When cops have a phone to break into, they just might pull a small, laptop-sized device out of a rugged briefcase. After plugging the phone in with a cable, and a few taps of a touch-screen, the cops have now bypassed the phone’s passcode. Almost like magic, they now have access to call logs, text messages, and in some cases even deleted data.
State police forces and highway patrols in the US have collectively spent millions of dollars on this sort of technology to break into and extract data from mobile phones, according to documents obtained by Motherboard. Over 2,000 pages of invoices, purchase orders, communications, and other documents lay out in unprecedented detail how one company in particular has cornered the trade in mobile phone forensics equipment across the United States.
Cellebrite, an Israel-based firm, sells tools that can pull data from most mobile phones on the market, such as contact lists, emails, and wiped messages. Cellebrite’s products can also circumvent the passcode locks or other security protections on many current mobile phones. The gear is typically used to gather evidence from a criminal suspect’s device after it has been seized, and although not many public examples of abuse are available, Cellebrite’s tools have been used by non-US authorities to prosecute dissidents.
Previous reports have focused on federal agencies’ acquisition of Cellebrite tools. But as smartphones have proliferated and increasingly become the digital center of our lives, the demand for and supply of mobile forensics tools have trickled down to more local bodies.
UFED Touch2 Platform. Cellebrite screengrab
Cellebrite has sold its wares to regional agencies in 20 states, and likely many more, according to the cache of documents acquired by Motherboard. Those items specifically include Cellebrite’s range of Universal Forensic Extraction Devices (UFED), the typically laptop-sized or handheld devices for hoovering up data from phones. Some of the agencies note in the documents that they use the technology for legal searches of devices.
Cellebrite does not publicly comment on its customers, and did not respond to a request for an interview on the company’s US strategy.
According to a spreadsheet detailing what models of phones Cellebrite can handle, the UFED can extract data from thousands of different mobile devices. It can’t, however, extract the passcode on the iPhone 4s or above.
“We use it for any and all crimes,” Nate McLaren, Special Agent in Charge at the Iowa Department of Public Safety’s Cyber Crime Unit and Internet Crimes Against Children Task Force, told Motherboard in a phone call. “Anywhere we think there might be a digital footprint or a digital fingerprint.”
To get a better idea of the extent to which mobile phone forensics technology has trickled down from the federal level, Motherboard filed public record access requests with state police forces and highway patrols in every US state, asking for records from 2010 to this year. Some agencies diverted the request to their respective state Department of Public Safety or other similar institutions. Others declined to release the records, pointing to exemptions in local law; a few demanded excessively high fees for the documents to be released, and some did not respond to the requests at all. Some agencies only retained related records for five years, so they provided those.
In all, Motherboard has obtained documents from agencies in 20 states, including the Illinois State Police, Missouri State Highway Patrol, and Arizona Department of Public Safety. (The cache of documents is included at the end of this article, as well as spreadsheets created by Motherboard breaking down each agency’s expenditure.)
As our investigation found, most of the agencies spent tens of thousands of dollars acquiring Cellebrite’s phone cracking and forensic UFEDs. Cellebrite sells several different versions of the UFED, which comes either as an actual device (the UFED Touch, Ultimate, or Pro) or as a piece of software for a computer called UFED4PC.
In short, there are two main ways Cellebrite’s UFEDs extract data from devices: either in a logical form, or a physical form.
“Logical is what-you-see-is-what-you-get,” Rene Novoa, senior manager at forensics company DriveSavers Data Recovery, told Motherboard in a phone call, referring to whatever data is immediately available on the phone. This likely includes messages, photos, or the information in databases generated by apps. Physical extraction, meanwhile, allows the retrieval of hidden or deleted material.
Getting around many phones’ passcodes is easy pickings for the UFED too.
“That is sort of built into their product: We do have the ability to get past many passcodes,” Novoa continued, referring to his own use of Cellebrite products. Once an investigator has broken into the phone, they can export chat messages in a conversation format and create PDF reports.
According to one memorandum from the Delaware State Police Criminal Intelligence and Homeland Security Section, the UFED can be used with little to no training.
But the vast majority of the agencies’ expenditure went on renewing annual licenses for Cellebrite products. If police forces want to be able to pull data from the latest phones, they have to keep paying subscription costs to the Cellebrite service. The Arizona Department of Public Safety spent around $110,000 over three years on these subscriptions alone. The Illinois State Police spent just over $45,000 on renewals, and the Iowa Department of Public Safety spent around $92,000.
Some funds were used to trade in one Cellebrite model for another, and to a lesser degree, some forces paid for extra training in how to use the forensics gear.
Agencies also spent tens of thousands of dollars on other Cellebrite products, including Link Analysis, a piece of software that visualizes data pulled from phones into easy-to-understand graphs, allowing investigators to quickly map out relationships between multiple individuals’ contacts, or a device’s GPS location across time.
Some agencies did buy equipment from other mobile phone forensics providers. There’s BlackBag, which has a particularly good reputation for extracting data from