10, and includes a code region 5, a data region 6, and a blank space region 7.
[43] FIG. 4 is a flowchart illustrating a digital forensic method according to the present invention.
[44] A suspect or a criminal usually destroys his/her mobile device containing criminal evidence in order to eliminate materials related to a crime. The mobile device containing criminal materials may be used as digital evidence for a trial. The digital evidence stored in the mobile device may include pictures, movies, call lists, voice records, voice recorded call contents, letter messages, and telephone numbers.
[45] Referring to FIGS. 3 and 4, a user applies power supply to a mobile device and then determines whether the mobile device normally operates or not in operation 410. Even if the mobile device normally operates after being damaged, the mobile forensic server 30 connects an emulator with a main board of the mobile device and then determines whether there is a JTAG port in the main board of the mobile device in operation 420. If the mobile device does not normally operate, the user detaches only a flash memory from the mobile device and then loads it into a target board 10 in operation 430. That is, the target board 10 is a simulation board or an evaluation board, which is configured to functionally have the same environment as the main board of the mobile device.
[46] Main boards of mobile devices, manufactured by most of the major mobile device manufacturing companies, typically have a JTAG port. Generally, the main board manufacturers utilize the JTAG port to test and analyze their main boards. However, some mobile device manufacturers may sell products that cannot be connected to the JTAG port of the mobile device.
[47] The JTAG emulator 20 determines whether there is the JTAG port in the mobile device in operation 420. If the mobile device does not have the JTAG port, the flash memory built in the mobile device is detached and then loaded into the evaluation board in operation 430. If there is the JTAG port in the mobile device, the mobile forensic server 30 analyzes a file system of the flash memory in the mobile device through the JTAG emulator 20, and then receives the dumped binary data stored in the flash memory in operation 440. The mobile forensic server 30 analyzes the dumped binary data in operation 450.
[48] A method of confirming whether the JTAG port is built in the main board of the mobile device will be described in more detail with reference to FIGS. 5 and 6. A method of analyzing a file system of a NAND flash memory in the mobile device and receiving dumped binary data stored in the NAND flash memory will be described in more detail with reference to FIG. 7. A method of analyzing the dumped binary data of FIG. 7 will be described in more detail with reference to FIG. 8.
[49] FIG. 5 is a view illustrating a connection between the target board and the JTAG port 13 of FIG. 1, and FIG. 6 is a flowchart confirming whether there is the JTAG port in the target board 10 of FIG. 4.
[50] Referring to FIG. 5, the target board 10 provides VCC, nTRST, TDO, TDI, nQREQ, TCK, TMS, nSRESET, nHRESET, nCKSTOP, and nQACK ports as the JTAG port 13. The JTAG port 13 of the target board 10 is connected to a cable 21 of the JTAG emulator 20. The cable 21 of the JTAG emulator 20 is a standard 16 pin two column connector having a pin interval of 2.54 mm.
[51] A pull-up resistor Rpu is attached to the nTRST, TDO, TDI, TCK, TMS, and nHRESET ports. The pull-up resistor has a resistance value of 10KΩ or 4.7KΩ. Additionally, a pull-down resistor Rpd is attached to the nQACK port. A resistance value of the pull-down resistor Rpd is 100Ω.
[52] Typically, mobile device manufacturers providing the JTAG port reveal the nTRST, TDO, TDI, TCK, and TMS ports as a basic interface of the JTAG port and conceal the other ports. If all of the JTAG ports are open to the public, technologies of manufacturers can be compromised.
[53] Through the JTAG port of the target board 10, the JTAG emulator 20 confirms concealed ports in order to control the target board 10. That is, the mobile forensic server 30 inputs various patterns to the JTAG emulator 20 to confirm the nPRESENT, nQREQ, nSRESET, nHRESET, nCKSTOP, and nQACK ports and analyzes outputted signals to confirm what kind of ports are connected to the target board 10. Additionally, arbitrary patterns may be applied to the concealed ports, and the outputted signals analyzed according to the method of FIG. 6 of determining whether there is the JTAG port or not, in order to connect the JTAG ports of the target board 10 with the cable of the JTAG emulator 20.
[54] For example, the present invention confirms the JTAG interface through an eight pin definition provided from Qualcomm Company. The nSRESET and nCKSTOP ports are generally not used for connection. The nQACK port has an inner ground voltage or a pull-down resistance if there is no MSM chip. An output signal of the nQREQ port is activated if the MSM chip is in a low power mode or a sleep mode. Additionally, the MSM chip enters a check stop mode when an output signal is applied at the CKSTOP port. That is, when a check stop signal CKSTOP is activated, an internal hard reset sequence occurs. A PRESENT pin is pulled down by a debugger if an external debugger is connected. That is, the present invention confirms which cable pin number of the JTAG emulator each port is connected to by using characteristics of public ports.
[55] Description for the JTAG emulator of FIG. 6 follows standard IEEE 1149.1-1990, i.e., IEEE Standard Test Access Port and Boundary-Scan Architecture.
[56] Referring to FIGS. 3, 5, and 6, the JTAG emulator 20 sets a state of the TAP controller 8 of the target board 10 to a "Run-Test/Idle" state in response to a control of the mobile forensic server 30 in operation 421. A "bypass" command is inputted to the instruction register IR in operation 422. The TAP controller 8 sequentially outputs the signal (which is inputted into the TDI port by the "bypass" command) to the TDO port through a boundary scan register (BSR). The JTAG emulator 20 sequentially inputs an arbitrary data pattern into the TDI port according to a control of the mobile forensic server 30 in operation 423. The JTAG emulator 20 determines whether the pattern outputted from the TDO port is identical to the pattern inputted into the TDI port in operation 424. If they are identical, it is confirmed that the target board 10 has a JTAG interface in operation 425. If not, it is confirmed that the target board 10 has no JTAG interface in operation 426.
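The loopback check of operations 421 to 426 can be followed on a software model of an IEEE 1149.1 TAP. The code below is an added example, not part of the patent and not the emulator's firmware; the 4-bit instruction register, the reset instruction value, the class names, and the test pattern are assumptions. It also shows two details the paragraph leaves implicit: the bypass register delays the pattern by one TCK cycle, and the pattern must contain both 0 and 1 because an unconnected TDO line with a pull-up reads as constant 1.

```python
# Added example: software model of an IEEE 1149.1 TAP, not a driver for real hardware.
# TAP state table: state -> (next state if TMS=0, next state if TMS=1)
TAP = {
    "TLR": ("RTI", "TLR"),            "RTI": ("RTI", "SEL_DR"),
    "SEL_DR": ("CAP_DR", "SEL_IR"),   "CAP_DR": ("SH_DR", "EX1_DR"),
    "SH_DR": ("SH_DR", "EX1_DR"),     "EX1_DR": ("PAUSE_DR", "UPD_DR"),
    "PAUSE_DR": ("PAUSE_DR", "EX2_DR"), "EX2_DR": ("SH_DR", "UPD_DR"),
    "UPD_DR": ("RTI", "SEL_DR"),      "SEL_IR": ("CAP_IR", "TLR"),
    "CAP_IR": ("SH_IR", "EX1_IR"),    "SH_IR": ("SH_IR", "EX1_IR"),
    "EX1_IR": ("PAUSE_IR", "UPD_IR"), "PAUSE_IR": ("PAUSE_IR", "EX2_IR"),
    "EX2_IR": ("SH_IR", "UPD_IR"),    "UPD_IR": ("RTI", "SEL_DR"),
}


class SimulatedTap:
    """One device on the chain. IR_LEN and the reset instruction (0) are assumptions."""
    IR_LEN = 4
    BYPASS = 0b1111  # the all-ones instruction selects the 1-bit bypass register

    def __init__(self):
        self.state, self.ir, self.ir_shift, self.bypass_bit = "TLR", 0, 0, 0

    def clock(self, tms, tdi):
        """Apply one TCK cycle and return the bit seen on TDO."""
        tdo = 1  # TDO is undriven outside the Shift states; the pull-up reads 1
        if self.state == "CAP_IR":
            self.ir_shift = 0b0001  # the captured IR value ends in binary 01
        elif self.state == "SH_IR":
            tdo = self.ir_shift & 1
            self.ir_shift = (self.ir_shift >> 1) | (tdi << (self.IR_LEN - 1))
        elif self.state == "CAP_DR":
            self.bypass_bit = 0  # the bypass register captures 0
        elif self.state == "SH_DR":
            if self.ir == self.BYPASS:
                tdo, self.bypass_bit = self.bypass_bit, tdi
            else:
                tdo = 0
        self.state = TAP[self.state][tms]
        if self.state == "UPD_IR":
            self.ir = self.ir_shift  # the shifted instruction becomes active
        elif self.state == "TLR":
            self.ir = 0
        return tdo


class FloatingPins:
    """No TAP behind the pads: the pull-up on TDO makes every read return 1."""
    state = "n/a"

    def clock(self, tms, tdi):
        return 1


def clock_tms(dev, tms_bits):
    """Walk the TAP state machine with TDI held low."""
    for tms in tms_bits:
        dev.clock(tms, 0)


def shift(dev, bits):
    """Clock bits in on TDI from a Shift state; the last bit leaves it (TMS=1)."""
    return [dev.clock(int(i == len(bits) - 1), b) for i, b in enumerate(bits)]


def probe_jtag(dev, pattern):
    """Return True if the pattern comes back on TDO delayed by one bit."""
    if len(set(pattern)) < 2:
        raise ValueError("pattern needs both 0 and 1, or a pulled-up TDO line passes")
    clock_tms(dev, [1, 1, 1, 1, 1, 0])     # reset, then Run-Test/Idle (operation 421)
    clock_tms(dev, [1, 1, 0, 0])           # Run-Test/Idle -> Shift-IR
    shift(dev, [1] * SimulatedTap.IR_LEN)  # load BYPASS (operation 422)
    clock_tms(dev, [1, 0])                 # Update-IR -> Run-Test/Idle
    clock_tms(dev, [1, 0, 0])              # Run-Test/Idle -> Shift-DR
    out = shift(dev, pattern + [0])        # operation 423, plus one flush bit
    clock_tms(dev, [1, 0])                 # Update-DR -> Run-Test/Idle
    return out[0] == 0 and out[1:] == pattern  # operation 424


PATTERN = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed test pattern
```
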
[57] FIG. 7 is a flowchart illustrating a method of extracting information from the flash memory of the target board 10 of FIG. 4. Referring to FIGS. 3 and 7, the memory controller 1 confirms a position of the blank block 3 of the DRAM 2 or a position of the blank block 7 of the flash memory 4 in response to a control of the mobile forensic server 30 in operation 441.
[58] A file system analysis code FS_anal_code stored in the mobile forensic server 30 is stored in the empty block 3 of DRAM 2 or the empty block 7 of the flash memory 4 through the JTAG emulator 20 in operation 442. The file system analysis code FS_anal_code includes an instruction set for analyzing a file system of a flash memory.
[59] The file system analysis code FS_anal_code is executed by the memory controller 1 in operation 443. The memory controller 1 confirms a code region among the flash memory region according to the file system analysis code FS_anal_code in operation 444. The memory controller 1 analyzes a file system structure of the flash memory according to the file system analysis code FS_anal_code in operation 444. For example, in a case of a NAND flash memory, information about start and end addresses of a data region, an address where movie data are stored, an address where letter data are stored, an address where deleted information is stored is analyzed from the file system of the memory. The memory controller 1 returns the analyzed information to the mobile forensic server 30 in operation 446. The memory controller 1 dumps binary data of the flash memory to the mobile forensic server 30 in operation 447.
[60] For example, if arbitrary information is deleted in the NAND flash memory, a mapping table of the NAND flash memory performs marking in order not to read the deleted information. This means that it is impossible to read the deleted information by using a typical method.
[61] Therefore, a method of remapping the deleted region of the mapping table with marking can be realized by using a flash translation layer (FTL) structure for performance improvement of the NAND flash memory among characteristics of a file system structure of the NAND flash memory.
[62] The memory controller 1 executes a command for remapping the deleted information display according to the file system analysis code FS_anal_code such that all data information including deleted information can be dumped into the mobile forensic server 30.
[63] Moreover, the JTAG emulator 20 performs debugging. That is, the JTAG emulator 20 directly controls a memory management unit (MMU) in the memory controller 1, thereby dumping all data including deleted information to the mobile forensic server 30.
[64] The memory controller 1 confirms the code region of the NAND flash memory according to the file system analysis code FS_anal_code, and then analyzes the file system of the NAND flash memory, which is stored in the code region. That is, the analyzing of the file system of the NAND flash memory allows the dumped binary data to be converted into meaningful data.
[65] FIG. 8 is a flowchart illustrating a process of generating digital evidence by analyzing the extracted information of FIG. 7. FIG. 9 is a view illustrating the digital evidence analyzed in FIG. 8.
[66] Referring to FIGS. 3 and 8, the mobile forensic server 30 stores binary data. The mobile forensic server 30 confirms an entire structure of the dumped binary data in operation 451. That is, the mobile forensic server 30 confirms the binary data structure through a file system analysis of the flash memory of FIG. 7. For example, the mobile forensic server 30 confirms a folder structure of binary data and file types of each folder.
[67] The mobile forensic server 30 analyzes a block/page map to convert the binary data into meaningful data in operation 452. For example, FIG. 9 illustrates data obtained by converting the binary data in operation 452. Directory "SKY\SMS\RECV" contains a file RecvDataOOOO. The uppermost 8 bytes of the file RecvDataOOOO contain a pointer where a message starts, the next 32 bytes contain information about transmitter/receiver, the next 240 bytes contain information for message contents, the next 12 bytes contain information for transmitting and receiving, and the next 6 bytes contain the end of the message.
[68] The NAND flash memory includes a plurality of blocks. Each block includes a plurality of fixed-size pages. The NAND flash memory performs a read operation, a write operation, an erase operation, and a copy back operation. The read operation simply reads contents from the flash memory and the write operation simply writes data to the flash memory. These operations are performed by a page unit. The erase operation is performed by a block unit if there is an operation for writing new data to the flash memory. That is, memory contents are erased for the write operation. The copy back operation copies one page into another page in the flash memory chip. Each page includes a blank area of a couple of bytes for recording out-of-band data.
[69] One disadvantage of the flash memory is that it is impossible to overwrite data. That is, if a page is changed, it is impossible to overwrite the page and it is necessary to allocate a new page for storing new data. This means that the old page becomes useless when new data are written into the new page. That is, if an erase operation is performed on arbitrary data of the flash memory, the arbitrary data are not actually detected but are stored in another page.
[70] Referring to FIGS. 3 and 8, the mobile forensic server 30 analyzes the block/page map and confirms whether there is a deleted area among the analyzed file in operation 453. The mobile forensic server determines whether there is the deleted area or not in operation 454.
[71] For example, if there is a deleted area in the flash memory, a command for remapping a deleted mark is used for dumping the deleted area. Accordingly, the determining whether the remapping command is used or not can determine whether there is deleted area or not.
[72] If there is a deleted area, the mobile forensic server 30 confirms the deleted area by using the analyzed data and recovers the deleted data in operation 455. If not, the mobile forensic server 30 reports the digital evidence by using the analyzed data in operation 456.
[73] For example, if a remapping command is used for dumping the deleted area of the flash memory, the mapping table for storing an address of the deleted data is modified by the remapping command. Therefore, the mobile forensic server 30 confirms an address where the data of a deleted area are stored by using the modified mapping table, and reads the address to recover the deleted data.
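The analysis described in operations 452 to 455 can be followed on a raw dump that includes each page's out-of-band bytes. The code below is an added example, not the patent's file system analysis code. The page size (512 data bytes plus 16 spare bytes), the spare-area layout (logical page number, write sequence, status byte), the field names, and the sample dump are assumptions constructed for illustration; real flash translation layers differ. It separates the pages a normal read would return from pages hidden by a deleted mark or by a newer write, then slices a recovered page with the 8/32/240/12/6-byte record layout given above for the received-message file.

```python
import struct

PAGE_DATA = 512                  # assumed data bytes per page
OOB_SIZE = 16                    # assumed spare (out-of-band) bytes per page
PAGE_RAW = PAGE_DATA + OOB_SIZE

# Hypothetical spare-area layout (not a real FTL's): logical page number (u32),
# write sequence (u32), status byte, 7 pad bytes.
OOB = struct.Struct("<IIB7x")
ST_VALID, ST_DELETED = 0xFF, 0x00  # assumed: deleting clears the status byte

# Field sizes the text gives for one received-message record (298 bytes in total).
# Field names are made up for this example.
SMS_FIELDS = [("start_ptr", 8), ("parties", 32), ("body", 240),
              ("txrx_info", 12), ("end", 6)]


def iter_pages(dump):
    """Yield (physical_page_no, data, oob) for every raw page in the dump."""
    if len(dump) % PAGE_RAW:
        raise ValueError("dump is not a whole number of pages")
    for n in range(len(dump) // PAGE_RAW):
        raw = dump[n * PAGE_RAW:(n + 1) * PAGE_RAW]
        yield n, raw[:PAGE_DATA], raw[PAGE_DATA:]


def classify(dump):
    """Return (live, hidden).

    live maps logical page -> physical page as a mapped read would see it.
    hidden lists (physical page, logical page, reason) for pages that still
    hold data but are marked deleted or superseded by a newer write.
    """
    newest, written = {}, []
    for ppn, data, oob in iter_pages(dump):
        if data == b"\xff" * PAGE_DATA and oob == b"\xff" * OOB_SIZE:
            continue  # erased page, never written
        lpn, seq, status = OOB.unpack(oob)
        written.append((ppn, lpn, status))
        if status == ST_VALID and seq > newest.get(lpn, (-1, None))[0]:
            newest[lpn] = (seq, ppn)
    live = {lpn: ppn for lpn, (_, ppn) in newest.items()}
    hidden = [(ppn, lpn, "deleted" if status == ST_DELETED else "superseded")
              for ppn, lpn, status in written if live.get(lpn) != ppn]
    return live, hidden


def split_sms(record):
    """Slice a record into its fields; values stay raw bytes because the
    text does not state how each field is encoded."""
    total = sum(size for _, size in SMS_FIELDS)
    if len(record) < total:
        raise ValueError(f"record shorter than {total} bytes")
    fields, off = {}, 0
    for name, size in SMS_FIELDS:
        fields[name] = record[off:off + size]
        off += size
    return fields


def recover_deleted(dump):
    """Return [(physical page, fields)] for pages carrying a deleted mark.
    Treating each such page as a message record is an assumption of the sample."""
    _, hidden = classify(dump)
    pages = {ppn: data for ppn, data, _ in iter_pages(dump)}
    return [(ppn, split_sms(pages[ppn])) for ppn, _, why in hidden if why == "deleted"]


def make_page(lpn, seq, status, payload):
    return payload.ljust(PAGE_DATA, b"\x00") + OOB.pack(lpn, seq, status)


def build_sample_dump():
    """Constructed four-page dump; none of these bytes come from a real device."""
    sms = (b"\x00" * 8 + b"sender=A;receiver=B".ljust(32, b"\x00")
           + b"meet at 9".ljust(240, b"\x00") + b"\x00" * 12 + b"\xee" * 6)
    return b"".join([
        make_page(0, 1, ST_VALID, b"contacts v1"),  # superseded by sequence 3
        make_page(1, 2, ST_DELETED, sms),           # message marked as deleted
        make_page(0, 3, ST_VALID, b"contacts v2"),  # current copy
        b"\xff" * PAGE_RAW,                         # erased page
    ])
```
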
[74] The above-disclosed subject matter is to be considered illustrative, and not restrictive, and the appended claims are intended to cover all such modifications, enhancements, and other embodiments, which fall within the true spirit and scope of the present invention. Thus, to the maximum extent allowed by law, the scope of the present invention is to be determined by the broadest permissible interpretation of the following claims and their equivalents, and shall not be restricted or limited by the foregoing detailed description.
Industrial Applicability
[75] The present invention may be applied to prove crime evidence if a mobile device equipped with a flash memory device is used for a crime.

Claims

[1] A digital forensic system comprising: a memory controller; a target board configured to be equipped with a flash memory; and a target board control device for transmitting a file system analysis code to the target board in response to a connection of the target board, wherein the memory controller of the target board operates in response to the transmitted file system analysis code, and controls the flash memory to transmit all data stored in the flash memory to the target board control device regardless of a mapping table stored in the flash memory.
[2] The digital forensic system of claim 1, wherein the memory controller analyzes file system information stored in a code region of the flash memory in response to the file system analysis code, and transmits an analyzed result to the target board control device.
[3] The digital forensic system of claim 2, wherein the file system analysis code comprises a remapping command and the memory controller changes mapping information about deleted data of the flash memory in response to the remapping command in order to allow the deleted data to be read as undeleted data.
[4] The digital forensic system of claim 2, wherein the target board control device converts the transmitted binary data into meaningful data according to the transmitted analysis result.
[5] The digital forensic system of claim 4, wherein the analysis result comprises folder and file structures of data stored in the flash memory, start and end addresses of each folder in the folder structure, a header of a file structure in each of the folders, and data and trailer regions.
[6] The digital forensic system of claim 2, wherein the memory controller controls the flash memory to allow data corresponding to the changed mapping information to be transmitted to the target board control device.
[7] The digital forensic system of claim 6, wherein the target board control device converts the data corresponding to the changed mapping information as the deleted data according to the transmitted analysis result.
[8] The digital forensic system of claim 1, wherein the target board is connected to the target board control device through a Joint Test Action Group (JTAG) port.
[9] The digital forensic system of claim 1, wherein the target board control device comprises: a forensic server; and an emulator connected to a JTAG port and configured to interface between the forensic server and the target board.
[10] The digital forensic system of claim 1, wherein the target board is configured to be equipped with a mobile device including a flash memory.
[11] The digital forensic system of claim 10, wherein the mobile device of the target board is connected to the target board control device through a serial interface.
[12] A forensic method comprising: transmitting a file system analysis code to a target board in response to a connection of the target board including a flash memory; and transmitting all data stored in the flash memory into the target board control device regardless of a mapping table stored in the flash memory according to the transmitted file system analysis code.
[13] The forensic method of claim 12, wherein the transmitting of the data into the target board control device comprises: analyzing file system information stored in a code region of the flash memory in response to the file system analysis code; and transmitting the analyzed result to the target board control device.
[14] The forensic method of claim 13, wherein the transmitting of the data into the target board control device further comprises changing mapping information about deleted data of the flash memory to allow the deleted data to be read as undeleted data in response to a remapping command included in the file system analysis code.
[15] The forensic method of claim 13, further comprising converting the transmitted binary data into meaningful data according to the transmitted analysis result.
PCT/KR2008/003512 2007-06-21 2008-06-20 Digital forensic system and method WO2008156328A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020070061186A KR100901743B1 (en) 2007-06-21 2007-06-21 Digital forensic system and method
KR10-2007-0061186 2007-06-21

Publications (3)

Publication Number Publication Date
WO2008156328A2 true WO2008156328A2 (en) 2008-12-24
WO2008156328A3 WO2008156328A3 (en) 2009-02-26
WO2008156328A4 WO2008156328A4 (en) 2009-04-16

Family

ID=40156811

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2008/003512 WO2008156328A2 (en) 2007-06-21 2008-06-20 Digital forensic system and method

Country Status (2)

Country Link
KR (1) KR100901743B1 (en)
WO (1) WO2008156328A2 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101183975B1 (en) 2010-03-26 2012-09-19 한국전자통신연구원 Pin-map discrimination system and method foe discriminating pin-map using the same
JP6467233B2 (en) * 2015-01-29 2019-02-06 株式会社Screenホールディングス Inspection apparatus, drawing apparatus, and inspection method
KR102335310B1 (en) * 2020-04-01 2021-12-08 주식회사 한컴위드 Method and program for forensic acquisition of evidence data through security bypass
KR102260901B1 (en) * 2020-04-28 2021-06-04 주식회사 에스엔티웍스 device for collecting physical data of solid state drive and collecting method thereof

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007067424A2 (en) * 2005-12-06 2007-06-14 David Sun Forensics tool for examination and recovery of computer data

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
BREEUWSMA, I.M.F.: 'Forensic imaging of embedded systems using JTAG(boundary-scan)' DIGITAL INVESTIGATION vol. 3, no. 1, 2006, pages 32 - 42, XP005335506 *
JEONG I.R. ET AL: 'Technologies and trends of digital forensics' ELECTRONICS AND TELECOMMUNICATIONS TRENDS vol. 22, no. 1, 2007, pages 97 - 104 *
WILLASSEN S.: 'Forensic analysis of mobile phone internal memory' IFIP INTERNATIONAL FEDERATION FOR INFORMATION PROCESSING vol. 194, 2005, pages 191 - 204 *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012015363A1 (en) * 2010-07-30 2012-02-02 Agency For Science, Technology And Research Acquiring information from volatile memory of a mobile device
US8838094B2 (en) 2010-07-30 2014-09-16 Agency For Science, Technology And Research Acquiring information from volatile memory of a mobile device
WO2014193058A1 (en) * 2013-05-30 2014-12-04 한국전자통신연구원 Device and method for providing security in remote digital forensic environment
US9734346B2 (en) 2013-05-30 2017-08-15 Electronics And Telecommunications Research Institute Device and method for providing security in remote digital forensic environment
US9886596B1 (en) 2013-10-31 2018-02-06 Square, Inc. Systems and methods for secure processing with embedded cryptographic unit
US10430616B2 (en) 2013-10-31 2019-10-01 Square, Inc. Systems and methods for secure processing with embedded cryptographic unit
CN104182541A (en) * 2014-09-05 2014-12-03 四川效率源信息安全技术有限责任公司 Method for showing smart phone data information
US10410202B1 (en) 2016-12-31 2019-09-10 Square, Inc. Expedited booting with brownout monitoring
US10410189B2 (en) 2017-09-30 2019-09-10 Square, Inc. Scanning system with direct access to memory
US10528928B1 (en) 2017-09-30 2020-01-07 Square, Inc. Scanning system with direct access to memory

Also Published As

Publication number Publication date
KR20090002208A (en) 2009-01-09
WO2008156328A4 (en) 2009-04-16
WO2008156328A3 (en) 2009-02-26
KR100901743B1 (en) 2009-06-10

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08766472

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08766472

Country of ref document: EP

Kind code of ref document: A2