How to remotely reset a phone and what is UFED, the Israeli system for unlocking devices

After it became known that the information on the cell phone of Fernando Sabag, the attacker arrested for the attack on Cristina Fernández de Kirchner, was deleted, the methods used to try to unlock the device raised two questions: can everything be deleted remotely? And what is UFED, the Israeli system they used to try to gain access, and how does it work?

The answer to the first question is yes: a phone can be reset to factory settings remotely (that is, without having it in hand, from a computer). Sabag used a Galaxy A50, and both Google, owner of the Android operating system, and Samsung, the manufacturer of the device, have functions for remote access: “Find my device” and “Find my mobile”.

However, there are some conditions to be able to do this. “To remotely wipe data from a phone, the device must have some form of network connectivity. Either being connected to a previously configured Wi-Fi network (a very unlikely situation due to where the situation occurred) or to the cellular data network,” explains Javier Smaldone, system administrator and IT expert.

“Also, to wipe the data from another location, someone would have had to activate the option remotely, using the defendant’s account, which is currently in detention and without access to a computer,” he adds.

After Sabag’s arrest, Judge María Eugenia Capuchetti ordered the phone to be placed in an envelope with what is known as a “chain of custody”.

It was then that the Federal Police tried to gain access, unsuccessfully, and ended up referring the case to the Ezeiza Airport Security Police. According to reports, they both used the “UFED” system with no success.

UFED, the system they used to try to unlock it

“Universal Forensic Extraction Device”, UFED, is the name of the Israeli company Cellebrite's program for extracting information from cell phones under court order.

“It is a security product of the Israeli company Cellebrite, oriented to the extraction of data for forensic use. While its use in mobile devices has become popular, it covers an important range of devices, including GPS and drones,” Mauro Eldritch, cyber security threat analyst, explains to Clarín.

“After connecting to a device, UFED is able to obtain information by two methods: logical extraction, interacting with the API specifications of the device manufacturer to obtain its ‘current status’ (communications, personal data, files); or physical extraction, which produces a ‘dump’ of the device’s content, potentially allowing access to files that have been deleted, hidden or simply not understood by the first method,” he adds.

As for how it works, the expert states that “they use different techniques to achieve their goal, such as using functions to bypass the locks (PIN, password), temporarily ‘rooting’ the device (gaining more permissions), or placing it in a particular boot (startup) mode, such as ‘EDL’ mode, Emergency Download Mode”.

However, he warns that “Cellebrite has Certified Operators (CCO) for the use of its devices, because of the criticality of the cases in which it is applied and the potentially destructive nature of some of its functions: a malfunction of the product can make a device under investigation unusable”.

In this scenario, it is difficult to understand how information could have been erased from a device that should have been in airplane mode, in a sealed envelope, and with a chain of custody.

This is not a minor detail, because the suspect’s cell phone is one of the main pieces of evidence in the case investigating the attack on Cristina Kirchner.

So it faces the fate of ending up unusable and becoming a “bricked” device, as they say in computer jargon, after the English word “brick”.

Source: Clarin