Cellebrite: What You Need to Know About Cell Phone Forensics

Follow Jason on Twitter.

Smartphones are nearly ubiquitous devices that handle, create, and store massive amounts of information about our lives.

Law enforcement agencies have spent tens of millions of dollars on technology and training to extract a large trove of data from any given smartphone. Cellebrite has emerged as a leading supplier of cellular data seizure technology. Cellebrite produces software and mobile terminals that are used to physically copy data off of seized cell phones, data that may never cross a network link where it could be intercepted.

Smartphones are often the best source of information on their users, which makes them attractive to marketers, spies, and law enforcement, among others. Law enforcement has invested heavily to retrieve and utilize data from smartphones in investigations and court cases.

North Star Post has previously reported on cell-site simulators (a.k.a. Stingray, IMSI catchers, DRT-boxes), which are capable of remote, widespread, indiscriminate and often warrant-less surveillance. New evidence is emerging that certain variants of this technology can even jam frequencies, drain batteries and turn a cell phone into an active listening device.

Cell-site simulators are capable of uniquely tracking and/or identifying cell phones. Certain models can intercept text messages and phone calls. These capabilities are very powerful for tracking who associates with whom and for capturing communications for a large group or a target that an agency might not want or be able to get a wiretap for. The most advanced cell-site simulators still leave a large ocean of personal information untouched on a smartphone.

Smartphones typically store and access emails, photos, instant messages, location history, usage history on various apps (these could be anything from financial transactions to search history), and a variety of online and cloud services. Some forensics software is even capable of exploiting data stored on a smartphone to connect to social networks and cloud services and download personal data that is not available on the device itself.

Cellebrite offers the UFED (Universal Forensic Extraction Device) line of software and hardware to governments for them to copy as much data as possible off of seized smartphones. Cellebrite says UFED contains a catalog of procedures for retrieving data from more than 95 percent of mobile devices on the market. These procedures might be as simple as accessing a built-in backup or debugging feature in a smartphone with weak security.

More secure smartphones may require the use of undisclosed bugs and exploits Cellebrite has compiled. Cellebrite also recently released a new product called UFED Cloud Analyzer, which uses the authentication tokens and passwords cached by mobile apps to automatically log into Gmail, Google Drive, Facebook, Twitter, Dropbox, and Kik. Cloud Analyzer is then able to download emails, message history, files and contact lists as available. Cellebrite claims UFED Cloud Analyzer acts like these providers’ apps by using their application programming interfaces (APIs) to access data. Requests for comment from Google, Facebook, Twitter, and Dropbox went unanswered.

Cellebrite says there are “30,000 global deployments” of their forensics technology “in more than 100 countries” with users including “intelligence services, border patrols, special forces, military forces, public safety agencies and securities and financial organizations.” Cellebrite’s portable UFED unit is listed in a US military cellphone surveillance catalog published by The Intercept. Cellebrite has a large presence in US law enforcement–there are currently 48 courses scheduled in the US for the remainder of 2016.

Chandler, Arizona, has one week-long class scheduled. There are also several classes scheduled in Northern Virginia and Salt Lake City, with others generally scattered across the country. The courses range in technical complexity from basic use of UFED to dis-assembly and physical access to circuitry at advanced levels.

Documents from the Chicago Police Department claim that UFED “is crucial while conducting investigations where cellular telephones are present.” The documents then request approval to spend $7,074 on a portable UFED kit, plus $999 a year in software fees thereafter. As Freddy Martinez of Lucy Parsons Labs in Chicago has uncovered, Chicago Police Department policy is to use seized drug money to cover the costs of surveillance technologies. Internally, this money, confiscated prior to the trial or conviction of a suspect, is called “1505” money.

Another memo on approving a payment for an update claims UFED “is proprietary and utilized in covert operations. Knowledge of it’s [sic] existence should be kept within the Bureau of Organized Crime and limited to sworn personnel.” Chicago PD apparently let its license expire and rushed to renew it in August of 2011 because a “software update was immediately needed for the execution of a search warrant on an offenders cellular telephone (Operation Little Girl Lost).”

Cellebrite does not limit itself to using official procedures authorized by device makers. The company is active in searching for exploits against smartphone security features. One Cellebrite job ad listed “1337 skills” and “military intelligence elite courses (you know and we know)” as requirements. Cellebrite is based in Israel, which has a significant pool of skilled security researchers, in part due to the existence of Israeli military Unit 8200.

Unit 8200 is responsible for collecting signals intelligence, similar to the NSA and the UK’s GCHQ. Unit 8200 is unique in its recruitment and training of large numbers of talented security researchers who enter the private sector after completing mandatory military service. Another Cellebrite job posting lists experience in Unit 8200 as a qualification equivalent to holding a bachelor’s degree. The company boasts they have a staff of over 200 engineers.

Cellebrite has a key edge in attacking the security of smartphones–its relationships as the “exclusive provider of mobile synchronization systems for Verizon Wireless, AT&T, Sprint/Nextel, T-Mobile” and others that allow them to obtain “pre-production handsets and source codes from the cell phone manufacturers six months prior to retail launch which is a major advantage for research and development.” See here, courtesy of Lucy Parsons Labs.

Some or all of the source code running on a cell phone is proprietary to the manufacturers and operating system vendors involved and is kept secret from most security researchers and the general public. Source code is the human-readable form of a program; most programs ship as compiled binaries, which are far more difficult to analyze for security flaws. Cellebrite holds a major advantage in finding secret exploits against proprietary code it has access to, because outside security researchers cannot review that code for flaws and alert the public. The head start of up to six months to hack new phones and OS updates also stands out as a massive edge over those attempting to find and fix security flaws, especially when compared to the 1-3 year life-cycle of most smartphone models.

Law enforcement has aggressively exploited security and privacy gaps in mobile devices and their networks to surveil targets. “Tower dumps” (carrier records of every phone that connected to a given cell tower during a time window), other records from carriers, and cell-site simulators all allow anyone with access to them to monitor the location and communications of cell phones. Mobile forensics software allows those with access to a device to collect far more information, some of which may only be available on the phone.

The proper use of good encryption on smartphones can protect stored information from someone knowledgeable in hacking them or from mobile forensics software. Cellebrite and other forensics software developers do research and package exploits against mobile devices, but many of these attacks can be easily reproduced by skilled hobbyists from information on public forums, especially if forensic accuracy is not required. A technically knowledgeable hobbyist or criminal could also further exploit authentication tokens and stored passwords on mobile devices to access emails or make fraudulent financial transactions. Encryption is the last line of defense between a smartphone user’s data and an attacker with physical access to the device, and it only holds if the key cannot be recovered from the seized device itself: the key must depend on a passcode the attacker cannot guess (ideally bound to hardware that limits guess attempts), and the device must be locked or powered off when it is taken.
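The following is an added example, not code from the article or from Cellebrite, that models the "physical access" threat described above. The assumptions (none of them from the article) are that the adversary has imaged the phone's flash, that the storage key is derived from the passcode alone with PBKDF2 and a stored salt, and that there is no hardware-bound secret or guess rate limiter. Under those assumptions the passcode's entropy is the whole defense, and the difference between a four-digit PIN and a passphrase is the difference between seconds of offline guessing and an infeasible search. The sample secret and the passcodes are constructed for the demo.

```python
import hashlib
import hmac
import itertools
import os
import string
from typing import Optional

# Added example (not from the article or any vendor). Toy model of a seized,
# encrypted device: the forensic image holds a salt, a key-check value and the
# ciphertext, so passcode guesses can be tested offline at full CPU speed.
# Assumptions: PBKDF2 from the passcode alone, no hardware-bound key, no guess
# limiter. Real devices add both; the point is what happens without them.

ITERATIONS = 200  # assumption: kept low so the demo finishes in seconds; real systems use far more


def derive_key(passcode: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 storage key from the passcode and per-device salt."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, ITERATIONS, dklen=32)


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (real systems use AES-XTS or AES-GCM)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def lock_device(passcode: str, data: bytes) -> dict:
    """Produce what an image of the flash would contain: salt, key-check value, ciphertext."""
    salt = os.urandom(16)
    key = derive_key(passcode, salt)
    return {
        "salt": salt,
        # The key-check value lets the device (and therefore the attacker) test a
        # passcode guess without having to decrypt and inspect the data.
        "kcv": hmac.new(key, b"key-check", hashlib.sha256).digest(),
        "ciphertext": bytes(a ^ b for a, b in zip(data, keystream(key, len(data)))),
    }


def unlock(image: dict, passcode: str) -> Optional[bytes]:
    """Return the plaintext if the passcode derives the right key, else None."""
    key = derive_key(passcode, image["salt"])
    candidate_kcv = hmac.new(key, b"key-check", hashlib.sha256).digest()
    if not hmac.compare_digest(candidate_kcv, image["kcv"]):
        return None
    ct = image["ciphertext"]
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


def brute_force(image: dict, candidates, max_guesses: int) -> Optional[str]:
    """Offline guessing against the imaged flash; the passcode if found within budget, else None."""
    for n, guess in enumerate(candidates):
        if n >= max_guesses:
            return None
        if unlock(image, guess) is not None:
            return guess
    return None


def four_digit_pins():
    """All 10,000 four-digit PINs in order."""
    return ("".join(p) for p in itertools.product(string.digits, repeat=4))


if __name__ == "__main__":
    secret = b"constructed sample: location history, tokens, messages"  # constructed data
    pin_image = lock_device("7391", secret)  # constructed 4-digit PIN
    found = brute_force(pin_image, four_digit_pins(), max_guesses=10_000)
    print("PIN recovered:", found, "->", unlock(pin_image, found))
    strong_image = lock_device("correct horse battery staple", secret)  # constructed passphrase
    print("Passphrase found within the same budget:",
          brute_force(strong_image, four_digit_pins(), max_guesses=10_000))
```

The key-check value is the detail that makes the offline attack cheap: the attacker never has to decrypt anything to know whether a guess was right. Hardware-bound keys and rate-limited guess counters exist precisely to take this offline search away from whoever holds the flash image.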

The movement of Apple and Google to encrypt storage by default has triggered a wave of concern and complaints from FBI Director James Comey and other law enforcement officials. Comey and others have called for device makers to provide a means of “exceptional access,” commonly called a “backdoor” in the security community, by modifying the designs of future smartphones and their operating systems. Apple and Google have both pushed back on these requests, with the support of the academic security and cryptography community, see here.

“The San Bernardino litigation isn’t about trying to set a precedent or send any kind of message. It is about the victims and justice,” Comey said in a piece written for the online publication Lawfare, adding “I also hope all Americans will participate in the long conversation we must have about how to both embrace the technology we love and get the safety we need.”

This conflict has reached a new peak in a court battle between Apple and the DOJ: the DOJ obtained an order to compel Apple to develop a modified version of iOS to extract data from an iPhone provided to Syed Rizwan Farook, one of the San Bernardino shooters, by his employer.