New Diagnostic Forensic Protocol for Damaged Secure Digital Memory Cards

Over the past twenty years, Secure Digital memory cards have become the most popular digital storage media. Therefore, law enforcement agencies need to develop forensic techniques to enable recovery of data, especially from cards severely damaged by accidents, air crashes, terrorist attacks or deliberate attempts by criminals to destroy evidence. The paper discusses the non-invasive and invasive diagnostics available to legal forensic experts, with descriptions of the necessary equipment, including binocular microscopes, X-Ray equipment, scanning acoustic microscopes, chemical benches, and, for the first time, infrared cameras. All of these techniques can be used to methodically determine the best treatment in order to repair damaged storage media and extract data from them. The main contributions of the paper include the development of an innovative systematic forensic protocol for diagnostics on damaged cards, which involves a simple decision-making diagram. Finally, a concrete case study is presented using the new forensic decision diagram-based protocol and the panel of techniques available to diagnose a card damage.


I. INTRODUCTION
With the evolution of technology and lifestyles, many people now have one or more Internet of Things (IoT) devices [1]. These devices have become almost essential, which continues to support the drive for miniaturization. The widespread use of these electronic devices has resulted in an increased need for storage capacity. As a result, system manufacturers have gradually started to replace internal storage units [2] of considerable dimensional size, such as Hard Disc Drives (HDDs), with smaller ones that are faster and more efficient for data exchange, such as Solid-State Drives (SSDs).
Due to users' needs for increasing storage capacity, an alternative was proposed. Because of the importance of cost for manufacturers to increase internal storage, the choice was quickly made to adopt a removable storage system, and Secure Digital (SD) cards fully meet this need [3]. Therefore, system manufacturers have integrated slots for Secure Digital (SD), mini-SD or micro-SD cards ( Figure 1) to better adapt to the needs of users and to increase the storage capacity of the entire spectrum of electronic devices.
A user can adapt the storage capacity of a device at low cost, depending on their storage or reading/writing speed requirements. It is now possible to buy a micro-SD card with a capacity of 400 GB, using Secure Digital eXtended Capacity (SDXC) technology, for less than 100e .
A user who does not need much storage may be satisfied with the internal storage offered by the manufacturer, while a user making a video in 4k high resolution will need a large storage capacity and a fast writing speed to avoid the phenomenon of latency [4]. SD card manufacturers have been able to adapt to such needs over the past twenty years (Figure 2), by offering more efficient media that are faster and have more storage capacity. Currently, there are four main types of SD card memory systems: Secure Digital Standard Capacity (SDSC, often referred as SD), Secure Digital High Capacity (SDHC), Secure Digital eXtended Capacity (SDXC) and Secure Digital Ultra Capacity (SDUC). These four types are ranked according to their capacity and recommended file system format (Figure 3). The standard chosen by users will offer a range of storage capacity suiting their requirements. By cross-referencing information from two sources, the evolution of capacity can be described as follows. In early 2000, an SD standard card had a capacity of less than 2 GB, to be supplanted in 2006 by the SDHC card with a capacity of up to 32 GB. This was exceeded by the SDXC standard, with a storage capacity increasing from 32 GB to 2 TB over the years between 2009 and 2017, while in 2018 the new standard SDUC was released, with a capacity ranging from 2 TB to 128 TB.
Forensic experts also had to adapt to this technological evolution [5]. The SD card became the object of tests [6] included in almost all judicial evidence [7] (including devices such as smartphones, cameras, automation tools, actioncams, game consoles, laptops, and connected vehicles). As these storage devices have become more and more efficient, they enable data to be secured through various options such as locking or encrypting [8]. Some manufacturers even use SD cards as key stores to encrypt the data for very high security smartphones, called darkphones, like No.1BC (https://no1bc.com/).
Although cards have the advantage of being removable and easily transportable, they also have the disadvantage of being fragile (easily damaged by impact and accident) and easily concealable for illegal use (such as child pornography, terrorism, or drug trafficking). Law enforcement agencies have increasingly seen surprising practices during arrests. Frequently, individuals engaged in illicit activities try to destroy as much evidence as possible at the time of arrest by physically destroying their SD cards. For this reason, diagnostic processes for recovering information from SD cards are becoming standard practice for many forensic laboratories.
While there are several papers dealing with different stages of data recovery from SD cards, to the best of our knowledge there is no public diagnostic forensic protocol for damaged cards. The closest work is the decision diagram for damaged and undamaged mobile devices (i.e. smartphones) [9]. In [10], [11], the authors discuss how to adapt acquisition and analysis techniques to recover accurate and relevant data from flash memory chips; however, this is under the implicit assumption that they are not damaged. In [12], the authors explain that due to their block-based structure, flash memories are becoming forensics targets but they mainly propose an anti-forensic technique. Although present in most IoT devices, SD cards are rarely considered in recent surveys dealing with IoT forensics [13]- [15], further increasing the potential value of our contribution of a systematic diagnostic forensic protocol for damaged SD cards.
The main contribution of this paper is the proposal of a new forensic protocol for damaged SD cards, which aims at minimizing the risk of additional damage during the diagnostic process. This proposal relies on a simple decisionmaking diagram encompassing the main non-invasive and invasive techniques that law enforcement agencies can use to identify issues while preserving the integrity of the evidence on the damaged card, and then make repairs to enable data extraction. Note that the data extraction step is not covered in this paper.
Our additional contributions are as follows: • Surveying the available non-invasive and invasive techniques applicable to SD cards. • Introducing a new diagnostic technique using an infrared camera to locate and characterize the damage on an SD card. • Detailing the application of the proposed forensic protocol in a real case study.

B. STRUCTURE
Section II introduces the SD card from both hardware and software perspectives. Section III introduces the proposed forensic protocol for SD cards, which uses the developed decision-making diagram and presented diagnostic techniques to determine how to repair damage and conduct data extraction even in the most complex cases. Section IV illustrates the application of the proposed forensic protocol to a real case study and shows the extent to which the diagnostic technique using an infrared camera can minimize the risk of additional damage in forensic conditions. Section V discusses of subsequent data recovery steps not covered in this paper. Section VI concludes the paper.

II. FUNCTIONAL OVERVIEW OF AN SD CARD
(a) SD and micro-SD cards (b) eMMC memory [22] ✗ ✗ B6 ✗: Do not exist by the SD Card Association [18] for interoperability purposes; and (b) one internal bus with the memory dice, for which there are several standards for communication signals (ONFI [19], JEDEC [20], Toggle NAND interface [21]) and no standards for pinout topologies (as illustrated in Figures 17 and 18, pinouts of memory dice with the microcontroller are card-model specific). The external pinouts of these managed systems also have similarities in signals, as shown in Figure 6a for SD and micro-SD cards and in Figure 6b for eMMC. The similarities and differences between pinouts for the different signals are illustrated in Table 1.
Though as illustrated in Figures 17 and 18, pinout patterns (sometimes called debug pads) are card-model specific, it is worth noting that accessing the internal bus can allow direct reading of the memory dice in order to perform complex data reconstruction tasks if, for instance, the microcontroller is malfunctioning.
While the function of a memory die is data storage, the roles of the microcontroller are multiple. The microcontroller performs arithmetic operations, manages data flow, and generates control signals in accordance with a sequence of instructions. Microcontrollers are dedicated to run one specific program. The program is usually stored in the microscontroller's own Read-Only Memory (ROM). All the functions of the SD-card microcontroller are shown schematically in Figure 4.

B. DATA ORGANISATION
As the microcontroller acts as an interface between raw NAND flash memory dice and the host to offer managed data storage, it is in charge of data organisation. It distributes data in the memory plan of the different dice to optimise reading/writing. It also excludes memory areas corrupted during writing or defective as a result of the manufacturing process. In addition, it allows correction of read errors and memory corruption using Error-Correcting Code (ECC).
The microcontroller manages the memory using a system of blocks and pages. The block is the smallest erasable unit. Each block is itself divided into pages, which are the smallest unit of writing and reading.  As illustrated in Figure 7, pages themselves are structured in one or more chunks, which contain usually two areas: the data area where user data are stored, and the spare area containing information about the page (like the page number) and ECCs related to user data. However, this structure varies according to the manufacturer of the microcontroller and the SD card model.
ECCs are important for maintaining data integrity in SD memories. There are multiple sources of bit errors in NAND flash memories (including cell-to-cell interference, charge leakage, read disturbances, and bad transistor programming at writing). This control data allows the management of errors and their correction. These tasks of identification, control, and correction of errors are performed by the microcontroller. Each time a page is accessed, the microcontroller carries out ECC computations. When reading, in order to validate the read data and correct it if necessary 2 , the microcontroller uses the ECC value read, knowing that the read errors can be in the data read or in the ECC value read or in both 3 . Before writing data to be stored, the microcontroller calculates the ECC value to write in the spare data.
To prolong the memory lifetime of an SD card, the microcontroller implements a wear leveling algorithm since NAND flash memory cells usually support around 5000 programming cycles. However, on modern devices using these memories, such as phones and GPS units, data changes are constant. As illustrated in Figure 8, the aim of the wear leveling mechanism is to erase as little as possible in each block, writing the new data in priority over the empty blocks that are least used. It is based on the number of erases in each block, using an incremented counter mechanism. FIGURE 8. Example of new data writing with and without wear leveling in NAND flash memory [9] In the example presented in Figure 8, five blocks are filled with data. Blocks A and B, which will be deleted, are marked as invalid by the system. The blocks are not systematically released in order to preserve the life of the flash memories. Without wear leveling, the new pages (F and G) are written in the first available blocks, in place of the old pages (A and B). But with wear leveling, the first two blocks are marked as having been used once already. Therefore, the new pages are written in the first blocks that have the lowest usage count. In the presence of wear leveling, when a block needs to be modified, the microcontroller copies it with the data modified elsewhere in the memory and connects this new physical address to the logical address; the previous block is marked as invalid. Using the standard external interface of the SD card the data storage is consistent and only the current state of a logical block is accessible. However, using the internal bus, it is possible to access each physical block and thus to access content of interest to forensic experts, such as the previous contents of a logical block (those whose physical blocks have not yet been released).
In addition to wear leveling in SD memory technology, the microcontroller can also implement a garbage collector mechanism [23], which is responsible for managing the free space. Its role is to determine which spaces can no longer be used and to then recover them. If blocks contain pages marked as invalid (i.e. no longer used), the algorithm moves the valid pages to another block, and then frees the initial blocks.

C. EXCHANGE PROTOCOLS AND BASIC OPERATIONS
Like other types of flash memory card, an SD card from any SD family is a block-addressable storage device, in which the host device can read or write fixed-size blocks by specifying their block number.
As illustrated in Table 1, the interface between the host and the SD card uses its own power, control and I/O signals. At power-up from the host (the so called hardware reset), the microcontroller is in an idle state and waits to receive commands from among the 64 defined in [18]. The first is the CMD0 command to define the bus mode: SD or SPI mode. At this stage, the bus is 1 bit in width and so only DAT0 is used for data transfers. However, the host can configure the device to use a wider data bus, DAT0-DAT3 or DAT0-DAT7, for data transfer in SD mode.
Commands sent by the host to the microcontroller can be read or write commands for single or multiple blocks as illustrated in Figures 9 and 10. . Protocol between the host and the microcontroller for read operation in SD mode [18] FIGURE 10. Protocol between the host and the microcontroller for write operation in SD mode [18] Thus, when the microcontroller receives a command to read one or more blocks, it will use the appropriate protocol on the bus connecting it to the memory dice (mostly ONFI [19] -even if other standards exist, such as JEDEC [20], Toogle mode [21]), to read the data from the requested block(s) before sending them to the host after ECC corrections. Similarly, when receiving a write command and the data to be stored, the microcontroller will use the same bus and the appropriate protocol to write data to the memory dice after the calculation of the ECC correction data. VOLUME 4, 2016

III. PROPOSED FORENSIC PROTOCOL USING DIAGNOSTIC TECHNIQUES
The SD card initial diagnostic is basically not different from a classic failure analysis [24], the main goal being to find the defect without accentuating it. The first step, when the sample is received, is to proceed with non-invasive handling before making tests electrically. Based on an analysis of several samples with different and unknown damage levels, the following global decision diagram is proposed ( Figure 11). The proposed decision diagram can be developed in two sub-parts. The non-invasive part ( Figure 12) is composed of steps that should not modify data contained in memories if the forensic expert proceeds appropriately. In contrast, the invasive part ( Figure 13) can accentuate defects and lead to data loss. For this reason it is located in the second part of the decision diagram. This part of the diagram is only applied if the non-invasive part has been inconclusive. For each of the steps, the transition options are presented as well as the possible repairs, which are discussed later.

A. NON-INVASIVE DIAGNOSTICS
The main goal of the non-invasive analysis is to locate possible defects in the SD card package without accentuating  • optical inspection; • 2D and 3D X-Ray observations; • scanning acoustic microscopy analysis. Each of these processes is detailed below.

1) Optical inspection
Using a binocular microscope, a forensic expert looks for cracks in the package (Figure 14a). Any abnormal curvature of the card is also searched since this can create important mechanical stresses on the chips. Inspection of the printed circuit boards (PCBs) is also performed in order to find cutting tracks, which could block internal communication between the microcontroller and the memory dice (Figure 14b). If defects are located, it is possible to characterize them to determine whether they are just superficial or whether they affect the integrity of the card.
Another aspect looked for in optical inspection is the presence of corrosion. When such media have been in prolonged contact with water, the exposed metal elements are attacked. The areas of the SD card under the varnish or with a gold coating are protected. Thus, one objective of optical inspection is to find whether humidity is present and to investigate how it has entered the package. If the presence of humidity is suspected, the use of a Scanning Acoustic Microscope (SAM) can determine the propagation of corrosion in order to estimate the damage.

2) 2D and 3D X-Ray observations
Complementary to the optical inspection, X-Ray inspection allows further internal diagnosis. The realization of a 2D view from the top of the sample, then from the side, allows investigators to search for structural anomalies such as damaged or missing bondings at the chip level. However, this type of observation does not always make it possible to correctly differentiate the elements and their layers. It is thus preferable to carry out a 3D acquisition and reconstruction [25] to allow forensic experts to identify the levels between the PCB and the bondings, and thus to better locate possible defects [26]. Figures 15 and 16 show a break in the silicon through the active copper layer of the memory dice. This defect was not visible during the optical inspection step. However, with the X-Ray analysis, the forensic expert has additional information for repairing the sample. A 3D image acquisition allows observation of the different slices of the sample on each axis. From the images obtained in 3D X-Rays, a forensic expert can reverse engineer the different signals by using the GIMP drawing tool to colorize the copper tracks: (a) those between the microcontroller and the external pins of the SD card (i.e. those that are in contact with the host's reader); and (b) those between the microcontroller and the memory dice (Figures 17 and 18). The next step of the analysis is to assign a function for each color. With the aim of identifying signals, forensic experts can compare identified tracks with existing databases. For example, the "PC-3000 Flash" database [27] (from ACE Lab [28]) can help to make the identification and reverse engineering operations much faster by comparing the internal bus pinout topology with the existing database. This technique and the analysis of each layer make it possible to know which circuits correspond to the ground, through which the data are transferred, and which are the circuits through which the microcontroller receives commands and sends actions to be performed. However, identified tracks need to be physically verified by checking each output signal since similar internal bus pinout topologies may be used on different SD cards to route different signals.
In the example presented in Figure 18, a comparison of the copper level of an unknown card with the "PC-3000 Flash" database ( Figure 19) allows the forensic expert to very quickly obtain a description of the pinout topology for the VOLUME 4, 2016 internal bus between the microcontroller and the memory dice ( Figure 20).  . SD card pin identification from the "PC-3000 Flash" database [27] When the pinout topology does not exist in the database, forensic experts can use a similar card (i.e. with identical internal components: sometimes, cards of the same model and brand can be externally identical but internally different). A logic analyzer is connected to both the external and the internal buses in order to identify the signals on each track.  Figure 19 Having found a description of the pins connecting the microcontroller 4 , it is also possible to schematize it as illustrated in Figure 21 to assist in the diagnostic process.  To summarize, X-Ray observations, specifically 3D X-Ray tomography images, are very powerful when the card to be diagnosed is an unknown model (e.g. in the event of an air crash or an explosion) since it is essential to be able to identify the card model during the diagnostic process. However, forensic experts should be aware of the possibility of introducing incorrigible bit errors [29] when using X-Rays on multilevel flash memories [30]. As with every method, forensic experts must carefully evaluate the pros and cons.

3) Scanning acoustic microscopy analysis
Acoustic scanning is an observation technique that can determine the presence of air in a component package by using the propagation of an acoustic wave in water. The sample is immersed in water while a probe projects an acoustic wave in the order of 10 to 100 MHz. This wave will pass through several successive media: first the surrounding water, then the component package, and finally the chips. Without air in the package, the signal is returned with the same phase as the signal emitted. With the presence of air in the package, the signal is disturbed. By scanning the sample on three axes, the microscope will produce an image indicating the so-called delamination areas and the healthy areas ( Figure 22). On Figure 22, the delamination area, highlighted in red, means that moisture is able to penetrate into the package in that region, causing a risk of corrosion.

FIGURE 22. Example of delamination on a sample lead frame viewed with a SAM analysis [31]
This technique is widely used in failure analysis laboratories in the search for and diagnosis of several structural defects [32]. This is an extra way for non-invasive diagnosis to observe moisture propagation in the component. An SD card has a resin and varnish package, showing only the metal pins for communication with the host. These pins are coated with gold to protect them from degradation. The other metal parts are protected by the package. If a crack or a scratch appears in the resin or varnish, moisture can infiltrate and create an area of corrosion. If the die is corroded, data retrieval will not be possible. However, if corrosion is on a track, the signal could be cut, making the SD card nonfunctional. As illustrated in Figure 12, the decision-making diagram allows the subsequent use of 3D X-Ray observation to identify this type of defect, enabling repair of the assembly defect, which is not covered in this paper.

B. INVASIVE DIAGNOSTICS
Invasive diagnostics are not without risk to the sample. In the context of forensic expertise, it is important that the nature and traceability of the evidence are guaranteed. Specifically, in the context of a legal investigation, invasive diagnostics can only be used after having obtained authorization from a judge. Indeed, an invasive technique can alter or destroy information by accentuating or creating a defect. For this reason, an invasive technique should always be thoroughly practiced and mastered. Training and a good knowledge of the procedures are therefore very important before using the following techniques: • basic electrical tests; • infrared analysis; • chemical sample opening. Each of these is detailed below.

1) Basic electrical tests
The purpose of this analysis is not to study the card during operation but to look for potential faults in the junctions at the level of the input/output signals. So-called active electronic circuits, such as memory dice or microcontrollers, are based on CMOS technology [33]. Therefore, they have protection diodes on the input, output or bidirectional signals; the direction of the diode varies depending on the nature of the signal. These diodes, induced by the transistors which drive the signals, are connected either to the power or to the ground (GND) of the component ( Figure 23) and are easily observable with a multimeter [34]. By positioning probes between a signal and the ground, it is possible to observe either a functioning diode (meaning correct operation), or a short-circuit or an open circuit (meaning a failure of the signal).

FIGURE 23. Electrical behaviour of inert nMOS transistor
By scanning each input/output of each component of the SD card in this way; i.e. the microcontroller and memory dice, the faulty element in the chain can be located. According to Figure 13, a forensic expert can check the die impacted by searching for anomalies with 3D X-Rays to decide what type of repair can be conducted.

2) Infrared analysis
An infrared camera, also called a thermal camera, records the infrared radiation (also called heat waves) emitted from an object, which will vary according to the object's temperature (Planck's law [35]). On a theoretical level, infrared wavelengths cover the range from 780 nm to 1 µm, but the cameras used in electronics work on a range from 2 µm to 15 µm. Infrared cameras capture a matrix of thermal points, producing a color-scale image. This technique has the drawback of being ineffective on reflective areas. Consequently, VOLUME 4, 2016 areas with a mirror effect, such as the rear faces of silicon chips or raw metal shields, will appear on the images as heat sinks, distorting the statistical analysis of the image (Figures 24a and 24b). Despite this minor drawback, this technique makes it possible to identify anomalous areas of high heat (or abnormally low heat), and to highlight a defect. In general, the study of a sample is carried out in comparison with a control sample (i.e. a similar functional product). This principle allows comparison of hot and cold spots to identify differences in behavior between the two samples. The thermal camera highlights transient effects, which are normally difficult to detect (Figure 25). According to Figure 13, identifying such issues enables a forensic expert to check relevant failures using 3D X-Ray images to then decide whether and how these failures can be repaired.
In this example of image acquisitions using an infrared camera, the micro-SD card is detected by the computer but the reading and writing processes are not possible. The computer offers only the possibility to format the card. In this initial state, the micro-SD card is powered on (Figure 25a), then the card is requested for reading by the host. As shown in Figures 25b, 25c and 25d, heat builds up very quickly in half of the microcontroller. In order to preserve the card, the forensic expert observing this phenomenon has to be ready to stop the experiment immediately. A difference in overall coloration of Figures 25a, 25b and 25c can be observed due to the auto-calibration of the camera. The difference in coloration between Figures 25c to 25g is due to heat propagation and dissipation in the micro-SD card package. With such analysis, it is difficult to accurately identify the starting point of the fault and the evolution of heat. It is possible that: • The temperature will continue to increase until it reaches a threshold that is dangerous for the integrity of the chip materials. In this case, the forensic expert must be ready to stop the process to cool the controller. The experiment will have made it possible to identify the faulty chip but not the precise location. In this case, there is no stabilized state that could be qualified as a final state. • The temperature will stop increasing, which allows the camera to adapt and therefore to provide a more precise image of the area where the fault is located. In this case, there is a stabilized state that can be called a final state. This is the moment when the system has reached a thermal equilibrium, allowing the expert to make a precise observation without risk of degradation of the sample. When using an infrared camera, a challenge for the forensic expert is to determine whether the sample will reach a final state (and thus a stabilized state). The forensic expert will have to launch several image acquisitions to validate the assumption, each time on a slightly longer time base, until a stabilized state is reached.
Returning to our example, the temperature of the micro-SD card stops increasing. The camera therefore succeeds in defining the intense heat zone, as shown in Figures 25e and 25f. In the final state (Figure 25g), the forensic expert can distinguish a warm-up point on the left of the map not far from the row of bondings. By comparing the timing of the acquisition and the operations carried out on the micro-SD card, it can be shown that the connection of the micro-SD card to the computer (and therefore the power-up) did not cause an operating fault. However, it establishes there is an internal fault in the transistors in the microcontroller, which prevents the forensic expert from accessing the data. As explained before and according to the decision diagram (Figure 13), the forensic expert must check, using 3D X-Ray analysis, whether the failure is visible in order to then decide to switch to either a reparation or to a chemical opening of the sample to search for the failure inside.

3) Chemical sample opening
This is the most destructive technique that can be used to diagnose a fault [36] as it will remove the protective resin from the chips to expose them [37]. There are several chemical solutions that can achieve this, but the most common is to locally deposit drops of fuming nitric acid 100 % previously heated to 90°C to carry out a localized attack on the chips [24]. There are several constraints on using this technique. First, the area of attack must be identified with an X-Ray view and then the concentrated acid must be applied at the right place. The attack must also be controlled to expose only the silicon without overexposing other elements, such as bonding, or copper PCB, which would be severely damaged. To avoid this problem, it is possible to change the process by modifying the attack temperature, the nature of the chemical, or the nature of a possible mixture. The most commonly used solution is a mixture of fuming nitric acid 100 % diluted to 60 % in sulfuric acid heated to only 40°C [38]. This chemical attack, although it takes longer to set up, keeps the copper elements safe and therefore keeps the SD card functional [39]. An alternative to manual etching is to use a machine designed for the chemical opening of components ( Figure 26). There are several brands of equipment on the market and the investment is worthwhile for batch processing or for repeatability requirements.
Another way to accelerate the chemical attack is by using laser ablation. Using a laser, the forensic expert can start by making a window in the resin at the location of the defect, removing much of the resin (Figure 27). The acid applied will be directed and centralized by laser ablation through the hole that has been created. The exposure time to acids will be considerably reduced, in order to increase the chances of success [41].
The purpose of implementing all of these techniques together is to determine the origin of the card malfunction, in order to identify which chip(s) is affected. As already introduced in part III, each chip has a function but the main objective was to be able to extract the data. The main focus is on the memory chips and a failure of this element definitively stops the study.

IV. CASE STUDY
The case study presented is related to a non-functional SD card. Before presenting the work performed on this media, it is important to specify the context and the rules that must be respected when receiving a sample.

A. CONTEXT
In France, as in many other countries, expertise is not centralized in a single laboratory. There are indeed several laboratories, each with forensic experts who have their own technical specializations. In addition to the state forensic laboratories, depending on the rules applied by law enforcement agencies, there are private laboratories that handle cases for a fee. Due to the plurality of actors, evidence arriving in a laboratory has a past. Although the forensic expert has the context of the origin of the evidence, he/she does not have direct access to the history of the actions carried out by other laboratories on it. Therefore, the reception state of the sample is considered as the original state. Any crack, scratch, or curvature of the sample must be considered as original and treated as such. VOLUME 4, 2016

B. SAMPLE PRESENTATION
The sample in the case study is an SD card ( Figure 28). First, it can be seen that the plastic package enveloping the dice and the PCB has been removed. No writing is visible on the PCB or on the resin. It is therefore not possible to directly obtain the manufacturer, model or memory size of the card. However, some information can be inferred. For instance, the bus topology of the SD interface is that of a UHS-II card, which suggests a recent card designed for fast communication, with a huge memory size. It will be possible with a 2D X-Ray analysis to observe the design of the PCB tracks, which can sometimes suggest a manufacturer. According to the information from the requester, the SD card is recognized when inserted in a reader, but requests formatting, and access to current data is not possible. The purpose of the expert analysis is to access the data contained in this SD card. To do so, the protocol described in Figure 11 is strictly applied to initiate the diagnostic phase and orient the expertise according to the results obtained. Then the necessary repair protocol will be applied to recover data.

C. NON-INVASIVE SAMPLE ANALYSIS 1) Optical inspection
According to the proposed forensic decision diagram, an optical inspection is performed ( Figure 28). With regard to the resin, no crack, delamination or any other defect can be observed. Looking at the PCB, an abrasion has been carried out at the level of the memory debug pads (Figure 29). This polishing may have several origins, either accidental or deliberate by another laboratory during an attempt to perform a diagnosis. Given the shape and position of this polishing, the diagnostic hypothesis is prioritized. Moreover, it was correctly performed because no track was damaged.
As the optical inspection does not provide information about the defect in the card, the next step in the decision diagram ( Figure 12) is performed. In the absence of visible delamination and without any indication of immersion, use of the SAM can be omitted to focus on the next stage: X-Ray observations. Since no anomalies were observed during optical inspection, an X-Ray observation is performed. First, the observation is made in two dimensions, looking for identifiable defects. Due to the density of the elements constituting this SD card, some areas in the images appear difficult to interpret. Since the 2D analysis does not show any visible damage, a 3D examination is carried out to collect more information.
As mentioned previously, 3D tomography is the most effective way to locate a structural anomaly in a complex technological stack. For the case study, Figure 30 shows the layers of interest in the SD card. Two of them are the PCB layer on the chip side ( Figure 30a) and the PCB layer on the debug pads side (Figure 30b), on which there are no cutting tracks. The others points of interest are the dice (Figure 30c) and their bondings (Figure 30d). However, the images show no defects and the X-Ray observation being the last noninvasive step in the decision diagram (Figure 12), the next phase is invasive diagnostics.

D. INVASIVE SAMPLE ANALYSIS
As described in Figure 13, the first step involves electrical tests.

1) Electrical tests
The behavior of the SD card described in section IV-B indicates a recognition by the host of the SD card but not of the file system. This information would indicate that the electrical behavior of the microcontroller is normal. To verify this, a diode test with a multimeter is performed on the external pads of the SD bus. This test being conclusive, a second analysis is performed at the level of the debug pads present between the memory and the microcontroller. This test also being conclusive, there is no shortcut between the signal and the power supply on the dice of the SD card. This conclusion allows the forensic investigator to move on to the next step in the decision diagram ( Figure 11): infrared camera analysis. To evaluate potential defects as reflected by the temperatures measured using an infrared camera, a comparative thermal analysis is performed on the case study ( Figure 32) and on a control sample ( Figure 31). To execute the test, the SD card is connected to a host by a card reader controlled by a script, powering on the card and then reading 500MB of data at a random address. This piloting phase, taking a few seconds, is performed while the card is placed under the infrared camera.
In the initial state, the card has not been driven and it is at rest. The whole of the card has a homogeneous coloring and therefore a homogeneous temperature of 26°C ( Figure 31a). As soon as the script is started, the host powers up the card. A minimal color change is observed in the top left corner (Figure 31b), corresponding to the position of the microcontroller die according to the X-Rays (Figure 30c). Then the host switches to data reading mode and executes multiple successive requests. This action has the effect of increasing the functioning of the microcontroller (Figure 31c). The temperature of the microcontroller changes to 27°C and continues to increase as shown in Figure 31  In contrast to the behavior of the sample control, the case study card shows an increase in temperature at the memory from the initialization phase (Figure 32b). This is the hot spot at the bottom right. When the script switches to the reading phase, the rise in temperature at the memory is even more noticeable (Figure 32c) and increases with time ( Figure 32d). In view of the result, the analysis is stopped in order to avoid further damage to the card.
Analysis of the infrared camera images ( Figure 32) and X-Ray images (Figure 30c) confirms the position of the fault in the memory, at the position of a series of bondings. Considering that the component is in a rigid package, it is normally not possible for the bondings to move and to touch each other. There are therefore two hypotheses that can explain the phenomenon. The defect may be in the bondings, and in this case the temperature has increased enough to melt the resin to allow the bondings to join. Alternatively, fusion of the circuitry has occurred internally in the die (i.e. fusion of the silicon, silicon oxides and tracks). At this stage of the analysis, it was not possible to proceed because further investigation would require a chemical opening to observe the bondings and the surface of the dice. We did not have access to a chemical laboratory to continue investigations. However, the aim of this case study was not to perform all the steps of the proposed forensic decision diagram ( Figure 11) but to illustrate its practicability for forensic experts in the choice of diagnostic techniques to be used, both to save time and to reduce the risk of creating additional damage in the sample.

V. DISCUSSION
This paper, to the best of our knowledge, has introduced for the first time the possibility of using an infrared camera as a diagnostic method in forensic protocols for digital devices. However, this method must be classified as an invasive method since the infrared diagnosis requires the SD card to be powered on, which increases the risk of accentuating or creating a fault not previously diagnosed 5 .
At the end of the diagnostic process using the decisionmaking diagram, providing a "data lost" state has not been reached, the next steps are first the reparation of the SD card, which is out of the scope of this paper (some examples can be found in [7], [9]) and then the reading of data either via the external interface or by interfacing directly with the memory dice 6 , for instance if the microcontroller is out of service. After the physical reading of data from the memory dice, the task faced by forensic experts is complex. To obtain exploitable data from the raw data, they have to reproduce all the operations of the microcontroller but without the same level of knowledge (e.g. how data are spread among the different dice and the ECC algorithm is often unknown). Among the different operations from the raw dump, forensic experts will have to remove manufacturing memory defects in the dice (called "bad columns"), to find page structures and to find the ECC type used to then correct the pages in the dump accordingly (and if ECC data are not sufficient, they will have to read corrupted areas again), to find the right XOR key (which can be dynamic) to get access to page contents and finally to reassemble all blocks and their pages in the right order to produce an image containing partitions and file systems. For these tasks, forensic experts can use software like PC-3000 Flash [42] or VNR (Visual Nand Reconstructor) [43].

VI. CONCLUSION
In the context of forensic investigations, experts are increasingly collecting evidence from removable memory devices, particularly the popular SD cards. These cards are used everywhere, including by criminals (from small-scale traffickers using them as data storage in their mobile phones to international mobs using them as key stores to encrypt data on high security smart phones). In addition, following air crashes, terrorist attacks or explosions, the judges in charge of investigations are now systematically requesting the extraction of digital data to understand the crime scene from videos that may have been filmed during the incidents.
These two examples illustrate that forensic experts have more cases to handle and they need to adapt their protocols by developing new diagnostic techniques, which were until now very marginal. Therefore, the main contribution of this study is the proposal of a new forensic protocol for damaged SD cards, which aims at minimizing the risk of creating additional damage during the diagnosis of existing damage. Since it relies on a simple and effective decision-making diagram encompassing the main non-invasive and invasive techniques, it strengthens the ability of law enforcement agencies to successfully handle more cases. In addition, for the first time, a new infrared diagnostic technique has been introduced to highlight transient effects that are potentially dangerous for data preservation and not visible by other conventional methods.
In future work, the new infrared diagnostic technique will be studied further and innovative repair methods to obtain the raw data will be explored.