At least one law enforcement agency in India — Delhi Police — has the tools to extract data from locked smartphones, including iPhones. However, the effectiveness and success rate of such tools remains under question.
There has been ample reportage about how American law enforcement agencies break into smartphones, especially iPhones, but the capabilities of their Indian counterparts have remained shrouded in mystery. The intrigue intensified after revelations that controversial Israeli cybersecurity firm NSO Group’s spyware was used to target at least 121 Indian citizens.
Tools available to the Delhi Police include those of Israeli cybersecurity company Cellebrite, such as UFED (Universal Forensic Extraction Device) Ultimate and Physical Analyzer, which were famously used by FTI Consulting to suggest that Saudi Arabian Crown Prince Mohammed Bin Salman had hacked into Jeff Bezos’s iPhone X. The same company was rumoured to have helped the FBI break into the iPhone of a San Bernardino shooter, but this was refuted by the Washington Post and the Intercept.
Other tools available to the Delhi Police include Swedish firm MicroSystemation AB’s (MSAB) XRY tool, Russian firm Oxygen Forensics’ Detective, and Czech firm Compelson Labs’ MOBILEdit. These tools are capable of extracting data from locked and unlocked smartphones — usually both Android and iPhones — with varying degrees of success.
“All the forensic tools through which data can be extracted, they are available,” Anyesh Roy, the deputy commissioner of police who heads Delhi Police’s Cyber Crime Cell unit, told MediaNama. The need for this data extraction process is determined by the need of the investigation, what type of data the investigating officer is looking for, and how much data can be extracted from the device, he said. MediaNama saw these tools during our tour of the facility.
All these tools are housed in the National Cyber Forensic Laboratory (NCFL) in Dwarka, one of the four verticals of the Home Ministry’s Indian Cyber Crime Coordination Centre (I4C); it was created by upgrading the Delhi Police’s Cyber Lab of Economic Offences. Meant to help with cyber forensics across India, the NCFL is managed by the Delhi Police’s cybercrime unit, the Cyber Prevention, Awareness and Detection (CyPAD) Centre.
Delhi Police can access data from locked phones, with limited success
Despite Apple’s famous refusal to build a backdoor to its iPhones at the behest of the FBI, data extraction tools like Cellebrite’s UFED enable law enforcement agencies to break into locked iPhones without the manufacturer’s assistance. For instance, within three weeks of the launch of iOS 14, Cellebrite had announced data extraction support for the latest operating system.
These data extraction tools, especially Cellebrite’s UFED, can extract current data, and to some extent deleted data, from both locked and unlocked devices. The Cellebrite UFED at the NCFL supports 35,000 phone models and also allows investigators to extract drone footage. For confidentiality reasons, MediaNama was not shown extracted data or the extraction process, but we were shown the main UFED console, which lets investigators select the phone model they need to extract data from. MSAB claims that XRY can extract data from iOS 14 and KaiOS devices in addition to its usual extraction support. Apart from the Delhi Police, investigating agencies across the world rely on MSAB’s and Cellebrite’s mobile data extraction tools (read Upturn’s report on the use of such tools by American agencies).
Investigators choose the tool on the basis of the data they are looking for. For instance, if they want call logs from a password-protected iPhone, they would use Cellebrite UFED. In case they want some data from cloud storage, they would use Cellebrite UFED Cloud.
While Cellebrite claims on its website that it can bypass locks on iPhones, Roy warily told MediaNama that the success rate of these tools is pretty low. “Locked devices put a great restriction on us,” he said. “We are not actually aware of what all capabilities that [the software tools] have but for us, it is a big challenge to actually get data from devices,” Roy said.
This holds true for both iOS and Android devices. Most of these tools are software, but the NCFL also has Cellebrite’s Physical Analyzer, a small grey tablet that can be taken into the field. Once a phone is connected to it, the Physical Analyzer exports all data to the attached pen drive.
On whether Cellebrite UFED — which is used at CyPAD — can indeed break into locked iPhones, Roy said, “UFED can’t. They claim to provide services which you talked about which FBI probably sought, I don’t know what is the credibility of that information, that UFED provides.” Rahul Mehra, the standing counsel for Delhi Police, in a separate conversation, also told us, “[T]here are tools in the FSL which can actually unlock a particular device. Probably the only one where [they] are facing difficulty is Apple. Other than those, I think all other devices can be easily opened up.”
“They [companies] will claim we will break into everything and anything but the reality is not like that. The chipset and their versions [and the operating system] determine the success rate,” Prasad Patibandla, cybercrime and digital intelligence analyst, who has worked in the Maharashtra Cyber in the past, told MediaNama. When it comes to creating “tokens” to carry out data extractions, the data extraction tools must be capable of going under the operating system “to the kernel, to the shell level”, down to the chipset itself and reading the data from the physical chip. “For instance, some time, the chipset is old but the OS has been upgraded so the tools may not be able to support it in terms of getting the data,” he said.
Mobile extraction tools like Cellebrite’s and MSAB’s can get into some locked iPhones, but the success rate depends on the combination of model, operating system and underlying chipset. Most of them rely on publicly known exploits. For instance, recent versions of UFED and XRY use the checkm8 exploit to extract data from iPhones. checkm8 is a flaw in the read-only BootROM of Apple’s A5 to A11 chips (the iPhone 4S up to the iPhone X), so it cannot be patched by an iOS update, but it also does not exist on later chips; and it does not, on its own, recover the passcode or the file-encryption keys that the Secure Enclave derives from it. That is one reason the chipset and the lock state of the device, not just the software version, determine what can be extracted.
Makarand Wagh, the founder and managing director of Macans Cyber Clinic, a Mumbai-based cybersecurity firm, agreed that this was the case but said that the success rate of Cellebrite’s tools, at least, is pretty high. Once they can break into a device, they can then get data from it, he told us.
Despite repeated queries to Cellebrite and personal acknowledgement of receipt of queries, we did not get a response from them about their success rates. We also reached out to MSAB, Oxygen Forensics and Compelson Labs but did not get a response.
What is the CyPAD capable of?
Cloud forensics: While Roy said that CyPAD doesn’t have tools that can be used remotely (think: Pegasus), it is building its cloud forensics capabilities to extract data from cloud backups. It already uses Cellebrite’s cloud extraction tool to that end. Any cloud related information that is extracted from phones is routed to this tool but the tool yields very limited results, as per the NCFL.
Network forensics: Through network forensics, investigators analyse the logs of a particular network (LAN, Wi-Fi, etc.) to deduce which system may have been compromised. This reveals the other hosts and networks the compromised device connected to, the kind of data it uploaded and how it was infected, among other things.
Malware analysis: The NCFL’s malware analysis lab analyses an infected device to establish the source of the infection, the capabilities of the malware, and so on. The malware is allowed to run amok in a sandbox environment that is air-gapped (neither physically connected to nor on the same network as) from the rest of the NCFL. This sandbox mimics a real network so that investigators can see the malware in action.
Blockchain analysis: For blockchain-related crimes, the NCFL has limited investigatory capabilities. The process is not very helpful in tracing the person who made the payment, but it helps the police identify the crypto exchange on which the wallet is hosted and obtain the suspect’s IP address if it is available from open sources, though there is no way to authenticate those. The tool the lab uses shows where else the wallet has been used and how it may be connected to other wallets.
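The “connected to other wallets” and “hosted on which exchange” steps above are usually done with address clustering plus a list of labelled exchange deposit addresses. The following is an added example of the simplest such method, the common-input-ownership heuristic (addresses that sign inputs of the same transaction are assumed to be controlled by one party); it is not the NCFL’s tool or its code. The ledger, the addresses and the exchange labels are all constructed for the example, and the heuristic is deliberately naive: it does not detect change addresses and it is defeated by CoinJoin-style mixing, which is part of why such analysis rarely identifies a person on its own.

```python
from collections import defaultdict

# Constructed sample ledger (not real transactions). Each entry lists the
# addresses that signed the transaction's inputs and the addresses it paid.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A1", "A2"], "outputs": ["B1", "A3"]},
    {"txid": "tx2", "inputs": ["A3"],       "outputs": ["EX2"]},        # pays an exchange
    {"txid": "tx3", "inputs": ["A2", "A4"], "outputs": ["EX1", "A5"]},  # co-spend + exchange
    {"txid": "tx4", "inputs": ["D1"],       "outputs": ["A1"]},         # pays A1, no co-spend
    {"txid": "tx5", "inputs": ["B1"],       "outputs": ["B2"]},
]

# Constructed attribution list, standing in for the labelled dataset an
# analyst would load (exchange deposit addresses -> exchange name).
KNOWN_EXCHANGE_ADDRESSES = {"EX1": "ExchangeX", "EX2": "ExchangeY"}


def cluster_by_common_input(txs):
    """Union-find over spending addresses: every address that co-signs a
    transaction's inputs joins the same cluster. Returns a dict mapping each
    spending address to the frozenset of addresses in its cluster."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for tx in txs:
        ins = tx["inputs"]
        for addr in ins:
            find(addr)               # register single-input spenders too
        for addr in ins[1:]:
            union(ins[0], addr)      # co-spent inputs -> one owner (heuristic)

    clusters = defaultdict(set)
    for addr in list(parent):
        clusters[find(addr)].add(addr)
    return {addr: frozenset(members)
            for members in clusters.values() for addr in members}


def trace_wallet(seed, txs, clustering, labels):
    """Given one address, report its cluster, every transaction the cluster
    touched (as spender or payee) and the labelled exchanges it paid into."""
    cluster = clustering.get(seed, frozenset({seed}))  # output-only address: cluster of one
    used_in, exchanges = [], set()
    for tx in txs:
        ins, outs = set(tx["inputs"]), set(tx["outputs"])
        if cluster & (ins | outs):
            used_in.append(tx["txid"])
        if cluster & ins:                       # the cluster is the spender here
            for out in outs:
                if out in labels:
                    exchanges.add(labels[out])
    return {"cluster": sorted(cluster), "used_in": used_in,
            "exchanges": sorted(exchanges)}


if __name__ == "__main__":
    clustering = cluster_by_common_input(SAMPLE_TXS)
    print(trace_wallet("A1", SAMPLE_TXS, clustering, KNOWN_EXCHANGE_ADDRESSES))
    print(trace_wallet("A3", SAMPLE_TXS, clustering, KNOWN_EXCHANGE_ADDRESSES))
```

Starting from A1, the heuristic links A1, A2 and A4 (via tx1 and tx3), finds that the cluster spent into ExchangeX in tx3 and received from D1 in tx4, but it does not link A3 even though A3 is plausibly the change output of tx1; a real analysis tool adds change-detection and other heuristics on top of this, and the exchange name is only as good as the labelled address list behind it.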
Image and video analysis but not facial recognition: The NCFL routinely enhances images and videos, including CCTV footage, it gets from investigating officers. The NCFL does not have the ability to run facial recognition as the lab is not linked to any database of facial images. Facial recognition takes place in the Crime Records Office, a part of the National Crime Records Bureau. The NCRB is currently building a nationwide automated facial recognition system.
Some tools available in the NCFL:
- Imaging device from JMR-ICS (American)
- Write blockers, both portable kits and workstations, from Digital Intelligence (American). The annual maintenance contract for these devices is with Cyint, a Delhi-based digital forensics company which is also an authorised distributor/reseller of Digital Intelligence hardware.
- Cellebrite UFED, Cellebrite Physical Analyzer, Cellebrite UFED Cloud, Cellebrite Premium from Cellebrite (Israeli)
- MSAB’s XRY (Swedish)
- Oxygen Forensic Detective (Russian, as per the Intercept)
- Compelson Labs’ MOBILEdit (Czech)
- Tool to identify the crypto exchange on which cryptocurrency wallet is hosted
- Malware analysis lab
- Image and video analytics
The NCFL uses multiple tools for everything depending on the requirements and the features available. The Laboratory sends its requirements to the Provision and Logistics Department of the Delhi Police which then releases tenders for the equipment. Here are two tenders released for the CyPAD earlier this year. Roy did not know if the data extraction tools in question were purchased directly from companies such as Cellebrite, Oxygen Forensics, etc. or through third party aggregators such as Esec Forte, Third Eye, etc.
Most of the tools used for mobile forensics in the NCFL are also listed in the Ministry of Home Affairs’ November 2018 Cybercrime Investigation Handbook for Police Officers.
Metadata is ‘very useful’ in investigations
Data extraction is usually the last resort and contingent on a number of factors. Key amongst them is physical access to the device which is possible only when the police can physically apprehend the suspect, Roy said. An investigation involves many parallel processes, he said.
Data extracted from a person’s device supplements what the police identify through metadata (which is also stored with intermediaries), local intelligence, digital trail, money trail, Roy said. When CyPAD approaches intermediaries for information, it looks for basic subscriber information (BSI), access logs, and raw data about the incident under probe. “Normally, most of the service providers are only providing the metadata. … [e]ven that is helpful in tracing out suspects,” he said. It also relies on open source intelligence but it has “no evidentiary value per se”.
“You have to substantiate it [open source intelligence] with … somebody who is custodian of that data. Like, I may come to know that somebody has an account on, suppose, Zomato. I can see a review, suppose. I know that this person has probably ordered something or has visited [the restaurant]. That information has no value until and unless I get a report from Zomato about that person’s presence on the platform, the places he may have visited if Zomato maintains that data and shares that with me. It can definitely share the basic subscriber information with me.” — Anyesh Roy, DCP (Cyber), Delhi Police
“The wish list [for data from intermediaries] is huge but most of the cases don’t actually yield such results,” Roy said. For instance, Roy would like to get location data from Google, but most such intermediaries only offer the standard request formats available on their law enforcement portals.
For most common cybercrimes, attribution is not a problem: “As far as common cybercrimes are concerned … we have a lot of attributable information because the trail is there and most of the common frauds and online harassment instances, there we don’t see, yet, use of things which actually lead to non-attribution,” Roy said. At a geopolitical level, attribution is difficult because actions are initiated from outside India, and they deploy tools that prevent attribution, he explained.
The case of WhatsApp
Cooperation from social media intermediaries, especially end-to-end encrypted platforms like WhatsApp, has been a sore point for law enforcement agencies around the world. The Tamil Nadu government, for instance, in the WhatsApp traceability case repeatedly bemoaned its inability to trace the originators of harmful content on the platform. Multiple governments around the world, including India’s, have written to Facebook asking it not to implement end-to-end encryption across its platforms because it thwarts the ability of law enforcement agencies to access content.
Roy acknowledged that because of end-to-end encryption, WhatsApp cannot share content in any way. While the CyPAD does not deal with such critical cases, Roy said that even in terror-related matters, where content may be required, “WhatsApp probably won’t be able to provide despite proper legal recourse being taken by the concerned [authorities]”.
But metadata is “very useful” in nabbing culprits. Until about a year ago, WhatsApp would not respond to requests, and even when they shared information, “even the IP address was not complete”. “So there was no point in having that kind of metadata,” Roy said. “But nowadays, I think, they are more forthcoming as far as sharing of metadata is concerned,” he said.
“So where end-to-end encryption is there, we don’t get [access] in critical cases. Where you need access to the content, so you don’t get access. That is something which is not possible even if the force of law is there to get that content. So that impossibility basically nullifies the provision of law which has been provided for by the Parliament of India. The authority which has been vested, that authority cannot be exercised because technology, because the way technology has been implemented. It’s leading to actual nullification of the mandate given by the law,” Roy said.
Getting information from international companies remains a challenge
Given the nature of cybercrimes, even a simple case of online fraud has 5-6 stakeholders from whom the police have to get attributable data, Roy said. Processes to give access at short notice and to give real-time access to the investigating officer have not been streamlined. Since one intermediary leads to another, this increases the police’s dependence on the intermediaries. “[E]xisting modalities” are limited to emails, which take a lot of time, and major platforms are already handling so many requests from around the world that “they take their own time to process our requests”, he said.
It is access to this data from global companies that is a bigger problem than encrypted devices or communication, including end-to-end encrypted communications, Roy said. The turnaround time on MLAT (mutual legal assistance treaty) requests is 6-18 months because of which, while not a “completely futile exercise” since they have received results from some requests, “in effect, it does almost strangulate the investigation”, he said.
Roy is not the only one to face issues with the MLAT process. The Tamil Nadu government, in its submissions before the Madras High Court in the WhatsApp traceability case, repeatedly mentioned constraints of getting data from global intermediaries. “The MLAT treaty is too cumbersome. We have to go through various channels and that delays the investigative process,” Vijay Narayan, the Advocate General for Tamil Nadu, had told MediaNama.
Roy mentioned that there is a “tremendous difference” between how Indian and non-Indian intermediaries respond to requests for data. This is helpful with financial intermediaries, where there are many Indian players, but “in terms of email service providers, social media platforms, we hardly have any”, Roy said.
Preserving data is paramount
In forensics, preservation of evidence, both physical and digital, is paramount, Patibandla told us. To that end, the NCFL has imaging devices and write blockers to preserve data from computers, laptops, hard drives, pen drives and other storage devices and to prevent it from being overwritten during the investigation. These tools essentially freeze the device and its contents as they were at the time of seizure. To ensure that the authenticity of the clone cannot be challenged, investigators compare the hash values of the original storage device and the clone. All investigation then takes place on the copy, while the original device is stowed away in a Faraday pouch to prevent anyone from remotely accessing it, and is eventually returned to the investigating officers.
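The hash comparison described above, as an added example that is not part of the original article and is not any NCFL tool: the source is hashed once while it is being imaged and again afterwards, so that matching hashes prove both that the clone is bit-identical and that the original was not altered during acquisition. The “evidence device” is a constructed file of deterministic bytes in a temporary directory, standing in for a block device behind a write blocker; the chunked reads are there so the same code works on images far larger than RAM.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads: multi-GB images never have to fit in memory


def image_and_hash(src_path, dst_path, algo="sha256"):
    """Copy src to dst block by block, hashing the source as it is read.
    This is what an imager does: the acquisition hash is computed from the
    original during the one pass that reads it. Returns (hexdigest, bytes_copied)."""
    h = hashlib.new(algo)
    copied = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
            copied += len(block)
    return h.hexdigest(), copied


def hash_file(path, algo="sha256"):
    """Independent hash of a file, used to re-verify both original and clone."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(src_path, dst_path, algo="sha256"):
    """Re-hash original and clone after acquisition. Returns (match, src_hash, dst_hash)."""
    src_hash, dst_hash = hash_file(src_path, algo), hash_file(dst_path, algo)
    return src_hash == dst_hash, src_hash, dst_hash


def tamper(path, offset=4096):
    """Flip one bit in the clone to show that verification catches a single changed byte."""
    with open(path, "r+b") as f:
        f.seek(offset)
        b = f.read(1)
        f.seek(offset)
        f.write(bytes([b[0] ^ 0x01]))


def demo():
    """Acquire a constructed evidence file, verify the clone, then tamper with it and re-verify."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "evidence.bin")   # stands in for the seized device
    img = os.path.join(tmp, "evidence.dd")    # the forensic image
    with open(src, "wb") as f:                # constructed sample: 3 MiB of deterministic bytes
        f.write(bytes(range(256)) * (3 * 4096))

    acquisition_hash, size = image_and_hash(src, img)
    clone_ok, src_hash_after, img_hash = verify_image(src, img)

    tamper(img)                               # simulate a clone modified after acquisition
    tampered_ok, _, _ = verify_image(src, img)

    return {
        "bytes": size,
        # acquisition hash == post-acquisition source hash: original untouched by imaging
        "source_unchanged": acquisition_hash == src_hash_after,
        "clone_verified": clone_ok,
        "tampered_clone_verified": tampered_ok,
    }


if __name__ == "__main__":
    print(demo())
```

In practice labs record at least two digests (for example MD5 and SHA-256) in the chain-of-custody record, and the write blocker, not the software, is what guarantees the original is never written to; the hash only proves that it was not.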
Data extraction, both from phones and from storage devices (hard disks, pen drives, etc.), is a time-consuming and energy-intensive process. For instance, processing a hard disk takes about three to four days, while extracting data from a 64 GB phone takes about four hours. As a result, all the workstations in the NCFL are fitted with large fans and wide vents to prevent the systems from overheating; some even have liquid cooling.
Can the Delhi Police force people to give up their mobile passwords?
The entire issue around data extraction arises because law enforcement agencies often do not have passwords to suspects’ devices and certain companies, most notably Apple, refuse to build backdoors for law enforcement agencies.
“I believe that we cannot force a person to provide access to a device because that will be violative of Article 20, I think,” Roy said. Mehra said that once the documents are sent to the Laboratory, “we don’t need anybody’s permission to unlock any device”. The problem occurs when the person does not cooperate and give the password, Mehra said. In such cases, the Delhi Police uses data extraction tools, he said.
While that is true for alpha-numeric passcodes, it becomes complicated when people have biometric passwords based on facial recognition or fingerprint verification. “There is no law that authorises them [the police] to [coerce biometric passwords],” Senior Advocate Rebecca John told MediaNama. Mehra also said that for the time being, there is no distinction between the two kinds of passcodes.
But how do you stop someone from clandestinely placing the phone in front of someone’s face, Mehra asked, or putting the person’s finger on the device? People should thus have two to three filters to protect their data, he said.
Both John and Mehra concurred that the courts would have to adjudicate on whether or not there is a distinction between alpha-numeric passcodes and biometric passwords, and if the police can compel people to give up their passwords. “Across the world, the verdict is a bit split and while even in places like America and other places, there is an increased recognition of a right of an individual to privacy because a phone is recognised as an instrument which is really a mirror image of your life and it may have information that you don’t want to share with people which is extremely personal,” John said.
Having said that, John warned that there can be compelling circumstances under which the police need information on a phone to, say, prevent a kidnapping or to trace a kidnapper. “It can’t be of universal application that under no circumstances can a police officer not be permitted to get into the phone of a person, whatever be the manner in which he gets into that phone,” she said. But the police must establish desirability and necessity, along with a judicial sanction, she said.
Online cybercrime reporting during COVID-19 practically doubled
The number of reports received on the National Cyber Crime Reporting Portal practically doubled during the lockdown, Roy told us. However, he warned that this does not necessarily mean that the incidence of cybercrime itself doubled, just the reporting did. It could be because there were actually more cybercrimes or because people had no other means to report crimes, he said.
However, Roy qualified that if people were indeed reporting cybercrimes online because they couldn’t go to the police stations, the trend did not reverse once the lockdowns were lifted. The number of cybercrimes reported through the national portal remain elevated. “What I could figure out is probably the platform has become popular,” he said. But another caveat here, he warned us about, is that other forms of cybercrime reporting are not that well documented.
Generally, 60% of all reported cybercrimes are financial frauds, 33%-35% are online harassment and related crimes and 5% are miscellaneous crimes, Roy said. During the lockdown, these broad trends persisted, indicating that the incidence of cybercrimes did not increase, just their reporting.
Edited by Aditya Chunduru