Dealing with Contaminated Digital Devices
Written by Steve Watson   

This article appeared in the March-April 2021 issue of Evidence Technology Magazine.
You can view that full issue here.

CRIME SCENES come in a variety of flavors. The scenes may reveal conditions as varied as breaking and entering with grand larceny, to complex homicides with multiple victims identified postmortem. We are all familiar with the crime scene collection protocols requiring personal protective equipment (PPE) to protect the crime scene from any unintended alteration during the investigation. The PPE serves a beneficial dual purpose of protecting crime scene personnel from biohazardous conditions they may encounter on-scene.

But what happens when this evidence is taken back to the laboratory for processing?

Evidence collected from crime scenes may have been exposed to conditions that are biohazardous to the teams processing the evidence items. Potential biohazards include bacteria, viruses, bloodborne pathogens, hazardous chemicals, drug residue, and, in some instances, chemical or biological weapons. These devices may be handled by various teams in a criminal investigation laboratory without adequate warning of the biohazardous contaminants that exist on the device.


Case-related phone from an arson homicide incident. Image: VTO Labs, 2019.

In traditional wet forensic laboratories, we observe the adherence to PPE protocols to prevent contamination of the trace evidence that may exist on the evidence items. This precaution serves the additional benefit of protecting lab personnel that may be handling items contaminated with blood, DNA, decomposing human remains, and other biological material that could be potentially biohazardous.

We can also observe strict adherence to PPE in laboratories conducting drug analysis. These teams are well-versed in the exposure risks of different natural and synthetic opioids. Their discipline for PPE extends beyond simply introducing contamination into evidence samples but very real risks to the laboratory personnel if proper protocols are not observed.

There is a team in many forensic laboratories that exists as a risk outlier alongside the other practicing forensic scientists. After the wet and trace forensics have been conducted and evidence is finally passed to the digital forensic teams, the risk of evidence contamination exists but the nature of this risk changes.

Digital forensic scientists risk the contamination of data inside of the devices rather than the physical and trace characteristics to which the evidence has been exposed. Digital forensic science goes to exceptional lengths to ensure the data is not altered during examination, but historically it has been presumed that the biohazard risks to the digital forensic personnel is minimal. A review of the processes employed in most laboratories reveals that this presumption is likely inaccurate.

Digital forensics personnel may receive computers and other electronic devices that have been exposed to biohazardous conditions without the warning that these devices may be contaminated. Additionally, many digital forensics labs have little more than gloves for handling devices. Crime scene investigators as well as wet forensics teams recognize other types of PPE may be required—including eye protection, masks or respirators for inhalation risk, and protective coverings to prevent dangerous material from landing on skin or clothing.

Why does this discrepancy exist?

Dr. Edmond Locard (1877–1966) formulated a guiding principle of forensic science that “Every contact leaves a trace.” This principle has guided evidence handling and crime scene investigation for generations.

As we look to the traditional forensic sciences, including crime scene investigation and wet and trace forensics, we readily see the influence of this principle on the handling of evidence and proximity to a crime scene. In this context, PPE historically prevents the investigators from introducing trace evidence at a crime scene. As a matter of example, hair, DNA samples, or trace fibers from clothing may alter the unadulterated crime scene.

This same principle shifts to the laboratory where PPE is primarily used to protect the evidence from any unintended alteration during the evidence processing and testing. Images of wet and trace forensic teams in a laboratory frequently display them wearing full-coverage PPE, including protective clothing, masks, gloves, and eye protection.

When we look to the digital forensic scientists, the mechanisms to protect against data alteration are not PPE. These mechanisms include write blockers to prevent the unintended data from being introduced, faraday containers to prevent radio frequencies from interacting with the devices, as well as defined processes and methodologies to investigate the data without the risk of data alteration.

All three categories of forensic scientists recognize and employ methods to prevent risk of evidence alteration, yet digital forensic scientists exist as an outlier as the data at risk for them is 1s and 0s inside the electronic device.

Is there a risk that evidence might not be processed because of the biohazard risks?

While investigating the risk associated with biohazard exposure to digital forensic science personnel, we learned that some laboratories working in the digital forensic space may deem evidence “too risky” to touch because of the biohazard risks. We have found some laboratories with strict policies of exclusion regarding touching devices exposed to bloodborne pathogens. Some laboratories may simply process the trace and wet forensics yet leave the digital evidence investigation in a long-term hold pattern because they do not know how to safely clean or interact with the contaminated evidence.

This possibility expands further when we include devices exposed to extremely life-threatening substances like fentanyl. While narcotics teams and illicit drug chemists or investigators know how to safely interact with these devices, digital forensics teams are woefully unprepared for the risk to life if they touch devices exposed to fentanyl without the requisite PPE to safely protect themselves.

If biohazard contaminated devices reach a dead end in the investigation because of the risk of device handling, is there data on these devices that could help solve investigations? Are there cleaning and handling processes that could be employed to make the devices safe for data retrieval?


Scientific testing of the ability to retrieve data from blood-covered circuit boards. Image: VTO Labs, 2019.

How is ‘biohazard’ defined in relation to crime scenes or contaminated evidence?

A quick review of known safety guidelines makes it clear that forensic science personnel supporting law enforcement investigations may easily come in contact with contaminated evidence exposed to a variety of biohazards.

The U.S. Occupational Safety and Health Administration (OSHA) defines “Contaminated” as “the presence or the reasonably anticipated presence of blood or other potentially infectious materials on an item or surface.” Bloodborne pathogens are defined as “pathogenic microorganisms that are present in human blood and can cause disease in humans.” OPIM or “Other Potentially Infectious Materials” includes a variety of human body fluids, “any unfixed tissue or organ (other than intact skin) from a human (living or dead) or HIV- or HBV-containing cells, tissue cultures, organ cultures, culture medium, blood, organs, or other tissues from humans or animals infected with HIV and HBV.

The National Institute for Occupational Safety and Health (NIOSH) outlines extensive recommendations for the safe operating procedures, personal protective equipment, and job categories which may be exposed to illicit drugs, including cocaine, methamphetamines, cannabinoids, cathinones, and opioids such as fentanyl and heroin. The guidelines explicitly call out the risks to law enforcement personnel conducting routine duties, as well as investigation and evidence collection.


Meth laboratory chemicals and paraphernalia. Image: VTO Labs, 2020.

These previous two descriptions do not even introduce the expansive list of toxic and hazardous substances including hazardous chemicals, toxics, and reactives outlined in OSHA standards (OSHA 1910.119 App A) that may exist in outlier investigations conducted by large law enforcement investigative organizations.

If bloodborne pathogens, OPIM, and illicit drug residue may reasonably exist on contaminated evidence, should we not ensure that all personnel interacting with these risks be eligible to receive the same disclosure and access to PPE to protect themselves, their colleagues, and their families?

Can biohazard contaminated evidence be decontaminated?

Robust protocols exist for the cleanup of biohazard waste. These methodologies have been employed in a variety of situations, including crime scene cleanup, decontamination after an exposure, and even rigorous protocols employed in healthcare to clean environments to protect patients and staff. Could these same protocols be applied to evidence after the requisite wet and trace forensics are completed?

During our investigation of this topic, we sought to clean electronic devices exposed to biohazardous substances to render them safe for handling by digital forensic personnel. Our testing included bloodborne pathogens, OPIM from post-mortem embedded electronic devices, as well as toxic chemicals frequently found in meth laboratory environments. We utilized chemicals and methodologies known to decontaminate the pathogens and chemicals, but the techniques had never been applied to electronic devices.


Case-related iPhone that was submerged in blood. Image: VTO Labs, 2019.

Do the chemicals and processes used to clean bloodborne pathogens, OPIM, and drug residue damage electronic devices?

The short answer is no. We don’t have to reinvent the wheel of “how to decontaminate”. The scientific question in this proposition is whether known decontamination solutions affect digital devices in a manner that would damage the data inside.

The chemicals and processes known to clean these biohazardous materials did not damage the electronic devices to the point where digital investigation was prevented. We were able to conduct routine digital forensic data acquisition from these devices including computers, tablets, USB drives, drones, and hard drives.

Chemicals and processes known to decontaminate biohazardous risks can be tested on non-evidentiary devices to determine the viability of data recovery.


Scientific testing to remove bloodborne pathogens from blood-covered phones. Image: VTO Labs, 2020.

How else can this discovery aid in the investigative process?

We readily see that crime scene investigators, as well as wet and trace forensic scientists, employ the requisite PPE to keep themselves safe while not introducing risk to the integrity of the evidence. Digital forensic scientists can benefit from access to and appropriate training for PPE, as well as the relevant detail on whether the evidence may have been exposed to biohazardous conditions.

Are there other personnel in the investigative process who may also benefit from PPE availability and training? Should notification that evidence may have been exposed to biohazardous conditions be mandatory for evidence intake? Should labs be trained that a possibility of decontamination of this evidence exists?

Additional personnel could include evidence storage technicians or firearm and toolmark scientists. For these personnel, the wet and trace evidence tasks may have been completed—yet additional handling and testing may be required that could put them in contact with the potentially risky evidence.

If evidence could be decontaminated for safe handling after the initial wet and trace forensics are completed, perhaps risk could be reduced throughout the investigative organization.

Techniques, best practices, and decontamination solutions exist that can safely decontaminate physical and digital evidence from bloodborne pathogens, other potentially infectious material, and illicit drug residue. We no longer need to risk the health and safety of our personnel or exclude potentially risky evidence that may be vital for our investigations. Decontamination of biohazard-exposed digital (and physical) evidence is now a possibility.


About the Author
This e-mail address is being protected from spam bots, you need JavaScript enabled to view it is the founder and CEO of VTO Labs. His research and specialization is embedded device hardware forensics. Watson is the chair of Forensics Committee for the Scientific Working Group on Digital Evidence (SWGDE). Watson and VTO Labs spend their time getting data off of new technology and extremely damaged devices.

 
< Prev   Next >






Editorial

ONE OF THE CHALLENGES of writing and editing a magazine is telling a story in a relatively small amount of space. Sometimes it seems like there is never enough room to say everything that needs to be said. I find myself making tough decisions about what parts stay and what parts go.

Read more...