A leaked document obtained by ZDNet has revealed the scope of data that Cellebrite’s tool can extract from iPhones. The Israeli company came into the limelight earlier this year in the San Bernardino shooting case, when it was rumored that the FBI got help from the company to unlock the locked iPhone 5c of one of the shooters.
The leaked files are “extraction reports,” which are organized to allow investigators to easily see and analyze data from a phone. Extraction is conducted by plugging the phone into a Cellebrite UFED device. While the device is primarily for extracting information currently on the phone, it can, in some cases, extract recently deleted items. The phone at the heart of ZDNet’s extraction report was a non-passcode-protected iPhone 5 running iOS 8.
After plugging the device into a machine running the tool, the officer was able to perform a logical extraction, which downloads what’s in the phone’s memory at the time.
Here’s some of the extracted data:
- Mobile phone number
- Registered Apple ID
- iPhone’s IMEI number
- Joined Wi-Fi networks
- Database files
- Call logs
- User accounts in apps
- Text messages
- Music files
- Calendars and contacts
- Geolocation from photos
- Installed apps
- .plist configuration files
- Settings and cached data
- Web bookmarks and cookies
The software can also cross-reference data from the device to build up profiles across contacts, SMS and other communications. As mentioned earlier, UFED even extracted some content that had been deleted from the device, like deleted messages and photos.
The catch here is that the phone used was an iPhone 5 running iOS 8 with no passcode set, which means that it was completely unencrypted. iPhone 5s and above don’t work well with Cellebrite’s tool since they come with a dedicated Secure Enclave coprocessor.
The FBI reportedly paid Cellebrite $1.3 million for UFED and apparently used it to bypass iOS’s passcode delay and automatic wipe features on the San Bernardino shooter’s iPhone 5c. Apple, naturally, wanted to learn about the exploits Cellebrite’s tool uses, but the FBI wasn’t interested in sharing that information.
Cellebrite hinted in April that it might be able to bypass the passcode protection on the iPhone 6 series, but wouldn’t comment beyond that vague statement. The FBI later said Cellebrite’s forensic tools do not work on iPhone 5s and newer, and Cellebrite itself has said that it’s indeed unable to crack the passcodes on iPhone 4s and later.
One possible reason for that: Apple-designed processors that power iPhone 5s and newer phones feature an embedded Secure Enclave crypto-engine with its own encrypted memory and other hardware-based features aimed at strengthening security.
The Economic Times reported last month that India’s premier forensic institute, called The Forensic Science Laboratory, was buying Cellebrite’s technology to help its law enforcement agencies bypass locked iPhones.