Retrieving Evidence from Damaged Mobile Devices
It's not uncommon these days to encounter mobile devices that have sustained some type of damage. The damage can be accidental – dropped on pavement or in a puddle – or intentional, when criminals damage their own or victims' devices in a bid to destroy or conceal evidence.
In one recent high-profile homicide in Texas, a teenage rape victim, Shania Gray, was killed by her rapist, Franklin Davis, after he failed to intimidate her out of testifying against him. Because her iPhone contained his incriminating text and social media messages, Davis threw the device into a nearby pond following the murder.
The badly waterlogged device contained the only evidence of Davis’ connection to the crimes. Several law enforcement forensics labs were unable to salvage the evidence, and investigators had to forward the device to data recovery specialists in California. They did retrieve the evidence, and Davis was convicted of capital murder last November.
The takeaway: don’t give up on crushed, soaked, burned or shattered devices. Many options exist to get you the evidence you need for a case. Some of them can be “do it yourself” projects if you have the time, patience, and willingness to take a chance. Others require more specialized assistance.
DIY mobile device repair
Many devices will not boot to a usable state, or will withhold subscriber data, without a SIM card present. If the SIM in an evidence device is missing or damaged, you can create a "test" or clone SIM, which may be enough to get the device working.
Most commercial mobile forensics tools have an option to clone a SIM card: they read the ICCID and IMSI from the original card (or accept them typed in from carrier records) and write those two identifiers to a blank card. The handset checks those identifiers before it will expose the data tied to that subscriber, but the clone does not carry the secret authentication key, so the device cannot register with the network. That isolation is a benefit in itself, and creating a clone should be standard procedure whether or not the device is damaged. Bear in mind that it isolates the cellular radio only; Wi-Fi and Bluetooth still need to be disabled or shielded.
When a device has a shattered screen or has been damaged to the extent that its primary buttons will not work, you may be able to repair the device using parts you order online. In a Wisconsin case from 2012, a child abuser ran his iPhone over with his SUV in a bid to hide video evidence that he had intentionally shaken an infant. This crushed the display and rendered the device's Home button inoperable.
The investigator in that case went so far as to order iPhone parts online, then repair the crushed device herself. She was able to recover not only the video the prosecutor needed to prove the case, but also another video that helped to establish a timeline of the case's events.
You might have heard that you can salvage a wet device by sealing it in a plastic bag or container filled with rice, which absorbs the moisture. Rice absorbs far less water than a purpose-made desiccant, and some commercial firms market bags filled with silica gel for exactly this job. Whichever you use, power the device off, remove the battery if the design allows it, and do not attempt to power it on until it is fully dry; switching on a wet board is how the data gets destroyed.
Beware, however, the device that has been submerged in salt water. Salt water corrodes electronics, a process which accelerates once the device is exposed to air. Therefore, rather than remove the device from the water and let it dry, preserve it in a sealed container of salt water from the environment it was submerged in until you can get it to a specialist for processing.
Finally, if the device has been exposed to blood or other bodily fluids, sewage, soot (if involved in a fire) or other environmental hazards, decontaminate it, powered off and with the battery out where possible, by submerging it in denatured alcohol. The alcohol lifts the contaminants from the device and dries quickly.
Specialized mobile data extraction
Of course, some devices are damaged beyond repair. This is especially true when the device's data port is too mangled to connect a cable to a mobile forensic extraction tool, or, in the case of prepaid "burner" phones, when the data port is locked.
In these cases, it becomes necessary to recover data directly from the device's memory, bypassing the data port. Although the methods required to do this can become "DIY" projects, they require extensive training and practice on sacrificial devices before you use them on evidence.
A JTAG (Joint Test Action Group) extraction uses the debug interface that most processors expose for factory testing. The examiner locates the test access port (TAP) signals on the circuit board (TCK, TMS, TDI, TDO and usually TRST), solders wire leads to those test points, and connects them to a JTAG box. The box drives the debug interface to halt the processor and use it to read out the raw contents of the device's memory, so the data leaves the phone through the processor rather than through the damaged or locked data port. Data extracted this way goes to a raw binary file, which can then be decoded and analyzed by mobile forensics software. Two caveats: the board must still power up, and the processor's debug port must not have been disabled at the factory, which is increasingly common on production handsets. And if the device encrypts its storage, a JTAG dump gives you ciphertext unless the key can also be recovered.
A chip-off extraction is more destructive than the JTAG process, because it risks further damaging not only the device, but also the memory chip storing the evidence. As a result, it is often a last resort in the most severe or high profile cases where it's not possible to extract mobile data by any other means.
Chip-off extraction involves several steps, the first of which is to desolder and physically remove the memory chip from the device's motherboard. The second step is to read the chip in a dedicated reader with an adapter matched to the chip package, which images the raw contents. For eMMC-style chips the on-chip controller presents a logical image much like a disk. For bare NAND, the dump is the physical layout, and it must first be reassembled, undoing the controller's error-correction coding and "wear leveling" (the process by which the device scatters writes across the chip to spread wear), before any file system is visible. As with JTAG-extracted data, the resulting raw image can then be decoded and analyzed with mobile forensics software.
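The first thing the decoding step does with a raw JTAG or chip-off image is locate the partitions inside it. The following is an added example, not code from the article or from any vendor tool: it builds a constructed miniature image with a GPT layout (the layout typical of eMMC-based Android handsets; a bare-NAND dump would need the reassembly described above first), then parses it the way a decoder would, verifying the header and table CRCs so that a partial or damaged dump is reported rather than misread, and carves a partition out by name. Sector size, partition names and payloads are assumptions of the demo.

```python
"""Find and carve partitions in a raw dump with a GPT layout.
Added example; the image is a constructed miniature (512-byte sectors,
protective MBR, GPT header at LBA 1, 128-entry table, two tiny partitions).
Real dumps are gigabytes with the same structure."""
import struct
import uuid
import zlib

SECTOR = 512
ENTRY_SIZE = 128
NUM_ENTRIES = 128
TABLE_SECTORS = ENTRY_SIZE * NUM_ENTRIES // SECTOR      # 32 sectors
GPT_SIG = b"EFI PART"
HDR_FMT = "<8sIIIIQQQQ16sQIII"                           # 92-byte header
ENTRY_FMT = "<16s16sQQQ72s"                              # 128-byte entry
# Partition type used for every demo entry (Linux filesystem data); assumption.
LINUX_FS = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")


def build_sample_image(partitions):
    """partitions: list of (name, payload bytes). Returns a raw image."""
    first_usable = 2 + TABLE_SECTORS
    entries, data, lba = b"", b"", first_usable
    for i, (name, payload) in enumerate(partitions):
        nsect = -(-len(payload) // SECTOR)               # ceiling division
        entries += struct.pack(ENTRY_FMT, LINUX_FS.bytes_le, uuid.UUID(int=i + 1).bytes_le,
                               lba, lba + nsect - 1, 0, name.encode("utf-16-le"))
        data += payload.ljust(nsect * SECTOR, b"\0")
        lba += nsect
    entries = entries.ljust(ENTRY_SIZE * NUM_ENTRIES, b"\0")
    # Backup LBA is left 0: the miniature carries no backup table (assumption).
    header = struct.pack(HDR_FMT, GPT_SIG, 0x00010000, 92, 0, 0, 1, 0, first_usable,
                         lba - 1, uuid.UUID(int=0xABCD).bytes_le, 2,
                         NUM_ENTRIES, ENTRY_SIZE, zlib.crc32(entries))
    crc = zlib.crc32(header[:16] + b"\0\0\0\0" + header[20:])   # CRC over header with its CRC field zeroed
    header = header[:16] + struct.pack("<I", crc) + header[20:]
    mbr = bytearray(SECTOR)
    mbr[446 + 4] = 0xEE                                  # protective MBR: one 0xEE partition
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr) + header.ljust(SECTOR, b"\0") + entries + data


def parse_gpt(image):
    """Return the non-empty partition entries, refusing a dump whose CRCs fail."""
    hdr = image[SECTOR:SECTOR + 92]
    (sig, _rev, hdr_size, hdr_crc, _res, _cur, _backup, _first, _last, _disk,
     table_lba, n_entries, entry_size, table_crc) = struct.unpack(HDR_FMT, hdr)
    if sig != GPT_SIG or hdr_size != 92:
        raise ValueError("no GPT header at LBA 1")
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:]) != hdr_crc:
        raise ValueError("GPT header CRC mismatch: damaged or partial dump")
    start = table_lba * SECTOR
    table = image[start:start + n_entries * entry_size]
    if zlib.crc32(table) != table_crc:
        raise ValueError("partition table CRC mismatch: damaged or partial dump")
    parts = []
    for i in range(n_entries):
        type_guid, _pguid, first, last, _attrs, name = struct.unpack(
            ENTRY_FMT, table[i * entry_size:i * entry_size + 128])
        if type_guid == b"\0" * 16:                      # unused slot
            continue
        parts.append({"name": name.decode("utf-16-le").rstrip("\0"),
                      "type": str(uuid.UUID(bytes_le=type_guid)).upper(),
                      "first_lba": first, "last_lba": last,
                      "size": (last - first + 1) * SECTOR})
    return parts


def carve(image, part):
    """Slice one partition's sectors out of the raw image."""
    return image[part["first_lba"] * SECTOR:(part["last_lba"] + 1) * SECTOR]


if __name__ == "__main__":
    img = build_sample_image([("boot", b"ANDROID!" + b"\x01" * 100),
                              ("userdata", b"constructed userdata payload " * 40)])
    for p in parse_gpt(img):
        print(p["name"], p["first_lba"], p["last_lba"], p["size"])
```

The CRC checks are the practitioner's safeguard: a chip read that dropped a block, or a JTAG session that stalled partway, produces an image in which the header parses but the table checksum does not, and it is better to learn that from the parser than from a file system that mounts with half its files missing. On a device with storage encryption the carved userdata partition is still ciphertext; the parser tells you where it is, not what it says.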
In some cases, the effort or expense it takes to repair a damaged mobile device may not be worth the expected return. However, for serious felonies, it's not only possible but also often necessary to go the extra mile in finding a way to extract the evidence you need for a solid case.