Embedded Systems Evidence in New York Litigation
Embedded systems are everywhere in the New York built environment: in the building management controllers that regulate HVAC, access control, and fire suppression in Midtown office towers, in the point-of-sale terminals and ATMs that process financial transactions across the city, in the industrial controllers at manufacturing facilities in Long Island and Westchester, and in the hundreds of IoT devices that populate corporate offices, hotel rooms, and residences throughout the five boroughs. When these devices become relevant to litigation, whether as evidence of unauthorized access, as sources of records about events at a specific location, or as the subject of product liability or intellectual property claims, standard digital forensic techniques are often insufficient to access their data.
Unlike a laptop or smartphone, an embedded system typically does not expose a user-accessible interface for data export. It has no USB port that accepts a forensic write-blocker, no software agent that can be installed to perform a logical backup, and no standard file system that forensic tools recognize. Accessing its data requires hardware-level techniques: reading flash memory chips directly, accessing processor debug interfaces through JTAG pins on the circuit board, or capturing firmware over a serial UART connection during boot. These techniques require specialized equipment, electronics knowledge, and familiarity with the specific processor architectures and storage technologies used in the target device class.
New York courts are increasingly encountering embedded device evidence in contexts that did not exist a decade ago. A smart lock's access log can establish who entered an apartment at a specific time in a landlord-tenant dispute. A building management system's event log can document whether a fire suppression system behaved correctly in a liability case. A network-connected surveillance camera's internal storage can contain footage relevant to a criminal matter that was not captured by the cloud recording service. A modified electronic shelf label in a retail store can carry evidence of price manipulation. NYCF's embedded systems forensic practice addresses all of these scenarios, applying appropriate acquisition methodology and documenting findings for use in New York legal proceedings under NY CPLR Article 45 and applicable federal rules of evidence.
Chip-Off Extraction and Hardware-Level Acquisition
Chip-off extraction is the most direct method for accessing embedded system storage: the flash memory chip is physically removed from the device's circuit board and read using a dedicated programmer. This technique is necessary when the device is damaged or non-functional, when security features prevent logical or JTAG access, when the device controller actively blocks external read commands, or when the examination requires access to data that may have been deleted from the active file system and is potentially recoverable from unallocated storage on the memory chip.
NYCF's chip-off procedure begins with detailed photographic documentation of the device before any disassembly, recording the physical condition, board layout, and location of the target memory chip. The chip is then removed using appropriate thermal desoldering equipment, with the specific technique selected based on the package type: ball grid array (BGA) chips require hot air rework stations with precision temperature control, while leaded packages can often be removed more simply. The removed chip is cleaned of solder residue and inspected for physical damage before reading. Programming hardware and software specific to the chip manufacturer and model are used to acquire a complete bit-for-bit image of the chip's contents, and hash values are recorded at acquisition for integrity verification.
The raw data acquired from a chip-off extraction is not immediately interpretable as user data. Embedded systems use a variety of file system types, wear-leveling algorithms, and data organization schemes that differ significantly from the NTFS, ext4, or APFS file systems used in conventional computers. Raw NAND flash storage employs out-of-band (OOB) data areas that store error correction codes interleaved with the data pages, and these OOB bytes must be correctly identified and handled for the data to be decoded accurately. NYCF's examiners work with tools including Binwalk for firmware analysis, custom scripts for OOB handling, and established forensic platforms including Autopsy for file system reconstruction to process the acquired data into an analyzable form.
For embedded systems where the memory chip cannot be removed without destroying the device, or where the risk of chip damage during removal is unacceptable given the importance of the evidence, NYCF employs in-circuit reading techniques where available: JTAG boundary scan, direct memory bus access through test pads, or ISP (in-system programming) interfaces that some manufacturers expose for firmware update purposes. These in-circuit approaches preserve the device's physical integrity while still providing raw memory access, and they are preferred whenever chip-off is not the only option. The choice between chip-off and in-circuit access is documented in NYCF's methodology notes as part of the chain-of-custody record.
Device Documentation and Triage
Full photographic documentation of the device, identification of memory chips and processor architecture, and assessment of available acquisition methods before any physical intervention.
Least-Invasive Acquisition Attempt
Logical access, JTAG/UART, or ISP interface access is attempted before any chip removal, preserving the device's physical integrity where possible and producing a complete audit trail of each method tried.
Chip-Off Extraction (when required)
Thermal desoldering of flash memory chips followed by programmer acquisition of a complete bit-for-bit image with hash verification. OOB data handling specific to the chip model and manufacturer is applied.
Firmware and File System Analysis
Raw image processing to identify and reconstruct file systems, extract readable data, and apply data carving techniques to unallocated space for recovery of deleted content.
Report and Expert Testimony
A forensic report documents methodology, equipment, acquisition hash values, file system findings, and evidentiary data recovered, with expert testimony available for New York proceedings.
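The OOB handling described in the chip-off discussion above and in the chip-off step of this workflow, as an added worked example that is not NYCF's own tooling: it picks the page/spare geometry of a raw NAND dump, strips the spare bytes, and records hashes of both the raw and the data-only image. The candidate geometry list, the bad-block-marker offsets and the sample dump are assumptions.

```python
"""Added example, not NYCF's own tooling: pick a raw NAND dump's page/spare
geometry from a candidate list, strip the out-of-band (OOB) bytes, and hash both
images. Geometry list, marker offsets and the sample dump are assumptions."""
import hashlib
import random

# (page_size, spare_size, marker_offset_in_spare): assumed common geometries.
# Small-page NAND keeps the factory bad-block marker at spare byte 5,
# large-page NAND at spare byte 0; a good block reads 0xFF there.
CANDIDATE_LAYOUTS = [(512, 16, 5), (2048, 64, 0), (2048, 128, 0),
                     (4096, 128, 0), (4096, 224, 0)]

def layout_score(dump: bytes, page: int, spare: int, marker: int) -> float:
    """Fraction of pages whose marker byte reads 0xFF under this geometry:
    the true stride scores ~1.0, a wrong stride lands the check inside
    payload data and scores low (only erased pages still match)."""
    stride = page + spare
    if len(dump) % stride:
        return 0.0  # geometry does not even tile the dump
    pages = len(dump) // stride
    hits = sum(dump[p * stride + page + marker] == 0xFF for p in range(pages))
    return hits / pages

def detect_layout(dump: bytes):
    """Return the (page, spare, marker) candidate with the highest score."""
    return max(CANDIDATE_LAYOUTS, key=lambda g: layout_score(dump, *g))

def strip_oob(dump: bytes, page: int, spare: int) -> bytes:
    """Keep only the data area of every page, dropping the spare bytes."""
    stride = page + spare
    return b"".join(dump[o:o + page] for o in range(0, len(dump), stride))

def acquisition_hashes(dump: bytes, page: int, spare: int) -> dict:
    """Integrity baseline: SHA-256 of the raw chip image and of the data-only image."""
    return {"raw": hashlib.sha256(dump).hexdigest(),
            "data_only": hashlib.sha256(strip_oob(dump, page, spare)).hexdigest()}

def build_sample_dump(pages: int = 32, seed: int = 7):
    """Constructed 2048+64 dump: every eighth page erased (all 0xFF), the rest
    pseudo-random payload with a 0xFF marker and placeholder (not real) ECC.
    Returns (raw_dump, expected_data_only) so the stripping can be checked."""
    rng = random.Random(seed)
    raw, data = [], []
    for p in range(pages):
        if p % 8 == 0:
            body, oob = b"\xff" * 2048, b"\xff" * 64
        else:
            body = rng.randbytes(2048)
            oob = b"\xff" + rng.randbytes(63)
        raw.append(body + oob)
        data.append(body)
    return b"".join(raw), b"".join(data)
```

On a real dump the ECC bytes in the spare area still have to be checked or corrected before the data-only image is trusted; this block only separates them.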
JTAG and UART Debugging Interface Forensics
JTAG (Joint Test Action Group, IEEE 1149.1) is a hardware standard originally designed for manufacturing test and board-level debugging that has become a primary access method in embedded forensics. The JTAG interface provides direct access to a processor's memory space through a boundary scan chain that connects the processor's debug logic to a small set of pins on the chip package, typically exposed as test points or a header connector on the circuit board. NYCF's examiners identify JTAG access points using board schematic analysis, visual inspection for unpopulated headers, and in some cases continuity testing to locate test points not labeled on the board.
JTAG forensic acquisition uses specialized hardware debuggers to establish communication with the target processor and issue memory read commands to copy the contents of RAM, flash, and other accessible memory regions to an external storage medium. The acquisition process is logged in detail, including the debugger hardware model, firmware version, the specific JTAG commands issued, and the memory map regions accessed. Hash values are calculated on the resulting data to establish an integrity baseline. JTAG access can recover memory contents that chip-off cannot: the contents of RAM at the time of access, including running process data, encryption keys held in memory, and data structures that are never written to flash storage, are accessible only through in-circuit methods like JTAG while the device is powered.
UART (Universal Asynchronous Receiver/Transmitter) serial interfaces are present on virtually all embedded Linux and RTOS devices, typically used during manufacturing and development for console access and debug output. NYCF locates UART interfaces through visual inspection for three- or four-pin header footprints with appropriate spacing, voltage testing with a multimeter, and logic analyzer capture to identify the baud rate and format of any serial traffic. A forensic UART connection can provide interactive console access to a live device's operating system, enable access to a boot monitor that can load alternative firmware or dump memory, or simply capture the device's boot log, which documents the device's software configuration, loaded services, and any error conditions present at the time of examination.
For New York litigation involving IoT devices as evidence, the distinction between JTAG and UART access methods may matter to opposing counsel in terms of the risk that the acquisition method altered device state. NYCF documents precisely which access method was used for each memory region acquired and explains in plain terms what was and was not readable through that method. For devices where interactive console access was used, a complete log of all commands entered and all output received is preserved as part of the examination record, providing the transparency that New York courts expect for novel forensic techniques presented under the standards applicable to technical evidence.
JTAG Memory Acquisition
Hardware debugger connection through JTAG interface for direct processor memory access, capturing RAM, flash, and peripheral register state from live and post-incident devices.
UART Serial Console Access
Serial console capture and interactive access through UART interfaces to document device configuration, boot logs, and operating system state at examination time.
Chip-Off Flash Memory Extraction
Physical removal and programmer-based reading of NAND and NOR flash chips with OOB handling, hash verification, and full documentation of the extraction process.
Firmware Reverse Engineering
Static and dynamic analysis of extracted firmware using Binwalk, Ghidra, and custom tools to identify data structures, encryption keys, communication protocols, and evidence-relevant functionality.
Smart Building Forensics: NYC Infrastructure and Corporate Premises
New York City's commercial real estate market, with its concentration of high-rise office towers, luxury residential buildings, and mixed-use developments, has made smart building technology ubiquitous. Building management systems (BMS) control HVAC, lighting, access control, elevator operation, and fire safety in virtually every Class A office building in Midtown and Lower Manhattan. These systems run on embedded platforms that log every event, every access credential use, every alarm condition, and every manual override, creating a continuous operational record that can be forensically significant in property damage claims, premises liability cases, tenant disputes, and employment matters.
Access control system forensics is particularly relevant in New York commercial litigation. When a dispute involves who was present in a building at a specific time, the access control system's event log, which records every card or fob read, every door open event, and every access denial, provides a technically objective record that is independent of witness accounts. For matters involving alleged unauthorized access to restricted areas, post-incident theft investigations, or disputes about employee presence during a relevant event, NYCF extracts and analyzes access control system logs from the embedded controllers that manage these systems. The specific acquisition methodology depends on the BMS platform: some use SQL databases on Windows-based servers that are accessible through conventional forensic tools, while others use proprietary embedded platforms that require JTAG or serial interface access.
NYC's smart building IoT layer extends beyond the primary BMS to include connected door locks, smart power outlets, environmental sensors, and IP cameras managed through building management APIs. A corporate tenant may deploy its own IoT layer within its leased space, using network-connected smart devices that log access, occupancy, audio, and environmental data independently of the building's infrastructure. When these tenant-managed IoT devices become relevant to litigation, forensic analysis requires examination of both the devices themselves and the cloud platform data they feed, which is typically held by the device manufacturer or a third-party IoT platform operator. The forensic team handles cloud-side data preservation and acquisition for IoT platforms commonly deployed in New York corporate environments.
Firmware Analysis and IoT Device Evidence in NY Corporate Matters
Firmware reverse engineering addresses what is inside the software that runs an embedded device, answering questions about intended versus actual device functionality, the presence of malicious or unauthorized code, the data structures used to store evidence-relevant information, and the cryptographic methods used to protect device data. When a device is alleged to have been modified to perform unauthorized functions, such as a surveillance device concealed in office equipment or a network switch modified to exfiltrate data, firmware analysis of the device's flash storage provides the technical basis for characterizing what the device actually does as opposed to what it is supposed to do.
NYCF uses Binwalk for automated identification and extraction of firmware components from raw flash images, identifying bootloaders, Linux kernel images, compressed file system archives, and other components packaged within a firmware binary. Ghidra, the NSA-developed reverse engineering tool, is used for disassembly and analysis of firmware code to understand specific functions of interest. For matters involving malware on embedded devices, dynamic analysis in emulated environments using QEMU or Firmwalker allows execution of suspected malicious code in a controlled environment where its behavior can be observed and documented without risk to actual network infrastructure.
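What the automated component identification step does, as an added example that is neither Binwalk's nor NYCF's code: a signature scan for common firmware component magics, plus parsing and CRC-checking of a U-Boot legacy uImage header so a damaged dump or a false-positive magic hit is caught. The sample image is constructed inline and is not a real firmware.

```python
"""Added example, not NYCF's or Binwalk's code: a minimal signature scan of a
raw flash image for component magics Binwalk reports (uImage, gzip, SquashFS,
JFFS2), plus parsing of a U-Boot legacy uImage header with its header CRC and
data CRC checked. The sample image is constructed inline, not real firmware."""
import gzip
import struct
import zlib

SIGNATURES = {  # well-known magic bytes -> description
    b"\x27\x05\x19\x56": "uImage header (U-Boot legacy)",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"hsqs": "SquashFS filesystem, little endian",
    b"\x85\x19": "JFFS2 filesystem, little endian",
}
UIMAGE_FMT = ">IIIIIIIBBBB32s"  # 64-byte legacy uImage header, big endian

def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF

def scan(image: bytes):
    """Return sorted [(offset, description)] for every signature occurrence."""
    hits = []
    for magic, desc in SIGNATURES.items():
        off = image.find(magic)
        while off != -1:
            hits.append((off, desc))
            off = image.find(magic, off + 1)
    return sorted(hits)

def parse_uimage(image: bytes, off: int):
    """Decode the uImage header at off. Returns None when the magic is wrong
    or the header CRC (computed with the hcrc field zeroed) does not match,
    which is what a damaged dump or a false-positive magic hit looks like."""
    hdr = image[off:off + 64]
    if len(hdr) < 64:
        return None
    (magic, hcrc, _ts, size, load, ep, dcrc,
     _os, _arch, _typ, _comp, name) = struct.unpack(UIMAGE_FMT, hdr)
    if magic != 0x27051956 or crc32(hdr[:4] + b"\0" * 4 + hdr[8:]) != hcrc:
        return None
    data = image[off + 64:off + 64 + size]
    return {"name": name.rstrip(b"\0").decode(), "size": size, "load": load,
            "entry": ep, "data_crc_ok": crc32(data) == dcrc}

def build_sample_image() -> bytes:
    """Constructed image: 0xFF padding, a uImage (os=Linux, arch=ARM,
    type=kernel, comp=gzip) wrapping a gzip payload, padding, then the
    start of a fake SquashFS superblock. Not a real firmware image."""
    payload = gzip.compress(b"placeholder kernel bytes " * 16, mtime=0)
    hdr = struct.pack(UIMAGE_FMT, 0x27051956, 0, 0, len(payload), 0x80008000,
                      0x80008000, crc32(payload), 5, 2, 2, 1,
                      b"sample-kernel".ljust(32, b"\0"))
    hdr = hdr[:4] + struct.pack(">I", crc32(hdr)) + hdr[8:]
    return b"\xff" * 256 + hdr + payload + b"\xff" * 128 + b"hsqs" + b"\0" * 60
```

Two-byte magics such as the JFFS2 one produce occasional false hits inside compressed data, which is why each candidate component should be validated by its own header checks rather than trusted on the magic alone.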
Corporate espionage matters in New York increasingly involve IoT devices as either the tool or the target of the espionage activity. A device found during a physical security sweep of a Midtown law firm's conference room or a hedge fund's trading floor may be a legitimate office device that has been compromised, a purpose-built surveillance device disguised as something innocuous, or simply an unauthorized device brought in by an employee. Embedded forensics can distinguish between these possibilities through firmware analysis, network communication logging during operation, and examination of the device's storage for evidence of recorded content and transmission logs. When the analysis supports a referral to law enforcement, NYCF coordinates with counsel to prepare the technical findings in a format appropriate for the NYPD or the FBI's New York field office.
NY critical infrastructure forensics represents an area of growing demand as New York State and City agencies take a more active posture on critical infrastructure protection following the enactment of the New York State Cyber Incident Reporting Act and related regulatory guidance from the Governor's Office of Information Technology Services. Embedded systems in water treatment facilities, power distribution equipment, transit control systems, and telecommunications infrastructure are subject to regulatory examination requirements and, when breached, generate incident documentation obligations. Post-incident analysis of industrial embedded devices at NYCF is documented with the specificity required for both regulatory reporting and subsequent civil or criminal proceedings. Contact NYCF at (212) 561-5860 or info@digitalforensics-newyork.com for a consultation on embedded forensics requirements in your matter.
Smart Home and Consumer IoT Evidence in New York Litigation
The consumer IoT market has placed forensically significant devices in virtually every New York home, apartment, and Airbnb rental. Amazon Echo devices maintain a voice command history accessible through the device's associated cloud account and may also retain locally cached audio data on the device's flash storage. Google Nest thermostats log occupancy patterns, temperature setpoints, and HVAC activation events with timestamps that can establish a timeline of activity at a residence. Ring and Nest doorbell cameras record motion events and video clips both locally and to cloud storage, with metadata that documents when a resident was entering or leaving a property.
In New York family law proceedings, smart home device data has been used to document a parent's actual presence at a residence, to demonstrate occupancy patterns inconsistent with claimed living arrangements in custody disputes, and to establish the timing of events during domestic incidents. Matrimonial attorneys in New York have found that smart home device logs frequently corroborate or contradict testimony about events at the marital residence in ways that neither party anticipated when the devices were installed. NYCF provides forensic analysis of consumer IoT devices for matrimonial matters coordinated through counsel, ensuring that privilege and confidentiality protections appropriate for family court proceedings are maintained throughout the engagement.
In New York criminal defense matters, smart home devices at the scene of an alleged crime may contain evidence supporting the defense theory of the case. An Amazon Echo that recorded ambient audio during the time window of an alleged incident, a smart lock that shows a different entry pattern than the prosecution claims, or a home monitoring system that places the defendant at a different location are each potentially significant defense evidence that requires forensic extraction and authentication to be usable at trial. NYCF's examiners are prepared to provide defense-side forensic analysis of smart home evidence in New York state courts and federal proceedings, with reports and testimony structured to address the authentication and reliability requirements applicable to IoT evidence in New York courts.