SOCNET: The Special Operations Community Network

Thread URL: http://www.socnet.com/showthread.php?t=133595

Fu King Lawyer 23 November 2018 09:54

Cracking cell phones
 
Back in 2016 - we were still having trouble cracking into iPhone 8s and above. The "trouble" was more authenticating the data for later use in court, as opposed to getting into the device - but that was still very difficult.

I see now that Grayshift and Cellebrite are able to get in and the data gleaned is apparently reliable enough to use as trial evidence.

https://www.whio.com/news/local/loca...FsJmOJjO04TJK/

The retired FBI agent/attorney quoted for the article should remember that we have a federal criminal statute (18 USC 242) that will jam up any cop who fails to have probable cause/warrant to look at contents of communications stored in the device.

The whole thing reminds me of Cincinnati Microwave vs highway patrols and how traffic speed radars and Fuzzbuster detectors would leapfrog each other on a more or less annual basis. Agencies and drivers were constantly buying new equipment to keep ahead of the other's technology.

SHHINT 23 November 2018 10:32

Regardless, I hate working mobile devices....pretty much defer to anyone else now.

Spinner 23 November 2018 18:03

Lester Freamon made it all seem so easy on The Wire.

Polypro 24 November 2018 08:35

I don't know how iPhones handle security as I am not a user. But all I saw in the article was a *powered on* phone's *passcode* being bypassed. 99.9% of the public is using a 4 digit passcode - not very difficult in today's times.

I'd like to see how it does from a powered off state, and with a 17 character full ascii password?

Fingerprints are stupid, don't use them - I think the iPhone requires a pass code initially, then you can add fingerprints - which means either one can be attacked.

I have a Nexus 5 I'll give to any LE agency to try to get into from a powered off state. It's pre-boot encrypted using LUKS with about a 42 character random string - the screen lock password is 17 characters random. Hit me up if you think you can get in.

Always power off - if you can. I realize you can be jumped as you're using it, but power off if possible (which is more cumbersome to do with Apple products IIRC, compared to Android).

Edit:
Quote:

Press and hold the Side button and either volume button until the slider appears.

Drag the slider to turn your device completely off.

Xdeth 24 November 2018 11:41

Quote:

Originally Posted by Polypro (Post 1058764127)
I don't know how iPhones handle security as I am not a user...

It handles it well but as usual, weakness is the user. You can choose long alphanumeric codes or something easy, six numbers I think is a default. Rate limiting has been the decisive feature they added so that even covering space of 20 bits takes years. I understand this is the mechanism under attack by newer approaches.

CV 24 November 2018 15:39

Hemming up a cop that doesn't get adequate probable cause still won't prevent the abuse in the first place. The article sums up the entire back and forth by stating this is an arms race. The only side that suffers though is the user/consumer. Privacy is a monster and is getting bigger. Europe is already light-years ahead of the US, which is sad and ironic... considering we try to sell "Freedom".

I think your post FKL is more just a general conversation about cracking phones? It's a Coke/Pepsi debate, but I've seen more reverse engineers crush Android than iOS. It will continue to be the prime target of good and bad guys as folks use their phones for just about everything now.

Fu King Lawyer 24 November 2018 22:04

Quote:

Originally Posted by CV (Post 1058764175)
Hemming up a cop that doesn't get adequate probable cause still won't prevent the abuse in the first place. The article sums up the entire back and forth by stating this is an arms race. The only side that suffers though is the user/consumer. Privacy is a monster and is getting bigger. Europe is already light-years ahead of the US, which is sad and ironic... considering we try to sell "Freedom".

I think your post FKL is more just a general conversation about cracking phones? It's a Coke/Pepsi debate, but I've seen more reverse engineers crush Android than iOS. It will continue to be the prime target of good and bad guys as folks use their phones for just about everything now.

Yes, Sir. It was a general comment, along with the fact that I was surprised that apparently it took 2 years to get to the point they were able to authenticate data mirrored from iOS 8 and up for use in court. Also, I agree with your comment, at least back in my time, Android always seemed more easy to get to.

Polypro 25 November 2018 09:57

Quote:

Originally Posted by Fu King Lawyer (Post 1058764249)
Android always seemed more easy to get to.

Some notes on Android: Up until very recently, Android wasn't encrypted by default - the user had to go into 'Security' and then 'Encrypt Phone'. 99.9% (the same percentage that uses '1234' as a Screen Lock on all platforms) - would never do that. Combined with the fact that Android, due to it being free, and able to run on *any* phone - it's no wonder that it seems like every Android was easily cracked.

The proper way would be for the user to immediately come up with a 17 character "random" (to everyone but you - you obviously have to be able to store it in long term memory) ASCII string (letters, numbers, punctuation), to use as a screen unlock password. This in turn, is what is used to encrypt the SSD with pre-boot authentication. Due to user level limitations in Android, this is as long as the password can be, but 17 random is pretty good - thousands of years to brute force.

Nerds, on the other hand, would do as above, but then immediately install the app EncPassChanger, or CryptFS (or use Terminal commands) and then change that 17 character password that is being used for disk encryption - to one that is as long as you feel like typing in when booting from a power off state (Your Screen Unlock still stays at 17). You are now up to millions of years to brute force. Android is Linux - Linux uses LUKS for encryption - LUKS is really good encryption.

Like Xdeth said, if the end user is a nug, '1234' gets you owned no matter what phone/platform you have. I personally would choose LineageOS or a custom security build of Android on a Nexus 5 or 7 (those devices specifically have an app that will also let you lock/unlock the bootloader on the fly = more security) - if I was Dr. Evil and wanted LASER Beams on Sharks Heads. Linux is really powerful - if you know how to use it.
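Xdeth's point about rate limiting and Polypro's "thousands of years" estimate are both keyspace arithmetic, so here is an added worked example (mine, not posted by anyone in the thread) that makes the comparison explicit: it computes the entropy of the passcode styles discussed above and the worst-case exhaustive-search time at a fixed per-guess cost, and shows how many effective bits a per-guess delay adds over an unthrottled offline attack. The 80 ms per-guess figure is an assumption taken from Apple's published passcode key-derivation calibration; the 1 microsecond "unthrottled" rate and the policy list are constructed for illustration.

```python
import math
import string

# Assumption: 80 ms per guess, the figure Apple publishes for its passcode
# key-derivation calibration. The exercise is about the ratios, not the constant.
SECONDS_PER_GUESS = 0.080
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes the thread talks about: digit PINs and full printable ASCII.
ALPHABETS = {
    "digits": string.digits,                                             # 10 symbols
    "alnum": string.ascii_letters + string.digits,                       # 62 symbols
    "ascii": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}


def keyspace_size(length, alphabet="ascii"):
    """Number of distinct secrets of `length` symbols drawn uniformly from `alphabet`."""
    return len(ALPHABETS[alphabet]) ** length


def keyspace_bits(length, alphabet="ascii"):
    """Entropy in bits of a uniformly random secret (log2 of the keyspace)."""
    return math.log2(keyspace_size(length, alphabet))


def years_to_exhaust(length, alphabet="ascii", seconds_per_guess=SECONDS_PER_GUESS):
    """Worst-case years to try every candidate at a fixed per-guess cost.
    On average the secret is found after half this time."""
    return keyspace_size(length, alphabet) * seconds_per_guess / SECONDS_PER_YEAR


def rate_limit_gain_bits(seconds_per_guess, unthrottled_seconds_per_guess=1e-6):
    """Effective bits of strength a per-guess delay adds compared with an
    offline attack at `unthrottled_seconds_per_guess` (constructed: 1 us)."""
    return math.log2(seconds_per_guess / unthrottled_seconds_per_guess)


def policy_table():
    """Rows of (label, bits, worst-case years) for the passcode styles discussed."""
    policies = [
        ("4-digit PIN", 4, "digits"),
        ("6-digit PIN", 6, "digits"),
        ("17 random ASCII", 17, "ascii"),
        ("42 random ASCII", 42, "ascii"),
    ]
    return [(label, keyspace_bits(n, a), years_to_exhaust(n, a)) for label, n, a in policies]


if __name__ == "__main__":
    for label, bits, years in policy_table():
        print(f"{label:16s} {bits:7.1f} bits  {years:12.3g} years worst case")
    print(f"80 ms per guess adds ~{rate_limit_gain_bits(SECONDS_PER_GUESS):.1f} bits "
          f"over an unthrottled 1 us/guess attack")
```

Two things the numbers make visible: a 4-digit PIN is exhausted in minutes even with the per-guess delay, so the delay only helps once the keyspace is already large, and the delay itself is worth roughly 16 bits, which is why attacks on the rate limiter (rather than on the cipher) are the interesting ones for short codes.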

Fu King Lawyer 25 November 2018 19:24

Apple was also relatively easy to crack if you had the money and the political push - for instance, in the San Diego terrorist attack, rumor had it, that it was a million bucks.

https://www.npr.org/sections/alltech...-on-encryption

There were times when it was possible to get into the cell phone device through "favors", but nobody was willing afterwards to come into court and establish the equivalent of the "hash" (computer imaging)

https://www.forensicon.com/resources...drive-imaging/

and therein was the reason for my frustration, the data does very little good if you can't get the "image" in front of the jury and establish the admissibility of what you found. Lawyer shit, I know.....
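The "hash" that has to be established in front of the jury is the acquisition hash: the image is hashed when it is taken, the value is recorded, and anyone who later re-hashes the image must get the same value. As an added example (not the author's or any vendor's code), here is a minimal version of that workflow in Python: streaming SHA-256 over the source and the copy, a record of both digests plus the size, and a verifier that fails the moment a later copy differs by a single byte. The "device" contents and the tampered copy are constructed in a temporary directory so it runs offline.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so multi-gigabyte images never sit in RAM


def sha256_of_bytes(data):
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquisition_record(source_path, image_path):
    """Hash the original and the copy at acquisition time. A verifier later
    re-hashes the copy and compares with what was recorded here."""
    return {
        "source_sha256": sha256_of_file(source_path),
        "image_sha256": sha256_of_file(image_path),
        "image_bytes": os.path.getsize(image_path),
    }


def verify_image(image_path, record):
    """True only if the image still matches the hash recorded at acquisition."""
    return (
        record["source_sha256"] == record["image_sha256"]
        and os.path.getsize(image_path) == record["image_bytes"]
        and sha256_of_file(image_path) == record["source_sha256"]
    )


def demo():
    """Constructed walk-through: image a fake 'device', verify the copy, then
    show that a one-byte change in a later copy fails verification."""
    device = b"CONSTRUCTED-DEVICE-CONTENTS:" + bytes(range(256)) * 4096
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "device.bin")
        img = os.path.join(d, "device.img")
        tampered = os.path.join(d, "device-tampered.img")
        with open(src, "wb") as f:
            f.write(device)
        with open(img, "wb") as f:
            f.write(device)  # bit-for-bit copy stands in for the imaging step
        record = acquisition_record(src, img)
        good = verify_image(img, record)
        altered = bytearray(device)
        altered[1000] ^= 0x01  # flip a single bit in a later copy
        with open(tampered, "wb") as f:
            f.write(bytes(altered))
        bad = verify_image(tampered, record)
    return good, bad


if __name__ == "__main__":
    print("original verifies: %s, tampered copy verifies: %s" % demo())
```

The record is what gets written into the chain-of-custody paperwork; in practice it would also carry the examiner, the tool and version, and a timestamp, and the source hash is taken from the write-blocked original so the two digests can be compared independently.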

Macka 25 November 2018 19:47

Quote:

Originally Posted by Polypro (Post 1058764298)
Like Xdeth said, if the end user is a nug, '1234' gets you owned no matter what phone/platform you have.

Or like my criminal mastermind from last summer who had two phones, one Apple, one Android. When we did a SW on his car and seized the phones (which were listed on the warrant) we discovered them both to be unlocked! Too easy.

Zamir 26 November 2018 09:40

Quote:

Originally Posted by Fu King Lawyer (Post 1058764030)
Back in 2016 - we were still having trouble cracking into iPhone 8s and above. The "trouble" was more authenticating the data for later use in court, as opposed to getting into the device - but that was still very difficult.

I see now that Grayshift and Cellebrite are able to get in and the data gleaned is apparently reliable enough to use as trial evidence.

https://www.whio.com/news/local/loca...FsJmOJjO04TJK/

The retired FBI agent/attorney quoted for the article should remember that we have a federal criminal statute (18 USC 242) that will jam up any cop who fails to have probable cause/warrant to look at contents of communications stored in the device.

The whole thing reminds me of Cincinnati Microwave vs highway patrols and how traffic speed radars and Fuzzbuster detectors would leapfrog each other on a more or less annual basis. Agencies and drivers were constantly buying new equipment to keep ahead of the other's technology.

When I was in charge of CID...our guys used Cellebrite to crack phones all the time. If we ever ran into any issues, we could call a tech on the phone and he/she would help if we hit a road block. The calls, content and people we spoke with were also documented in case they needed to be subpoenaed.

We had no issues with using intel we pulled from phones being admissible in court or used to obtain search/arrest warrants (along with other information, not just stand alone).

Fu King Lawyer 26 November 2018 15:31

Quote:

Originally Posted by Zamir (Post 1058764514)
When I was in charge of CID...our guys used Cellebrite to crack phones all the time. If we ever ran into any issues, we could call a tech on the phone and he/she would help if we hit a road block. The calls, content and people we spoke with were also documented in case they needed to be subpoenaed.

We had no issues with using intel we pulled from phones being admissible in court or used to obtain search/arrest warrants (along with other information, not just stand alone).

Zamir, Along with a couple others, we bought and used their products/services, too and as you mention they were good. The issue above centers on the encryption as each new operating system is released and the fact that the companies have to figure out a way through each new encryption. The companies that do the cracking first have to find a way to break the encryption. Then there is sort of a "gap" after that happens before the companies are able to provide evidence that the image is the same as the device and prove it is reliable. Per the links above, it appears it was about 2 years before they were able to push out to agencies the program to crack iOS 8 and above. With both the San Diego terrorist and his wife dead, apparently in that case the FBI felt the intel so valuable that even if inadmissible, it was worth paying for the crack. That is all that I was commenting upon. v/r fkl

Sharky 26 November 2018 16:46

I used Cellebrite for years and know Jordan Jacobs well. Cellebrite and STRIKE used to be joined at the hip. Cellebrite works great on some phones and not so great on others. Celldek is another good platform.

Our issue was always time. We were working SSE on target mostly so if you couldn't get it fast you had to just go to the next one and let the JDEC play with it in the rear where time isn't an issue. Luckily, Hajji usually wasn't that security savvy most of the time.

just11b 26 November 2018 23:42

Someone would be pretty disappointed to crack/hack my phone, and or computer. It would be more of that persons life wasted, than mine was when I heard of a singer called post malone. So, hack/crack/track, IDGAF anymore.

Sharky 27 November 2018 10:01

Quote:

Originally Posted by just11b (Post 1058764747)
Someone would be pretty disappointed to crack/hack my phone, and or computer. It would be more of that persons life wasted, than mine was when I heard of a singer called post malone. So, hack/crack/track, IDGAF anymore.

It's not really something people do as a hobby.

Sado_1 27 November 2018 18:34

Quote:

Originally Posted by Fu King Lawyer (Post 1058764030)
Back in 2016 - we were still having trouble cracking into iPhone 8s and above. The "trouble" was more authenticating the data for later use in court, as opposed to getting into the device - but that was still very difficult.

I see now that Grayshift and Cellebrite are able to get in and the data gleaned is apparently reliable enough to use as trial evidence.

The retired FBI agent/attorney quoted for the article should remember that we have a federal criminal statute (18 USC 242) that will jam up any cop who fails to have probable cause/warrant to look at contents of communications stored in the device.

I work in investigations that require this process almost daily. Cellebrite is a bit outdated as a new software was launched in response to Apple's heightened security via their new devices (8 series and later) and after the 11.0 update which affected our ability to bypass passwords. There was some general panic for a few months on Apple-specific devices for this until a forensic software company aided us in a specific method used to bypass this feature they developed. But in sum, yes..... we are constantly battling keeping up with the ages. In law enforcement with regards to digital forensics and such, my struggle has never been search warrants or the validity of the information or data I have retrieved; rather, retrieving data from some of the so-called encrypted apps available now who claim to have no storage servers to retrieve said data..... certain apps make our lives nightmares while others featured to be secure for a user, are not. Right now, we do possess the technology to bypass codes and even facial recognition security measures with the 10 series and such. It just means that you will probably never get your phone back and your phone will be destroyed in the process but it is possible and in most cases, highly probable. In response to some of the legal aspects..... I would never enter any device unless I had the PC to do it.....
generally I have a search warrant to take the device and to inspect its contents initially, and then once I find some things I am looking for, I obtain a second search warrant for the forensic processes. I used to do one massive search warrant also referred to as a hybrid, which included verbiage for every possible process that could be necessary from start to finish, but many judges are now moving away from that and requiring often several for the same devices as we go along to protect themselves.

Fu King Lawyer 27 November 2018 20:11

"It just means that you will probably never get your phone back and your phone will be destroyed in the process"

Forgive me? When you know you are going to destroy a suspect's property during the execution of the Warrant, do you obtain a Court Order allowing you to do so? Just asking.....

Bakertaylor28 28 November 2018 00:02

None of this makes much of a difference in the first place- the warrant clause of the constitution is rather clearly established law at this point with respect to cell phones. Riley v. California, 573 U.S. __ (2014) was the first big case on the topic, with Carpenter v. United States, No. 16-402, 585 U.S. ____ (2018) being the last one. These cases rather have the implication that even if the police break into a phone without a warrant- they can't really use the data without having been caught doing it with a hefty 42 USC 1983 judgment to boot. That said, container encryption is a far easier bet than device encryption. Try hacking a .7z file for starters.

Silverbullet 28 November 2018 00:26

Dude, you're an annoying know it all.

Worse, you think we're unaware and need you to educate us.

Banned

Polypro 28 November 2018 08:42

Quote:

Originally Posted by Macka (Post 1058764399)
Or like my criminal mastermind from last summer who had two phones, one Apple, one Android. When we did a SW on his car and seized the phones (which were listed on the warrant) we discovered them both to be unlocked! Too easy.

Yup - criminals still got caught after gloves were invented
