Potential appearances of GrapheneOS in mobile forensic reports

quepasabebe says that an undercover police officer grabbed the phone from the suspect while it was unlocked.

With a lot of high-security systems with forensic tool resistance or even anti-forensic features, investigators will adapt and use different procedures if they expect you are using something of the sort. While you should expect that companies who sell exploits for mobiles, like digital forensics companies, likely have Pixels or GrapheneOS in their sights, in most cases you shouldn't expect them to take the same process as for an ordinary smartphone with stock Android. While there is no evidence of an exploit for a supported new Pixel with GrapheneOS, you should expect the procedure to be different even if there was one - since the users of the OS would be inclined to behave very differently compared to ordinary people or unqualified criminals with lackluster knowledge of computer security or digital forensics.

Police are likely to expect GrapheneOS to be trouble, so attempting to seize the phone just to acquire evidence from it through a toolkit like Cellebrite is likely out of the question. They'd likely conduct surveillance on the suspect to acquire the phone while it is unlocked, or to discover the PIN/password, as mentioned in this example. Doing this allows them to turn off unlock methods and enable USB debugging to perform basic extractions and display capture. For cases where they think plugging the device in would trigger a kill switch, they have dedicated cameras to take pictures of the screen without connecting it to anything. Devices would also be placed in Faraday cages or any other signal-blocking setup to prevent remote erasure.

If any device is completely unlocked and with the security measures turned off, then any extraction tool would work. You shouldn't expect this 'TekPro' to be special compared to other tools; mobile forensics toolkits are often chosen out of investigator preference unless another is needed for a certain device or app. You'll find investigators use a variety like Cellebrite Physical Analyser, Oxygen Forensics, Magnet AXIOM etc. to perform their evidence processing. Cellebrite is a gold standard since they do both evidence acquisition (UFED) and processing (Physical Analyser, Investigator, etc.).

When relying on digital forensics questions on this forum you need to constantly remind yourself that much of the information is speculative, as companies try their best to black-box their systems and not disclose unique capabilities that their enhanced plans for law enforcement and government may have. I also personally have my doubts they'd even mention it in public if they had any unique capabilities with GrapheneOS devices, considering how many of their users sleuth around the Internet and are interested in anti-forensics. Having any sort of knowledge like that in public would be a tip-off and would probably cause users to suggest more anti-forensics.

Also @quepasabebe: the file you sent has an invalid URL, would you be kind enough to upload it again? I would love to read this report. It would be the first public report I've seen with GrapheneOS in the wild.

    final

    I know that Swedish police can now use trojans and install them on people's devices; these months a lot of iPhone users have been caught during weird circumstances, and all the suspects have had iPhones...

    https://easyupload.io/xnmz82 There you go mate.
    She has been chatting to someone who calls himself "GrapheneOs Support" on Signal. Just found out that he has been caught also and is waiting for a trial. I'll be back with his files later when they get ready. It's also drugs and money laundering.

    GrapheneOS

    The guy who called himself "grapheneos support" has also been arrested for drugs and money laundering. He used to sell Sky phones and Encro, apparently.

    "The reasons for the district court's decision
    The criminal suspicion
    *akob *unc is, on probable grounds, suspected of particularly serious drug crime and serious money laundering offense during the period May 2021 to June 8, 2023 in Stockholm.
    The special grounds for detention
    There is a risk that *akob *unc deviates or evades prosecution or punishment in some other way.
    There is a risk that *akob *unc by eliminating evidence or in some other way complicates the investigation of the matter. This risk is such that the prosecutor's request for a continuance of restrictions must be accepted."

      final

      "When relying on digital forensics questions on this forum..."

      What? Can you please clarify for me what you meant here?

        spiral It is in the interest of the developers and users of digital forensic tools to never confirm what they can or can't do. So any information you read about them should almost always be presumed to be speculation.

        @quepasabebe Thanks. Reading the report, I am inclined to believe they used Cellebrite. Page 26 is a screenshot from Cellebrite Physical Analyser reports, and page 275 is a screenshot from the Cellebrite Physical Analyser app.

        Things like this are why you never trust retailers who sell GrapheneOS devices or people trying to sell you support. Most of them are just people trying to make bucks from criminals or take advantage of them, or worse, they are in the illicit trade as well. When you see people going out to sell something like this and they aren't a transparent company with directors, you should just assume they are sketchy. The market for secure smartphones is a swamp of snake oil and criminal-run businesses.

        spiral Basically what ev6x said. I imagine a lot of people choose to read questions on the forums to get answers to questions they have, including about mobile forensics against GrapheneOS. The answers people will get to questions are limited, or at best speculative, based on informed judgement from leaked materials or news articles other people have read, which often miss out the details. People shouldn't rely entirely on the answers people give, as companies in the mobile forensics market will never write everything down in public. They could be able to do a lot less or a lot more on Pixels; it's hard to tell.

        Many device extractions are possible because of a failure by the subject whose phone was seized, not a failure in the device's security. Extraction via exploitation definitely happens, but on a much smaller scale than people like to put out.

          On page 237 we can see many apps saying "not installed for user". Among them Signal, Telegram and other apps.

          There could be an additional profile which they have not investigated.

          Both phones were taken from her hands and both were in an unlocked state when they were taken.
          The iPhone was forensically investigated.
          But with the Pixel 6 they only managed to take video recordings of opened apps.

          I suspect that since the girl had little knowledge of how to switch profiles, she used the apps in her account. Regardless of that, if the phone was snatched in an open state then they would be able to check that open profile also.

          The app data sizes reveal that those apps were all unused, though.

          On page 355 the report says that the phone has not been mirrored (connected through USB). Which could also mean they attempted but failed.

          Overall the police acted in a hurry and had to make the best of the situation to collect any evidence. Especially since messages had timers for auto deletion.


          shadowman1

          Here is another one: https://fup.link/data/files/tr/attunda/b-7380-22/Attunda_TR_B_7380-22_Aktbil_84.pdf

          There isn't much to read about; the phone was seized in BFU state, turned off, in the suspect's bag. Search the document for "pixel" and you can find all mentions.

          Seems like they weren't able to extract anything at all, because there are no extraction reports; all there is is "PM" or "prememoria", and the closest I can compare it to is an affidavit saying that the device is heavily encrypted.

            Croak3114
            Thanks.

            Where do you find all those files? Can you send link(s) to the resources? Seems interesting.

              dc32f0cfe84def651e0e Yea, that's the statement from the officer, complete BS if you ask me. But since there is no extraction report and no data that has been added to the investigation, it is pretty safe to say that they didn't manage to extract anything.

              shadowman1 You can request any publicly available data, tax reports, income statements, court cases and outcomes through the "offentlighetsprincipen"; you need to know the case number and which instance it's being handled at, and you can request it free of charge. They are not all published by default, sadly.

                • [deleted]

                Croak3114
                How to get case numbers of such interesting cases?

                We are letting this thread stay up so that folks in the forum can discuss these topics on a technical level with factual accuracy.

                Political commentary beyond that is unnecessary. Stick to the technical. Thank you.

                (This is in reference to a now deleted comment).

                Can someone post a concise summary, in English, of this case, so that we have some sense of what is going on?

                Who was accused of what, what did police do, and what was the outcome?

                I think it would be instructive to see how such things go in other countries.

                A couple of thoughts from what is mentioned (I have not read the document as I don't feel like downloading something that translates PDFs). Would love it if they got the Pixel in BFU and could not crack it. We don't really have any actual criminal trial reports on what LE can extract (if anything) from GOS with Cellebrite/GrayKey. Criminal/legal cases are the best, as facts are under oath and adversarial - prosecution and defense providing their analysis - and public record. The fact that I have not been able to find a criminal case on GOS being cracked actually bodes well IMO.

                We have alternative posts on the opened/unlocked phone being grabbed from her. This is how the FBI got Dread Pirate Roberts of Silk Road when he was using Tor and an onion website for his international dark web drug sales operation. The FBI got a warrant to seize devices (a whole story in itself in how that came about) and set up a sting team. They tailed him for a while and he went to a library to use its WiFi. The FBI set up a fake lovers' quarrel near DPR that distracted him so they could grab his open laptop before he could close it, at which point it would be encrypted. Thus, if you are doing some illegal stuff, undercover cops could always grab your open phone. They may figure criminals are aware of BFU and that it is strong security with a stock iPhone or Android latest model/software in regards to Cellebrite/GrayKey.

                This is one of 4 I have seen in Sweden, 3 BFU and nothing rewarding for the LE. The only comment is that it is heavily encrypted and nothing could be extracted; the first I saw was in 2022, the rest in 2023.

                Saw one here earlier a couple of months ago, but it was unlocked and they didn't extract anything but screened the phone and took screenshots.