“What you see depends on how you view the world. To most people, dirt is just dirt. To a farmer, it’s potential.” ~ Doe Zantamata
Earlier this month, a local farmer came to Gillware Digital Forensics with a very battered Samsung Galaxy S3 mobile phone. The farmer had been having some ongoing problems with trespassing, poaching, and vandalism. The phone had been found in some woods on their property, and it may have belonged to one of the trespassers, poachers, or vandals.
Our digital forensic analysts were going to find out. We’re no strangers to Samsung’s Galaxy line of mobile phones, with plenty of Samsung Galaxy S3, Galaxy S4, and Galaxy S5 forensic analyses under our belt.
The Samsung mobile phone our client had turned up had been through a lot. Its screen and body were badly cracked. The battery had started to bulge out of its casing, and was even beginning to rust. And the phone was filthy, inside and out.
From the degree of water damage we noted, it looked like the phone had sat out in the woods through more than its fair share of inclement weather. In its sorry condition, there was no telling how long it had been sitting out there or to whom it belonged.
Digital forensics exists to help people answer these questions. If we could get this phone back into working order, or could find a way to coax the data from its flash memory chip, a forensic examination of this Samsung Galaxy S3 phone could let our client know who this phone belonged to, how long it had been lying in the woods, and perhaps whether or not its owner was one of the vandals vexing the beleaguered farmer.
Getting any data from this phone would not be easy. The phone lacked both a SIM card and a MicroSD card, making the internal flash memory chip the only source of user-created data. Outside elements—rain, frost, mud and dirt—do not play well with electronics. Disassembling the Samsung mobile phone and breaking it down into its discrete components showed that there was a lot of rust, muck, and corrosion inside the phone (as one would expect from a phone that had no doubt weathered countless rainstorms and sat in countless muddy puddles).
Of course, due to the phone’s significant injuries, we couldn’t turn it on. This left us a few options for salvaging data from the phone as part of our forensic analysis.
One such option: a chip-off forensic procedure. Going ahead with this procedure, we would carefully remove the flash memory chip from the phone’s heavily corroded logic board. Then, using a specialized chip reader and forensic imaging software, we would create as complete a binary image of the chip’s contents as possible and use forensic analysis tools and techniques to glean information from our “copy” of the chip. This would result in a physical-level acquisition of the phone’s contents, but it would be permanently destructive.
Another option, this one non-destructive, would be to create a “Frankenphone.” This method involves carefully cleaning the logic board from the weather-worn Samsung handset and transplanting it into a healthy donor phone of a similar model from which the logic board has been removed. Were this technique to pay off, we would have a fully working version of the unknown owner’s phone.
Both approaches had their own strengths and weaknesses. After some deliberation, we decided to see what was behind door number two.
We set to work cleaning the heavy corrosion off the phone’s logic board. Using isopropyl alcohol, tiny brushes, elbow grease and patience, we painstakingly wiped away the corrosion from the phone’s PCB. The corrosion had damaged some of the connections on the PCB, which we carefully repaired. With the PCB looking much less the worse for wear, we performed the transplant and slotted it into a functional Samsung Galaxy S3 model SCH-i530 handset.
The result: Success! The transplant went off without a hitch. The Frankenphone with its transplanted logic board booted up, good as new.
The phone was in airplane mode, with its date stuck in July. Some cell phones use signals from nearby cell towers to determine the date and time. Airplane mode prevents those signals from going through to your phone. This suggested to us that the phone may have lost power (likely due to a drained battery) around that date. It could have found its way into the woods before then.
The phone’s lock screen also displayed a message from the phone’s owner, including his first name. Using UFED4PC and Cellebrite Physical Analyzer, we delved deeper into the phone. Reviewing the data, we uncovered its owner’s full name, home phone number, and usage history. There was no call history or texting activity. The owner was just a kid, who had mostly used the phone to connect to Google Hangouts and play mobile games. Judging by the phone’s usage history, it could have ended up in the woods as early as May.
We didn’t find any evidence on the wayward phone to suggest that its owner had taken part in any vandalism on our client’s property. But we did provide the farmer with enough information to investigate the possibility further. We reminded the client that, just as fish or frogs can rain down from the sky, cell phones can sometimes just wind up far from home and in places where they don’t belong.