• Aucun résultat trouvé

M Burnt to memory

N/A
N/A
Info
Télécharger
Protected

Academic year: 2021

Partager "M Burnt to memory"

Copied!
3
0
0

Chargement.... (Voir le texte intégral maintenant)

Texte intégral

(1)

Burnt to memory Mobile phones are essential tools for work and

leisure in modern society. This ubiquity of use in the general public can be an asset in crime scene investigations, as many criminals and victims of crime will be carrying mobile phones, each with a unique Subscriber Identity Module (SIM) card. Many phones turn up at crime scenes and accident sites.

Whether a phone is found with a body, or has been used to detonate a bomb, forensic analysis may be able to help identify victims or perpetrators, last active location, or calls made and received – which could provide vital assis- tance to investigators of these incidents.

Unfortunately, in some cases such as road traffic accidents, bomb sites and building fires, mobile phones may be significantly damaged, either mechanically or by high temperatures. In many cases data from damaged phones can not be read in the usual manner; however, the actual data may be retained in even highly damaged phones, but is inaccessible by conventional techniques.

EPSRC funded researchers at ETCbrunel and UCL Electronic Engineering, in association with The Forensic Science Service, have been working to determine the level of retained data within a heat damaged SIM card or

s m a r t c a r d , a n d t o d e v e l o p n o v e l d a t a extraction methods to glean information from burnt or damaged SIM cards for use in forensic investigations.

In this respect, the most valuable part of a SIM card is the non-volatile re-writable memory, usually in the form of flash mem- ory. This is part of the chip that is integrated into the familiar SIM card package and allows easy reading of the data via electrical contact to the interface. In some instances where the SIM card package has been damaged, electrical contacts can be made on the surface of the chip itself. However, this practice is becoming more difficult for a number of reasons, including the need for specific hardware access control circuits for each different type of chip, and, in particular, because of the high likelihood of the chip being damaged during criminal activities, by fire, or during extraction.

In a typical memory device, data are held in individual bit cells, in the form of charge stored on a floating gate, electrically iso- lated top and bottom by a very thin oxide layer. Each memory bit (making up 1/8th of a byte) is either a 0 or 1 and consists of the presence or absence of charge that is intro- duced or removed from the floating gate by applying a voltage to various control points – writing or erasing the data. Once in the floating gate, charge is held there due to the surrounding oxide.

Modern flash memories are capable of holding charge for several decades. Each bit cell is less than a thousandth of a millimetre in size,

Dr Benjamin Jones, Research Co-ordinator at the Experimental Techniques Centre, Brunel University, turns the spotlight on to data extraction

from damaged mobile phones…

FORENSIC SCIENCE

68

SIM card recovered from fire

(2)

and thousands of these are connected via multiple layers of micro-circuitry to the microprocessor unit, interface and the outside world.

Damage by heat or fracture may have broken some of these connections, or damaged the upper circuitry, thus causing a SIM card to become unreadable via the inter- face or through direct probing of electrical contacts.

However, the stored data – charge retained in the floating gate – will not necessarily have been compromised; only the conventional access route is removed.

Samples of SIM cards represent- ing a range of manufacturers, n e t w o r k s a n d a g e s w e r e collected from networks, distrib- utors and members of the public in Ireland, Sweden and the UK.

Researchers processed the SIM cards and created a deliberately artificial experimental arrange- ment, an idealised situation where mechanical damage to the chip is minimised.

SIM card chips were heated in idealised conditions to a range of temperatures up to 650oC, then reassembled and connected to an interface for reading via con- ventional means. At the highest temperatures, the heating caused damage that rendered reading by reconnection impos- sible. However, all mechanically undamaged chips heated to temperatures of around 180oC could be read with this method, and uncorrupted data was also obtained from a device heated to approximately 450oC.

These experimental results are supported by data published by manufacturers. Most memory device manufacturers provide nominal data reten- tion times for operation at room temperature. In some cases, this can be extrapolated to operation times at different temperatures, using a variety of models. Information for one memory type suggests data can be retained at 450oC for approximately an hour, while at 700oC this has reduced to a few minutes.

The relevance of these temperatures can be seen from experiments conducted by researchers in the National Institute of Standards and Technology in America. In their experiment on a full-scale house fire, fuelled by household furniture and accelerated with petrol and oil, the tempera- ture experienced varies with location within the house, and increases significantly with height. Although the maximum temperature reached was 738oC, this is only obtained briefly, close to the ceiling. The maximum temperature in the floor area is 166oC and temperatures here are in fact only maintained above 100oC for 90 seconds, indicating that phones in these locations will not suffer data loss due to heating effects. At approximately desk height, the tem- perature is sustained at an average of 450oC; data retention will only become an issue for phones that experience this temperature for an hour or longer.

FORENSIC SCIENCE

69 Magnified optical image of moderate heat-induced damage to surface of SIM card chip

Sections salvaged from SIM card suffering minor heat damage, including, far left, the microchip; with undamaged

SIM card for comparison

(3)

It is worth noting that these temperatures are maximums and the house fire temperature is considerably reduced away from the source of ignition and highly combustible furnishings. The temperatures reached in an adjacent room comfortably allow sustained data retention.

From these experiments we can see that data are likely to be retained in phones that experience temperatures similar to those of a house fire. However, for many SIM cards heated outside idealised laboratory conditions, access to the data through conventional electrical contacts is impos- sible due to the additional damage caused to the chip.

A key question is the feasibility of reading this data from chips that have been exposed to elevated temperatures or have suffered mechanical damage. A range of techniques exists to access protected data or programs in embedded microprocessors during program execution – what might commonly be called hacking. Such techniques can be non-invasive: side channel attacks monitor unintended outcomes of processor operation. For example, it is possi- ble to measure charge movement within processors using magnetic probes. Highly invasive techniques can also be used, such as deliberately introducing a fault in the chip and observing the response. Fraud countermeasures, advanced cryptography and physical protection systems

are put in place by manufacturers to curtail the effectiveness of such attacks.

Many of these techniques are unsuitable for reading memory from burnt phones as they require either an operating chip, knowledge of the specific electronic architecture, or they may result in degradation or erasure of the stored memory.

An alternative is to use a highly controllable, ultra-fine, electrically sensitive probe to directly read the charge in individual floating gates, each corresponding to one bit. This has the advantages of not requiring the upper cir- cuitry to remain intact, and is operable even if only fragments of the chip are available. This may, therefore, be a useful technique to detect the data that is retained even in damaged chips.

However, there are considerable drawbacks in such techniques, including the very slow read speed, the delicate and lengthy preparation process which may destroy cells or compro- mise the integrity of any data retained – and, lastly, the descrambling of the binary contents of the memory array into meaningful data.

In summary, data is retained in SIM card devices that are subjected to temperatures which exceed those likely to be experienced in house fires. In some cases the data is retrievable by rebuilding severed connections; however, in the majority of instances, chips will suffer additional dam- age to the top surface or circuitry, or experience some mechanical damage. In these cases, although the data is retained in the memory, it cannot be read by conventional methods, and an alternative technique, such as direct probing of the stored charge, needs to be employed to access the retained data. Investigations into the develop- ment of data reading techniques are continuing, as part of ETCbrunel’s broader interest in forensics, which extends into fingerprinting, ballistics and failure analysis.

FORENSIC SCIENCE

70

Dr Benjamin Jones Research Co-ordinator Experimental Techniques Centre Brunel University

Uxbridge

Middlesex UB8 3PH b.j.jones@physics.org www.ETCbrunel.co.uk

Références

Télécharger maintenant ( PDF - 3 Page - 0.91 MB )

Documents relatifs

Direct and inverse problems in the theory of materials with memory

SUMMARY - We prove some existence, uniqueness and stability results for a di- rect and an inverse problem related to the linear integrodifferential equa- tions

Optimisation and Simulation of an Alternative nano-flash Memory: the SASEM device

The various geometrical parameters (e.g dot surface, dot-channel distance ...) of the nano-device have been simulated as a function of the oxidation temperature and the duration of

Geometric Methods in Learning and Memory

For these series of experiments we have used raw data for all available ticks from 1 st to 286 th. In the case of usage of principal components the 50 highest ones were entered

Chunks in expert memory: Evidence for the magical number four… or is it two?

The similarity of the relative differences between display types within the current study (computer presentation showing larger chunks than physical-board presentation) and

Large Linear Classification When Data Cannot Fit In Memory

To see how serious the situation is, Figure 1 presents the running time by applying an efficient linear classification package LIBLINEAR [1] to train data with dif- ferent scales on

L’impact du risque prud’homal sur le recours aux contrats à durée déterminée : une analyse à partir des DMMO

Dans cette étude, qui porte sur les établissements de 50 salariés et plus ayant recruté dans l’année, le risque de contentieux est appréhendé à l’aide de deux

L’enseignement de l’Histoire à l’école primaire au cycle 2, elle s'enseigne !

d’histoire : à la recherche de modèles transposés de raisonnement historique », Le Cartable de Clio, Lausanne, LEP, N°2.. Cette approche est plus utilisée pour des élèves

The central novelty of the language is the use of static capabilities to specify the permissibility of various operations, such as memory access and deallocation

which states that (when memory has type Ψ, free constructor variables have kinds given by ∆, and free value variables have types given by Γ) it is legal to execute the term e,