Cell Phone Forensics: Powerful Tools Wielded By Federal Investigators


Cellular phone forensics company Cellebrite recently gained national notoriety for its rumored assistance in cracking the password of an iPhone related to the San Bernardino murders. What many practitioners don’t know is that the FBI, DOJ and the SEC have been using Cellebrite’s forensic cell-phone cracking tools for years. While the use of its products to get past passcodes might have garnered more public acclaim, one of the other less well known features is its ability to speedily uncover information that might have been previously unrecoverable, including deleted data and text messages.

A. The Text Of Texts Is Often Only Available On The Device Itself

Cellular service providers retain records of the parties to a text message and the date and time it was sent. They do not, however, retain the content of text messages for very long, if at all.

In 2010, the American Civil Liberties Union (“ACLU”) served a Freedom of Information Act (“FOIA”) request on the Department of Justice seeking an internal memorandum regarding the data retention plans of major cellular service providers. The memorandum contained information from the six largest cell phone carriers in the United States: Verizon, T-Mobile, AT&T/Cingular, Sprint, Nextel and Virgin Mobile. All of the providers retained records of the date and time of the text message and the parties to the message for periods ranging from sixty days to seven years.

However, the majority of cellular service providers do not save the content of text messages at all. As of 2010, Verizon Wireless saved text message content for three to five days, while Virgin Mobile retained text message content for ninety days but stated that it would only disclose that content if law enforcement had a search warrant containing a “text of text” request. As recently as November 25, 2015, T-Mobile’s privacy policy indicated that it retained “calls and text messages you send and receive (but we do not retain the content of those calls or messages after delivery).” Nathan Freitas, a fellow at the Berkman Center for Internet and Society at Harvard University, explained that the carrier may have “details of whom [was] texted and when” but “the actual text is what is really hard to get, if not impossible” from the carrier. The Boston Globe reported that carriers, including the four biggest in the country (AT&T, Verizon, T-Mobile and Sprint), have publicly confirmed that they delete their copies of messages after delivering them.

Legislators have resisted attempts to force retention of content. Indeed, various law enforcement groups, including the Major Cities Chiefs Police Association, the National District Attorneys Association, the National Sheriffs’ Association, and the Association of State Criminal Investigative Agencies, asked the U.S. Senate to force cellular service providers to retain the substance of text messages for at least two years. The proponents sought an amendment to the Electronic Communications Privacy Act of 1986 to require service providers to retain the substance of text messages. On March 19, 2013, a House subcommittee held a hearing on this issue. A proponent of increased text message retention, Richard Littlehale of the Tennessee Bureau of Investigation, explained:

“most cellular service providers do not retain stored text messages accessible to law enforcement for any time at all. Billions of texts are sent every day, and some surely contain key evidence about criminal activity. In some cases, this means that critical evidence is lost. I am well aware that retention means a cost for service providers. I would urge Congress to find a balance that is not overly burdensome to service providers, but that ensures that law enforcement can obtain access to critical evidence with appropriate legal process for at least some period of time.”

No such bill was passed and presently there is no law explicitly requiring cellular providers to store the substance of their customers’ text messages. However, the text of texts that have been deleted outside of cellular service providers’ retention schedules can still be recovered from one place: the device itself.

B. When Is A Text Message Actually Deleted?

Many experts respond with the answer: almost never. Most phones use “flash memory,” which only actually deletes a deleted SMS message when the rest of the device’s data space has been exhausted by new information. Paul Luehr, a former federal prosecutor and former supervisor of the internet fraud program at the Federal Trade Commission, has explained that “[d]eleted text messages just sit there until they’re overwritten” and “most phone systems operate on a database, and so the data may still be there marked with a flag that says deleted.” Luehr also reiterated the point that in most circumstances, in order to recover deleted text messages, “you really need to have access to one or more physical devices.”

Cybersecurity expert John J. Carney has opined that simply deleting a text message only hides it from plain sight but “it’s still in there, it’s simply marked as ‘erased’ . . . it’s possible to go in there and collect them.” Moreover, Carney’s interview indicated that, in light of this emerging cell phone forensics technology, “many common methods for intentionally destroying phones do not make text messages and other data irretrievable.” “For example, shattering a device’s screen, breaking its charging ports or on-off switches, crushing it under weight, or submerging it in water are unlikely to wipe out the memory.”
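The mechanism this section describes can be seen directly in a message store: handset messaging apps commonly keep their messages in SQLite databases, and a DELETE there only unlinks the row, leaving its bytes in the page’s free space until they are reused or the file is rebuilt. The example below was written for this article (it is not code from the author, Cellebrite, or any handset) and uses a constructed, simplified table and invented messages; it contrasts what the phone’s own interface shows with what a byte-level read of the file still contains, and shows the two settings (secure_delete and VACUUM) under which the text really does disappear.

```python
import os
import sqlite3
import tempfile

MESSAGES = [  # constructed sample data; the middle message is the one "deleted"
    ("+15550100", 1438387200, "running late, start without me"),
    ("+15550199", 1438387260, "ALIBI-TEXT we were at the diner all night"),
    ("+15550100", 1438387320, "ok see you at 9"),
]
DELETED_BODY = MESSAGES[1][2]
MARKER = "ALIBI-TEXT"  # substring a byte-level search of the file looks for

def build_store(path, secure_delete=False):
    """Create a small SMS-style SQLite store (invented schema), then delete the middle row.
    secure_delete=False is what the article describes; True makes SQLite zero freed bytes."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, address TEXT, "
                "date INTEGER, body TEXT)")
    con.executemany("INSERT INTO sms (address, date, body) VALUES (?, ?, ?)",
                    MESSAGES)
    con.commit()
    con.execute("DELETE FROM sms WHERE body = ?", (DELETED_BODY,))
    con.commit()
    con.close()

def live_rows(path):
    """What the handset UI or a logical extraction shows: live rows only."""
    con = sqlite3.connect(path)
    bodies = [r[0] for r in con.execute("SELECT body FROM sms ORDER BY id")]
    con.close()
    return bodies

def raw_contains(path, text):
    """What a physical extraction sees: the raw file bytes, SQLite's index ignored."""
    with open(path, "rb") as f:
        return text.encode("utf-8") in f.read()

def demo():
    """Return the observations for each state as a dict of booleans."""
    d = tempfile.mkdtemp()
    plain, secure = os.path.join(d, "sms.db"), os.path.join(d, "sms_sd.db")
    build_store(plain, secure_delete=False)
    build_store(secure, secure_delete=True)
    out = {
        "ui_shows_deleted": DELETED_BODY in live_rows(plain),     # False
        "raw_after_delete": raw_contains(plain, MARKER),          # True
        "raw_after_secure_delete": raw_contains(secure, MARKER),  # False
    }
    con = sqlite3.connect(plain)
    con.execute("VACUUM")  # rebuild the file without its free space
    con.close()
    out["raw_after_vacuum"] = raw_contains(plain, MARKER)         # False
    return out
```

Only the main database file is examined here; a rollback journal, a WAL file, or the storage medium’s own unallocated space are further places where the same bytes can linger.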

C. Cellebrite’s UFED Device Can Recover Deleted Text Messages

According to computer forensics expert and technology professor Bradley Schatz, most cell phones are “set up to avoid indiscriminately overwriting data, so if you have a lot of spare space on the drive inside your phone, which you will do on a large iPhone, then the device will use that before it writes over or erases previously used space and deleted messages.” As most practitioners generally know, when a user deletes a text message, it is almost always recoverable through the forensic process. That is one key reason why federal investigators and litigants have been asking for the physical cellular phones of targets, witnesses and counterparties. A former Chief of the SEC’s Internet Enforcement office stated: “[t]he key to just about every important SEC investigation nowadays lies in the data that the Staff finds . . . occasionally you have wiretaps or a whistleblower, but generally, the critical smoking gun resides on some device as a byte of data.” Critical for the purpose of electronic data recovery and harvesting, Cellebrite’s principal product, the Universal Forensic Extraction Device (“UFED”), has the ability to recover deleted text messages from cellular phone devices.

Cellebrite’s main offices are located in Tel Aviv, Israel, and it is a wholly owned subsidiary of the Sun Corporation, a public Japanese company. According to Cellebrite, its UFED Series is the prime choice of forensic specialists in law enforcement, military, intelligence, and corporate security and eDiscovery agencies in more than 100 countries. The Cellebrite website describes the UFED as a product that “enables physical, file system, and logical extractions of all data and passwords, included deleted data, from the widest range of mobile devices.” Further, a number of testimonial videos explain how law enforcement has been using the UFED during the course of investigations.

  • One Canadian law enforcement agent described the use of the UFED in a homicide investigation: “one of the cases that comes to mind was being able to recover deleted messages off of a phone that was deleted intentionally by the suspect . . . we recovered not only pictures that were critical to the investigation as well as a week’s worth of text messages that were critical to a serious homicide investigation.”
  • A detective from Wisconsin reported “the most recent one probably may be a shaken baby case where the suspect ran over his iPhone to try to destroy evidence on the phone we were able to do some physical repair on the phone itself and then use the UFED physical to recover data from the phone and recovered some deleted text messages directly related to the crime.”
  • A detective on the Sacramento Valley High Tech Crimes Force explained “everybody wants deleted data, and it’s mostly deleted text messages so I have worked very closely with Cellebrite to have them provide deleted data for us. That was a big thing getting physical data, because that’s what everybody wants, everybody wants the deleted data, we do homicide cases, child pornography [cases], fraud cases, when you’re dealing with high profile cases they want all the data including the deleted stuff.” He further described a homicide investigation where the police discovered a soaking wet iPhone, with a shattered screen, that had been buried and was underground for at least two weeks. When he looked through the phone himself, he found ten text messages and about twenty voicemails. When he used the UFED he recovered 80,000 text messages and about 20,000 voicemails. “The text messages had the two guys texting each other about the alibi that they were going to tell the police if they got caught.”

In addition to the testimonials, Cellebrite has posted numerous videos online which display the UFED’s ability to disable cell phone passcodes and extract the phone’s data.[1]

According to a study published by the New Jersey Law Journal, the UFED was able to “check a phone for deleted text messages, email, [and] voice mails.” “UFED extracts relevant information from Skype, Google Voice and even Words With Friends, which has a built-in chat client.” “We’ve had so many cases where people were using [Words With Friends] to communicate, thinking it doesn’t leave a trace, but UFED does a really good job of parsing out and making viewable the different data types that these apps store.” Moreover, the device allows the user to pinpoint only those communications between certain parties.

In a case involving the use of the Cellebrite by a Homeland Security agent, a Federal District Court wrote that the agent “examined [defendant’s] cell phone using CelleBrite software, which extracted all data (including deleted data) from the phone.” United States v. Smasal, No. 15-cr-85, 2015 WL 4622246, at *4 (D. Minn. June 19, 2015). “That process took approximately ten to fifteen minutes . . .” Id. The Seventh Circuit explained that by using the UFED it is “possible to ‘mirror’ (copy) the entire cell phone contents, to preserve them should the phone be remotely wiped.” United States v. Flores-Lopez, 670 F.3d 803, 809 (7th Cir. 2012) (citing the Cellebrite website).[2] In order to complete a copy, the cell phone has to be directly plugged into the UFED. The UFED then creates a forensic copy of all of the phone’s information. It produces a comprehensive report that categorizes the information and makes it relatively easy to understand.

The UFED can also recover deleted Blackberry Messenger (“BBM”) messages, a text messaging application exclusive to Blackberry devices. This ability is critical for investigators because, according to Blackberry Support, “[t]he Blackberry Messenger database does not keep permanent records of conversations between Blackberry Messenger users.” “The conversation contents are kept only as long as the conversation is open.” Because of the limited information retained with respect to BBMs, they are a communication medium of choice for some criminal organizations. Business Wire reports that “organized criminals in particular have relied on encrypted BBM communications to ‘hide’ their activities from the police,” and CNN referred to an Italian crime group, the ‘Ndrangheta, which was reported to have communicated overseas with the Gulf Cartel, a Mexican drug cartel, using BBMs because they are normally difficult to intercept. BBMs have previously been used to hide conversations, but now the UFED can recover this data.


D. The SEC And Other Federal Investigators Have Been Using Cellebrite’s Technology For Years

Since September 27, 2012, the SEC has been contracting with Cellebrite for its UFED “Ruggedized System.” In 2014, the SEC gave notice of its intention to sole source the UFED with software updates for two option years. The SEC justifies these sole source contracts by explaining that the UFED device can extract a wealth of information from 95% of cell phones with a specialty in extracting deleted information.

The Federal Bureau of Investigation (“FBI”) contracted with Cellebrite for the UFED in 2009, 2012 (there were two contracts in 2012), 2013, 2014, 2015 and 2016. Similarly, the Drug Enforcement Agency purchased Cellebrite tools in 2015 and requested additional devices and training in 2016. Other federal authorities, including the Department of Homeland Security, Army, Navy and Secret Service, have also contracted with Cellebrite. In addition, as of July 28, 2015, Cellebrite’s UFED products and applications have been made “available to federal government agencies under NASA’s Solutions for Enterprise-Wide Procurement contract and National Institutes of Health CIO-Commodities Solutions,” which allows federal law enforcement agencies to “streamline procurement of Cellebrite’s UFED mobile forensics solutions” without going through the ordinary (and often time-intensive) bidding and procurement process.

Shortly after the SEC’s first contract with Cellebrite, on January 13, 2013, the SEC allowed CNBC into its crime lab and put its cell phone forensics technology on display. According to CNBC, “if the SEC shows up with a subpoena asking for your hard drive and your cell phone records you should know that using passcodes and even deleting those files won’t protect your information.” Adam Storch, the COO of the SEC’s Enforcement Division, took CNBC through its “cell phone room” and explained that they were able to recover data from a cell phone that was purposely disfigured. Also, the SEC typically places the cell phones it acquires in metal boxes that block all outside signals from reaching them, “because if we turn the device on and it’s able to access outside signals somebody could be able to remotely delete files from it, remotely wipe the device, emails or messages could start being sent in and out and what we really aim to do is to maintain the security and integrity of the information the way that we received it initially.” Scott Friestad, the associate director of the SEC’s enforcement division, has revealed that the SEC’s new forensics facility focuses on recovering deleted evidence, which has been particularly helpful in insider trading investigations to find communications between tippers and tippees.

The Second Circuit has upheld Cellebrite-related testimony from an FBI Special Agent who “explained his training in the use of Cellebrite technology to retrieve text messages and other data from a cellular phone; described how he used Cellebrite to do so in this case; and testified that he confirmed the results by checking the messages on the phone itself.” United States v. Marsh, 568 F. App’x 15, 17 (2d Cir. 2014), cert. denied, 135 S. Ct. 111 (2014) (affirming conviction). Reported case law indicates widespread use of Cellebrite tools by various federal agencies as well as state and local police departments.[3]

E. Conclusion

As it turns out, Cellebrite’s so-called “new” space-age devices rumored to have been used in the San Bernardino case have actually been utilized by law enforcement for years. It is important for practitioners to inform their clients as to the sort of information, including previously “deleted” information, that can be recovered from their cellular phones.


[1] https://www.youtube.com/watch?v=odcFWueoaeA (Galaxy); https://www.youtube.com/watch?v=q-L4T2C9xxA (Samsung Android); https://www.youtube.com/watch?v=YE_uSkFsSyg (HTC); https://www.youtube.com/watch?v=AUgmnYChT48 (iOS).

As new phones are released and new phone security applications are created, Cellebrite will have to continue to adapt its product. It is possible that there are certain passcode protections on operating systems that the UFED is not yet able to crack.

[2] A remote “wipe” or “factory reset” occurs when a user remotely deletes information and reverts the cell phone back to its original state, as if it were to be resold.

[3] See, e.g., United States v. Reilly, No. 14-cr-146, 2015 WL 4429415 (N.D. Ga. July 20, 2015) (FBI); United States v. Djibo, No. 15-cr-88, 2015 WL 9274916 (E.D.N.Y. Dec. 16, 2014) (United States Department of Homeland Security, Homeland Security Investigations); United States v. Smasal, No. 15-cr-85, 2015 WL 4622246 (D. Minn. June 19, 2015) (same); United States v. Martinez, No. 13-cr-3560, 2014 WL 3671271 (S.D. Cal. July 22, 2014) (same); United States v. Nyun, No. 12-cr-40017, 2013 WL 1339713 (D.S.D. Mar. 7, 2013) (same); United States v. Clinton, No. 12-cr-40018, 2012 WL 5185746 (D.S.D. Oct. 17, 2012) (same); United States v. Mayo, No. 2:13-cr-48, 2013 WL 5945802 (D. Vt. Nov. 6, 2013) (DEA); United States v. Dixon, No. 12-cr-205, 2013 WL 4718934 (N.D. Ga. Sep. 3, 2013) (Bureau of Alcohol, Tobacco and Firearms); United States v. Tienter, No. NMCCA-201400205, 2014 WL 4716290 (N-M. Ct. Crim. App. Sep. 23, 2014) (United States Marine Corp., Criminal Investigation Division); United States v. Garden, No. 4:14-cr-3072, 2015 WL 6039174 (D. Neb. June 29, 2015) (Nebraska State Patrol); United States v. Winn, 79 F. Supp. 3d 904 (S.D. Ill. 2015) (St. Clair County Sheriff’s Department); United States v. Zaaverda, No. 12-cr-156, 2013 WL 6438981 (N.D. Okl. 2013) (Oklahoma City Police); Foster v. State, No. 05-14-cr-01186, 2015 WL 8039901 (Tex. Crim. App. Dec. 7, 2015) (Collin County Sheriff’s Office); In re D.H., No. A140779, 2015 WL 514336 (Cal. Ct. App. Feb. 6, 2015) (San Francisco Police); Washington v. State, No. 2-13-00526-cr, 2015 WL 505172, at *2 (Tex. Crim. App. June 17, 2015) (Lewisville Police Department); State v. Pratt, 128 A.3d 883 (Sup. Ct. Vt. 2015) (Vermont police officers; noting that “[a] handful of courts have considered testimony regarding the use of the Cellebrite software and have ruled the testimony admissible.”); People v. Smith, 2015 WL 5224708 (Cal. Ct. App. Sep. 4, 2015) (California police officers).


*Joseph Evans is an Associate at Gage Spencer & Fleming LLP


Fordham Journal of Corporate & Financial Law