When police want to use a smartphone as evidence during an investigation, they often don't have easy access to the device. Even if they have authorization to search a suspect's phone, most modern devices lock their data behind a passcode or biometric identification. Law enforcement in many countries uses specialized tools produced by private companies with names like Grayshift or Cellebrite. Let's have a look at some of the tools available to police, how they work and what information they can retrieve.

Surprisingly, most of the technology law enforcement uses to extract data from smartphones is publicly advertised. Cellebrite, currently maybe the most prominent company in digital forensics, has a website that looks like any other hip technology startup, and they are very open about their services. They even separate them into basic and premium tiers, much like media streaming services sell their subscriptions. One of their most popular products is the "Cellebrite UFED", which stands for "Universal Forensic Extraction Device". UFED comes in different sizes and variations, for example with a touch screen or a rugged casing. I made a simple 3D model to show what this device roughly looks like.

Once a target phone is connected, it can in theory bypass lock patterns, PINs and passwords on some phone models, including certain iPhones, and extract data from the phone and the SIM card. I'm saying "in theory", because how vulnerable an iPhone is depends not only on the model and iOS version but also on which encryption state it is currently in. Basically, forensic companies distinguish between two states: Before First Unlock and After First Unlock. While a modern iPhone is turned off, its user data is encrypted, and the keys needed to decrypt most of it are derived from the passcode, so they exist nowhere in memory. From power-on until the passcode is entered for the first time, the phone is in the state "Before First Unlock", or BFU for short. Unless Cellebrite have an attack they don't advertise, they currently don't seem to have a way to pull any meaningful data off a device in the BFU state.
The only reasonable attack in that case seems to be brute-forcing the passcode, which is only possible by exploiting security flaws to remove the limit on passcode attempts. But most often, a seized iPhone is already turned on and in the state "After First Unlock", or AFU. In this state the phone is more vulnerable, because many encryption keys are now held in RAM, and it is more likely that some operating system exploit could expose them. Devices like Cellebrite's UFED usually don't break the encryption itself; they find ways around it.

An example of these two states in action can be seen when receiving a call. In the AFU state, the caller's name shows up on the screen if it's saved in the contacts. But in the BFU state only the number shows up, because the keys for decrypting the address book are not in memory yet.

Cellebrite obviously doesn't provide exact details about how their devices work, since most of the attacks are based on zero-day exploits, meaning publicly unknown security weaknesses in a target device, and on other confidential technology. All digital forensics companies try to keep their tools secret for as long as possible so that companies like Apple can't simply fix the weaknesses they are exploiting.

Apart from providing the tools to break into a smartphone, Cellebrite also offers software to easily browse the extracted data. In a simple interface, law enforcement can browse installed apps and often their data, browser and location history, social media and many other statistics. Similar tools exist for cloud-based evidence. Data from social media sites and cloud storage can be viewed in the UFED Cloud software, but this appears to be possible only if access was already obtained through login credentials or through tokens and session cookies extracted from the phone. They don't seem to be hacking into cloud accounts. According to a New York Times article from October 2020, Cellebrite has more than 7000 customers in 150 countries.
They not only sell this technology to law enforcement; these extraction devices can increasingly be found at airports and even schools. Some school districts in the United States reserve the right to search students' phones using this forensic technology. And many countries all over the world have recently called for backdoors to encryption and weaker device protections. With the increasing availability of extraction devices, the number of unjust searches of such deeply personal items as smartphones will most likely rise as well.

Average users like students might wonder how they can better protect their personal phone data against brute force attacks, and the answer is quite simple: use a longer device passcode. iPhones make it easy to switch from the default PIN lock to a more complex alphanumeric passcode. Once the attempt limit is bypassed, the remaining cost per guess is the Secure Enclave's key derivation, which Apple tunes to take roughly 80 milliseconds, so a six-digit PIN can be exhausted in under a day (about 11 hours on average). A passcode with 10 or more characters mixing letters and numbers pushes the necessary guessing time to thousands of years or more at that rate. Many iPhones can also quickly disable all unlock methods other than the passcode by pressing the side button five times, the Emergency SOS gesture (on newer models, holding the side button and a volume button); Face ID and Touch ID then stay disabled until the passcode is entered. These are two ways anyone can increase their device security immediately.

Anyway, who do you think should have access to this technological power? Share your opinion and I'll see you in the next video.
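To make the two brute-force scenarios from this video concrete (an attacker who has exploited away the attempt limit versus one who must play by the phone's own rules, and why passcode length is the user's lever), here is a small cost model. It is an added example written for this page, not code from the video, from Cellebrite or from Apple. It assumes roughly 80 ms per guess (Apple documents that the passcode-to-key derivation is tuned to about that) and uses the retry-delay schedule iOS documents for wrong passcode attempts; both are simplifications, and real tooling may differ.

```python
"""Brute-force cost model for a device passcode, with and without iOS-style
retry throttling. Added example for this page; not Cellebrite's or Apple's code.

Assumptions (not taken from the video):
  * each guess costs about 80 ms, the documented cost of the Secure Enclave's
    passcode-to-key derivation, and an attacker who bypasses the attempt limit
    still pays it;
  * an intact device delays after consecutive wrong guesses on the documented
    schedule: attempts 1-4 none, 5th 1 min, 6th 5 min, 7th-8th 15 min,
    9th and later 1 hour (the optional "Erase Data" wipe is modelled separately).
"""

SECONDS_PER_GUESS = 0.08  # assumption: Secure Enclave key derivation per attempt


def delay_after_wrong_guess(k: int) -> int:
    """Seconds an intact device waits after the k-th consecutive wrong guess."""
    if k < 5:
        return 0
    if k == 5:
        return 60
    if k == 6:
        return 5 * 60
    if k in (7, 8):
        return 15 * 60
    return 3600


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of possible passcodes of the given length over the alphabet."""
    return alphabet_size ** length


def unthrottled_seconds(n_guesses: int, per_guess: float = SECONDS_PER_GUESS) -> float:
    """Time to try n_guesses once the attempt limit and delays are removed
    (the exploit scenario): only the per-guess derivation cost remains."""
    return n_guesses * per_guess


def throttled_seconds(n_guesses: int, per_guess: float = SECONDS_PER_GUESS) -> float:
    """Time to try n_guesses sequentially on an intact device with no wipe:
    the delay after wrong guess k is served before guess k+1."""
    delays = sum(delay_after_wrong_guess(k) for k in range(1, min(n_guesses, 10)))
    if n_guesses > 10:
        delays += 3600 * (n_guesses - 10)  # wrong guesses 10..n-1 each cost 1 h
    return n_guesses * per_guess + delays


def erase_data_odds(space: int, attempts: int = 10) -> float:
    """Chance of guessing before the 'Erase Data' wipe triggers after `attempts`
    wrong guesses: the attacker gets `attempts` tries out of `space` codes."""
    return attempts / space


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


POLICIES = [  # (label, length, alphabet size) -- the policies compared in the video
    ("4-digit PIN", 4, 10),
    ("6-digit PIN", 6, 10),
    ("6-char alphanumeric", 6, 36),
    ("10-char alphanumeric", 10, 36),
]


def compare_policies():
    """Worst-case exhaustive search time per policy, limits bypassed vs intact."""
    rows = []
    for label, length, alphabet in POLICIES:
        space = keyspace(length, alphabet)
        rows.append((label, space, unthrottled_seconds(space), throttled_seconds(space)))
    return rows


if __name__ == "__main__":
    print(f"{'policy':22} {'keyspace':>20} {'limits bypassed':>18} {'limits intact':>20}")
    for label, space, fast, slow in compare_policies():
        print(f"{label:22} {space:>20,} {humanize(fast):>18} {humanize(slow):>20}")
    print(f"\nErase Data enabled, 6-digit PIN: P(success) = {erase_data_odds(keyspace(6, 10)):.0e}")
```

The "limits bypassed" column is the number that matters for the attack the video describes: at 80 ms per guess, the only thing between an attacker and the data is the size of the search space, which is why switching to a long alphanumeric passcode moves the worst case from hours to a span no investigation outlives, while the per-guess cost stays the same.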