Age of the Tele-Rat: Trayvon Martin's Missing Cell Phone Data
I think the biggest revelation is about Trayvon Martin’s cell phone and its mysteriously missing data. Even if you have no interest in the George Zimmerman case, you should read this to see the extent to which information stored in your phone can be retrieved and handed to law enforcement (or to anyone else who gets their hands on your phone and wants to know what’s on it). It's a new dawn in the age of the Tele-Rat.
According to the Motion to Continue, the state told O’Mara that when Trayvon’s phone was recovered, the phone was wet and inoperable. On August 8, at a joint meeting, O’Mara asked if a charger could be used to restart it. FDLE analyst Steven Brenton came in and charged up the phone. When the screen came up, it said the phone was “locked out,” meaning someone had tried to unlock it more than the maximum permitted times with the wrong password. Brenton then disclosed he had performed an analysis of the phone, but was only able to access the SIM card and SD card, not the internal memory. (Eventually, O’Mara received some of the material Brenton had downloaded from the phone and Brenton's report.)
Sometime after that, someone at the state attorney’s office shipped Trayvon's phone to a law enforcement agency in California for analysis. That agency was "seemingly able" to access the internal memory. The state refuses to give the defense any information as to who at the state attorney’s office decided to do this, the name of the agency the phone was sent to, the identity of the analyst who obtained the data, or the results obtained.
After the unnamed agency returned the phone, during the first week of January 2013, the state sent it to Cellebrite in New Jersey for analysis. Cellebrite also was able to access the internal memory, and the state provided the defense with the results on January 18. The defense says Cellebrite obtained an "enormous" amount of information from the internal memory. But guess what's missing? All data for February 26, the day/evening of the shooting.
As illustrative example, while the analysis includes GPS locating records for Mr. Martin's phone for all of the time that he was in the Sanford area, specifically absent is any such data for February 26, 2012, the date of the event. Similarly, there seems to be missing entries regarding phone calls or texts made to or from the phone in the evening hours of February 26, 2012. (My emphasis.)
Obviously, the defense wants an explanation for the missing data, and the results of the analysis from the unnamed California law enforcement agency that first accessed the phone's internal memory.
I think it’s fair to ask whether there is a legitimate explanation for Cellebrite's ability to provide GPS and other data stored on the phone for every day Trayvon Martin was in Sanford except Feb. 26, the day of the shooting. Why did only the data for Feb. 26 go down the rabbit hole? Was the data for Feb. 26 intentionally removed by the California law enforcement agency, and if so, at whose request? Or is there some innocent technological reason?
Here’s what I’ve learned in the last 24 hours from material available on Cellebrite’s website. The Cellebrite UFED Touch Ultimate provides both physical extraction and logical extraction services. Many more phones support logical extraction than physical extraction. These are the descriptions provided for each:
1. Physical Extraction- For devices supported in this category, the Cellebrite UFED Touch Ultimate will use advanced methods to extract a physical image of the flash memory or address range of a device, including unallocated space. Unlike conventional logical extraction processes, the physical extraction method bypasses the phone’s operating system, acquiring the data directly from the phone’s internal flash memory. Unallocated space may contain access to deleted items such as SMS, Call logs, Phonebook entries, Pictures, and Video. Support for data types automatically decoded are marked for each device.
2. File System Extraction- For devices supported in this category, the Cellebrite UFED Touch Ultimate will extract the logical file system as a directory structure, which does not include unallocated space and decoding for deleted files. Extracting the file system is an alternative way to get data from phones, including phone models that are not currently supported with physical extraction. UFED Touch Ultimate provides access, and extracts hidden files and databases inaccessible by other file system acquisition tools. From the extracted file system you can get many different types of application files that can be decoded and then searched for information, such as the Contacts or SMS database files. File system extraction can also be used to locate content types such as SMS and Call Logs not yet supported by the normal UFED “extract from phone” option.
** Important note- Many other mobile forensic tools are incorrectly referring to a File System extraction (Logical extraction process) as a true Physical extraction (Physical extraction process). The Cellebrite Ultimate designations for Physical and File System capability are based on the technically accurate descriptions above.
3. Password Extraction- For devices supported in this category, user lock codes are able to be directly extracted and displayed on the UFED device itself, using the “Extract Password” selection in the menu. No PC is required for analysis or decoding, the passcode will be displayed directly on the UFED LCD display.
4. File System Reconstruction
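To make the physical-versus-file-system distinction in Cellebrite's descriptions concrete, here is a small experiment I put together (my own code, not Cellebrite's, using a made-up SMS table that stands in for a handset's messaging database). A file-system or logical extraction sees only the rows the database engine still reports; a physical image of the flash also carries whatever bytes were left behind in freed space, which is how a "deleted" text can still turn up. The `secure_delete` pragma shows the flip side: once the storage layer overwrites freed space, even a physical image has nothing to recover.

```python
import os
import sqlite3
import tempfile

# Constructed sample messages standing in for a phone's SMS store.
KEPT_MSG = "kept: on my way back from the store"
DELETED_MSG = "deleted: call you when I get home"


def build_and_delete(path, secure_delete):
    """Create a tiny sms table, delete one row, and commit the result to disk."""
    conn = sqlite3.connect(path)
    # secure_delete=ON makes SQLite zero freed cell space; OFF leaves the old bytes in place.
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    conn.execute("INSERT INTO sms VALUES (1, '+15550000001', ?)", (KEPT_MSG,))
    conn.execute("INSERT INTO sms VALUES (2, '+15550000002', ?)", (DELETED_MSG,))
    conn.commit()
    # Row-level delete (not a whole-table truncate) so the cell is simply freed.
    conn.execute("DELETE FROM sms WHERE id = 2")
    conn.commit()
    conn.close()


def logical_view(path):
    """What a file-system/logical extraction sees: the live rows the engine returns."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT body FROM sms ORDER BY id")]
    conn.close()
    return rows


def physical_view_contains(path, needle):
    """What a physical (raw image) extraction sees: bytes still sitting in freed space."""
    with open(path, "rb") as f:
        return needle.encode() in f.read()


def compare(secure_delete):
    """Return (live rows, whether the deleted body is still present in the raw file)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "mmssms.db")  # hypothetical file name
        build_and_delete(path, secure_delete)
        return logical_view(path), physical_view_contains(path, DELETED_MSG)


if __name__ == "__main__":
    for mode in (False, True):
        live, carved = compare(mode)
        print("secure_delete=%s live_rows=%s deleted_body_in_raw_image=%s" % (mode, live, carved))
```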
In addition to these extraction capabilities, Cellebrite offers analysis applications. One of the applications available with UFED Ultimate (both the Touch and Classic versions) is the Physical Analyzer.
UFED Physical Analyzer
Available with the UFED Touch Ultimate and UFED Classic Ultimate is the UFED Physical Analyzer: the most advanced analysis, decoding and reporting application in the mobile forensic industry. It includes malware detection, enhanced decoding and reporting functions, project analytics, timeline graph, exporting data capabilities and much more.
Physical Analyzer will reconstruct the device’s file system directory structure from a physical extraction or extracted container file. The file system tree can then be saved, producing the actual files (for example phone database files, settings files, MMS files) contained in the phone.
With respect to Android phones, the analyzer provides “advanced decoding of all physical extractions performed on devices running any Android versions and advanced decoding of applications and application files.”
The key phrase of distinction seems to be “devices supported in this category.” What features are supported on Trayvon’s phone, a Huawei U8150 Ideos Android phone, sold by T-Mobile as the T-Mobile Comet, or for that matter, your phone?
According to Cellebrite’s December 2012 release notes, its UFED logical extraction already supported 4,827 mobile devices. Newly added: 363 devices for UFED Physical extraction (one of which is the Huawei U8150 (Android)); 249 new devices for UFED File System extraction (including the Huawei 8150 (Android)); and 186 new devices that support Password Extraction (none of which is the Huawei 8150 (Android)).
Cellebrite provides a handy Excel spreadsheet (downloadable here) of supported phones for each program, along with a table of the accessible types of data for each supported phone.
The UFED Ultimate features available for the Huawei 8150 (Android) are (by spreadsheet column letter and feature):
- C: Physical extraction
- E: File system extraction
- L: File system reconstruction
- M: SMS
- N: Contacts
- O: Call log
- P: MMS
- Q: Bluetooth
- R: Location
- S: Notes
- T: Bookmarks
- U: Email
- V: Accounts
- W: Cookies
- X: Dictionary
- Y: Viber
- Z: Facebook
- AA: Facebook Messenger
- AB: WhatsApp
- AC: Google Plus
- AD: Skype
- AE: Google Talk
- AF: Twitter
- AG: Ping Chat
- AH: Gesture Decoding
Not Available for this phone:
- D: physical bypassing lock
- F: Password extract
- G: Platform
Also not available for this phone (from the logical extraction process, listed under T-Mobile Comet):
- AI: Calendar
- AJ: BBM
- AK: Tasks
- AL: Chat
- AM: Passwords
- AN: Web History
- AO: MotionX
- AP: Voicemail
- AQ: Application Usage
- AR: Wifi
- AS: Installed Applications
- AT: Garmin
- AU: TextNow
- AV: Tiger Text
- AW: Fring
- AX: Twitterrific
- AY: TextFree
- AZ: Yahoo Messenger
- BA: FourSquare
- BB: Ping Chat
- BC: Waze
- BD: Dropbox
- BE: UserCode
If you haven’t already thrown your phone out the window at this point, you might want to check the spreadsheet and see what information Tele-Rat is able to provide law enforcement without your knowledge or consent about what's stored on your phone. For example, for devices running iOS like iPhones and iPads, the Physical Analyzer can:
- Bypass simple and complex passcode while performing physical and file system extraction on selected devices running iOS 3.0 or higher including iOS 6
- Real-time decryption and decoding of data, applications, and keychain real-time decryption while revealing user passwords
- Advanced decoding of applications
The full feature list is here. (According to the spreadsheet, the physical bypassing lock works on the iPhone up to model 4 and on iPad 1, and the password reveal works on the iPhone up to model 3 and the iPad 1.) To find out whether your phone supports the physical bypassing lock and password extraction, find your phone in the spreadsheet and look at columns D and F to see whether they contain a "Y".
I have a question for any tech gurus (or cops) reading this. What happens if the phone user doesn’t program the phone to back up or store data? Does the phone automatically back up and internally store data at specific intervals? For example, is it possible that Trayvon didn’t program his phone for backups, but the phone automatically backs up once a day, and that when his phone went dead on Feb. 26, it hadn’t yet backed up that day’s data, so that the activity for Feb. 26 was never saved, and thus was lost or unrecoverable by Cellebrite, while the previous days’ data which had been backed up was accessible? In other words, is it possible that Cellebrite can reclaim stored and deleted data, but not data that was never saved to begin with?
Also, what if FDLE Analyst Brenton, who first accessed the phone, did a soft reset when he was trying to access the data on the internal memory without the password or security code? Would that result in non-backed up data being lost while the previous days’ backed up data was retained? (Supposedly, only a hard reset would have erased all data.)
Shorter version: Is there a reasonable and innocent explanation why only the data for Feb. 26 would be missing or unrecoverable from the internal memory of Trayvon Martin’s phone, given that Cellebrite was able to extract the data for the other five days he was in Sanford?
I’m looking forward to reading the state’s response to Mark O'Mara's motion. And finding a phone that is Tele-Rat proof.