JTAG, short for Joint Test Action Group, is a standard that was developed by the Institute of Electrical and Electronics Engineers (IEEE). During the device production process, it is used to communicate with the processor through a specialized interface for testing purposes. Luckily for forensic examiners, that same interface also allows them to communicate directly with the processor and retrieve a full physical image of the flash memory.

To perform a JTAG extraction, the device must be taken apart, down to the circuit board. The circuit board will contain multiple taps (physical contacts on the device circuit board), though they are commonly unlabeled and there are usually far more taps than required for JTAG. To determine the correct taps, an examiner would have to either find a pin-out online (or included with their tool of choice), or use electronic test equipment to determine what each tap is.

The examiner will then have to solder a wire to each tap, or use adapters (sometimes called jigs) that are commercially available, and connect to their JTAG box through a provided adapter:

HTC Evo before and after being hooked up for JTAG (courtesy of http://lowcostwin4n6.blogspot.com/)

JTAG may sound complicated (because it is), but it serves many useful purposes:

  • It does not require the device to be powered on:
    • Can be successful even if the device is damaged
    • No RF-shielding concerns
  • It does not require root, ADB, or USB debugging:
    • Can be used to bypass device PINs/passwords
    • Can image the entire flash memory

Many manufacturers make JTAG tools, and many of the most common ones that are used for mobile forensics can be found at http://teeltech.com/mobile-device-forensic-software/teel-tech-jtag-box-sets/. The RIFF box listed on this site is probably the most frequently used for mobile forensics, as it comes with support (including pin-outs) for a wide variety of devices.

JTAG is not always successful, or even possible. Though the interface is almost always on the circuit board, the manufacturer can choose to disable it after the device has been manufactured.
