Standard Practice for Examining Magnetic Card Readers

SIGNIFICANCE AND USE
4.1 As a skimming device is not typically deemed contraband in of itself, it is the responsibility of the examiner to determine if the device contains unauthorized account information. The purpose of this practice is to describe best practices for seizing, acquiring, and analyzing the data contained within magnetic card readers.  
4.2 Limitations—Skimmers present unique examination challenges due to:  
4.2.1 Rapid changes in technology;  
4.2.2 Difficulty of device disassembly;  
4.2.3 Use of alternate/repurposed components;  
4.2.4 Use of encryption or examination countermeasures, or both;  
4.2.5 Multiple data encoding/modulation formats;  
4.2.6 Prevention of chip identification by obfuscation of the device;  
4.2.7 Availability of training and documentation;  
4.2.8 Lack of chip information/documentation;  
4.2.9 Lack of adapters available for chip reading;  
4.2.10 Expense of available equipment used in chip removal and reading;  
4.2.11 Lack of software’s ability to support reading chip data; and  
4.2.12 Lack of commercial software available to analyze encrypted data extracted from skimmers.
SCOPE
1.1 Magnetic card readers, when used for illegal purposes, are commonly referred to as skimmers. This practice provides information on seizing, acquiring, and analyzing skimming devices capable of acquiring and storing personally identifiable information (PII) in an unauthorized manner.  
1.2 This standard cannot replace knowledge, skills, or abilities acquired through education, training, and experience and is to be used in conjunction with professional judgment by individuals with such discipline-specific knowledge, skills, and abilities.  
1.3 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of regulatory limitations prior to use.  
1.4 This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.

General Information

Status: Published
Publication Date: 31-May-2019
Technical Committee: E30 - Forensic Sciences

Relations

Effective Date: 01-Mar-2019
Effective Date: 01-Nov-2018
Effective Date: 01-Jun-2013
Effective Date: 15-Aug-2010

Overview

ASTM E3017-19: Standard Practice for Examining Magnetic Card Readers provides comprehensive guidelines for the seizure, acquisition, and analysis of magnetic card readers, particularly those used as skimming devices for unauthorized collection of personally identifiable information (PII). The standard, developed by ASTM International, recognizes that the use and examination of skimming devices requires specialized skills and is intended as a complement to professional training and established forensic procedures.

This standard addresses the rapid evolution of skimming technology, the diverse configurations of skimming devices, and the challenges presented by encryption and proprietary encoding methods. ASTM E3017-19 is an essential tool for forensic examiners, law enforcement, and security professionals managing digital evidence involving magnetic card skimmers.

Key Topics

  • Types of Skimming Devices: Categorizes skimmers into hand-held, altered hand-held, and custom devices, each with unique forensic challenges.
  • Seizure and Handling: Offers best practices for collecting skimming devices and associated evidence, emphasizing preservation of integrity and chain of custody.
  • Data Extraction: Outlines methods and technologies for retrieving stored card data, whether stored in analog or digital form, and notes the frequent challenges of component obfuscation and encryption.
  • Data Analysis: Provides guidance on analyzing extracted data, understanding track layouts in accordance with ISO/IEC standards, and handling encoded or encrypted files.
  • Limitations and Challenges: Discusses obstacles such as rapidly changing technology, diverse and repurposed hardware, lack of documentation, and limited commercial analysis tools.

Applications

ASTM E3017-19 is applied in various scenarios where identification and investigation of skimming devices is required, including:

  • Forensic Investigations: Used by digital forensic examiners and law enforcement to lawfully collect and analyze evidence from skimming devices found at ATMs, point-of-sale terminals, gas pumps, and access control systems.
  • Security Assessments: Enables IT and physical security professionals to understand and detect unauthorized devices intended to collect magnetic stripe card data.
  • Fraud Prevention: Assists financial institutions and payment processors in identifying attack vectors used by criminals to illegally collect customer data.
  • Prosecution Support: Provides standardized procedures and terminology that can support the admissibility of forensic evidence in legal proceedings.

The standard emphasizes that forensic examiners should adapt their examination processes based on the unique design of each device and should consult relevant international standards to interpret card data formats.

Related Standards

ASTM E3017-19 references several established standards and best practices to support effective examination of magnetic card readers:

  • ASTM E2763: Practice for Computer Forensics (withdrawn 2019; relevant for foundational forensics practices)
  • ASTM E2916: Terminology for Digital and Multimedia Evidence Examination
  • ISO/IEC 7811, 7812-1:2017, 7813:2006: Standards on identification cards and financial transaction cards, establishing key card data formats
  • SWGDE Best Practices: Recommendations for chip-off techniques, computer forensics, and validation testing
  • ANSI X4.16: Standard for magnetic stripe encoding used in financial transaction cards

Complying with ASTM E3017-19 ensures a standardized, reliable approach to the forensic examination of skimming devices and supports international harmonization efforts concerning digital evidence and card data security.

Keywords: ASTM E3017-19, magnetic card reader, skimming device, forensic examination, digital evidence, PII security, card skimmer forensics, data extraction, card fraud prevention, international standards

ASTM E3017-19 - Standard Practice for Examining Magnetic Card Readers

English language (17 pages)

Frequently Asked Questions

ASTM E3017-19 is a standard published by ASTM International. Its full title is "Standard Practice for Examining Magnetic Card Readers".

ASTM E3017-19 is classified under the following ICS (International Classification for Standards) categories: 35.240.15 - Identification cards. Chip cards. Biometrics. The ICS classification helps identify the subject area and facilitates finding related standards.

ASTM E3017-19 has inter-standard links to the following standards: ASTM E2916-19, ASTM E2916-18, ASTM E2916-13, ASTM E2763-10. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.


Standards Content (Sample)


This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.

Designation: E3017 − 19 An American National Standard
Standard Practice for Examining Magnetic Card Readers

This standard is issued under the fixed designation E3017; the number immediately following the designation indicates the year of original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A superscript epsilon (´) indicates an editorial change since the last revision or reapproval.

This practice is under the jurisdiction of ASTM Committee E30 on Forensic Sciences and is the direct responsibility of Subcommittee E30.12 on Digital and Multimedia Evidence. Current edition approved June 1, 2019. Published June 2019. Originally approved in 2015. Last previous edition approved as E3017 – 15. DOI: 10.1520/E3017-19.
Copyright © ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959. United States

1. Scope
1.1 Magnetic card readers, when used for illegal purposes, are commonly referred to as skimmers. This practice provides information on seizing, acquiring, and analyzing skimming devices capable of acquiring and storing personally identifiable information (PII) in an unauthorized manner.
1.2 This standard cannot replace knowledge, skills, or abilities acquired through education, training, and experience and is to be used in conjunction with professional judgment by individuals with such discipline-specific knowledge, skills, and abilities.
1.3 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of regulatory limitations prior to use.
1.4 This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.

2. Referenced Documents
2.1 ASTM Standards:
E2763 Practice for Computer Forensics (Withdrawn 2019)
E2916 Terminology for Digital and Multimedia Evidence Examination
2.2 ISO Standards:
ISO/IEC 7811 Identification Cards—Recording Technique
ISO/IEC 7812-1:2017 Identification Cards—Identification of Issuers—Part 1: Numbering System
ISO/IEC 7813:2006 Information Technology—Identification Cards—Financial Transaction Cards
2.3 SWGDE Standards:
SWGDE Best Practices for Chip-Off
SWGDE Best Practices for Computer Forensics
SWGDE Recommendations for Validation Testing
SWGDE Tech Notes Regarding Chip-Off via Material Removal Using a Lap and Polish Process
2.4 ANSI Standards:
ANSI X4.16 Financial Services—Financial Transaction Cards—Magnetic Stripe Encoding

For referenced ASTM standards, visit the ASTM website, www.astm.org, or contact ASTM Customer Service at service@astm.org. For Annual Book of ASTM Standards volume information, refer to the standard’s Document Summary page on the ASTM website.
The last approved version of this historical standard is referenced on www.astm.org.
Available from National Institute of Standards and Technology (NIST), 100 Bureau Dr., Stop 1070, Gaithersburg, MD 20899-1070, http://www.nist.gov.
Available from the Scientific Working Group on Digital Evidence (SWGDE), https://www.swgde.org.
Available from American National Standards Institute (ANSI), 25 W. 43rd St., 4th Floor, New York, NY 10036, http://www.ansi.org.

3. Terminology
3.1 Definitions:
3.1.1 For definitions of terms used in this practice, refer to Terminology E2916.
3.2 Definitions of Terms Specific to This Standard:
3.2.1 parasitic skimmer, n—a type of device manufactured for the capture of account data from magnetically encoded cards that operates in-line with the original ATM, gas pump, or other card reading device.
3.2.2 start sentinel, n—a 5-bit binary sequence, or equivalent ASCII character, used to signify the beginning of track data. (See ISO/IEC 7813:2006.)
3.2.3 skimmer, n—a magnetic card reader, specifically when used for an illegal purpose.
3.2.4 skimming, n—using a skimmer to acquire PII in an unauthorized manner.
3.2.5 swipe, v—to manually pass a magnetically encoded card through a card reader device to transfer information from the card.
3.3 Acronyms:
3.3.1 ADPCM, n—adaptive pulse code modulation
3.3.2 AES, n—advanced encryption standard
3.3.3 ASCII, n—American standard code for information interchange
3.3.4 BIN, n—bank identification number
3.3.5 BFSK, n—binary frequency-shift keying
3.3.6 CVV, n—card verification value
3.3.7 CVV2, n—card verification value 2
3.3.8 EEPROM, n—electrically erasable programmable read only memory
3.3.9 IIN, n—issuer identification number
3.3.10 PAN, n—primary account number
3.3.11 PCM, n—pulse code modulation
3.3.12 PII, n—personally identifiable information
3.3.13 PIN, n—personal identification number
3.3.14 USB, n—universal serial bus
3.3.15 XOR, n—exclusive or
3.3.16 ZIF, adj—zero insertion force

4. Significance and Use
4.1 As a skimming device is not typically deemed contraband in of itself, it is the responsibility of the examiner to determine if the device contains unauthorized account information. The purpose of this practice is to describe best practices for seizing, acquiring, and analyzing the data contained within magnetic card readers.
4.2 Limitations—Skimmers present unique examination challenges due to:
4.2.1 Rapid changes in technology;
4.2.2 Difficulty of device disassembly;
4.2.3 Use of alternate/repurposed components;
4.2.4 Use of encryption or examination countermeasures, or both;
4.2.5 Multiple data encoding/modulation formats;
4.2.6 Prevention of chip identification by obfuscation of the device;
4.2.7 Availability of training and documentation;
4.2.8 Lack of chip information/documentation;
4.2.9 Lack of adapters available for chip reading;
4.2.10 Expense of available equipment used in chip removal and reading;
4.2.11 Lack of software’s ability to support reading chip data; and
4.2.12 Lack of commercial software available to analyze encrypted data extracted from skimmers.

5. Technical Background
5.1 As skimmers are often unique in design and implementation, examination processes vary depending upon the category or type of device, or both.
5.2 In general, skimmers may be broken down into the following three categories:
5.2.1 Hand-held,
5.2.2 Altered hand-held, and
5.2.3 Custom.
5.3 The processes used in examinations vary greatly depending on the device itself and the manner in which the stored information is encoded.
5.4 Skimmer Examples:
5.4.1 Hand-Held—Manufactured primarily for legitimate uses, for example, registering attendance at a conference, handheld skimmers can also be used for illegitimate purposes, for example, a collusive waiter that will skim customers’ credit cards (see Fig. 1).
FIG. 1 Example of a Hand-Held Skimmer
5.4.2 Altered Hand-Held—It is common for commercial skimmer devices to be dismantled and used for parts (cannibalized). These devices are commonly seized from automated teller machines (ATMs), bank point of sale terminals, and gas pumps (see Fig. 2). Commercial skimmers can be altered by adding wireless functionality, for example, the addition of a Bluetooth module (see Fig. 3) used to remotely download stolen track data.
FIG. 2 Example of an Altered Hand-Held Skimmer
FIG. 3 Example of an Altered Hand-Held Skimmer with Bluetooth
Bluetooth is a trademark of Bluetooth SIG, Inc., Kirkland, WA.
5.4.3 Custom—Custom manufactured devices use many different circuit designs (see Fig. 4) and typically employ varied data encoding, modulation, and encryption schemes. These skimmers can be combined with a pinhole camera or a keypad overlay to capture the personal identification number (PIN) of the account holder.
FIG. 4 Example of a Custom Skimmer
5.4.3.1 As it is common in some larger metropolitan areas for ATMs to require a customer to use their account card for entry to a vestibule, subjects can implant foreign circuitry into the door reader (see Fig. 5).
FIG. 5 Example of a Custom Skimmer (Door)
5.4.3.2 As previously noted, skimming devices may have the capability to output captured data by means of wireless communication methods (see Fig. 6). These devices transmit their data in real-time or batch mode. Transmission protocols of these devices vary.
FIG. 6 Example of a Cellular Enabled Skimmer
5.4.3.3 Similar to the altered handheld devices, custom skimmers can use Bluetooth transmission technology (see Fig. 7 and Fig. 8).
FIG. 7 A Bluetooth Custom Skimmer
FIG. 8 A Bluetooth Custom Skimmer Secreted Inside a Gas Pump
5.4.3.4 In addition to Bluetooth and Global System for Mobile Communications (GSM) modules, skimmers can be remotely accessed through other transmission technologies, to include ZigBee radio (see Fig. 9).
FIG. 9 A ZigBee Radio Recovered from the Interior of a Gas Pump
ZigBee is a trademark of ZigBee Alliance in San Ramon, CA.
5.4.3.5 Skimmers used on ATMs typically will capture both the data on the card and a user’s PIN number. As noted above, the method to capture the user’s PIN could be a completely different device, but even if that is true, the PIN information could be sent to storage on the same skimming device that is capturing the track data (see Fig. 10). That information can be saved on flash chip(s) or a secure digital (SD) card, as seen in Fig. 11.
FIG. 10 Front View of a Skimmer Using Separate Boards for Capturing Track Data and PINs
FIG. 11 Rear View of a Skimmer Using Separate Boards for Capturing Track Data and PINs
5.4.3.6 Some ATM skimmers may be affixed to the front of an ATM, others are secreted inside the card slot (see Fig. 12). Many of these types of skimmers will read data from a chip-enabled card.
NOTE 1—Just because data is skimmed from a chip, does not mean that the subject can use that data to create future, fraudulent transactions.

5.5 Card Data/Structure—Understanding the manner in which credit and debit cards store their data is important. The ability to decode skimmer-stored information relates to how data is stored on the magnetic stripe of a card.
5.5.1 Fundamentals of Track Data:
5.5.1.1 The International Standards Organization (ISO) created ISO/IEC 7812-1:2017, which specifies, “a numbering system for the identification of issuers of cards that require an issuer identification number (IIN) to operate in international, inter-industry and/or intra-industry interchange.”
5.5.1.2 The primary account numbers are generally 15 or 16 digits in length but may be as short as 12 (Maestro) or as long as 19 (China UnionPay). The credit card companies have reserved prefixes, for example, American Express credit cards begin with 34 or 37. Credit card processors use the Luhn algorithm (see ISO/IEC 7812-1:2017) to ensure the integrity of the primary account number (PAN).
Maestro is a trademark of MasterCard International Incorporated in Purchase, NY.
China UnionPay is a trademark of China UnionPay Co., Ltd., in Shanghai, China.
American Express is a trademark of American Express Marketing and Development Corp. in New York, NY.
5.5.1.3 Applications such as access control, identification, and driver licenses have developed their own custom formats for each track. This capability to reformat the content of each track has allowed magnetic stripe card technology to expand into many industries.
5.5.1.4 As defined for financial industry applications, the magnetic stripes carry three tracks of data:
(1) Track 1—Track 1 contains alphanumeric information for the automation of airline ticketing or other transactions in which a reservation database is accessed. In addition to the account number and expiration date, this track contains the account holder’s name.
(2) Track 2—Track 2 contains numeric information for the automation of financial transactions. While this track does not contain the account holder name, it does contain the electronic card verification value (CVV). This track is read by systems that require a PIN, for example, ATMs.
(3) Track 3—Track 3 contains information that is intended to be updated (re-recorded) with each transaction, for example, cash dispensers that operate off-line. This track is rarely used and is not of forensic value in most financial fraud investigations.
5.5.2 Card Verification Value (CVV)—This code is recorded on the second track of a card and used to verify the card is present during a transaction.
5.5.3 Card Verification Value 2 (CVV2)—This code is a three- to four-digit number printed on the back of a card (see Fig. 13). It was designed to help curb fraud in “card not present” transactions, such as Internet purchases.
FIG. 12 A Skimmer That is Inserted Into an ATM Card Slot
FIG. 13 Example of CVV2
5.5.4 Debit Cards:
5.5.4.1 When skimmed, debit cards and credit cards convey similar data. However, debit cards are different from credit cards as the account is directly linked to fund availability in a bank (or otherwise stored) account. Debit cards present an attractive target for skimming, as compromised accounts can be converted directly into cash as opposed to goods and services.

6. Collection
6.1 Seizure:
6.1.1 Devices should be collected and protected in the same manner as flash memory devices (refer to Practice E2763 and SWGDE Best Practices for Computer Forensics). Associated cables, documentation, and software should also be collected.
6.1.2 Specific Skimmer Considerations Related to Seizure:
6.1.2.1 There is a possibility of two devices being used to make up the skimmer, one device capturing card track data and a separate device capturing PINs, for example, video and keypad overlay.
6.1.2.2 If a device is wired into something like a gas pump, it is most likely using power from the pump. Removing the device from that type of power connection will not affect the examination. If a battery is observed on a skimmer, leave the battery in place, unless there will be a significant delay before examination, that is, more than a month.
6.1.2.3 If the skimmer is using a universal integrated circuit card (UICC) or SD card, it should be removed at the time of seizure.
6.1.2.4 If a device uses video or audio recording, or both, to capture information, that recording may continue after the device is seized.
6.1.2.5 Identifying parasitical devices can be challenging, as they are, by their nature, designed to be hidden. These include recording devices hidden under keypads and those placed in-line with a legitimate card reader (see Fig. 14 and Fig. 15). Removal of these devices can be destructive in nature and should be done cautiously.
FIG. 14 Example of Keypad Overlay
FIG. 15 Example of an In-Line Skimmer
6.2 Handling Evidence:
6.2.1 Evidence should be handled according to laboratory policy while maintaining a chain of custody and by using best practices (refer to Practice E2763 and SWGDE Best Practices for Computer Forensics).

7. Acquisition – Account Data
7.1 Background:
7.1.1 As skimmers are often unique in design and implementation, examination processes vary depending upon the category or type of device, or both.
7.1.2 When considering retrieving stored account information, due to differences in acquisition and analysis, skimmers can be broken down into two general categories, analog or digital.
7.1.3 The processes used in examinations vary depending on the device itself and the manner in which the stored information is encoded. While many skimmers will be manufactured with the capability of remotely downloading skimmed account data by the subject, that functionality does not typically change the way skimmed account information is stored on the skimmer or acquired by the examiner. Acquiring and analyzing Bluetooth module artifacts is completed separately from processing the skimmer for stolen account data (see Section 10, Bluetooth Modules).
7.1.4 All skimming devices read magnetically-stored data on a card. This process is accomplished by means of an electromagnetic head, similar to that found in an audiocassette tape player. As the card is manually swiped through the device, the head converts the magnetic information on the card into an electrical signal of time-varying voltage, which may be passed to other signal processing components. Devices that store that waveform without further processing are referred to as “analog” devices. “Digital” devices further process the waveform.
7.2 Analog Skimming Devices:
7.2.1 Analog skimming devices capture the magnetic signal on the card stripe to a digital waveform in flash memory. This signal is encoded according to the ISO/IEC 7811 suite of standards, but is otherwise similar to an audio waveform. The resulting file extracted from a device is similar to an audio file and significantly larger than a decoded bit-string of account data. Recovery of the encoded data requires further processing.
7.2.2 Identification:
7.2.2.1 Recognizing an analog skimmer is important, as the method of extraction differs from that of a custom, digital skimmer. Identification of an analog skimmer can be made by either recognizing the cannibalization of an MPEG-2 Audio Layer III (MP3) device or by recognizing the unusually large storage capacity of the device’s flash memory chip, or both (see Fig. 16). As an example, a typical digital skimmer uses a flash chip in the area of two megabytes of storage, an analog skimmer typically contains a flash storage chip in the two gigabytes or more range.
FIG. 16 Example of an Analog-Based Skimming Device
7.2.3 Extraction:
7.2.3.1 Many analog skimmers originated as other devices, for example, MP3 sunglasses. Therefore, an examiner may extract data from the device using its built-in universal serial bus (USB) mass storage mode. As it is common for a person constructing the skimmer to remove the USB header, the examiner must recognize this architecture and solder a header or leads on the device to facilitate communication. Once the header is attached, the examiner creates an image using traditional computer forensics imaging techniques and software (refer to Practice E2763 and SWGDE Best Practices for Computer Forensics).
7.3 Digital Skimming Devices:
7.3.1 Digital skimming devices pass the analog swipe waveform to an ADC to produce a digital waveform, which is stored and coded in flash memory. Digital skimmer devices accept input by means of a magnetic stripe reader like analog skimmers; however, once the skimmer’s processor receives the waveform, the signal is decoded with logic before being stored in flash memory. Data can be stored in a variety of formats, which might or might not be ciphered or encrypted.
7.3.2 Chip Identification:
7.3.2.1 Custom skimming devices can be complicated in nature. Their design can be developed using new or cannibalized circuits/chips, or both. The main components of chip identification are the manufacturer and chip model numbers of both the microcontroller and flash chips. It is important to document/photograph them before removal, as extreme temperatures can remove identification markings. In cases where the identification number is worn or difficult to read, a microscope might be required. Additionally, applying a non-reactive and easily removed solution, such as isopropyl alcohol, can make identification numbers easier to read.
7.3.3 Chip Removal:
7.3.3.1 As skimming devices typically do not have a universal and dependable method to connect to and download skimmed account information (other than USB used by analog devices), an examiner should remove the data storage chip and then read the information stored therein. The microcontroller might also need to be removed and read to understand the encoding or encryption methods used by the device. Unfortunately, code protection may prevent the extraction of data from a device’s microcontroller.
7.3.3.2 The chips should be properly removed from the circuit board in a manner that ensures they are not damaged. Removal should only be performed by properly trained and experienced personnel. Methods of extraction include hot air, infrared, and chip polishing/lapping/milling. Methods that require the entire chip being removed at once are preferred, as they reduce the chance of physical damage induced by prying and bending pins or destroying connection pads, or both (refer to SWGDE Best Practices for Chip-Off and SWGDE Tech Notes regarding Chip-Off via Material Removal Using a Lap and Polish Process).
7.3.4 Chip Connectivity and Reading:
7.3.4.1 There are several chip readers commercially available, with each reader possibly supporting a wide array of chips. Most of the time, the examiner will need to use a chip socket adapter that matches the chip package. However, on certain smaller chips, for example, 8-pin flash, connectivity between the chip and the socket adapter can be established through a series of wires soldered to the chip pins and inserted into the reader, typically by means of a Zero Insertion Force (ZIF) socket (see Fig. 17 and Fig. 18).
7.3.4.2 Once properly connected, a chip can be read using
vendor provided software.The extracted data should be saved,
write protected, and hashed prior to analysis. Analysis should
E3017 − 19
8.1.2 Analog Skimmer Data:
8.1.2.1 Due to the encoding mentioned above, file(s) present
on an analog skimming device will not be recovered by means
of automated credit card finder scripts, for exa
...


This document is not an ASTM standard and is intended only to provide the user of an ASTM standard an indication of what changes have been made to the previous version. Because
it may not be technically possible to adequately depict all changes accurately, ASTM recommends that users consult prior editions as appropriate. In all cases only the current version
of the standard as published by ASTM is to be considered the official document.
Designation: E3017 − 19
Standard Practice for
Examining Magnetic Card Readers
This standard is issued under the fixed designation E3017; the number immediately following the designation indicates the year of
original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A
superscript epsilon (ε) indicates an editorial change since the last revision or reapproval.
1. Scope
1.1 Magnetic card readers, when used for illegal purposes, are commonly referred to as skimmers. This practice provides
information on seizing, acquiring, and analyzing skimming devices capable of acquiring and storing personally identifiable
information (PII) in an unauthorized manner.
1.2 This standard cannot replace knowledge, skills, or abilities acquired through education, training, and experience and is to
be used in conjunction with professional judgment by individuals with such discipline-specific knowledge, skills, and abilities.
1.3 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility
of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of
regulatory limitations prior to use.
1.4 This international standard was developed in accordance with internationally recognized principles on standardization
established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued
by the World Trade Organization Technical Barriers to Trade (TBT) Committee.
2. Referenced Documents
2.1 ASTM Standards:
E2763 Practice for Computer Forensics (Withdrawn 2019)
E2916 Terminology for Digital and Multimedia Evidence Examination
2.2 ISO Standards:
ISO/IEC 7811 Identification Cards—Recording Technique
ISO/IEC 7812-1:2017 Identification Cards—Identification of Issuers—Part 1: Numbering System
ISO/IEC 7813:2006 Information Technology—Identification Cards—Financial Transaction Cards
2.3 SWGDE Standards:
SWGDE Best Practices for Chip-Off
SWGDE Best Practices for Computer Forensics
SWGDE Recommendations for Validation Testing
SWGDE Tech Notes Regarding Chip-Off via Material Removal Using a Lap and Polish Process
2.4 ANSI Standards:
ANSI X4.16 Financial Services—Financial Transaction Cards—Magnetic Stripe Encoding
3. Terminology
3.1 Definitions:
3.1.1 For definitions of terms used in this practice, refer to Terminology E2916.
3.2 Definitions of Terms Specific to This Standard:
This practice is under the jurisdiction of ASTM Committee E30 on Forensic Sciences and is the direct responsibility of Subcommittee E30.12 on Digital and Multimedia
Evidence.
Current edition approved June 1, 2019. Published June 2019. Originally approved in 2015. Last previous edition approved as E3017 – 15. DOI:
10.1520/E3017-19.
For referenced ASTM standards, visit the ASTM website, www.astm.org, or contact ASTM Customer Service at service@astm.org. For Annual Book of ASTM Standards
volume information, refer to the standard’s Document Summary page on the ASTM website.
The last approved version of this historical standard is referenced on www.astm.org.
Available from National Institute of Standards and Technology (NIST), 100 Bureau Dr., Stop 1070, Gaithersburg, MD 20899-1070, http://www.nist.gov.
Available from the Scientific Working Group on Digital Evidence (SWGDE), https://www.swgde.org.
Available from American National Standards Institute (ANSI), 25 W. 43rd St., 4th Floor, New York, NY 10036, http://www.ansi.org.
Copyright © ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959. United States
FIG. 1 Example of a Hand-Held Skimmer
3.2.1 parasitic skimmer, n—a type of device manufactured for the capture of account data from magnetically encoded cards that
operates in-line with the original ATM, gas pump, or other card reading device.
3.2.2 start sentinel, n—a 5-bit binary sequence, or equivalent ASCII character, used to signify the beginning of track data. (See
ISO/IEC 7813:2006.)
3.2.3 skimmer, n—a magnetic card reader, specifically when used for an illegal purpose.
3.2.4 skimming, n—using a skimmer to acquire PII in an unauthorized manner.
3.2.5 swipe, v—to manually pass a magnetically encoded card through a card reader device to transfer information from the
card.
3.3 Acronyms:
3.3.1 ADPCM, n—adaptive pulse code modulation
3.3.2 AES, n—advanced encryption standard
3.3.3 ASCII, n—American standard code for information interchange
3.3.4 BIN, n—bank identification number
3.3.5 BFSK, n—binary frequency-shift keying
3.3.6 CVV, n—card verification value
3.3.7 CVV2, n—card verification value 2
3.3.8 EEPROM, n—electrically erasable programmable read only memory
3.3.9 IIN, n—issuer identification number
3.3.10 PAN, n—primary account number
3.3.11 PCM, n—pulse code modulation
3.3.12 PII, n—personally identifiable information
3.3.13 PIN, n—personal identification number
3.3.14 USB, n—universal serial bus
3.3.15 XOR, n—exclusive or
3.3.16 ZIF, adj—zero insertion force
4. Significance and Use
4.1 As a skimming device is not typically deemed contraband in and of itself, it is the responsibility of the examiner to determine
if the device contains unauthorized account information. The purpose of this practice is to describe best practices for seizing,
acquiring, and analyzing the data contained within magnetic card readers.
4.2 Limitations—Skimmers present unique examination challenges due to:
4.2.1 Rapid changes in technology;
4.2.2 Difficulty of device disassembly;
4.2.3 Use of alternate/repurposed components;
4.2.4 Use of encryption or examination countermeasures, or both;
4.2.5 Multiple data encoding/modulation formats;
FIG. 2 Example of an Altered Hand-Held Skimmer
FIG. 3 Example of an Altered Hand-Held Skimmer with Bluetooth
FIG. 4 Example of a Custom Skimmer
4.2.6 Prevention of chip identification by obfuscation of the device;
4.2.7 Availability of training and documentation;
4.2.8 Lack of chip information/documentation;
4.2.9 Lack of adapters available for chip reading;
4.2.10 Expense of available equipment used in chip removal and reading;
4.2.11 Lack of software’s ability to support reading chip data; and
4.2.12 Lack of commercial software available to analyze encrypted data extracted from skimmers.
5. Technical Background
5.1 As skimmers are often unique in design and implementation, examination processes vary depending upon the category or
type of device, or both.
5.2 In general, skimmers may be broken down into the following three categories:
5.2.1 Hand-held,
5.2.2 Altered hand-held, and
5.2.3 Custom.
5.3 The processes used in examinations vary greatly depending on the device itself and the manner in which the stored
information is encoded.
5.4 Hand-Held—Data extraction of hand-held skimmers (Fig. 1) is accomplished by connecting the skimmer to the examiner’s
computer by means of a data cable. Once connected, a program is executed that extracts all of the stored track data from the device.
FIG. 5 Example of a Custom Skimmer (Door)
5.5 Altered Hand-Held—It is common for commercial skimmer devices to be dismantled and used for parts (cannibalized).
These devices are commonly seized from automated teller machines (ATMs), bank point-of-sale terminals, and gas pumps.
Examination of these devices is frequently performed in a manner similar to hand-held devices. Wireless-enabled skimmers are
often seen as an alteration of commercial skimmers (Figs. 2 and 3).
5.4 Skimmer Examples:
5.4.1 Hand-Held—Manufactured primarily for legitimate uses, for example, registering attendance at a conference, handheld skimmers can also be used for illegitimate purposes, for example, a collusive waiter that will skim customers’ credit cards (see Fig. 1).
5.4.2 Altered Hand-Held—It is common for commercial skimmer devices to be dismantled and used for parts (cannibalized). These devices are commonly seized from automated teller machines (ATMs), bank point of sale terminals, and gas pumps (see Fig. 2). Commercial skimmers can be altered by adding wireless functionality, for example, the addition of a Bluetooth module (see Fig. 3) used to remotely download stolen track data.
5.4.3 Custom—By far, the most complicated and difficult-to-examine skimmers are custom-manufactured devices. Custom manufactured devices use many different circuit designs (see Fig. 4) and typically employ varied data encoding, modulation, and encryption schemes. These skimmers can be combined with a pinhole camera or a keypad overlay to capture the personal identification number (PIN) of the account holder.
5.4.3.1 As it is common in some larger metropolitan areas for ATMs to require a customer to use their account card for entry to a vestibule, subjects can implant foreign circuitry into the door reader (see Fig. 5).
5.4.3.2 As previously noted, skimming devices may have the capability to output captured data by means of wireless communication methods (see Fig. 6). These devices transmit their data in real-time or batch mode. Transmission protocols of these devices vary. The transmitting ability of these devices and the choice of transmission protocols used make detection of receivers difficult.
5.4.3.3 Similar to the altered handheld devices, custom skimmers can use Bluetooth transmission technology (see Fig. 7 and Fig.
8).
5.4.3.4 In addition to Bluetooth and Global System for Mobile Communications (GSM) modules, skimmers can be remotely
accessed through other transmission technologies, to include ZigBee radio (see Fig. 9).
5.4.3.5 Skimmers used on ATMs typically will capture both the data on the card and a user’s PIN number. As noted above, the
method to capture the user’s PIN could be a completely different device, but even if that is true, the PIN information could be sent
to storage on the same skimming device that is capturing the track data (see Fig. 10). That information can be saved on flash chip(s)
or a secure digital (SD) card, as seen in Fig. 11.
5.4.3.6 Some ATM skimmers may be affixed to the front of an ATM, others are secreted inside the card slot (see Fig. 12). Many
of these types of skimmers will read data from a chip-enabled card.
NOTE 1—Just because data is skimmed from a chip, does not mean that the subject can use that data to create future, fraudulent transactions.
5.5 Card Data/Structure—Understanding the manner in which credit and debit cards store their data is
important. The ability to decode skimmer-stored information relates to how data is stored on the magnetic stripe of a card.
5.5.1 Fundamentals of Track Data:
5.5.1.1 The International Standards Organization (ISO) created ISO/IEC 7812-1:2017, which specifies, “a numbering
system for the identification of issuers of cards that require an issuer identification number (IIN) to operate in international,
inter-industry and/or intra-industry interchange.”
A trademark of Bluetooth SIG, Inc., Kirkland, WA.
The validation process is discussed in SWGDE Recommendations for Validation Testing.
A trademark of ZigBee Alliance in San Ramon, CA.
FIG. 6 Example of a Cellular Enabled Skimmer
FIG. 7 A Bluetooth Custom Skimmer
5.5.1.2 The primary account numbers are generally 15 or 16 digits in length but may be as short as 12 (Maestro) or as long as 19 (China UnionPay). The credit card companies have reserved prefixes, for example, American Express credit cards begin with 34 or 37. Credit card processors use the Luhn algorithm (see ISO/IEC 7812-1:2017) to ensure the integrity of the primary account number (PAN).
5.5.1.3 Applications such as access control, identification, and driver licenses have developed their own custom formats for each
track. This capability to reformat the content of each track has allowed magnetic stripe card technology to expand into many
industries.
5.5.1.4 As defined for financial industry applications, the magnetic stripes carry three tracks of data:
(1) Track 1—Track 1 contains alphanumeric information for the automation of airline ticketing or other transactions in which a reservation database is accessed. In addition to the account number and expiration date, this track contains the account holder’s name. Typically, Track 1 is only read by hand-held and altered hand-held skimmers.
(2) Track 2—Track 2 contains numeric information for the automation of financial transactions. While this track does not contain the account holder name, it does contain the electronic card verification value (CVV). This track is read by systems that require a PIN, for example, ATMs. Typically, custom skimmers will capture only Track 2 information. Track 2 is encoded using 5-bit ASCII (4-bit odd parity). The account information follows a start sentinel of 11010.
(3) Track 3—Track 3 contains information that is intended to be updated (re-recorded) with each transaction, for example, cash dispensers that operate off-line. This track is rarely used and is not of forensic value in most financial fraud investigations.
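The Track 2 framing and the Luhn check described in 5.5.1.2 and 5.5.1.4 can be exercised on a recovered bit-string as follows. This is an added example, not part of the standard: the function names are hypothetical, the sample is constructed from a widely published test PAN, and the least-significant-bit-first order and the trailing LRC check character are assumptions taken from the ISO/IEC 7811/7813 format rather than from this page.

```python
"""Decode a Track 2 bit-string recovered from a skimmer image (added example)."""

START_SENTINEL = "11010"  # ';' as given in the text: 4 data bits + odd parity bit


def _encode_char(ch):
    """Encode one Track 2 character; used only to build the constructed sample."""
    value = ord(ch) - 0x30
    data = [(value >> i) & 1 for i in range(4)]   # least significant bit first
    parity = 1 - sum(data) % 2                    # pad each 5-bit group to odd parity
    return "".join(str(b) for b in data + [parity])


def build_sample(fields):
    """Constructed bit-string: zero padding, ';' + fields + '?', LRC, zero padding."""
    body = ";" + fields + "?"
    lrc = 0
    for ch in body:
        lrc ^= ord(ch) - 0x30
    chars = "".join(_encode_char(c) for c in body) + _encode_char(chr(lrc + 0x30))
    return "0" * 8 + chars + "0" * 8


def decode_track2(bits):
    """Decode from the first start sentinel to the end sentinel, then check the LRC."""
    start = bits.find(START_SENTINEL)
    if start < 0:
        raise ValueError("no start sentinel")
    text, parity_errors, lrc, pos = [], 0, 0, start
    while pos + 5 <= len(bits):
        group = bits[pos:pos + 5]
        pos += 5
        value = int(group[:4][::-1], 2)             # undo LSB-first ordering
        parity_errors += group.count("1") % 2 == 0  # an even count of 1s is an error
        lrc ^= value
        text.append(chr(value + 0x30))
        if text[-1] == "?":                         # end sentinel
            break
    else:
        raise ValueError("no end sentinel")
    check = bits[pos:pos + 5]
    lrc_ok = (len(check) == 5 and int(check[:4][::-1], 2) == lrc
              and check.count("1") % 2 == 1)
    return {"text": "".join(text), "parity_errors": parity_errors, "lrc_ok": lrc_ok}


def decode_any_direction(bits):
    """A card can be swiped either way, so try the stream forward and reversed."""
    best = None
    for candidate in (bits, bits[::-1]):
        try:
            result = decode_track2(candidate)
        except ValueError:
            continue
        if result["parity_errors"] == 0 and result["lrc_ok"]:
            return result
        best = best or result
    if best is None:
        raise ValueError("no Track 2 framing found in either direction")
    return best


def luhn_ok(pan):
    """Luhn check: double every second digit from the right, sum, test modulo 10."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(pan)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return pan.isdigit() and total % 10 == 0


def parse_fields(text):
    """Split ';PAN=YYMM...?' and mask the PAN for reporting (IIN and last four kept)."""
    pan, _, rest = text.strip(";?").partition("=")
    masked = pan[:6] + "*" * max(len(pan) - 10, 0) + pan[-4:]
    return {"pan_masked": masked, "luhn_ok": luhn_ok(pan), "expiry_yymm": rest[:4]}


# Constructed sample: test PAN, expiry 3012, service code 101, zero discretionary data.
SAMPLE_BITS = build_sample("4111111111111111=30121010000000000000")

if __name__ == "__main__":
    decoded = decode_any_direction(SAMPLE_BITS[::-1])   # simulate a reverse swipe
    print(decoded, parse_fields(decoded["text"]))
```

A decode with parity errors or a failed LRC is still returned so the examiner can see where the stream is damaged rather than losing the record.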
5.5.2 Card Verification Value (CVV)—This code is recorded on the second track of a card and used to verify the card is present
during a transaction.
5.5.3 Card Verification Value 2 (CVV2)—This code is a three- to four-digit number printed on the back of a card (hard to steal
electronically) (see Fig. 13). It was designed to help curb fraud in “card not present” transactions, such as Internet purchases.
A trademark of MasterCard International Incorporated in Purchase, NY.
A trademark of China UnionPay Co., Ltd., in Shanghai, China.
A trademark of American Express Marketing and Development Corp. in New York, NY.
FIG. 8 A Bluetooth Custom Skimmer Secreted Inside a Gas Pump
FIG. 9 A ZigBee Radio Recovered from the Interior of a Gas Pump
FIG. 10 Front View of a Skimmer Using Separate Boards for Capturing Track Data and PINs
5.5.4 Debit Cards:
FIG. 11 Rear View of a Skimmer Using Separate Boards for Capturing Track Data and PINs
FIG. 12 A Skimmer That is Inserted Into an ATM Card Slot
FIG. 13 Example of CVV2
5.5.4.1 When skimmed, debit cards and credit cards convey similar data. However, debit cards are different from credit cards
as the account is directly linked to fund availability in a bank (or otherwise stored) account. Debit cards present an attractive target
for skimming, as compromised accounts can be converted directly into cash as opposed to goods and services.
6. Evidence Collection
6.1 Seizure:
6.1.1 Devices should be collected and protected in the same manner as flash memory devices (refer to Practice E2763 and SWGDE Best Practices for Computer Forensics). Associated cables, documentation, and software should also be collected.
6.1.2 Specific Skimmer Considerations Related to Seizure:
FIG. 16 Example of an Analog-Based Skimming Device
6.1.2.1 There is a possibility of two devices being used to make up the skimmer, one device capturing card track data and a
separate device capturing PINs, for example, video and keypad overlay.
6.1.2.2 If a device is wired into something like a gas pump, it is most likely using power from the pump. Removing the device
from that type of power connection will not affect the examination. If a battery is observed on a skimmer, leave the battery in place,
unless there will be a significant delay before examination, that is, more than a month.
6.1.2.3 If the skimmer is using a universal integrated circuit card (UICC) or SD card, it should be removed at the time of seizure.
6.1.2.4 If a device uses video or audio recording, or both, to capture information, that recording may continue after the device
is seized.
6.1.2.5 Identifying parasitical devices can be challenging, as they are, by their nature, designed to be hidden. These include
recording devices hidden under keypads and those placed in-line with a legitimate card reader (see Fig. 14 and Fig. 15). Removal
of these devices can be destructive in nature and should be done cautiously.
6.2 Handling Evidence:
6.2.1 Evidence should be handled according to laboratory policy while maintaining a chain of custody and by using best
practices (refer to Practice E2763 and SWGDE Best Practices for Computer Forensics).
6.3 Equipment—Equipment in this section refers to the non-evidentiary hardware and software the examiner uses to conduct
data extraction and analysis of the evidence. Equipment and software applications should be verified to ensure proper
performance.
7. Acquisition – Account Data
7.1 Background:
Hand-Held/Altered Hand-Held Skimming Devices—As skimmers are not useful unless one can extract the swiped card information, the manufacturers of these devices provide software to facilitate the exportation of the stored data. The software typically has the added functionality to decode stored user passwords from the device. The software only provides for logical extraction (that is, no deleted information) into a text format. The examiner will need the device, appropriate software, and the appropriate data cable to conduct a successful data extraction. Of particular note, the cable used performs the extraction by means of serial over Universal Serial Bus (USB) connectivity. The proper driver loaded on the examination computer and a low COM port setting should be selected so the device has sufficient priority on the system.
7.1.1 As skimmers are often unique in design and implementation, examination processes vary depending upon the category or
type of device, or both.
7.1.2 When considering retrieving stored account information, due to differences in acquisition and analysis, skimmers can be
broken down into two general categories, analog or digital.
7.1.3 The processes used in examinations vary depending on the device itself and the manner in which the stored information
is encoded. While many skimmers will be manufactured with the capability of remotely downloading skimmed account data by
the subject, that functionality does not typically change the way skimmed account information is stored on the skimmer or acquired
by the examiner. Acquiring and analyzing Bluetooth module artifacts is completed separately from processing the skimmer for
stolen account data (see Section 10, Bluetooth Modules).
7.1.4 All skimming devices read magnetically-stored data on a card. This process is accomplished by means of an
electromagnetic head, similar to that found in an audiocassette tape player. As the card is manually swiped through the device, the
head converts the magnetic information on the card into an electrical signal of time-varying voltage, which may be passed to other
signal processing components. Devices that store that waveform without further processing are referred to as “analog” devices.
“Digital” devices further process the waveform.
7.2 Analog Skimming Devices:
7.2.1 Analog skimming devices capture the magnetic signal on the card stripe to a digital waveform in flash memory. This signal
is encoded according to the ISO/IEC 7811 suite of standards, but is otherwise similar to an audio waveform. The resulting file
extracted from a device is similar to an audio file and significantly larger than a decoded bit-string of account data. Recovery of
the encoded data requires further processing.
FIG. 14 Example of Keypad Overlay
FIG. 15 Example of an In-Line Skimmer
7.2.2 Identification:
7.2.2.1 Recognizing an analog skimmer is important, as the method of extraction differs from that of a custom, digital skimmer.
Identification of an analog skimmer can be made by either recognizing the cannibalization of an MPEG-2 Audio Layer III (MP3)
device or by recognizing the unusually large storage capacity of the device’s flash memory chip, or both (see Fig. 16). As an
example, a typical digital skimmer uses a flash chip in the area of two megabytes of storage, an analog skimmer typically contains
a flash storage chip in the two gigabytes or more range.
7.2.3 Extraction:
7.2.3.1 Many analog skimmers originated as other devices, for example, MP3 sunglasses. Therefore, an examiner may extract
data from the device using its built-in universal serial bus (USB) mass storage mode. As it is common for a person constructing
the skimmer to remove the USB header, the examiner must recognize this architecture and solder a header or leads on the device
to facilitate communication. Once the header is attached, the examiner creates an image using traditional computer forensics
imaging techniques and software (refer to Practice E2763 and SWGDE Best Practices for Computer Forensics).
7.3 Digital Skimming Devices:
7.3.1 Digital skimming devices pass the analog swipe waveform to an analog-to-digital converter (ADC) to produce a digital waveform, which is stored and coded in flash memory. Digital skimmer devices accept input by means of a magnetic stripe reader like analog skimmers; however, once the skimmer’s processor receives the waveform, the signal is decoded with logic before being stored in flash memory. Data can be stored in a variety of formats, which might or might not be ciphered or encrypted.
7.2.1.1 Identification—Recognizing an analog skimmer is important as the method of extraction is different than that of a
custom, digital skimmer. While the examiner may notice the lack of an analog to digital encoder chip (although a digital skimmer
may lack this chip as well with the processing being completed by the microcontroller), the identification of an analogue skimmer
is typically made by recognizing the unusually large storage capacity of the device’s flash memory chip and are typically indicative
of an audio-based skimming device (Fig. 10). While a typical custom skimmer may use a flash chip with two megabytes of storage,
an analogue skimmer will typically contain a flash storage chip in the two gigabyte range.
7.2.1.2 Extraction—As analog skimmers likely originated as other devices, that is, MP3 sunglasses, an examiner may extract
the information from the device over USB mass storage device mode. As it is common for a person constructing the skimmer to
remove the USB header, the examiner must recognize the architecture and solder a new header on the device to facilitate
communication. Once the header is attached, a write blocker shall be used between the device and an examiner’s computer, and
an image (Terminology E2916) of the device can be extracted using traditional computer forensics imaging software.
7.3.2 Chip Identification:
7.3.2.1 Custom skimming devices can be complicated in nature. Their design can be developed using new or cannibalized
circuits/chips, or both. The main components of chip identification are the manufacturer and chip model numbers of both the
microcontroller and flash chips. It is important to document/photograph them before removal, as extreme temperatures can remove
identification markings. In cases where the identification number is worn or difficult to read, a microscope might be required.
Additionally, applying a non-reactive and easily removed solution, such as isopropyl alcohol, can make identification numbers
easier to read.
7.3.3 Chip Removal:
7.3.3.1 As skimming devices typically do not have a universal and dependable method to connect to and download skimmed account information (other than USB used by analog devices), an examiner should remove the data storage chip and then read the information stored therein. The microcontroller might also need to be removed and read to understand the encoding or encryption methods used by the device. Unfortunately, code protection may prevent the extraction of data from a device’s microcontroller.
7.2.2.2 Chip Identification—As previously referenced, custom skimming devices can be quite complicated in nature. Their
design can be developed using both new and cannibalized circuits/chips. One of the first steps in examining such a device is to
identify how the skimmer is extracting and storing account information. The identification of the components that make up a
skimmer is crucial to understanding how to extract stored data successfully. The main components of chip identification are their
manufacturer and chip number. The primary chips the examiner should be able to successfully identify are the microcontroller and
the flash storage chips. It is important to document/photograph them before removal as extreme temperatures may remove the
markings on the chip. In cases where the chip identification number is worn or difficult to read, a microscope may be required.
Additionally, applying a non-reactive and easily removed solution such as isopropyl alcohol can make chip numbers easier to read.
7.3.3.2 The chips should be properly removed from the circuit board in a manner that ensures they are not damaged. Removal should only be performed by properly trained and experienced personnel. Methods of extraction include hot air, infrared, and chip polishing/lapping/milling. Methods that require the entire chip being removed at once are preferred, as they reduce the chance of physical damage induced by prying and bending pins or destroying connection pads, or both (refer to SWGDE Best Practices for Chip-Off and SWGDE Tech Notes regarding Chip-Off via Material Removal Using a Lap and Polish Process).
7.2.2.4 Chip Connectivity and Reading—There are several chip readers commercially available with each reader possibly
supporting a different subset of chips. Most readers require a socket adapter, which is dependent on the chip package. However,
on certain smaller chips (that is, 8-pin flash chips) connectivity between the chip and the socket adapter may be established through
a series of wires soldered to the chip pins and inserted into the reader, typically by means of a ZIF (zero insertion force) socket.
Once properly connected, the chip can then be read using the vendor-provided software, which should be saved and handled as
original evidence.
7.2.2.5 As was mentioned in 5.6.3, some skimming devices use a wireless technology to broadcast the stolen card information, that is, Bluetooth, ZigBee, etc. It may be possible, and preferred, to extract data from these through a wireless connection (as the creator intended) if certain pairing data is known to the examiner, for example, the correct channel on which a ZigBee radio skimmer is broadcasting, the pairing code for a Bluetooth enabled skimmer.
7.3.4 Chip Connectivity and Reading:
7.3.4.1 There are several chip readers commercially available, with each reader possibly supporting a wide array of chips. Most
of the time, the examiner will need to use a chip socket a
...
