iPhone 3G 8GB – Memory size problem

UPDATE Feb. 12, 2012

While I was at the DOD Cybercrime conference in Atlanta this past month, I atteneded a presentation by Drew Fahey (Vice President, Product Development, BlackBag Technologies Incorporated) on iOS Device: Seizure and Analysis. During this presentation, Drew confirmed my findings that the NAND flash memory is manufatured larger than the actual size indicated by the chip specs. He explains that this is to help offset the bad pages that are present during the manufacturing process of the chip. We have also confimed this a number of times in the Chipoff Training when we do the RAW data dumps of the NAND chips, the dumps are of various sizes larger than the chip size specs indicate. So keep in mind, the forensic tools are doing a physical acquisition, but are they getting it all…..NO! One un-named manufacturer of mobile phone forensic tools expliained to me that they can only access the defined partition of the NAND flash and that only the chipoff process will get the full physical dump. Are we missing evidence?????????? Something to keep in mind!

*****This is an update to the original post as the way I wrote it read like I was making assumptions when they were actually observations.  My bad!*****
I have a case where the suspect has destroyed his cell phone during his arrest. The phone would not function at all and is in small pieces. I located the 48 PIN TSOP NAND chip and found that it was intact. I recovered the chip by desoldering it and cleaning the pins for data reading with a programmer.

I placed the chip in the reader and tried to read it as an 8GB chip as the iPhone indicated that it was an 8GB model. The programmer kept erroring out and when it did a read, it was only a partial read. One read would get 1.6 GB, then one would get 5.3 GB, the one would get another random amount, and so on, all of them had error alarms going off during the process.

This led me to try out other programmers, specifically, one that allows me to manually configure the size of the reads from the NAND chips. This is when I actually read the chip number off the chip itself. The number for this chip was MT29F64G08TAA. My original assumption was that the chip identification reference indicated the “64G” as a 64 GB chip, the data sheet actually indicated 64GB but this refers to 64 GBits, not 64 GBytes (thanks to all who guided me in the right direction on this).
I reconfigured the programmer to read 64GB and it read with no errors. As a test, I did a second read for 128 GB and it read up to 64 GB and then 0’d out for the next 64 GB. My next plan it to do a read of 8 GB only, then compare this data with the first 64 GB read I got to see if there is any discrepancies or information found in the 64 GB read that not present in the 8 GB dump.
The dump creates two files, 32 GB each. I can read each one using Encase and they are different, indicating that it was not just reading 32 GB and then repeating itself. Both 32 GB dumps had different header information which indicates that I was not just getting 8 X 8GB reads as well. So what am I getting? This remains unclear but what I believe I am getting more than just an 8 GB data read from the chip.
I have discussed this problem with another expert in our field, Shafik Punja of Calgary PS, and his thought was this may be a function of the iPhone hardware, software, Controller Chip or the Flash Translation Layer that limits the usage of 8 GB of the actual size of the chip.
Unfortunately, NAND works in a manner that does not restrict this possible limitation defined by the iPhone and/or Controller Chip. NAND will use the full capacity of the chip as required to store data and allow for the process of the Wear Levelling functions. The memory will use the full capacity of the NAND chip and then move around and wipe data as required to store and update the user’s data, again, using the full capacity of the chip.

We have found similar instance’s of this when we do our chipoff  training and work with 1 GB thumb drives to practice removing and reading the TSOP NAND memory. After the students complete the reads, the file size of the dumps are different. With the 1 GB thumb drives, we were getting dump of between 1.0 and 1.6 GB.
It is a known fact that NAND memory chips are sent from the manufacturer with bad blocks on them (unlike NOR), are the chip really bigger then we all believe them to be? Is there an area beyond the 8GB present to compensate for this? Do the manufacturers sell the NAND chips providing some extra space to make up for the bad blocks to provide an area for fault processes? There has also been a suggestion relating to how much the chip can actually buffer out in contrast to its actual size.

Another expert, that will remain nameless as I have not asked his permission to disclose it, provides this explanation:

Basically, this is very similar to a USB drive that its partition is being imaged (Fat16/FAT32 …). Actually this USB drive has a flash chip inside that in most cases will be larger than the actual partition (each USB drive manufacturer uses his own FTL and the ratio between declared size and actual flash size is their secret).

 You can also see this from a different angle:

If an iPhone physical dump is in dd format, there are no flash spare area’s there, so only the “live” partition sectors are extracted, so there are generally other flash physical sectors that are not extracted.

There are other examples, such as Windows Mobile physical dump that also extracts the live partitions (Generally FAT). Same regarding some of the Android solutions that extract the YAFFS2, EXT2, EXT3 partitions, but not the complete flash chip.

During the analysis of this iPhone, I am recovering data throughout the chip read and some of the user data dates back 3 years including SMS text, internet history, emails and call logs. Good stuff to find but I need to validate if it came from beyond the 8 GB identified by the chip size.

I need to do some more work on this but I am also looking for others who are doing the same kind of work to see if we can come to a consensus on this. Is the NAND chip on the iPhone, or any phone for that matter, exactly the size indicated by the phone manufacturer?  Is there user data beyond the size of the NAND chip identified by the chip number and phone company specs that can provide us with missing evidence?

I would like to open this for “constructive” discussion with other experts who are involved in the physical and RAW data extractions of mobile phones and see if anyone can help me with more research on this. I would hate to be missing out on valuable user data if it is there for the picking.

I appreciate the information/feedback from the original post I received from people like Shafik, Larry, Ron, J Z, Sean, Boris, Stephane, Mark, pytey from the DEV Team, Georg and the crew from Forensic Forum this weekend, all good stuff and it helps us solve the puzzles we encounter during our work on a daily basis. I have a number of suggestions to try and validate what I am seeing here, and will be busy over the next while working on it. I will update you when I can, so many projects on the go (-:

Thanks again!

Advertisements