
Cyberforensics is not new to the world. With the advent of smartphones, law agencies have always felt the need to be able to extract data from smartphones used by suspects when investigating a case. And while there has been an impression that the police in India are not really interested in such tools, an enlightening new report from Medianama sheds light on at least one law enforcement agency that relies on forensic tools to extract data from locked smartphones, although the effectiveness of such tools is questionable.
The report states that the Delhi Police uses a bunch of tools made by companies across the world, including Israel, Sweden, Russia and the Czech Republic. Some companies, like Israel’s Cellebrite, have made a name for themselves by providing data extraction tools to law agencies across the world. In fact, this is the same company that allegedly helped the FBI break into the iPhone of the San Bernardino shooter, and also the same company that reportedly helped Saudi Arabian Prince Mohammed Bin Salman to hack into Jeff Bezos’ iPhone X.
The tools, according to the report, are housed in the National Cyber Forensic Laboratory (NCFL) in Dwarka, which is one of the four verticals of the Home Ministry’s Indian Cyber Crime Coordination Centre. The NCFL is managed by the Cyber Crime wing of the Delhi Police, which goes by the name Cyber Prevention, Awareness and Detection centre (CyPad).
Curious about what the police use to break into smartphones of suspects? These are the tools –
Tools used by Delhi police to extract data from locked smartphones
Cellebrite UFED
Cellebrite, an Israeli digital intelligence firm, has a tool called UFED (Universal Forensic Extraction Device). It consists of software and a physical analyzer that is used by the police. UFED, according to Cellebrite, is capable of extracting all data currently housed in the device and, to some extent, even data that has been deleted from it. The firm claims the tool works on both locked and unlocked smartphones, but the report quotes sources within the Delhi Police saying it is not 100 per cent effective.
The Cellebrite UFED tool housed at the NCFL can reportedly support 35,000 smartphone models. The tool can provide call logs from a password-protected iPhone, but it’s not always successful. An intelligence analyst told Medianama that data extraction tools have to be capable of going under the operating system, to the kernel and shell level, to extract data from the physical chips. But even if the chip is old and the OS is updated to the latest version, UFED may be unable to help.
Cellebrite also has a cloud forensics tool to extract data from the cloud. This is different from remote hacking, which is more in line with Pegasus, the Israeli spyware that was used to target Indian citizens.
Microsystemation AB XRY
XRY is made by a Swedish firm that claims to support more than 30,000 smartphone models and app profiles. It can automatically detect the device model as soon as it is connected, and perform the extraction process step by step. The tool can decode almost all data in physical extractions and can also work on data stored by apps, including an automatic mode for WhatsApp and Telegram.
As for data extracted from a locked device, the firms making these tools certainly boast of the capabilities. But in the real world, bypassing locks, especially on iPhones, has proven to be troublesome. The success rate is actually determined by the chipset and the operating system.
Oxygen Forensic Detective
Detective, a tool made by a Russian company, is also used by the Delhi Police as an all-in-one platform to extract, decode and analyze data from digital sources including smartphones, IoT devices, drones and cloud services. It also works on Windows, macOS and Linux machines to extract credentials. The software can reportedly bypass lockscreens, locate passwords to encrypted backups and recover deleted data. The software is distributed on a USB dongle that is simply plugged into the device that needs to be investigated.
Compelson Labs MOBILEdit
Lastly, this is a tool made by a Czech firm that can be used by regular people to migrate data from one phone to another, or to manage data stored on a phone. But it also serves forensic purposes in finding deleted data on a phone, including call history, text messages, multimedia messages, photos, videos, passwords, as well as data from apps like WhatsApp, Skype, Dropbox, Facebook, Signal and more. Interestingly, MOBILEdit is now available to the general public and costs $99 (roughly Rs 7,300) for a single phone. A $1500 payment will lift the single phone limit and provide 12 months of updates.
So these are the apps and tools used by the police to break into smartphones in India. Medianama got access to these tools during a tour of the NCFL premises. While this does raise a lot of questions regarding user privacy, there is also the other side of the spectrum, where a smartphone is indeed used to store malicious information. This also raises questions around the security and privacy features hailed by smartphone manufacturers.