matchboxbananasynergy Y'all can correct me if I'm wrong here, but assuming the phone is in BFU state when the advesary gets a hold of it, and assuming that you use a password that distrusts the secure element (90+ entropy password/passphrase), I fail to see how they can get anything from it, seeing as everything is at rest and cannot be bruteforced.
I imagine from a forensics perspective it's already extremely difficult to succeed without this type of setup, so this would make it so much more. I'd still never say never and assume anything can be exploited with enough time. GrapheneOS already does a lot to make certain extraction methods not possible in comparison to Stock.
Nuttso you're one of the very few people that seem to understand what kind of importance data integrity has Infront of a court.
Thanks. While I focus on information security now I used to do Mobile forensics, hence how I am qualified for using UFED (A Ruggedized UFED Touch2 to be exact). Luckily never been to court but know many people who have.
I read the thread and the conclusions you make are about the same as mine, although I think Cellebrite are less capable than both what they describe and what people think they might have, mainly because when things get as sophisticated as this, they simply aren't for Cellebrite to deal with. I also made a post a while ago about how GrapheneOS features make Cellebrite unintuitive and why they would likely avoid using them entirely here:
https://discuss.grapheneos.org/d/4727-graykey-countermeasures/30
Oftentimes I find the overhype being just people grouping Cellebrite with intelligence-agency level threats which isn't comparable or realistic. These tools quite literally exist so investigators can do the work with minimal knowledge, time, and effort while maintaining forensic integrity. I would not be inclined to think an intelligence agency who will classify everything would give a shit about ANY integrity considering they would kill to get information on some people depending what state it is. Plus, sometimes knowing information on a target could be so good for their operations it doesn't matter if the evidence is invalid to them or not.
Nuttso I'm working with bunch of lawyers in Germany hand in hand on the encro and sky ecc cases. This is our work here:
I can't say a lot about these since my knowledge basically boils down to hyped news articles. From what I've seen these devices have always been total garbage, and the fact they could get away with making a phone that essentially relies on trusting a centralised, targeted and at-risk source to function is really bad... not to mention their insecure hardware.
I don't remember where this was said but I remember hearing that GrapheneOS gets targeted by companies who sell that crap because the existence of a real, open and secure mobile OS like this one puts these criminal markets out of business. Big reason why I donate and support this project.