Among data recovery techniques, the chip-off is typically used during forensic analysis and in cases where the device is completely destroyed or has no connection interface for extraction. Here is how to put it into practice, along with the risks and the most common problems.
17 Nov 2021, Michele Vitiello, Computer forensic consultant
The chip-off technique represents a data recovery method that is used in extreme cases, when the device is completely destroyed or there is no connection interface for extraction.
Data recovery: how and when to use the chip-off
The chip-off is usually chosen as a last resort, after trying all the less complex and invasive data recovery techniques, such as the use of forensic software (Cellebrite UFED or Oxygen Forensic Detective), the repair of the device and the extraction using JTAG (Joint Test Action Group).
The chip-off involves disassembling the device, identifying the memory and, just as the name suggests, removing the chip that contains all the information of interest.
The chip-off can be performed not only on USB pendrives, but also on mobile phones and some types of smartphones and tablets, music players, audio recorders and any other device with memory.
This technique is used for recovery from flash type memories (eMMC, NAND, OneNAND and NOR) and the chips can be of two types: BGA (Ball Grid Array) and TSOP (Thin Small Outline Package).
Two images of BGA and TSOP chips.
BGA chips are much more difficult to desolder, as they have 40 to 255 contact pins located on the bottom of the chip, while TSOPs have a series of external pins located on the sides.
The desoldering tool to use naturally depends on the package type. For BGA chips an infrared one is advisable, because the plate at its base lets it heat and desolder from both sides, which makes removal easier. For TSOPs a hot-air one is enough, since only the sides need to be heated before desoldering.
Data recovery: the phases of the chip-off technique
The steps needed to complete the chip-off technique are listed below:
- disassembly of the damaged device and identification of the memory chip;
- desoldering the chip using the appropriate instrumentation;
- cleaning the chip with suitable chemical products and checking the condition following the desoldering;
- connection of the chip to readers and specialized instrumentation, in order to extract the information in its raw state (memory dump);
- conversion of the data to make it readable to the user.
General concepts and structure of Flash chips
Devices that mount flash memories can have different connection interfaces: USB, SATA, SD, microSD, MS, XD and so on.
Data to be saved on the device first passes through the connection interface; the controller then processes it according to specific rules and writes the result to the memory chips. When the data changes, the controller corrects all the information and replaces what has changed.
As for the inverse procedure, the controller reads the data of interest from the chip, carries out the necessary manipulations to make them accessible to the user and transmits them to the connection interface.
All the data reading, acquisition, conversion and saving phases are carried out with the aid of specific data recovery suites; one of the most widely used is AceLaboratory PC3000 Flash.
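Because the controller sits between the interface and the chips, a raw dump read directly from a chip is in physical order and still carries the controller's bookkeeping, which is why the conversion phase is needed. The following added example (not from the article or from any recovery suite) rebuilds a logical image from a constructed dump under a deliberately simplified model. The page geometry, the spare-area layout (logical page number plus write sequence) and all function names are assumptions; real controllers use their own undocumented layouts.

```python
import struct

# Toy geometry (assumption); real NAND pages are far larger.
DATA_SIZE = 16    # user-data bytes per page
SPARE_SIZE = 4    # spare (out-of-band) bytes per page
PAGE_SIZE = DATA_SIZE + SPARE_SIZE
ERASED = 0xFFFF   # an erased page reads back as all 0xFF

def split_pages(raw: bytes):
    """Yield (logical_page, sequence, data) for each physical page."""
    if len(raw) % PAGE_SIZE:
        raise ValueError("dump length is not a multiple of the page size")
    for off in range(0, len(raw), PAGE_SIZE):
        data = raw[off:off + DATA_SIZE]
        # Assumed spare layout: logical page number, write sequence.
        lpn, seq = struct.unpack(">HH", raw[off + DATA_SIZE:off + PAGE_SIZE])
        yield lpn, seq, data

def rebuild_logical_image(raw: bytes):
    """Return (current_image, stale_pages) from a raw physical dump."""
    newest = {}   # logical page -> (sequence, data)
    stale = []    # superseded copies still present on the chip
    for lpn, seq, data in split_pages(raw):
        if lpn == ERASED:
            continue
        if lpn in newest and newest[lpn][0] > seq:
            stale.append((lpn, seq, data))
            continue
        if lpn in newest:
            stale.append((lpn, *newest[lpn]))
        newest[lpn] = (seq, data)
    blank = b"\x00" * DATA_SIZE  # filler for logical pages with no copy
    image = b"".join(newest.get(n, (0, blank))[1]
                     for n in range(max(newest, default=-1) + 1))
    return image, stale

def make_page(lpn: int, seq: int, text: bytes) -> bytes:
    """Build one constructed physical page (data + spare)."""
    return text.ljust(DATA_SIZE, b" ") + struct.pack(">HH", lpn, seq)

# Constructed sample: physical order differs from logical order, and
# logical page 0 was rewritten, leaving its old copy behind.
SAMPLE_DUMP = b"".join([
    make_page(1, 1, b"world"),
    make_page(0, 1, b"old version"),
    b"\xff" * PAGE_SIZE,
    make_page(0, 2, b"hello"),
])
```

The stale list is where superseded content that has not yet been overwritten shows up; it is invisible through the device's normal interface but present in the chip-off dump.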
Risks and problems of the chip-off
The chip-off technique is a very complex operation: it consists of several delicate phases, so the possibility of making mistakes is very high. It takes considerable skill both manually and in the use of the specific software.
If the chip is not removed by experts in the field, serious and very often permanent damage can result, eventually leading to the loss of all the data it contains.
The most difficult and delicate phase is certainly the desoldering of the chip: you need to be able to masterfully dose the temperature and have a lot of manual skill and patience, as well as an adequate instrumentation kit.
Data recovery: chip off and computer forensics
While conducting judicial investigations, it is not uncommon to come across people who have tried to eliminate the evidence of the crime using imaginative methods, engaging in feats such as throwing the tablet out of the window, throwing the smartphone in the toilet or chopping USB pendrives in the blender.
Unaware of the technology underlying the devices, they mistakenly believed that destroying the device in these ways would be enough. They were caught out all the same, because the memory chips were left intact and the data could still be recovered. In fact, they ended up helping the investigation by inadvertently admitting that the device they tried to destroy held relevant data.
During the forensic copying phases it is always necessary to certify the acquisition method. In the case of a chip-off, since it is a one-time assessment, it is advisable to record all the steps that lead to the extraction of the data, in order to demonstrate the operations carried out to third parties.
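One way to keep such a record in a form a third party can check is sketched below as an added example; it is not a procedure given in the article. It assumes SHA-256 digests and a JSON-serialised log in which each entry is chained to the hash of the previous one; the function names, operator id, timestamps and step texts are all constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def append_step(log, timestamp, operator, action, evidence=None):
    """Append one documented step, chained to the hash of the previous one."""
    entry = {
        "index": len(log),
        "timestamp": timestamp,
        "operator": operator,
        "action": action,
        # Digest of the artefact this step produced (e.g. the raw dump).
        "evidence_sha256": sha256_hex(evidence) if evidence is not None else None,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)

def verify_log(log):
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        digest = sha256_hex(json.dumps(body, sort_keys=True).encode())
        if entry["prev_hash"] != prev or entry["entry_hash"] != digest:
            return i
        prev = entry["entry_hash"]
    return -1

def dump_matches_log(log, dump: bytes) -> bool:
    """True if a dump presented later is the one hashed at acquisition."""
    return any(e["evidence_sha256"] == sha256_hex(dump) for e in log)

def build_sample_log(dump: bytes):
    """Constructed record of the chip-off phases; every value is made up."""
    steps = [
        ("2024-01-15T09:00:00Z", "Device disassembled, memory chip identified", None),
        ("2024-01-15T09:40:00Z", "Chip desoldered", None),
        ("2024-01-15T10:05:00Z", "Chip cleaned and inspected", None),
        ("2024-01-15T10:30:00Z", "Raw memory dump read from chip", dump),
    ]
    log = []
    for ts, action, evidence in steps:
        append_step(log, ts, "examiner-01", action, evidence)  # hypothetical operator id
    return log
```

The chain only proves internal consistency: the final entry_hash still has to be fixed somewhere outside the examiner's control, for example in the signed report, so that the whole log cannot be regenerated afterwards.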
As with any other data extraction method, a chip-off makes it possible to recover all the data saved in the memory, both present data and deleted data that has not yet been overwritten.