Water Damaged Devices - Evidence Locker Corrosion

www.encase.com/ceic

Water Damaged DevicesEvidence Locker Corrosion

PUBLIC

Presented21 May 2015At CEIC 2015

The opinions expressed and materials shared in this

presentation are my own and may not reflect the opinions,

policies, procedures or advice of my employer, committees

or groups in which I participate.

Disclaimer

WDD001 – Evidence Locker Corrosion

Page 2

How does water damage a phone?


Page 3

FitBit One

Page 4

Apple iPhone 4S


Page 5

Problem Statement

• Every agency will encounter a damaged mobile device.

• Strong, conflicting opinions exist within the community.

• Little research exists in the digital forensics space on this topic.

• Most of the information is marketing materials.


Page 6

Forensics:

1. K. C. Dudeck, T. C. Brennan and D. J. Embury, "Decontamination of blood soaked electronic devices using ultrasonic technology," Forensic Science International, vol. 214, pp. 88-95, 2012.

2. R. van der Knijff, "Chapter 8 - Embedded Systems Analysis," in Handbook of Digital Forensics and Investigation, E. Casey, Ed., Burlington, MA: Elsevier Academic Press, 2009, p. 396.

3. Scientific Working Group for Digital Evidence., DRAFT - SWGDE Best Practices for Handling Damaged Mobile Devices, USA: SWGDE, 2014.

4. Scientific Working Group for Digital Evidence., SWGDE Best Practices for Handling Damaged Hard Drives, USA: SWGDE, 2014.

Existing Literature:

Master Title

Page 7

Damaged Devices ResearchSeries of research projects focused on

damaged devices:

1. Liquid (water) damage [WDD]

2. Thermal damage [TDD]

3. Impact damage [IDD]

4. Ballistics damage [BDD]


Page 8

Photo reference links(clockwise): 1, 2, 3, 4

http://www.geek.com/mobile/htc-phones-officially-the-best-at-stopping-bullets-1575442/

https://www.youtube.com/watch?v=dNrdgDEdCW0

http://www.citynews.ca/2007/11/29/man-dies-after-exploding-cell-phone-found-burned-into-his-chest/

http://www.damageddevices.com/

Damage Project Reference Description

WDD

WaterDamagedDevices

WDD001 Evidence Locker Corrosion

WDD002.001 Baseline for cleaning, resulting in acquisition.

WDD002.002 Expanded WDD002.001 with LDN water.

WDD002.003 Repeat WDD002.001 with powered on.

WDD002.004 Extend time duration of WDD002.001

WDD003 Water damage longevity study.

WDD004 Efficacy of cleaning products.

WDD05 Efficacy of drying techniques.

WDD006 Transport from scene to lab.


Page 9

Status/Color

DONE

CURRENT

FUTURE

Survey InputFrequency of Receiving WDD

Frequently 23.08%

Monthly 15.38%

Annually 61.54%

Duration Underwater

1 day 16.67%

3 day 33.33%

7 days 16.67%

30 days 25.00%

365 days 8.33%

Time until Cleaning

12 hours 10%

1 day 10%

3 days 50%

7 days 10%

30 days 20%

Liquid Type

freshwater (as primary liquid) 69.23%

brackish water (secondary liquid) 15.38%

salt water (secondary liquid) 23.08%

blood (secondary liquid) 23.08%

other liquid 7.69%

Cumulative input from federal, state, local agencies and supporting vendors.



50% of survey responders said 3 days

until device is cleaned to attempt data

acquisition

First responders pulling device from water,

letting the water drip out, then placing in an

evidence bag.

3 days

1 month

6 month

9 months

11


Project Setup

• 10 devices

• 9 submerged, 1 control

• 3 days submersion

• Freshwater pond – water

tested


Page 12

Freshwater Pond


Page 13

Westminster, Colorado

Phones Used – HTC SDA / Tornado (ST22A)


Page 14

Project Setup


Page 15


Page 16

pH is a quantitative measure of the hydrogen ion concentration in an aqueous solution.

The pH scale ranges from acidic to alkaline or alkalinity of an aqueous solution.

Total dissolved solids (TDS) is a measure of the mineralization in aqueous solutions.

This measure is informative in determining the overall ionic effect in the solutions.

Electrical Conductivity is the ability of a solution to transfer (conduct) electric current.

It is the reciprocal of electrical resistivity (ohms).

Chlorine is a measure of the dissolved chlorine in the aqueous solution.

Temperature measured in Fahrenheit.

Water variables measured in WDD001


Page 17

Date Time pH TDS (PPT) EC (mS/cm) Temp(F) Chlorine

10/13/14 0630 7.66 0.29 0.59 48.8 0

10/16/14 0646 8.61 0.35 0.70 54.5 0

Water Variables


Page 18

Testing Notes:

• The differences in variables is outside of the bounds for temperature change.

• This is one of the challenges of live water testing. Water variables can change while devices are submerged.

Submersion


Page 19

GoPro HD

• Waterproof case

• Zip-tied to end of cage

• Photos every 30 seconds

until battery ran out.


Page 20

Retrieval

Phones retrieved after 72 hours (3 days).

All phones were present.

All phones were powered off.

GoPro HD had ran out of battery.

Allowed water to run out of phones then

logged in evidence bags.


Page 21

Device Submerged Remediation

WDD001-001 control control

WDD001-002 3 days 0 hours

WDD001-003 3 days 24 hours

WDD001-004 3 days 3 days





WDD001-009 3 days 221 days (TODAY)



Page 22

Potential Damage to WDD

1. PCB Layer Damage

2. Rust

3. Pitting on the PCB traces

4. Corrosion (galvanic or electrolytic)

5. Damage to SMT leads

Water Damage Assessment Scale

PCB Layer Damage -1 to 0

Rust -1 to 0

Pitting on PCB traces

-1 to 0

Corrosion -2 to 0

Damage to SMT leads

-2 to 0

Created as part of WDD002.001 to distinguish between the damage that was being identified on the PCBs.


Page 23

Additional Risks to Consider

1. Mold

2. Biological hazards

3. Battery damage

4. Electric discharge


Page 24

Photo Reference Link

http://commons.wikimedia.org/wiki/File:Biosafety_level_4_hazmat_suit.jpg

Examples:

• Transport

• disassembly at scene, straight into evidence bag

• transport in liquids, dry off before transport

• Cleaning

• water, isopropyl alcohol, “Scrubbing Bubbles”, industrial cleaners

• ultrasonic cleaners, forced water, brushing debris from PCB

• removing RF shields on PCB?

• Drying

• air dry, forced air dry, heat (oven)

Disagreements on how to address WDD


Page 25

Rule #1

Practice, practice, practice

▫ Don’t practice on pieces of evidence.

▫ Get some phones to practice disassembly.

▫ Practice powering a phone without a battery.

Rule #2

Understand whether you will need to reassemble the phone.

Rule #3

Right tools for the right job.

Demonstration – Disassembly of the phone.


Page 26

1. Review with microscope at the board level.

2. Identify areas of concern.

3. Suggestions for how to address problem areas.

Demonstration - Identification of damaged areas.


Page 27

Explanation of tools, techniques and processes to clean the device.

Demonstration - Cleaning of the device.


Page 28

Explanation of three methods for cleaning the device.

1. Air dry.

2. Dessicant.

3. Forced air dry.

4. Heated convection air dry.

Presenter’s preferred method?

Demonstration - Drying of the device.


Page 29

1. Powering the device.

2. Acquisition options.

3. How far is too far gone?

Demonstration - Preparation for acquisition..


Page 30

What information do I want you to take back to your

agency?

1. Remove battery as soon as possible.

2. Do not attempt power-on or charge until dry.

3. Data is indicating device is more stable if transported

in water to lab for cleaning.

4. If you can’t transport in liquid, disassemble and make

best effort to dry before shipping or storing.

5. Do not expect devices in evidence bags for 9 months

to be successful acquisition.

Current Recommendations regarding WDD


Page 31

My opinion will continue to change and evolve as the data emerges in these research

projects.

1. Identify organizations who are interested in this research.

2. Practitioners and researchers who are interested in partnership.

3. Funding for equipment, devices, lab supplies, cleaning chemicals,

Research Support


Page 32

Contact Details

Steve Watson

Westminster, Colorado US

[email protected]

www.stevewatson.net

www.damageddevices.com


Page 33

Water Damaged Devices - Evidence Locker Corrosion

Technology

digital evidence

evidence bag

liquid water damage

ldn water

salt water secondary

blood secondary liquid

electronic devices

primary liquid