• General

  • Potential appearances of GrapheneOS in mobile forensic reports

shadowman1

Here is another one: https://fup.link/data/files/tr/attunda/b-7380-22/Attunda_TR_B_7380-22_Aktbil_84.pdf

There isnt much to read about, phone was seized in BFU state turned off in suspects bag. Search the document for "pixel" and you can find all mentions.

Seems like they werent able to extract anything at all because there are no extraction reports, all there is "PM" or "prememoria" and the closest i can compare it to is an affidavit saying that the device is heavily encrypted.

      Croak3114
      Thanks.

      Where do you find all those files? can you send link(s) to the resources? seems interesting.

          dc32f0cfe84def651e0e Yea that's the statement from the officer, complete BS if you ask me. But since there is no extraction report and no data that has been added to the investigation it is pretty safe to say that they didnt manage to extract anything.

          shadowman1 You can request any publicly available data, tax reports, income statements, court cases and outcomes through the "offentlighetsprincipen" you need to know the case number and which instance its being handled at and you can request it free of charge. They are not all published as per default sadly.

                • [deleted]

                • Post #26

                Croak3114
                How to get case numbers of such interesting cases?

                  We are letting this thread stay up so that folks in the forum can discuss these topics on a technical level with factual accuracy.

                  Political commentary beyond that is unnecessary. Stick to the technical. Thank you.

                  (This is in reference to a now deleted comment).

                  Can someone post a concise summary, in English, of this case, so that we have some sense of what is going on?

                  Who was accused of what, what did police do, and what was the outcome?

                  I think it would be instructive to see how such things go in other countries.

                  Couple thoughts from what is mentioned (have not read the document as I don't feel like downloading something that translates PDFs). Would love it if they got the Pixel in BFU and could not crack it. We don't really have any actual criminal trial reports on what LE can extract (if anything) from GOS with Cellebrite/GrayKey. Criminal/legal cases are the best as facts are under oath and adversarial - prosecution and defense providing their analysis - and public record. The fact that I have not been able to find a criminal case on GOS being cracked actual bodes well IMO.

                  We have alternative posts on the opened/unlocked phone being grabbed from her. This is how the FBI got Dred Pirate Roberts of Silk Road when he was using Tor and an onion website for his internationatioal dark web drug sales operation. FBI got a warrant to seize devices (a whole story in itself in how that came about) and set-up a sting team. Tailed him for a while and he went to a library to use its WiFi. FBI set-up a fake lovers quarrel near DPR that distracted him so they could grab his open laptop before he could close it where it would be encrypted. Thus, if you are doing some illegal stuff, undercover cops could always grab your open phone. They may figure criminals are aware of BFU and it is strong security with a stock iPhone or Android latest model/software in regards to Cellebrite/GrayKey.

                  This is one of 4 I have seen in sweden, 3 BFU and nothing rewarding for the LE. Only comment is that it is heavily encrypted and nothing could been extracted, first I saw was 2022 the rest 2023.

                  Saw one here earlier couple months ago, but was unlocked and they didnt extract any but screened the phone and took screen shots.

                    5 months later

                    Back with a new case.

                    Date: 2023-08-04
                    2 young boys killed 1 and injured another 1. The victims had been contacted and the suspects acted as if they wanted to buy drugs. When the victims arrived to the location, 2 young men approached the vehicle and emptied the clips. On the scene one of the victims had a "google pixel" (seized)

                    Police arrested the suspects 2023-08-22 and found a "google pixel"-phone (seized after a raid) in one of the suspects home.

                    preliminary investigation report:
                    https://easyupload.io/m/7ixsp6 (the language is swedish but some of you guys might find it interesting anyway)

                    The police have opened 1 of the suspects pixel and have the code (low security apparently he used pincode 4545
                    There are reports of extractions from cellbrite with signal conversations and picture (file: aktbil 192 page: 272, 1327)
                    Software/companies used for examination: Magnet forensic and Cellbrite.

                    Again, just to clarify; I love reading these reports and just want to share them with you guys.

                    Cheers!

                      matchboxbananasynergy

                      You are 100% correct, they guessed the PIN, and used forensics software to extract information after unlocking the device.
                      I'm not stating anything else.

                      Figured id share it for
                      1) those curios of the technical side, there are some people that may be wondering how law enforcement work.
                      2) in some countries ppl cannot get a hold of forensic info like this.
                      3) A news article circulating regarding this case saying that the police breached the "encrypted pixel phone" so those nosey enough can now see that they simply guessed a 4 digit code :)

                      matchboxbananasynergy There's also zero indication here that the device was running GrapheneOS from what I can tell.
                      page 214. (if no other OS uses the same icons ofc)

                      We can delete the thread if you feel like its damaging or denigrating our community,
                      I don't know any other way to find legitimacy other than reading that LE cant extract info.

                      Cheers!

                            quepasabebe

                            page 214. (if no other OS uses the same icons ofc)

                            I haven't checked the report, but based on the context, I assume there is a screenshot showing black & white icons, akin to those of our default apps.

                            This does not mean the devices are running GrapheneOS. We are aware of many GrapheneOS forks, including sketchy ones adding security theater etc.

                            Assuming something like this is GrapheneOS just based on the icon would be the wrong assumption to make if it's solely based on that, especially since we know these other forks doing sketchy stuff exists, because something that's compromised on these OSes may not be the case on GrapheneOS.

                            By that I mean, maybe these forks are adding features in an incorrect insecure way, or are otherwise removing things we've added, including low-level hardening, modifying our work in a misguided way, etc.

                            It doesn't have the mean that they're actively maliciously making the fork insecure. It could also be due to incompetence / lack of care.

                            Hope that makes sense.

                              Law enforcement could've just guessed the PIN based on information they gathered while investigating the subject, hints collected while examining their apartment, etc.

                              I can read Swedish, but the reports are totalling 2000+ pages, so that's not something I'll dive into anytime soon. 😅

                              matchboxbananasynergy maybe not a GrapheneOS phone, and I dont think it was portrayed as such - but it's still an interesting subject and part of the reason a lot of people chose GrapheneOS in the first place. I for one would like to see such subject matter posted here with full disclaimers.

                                Im reading the reports, it looks like he used GrapheneOS (but its never mentioned in the report and I think that's deliberately). Just recently Dutch courts started mentioning GrapheneOS and having GrapheneOS on your phone is enough reason to get your phone confiscated in a case since it will be stamped is 'crypto phone'. I'm still going through the reports of this Swedish case (I use a translator tool).

                                  Hathaway_Noa Just recently Dutch courts started mentioning GrapheneOS and having GrapheneOS on your phone is enough reason to get your phone confiscated in a case since it will be stamped is 'crypto phone'

                                  Seriously? You got a source for this? Sounds unbelievable, yet believable.

                                      wuseman

                                      Suspect, [co-suspect] and [name 12] (hereinafter: [name 12]) use several telephones at the same time, including Google Pixels. Six Google Pixels were identified in the study. The Google Pixels run on the GrapheneOS operating system, which improves user privacy and security. In addition, the Molly application is installed on these telephones. Molly is a modified version of Signal, which is more secure.

                                      The public prosecutor has taken the position that the suspect's mobile phone of the Google Pixel brand, type 4a, should be confiscated. The public prosecutor has put forward that the phone is a PGP device that is generally not returned to suspects and that the contents have not yet been examined because the device could not be decrypted.

                                      The suspect has taken the position that the Google Pixel is not a PGP phone and that there are no incriminating matters on it. It is not clear to the suspect why this telephone still needs to be investigated, while the investigation has been completed

                                      The court is of the opinion that the interests of criminal proceedings preclude the return of the Google Pixel mobile phone listed on the seizure list. This criminal law interest does not end with the conclusion of the investigation in the first instance. Now that the criminal law interest still opposes return, the telephone will be forfeited.

                                      Source: https://uitspraken.rechtspraak.nl/details?id=ECLI:NL:RBOVE:2024:2048

                                      Another:

                                      The police saw on camera images that on the evening in question one of the suspects from the group placed or hid something in the parking lot near a fence. Later, officers found a Google Pixel phone and a Nokia phone near the fence. The Nokia was still on, because the screen lit up when the police found this phone. The court therefore assumes that the telephones belonged to one or more suspects.

                                      The Google Pixel phone had the GrapheneOS operating system installed. This is an alternative operating system that is designed to guarantee privacy/anonymity as best as possible and to communicate anonymously. According to reporting officers, such telephones are frequently used in criminal circles.

                                      Source: https://uitspraken.rechtspraak.nl/details?id=ECLI:NL:RBZWB:2023:6754

                                      Basically whenever you come across court cases in the Netherlands where criminals used Pixel phones, it's 90% chance they had GrapheneOS installed on them since it's the most popular OS in Dutch criminal world. In a lot of court cases they straightly mention the google pixel phones as cryptophones and are able to confiscate them in a case against a s suspect solely because the suspect used a google pixel phone. Since this has become an issue some criminals are now using google pixel phones but modified the appearance of the phone to look like an Iphone since its less suspected during car checks and what not.