Extracting Evidence From Damaged Devices

Introductory voiceover: It may have started as an experiment in my basement, but damaging devices is not just a hobby I’ve tinkered with over time. It’s a complex body of work researched in the field and in the lab. It is constantly tested…

“10 minutes on this one. Let’s see what happens.” 

…meticulously studied…

“We’ve got some sparks at 7:30.”

…and organically evolving with every case.

Steve Watson: Hello, my name is Steve Watson. I’m with VTO Labs. I’m here today to share with you about damaged devices. We’ll be looking at a couple of studies that we’ve conducted over the last couple of years on frozen phones that have been submerged in freezing water and also devices that have been covered in blood.

I’m often asked why is damaged devices an area that should be researched? Why are you so interested in it, Steve? Our electronic devices have become so crucial to solving investigations that when we encounter a device that has been damaged in some way, it frustrates our investigations because we’ve grown so accustomed to getting the data off of these devices. 

By looking with thorough scientific method on how damage occurs to devices, we can determine are there ways that we can get around the damage so that we can address it and still retrieve the data we need to get off to help solve our cases?

Sometimes the data may be so crucial that that’s the only device that has the data to solve the case. If you had a case that was hinging on a particular device, and you found that it had been crushed or burned, it had been covered in a liquid that might cause damage to it, you can imagine how forensic examiners would wrestle over what to do. How can we address that?

As digital forensic scientists, we can investigate these problems and determine how to solve these issues so that we can provide guidance back to those that are working on a daily basis to keep us safe.

It’s often useful to start by asking how does damage occur to devices? On the screen we can see a few ways this may occur. It could be intentional damage intended to conceal a crime. It may have been damaged during a crash or incident. It could be damaged during routine use if the device is exposed to a maritime environment with high humidity or possibly dangerous chemicals.

We can see damage that’s caused because of poor product design. I remember a manufacturer a few years ago that claimed their devices were waterproof. And instead of actually waterproofing the device, they simply included a gasket that was meant to seal the case. That gas could easily be breached by bringing the device far enough underwater that the pressure would cause the gasket to fail. 

And lastly, we often see inadvertent damage by forensic practitioners who are dealing with devices that they have not been trained to address. 

What makes damaged devices so difficult? There’s really three primary reasons this is a hard area to work in. The first is there are many different types of damage. You can see here at least eight different kinds of damage and honestly, there’s some I’ve left off of this screen: thermal damage, liquid damage, impact damage, ballistics, damage, chemical damage, environmental damage, electrical damage, and even compound damage where you may have several of these factors affecting the particular device. 

There’s not a way for someone to be an expert in all of these. You can really figure out a particular discipline and spend your time to get good on that one, but there’s no way any of us can know how to address all of these. Damage from these types of damage affect devices in very different ways. A phone that has been frozen underwater looks very different than one that’s fallen out of a plane and you have to address it in different ways. 

The next is that damage occurs in very unpredictable ways. You can take two examples of the same model of phone and expose them to fire, and they will fail in two different ways. On one of them, you may see the screen starting to melt and pour over the board, on a different one you may see the plastic melting. It really depends on where the heat resides in that particular device.

Another example is you can take the same phones and put them underwater. A device that’s powered on may shorten the electrical circuit and damage the board in a different way than if the device goes underwater not in a powered state. This causes us to need to be very thorough in our investigation of what happened for this particular damage on this particular board, and how do we address and remedy that? 

Lastly, digital forensic practitioners may not see damaged devices frequently enough to develop an expertise on this topic. If you only receive a device that’s been burned once per year, it’s hard to develop an expertise on how to address that device.

The added complexity is that the next damaged device you get may not even be burned. It could be a phone that was thrown in a lake. And in those situations, we have two very distinct forms of damage that need different ways to address them to successfully retrieve the data. 

This makes it hard, and it makes it an area worthy of study for us to spend our time and get better at dealing with these so that we can help our science know how to address these problems.

Today, I’m going to share with you about two different research studies we conducted. I’m hoping that you can learn from the outcomes and apply them into your practices and your laboratory.

My research on frozen phones is a natural offshoot to the expansive study of water-damaged devices that began in 2014. At VTO Labs, we have phones submerged in both saltwater and freshwater to extend our studies out to 20 years of submersion. But frozen phone study piqued my interest because temperature variations in water and the viability of retrieving data after a device has been frozen, we can easily replicate this in a lab. A field study takes a little more patience for drops in the temperature and even changes in season before we can see the results. 

I’d like to start by sharing with you about our frozen phone studies. The very first question people have when they hear about our frozen phone study is why, why would you look at this particular aspect of damaged devices? In places around the world, criminals will try to damage devices and dispose of them in a variety of ways. It’s not uncommon for devices to be found in ponds or rivers, even the ocean. And if we think about in areas of the world where water may freeze during the winter, those devices that could be thrown into a lake during the summer or fall, they may freeze over the winter before someone is able to find them. 

And the question then that is presented to us is whether or not these devices are still viable to have the data extracted from them. This then leads us to our hypothesis. What can we define as a study to investigate this question and understand if devices that are frozen can have the data retrieved from them? 

Our hypothesis states, “As water expands at a known volume metric capacity when frozen, we postulate that an electronic device frozen in an aqueous solution will displace components attached to the printed circuit board and cause catastrophic device failure.”

Now that’s a lot of words in that hypothesis. What does it actually mean? When we look at what happens to water when it freezes, we know that water expands, and if we look at a printed circuit board and realize that components are very close together, if the water expands in a way that would cause those components to be displaced or moved on the board, it’s within the realm of possibility that that board would no longer power on and the device would not be accessible. 

When we realize that there’s a three-dimensional places all over the board where expansion could happen laterally, it could get under components and lift them up, it’s something worth exploring to understand, does the expansion of ice cause damage to a board that would prevent it from being turned on again?

9%. 9% is the volume metric change that happens when water freezes. So if you take a volume of water and freeze it, you can expect there to be a 9% change in that water. How do we know this? We know this from Professor Peter Hobbs’ classic book called Ice Physics.

In 1974 in Ice Physics, Professor Hobbs identified the volume metric change of 9% when water freezes. We’re able to use this as a reference point when we think of the expansion of water on electronic devices that we’re addressing. This brings up a really interesting point. Often in the science of digital forensics, we look only within our discipline to understand the scientific principles that may affect our research. One of the things that’s core and important to our research on damaged devices is that we look to material science and other areas, other scientific discoveries that may impact our ability to retrieve data off of the digital devices that we’re working with.

Next I’d like to share with you the materials that we use to conduct these research studies. The first material is a freshwater source. We identified a local pond that we could retrieve freshwater from to conduct our study. The second item is a set of mobile phones that could be used for testing. Third, tools to clean and dry the phones after they have been submerged in water, and lastly, mobile forensic tools so that we could acquire data before and after submersion to compare the results. 

We identified a local freshwater pond near our offices called Margaret’s pond. It allowed us to get easy access to the water, it also allowed us to safely interact with that water when the pond was frozen so that we could protect our people. 

One of the core features of our research on damaged devices is that we take measurements of the liquid the devices are submerged in so that we can understand does the chemical makeup of that liquid affect the damage on the device and ultimately affect our ability to retrieve data from the device?

The water we retrieved from Margaret’s pond has a makeup that you can see on the screen. One of the important things to note is the pH. A pH of 7.82 is just on the alkaline side of neutral. The conductivity shows us the amount of electrical capacity in this water to conduct electricity. We note the temperature of the water when we retrieved it. TDS is the total dissolved solids. And this really is how murky that water is. It affects how much particulate arrives on the board that we need to clean off. Lastly, you can see here that we’ve captured the salinity of the water. It has a fairly low salinity compared to some of the brackish or saltwater that we’ve tested around the world.

Sometimes when you retrieve water, you might not know what all you’re going to retrieve out of that. I’d like to introduce you to a Cyclopoida Plankton that we retrieved from the water at Margaret’s pond. The lab team affectionately named her Roberta, and her family, and you can see in this video images of the plankton moving around in the water. We were looking at the water under the microscope just to understand that the nature of the particulate in the water, and if there was anything growing that might have a factor on our ability when we go to clean these devices and understand if that caused additional damage to the devices.

you’ll notice we chose three different models of phones for the testing. We chose a feature phone because they’re often used by criminals that intend to dispose of it When they’re done. We also chose two smartphone form factors. We chose one device that has the chips attached to the board, but no underfill under the chips. And then the LG phone also has underfill under the chip. 

Here You’ll see the tools that we use to conduct this study: hand tools to disassemble the phones, water testing tools to be able to test the chemical makeup of the water, an ultrasonic cleaner to clean the devices after they’ve been submerged in the water and a drying oven to dry the devices. Over the next few slides, I will cover the experiment, the device preparation and the experiment execution. 

A first principle for us when we’re conducting research is to try to replicate at least one of the studies as close to real life as possible. When law enforcement agencies find evidence out in the wild, it’s often in a natural water source: a pond, a river, a lake, and in this situation where we’re dealing with frozen devices, we wanted to replicate that as closely as we could.

One of the very interesting things we learned quickly is that the water only freezes the first few inches of the pond. And so while the phones were resting on the bottom of the pond, our temperature sensors showed us that we’re not reaching freezing temperatures, and that caused us to look to other studies to ensure that devices reached a freezing state.

To ensure devices actually did freeze we conducted two additional studies to round out the series of studies. The first was taking devices to the lab and leaving them outside, where we could control the variables. We controlled the amount of water. We had temperature sensors in with the devices to ensure that they were freezing, but it wasn’t out in the natural water where the devices could be disturbed or that we weren’t sure that they would reach that freezing temperature. 

Lastly, inside the laboratory, we took that same water and we froze the devices in a laboratory freezer, again measuring the temperatures on all three of the different studies to understand precisely what temperatures these devices reached and for what duration they were at the freezing temperature.

Our device preparation included photographic and x-ray documentation of every device. We have photos of the devices before submersion, after submersion, before cleaning, after cleaning to understand, did anything happen to these devices? The next step was ensuring all of the devices were wiped to a factory reset position before we attempted any other efforts on the device. Third, we added known data to the devices so that when we did perform an acquisition before and after, we wanted to ensure that we could still find that same data that we had salted onto the devices. And lastly, we prepared these devices by conducting acquisitions of the data from the devices before submersion and after all of the cleaning processes at the very end, after the submersion, and after cleaning, as well.

This is where you begin to see my neurotic obsession with damaged devices. As previously mentioned, we used three different scenarios for freezing the devices: a frozen pond, a controlled outdoor freeze at our laboratory, and then a laboratory freeze inside the lab and laboratory freezers. 

The way we conducted these experiments is that we would freeze the devices for an 18-hour period, we would then retrieve them from this device and allow them to thaw for 24 hours to reach room temperature before we started any additional steps. You can see that we actually use a real pond, a real frozen pond, and in this photo you can see Caitlyn out on the ice, trying to figure out how to break the ice so that we can get the devices underwater. 

In this image, you can see the controlled outdoor freeze that we did. In this scenario, we have one of each of the devices frozen in these pans, and you can see thermal couples that are in each of those so that we could measure the temperature, both of the time it was frozen and through the entire thought process to understand what the temperature was the devices were going through.

In this photo, you can see the devices that are in the freezer underwater, and in this same scenario, we’re using the same fresh water that was from Margaret’s pond. You can also see the thermal couples that are in each of the individual containers, again measuring the water temperature, both during freezing and the fall process for these devices.

I realized quickly as we were into the research studies, there was a flaw in the study design. We missed an important factor when we’re thinking about these devices out in the real world. As frozen lakes and ponds move into spring, it’s not uncommon for the freeze and thaw cycle to come up above freezing and thaw and then as the night comes and the temperature drops, the pond or lake will freeze again. So in this scenario, you may have devices that are coming up above the freezing point and thawing out and then going back down again to freezing temperatures. 

In order to address this situation, I realized that we needed to change and adapt the study to accommodate this reality that devices may freeze and thaw a number of times. This is really where you see the neurosis kick in. I turned to our team and I said, “Team, we need to do the exact same study we did on the laboratory freezers, but we need to do it five times in a row.”

So we took those devices, we froze them in a laboratory freezer, we would take them out after an 18-hour freeze, thaw them completely for 24 hours, and then put them back in the freezer again for 18 more hours of freezing. That cycle would happen five times before we would then address the device and see if the device could be cleaned in such a way, dried and powered back on to get the data off.

Our post submersion experiment execution included the five following steps: after submersion, freezing and thawing, we would disassemble the phone, we would clean the phone, dry the phone, we would then attempt a power-on of the device, and finally complete a data acquisition to see if there was any change in the data.

The results are the most exciting part. And without further ado, I’d like to show you what those results are after each of these steps were completed. You’ll see here, video of one of the models of each device. And if you watch you’ll see a hand come onto the screen, turn the device on, and I’ll let you watch through the boot-up process of each of these devices. 

We had a 100% success rate across all of these studies. Four different methods, 27 different devices, and every one of these devices not only powered on, but the data matched after these freeze and thaw cycles the same as it was before we started. If you go back to my hypothesis, you’ll remember, we thought that the ice would cause an expansion on the boards and cause damage that would prevent them from powering on. My hypothesis failed, but it was a tremendous success for data acquisition and the ability to retrieve data from these frozen devices.

What can we learn from this? What conclusions should we draw? If devices are found in environments where they may have been subjected to freezing temperatures, perhaps over the winter; or in areas on the globe where they may have even been in freezing temperatures for an extended period of time; the presence of ice and liquid, that by itself should not preclude us from attempting data acquisition off of these devices. It should be noted that the proper cleaning and drying should be done on these devices, and we’re going to talk about that in just a few minutes, but don’t let the fact that these devices may have been frozen keep you from trying to get the data off of these devices. 

Being a landlocked state in the middle of the country, one big gap we have in our research is the ability to test with ocean water or saltwater. That’s something that should be discovered and should be researched is that if we look at devices that may have fallen into brackish or saltwater, and if it’s a cold enough polar region that that water could have frozen, does that in some way, negatively affect the ability to retrieve data from the devices?

A quick word of warning: over the next few slides, there are images of blood and medical procedures. If you have small children nearby or get squeamish, you might want to turn away from the screen for a few moments.

Throughout my career, working with law enforcement and investigations, there have been moments when I’ve been asked to get data off of phones exposed to biohazardous material.

When I first did the study on blood-damaged phones, the only blood we were able to find was pig blood. And for years I’ve wanted to repeat that study with human blood, but it’s hard to find human blood that you can use for this kind of testing. And so a few months ago, my wife said, “I finally figured out how you can get blood for your phones.” 

So now that I have a viable donor, let’s just say the supply is readily available, and this is not my first stab at it. We have phones from a previous blood draw that are currently soaking at varying lengths. So far, we have gotten all of the data.

For our next study, we’ll be talking about blood-soaked phones. The question I’m often asked is why, why do you test with blood on mobile devices and other kinds of electronic devices to see if you can get the data? Law enforcement agencies around the world may encounter devices in a bloody homicide scene or an accident where the devices might have fallen under a person and where blood has spilled out and soak the device. 

Through the years, we’ve encountered agencies who have asked us, how do we clean devices that have been covered with blood? Can the data still be recovered from these devices? And what should the proper handling be to safely address these for my team? 

There are three consistent themes we have seen in the questions that have arisen through the years. The first question is that people don’t know how to clean the devices. What should I do to clean and remove the blood from the electronic device? The second is they’re not sure how to protect themselves from dealing with the blood-covered device and make sure that they don’t contract a disease or an illness that they would injure themselves or take home to their family. Lastly, there’s industry misinformation out there that says a phone that has been covered in blood cannot have the data retrieved, and we’re here to look at this study and see if these things can be addressed.

Any good research study starts with a hypothesis of what you’re trying to test for and prove. In this situation, our hypothesis is that electronic devices that have been covered or soaked in blood do not experience catastrophic damage affecting the possibility of data acquisition. As we turn to the scientific literature to see is there previous research that’s been done on the topic of blood covered mobile phones, we find a particular paper of interest.

In 2011, a paper was published called “The Decontamination of Blood-Soaked Electronic Devices Using Ultrasonic Technology”. In this paper, they call out the primary objective was to develop a procedure for the complete removal of blood from the contaminated devices, with the intent to protect and preserve the data contained in the device. So the thing to really point out about this paper is it was primarily identified as a method for disinfection – How can we prove that we can clean all of the blood off this device in a way that doesn’t harm the electronics?

They tested five different cleaning procedures, they looked at 22 different devices over two different experiments, and one thing to point out here is they used porcine blood for this submersion and direct application to the printed circuit board. In this study, they did not use human blood for the study. 

It’s actually very difficult to get human blood to test for this kind of study. In jurisdictions around the world there are rules related to consent of the user providing their blood, there’s ethical questions of whether or not the researcher is imposing this desire on someone else, and in some places, it just simply may not be allowed. This creates a gap in our science that needed to be addressed. Can we take human blood, apply it to these devices in a research setting and test whether or not the data can be retrieved? 

The materials we needed to conduct this study include human blood, mobile phones, paper bags, and tools to clean and dry the phones. On this slide, you’ll see the mobile phones that we utilize to conduct this study. You’ll notice the two manufacturers were chosen: LG and Samsung, and we intentionally chose a variety of devices to conduct this study. When we think of a real-world application of devices that may be coming in covered in blood, it’s unlikely that we would receive all of the same devices covered in the same type of damage or liquid.And as such, we designed this study to be as close to real world as possible. We chose different models so that the same cleaning process could be utilized on all of the devices to see if it works successfully across all of the phones. 

You can see here an image of the paper bags we utilized to store the devices while they were waiting to be processed. We came up with this idea as numerous law enforcement agencies in the US describe this as their practice for dealing with any device or article of evidence that had been recovered with blood on it. We replicated their process exactly by using paper bags and then sealing the bag at the top so that it would have minimal air circulation and would sit in an evidence locker, a cool dry place until it was ready to be processed. 

You can see here an image of one of the devices that is covered in blood, and it’s sitting in the first stage of our cleaning solution. Our cleaning process, I will go into in just a bit and describe it to you. It’s important that we adhered to the same cleaning process for each of the devices that were addressed so that we know that the cleaning process would work successfully across all of the devices.

The methods we used to define the research study include experiment design, device preparation, and experiment execution. Our experiment design included the following four steps: the devices would be soaked in blood for one hour; immediately after, the control device would be cleaned using the same cleaning method reserved for all of the other devices; the remaining devices would be moved to brown paper bags for a defined storage duration; and then at the end of the storage duration, the device would be cleaned, mimicking the same process that we used for the very first control device.

As part of our experiment design, we defined in advance the length of time that devices would be stored with blood covering the circuit boards. We started with 24 hours, moved to one week, then one month, three months, six months, nine months, then 12 months duration. This allows us to address situations where a device might be quickly addressed by a law enforcement agency or something that would be put on a shelf in an evidence locker and not touched for up to a year.

To prepare our devices for the study, we first factory reset and powered up each of the devices to ensure that they were working. Next, we remove the circuit boards from the phone before submersion. We wanted to only submerge the circuit board in the blood as this is where the microcontroller and data storage chips are located. We know that the rest of the phone could be replaced with a donor phone if needed. The circuit board is really the core issue and whether or not the damage occurs to the device. Lastly, we prepared the plastic bags and brown paper bags before we started soaking the devices. When you draw the blood, it begins to coagulate very quickly once it’s exposed to oxygen. So you have a very short time to be able to move the phones into the bag, and then apply the blood onto them before it becomes a really sticky mess. 

Just a quick note of caution for the next slide. This is the actual blood draw performed on that day to get blood to soak the devices in. You’ll notice on the table behind me there’s plastic bags, where the circuit boards are already in the bags and the blood will be placed into the bags. The nurse drawing my blood is a friend who works in an emergency department at a local hospital and volunteered her time to come and help me perform this study.

In these photos, you’ll see the bags that we used immediately after the blood draw was completed. Blood was placed into the plastic bag on top of the circuit board so that it could completely coat all surfaces of the board. After the blood had coagulated, it was then moved into the paper bags for long-term storage to replicate what law enforcement agencies would do in their own criminal forensics labs.

In these images, you’ll see one of the phones that was used during the study. This particular device is device six, the device that was stored for a six-month duration. On the left side of the screen you’ll see it with the dried blood on it, the middle of the screen you see it after it has completed the cleaning processes, and finally, the device reassembled into the case and powered back on. 

The cleaning process that we used for this study is very similar to the one used for the frozen devices. And in just a few minutes, I’ll be sharing with you details about that cleaning process so you can put it into use in your own laboratories. 

The results of our study are below. Eight devices were covered in human blood. Seven of those devices experienced time durations out to 365 days with blood on the device. We found a 100% success rate with device power-on after utilizing our cleaning and handling processes. Of all the devices we touched, only one device experienced a failure of the digitizer. And on device six, the device you previously saw, we actually had to source a donor phone and replace the digitizer in order to get that device to power on. The data was still intact and the operating system was still functional, so we still consider that a success, even though we had a minor tweak to that process. 

Devices that have been with a person during a post-mortem event, introduce additional complexities. You may be dealing not only with blood, but also other human fluids, and you may have flesh decomposition that could affect the ability to retrieve data successfully off the devices. 

The other topic that would be of interest is when you consider that blood may be mixed with other material, as well. If it’s mixed with soil, it could be mixed with other liquids in the event of an accident or a crash of some kind. And that combination of multiple chemical factors could in fact affect the board in a negative way. This is worthy of additional exploration to understand does it affect our ability to retrieve data from the devices? 

But wait, there’s more. I mentioned to you earlier that I was going to share with you details about our cleaning processes. These are details we usually don’t speak out publicly about, but because of this special opportunity, I’m going to share them with you and open the curtain a bit more than usual of what we do to clean devices that have been exposed to this kind of material.

2 thoughts on “Extracting Evidence From Damaged Devices”

  1. Dear Mr. Watson,
    Once investigstor called me and informed me:”we take device out from the lake”. Then the investigator asked me question “How do I pack and seal wet device?”.
    I realised that I can’t answer to the question.
    Initially I said: put the wet device into the paper box, pierce small holes for ventilation and seal the box and carry the box to the lab.
    I think it should be allowed to dry naturally.

    Then I started to read information about wet device seizure and find information that device should be packed in sealed bag where is no oxygen, because oxygen may cause oxidation and rusting process.

    I would be happy if anyone can share best practices for wet device seizure?

    Best regards,
    Arturs

  2. I’m going to share them with you and open the curtain a bit more than usual of what we do to clean devices that have been exposed to this kind of material.

    Unfortunately the video is cut off abruptly after this sentence. It seems that the rest of the presentation has been removed.

    Where can we find it? Thank you.

Leave a Comment