Demystifying phone unlocking tools: A technical overview (external article)

final

This post by Italian non-profit Osservatorio Nessuno provides an introductive technical overview to forensic phone unlocking exploit kits used by governments and law enforcement, most notably Cellebrite.

This post provides an overview on how disk encryption works on Android, common attack vectors used by forensic tools to brute force or extract a device, their countermeasures against popular security features like automatic reboot in iOS and how you can protect yourself against such tools, including several mentions about GrapheneOS.

I opened a dialogue with the author recently to add some further information that might be of interest, given the article's nature I thought I would share it here too. Some of my suggestions have already been put in place. I will likely go on to recommend adding more countermeasures not mentioned in this article, such as the use of user profiles/private spaces for separated user data encryption.

Feel free to read it for yourself, I'd be glad to hear your thoughts: https://osservatorionessuno.org/blog/2026/05/demystifying-phone-unlocking-tools-a-technical-overview/

final

If you are less interested about the technology and security implications of mobile device forensics and the exploit tools and you just want to know more about the procedures examiners take with collecting devices then I highly recommend reading the Best Practices provided by SWGDE.

A good first start is on their Best Practices for Mobile Device Evidence Collection & Preservation Handling, and Acquisition: https://www.swgde.org/wp-content/uploads/2025/09/2025-08-21-Best-Practices-for-Mobile-Device-Evidence-Collection-Preservation-Handling-and-Acquisition-18-F-003-2.0.pdf

Best Practices for Mobile Device Forensic Analysis (is a few years old): https://www.swgde.org/documents/published-complete-listing/20-f-005-swgde-best-practices-for-mobile-device-forensic-analysis/

Carrousel7956

Page 10 of 2nd link:

Include any smear mark patterns that may be used to obtain passcode Include any smear mark
patterns that may be used to obtain passcode.

That's an error the document repeats itself :O

Could this actually be an avenue to obtaining the passcode? I've seen this in pop culture, but it's unfathomable to me because I touch all over the phone way more frequently than I press the pin. Fortunately the pin scramble mitigates. I guess the whole document is preserving evidence so there's no harm in looking and documenting.

I just tested it and if you wipe off your phone and then purposefully smear you can see where the marks were. Also even without pin scramble you still don't know the order and there's the rate limit. I imagine there could be more detail that could be seen with specialized tools, but still why would it be differentiable from keyboard usage?

Carrousel7956

5.3.3.2 Cover Microphone and Cameras
Be cognizant that the microphone and camera could be turned on when an incorrect passcode is
entered resulting in exfiltration of information about the attempt. Use either a microphone
blocking plug or take precautions that are available to prevent audio collection. Cover all
cameras including front and rear facing

This is very strange what OS has this feature?