Chip-off Forensics is the process in which a BGA memory chip is removed from a device and prepared so that a chip reader can acquire the raw data to obtain a physical data dump. A chip reader, like the UP 828P Programmer or a SIREDA test socket, is required to perform the read and in the case of the UP 828P, a specific adapter will be required depending on the specific chip. Unlike JTAG, chip-off is a destructive process, and the device will no longer function. Many examiners start with a non-destructive technique like JTAG or ISP before submitting to a Chip-off.
Joint Test Action Group (JTAG) is an industry standard devised for testing printed circuit boards (PCBs) using boundary scan and was designed to quickly and easily test PCBs coming off a manufacturing assembly line. JTAG Forensics is a process that uses that same process and involves connecting the the Test Access Ports (TAPs) on a PCB via solder, molex or jig and then uses a supported JTAG Box (Riff, Z3X, ATF, etc.) to instruct the processor to acquire the raw data stored on the connected memory chip to get a full physical image from the device. This process is non-destructive to the phone.
In-System Programming (ISP) applied to forensics, is the practice of connecting to an eMMC or eMCP flash memory chip for the purpose of downloading a device’s complete memory contents. eMMC and eMCP memory are the standard in today’s smartphones, and the ISP practice enables examiners to directly recover a complete data dump without removing the chip or destroying the device. Identifying the taps that connect to the memory chip using a multimeter is required in ISP technique. Thus, for each evidence phone, a second identical phone that can be destroyed will be needed.