Leaked documents show breadth of iPhone data accessible by Cellebrite forensic tool


Thanks to the recent encryption debate, many smartphone owners are keenly aware of personal data stored on their iPhone, from contacts to calendar entries to photo metadata and more. Newly leaked documents relating to Israeli digital forensics firm Cellebrite demonstrate how much of that information is available to law enforcement agencies, at least when a device is left unencrypted.

Source: ZDNet

Cellebrite is one of a number of firms specializing in cellphone cracking technology, or more specifically mobile device intrusion and data retrieval software and hardware. The company claims its UFED tool can bypass passcode locks and extract and decode almost all data from hundreds of smartphone and tablet models, including Apple hardware.

The capabilities of platforms like UFED are known but not widely discussed beyond certain circles. As revealed by ZDNet on Thursday, however, a series of extraction reports from an iPhone 5 running iOS 8 shows how much data can be gleaned from an unprotected handset, and subsequently the value of strong device encryption.

While not a definitive catalog of forensics capabilities available to law enforcement agencies, or customers willing to pay for services from Cellebrite and others, the leaked files reveal successful transfers of basic system information, calendar entries, voicemail messages, call logs, cookies, locations, notes and much more.

The publication notes the tool was even able to retrieve files a user recently deleted, though as anyone familiar with digital storage knows, “deleting” a file does not necessarily erase it from a hard drive or flash memory.

Most of the information extracted by Cellebrite’s tool can also be downloaded by verified users through common software, including Apple’s iTunes, but accessing data like configuration and database files requires a more involved procedure.

Law enforcement agencies have for years used UFED systems to extract mission-critical data related to ongoing investigations. Notably, Cellebrite was at one time rumored to have assisted the Federal Bureau of Investigation in bypassing an iPhone 5c used by San Bernardino terrorist Syed Farook, though later reports suggested the agency actually purchased a zero-day exploit from gray hat hackers.

More recently, Cellebrite reportedly struck a deal with the Indian government to provide law enforcement officials in that country the tools to access a wide variety of devices.

It’s worth reiterating that the target iPhone featured in ZDNet’s report was not protected by a passcode, meaning any and all present data was left unencrypted.

After taking initial steps toward protecting customers with Activation Lock in iOS 7, Apple enabled end-to-end data encryption in iOS 8. The company later introduced extremely sophisticated hardware-based safeguards with the Secure Enclave coprocessor and Touch ID in iPhone 5s. Cellebrite itself notes its UFED system is unable to crack passwords on iPhone 4S and above.

The latest iPhone and iPad hardware build on those early technologies to stay one step ahead of hackers and, controversially, the government. That being said, even the best methods can’t protect users who refuse to passcode lock their device.