What happens to your phone if you get arrested? Part 1: What is a UFED?
*Legal disclaimer: I am not a lawyer and this is not legal advice. I am an artist and designer; I am not claiming this is the whole truth or the only truth about this subject. The things I say here are based on my experience and research. Also, I am not advocating any of this information be used in the perpetration of a crime, and I am not instructing, soliciting or condoning the perpetration of a crime.*
Getting arrested throws a person into a world of uncertainty. The experience of being totally subjected to the power of the state is overwhelming and it can be hard to think clearly about anything when you are getting arrested. It’s certainly difficult to remember what your rights are and what careful steps you have to take to preserve them. Most people know not to talk to the police because it can be self-incriminating, but most people don’t think about the ways their smartphone can be even worse than a loud mouth. One step we can take to reduce harm is to think about mobile device security before anyone gets arrested, and implement protective measures as a regular part of our life.
So what is a UFED, and what does it have to do with getting arrested?
The short answer is that a UFED is an incredibly invasive tool which can crack your phone’s encryption and extract tons of data about you, your contacts, your online habits and your communications. UFED stands for universal forensic extraction device. It’s a product line made by Cellebrite, an Israeli tech company. There are multiple devices in the UFED line, including both hardware devices and software meant to be used on designated forensic analysis computers. The current UFED lineup includes the following products:
UFED Ultimate is the “industry standard” forensic extraction device according to Cellebrite. It’s a software-only version of the UFED meant to be used as an application on a designated computer for forensic analysis. UFED Ultimate can bypass pattern, password and PIN locks on most devices, extract logical, file system and physical data (including deleted data) and then reassemble that data into human-readable reports. Most major metropolitan police departments have purchased UFED Ultimate in the years between 2016 and 2020.
UFED 4PC is another software-only version, meant to be used as an application on a designated computer for forensic analysis. Most police stations in the US use this at a bare minimum if they don’t have devices.
The UFED Touch2 is a portable touch screen device, almost like a small tablet, which “enables comprehensive extraction capabilities anywhere, whether in the lab, a remote location, or in the field.” These kinds of portable options are often preferred because the sooner forensic images can be taken, the less chance there is that a person could have an associate of theirs remotely wipe their phone.
The UFED Touch2 Ruggedized is the same as the Touch2 but made to withstand harsher environmental conditions.
The UFED Ruggedized Panasonic Laptop is a pre-configured, UFED-specific laptop meant to expand the functions of the basic software and the Touch2 devices to give even more forensics options.
Beyond the basic UFED line listed above, Cellebrite also makes lots of more advanced options for departments and agencies willing to shell out a little more money:
UFED Cloud is a software suite which can extract both public and private domain information from online sources. It can rip and decrypt social media data, instant messaging, cloud file storage such as Google Drive and iCloud, and other web-based content. Cellebrite even goes as far as to say that one of the problems UFED Cloud aims to solve is service providers delaying meeting subpoena demands for private information. The implication here is that UFED Cloud is a workaround for those police and investigators who don’t want to wait for the bothersome legal processes of obtaining a warrant and a subpoena for a cloud provider their suspect is using.
Cellebrite Premium is add-on software which increases the UFED line’s power to crack encryption. Cellebrite Premium gives the user the option to crack all current devices running any version of iOS up to the latest one, all Samsung flagship devices and many other Android phones.
Cellebrite Responder is software intended for “police stations, correction facilities, border control checkpoint, or on-the-go” situations, according to Cellebrite. It’s likely the software used by ICE and CBP to make forensic copies of phones of people entering the US, even those who haven’t been arrested. This software is meant to be used in real-time, whereas UFEDs generally are used to generate a report which is reviewed later. The suggested use cases in Cellebrite’s product overview include quickly confirming if a person is a threat in a triage scenario, using their location data to see where a person has been before allowing them to cross a border, and using real-time information to confirm a person’s claims while they are being interrogated.
Cellebrite Macquisition is a tool intended to crack, extract data from and otherwise exploit Mac computers. Cellebrite says Macquisition “is the first and only solution to create physical decrypted images of Apple’s latest Mac computers utilizing the Apple T2 Chip.” Macquisition is basically a UFED streamlined just for Apple computers; it extracts files, email, chat, address book and other data. It can also extract data from RAM.
Cellebrite offers more products than just these, but these are their products which I think are most relevant to this discussion. Their suite of products together makes a formidable force. The UFED suite can crack the stock encryption of pretty much any of the most common phones. Cellebrite says they can crack any iPhone up to the 11, all Samsung flagship phones and most other Android phones. The only real solution I can see (which would maintain some degree of usability) is running a custom ROM on an Android phone with heavy encryption enabled and using ephemeral communications. Short of doing that, using encrypted ephemeral communications should provide some additional layer of protection. If you’re using Signal or a similar platform which allows the setting of a PIN for the app, I’d also recommend that you set an 8+ digit PIN which locks the app after one minute of inactivity. Make sure this PIN is different from your device PIN, and preferably not the same as any other PIN you use anywhere else.
So what data can they really get with these things, why should I care?
UFEDs can extract call logs, texts, app data, contacts, all account credentials that have been logged into on the phone, all Wi-Fi networks connected to by the phone, Bluetooth connection logs, voicemails, deleted messages and more. They also support data extraction from thousands of apps, meaning they can pull DMs, posts, history and other data from inside individual apps. All that data provides a lot of information a prosecutor could piece together to try to make a convincing case. This kind of data is often taken as objective truth, and that perception makes it easier to fabricate narratives with said data. In many cases there is only enough data to form conjecture, but that doesn’t stop a narrative from being built around extracted data.
This data can also be used to target people in your network. If one person is arrested at a protest, but they’ve been communicating with all the organizers of the protest via an insecure device with stock encryption, all the people they have talked to will likely get a door knock from LE. Your lack of security could mean trouble for the people you love; it’s all intertwined.
Additionally, if you have an iPhone and the UFED is unable to extract meaningful data from your phone itself, Cellebrite has also built in the capability to decrypt and decode iCloud data provided by Apple. iCloud backups include pretty much everything that would be found on your phone otherwise. Apple will turn over any data the police request, and their encryption guarantees mean nothing when LE has access to UFEDs.
Why does this matter if you don’t think you have anything incriminating on your phone?
1. You don’t know what is or is not incriminating. There are 30,000+ pages of federal law. The laws are always changing and we’re currently seeing active criminalization of protest, civil disobedience and dissent.
2. They can extract your contacts and social circle to investigate them as well. This could lead to your contacts being subject to door knocks, raids, detention and general harassment and intimidation by LE.
3. The data extracted from your phone could be used retroactively against you or the people you talk to on your phone.
Your privacy is intrinsically linked to everyone you interact with.
But… who really has these? Is there really a risk for me?
Yes, there really is. I couldn’t find any list of agencies that have UFED technology, so I did some research to find primary sources (mostly FOIA request documents). This is far from a complete list of US agencies with known UFED purchases; it’s just those that I could come up with in a few hours of research. I’ll probably add more to this list as I have time. Many of these original documents show purchases of between two and ten UFEDs in a single year alone. I think it’s safe to assume that if this many medium-sized metropolitan police departments have multiple UFEDs, probably pretty much every single local department in the US has them. Special thanks to journalists who submit FOIA requests for uncovering this data; agencies only disclose this kind of info if citizens submit requests, so we wouldn’t know about it otherwise!
Alameda County District Attorney's Office -
2017 https://assets.documentcloud.org/documents/4585459/Alameda-Co-DA-Cellebrite-Invoice-23Oct2017.pdf
Baltimore County Police Department -
2011 https://assets.documentcloud.org/documents/3767097/Cellebrite-PO-3476.pdf
California DOJ -
2014 https://assets.documentcloud.org/documents/6140261/9-PO-for-Cellebrite.pdf
2018 https://assets.documentcloud.org/documents/6318405/RFQ-18-021-UFED-Renewal-Ag.pdf
Charlotte-Mecklenburg Police Department -
2017 https://assets.documentcloud.org/documents/3760199/Invoice-3.pdf
Chicago Police Department -
2020 https://assets.documentcloud.org/documents/6705447/Cellebrite-Invoice-Records-redacted-pdf.pdf
Colorado State Police -
2014 https://assets.documentcloud.org/documents/3235500/Colorado-3.pdf
DEA -
2016 https://assets.documentcloud.org/documents/4425614/DEA-Cellebrite-Unlock-Service.pdf
Delaware State Police (Criminal Intelligence and Homeland Security Section) -
2016 https://assets.documentcloud.org/documents/4436209/20180323150442.pdf
Houston Police Department -
2013 https://assets.documentcloud.org/documents/3734174/PO4500175021-0-pdf.pdf
Iowa Department of Public Safety (Division of Criminal Investigation) -
2011 https://assets.documentcloud.org/documents/3235520/Iowa-5.pdf
Kansas City Police Department -
2013 https://assets.documentcloud.org/documents/3455364/Kansas-City-Police-Department-Correct.pdf
Maryland Department of State Police -
2016 https://assets.documentcloud.org/documents/3235530/Maryland-11.pdf
Mesa Police Department -
2012 https://assets.documentcloud.org/documents/3731599/Cellebrite-MFAC.pdf
Minneapolis Police Department -
2017 https://assets.documentcloud.org/documents/4114345/Cellbrite-3400-Redacted.pdf
Nebraska State Patrol -
2015 https://assets.documentcloud.org/documents/3881620/Cellebrite-Documents-pdf.pdf (page 58)
New Jersey State Police -
2015 https://assets.documentcloud.org/documents/3235599/New-Jersey-23.pdf
New Mexico Attorney General -
2016 https://assets.documentcloud.org/documents/4354940/20172012202620RECORDS20-20Inspection-pdf.pdf
New Mexico High Intensity Drug Trafficking Area - Las Cruces
2016 https://assets.documentcloud.org/documents/3528142/Record-Request-Response-from-Purchasing.pdf
North Carolina DPS (Division of Prisons Administration) -
2012 https://assets.documentcloud.org/documents/2918388/Cellebrite-1-Redacted.pdf
Oklahoma City Police Department -
2014 https://assets.documentcloud.org/documents/3881620/Cellebrite-Documents-pdf.pdf
Riverside County Sheriff's Department -- Annual budget of $75,000 for Cellebrite contracts and devices
2013 https://assets.documentcloud.org/documents/3881620/Cellebrite-Documents-pdf.pdf (page 43)
County of San Diego Sheriff's Department -
2013 https://assets.documentcloud.org/documents/3881620/Cellebrite-Documents-pdf.pdf (page 49)
-- Used in District Attorney's Office
-- Sheriff's Department Gang Task Forces
-- Regional Computer Forensic Laboratory
-- High Intensity Drug Trafficking Border Crime Suppression Team
San Antonio Police Department -
2015 https://assets.documentcloud.org/documents/3455436/San-Antonio-Police-Department.pdf
San Jose Police Department -
2015 https://www.documentcloud.org/documents/3688596-Davis4.html
San Leandro Police Department -
2014 https://assets.documentcloud.org/documents/2775219/SLPD-Cellebrite-Invoices-PO-53639-9Jul2014.pdf $14,082.99
Tucson Police Department -
2012 https://assets.documentcloud.org/documents/3455374/Tucson-Police-Department.pdf
2016 https://assets.documentcloud.org/documents/3731808/Cellebrite-license-renewal-Crime-Lab-2016.pdf
Washington State Patrol -
2016 https://assets.documentcloud.org/documents/3235759/Washington.pdf