Here’s everything Cellebrite’s forensic tool can extract from iPhones

Cellebrite UFED data dump main page

Documents uncovered by ZDNet have revealed the true scope of technology from Israeli developer Cellebrite Mobile Synchronization, which specializes in smartphone data extraction, transfer and analysis.

The leaked documents show just how much private data its smartphone forensic tool UFED, used by law enforcement, is capable of extracting from iPhones.

In a single data-extraction session, investigators were able to collect a huge array of personal data from an iPhone 5, including messages, phone calls, voicemails and images, some of it previously deleted. UFED can pull similar data from other phones, too, including the Wi-Fi hotspots and cellular towers the device was connected to.

The image at the top of this post shows the tool’s extraction report for an iPhone 5 running iOS 8.

After plugging the device into a machine running the tool, the officer was able to perform a logical extraction, which downloads what’s in the phone’s memory at the time.

Here’s some of the extracted data:

  • Mobile phone number
  • Registered Apple ID
  • iPhone’s IMEI number
  • Joined Wi-Fi networks
  • Database files
  • Call logs
  • Voicemails
  • User accounts in apps
  • Text messages
  • Music files
  • Notes
  • Calendars and contacts
  • Geolocation from photos
  • Installed apps
  • .plist configuration files
  • Settings and cached data
  • Web bookmarks and cookies

The software can also cross-reference data from the device to build up profiles across contacts, SMS and other communications. As mentioned earlier, UFED even extracted some content that had been deleted from the device, like deleted messages and photos.
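Messages and call logs on iOS live in SQLite database files, and a row deleted from SQLite is normally only marked as free space, not overwritten, which is why a tool reading the raw file can still find it. The following Python script is an added example written for this page (it is not Cellebrite’s or Apple’s code, and the table layout and marker text are constructed): it builds a small message table, deletes the row, and then scans the raw file bytes for the deleted text three times, once with SQLite’s plain delete, once with `PRAGMA secure_delete` turned on, and once after a `VACUUM`.

```python
import os
import sqlite3
import tempfile

# Constructed sample content; nothing here comes from the article's extraction report.
MARKER = "constructed-deleted-message-7f3a1c"


def build_message_store(path: str, secure_delete: bool, vacuum: bool) -> None:
    """Create a small SQLite message store, insert one row, then delete it.

    secure_delete=True asks SQLite to zero freed cell space when a row is deleted;
    vacuum=True rebuilds the file afterwards, which drops all free space.
    """
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode = DELETE")  # rollback journal is removed on commit
    # Set the option explicitly so the result does not depend on the platform's
    # compile-time default for secure_delete.
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO message (body) VALUES (?)", (MARKER,))
    conn.commit()
    conn.execute("DELETE FROM message WHERE id = 1")
    conn.commit()
    if vacuum:
        conn.execute("VACUUM")
    conn.close()


def deleted_text_recoverable(path: str, marker: str = MARKER) -> bool:
    """Scan the raw database file the way a carving tool would, ignoring the
    SQLite structure: True if the deleted row's text is still in the file bytes."""
    with open(path, "rb") as f:
        return marker.encode("utf-8") in f.read()


def residue_after_delete(secure_delete: bool = False, vacuum: bool = False) -> bool:
    """Build a store with the given settings and report whether the deleted text survives."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")
        build_message_store(path, secure_delete, vacuum)
        return deleted_text_recoverable(path)


if __name__ == "__main__":
    print("plain delete, residue remains:         ", residue_after_delete())
    print("secure_delete=ON, residue remains:     ", residue_after_delete(secure_delete=True))
    print("plain delete + VACUUM, residue remains:", residue_after_delete(vacuum=True))
```

The plain delete leaves the message text intact inside the freed page space, while `secure_delete` zeroes that space and `VACUUM` rewrites the file without it. The scan only covers the main database file; rollback journals, WAL files and filesystem-level copies are separate places the same data can linger, and a logical extraction of an unencrypted device gets all of them.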

Cellebrite UFED data dump locations
Cellebrite’s tool captures the geolocation of every photo that’s been taken.

It’s important to note that the phone’s owner hadn’t set up a passcode, which left the device entirely unencrypted and far more exposed to Cellebrite’s extraction tool.

With that in mind, had the iPhone 5 in question been protected with a passcode, the data on the phone would have been fully encrypted and iOS would have deleted everything on the device after ten failed attempts to guess the passcode.

The FBI reportedly paid Cellebrite $1.3 million for UFED and apparently used it to bypass iOS’s passcode delay and automatic wipe features on the San Bernardino shooter’s iPhone 5c. Apple, naturally, wanted to learn about the exploits Cellebrite’s tool uses, but the FBI wasn’t interested in sharing that information.

Cellebrite UFED data dump call logs

Cellebrite alluded in April it might be able to bypass the passcode protection on the iPhone 6 series, but wouldn’t comment beyond that vague statement. The FBI later said Cellebrite’s forensic tools do not work on iPhone 5s and newer and Cellebrite itself has said that it’s indeed unable to crack the passcodes on iPhone 4s and later.

Cellebrite UFED data dump messages timeline
Investigators can see Messages content sorted chronologically.

One possible reason for that: the Apple-designed processors that power the iPhone 5s and newer phones include an embedded Secure Enclave crypto-engine with its own encrypted memory and other hardware-based features aimed at strengthening security.

The Economic Times reported last month that India’s premier forensic institute, called The Forensic Science Laboratory, was buying Cellebrite’s technology to help its law enforcement agencies bypass locked iPhones.

A subsidiary of Japan’s Sun Corporation, Cellebrite was founded in 1996.

Source: ZDNet