Leaked files show what a Cellebrite phone extraction report looks like
Earlier this year, we were sent a series of large, encrypted files purportedly belonging to a US police department as a result of a leak at a law firm, which was insecurely synchronizing its backup systems across the internet without a password.
Among the files was a series of phone dumps that the police department created with specialist equipment made by Cellebrite, an Israeli firm that provides phone-cracking technology.
The digital forensics firm specializes in helping police collar the bad guys with its array of technologies. It shot to fame earlier this year when it was wrongly pinned as the company that helped to unlock the San Bernardino shooter's iPhone, the same phone that embroiled Apple in a legal brouhaha with the FBI.
That's not to say that Cellebrite couldn't have helped.
Cellebrite's work is largely secret, and the company balances on a fine line between disclosing its capabilities to drum up business and ensuring that only the "good guys" have access to its technology.
US police are said to have spent millions on this kind of phone-cracking technology. And it's not surprising, because Cellebrite gets results.
The forensics company claims it can download almost every shred of data from almost any device on behalf of police intelligence agencies in over a hundred countries. It does that by taking a seized phone from the police, then plugging it in, and extracting messages, phone calls, voicemails, images, and more from the device using its own proprietary technology.
It then generates an extraction report, allowing investigators to see at a glance where a person was, who they were talking to, and when.
We obtained a number of these so-called extraction reports.
One of the more interesting reports by far was from an iPhone 5 running iOS 8. The phone's owner didn't use a passcode, meaning the phone was entirely unencrypted.
Here's everything that was stored on that iPhone 5, including some deleted content.
(Apple's iOS 8 was the first iPhone software version to come with passcode-based encryption. It would've been enough to thwart the average phone thief, but it might not have hindered some phone crackers with the right hardware. Cellebrite says it can't crack the passcodes on the iPhone 4s and later. iPhone 5s handsets and later come with a secure enclave co-processor on the main processor chip, which makes phone-cracking significantly harder.)
The phone was plugged into a Cellebrite UFED device, which in this case was a dedicated computer in the police department. The police officer carried out a logical extraction, which downloads what's in the phone's memory at the time. (Motherboard has more on how Cellebrite's extraction process works.)
In some cases, it also contained data the user had recently deleted.
To our knowledge, there are a few sample reports out there floating on the web, but it's rare to see a real-world example of how much data can be siphoned off from a fairly modern device.
We're publishing some snippets from the report, with sensitive or identifiable information redacted.