Chip-off, as the name suggests, is a technique where the NAND flash chips are removed from the device and examined to extract information. Hence, this technique will work even when the device is passcode-protected and USB debugging is not enabled. Unlike the JTAG technique, where the device functions normally after examination, the chip-off technique usually results in the destruction of the device, that is, it is more difficult to reattach the NAND flash to the device after examination. The process of reattaching the NAND flash to the device is called re-balling and requires training and practice.

Chip-off techniques usually involve the following forensic steps:

1. All of the chips on the device must be researched to determine which chip contains user data.
2. Once determined, the NAND flash is physically removed from the device. This can be done by applying heat to desolder the chip:

3. This is a very delicate process and must be done with great care, as it may result in damaging the NAND flash.
4. The chip is then cleaned and repaired to make sure that the connectors are present and functioning.

5. Using specialized hardware device adapters, the chip can now be read. This is done by inserting the chip into the hardware device, that supports the specific NAND flash chip. In this process, raw data is acquired from the chip, resulting in a .bin file.
6. The data acquired can now be analyzed using forensic techniques and the tools described earlier.

The chip-off technique is most helpful when a device is damaged severely, locked, or otherwise inaccessible. However, the application of this technique requires not only expertise but also costly equipment and tools. There is always a risk of damaging the NAND flash while removing it and, hence, it is recommended to try out the logical techniques first to extract any data.

While root access is a must to perform any of the techniques discussed earlier, it must be noted here that, at the time of writing this book, none of these techniques would work on devices that have Full Disk Encryption (FDE) enabled. As discussed in Chapter 7, Understanding Android, Google has mandated the use of FDE for most devices starting from Android 6.0. Although some techniques were demonstrated and published for decrypting full disk encryption, they are device-specific and are not widely applicable.