
Hello,

I love reading police investigations etc. Those I've read earlier which have contained a Google Pixel usually have a message saying "extraction failed", and they use the "Cellebrite software".

However, yesterday I came across a Swedish one where they seized a Google Pixel 6a with Graphene installed on it. And this time, for the first time ever, I read that they used "TekPro" for extraction, and for some reason they managed to extract Signal conversations and pictures from the device.

So I'm wondering if anyone has ever heard of "TekPro"?

I'm not trying to create some sort of fear or say that Graphene is vulnerable, since I don't know which state the phone was in when the police grabbed it. In the investigation it only says that they arrested the woman with 2 phones.

There are a lot of photos, as you can see, where they have the phone unlocked without her giving the passcode. The woman had a lot of drugs, more than 80 kg of hash, cannabis etc. So I guess she must have had a passcode?

The documents are in Swedish; I will link them for those interested.
https://easyupload.io/x5ijef

Kind regards.


    quepasabebe There are a lot of photos, as you can see, where they have the phone unlocked without her giving the passcode.

    Is it clear from the documents that a fingerprint was not used? Or perhaps surveillance video of the passcode?

    J***** is arrested with both an iPhone and a Google Pixel phone in unlocked mode.

    From my understanding the person in question did not even have a passcode.

      Cantseeleft From my understanding the person in question did not even have a passcode.

      While it was indeed unlocked, page 415 has "KOD helena62" as a note on the Google phone entry. Or is that something else? First time reading one of these, and boy was that fascinating (oh look, it's already 03:45, whoops).

      And bloody hell is she fucked with all that evidence. Looks like she's going to have fun in prison for the next 2-7 years.

      Would you be able to point to the page where GrapheneOS is mentioned as the installed OS on the phone? I did a search through the document for "graphene" which returned two results for "Graphene0s Support", which apparently was a contact in the suspect's contact list (for reasons I don't understand).

        Relaks Page 23, third column, misspelled as GrapheheOS.

        Pages 237-240 also have pictures of GOS system apps.


        In the phone there are 11 contacts that may be of value to the investigation, they go to Benzema Balance, Benzema 9, bumbel, Rarry, Roma, Z, Graphene0s Support, Real Graphene0s Support.

        This creates an impression that the whole thing was preinstalled by some boutique "super encrypted phone" vendor or individual that sells Pixels with GrapheneOS preinstalled and provides "support".

        quepasabebe This is a good reason to use multiple users. Data in secondary users that are at rest will be safe if access to the main user was obtained if they aren't currently logged in. If they are logged in, then exploiting the device would obtain access to the data. You can disable users running in the background if you want to avoid forgetting to use end session. Using a secondary user as your main user is mentioned in https://grapheneos.org/faq#encryption as a useful approach for high threat model use cases.

        Relaks GrapheneOS has support solely through our discussion forum and chat rooms. It's explicitly stated on the site that contact@grapheneos.org shouldn't be used for support and we have no public company phone number yet, which won't be usable for support when we do. It's very questionable if this is actually GrapheneOS. It would be good to know which vendor is selling phones potentially misleading people about what they're getting and directing them to our email account or somewhere else for support.

          quepasabebe says that an undercover police officer grabbed the phone from the suspect while it was unlocked.

          With a lot of high-security systems with forensic tool resistance or even anti-forensic features, investigators will adapt and use different procedures if they expect you are using something of the sort. While you should expect companies who sell exploits for mobiles, like digital forensics companies, likely have Pixels or GrapheneOS in their sights, in most cases you shouldn't expect them to follow the same process as for an ordinary smartphone with stock Android. While there is no evidence of an exploit for a supported new Pixel with GrapheneOS, you should expect the procedure to be different even if there was one, since the users of the OS would be inclined to behave very differently compared to ordinary people or unqualified criminals with lackluster knowledge of computer security or digital forensics.

          Police are likely to expect GrapheneOS to be trouble, so seizing the phone just to acquire evidence from it through a toolkit like Cellebrite is likely out of the question. They'd likely conduct surveillance on the suspect to acquire the phone while it is unlocked or to discover the PIN/password, as mentioned in this example. Doing this allows them to turn off unlock methods and enable USB debugging to perform basic extractions and display capture. For cases where they think plugging the device in would trigger a kill switch, they have dedicated cameras to take pictures of the screen without connecting it to anything. Devices would also be placed in Faraday cages or in any other signal-blocking setup to prevent remote erasure.

          If any device is completely unlocked and with the security measures turned off, then any extraction tool would work. You shouldn't expect this 'TekPro' to be special compared to other tools; mobile forensics toolkits are often chosen by investigator preference unless another is needed for a certain device or app. You'll find investigators use a variety like Cellebrite Physical Analyser, Oxygen Forensics, Magnet AXIOM etc. to perform their evidence processing. Cellebrite is a gold standard since they do both evidence acquisition (UFED) and processing (Physical Analyser, Investigator, etc.).

          When relying on digital forensics questions on this forum you need to constantly remind yourself that much of the information is speculative, as companies try their best to black-box their systems and not disclose unique capabilities that their enhanced plans for law enforcement and government may have. I also personally have my doubts they'd even mention it in public if they had any unique capabilities with GrapheneOS devices, considering how many of their users sleuth around the Internet and are interested in anti-forensics. Having any sort of knowledge like that in public would be a tip-off and would probably cause users to suggest more anti-forensics.

          Also @quepasabebe, the file you sent has an invalid URL; would you be kind enough to upload it again? I would love to read this report. It would be the first public report I've seen with GrapheneOS in the wild.

            final

            I know that Swedish police can now use trojans and install them on people's devices; these months a lot of iPhone users have been caught under weird circumstances, and all the suspects have had iPhones...

            https://easyupload.io/xnmz82 There you go, mate.
            She has been chatting to someone who calls himself "GrapheneOs Support" on Signal. Just found out that he has been caught also and is waiting for a trial. I'll be back with his files later when they get ready. It's also drugs and money laundering.

            GrapheneOS

            The guy who called himself "grapheneos support" has also been arrested for drugs and money laundering. He used to sell Sky phones and encro, apparently.

            "The reasons for the district court's decision
            The criminal suspicion
            *akob *unc is, on probable grounds, suspected of particularly serious drug crime and serious money laundering offense during the period May 2021 to June 8, 2023 in Stockholm.
            The special grounds for detention
            There is a risk that *akob *unc deviates or evades prosecution or punishment in some other way.
            There is a risk that *akob *unc, by eliminating evidence or in some other way, complicates the investigation of the matter. This risk is such that the prosecutor's request for a continuance of restrictions must be accepted."

              final

              "When relying on digital forensics questions on this forum..."

              What? Can you please clarify for me what you meant here?

                spiral It is in the interest of the developers and users of digital forensic tools to never confirm what it can or can't do. So any information you read about them should almost always be presumed to be speculation.

                @quepasabebe Thanks. Reading the report I am inclined to believe they used Cellebrite. Page 26 is a screenshot from Cellebrite Physical Analyser reports, and 275 is a screenshot from the Cellebrite Physical Analyser app.

                Things like this are why you never trust retailers who sell GrapheneOS devices or people trying to sell you support. Most of them are just people trying to make bucks from criminals or take advantage of them, or worse, they are in illicit trade as well. When you see people going out to sell something like this and they aren't a transparent company with directors, you should just assume they are sketchy. The market for secure smartphones is a swamp of snake oil and criminal-run businesses.

                spiral Basically what ev6x said. I imagine a lot of people choose to read questions on the forums to get answers to questions they have, including about mobile forensics against GrapheneOS. The answers people will get to such questions are limited, or at best speculative, based on informed judgement from leaked materials or news articles other people have read, which often miss the details. People shouldn't rely entirely on the answers people give, as companies in the mobile forensics market will never write everything down in public. They could be able to do a lot less or a lot more on Pixels; it's hard to tell.

                Many device extractions are possible by failure from the subject whose phone was seized, not a failure in the device's security. Extraction via exploitation definitely happens but on a much smaller scale than people like to put out.

                  On page 237 we can see many apps saying "not installed for user". Among them Signal, Telegram and other apps.

                  There could be an additional profile which they have not investigated.

                  Both phones were taken from her hands, and both were in an unlocked state when they were taken.
                  The iPhone was forensically investigated.
                  But for the Pixel 6 they only managed to take video recordings of opened apps.

                  I suspect that since the girl had little knowledge of how to switch profiles, she used the apps in her account. Regardless of that, if the phone was snatched in an open state then they would be able to check that open profile also.

                  The app data sizes reveal that those apps were all unused, though.

                  On page 355 the report says that the phone has not been mirrored (connected through USB), which could also mean they attempted but failed.

                  Overall the police acted in a hurry and had to make the best of the situation to collect any evidence, especially since messages had timers for auto deletion.
