Potential appearances of GrapheneOS in mobile forensic reports

spiral It is in the interest of the developers and users of digital forensic tools to never confirm what they can or can't do. So any information you read about them should almost always be presumed to be speculation.

@quepasabebe Thanks. Reading the report I am inclined to believe they used Cellebrite. Page 26 is a screenshot from Cellebrite Physical Analyser reports, and 275 is a screenshot from the Cellebrite Physical Analyser app.

Things like this are why you never trust retailers who sell GrapheneOS devices or people trying to sell you support. Most of them are just people trying to make bucks from criminals or take advantage of them, or worse, they are in illicit trade as well. When you see people going out to sell something like this and they aren't a transparent company with directors, you should just assume they are sketchy. The market for secure smartphones is a swamp of snake oil and criminal-run businesses.

spiral Basically what ev6x said. I imagine a lot of people choose to read questions on the forums to get answers to questions they have, including about mobile forensics against GrapheneOS. The answers people will get to questions are limited, or at best speculative, based on informed judgement from leaked materials or news articles other people have read, which often miss out the details. People shouldn't rely entirely on answers people give, as companies in the mobile forensics market will never write everything down in public. They could be able to do a lot less or a lot more on Pixels; it's hard to tell.

Many device extractions are made possible by a failure on the part of the subject whose phone was seized, not a failure in the device's security. Extraction via exploitation definitely happens, but on a much smaller scale than people like to put out.

    On page 237 we can see many apps saying
    "not installed for user". Among them Signal, Telegram and other apps.

    There could be an additional profile which they have not investigated.

    Both phones were taken from her hands and both were in an unlocked state when they were taken.
    The iPhone was forensically investigated.
    But for the Pixel 6 they only managed to take video recordings of opened apps.

    I suspect that since the girl had little knowledge of how to switch profiles, she used the apps in her account. Regardless of that, if the phone was snatched in an open state then they would be able to check that open profile as well.

    The app data sizes reveal that those apps were all unused, though.

    On page 355 the report says that the phone has not been mirrored (connected through USB). Which could also mean they attempted but failed.

    Overall the police acted in a hurry and had to make the best of the situation to collect any evidence. Especially since messages had timers for auto deletion.

    3 months later

    shadowman1

    Here is another one: https://fup.link/data/files/tr/attunda/b-7380-22/Attunda_TR_B_7380-22_Aktbil_84.pdf

    There isn't much to read about; the phone was seized in BFU state, turned off, in the suspect's bag. Search the document for "pixel" and you can find all mentions.

    Seems like they weren't able to extract anything at all because there are no extraction reports; all there is is a "PM" or "promemoria", and the closest I can compare it to is an affidavit saying that the device is heavily encrypted.

      Croak3114
      Thanks.

      Where do you find all those files? Can you send link(s) to the resources? Seems interesting.

        dc32f0cfe84def651e0e Yea, that's the statement from the officer, complete BS if you ask me. But since there is no extraction report and no data that has been added to the investigation, it is pretty safe to say that they didn't manage to extract anything.

        shadowman1 You can request any publicly available data (tax reports, income statements, court cases and outcomes) through the "offentlighetsprincipen". You need to know the case number and which instance it's being handled at, and you can request it free of charge. They are not all published by default, sadly.

          • [deleted]

          Croak3114
          How do you get the case numbers of such interesting cases?

          We are letting this thread stay up so that folks in the forum can discuss these topics on a technical level with factual accuracy.

          Political commentary beyond that is unnecessary. Stick to the technical. Thank you.

          (This is in reference to a now deleted comment).

          Can someone post a concise summary, in English, of this case, so that we have some sense of what is going on?

          Who was accused of what, what did police do, and what was the outcome?

          I think it would be instructive to see how such things go in other countries.

          A couple of thoughts from what is mentioned (I have not read the document as I don't feel like downloading something that translates PDFs). Would love it if they got the Pixel in BFU and could not crack it. We don't really have any actual criminal trial reports on what LE can extract (if anything) from GOS with Cellebrite/GrayKey. Criminal/legal cases are the best as facts are under oath and adversarial - prosecution and defense providing their analysis - and public record. The fact that I have not been able to find a criminal case on GOS being cracked actually bodes well IMO.

          We have alternative posts on the opened/unlocked phone being grabbed from her. This is how the FBI got Dread Pirate Roberts of Silk Road when he was using Tor and an onion website for his international dark web drug sales operation. The FBI got a warrant to seize devices (a whole story in itself in how that came about) and set up a sting team. They tailed him for a while and he went to a library to use its WiFi. The FBI set up a fake lovers' quarrel near DPR that distracted him so they could grab his open laptop before he could close it, where it would be encrypted. Thus, if you are doing some illegal stuff, undercover cops could always grab your open phone. They may figure criminals are aware of BFU and that it is strong security with a stock iPhone or Android latest model/software in regards to Cellebrite/GrayKey.

          This is one of 4 I have seen in Sweden, 3 BFU and nothing rewarding for the LE. The only comment is that it is heavily encrypted and nothing could be extracted; the first I saw was in 2022, the rest in 2023.

          Saw one here earlier a couple of months ago, but it was unlocked and they didn't extract anything but screened the phone and took screenshots.

            5 months later

            Back with a new case.

            Date: 2023-08-04
            2 young boys killed 1 and injured another. The victims had been contacted and the suspects acted as if they wanted to buy drugs. When the victims arrived at the location, 2 young men approached the vehicle and emptied the clips. On the scene one of the victims had a "google pixel" (seized).

            Police arrested the suspects on 2023-08-22 and found a "google pixel" phone (seized after a raid) in one of the suspects' homes.

            Preliminary investigation report:
            https://easyupload.io/m/7ixsp6 (the language is Swedish but some of you guys might find it interesting anyway)

            The police have opened 1 of the suspects' Pixels and have the code (low security apparently; he used PIN code 4545).
            There are reports of extractions from Cellebrite with Signal conversations and pictures (file: aktbil 192, pages 272, 1327).
            Software/companies used for examination: Magnet Forensics and Cellebrite.

            Again, just to clarify; I love reading these reports and just want to share them with you guys.

            Cheers!

              matchboxbananasynergy

              You are 100% correct, they guessed the PIN, and used forensics software to extract information after unlocking the device.
              I'm not stating anything else.

              Figured I'd share it for
              1) those curious about the technical side; there are some people that may be wondering how law enforcement works.
              2) in some countries people cannot get hold of forensic info like this.
              3) A news article circulating regarding this case says that the police breached the "encrypted pixel phone", so those nosy enough can now see that they simply guessed a 4 digit code :)

              matchboxbananasynergy There's also zero indication here that the device was running GrapheneOS from what I can tell.
              Page 214. (if no other OS uses the same icons, of course)

              We can delete the thread if you feel like it's damaging or denigrating our community.
              I don't know any other way to find legitimacy other than reading that LE can't extract info.

              Cheers!

                quepasabebe

                Page 214. (if no other OS uses the same icons, of course)

                I haven't checked the report, but based on the context, I assume there is a screenshot showing black & white icons, akin to those of our default apps.

                This does not mean the devices are running GrapheneOS. We are aware of many GrapheneOS forks, including sketchy ones adding security theater etc.

                Assuming something like this is GrapheneOS based solely on the icon would be the wrong assumption to make, especially since we know these other forks doing sketchy stuff exist, because something that's compromised on these OSes may not be the case on GrapheneOS.

                By that I mean, maybe these forks are adding features in an incorrect insecure way, or are otherwise removing things we've added, including low-level hardening, modifying our work in a misguided way, etc.

                It doesn't have to mean that they're actively, maliciously making the fork insecure. It could also be due to incompetence / lack of care.

                Hope that makes sense.