By browsing this site, you are agreeing to our cookie policy. More Information

Best Practices in Recovering Data from Water-Damaged Devices

Digital Forensics | Oct 16, 2015

Mobile devices are everywhere. The evidence they hold can be the key to a successful investigation outcome, if you are able to acquire it. Water-damaged phones add even more complexity. How successful have you and your agency been in responding to water-damaged devices?

Steve Watson, a technologist focused in the areas of e-discovery, forensics, risk and compliance, posed this question to a full house at Enfuse (CEIC 2015) earlier this year. The popularity of his session, “Water-Damaged Devices – An Analysis of Evidence Locker Corrosion,” made a clear statement that EnCase® users are ready and eager to learn how best to tackle the data that resides on damaged devices.

If you missed this popular lecture, you can read a brief summary of it in this blog, and also download the complete slide presentation here: Water-Damaged Devices: An Analysis of Evidence Locker Corrosion.  We’d also like to remind you to register early for Enfuse 2016, where you can hear similar topics that will showcase the latest and most innovative tools and techniques to make your job easier as a forensic investigator.

Survey Proves More Research is Needed on Damaged Devices


Recently, Watson performed an industry survey of federal, state, and local agencies to gather trends in damaged devices. What he found was that most agencies receive water-damaged devices so infrequently that they can’t develop solid experience in this area:

water 1


The survey was used by Watson to launch The Damaged Devices Project—a series of research projects whereby devices are exposed to damage with scientific precision, followed by remediation and documentation. The results are then published to the digital forensics community. The scope of his research is on liquid damage, thermal damage, impact damage and ballistics damage.  His session at CEIC (Enfuse), however, focused specifically on the damage that occurs to mobile phones that have been submerged in water. 
 
Watson reported from his survey responses that most devices spend less than 30 days under water:

water 2


The majority of forensic examiners said a damaged device sits in an evidence locker room for at least three days before it is retrieved for cleaning in preparation for data acquisition. The problem here, according to Watson, is that as the duration of time increases that a water-damaged phone waits in evidence storage to be prepared for data acquisition, the corrosion and sediment buildup also increases exponentially.

water 3


In addition to risks of mold, biological hazards, battery damage, and electric discharge, mobile devices that stay zipped up in a locker room evidence bag will show greater liquid damage, including:

  • PCB layer damage
  • Rust
  • Pitting on the PCB traces
  • Corrosion (galvanic or electrolytic)
  • Damage to SMT leads

Top Five Recommendations to Remediate Water-Damaged Phones


The audience walked away with Watson’s top five recommendations in remediating water-damaged devices:
 
  1. Remove the battery as soon as possible
  2. Do not attempt a power-on or charge until dry
  3. The device is more stable if transported in water to the lab for cleaning
  4. If you can’t transport the device in liquid, disassemble and make a best effort to dry it before shipping or storing
  5. Do not expect a successful acquisition from devices that have remained in evidence bags for nine months or more 

Watson maintained an interactive session through a live demonstration of two phones that had been submerged for three days in water and then stored in an evidence bag for 221 days. The damaged phones were used to share best practices in phone disassembly, identification of damaged areas, and cleaning and drying of the device. To get the rest of these best practices and more, click here to download the complete presentation: Water-Damaged Devices: An Analysis of Evidence Locker Corrosion.   

You can also track or participate in this ongoing research on damaged devices by visiting Watson’s website: The Damaged Devices Project.
 
Don’t forget that you can attend other top-notch sessions like this one at Enfuse 2016 in Las Vegas, May 23-26, 2016. Enfuse brings the power of hands-on labs, learning sessions, and networking events together in a way that will take your work—and your career—to a whole new level. 
 
Click here to learn more about Enfuse and how you can save over 40% off the regular conference registration fee if you act by November 30, 2015.
Load more comments
Thank you for the comment! Your comment must be approved first
comment-avatar

You May Also Like

Digital Forensics

Now Available OnDemand: Advanced Internet Examinat...

Keep your skills up-to-date from the comfort of your home or office – no travel justification needed.
Nov 19
Digital Forensics

Sneak Peek at One Piece of Our New Logo

Since 1997, Guidance Software has had a look
Nov 3