There are two main techniques when dealing with mobile phone data recovery and flash recoveries. By interrogating the NAND memory chip, both of these techniques give data recovery engineers access to a low-level image of the data, although they are both very different. Mobile phones, flash storage and solid-state-drives all rely on memory chips for storing information in contrast to hard disk drives, which use rotating platters and read/write heads.
When it comes to hard disk drives they all tend to use a common approach to storing data, meaning that data recovery tools can be generic. Flash devices on the other hand vary a lot more having a wealth of different data formats, file structures, algorithms, memory types and configurations, data extractors are often ‘device specific’. This means that the only way to gain a bit for bit copy of the raw data is to interrogate the memory chips directly, effectively bypassing the operating system. This is where chip-off and JTAG technology comes into play.
The first method is the chip-off approach. This technique requires de-soldering the memory chip from the circuitry. In order to remove the chip from the device without causing any damage it requires precision skill under a microscope as making any tiny mistakes risks losing all the data permanently. After the chip is removed it can be read with data extractors. NAND chips are usually much easier to read than other types of chip and are normally what SD cards and iPhones use. This is due to the memory architecture and pin configuration being standardised. The pins are on the outside meaning there is no need to rebuild the connectors. Other common types of chip such as the BGA have multiple connectors on the underside which are directly soldered to the motherboard with thousands of different configurations so are much more difficult to remove.
The second method is JTAG which doesn’t require removal of the chip. A data recovery engineer can sometimes access the memory through the JTAG ports. This is a much more lengthy process and does not damage the media. This means it can be kept in a working state which is sometimes a critical requirement in forensic investigations. A downside of this method is that it is not always as successful and can be a riskier option.