Successful forensic data extraction Pixel 6a

diverse_megen

2 years ago, 2 of my friend's Pixel 6a devices were kept for forensic data extraction and last week he got notice from his legal notice that they succeeded accessing both devices, extracting the encrypted data and gained access to thousands of messages and files.

The first phone had a 5 digit PIN, of this I am sure. But he claims the second phone had an 8 character alphanumeric password. Both were randomly generated.

This suggests they bypassed the TPM/Tensor chip to brute force the devices.

I don't know the software version the devices were on and if they were BFU of AFU but I am 100% sure that the bootloader was locked, OEM unlocking was disabled and there were no options like USB debugging activated.

I would to ask if there is more information available on how this is possible, discuss about forensic extraction and possible points of failure for academic purposes as I know you don't condone use for anything illegal.

Novalissoide

diverse_megen I am 100% sure that the bootloader was locked, OEM unlocking was disabled and there were no options like USB debugging activated.

This was two years ago, and you are 100% certain of these details. Was there a friend or are these P6a:s actually yours?

MetropleX

diverse_megen I don't know the software version the devices were on and if they were BFU of AFU

We can't discuss the issue if these details aren't available. What we know is that a supported device running our OS that is up to date and patched, isn't currently accessible by at least Cellebrite/Graykey based on the information we have access to.

Use of our Duress PIN feature would mitigate the entire situation if used and made available.

Having access to encrypted data means they can't decrypt it without the PIN etc, having access to encrypted messaging data doesn't mean anything either.

It's possible they extracted encrypted data to decrypt later. It's also possible they made claims to encourage self discriminatory disclosure. Need more precise and accurate info.

The-Man

diverse_megen 2 years ago, 2 of my friend's Pixel 6a devices were confiscated by a Law Enforcement Organization.

More fool "your friend" for storing such information on the phone in the first place.
Current upto date software impregnable, two year out of date software.... less so.
Now everyone reading this, it will now dawn on you, that everything you store on your phone or Google hoover from you will be, if not now, at some point in time be accessable.
Everyone who has had a device seized and not returned, the clock is ticking until the device is so out of date its accessable, then dark uniformed people will come crashing through your front door sometime soon, and you thought you got away with whatever you did......

Johnnyloans

diverse_megen

Thanks for the heads up :)

ElliesSurviving

not saying ur lying but it feels like theres more to the story if they were able to bruteforce those. especially within the span of two years. assuming its stock GrapheneOS it would have auto rebooted in maximum 3 days anyways, which means bruteforcing is their only way to access the data

littlerack

ElliesSurviving there is no mention of GOS in the post

diverse_megen

ElliesSurviving I don't know if auto reboot was already an option at that time, but if it was, it was set to maximum 12 hours.

diverse_megen

littlerack

I assumed that was kind of obvious, but they were running GrapheneOS.

littlerack

diverse_megen should be, but it's not for granted.
Anyway, just like here https://discuss.grapheneos.org/d/33493-successful-forensic-data-extraction-pixel-6a/3

de0u

From time to time posts are made claiming data has been extracted from Pixel devices, but so far no serious threat has been documented. Sometimes the posts lack many details. Sometimes links are provided to official court documents that most likely indicate that the device was not directly compromised, or that the device was running a known-vulnerable version of Google's stock OS, etc. In some cases it has seemed possible that some of the posts were consistent with deliberate FUD operations by government agencies.

So far for this report we don't know:

which country
what form of "legal notice"
what version of which OS was running
what data were obtained
whether or not a PIN was obtained (e.g., from security-camera footage)

diverse_megen This suggests they bypassed the TPM/Tensor chip to brute force the devices.

Personally I don't see enough information so far to draw any conclusion, let alone that conclusion. By no means is it impossible that some government agency broke into some Pixel! But many things are possible in theory. Detailed evidence is more convincing, when available.

Novalissoide

Dde0u
❤️

Novalissoide

diverse_megen I don't know if auto reboot was already an option at that time

It was.
https://imgur.com/a/SdHnwSf