Mobile phone data recovery and all flash recoveries use two types of techniques. These offer data recovery engineers access to a low-level image of the data, by interrogating the NAND memory chip directly. However, both techniques are very different. Mobile phones, flash storage and solid-state-drives rely on memory chips for storing information in direct contrast to hard disk drives, which still use rotating platters and read/write heads.
Hard disk drives use a common approach to data storage, meaning that data recovery tools can be generic. Flash devices on the other hand vary considerably in their approach. With a wealth of different data formats, file structures, algorithms, memory types and configurations, data extractors are often ‘device specific’. This means that the only way to gain a bit for bit copy of the raw data is to interrogate the memory chips directly, effectively bypassing the operating system. This is where chip-off and JTAG technology features.
The chip-off approach (as its name suggests) requires de-soldering of the memory chip(s) from the circuitry. To remove the chip(s) from the device without damage requires precision skill under a microscope. Any mistake risks losing all the data permanently. Once the chip is removed it can be read with data extractors. NAND chips typically found on SD cards and iPhones is much easier to read than others. This is simply because the memory architecture and pin configuration are standardised. The pins are located on the outside and so no rebuilding of the connectors is necessary. Other types of chip such as the BGA have multiple connectors on the underside that are directly soldered to the motherboard and thousands of different configurations – a much more difficult task!
JTAG on the other hand doesn’t require removal of the chip(s). Put simply, a data recovery engineer can access the memory through the JTAG ports. Although a much more lengthy process, this approach does not ‘destroy’ the media and keeps it in a working state – a critical requirement in forensic investigations. On the downside, JTAG is not as successful and is a riskier proposition.
Once a low-level image has been obtained by either method, this is ‘decoded’ and the user’s data rebuilt. Both chip-off and JTAG technology is expanding and becoming much more reliable. As such our data recovery success rates from mobile phones is approaching that of hard disk drives.