A computer hard drive can be a rich source of evidence in a forensic investigation…but only if the device is intact and undamaged otherwise many additional steps to retrieve incriminating data from within are needed and not always successful even in the most expert hands. Research published in the International Journal of Electronic Security and Digital Forensics considers the data retrieval problems for investigators faced with a hard drive that has been submerged in water.
Alicia Francois and Alastair Nisbet of the Cybersecurity Research Laboratory at Auckland University of Technology in New Zealand, point out that under pressure suspects in an investigation may attempt to destroy digital evidence prior to a seizure by the authorities. A common approach is simply to put a hard drive in water in the hope that damage to the circuitry and the storage media within will render the data inaccessible.
The team has looked at the impact of water ingress on solid-state and conventional spinning magnetic disc hard drives and the timescale over which irreparable damage occurs and how this relates to the likelihood of significant data loss from the device. Circuitry and other components begin to corrode rather quickly following water ingress. However, if a device can be retrieved and dried within seven days, there is a reasonable chance of it still working and the data being accessible.
“Ultimately, water submersion can damage a drive quickly but with the necessary haste and skills, data may still be recoverable from a water-damaged hard drive,” the team writes.
However, if the device has been submerged in saltwater, then irreparable damage can occur within 30 minutes. The situation is worse for a solid-state drive which will essentially be destroyed within a minute of saltwater ingress. The research provides a useful guide for forensic investigators retrieving hard drives that have been submerged in water.
Francois, A. and Nisbet, A. (2021) ‘Forensic analysis and data recovery from water-submerged hard drives’, Int. J. Electronic Security and Digital Forensics, Vol. 13, No. 2, pp.219–231.