
CH14: Advanced Physical Acquisition

Introduction

For most of the first decade of mobile forensics, three techniques defined what an examiner could pull from a locked or damaged phone: JTAG, In-System Programming (ISP), and chip-off acquisition. When a Nokia feature phone arrived in an evidence bag with a cracked screen and no PIN, an analyst with a RIFF Box, a steady hand, and the right pinout could read the raw NAND in an afternoon. Early Android handsets and pre-A7 iPhones were just as cooperative. Vendor tooling like Easy JTAG, Medusa Pro, Octoplus, and UFI Box turned what had been a research-grade procedure into a workflow a small lab could actually staff.

That world has narrowed for smartphones. Apple's introduction of the Secure Enclave Processor (SEP) with the A7 in 2013, followed by Android's broad adoption of File-Based Encryption (FBE) and dedicated security cores like Google's Titan M2 and the Tensor security core, changed the math. A perfect bit-for-bit dump of a modern smartphone's NAND is now well-organized ciphertext, bound to a hardware key the examiner cannot extract. Chip-off on a current iPhone or Pixel returns data the examiner cannot read.

The techniques themselves did not die. They migrated. Today they remain the workhorses of any investigation that touches Internet of Things (IoT) hardware, drones, automotive infotainment, body cameras, GPS units, fitness wearables, smart-home hubs, kiosks, and a long tail of embedded devices built to a price point that excluded a hardware-backed key store. They are also the last resort for physically damaged storage and for the legacy feature phones that still surface in elder-fraud and cold-case work.

This chapter closes the course by mapping the full physical acquisition spectrum, showing where each technique lives in 2026, and giving you the analytical framework to decide when invasive acquisition is the right call.

Learning Objectives

After completing this chapter, you will be able to:

  1. Distinguish JTAG, ISP, and chip-off acquisition by access point, invasiveness, and ideal use case.
  2. Explain why hardware-backed encryption on modern smartphones renders raw NAND dumps unrecoverable without the user credential.
  3. Identify the device classes (IoT, drones, automotive, wearables, GPS, kiosks, legacy phones) where physical acquisition remains the most viable path.
  4. Compare hot-air and cold (mechanical) chip removal in terms of risk, equipment, skill floor, and evidence preservation.
  5. Document the chain-of-custody, validation, and reporting steps unique to invasive acquisition.

14.1 The Physical Acquisition Spectrum

Mobile forensics arranges acquisition methods on a hierarchy from least to most invasive. Logical acquisition uses the device's own APIs to copy user-accessible data. File system acquisition copies the visible filesystem, often with elevated privileges. Physical acquisition captures the underlying storage at the block level, including unallocated space and deleted artifacts. Advanced physical acquisition sits at the top of that hierarchy. It bypasses the operating system entirely and reads the storage chip directly through hardware test points, soldered leads, or, in the most invasive case, after physically removing the chip from the board.

Bar-chart-style diagram titled The Mobile Acquisition Spectrum showing five ascending steps from left to right with the vertical axis labeled Evidence Completeness and the horizontal axis labeled Invasiveness. The five steps in order of increasing height and invasiveness are: Cloud (provider data via legal process), Logical (device APIs and user-visible data), File System (visible filesystem, often elevated), Physical (block-level access, includes deleted artifacts), and Advanced Physical (JTAG, ISP, Chip-Off). The two rightmost steps are highlighted in orange and dark navy to indicate they are the focus of this chapter.

Figure 14.1: The mobile acquisition spectrum. As invasiveness increases, evidence completeness increases but reversibility and proportionality concerns rise sharply.

The three techniques in this chapter share a common goal of producing a raw NAND, eMMC, or Universal Flash Storage (UFS) image, but they differ sharply in how they get there. JTAG talks to the processor and asks it to read storage on the examiner's behalf. ISP bypasses the processor and talks directly to the storage chip while it remains soldered to the board. Chip-off removes the storage chip entirely and reads it in a bench-top adapter.

Analyst Perspective

Think of these methods as a graduated response. ISP is preferred over chip-off when the board is intact, because it preserves the device for later re-examination. Chip-off is reserved for cases where the board cannot be repaired or the chip cannot be reached in-system. The choice is rarely about what is technically possible. It is about what is proportionate to the case and what preserves the most evidentiary value.

A Brief History of NAND-Level Tooling

Before smartphones, the JTAG and chip-off ecosystem was dominated by GSM-era tooling. RIFF Box, originally a service tool for GSM repair shops, became a de facto JTAG flasher for forensic use. Medusa Pro, Z3X Easy JTAG, Octoplus, and UFI Box added support for newer chips and faster eMMC pinouts as Android storage standards stabilized. By the early 2010s, dedicated chip-off rigs and BGA (Ball Grid Array) socket adapters from vendors like Dataman and PRG turned chip reading into a repeatable, if slow, lab operation. Most of these vendors still ship hardware in 2026, though product lines have consolidated and the smartphone market they originally served has largely moved out of reach.

Close-up photograph of a Hynix HY27UH088G2M 8-gigabit NAND flash memory chip in a TSOP-48 surface-mount package. The chip is rectangular with 24 pins along each long edge, the manufacturer markings printed on the top of the package, and visible solder pads showing where it would attach to a PCB. Chips of this physical form factor were the standard target of feature-phone era chip-off acquisition, removed from the board and read in a TSOP-48 socket adapter.

Figure 14.2: A discrete TSOP-48 NAND flash chip of the type that dominated feature-phone era chip-off work. Image by Mister rf, CC BY-SA 4.0 via Wikimedia Commons.

14.2 JTAG Acquisition

JTAG (Joint Test Action Group) is the colloquial name for IEEE Standard 1149.1, an industry standard originally designed to test printed circuit boards (PCBs) at the factory. The standard defines a small set of pins called the Test Access Port (TAP), through which an external tool can drive the device's processor into a controlled state, walk its internal registers, and instruct it to read or write attached memory. Forensic JTAG repurposes this debug interface to compel the processor to dump the contents of the NAND or eMMC chip it manages.

Block diagram titled JTAG Acquisition: Test Access Port to Processor showing four labeled blocks connected left to right. The leftmost block is a JTAG Forensic Box labeled with examples Easy JTAG Plus, Medusa Pro, and UFI Box. A labeled connection of five wires plus ground leads to a TAP Controller block. The TAP Controller has five labeled pin lines coming off it: TDI (Test Data In), TDO (Test Data Out), TMS (Test Mode Select), TCK (Test Clock), and TRST (Test Reset). The TAP Controller connects to a Processor or SoC block, which connects to a final eMMC or NAND Storage block on the right. A callout note states JTAG drives the processor and the processor reads memory.

Figure 14.3: The JTAG acquisition path. The forensic box drives five signal wires into the processor's TAP, which then reads the storage chip on the examiner's behalf.

Acquiring data over JTAG requires four ingredients: the TAP pinout for the specific board, a JTAG-capable interface device (the "box"), a connection method (a soldered jig, spring-loaded pogo pins, or a vendor-supplied adapter), and a profile telling the box how to drive the target processor.

State diagram of the JTAG Test Access Port (TAP) controller defined in IEEE 1149.1. Sixteen circular states are connected by labeled transitions driven by the value of the TMS signal at each TCK clock edge. The state machine has two parallel branches: the Data Register (DR) branch on the left starting from Select-DR-Scan and including Capture-DR, Shift-DR, Exit1-DR, Pause-DR, Exit2-DR, and Update-DR; and the Instruction Register (IR) branch on the right with the equivalent IR states. Both branches return to the central Run-Test/Idle state. The Test-Logic-Reset state at the top is reached by holding TMS high for five clock cycles. Forensic JTAG tools drive this state machine to load instructions, then shift bits in and out to read the contents of memory the processor controls.

Figure 14.4: The IEEE 1149.1 TAP controller state machine. A JTAG forensic box drives this state machine through the TMS pin to load instructions and read or write memory through the target processor. Image by Rudolph H, free use via Wikimedia Commons.
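The TAP controller in Figure 14.4 is small enough to model exactly. The following is an added example, not code from the chapter or from any JTAG box vendor: it encodes the sixteen IEEE 1149.1 states and their TMS-driven transitions, finds the shortest TMS sequence between two states, and checks the standard's guarantee that five consecutive TMS=1 clocks reach Test-Logic-Reset from anywhere. State names follow the figure; the model assumes one TMS bit per TCK edge and does not talk to any hardware.

```python
from collections import deque

# Added example (not from the chapter or a vendor tool): the IEEE 1149.1 TAP
# controller as a lookup table. For each state: (next state on TMS=0, next on TMS=1).
TAP_TRANSITIONS = {
    "Test-Logic-Reset": ("Run-Test/Idle", "Test-Logic-Reset"),
    "Run-Test/Idle":    ("Run-Test/Idle", "Select-DR-Scan"),
    # Data Register branch
    "Select-DR-Scan":   ("Capture-DR",    "Select-IR-Scan"),
    "Capture-DR":       ("Shift-DR",      "Exit1-DR"),
    "Shift-DR":         ("Shift-DR",      "Exit1-DR"),
    "Exit1-DR":         ("Pause-DR",      "Update-DR"),
    "Pause-DR":         ("Pause-DR",      "Exit2-DR"),
    "Exit2-DR":         ("Shift-DR",      "Update-DR"),
    "Update-DR":        ("Run-Test/Idle", "Select-DR-Scan"),
    # Instruction Register branch
    "Select-IR-Scan":   ("Capture-IR",    "Test-Logic-Reset"),
    "Capture-IR":       ("Shift-IR",      "Exit1-IR"),
    "Shift-IR":         ("Shift-IR",      "Exit1-IR"),
    "Exit1-IR":         ("Pause-IR",      "Update-IR"),
    "Pause-IR":         ("Pause-IR",      "Exit2-IR"),
    "Exit2-IR":         ("Shift-IR",      "Update-IR"),
    "Update-IR":        ("Run-Test/Idle", "Select-DR-Scan"),
}


def step(state, tms):
    """One TCK edge: the TMS value sampled on that edge selects the next state."""
    return TAP_TRANSITIONS[state][1 if tms else 0]


def trace(state, tms_bits):
    """Return the list of states visited (including the start) for a TMS bit sequence."""
    visited = [state]
    for bit in tms_bits:
        state = step(state, bit)
        visited.append(state)
    return visited


def walk(state, tms_bits):
    """Return only the final state after clocking out a TMS bit sequence."""
    return trace(state, tms_bits)[-1]


def shortest_tms_path(src, dst):
    """Breadth-first search for the fewest TCK edges (as TMS bits) from src to dst."""
    queue = deque([(src, [])])
    seen = {src}
    while queue:
        state, path = queue.popleft()
        if state == dst:
            return path
        for tms in (0, 1):
            nxt = step(state, tms)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [tms]))
    return None  # every state is reachable in this machine, so this is never hit


def reset_from_anywhere():
    """The standard's escape hatch: TMS held high for five clocks resets from any state."""
    return all(walk(s, [1] * 5) == "Test-Logic-Reset" for s in TAP_TRANSITIONS)


if __name__ == "__main__":
    print("RTI -> Shift-IR:", shortest_tms_path("Run-Test/Idle", "Shift-IR"))
    print("RTI -> Shift-DR:", shortest_tms_path("Run-Test/Idle", "Shift-DR"))
    print("Five TMS=1 clocks reset from every state:", reset_from_anywhere())
```

A forensic box drives exactly these sequences when it loads a read instruction into the IR and then shifts the resulting bytes out through the DR path; the model is useful for sanity-checking a hand-written pinout session before it touches evidence.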

The pinout is usually the hardest part. Vendor pinout databases such as those bundled with Easy JTAG Plus, Medusa Pro II, and the community-maintained GSMHosting and JTAG Test Points archives catalog tens of thousands of board variants. When a pinout is not in the database, the examiner must trace the test points by hand with a multimeter, confirming each candidate against the known response of the JTAG box when a correct pin is found, which can take hours per board.

JTAG's main advantages are non-destructive access and tolerance for moderate physical damage. A phone with a shattered screen and a dead USB port can often still respond on its TAP pads. Its main disadvantages are slow read speeds (often hours for a full eMMC dump) and dependence on a cooperating processor. If the processor is dead, JTAG is dead with it.

Analyst Perspective

JTAG is most valuable on lower-end Android devices, automotive infotainment heads, and embedded boards that still expose factory test pads. On modern flagships those pads have been removed or fused off, which is one of the reasons examiners moved to ISP for smartphone work.

14.3 ISP (In-System Programming) Acquisition

In-System Programming bypasses the processor entirely and speaks directly to the storage chip while it remains soldered to the board. For eMMC (embedded MultiMediaCard) storage, this means soldering fine wires to a defined set of pads: CMD (command), CLK (clock), DAT0 (data line zero), VCC (chip power), VCCQ (I/O power), and GND (ground). UFS storage uses a different pad set but the same principle. The wires lead to an ISP-capable reader, typically the same hardware used for JTAG (Easy JTAG Plus, Medusa Pro II, UFI Box, Z3X), running in a different mode.

Photograph of a Samsung KLMCG8GEAC eMMC memory chip removed from a circuit board, viewed from the underside to show the BGA solder ball pattern. The chip is roughly square with a uniform grid of small round solder balls covering most of the underside surface. A subset of these balls correspond to the standardized eMMC interface signals (CMD, CLK, DAT0 through DAT7, VCC, VCCQ, and GND) that an ISP examiner solders to in order to read the chip in place.

Figure 14.5: A Samsung eMMC memory chip showing the underside BGA pad layout. Only a small subset of these pads carry the data, clock, command, and power signals an ISP examiner needs to tap. Image by Toniperis, CC BY-SA 4.0 via Wikimedia Commons.

Diagram titled ISP Acquisition: Six Wires to the eMMC Pads showing a top-down stylized view of an eMMC chip with a uniform grid of small circular pads on its underside. Six pads are highlighted in orange and labeled with thin lines pointing to text labels: CMD (Command), CLK (Clock), DAT0 (Data Line 0), VCC (Chip Power 3.3V), VCCQ (I/O Power 1.8V), and GND (Ground). All other pads are shown in faded gray to indicate they are not connected for ISP. The six labeled wires bundle together on the right and connect to a labeled box reading ISP Reader, with examples Easy JTAG Plus, Medusa Pro II, and UFI Box. A note at the bottom right states the processor is not involved and the storage chip is read directly.

Figure 14.6: ISP wiring schematic. The examiner solders to six specific pads on the eMMC underside (out of dozens) and reads the chip directly through an ISP reader, bypassing the processor entirely.

ISP largely supplanted JTAG for smartphone work in the mid-2010s for three reasons. The eMMC pad layout is far more uniform across vendors than JTAG TAP locations. ISP does not require a working processor, so it survives processor-level damage that would block JTAG. Read speeds are also higher, often two to three times those of JTAG on the same board.

The tradeoff is skill floor. ISP demands precise micro-soldering on pads that are often less than a millimeter apart, frequently buried under shielding cans that must be removed and replaced. A failed solder joint can short the chip and destroy the evidence. Most lab programs treat ISP as a competency requiring formal training, hours of supervised practice on scrap boards, and a peer-review step before touching evidence.

Warning

ISP looks deceptively similar to a repair-shop board rework, but the standards are not the same. A repair tech can replace the board if a pad lifts during soldering. A forensic examiner cannot. Every procedure must be planned, photographed, and reversible to the maximum extent possible. If you would not be willing to defend your soldering work in a deposition, you are not ready to perform ISP on evidence.

14.4 Chip-Off Acquisition

Chip-off is the most invasive option in the physical acquisition toolkit. The examiner physically removes the storage chip (eMMC, eMCP, UFS, or raw NAND) from the PCB, cleans it, and reads it in a bench-top adapter. Once removed, the chip can be re-read indefinitely, but the device itself is generally beyond reuse without a board-level repair.

Macro photograph showing a cross-section of a BGA chip package mounted on a PCB. The chip silicon die sits inside a black plastic package on top, the package substrate forms a thin layer in the middle, and a row of round solder balls connects the package to the PCB pads at the bottom. Each solder ball is the size of a fine grain of sand and forms one electrical connection between the chip and the board. To remove the chip, an examiner must liquefy or mechanically separate every one of these solder balls without damaging the silicon die above.

Figure 14.7: Cross-section of a BGA chip package, showing the silicon die on top and the row of solder balls connecting the package to the PCB beneath. Chip-off acquisition succeeds or fails on whether all of these connections can be released without harming the die. Image by TubeTimeUS, CC BY-SA 4.0 via Wikimedia Commons.

Two removal methods dominate, distinguished by whether they apply heat.

Side-by-side comparison diagram titled Chip Removal: Hot vs Cold. The left column is labeled Hot-Air Removal in orange and shows a flat illustration of an orange hot-air rework nozzle directed downward at a green PCB with a black BGA chip, with heat lines rising from the chip. Below the illustration: Method - Controlled thermal cycle 230 to 280 degrees Celsius; Equipment - Preheater plus hot-air station; Best for - Consumer-grade BGA, no underfill; Risk - Low to moderate. The right column is labeled Cold (Mechanical) Removal in dark navy and shows a flat illustration of a CNC milling spindle with a small drill bit positioned over a green PCB with a black BGA chip and small fragments scattering. Below the illustration: Method - Precision CNC milling, no heat; Equipment - Forensic CNC mill; Best for - Epoxy underfill, heat-stressed, stacked packages; Risk - High but unavoidable for these targets. A bottom-spanning bar reads: If epoxy underfill is visible, cold removal is the only defensible choice.

Figure 14.8: Hot-air and cold (mechanical) chip removal compared. The single most important decision factor is the presence of epoxy underfill or prior thermal stress.

14.4.1 Hot-Air Chip Removal

Hot-air chip-off uses a controlled thermal cycle to liquefy the solder balls under a BGA package so the chip can be lifted free. The workflow combines a board preheater (which brings the entire PCB to roughly 150 °C to prevent thermal shock) with a hot-air rework station (which delivers a focused stream at roughly 230 °C to 280 °C above the chip). Flux is applied to improve heat transfer and protect adjacent components. Once the solder reflows, the chip lifts off cleanly with vacuum tweezers.

Photograph of an integrated circuit being desoldered from a green PCB using a hot-air rework station. The cylindrical hot-air nozzle is positioned directly above the chip and is delivering a focused stream of heated air onto the package to liquefy the solder underneath. The PCB is held in a clamp on a workbench. Other components on the surrounding board are visible. Forensic hot-air chip-off uses the same principle and equipment, paired with a board preheater for thermal control and vacuum tweezers to lift the chip the moment the solder reflows.

Figure 14.9: A hot-air rework station lifting a chip from a PCB. Forensic hot-air chip-off uses the same equipment paired with a board preheater for thermal control and a stereo microscope for placement. Image by Aisart, CC BY-SA 3.0 via Wikimedia Commons.

Removed chips are typically reballed (new solder balls applied to the package's pad grid) before being placed in a socket adapter such as the Dataman 48Pro2 with the appropriate BGA socket, the UP-828P programmer with eMMC socket modules, or the Easy JTAG socket family. The adapter presents the chip to the reader as if it were still in-circuit, and the reader produces the raw image.

The skill floor is high but not exotic. A trained examiner with a quality preheater, a temperature-controlled hot-air station, decent flux, a stereo microscope, and a reballing stencil can perform hot-air chip-off reliably on most consumer-grade BGA packages. The hard parts are consistency and patience.

14.4.2 Cold (Mechanical) Chip Removal

Cold chip-off removes the chip by mechanical means, usually with a precision CNC milling machine or a controlled grinding rig. There is no thermal cycle. The examiner mills away the PCB substrate under and around the chip until the package separates from the board, then cleans the underside and reads the chip in the same kind of socket adapter used for hot-air work.

Cold removal exists because some chips will not survive heat. Three situations are typical:

  • Epoxy underfill. Many automotive, military, and industrial-grade boards are assembled with a structural epoxy under the BGA package to resist vibration. Heating an underfilled chip risks delaminating the package, cracking the silicon, or pulling the pads off when the chip is lifted.
  • Already heat-stressed chips. A device recovered from a fire, a lithium thermal runaway, or a hot car may have a chip that survived the original event but cannot tolerate a second thermal cycle.
  • Stacked or sandwiched packages. Some eMCP (embedded Multi-Chip Package) parts combine flash and RAM in one stack. A poorly controlled hot-air cycle can disturb the internal stack even if the package lifts cleanly.

Cold chip-off is slower (often a full shift per chip), demands more expensive equipment (a forensic-grade CNC mill costs in the tens of thousands of dollars), and carries less margin for error. The benefit is that it works on chips where any thermal approach would destroy the evidence.

Cross-section side-view illustration titled Cold Chip-Off: Milling Around the BGA Package showing a green PCB with a black BGA chip mounted on it. A gray CNC milling spindle with a 0.3 millimeter bit is positioned above the chip, and dotted arrows around the chip's perimeter indicate the milling path that removes the PCB substrate around the chip. The chip itself is highlighted with a thin orange outline and remains intact while the surrounding PCB substrate is being machined away. Three numbered callouts read: 1. CNC bit removes PCB substrate around package, 2. BGA package is freed without thermal stress, 3. Chip is cleaned and read in a socket adapter. A bottom note in italics reads: Used when epoxy underfill or thermal damage rules out hot-air removal.

Figure 14.10: Cold chip-off conceptual cross-section. The CNC mill removes the PCB material around the chip rather than melting the solder underneath it.

Analyst Perspective

The decision between hot and cold removal is rarely close. If you can see epoxy underfill around the chip, or you have any reason to believe the device has been thermally stressed, cold removal is the only defensible choice. Hot-air on an underfilled chip is the single most common way labs destroy evidence in this discipline.

14.5 Why Modern Smartphones Resist These Methods

Every advanced physical acquisition method in this chapter delivers the same product: a raw image of the storage medium. On a modern Apple or high-end Android device, that image is encrypted with keys the examiner cannot reach.

Diagram titled Why Chip-Off Fails on Modern Smartphones showing a key derivation flow inside a hardware-isolated security core. On the left, two stacked input boxes labeled User Passcode (with a lock icon) and Hardware UID 256-bit fused into silicon (with a chip icon). Both feed into a thick-walled vault-style container labeled Secure Enclave, Titan M2, Hardware Keystore. Inside the vault, a circular Key Derivation icon produces a Per-File Key. Outside the vault on the right, a stack of files labeled NAND Storage shows scrambled text characters labeled Ciphertext. A red dashed line with an X icon between the vault and the storage shows that the file key cannot leave the vault. Below the diagram, a caption in dark navy bold reads: A perfect chip-off image is just well-organized ciphertext.

Figure 14.11: Hardware-backed key derivation. The user passcode and a chip-bound UID combine inside the security core to produce file keys that never leave the silicon. A chip-off NAND dump returns ciphertext only.

Apple's Secure Enclave Processor, introduced with the A7 system-on-chip and present in every iPhone since the 5s, is a separate processor with its own boot ROM, firmware, and isolated memory. The SEP holds the device's Unique Identifier (UID), a 256-bit key fused into the silicon at manufacture. The UID never leaves the SEP. File-level encryption keys for user data are derived by combining the user's passcode with the UID inside the SEP, then released to main memory only when the device is unlocked. As Chapter 11 covered in detail, this means a chip-off image of an iPhone's NAND contains file contents encrypted with keys that exist only inside a chip the examiner did not extract.

Android implements a comparable model through hardware-backed keystores. Google's Titan M2 (in Pixel 6 and later) and Samsung's equivalent secure elements perform key derivation in dedicated silicon. File-Based Encryption, mandatory since Android 10, encrypts each user's directories with per-file keys derived from the user credential and a hardware-bound key. Samsung Knox adds a measured boot chain and a one-way "warranty bit" that records tampering. As Chapters 9 and 10 explained, the practical effect for chip-off is identical to iOS. The dump is ciphertext.

The brute-force math reinforces the point. A six-digit numeric passcode has one million possible values. Hardware key derivation deliberately rate-limits each guess so that attempting all one million takes years on the device itself. Removing the chip strips the rate limit but also strips access to the UID, so an offline attack is computationally infeasible without breaking AES, which no public technique does.

Warning

Do not let this section convince you that physical acquisition is obsolete. It convinces you only that physical acquisition is the wrong tool for current flagship smartphones. On an IoT device with no hardware key store, on a drone storing flight logs in plaintext, or on a damaged feature phone, the same techniques still produce readable evidence.

14.6 Where These Methods Still Pay Off

Physical acquisition remains a routine, high-yield technique across an entire ecosystem of devices that were never built with hardware-backed encryption. Cost, power budget, time-to-market, and the absence of a regulatory push have all kept these device classes on plaintext or weakly protected storage. The following are the device classes where labs see the most consistent value in 2026.

Reference grid titled Where Physical Acquisition Still Pays Off showing a four-by-two grid of eight labeled device cards, each with a flat icon and a one or two word label. The eight cards are: 1) IP camera labeled IoT and Smart Home, 2) quadcopter drone labeled Drones, 3) car dashboard labeled Automotive, 4) body camera labeled Body Cams, 5) smartwatch labeled Wearables, 6) handheld GPS unit labeled GPS Units, 7) point-of-sale terminal labeled Kiosks and POS, 8) flip phone labeled Legacy Phones. Each card has a thin orange border and a small green checkmark badge labeled No Hardware Key Store above the device label. A dark navy bottom strip with white text reads: These devices were built to a price point that excluded hardware-backed encryption. Chip-off and ISP still produce readable evidence.

Figure 14.12: The device classes where physical acquisition remains the highest-yield approach in 2026. Each shares the same root cause: no hardware-backed key store protecting at-rest data.

IoT and smart-home devices. Smart locks, IP cameras, video doorbells, smart speakers, and home automation hubs typically run a stripped-down Linux or real-time operating system (RTOS) on a system-on-chip with eMMC or raw NAND storage. Encryption, when present at all, is often a transport-layer concern rather than a storage concern. Chip-off and ISP routinely yield Wi-Fi credentials, user account tokens, motion-event timelines, and cached audio or video.

Drones and unmanned aerial vehicles. Consumer and prosumer drones, particularly the DJI line, store flight logs, GPS tracks, telemetry, and frequently media on internal flash. Damage from crashes is common, which is exactly the case where ISP or chip-off is the only viable path. Flight logs are valuable in trespass, surveillance, and accident investigations.

Automotive infotainment and telematics. Head units, telematics control units (TCUs), and event data recorders carry navigation history, paired phone identifiers, contact and call logs synchronized from paired phones, and in some cases driver-behavior data. Many of these boards use industrial-grade chips with epoxy underfill, which is why cold chip-off appears more often in automotive work than in any other context.

Body-worn cameras and dashcams. Public-safety body cameras and consumer dashcams are typically large flash-storage devices in rugged housings. When a camera is damaged in an incident, chip-off may be the only way to recover the footage from the period of interest.

Fitness wearables and health trackers. Sleep, heart rate, GPS, and step data on smartwatches and fitness bands often live on internal flash with minimal protection. These artifacts have been useful in homicide and missing-person investigations as corroborating timelines.

GPS units and navigation devices. Standalone GPS units (Garmin, TomTom, marine and aviation chartplotters) store waypoints, route history, and in some cases voice annotations. Older units in particular respond well to ISP and chip-off.

Kiosks, point-of-sale terminals, and ATMs. Retail and financial endpoint hardware often runs aging embedded operating systems on commodity flash. Skimming, internal-fraud, and tampering investigations regularly rely on physical acquisition to capture transaction logs and tampering artifacts.

Legacy and feature phones. Pre-smartphone handsets continue to surface in elder-fraud, human-trafficking, and cold-case investigations. Many feature phones never used encryption at all. JTAG and chip-off remain the standard recovery path.

Analyst Perspective

When a non-smartphone device arrives in your lab, the right first question is not "can I chip this off." It is "does this device have a hardware key store, and if so what does it protect." For most of the device classes above, the honest answer is "none" or "transport keys only." That answer is what makes physical acquisition still worth your bench time.

14.7 Documentation, Validation, and Reporting

Invasive acquisition raises the documentation bar. The device leaves the lab in a different physical state than it arrived, and the examiner must be able to defend every alteration. Five practices distinguish defensible work from work that will be excluded.

Photographic documentation at every stage. Photograph the device on receipt, after disassembly, after shielding removal, before any soldering or milling, after each rework step, and with the chip seated in its reader. Most labs maintain a standard photo template so no step is skipped. These photographs become exhibits.

Horizontal timeline diagram titled Photographic Documentation Checkpoints for Invasive Acquisition showing seven evenly spaced numbered camera-icon checkpoints connected by a horizontal line. Each checkpoint has a number and a short caption beneath it. The seven checkpoints in order are: 1. Intake - Device on receipt, all sides; 2. Disassembly - Case opened, board exposed; 3. Shielding - Cans removed, target chip visible; 4. Pre-Rework - Chip in place, before any modification; 5. Post-Removal - Chip lifted or milled; 6. In Adapter - Chip seated in socket adapter; 7. Post-Read - Chip after data extraction. Below each checkpoint is a small flat icon depicting the relevant equipment or component. A lower band has two parallel rows: Hash Validation - SHA-256 plus SHA-1 calculated and recorded; Chain of Custody - Every alteration documented and reversible where possible.

Figure 14.13: The seven photographic checkpoints that make invasive acquisition defensible in court. Skipping any of these creates an evidentiary gap that opposing counsel can exploit.

X-ray image of a 14 by 14 ball BGA chip on a printed circuit board, viewed from above. The image reveals the regular grid of solder ball joints between the chip and the PCB as small dark circles, allowing inspection of joint integrity without removing the chip. A few of the solder joints are visibly asymmetric or partially formed, which would be flagged as defects in a manufacturing context. Forensic labs use the same kind of X-ray imaging to verify joint integrity after rework, to confirm a chip has been seated correctly in its socket adapter, and as part of the documentation record for invasive acquisition.

Figure 14.14: X-ray view of BGA solder joints. Forensic labs use X-ray imaging both to confirm rework quality and to add an additional verification artifact to the documentation record. Image by DJGB, public domain via Wikimedia Commons.

Vertical flowchart titled Acquisition Method Decision Tree starting from a top node labeled Device received. The first decision diamond asks Hardware-backed encryption present? A Yes branch leads to a result box reading: Pursue logical, cloud, or credential acquisition. Chip-off will not yield readable data. The No branch continues to the next decision: Is the device powered and responding to its native interface? Yes leads to: Logical acquisition first. Document and validate. No continues to: Are TAP test points exposed and processor functional? Yes leads to: Attempt JTAG. No continues to: Is the storage chip intact and accessible in-system? Yes leads to: Attempt ISP. No continues to the final decision: Epoxy underfill present or device thermally stressed? No leads to Hot-air chip-off. Yes leads to Cold (CNC) chip-off. Decision diamonds are orange-bordered and result boxes are navy-bordered. Yes branches use green checkmark icons; No branches use red X icons.

Figure 14.15: A working decision tree for selecting an acquisition method. The first question is always whether hardware-backed encryption will defeat the effort regardless of technique chosen.

Hash validation of the dump. As soon as the raw image is read, calculate at least two independent cryptographic hashes (typically SHA-256 and SHA-1 for legacy compatibility) and record them in the case notes. Re-hash the working copy before any analysis. Any later challenge to the integrity of the image is answered by re-running the hash.
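The dual-hash procedure above, as an added example that is not part of the chapter: one streaming pass computes SHA-256 and SHA-1 over the image, writes them to a sidecar record for the case notes, and the working copy is re-hashed against that record before analysis. The file names and the 1 MiB sample data are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads: a 32 GB eMMC image must never be loaded whole into RAM

def hash_image(path):
    """One pass over the file computing both digests (SHA-256, plus SHA-1 for legacy tooling)."""
    h256, h1 = hashlib.sha256(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h256.update(chunk)
            h1.update(chunk)
    return {"sha256": h256.hexdigest(), "sha1": h1.hexdigest()}

def record_hashes(image_path, note_path):
    """Hash the freshly read image and write the values to a sidecar file for the case notes."""
    rec = {"image": os.path.basename(image_path), "size": os.path.getsize(image_path)}
    rec.update(hash_image(image_path))
    with open(note_path, "w") as f:
        json.dump(rec, f, indent=2)
    return rec

def verify_working_copy(copy_path, rec):
    """Re-hash the working copy before analysis; both digests must match the recorded values."""
    current = hash_image(copy_path)
    return all(current[alg] == rec[alg] for alg in ("sha256", "sha1"))

def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed stand-in for the case-study eMMC image: 1 MiB of synthetic bytes, not a real dump."""
    workdir = tempfile.mkdtemp()
    data = bytes(range(256)) * 4096
    original = os.path.join(workdir, "emmc_dump.bin")
    _write(original, data)
    rec = record_hashes(original, original + ".hashes.json")
    copy = os.path.join(workdir, "working_copy.bin")
    _write(copy, data)
    ok_before = verify_working_copy(copy, rec)
    # Flip a single bit at offset 512 to simulate a working copy that was silently altered.
    _write(copy, data[:512] + bytes([data[512] ^ 0x01]) + data[513:])
    ok_after = verify_working_copy(copy, rec)
    return ok_before, ok_after

if __name__ == "__main__":
    print(demo())  # (True, False)
```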

Flash Translation Layer (FTL) and ECC awareness. Raw NAND images carry the chip's internal accounting structures, including wear-leveling tables, bad-block markers, and Error-Correction Code (ECC) parity. Parsing tools must be configured for the chip's FTL; otherwise the image will be misinterpreted as fragmented or corrupt. eMMC and UFS images present a logical view that hides most of this, but spare areas may still need explicit handling.

Parsing and interpretation tooling. The major commercial platforms (Cellebrite Physical Analyzer, Magnet AXIOM, MSAB XRY, X-Ways Forensics) all accept raw eMMC and UFS images and parse common filesystems automatically. Open-source workflows using Autopsy, Sleuth Kit, and ReclaiMe are viable for filesystems they support. For obscure embedded filesystems (YAFFS2, JFFS2, UBIFS), the examiner may need to build the parsing chain manually.

Court-facing reporting. Reports for invasive acquisition should explicitly identify the technique used, the justification for choosing it over less invasive alternatives, the equipment make and model, the examiner's training and certification, the photographs taken, and the hash values produced. The report should also identify any alterations to the device that are not reversible, so the chain of custody clearly reflects the device's post-examination state.

Warning

The single most common reporting failure in chip-off work is omitting the "less invasive alternatives considered" section. A defense expert who can show that ISP would have worked, but was skipped, can frame a chip-off as gratuitous destruction of evidence. Document the decision tree, not just the destination.
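To make the decision tree of Figure 14.15 and the warning above concrete, here is an added example (not part of the chapter) that walks the five questions top-down and keeps the ordered list of rejected less invasive options with the reason for each, which is exactly the material the "less invasive alternatives considered" section needs. The `TriageFacts` fields and the two constructed device profiles are assumptions made for the example; the JTAG answer for the drone is an assumption because the case study never reaches that branch.

```python
from dataclasses import dataclass

@dataclass
class TriageFacts:
    """Answers to the five decision-tree questions, established before any tool touches the board."""
    hardware_backed_encryption: bool    # Secure Enclave, Titan M2 or equivalent holds the file keys
    powered_and_responding: bool        # native interface (USB, vendor tool) enumerates
    tap_exposed_and_cpu_ok: bool        # JTAG test points reachable and processor functional
    storage_accessible_in_system: bool  # eMMC/UFS pads intact and reachable for ISP
    underfill_or_thermal_stress: bool   # epoxy underfill present or device already heat-damaged

def select_method(facts):
    """Walk the tree top-down. Returns (chosen method, ordered list of rejected less invasive
    options with the reason each was rejected): the raw material for the report section."""
    rejected = []
    if facts.hardware_backed_encryption:
        rejected.append(("JTAG/ISP/chip-off", "hardware-backed encryption: a raw dump is unreadable ciphertext"))
        return "logical, cloud, or credential acquisition", rejected
    if facts.powered_and_responding:
        return "logical acquisition (document and validate)", rejected
    rejected.append(("logical", "device not powered or native interface not enumerating"))
    if facts.tap_exposed_and_cpu_ok:
        return "JTAG", rejected
    rejected.append(("JTAG", "TAP test points not exposed or processor not functional"))
    if facts.storage_accessible_in_system:
        return "ISP", rejected
    rejected.append(("ISP", "storage chip not intact or not accessible in-system"))
    if facts.underfill_or_thermal_stress:
        rejected.append(("hot-air chip-off", "epoxy underfill or thermal stress: heat risks delaminating the package"))
        return "cold (CNC) chip-off", rejected
    return "hot-air chip-off", rejected

def justification_section(facts):
    """Render the 'less invasive alternatives considered' block for the court-facing report."""
    chosen, rejected = select_method(facts)
    lines = [f"Technique selected: {chosen}", "Less invasive alternatives considered:"]
    lines += [f"  - {m}: rejected ({why})" for m, why in rejected] or ["  - none (first viable option)"]
    return "\n".join(lines)

# Constructed from the DJI drone case study: dead USB pads, epoxy-underfilled eMMC. The JTAG
# answer is an assumption (the case study never reaches that branch); the rest follow the text.
DJI_DRONE = TriageFacts(False, False, False, False, True)
# Constructed modern iPhone profile: the first question alone settles it.
MODERN_IPHONE = TriageFacts(True, True, False, False, False)

if __name__ == "__main__":
    print(justification_section(DJI_DRONE))
```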

Acquisition Method Reference Matrix

The following matrix consolidates the four techniques covered in this chapter for use as a quick-reference and study aid.

| Attribute | JTAG | ISP | Hot Chip-Off | Cold Chip-Off |
|---|---|---|---|---|
| Access point | Processor TAP pads | eMMC/UFS data pads | Removed chip in socket | Removed chip in socket |
| Invasiveness | Low (test points) | Moderate (micro-solder) | High (chip removed via heat) | Highest (PCB milled away) |
| Reversibility | Fully reversible | Largely reversible | Not reversible | Not reversible |
| Equipment cost band | $1k to $5k | $1k to $5k | $5k to $15k | $25k to $75k+ |
| Skill floor | Moderate | High (micro-soldering) | High (BGA rework) | Highest (CNC operation) |
| Time on bench | 2 to 8 hours | 2 to 6 hours | 4 to 12 hours | 8 to 24 hours |
| Risk to device | Low | Moderate | High | High |
| Tolerates dead processor | No | Yes | Yes | Yes |
| Tolerates damaged board | Limited | Limited | Yes | Yes |
| Best fit | Lower-end Android, embedded boards, legacy phones with TAPs exposed | Mid-range and older smartphones, IoT, drones with intact boards | Damaged devices, IoT/wearables, consumer-grade BGA targets | Automotive, industrial, epoxy-underfilled, or thermally stressed targets |

Putting It Together

Case-study flowchart titled Putting It Together: DJI Drone Stalking Investigation, showing six sequential steps connected by right-pointing arrows:
  • Step 1 (light blue): Damaged DJI drone received. Cracked airframe, dead USB.
  • Step 2 (light blue): Attempt logical via DJI Assistant. FAILS - flight controller does not enumerate.
  • Step 3 (orange): Evaluate ISP. eMMC reachable BUT epoxy underfill visible.
  • Step 4 (orange): Decision - Hot-air would delaminate underfill. Choose COLD chip-off.
  • Step 5 (deep navy with white text): CNC mill PCB substrate. Lift chip. Read in Dataman BGA socket.
  • Step 6 (deep navy with white text): Parse 32 GB image in Cellebrite Physical Analyzer. Recover flight logs, GPS tracks.
Failed paths are marked with red X icons. A callout box at the bottom reads: Recovered Evidence Summary - Drone took off from suspect residence, hovered 7 minutes within 10 meters of complainant window, returned to launch point.

Figure 14.16: The decision flow for the DJI drone scenario walked through below. Each rejected option becomes a documented justification in the final report.

A small-municipality police agency arrives at the lab with a DJI consumer drone recovered from the rear yard of a residence under investigation for a stalking complaint. The drone's airframe is cracked, the camera gimbal is hanging by its ribbon cable, and one motor arm has separated. A neighbor's doorbell camera captured the drone hovering over the complainant's bedroom window for several minutes the previous night. The agency wants flight logs, GPS tracks, and any captured media.

The examiner begins with the least invasive option, attempting to power the drone and connect it to DJI Assistant on a forensic workstation. The drone's flight controller does not enumerate. Visual inspection under the stereo microscope reveals impact damage to the USB pads on the controller PCB. Attempting to re-establish those pads would risk further board damage and would not address the underlying question of whether the controller itself is functional.

The examiner moves to ISP. A pinout for this DJI flight controller's eMMC is documented in the lab's internal pinout archive (DJI shares enough hardware lineage across consumer models to make this practical). However, when the shielding can is removed, the eMMC package is visibly secured with a black epoxy underfill, consistent with DJI's vibration-hardening design choices on this model.

The decision tree now points firmly to cold chip-off. Hot-air would risk delaminating the underfilled package, and the case warrants the destruction of the controller given the felony stalking charge under consideration. The examiner photographs the board, mills away the PCB substrate around the eMMC package using the lab's CNC rig with a 0.3 mm bit on a documented program, lifts the package, cleans the underside ultrasonically, and seats the chip in a Dataman BGA socket. The eMMC reads cleanly to a 32 GB raw image. SHA-256 and SHA-1 hashes are calculated and recorded.

Parsing the image in Cellebrite Physical Analyzer surfaces the FAT32 partition the controller uses for flight logs, plus a separate region holding cached telemetry. The flight logs show the drone took off from a GPS coordinate matching the suspect's residence, flew a path consistent with the doorbell camera footage, hovered for seven minutes within ten meters of the complainant's bedroom window, and returned to the launch point. No media files are present (the drone's media is stored on a removed SD card not recovered with the airframe).

The report documents the decision to skip USB acquisition (hardware damage), the decision to skip ISP (epoxy underfill), the decision to use cold rather than hot chip-off (the same epoxy underfill), the equipment and program used, the hash values, and the parsed artifacts. The drone controller is preserved as an exhibit in its post-examination state.

Chapter Summary

  • Advanced physical acquisition covers three techniques (JTAG, ISP, and chip-off) that bypass the operating system and read storage at the hardware level.
  • JTAG uses the IEEE 1149.1 debug interface to drive the processor into reading storage on the examiner's behalf. It is fast to attempt but depends on a working processor and on TAP pinouts that modern flagships have removed.
  • ISP solders directly to eMMC or UFS data pads, bypassing the processor. It is the modern workhorse for in-board acquisition where the storage chip is intact.
  • Chip-off removes the storage chip entirely. Hot-air removal uses a controlled thermal cycle and suits most consumer-grade BGA targets. Cold (mechanical) removal uses CNC milling and is reserved for epoxy-underfilled, thermally stressed, or stacked packages.
  • Modern Apple and high-end Android smartphones resist these methods because file encryption keys are derived inside hardware-isolated security cores (Secure Enclave, Titan M2, equivalent) that the examiner cannot extract. Raw dumps from these devices are unreadable ciphertext.
  • Physical acquisition remains highly productive on IoT devices, drones, automotive infotainment, body cameras, fitness wearables, GPS units, kiosks and POS terminals, and legacy feature phones, where hardware-backed encryption is absent.
  • Defensible invasive acquisition requires photographic documentation at every stage, dual-hash validation, FTL and ECC awareness during parsing, and a report that explicitly justifies the choice of technique against less invasive alternatives.

This chapter closes the CFS280 acquisition arc. You began the course at the logical and cloud layers, worked through filesystem and OS-specific examination, and now hold the analytical framework for the entire spectrum down to silicon. The same disciplined decision tree applies regardless of where on that spectrum you begin: identify the device's protections, choose the least invasive technique that will produce the evidence you need, document every step, and validate everything you report.

Image Credits

This chapter draws on photographs sourced from Wikimedia Commons under open licenses, and on instructional diagrams generated for this course using Google's Gemini image generation model. Per the terms of the Creative Commons Attribution-ShareAlike licenses on the photographs, derivative works incorporating those images must be released under a compatible license.

Photographs and Diagrams (Wikimedia Commons)

Instructional Diagrams (AI-Assisted)

Figures 14.1, 14.3, 14.6, 14.8, 14.10, 14.11, 14.12, 14.13, 14.15, and 14.16 were drafted using Google's Gemini image generation model from prompts authored for this chapter. Concept, structure, technical content, and labeling were specified by the author; the model rendered the visual layout. All AI-generated figures were reviewed for technical accuracy before inclusion. These diagrams are released under the same license as the chapter text.