SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: ACLU, Michigan State Police, and Cellebrite

This week, the dispute between the ACLU of Michigan and the Michigan State Police engages most of my attention here. But there are a lot of other interesting items this week, including Verizon's 2011 Data Breach Investigations Report, one person's stab at what to do about Chinese espionage, and new information about the location data that Apple iPhones and 3G iPads collect about you. There's plenty to read, so I'll keep the introduction short. As always:

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


  • Last week, the ACLU of Michigan sent a letter to Michigan State Police requesting information regarding MSP's purchase and use of Cellebrite Universal Forensic Extraction Devices (UFED). The ACLU's concern seems to be that the speed and ease with which the Cellebrite devices extract mobile phone data may lead police to disregard Constitutional protections and search/seize cell phone data without proper warrants or consent. While the ACLU's letter(PDF) does not allege that any misconduct has taken place, their press release says they are seeking information "regarding the use of portable devices which can be used to secretly extract personal information from cell phones during routine stops." This statement seems to go a bit further than the letter, in that it speculates about the possibility of misuse. It is still not an allegation, but it seems to have been enough for some news sources to blow it out of proportion. The ACLU has been seeking information about the purchase and use of the Cellebrite devices via Freedom of Information Act (FOIA) requests for several years, according to their letter, and claim that the Michigan State Police have played "stalling games" to avoid providing the requested information.
  • That, of course, is one side of the story. The Michigan State Police "fired back at claims" that they have misused the Cellebrite devices to wrongfully acquire citizens' data. In its official statement, the Michigan State Police say:

    The MSP only uses the DEDs if a search warrant is obtained or person possessing the mobile device gives consent. The department*s internal directive is that the DEDs only be used by MSP specialty teams on criminal cases, such as crimes against children.

    The DEDs are not being used to extract citizens' personal information during routine traffic stops.

    While it's natural that the statement from the Michigan State Police focuses most on the implication of wrong doing, and the subsequent bad press, I am disappointed that their statement does not also address why they are unable to produce, without great cost, the information the ACLU of Michigan requested via the Freedom of Information Act. If nothing else, it simply looks bad that the FOIA requests could not be resolved without such public display. This spectacle makes both sides look bad. It also has the unfortunate consequences of making citizens unnecessarily fearful/distrustful and of dragging Cellebrite's name through the mud (even though this could easily apply to any other manufacturer of forensics tools).


    Leaving aside the specifics of the issue, I believe the current dispute between the ACLU of Michigan and the Michigan State Police is a sign of things to come. It seems to me that one of the drivers of this request from the ACLU is fear (or concern) that the forensic tools will be misused to unlawfully collect data from unsuspecting citizens. Since the ACLU is not actually alleging any misconduct, their requests for information are exploratory, and could be seen as seeking reassurance. Their concern is understandable. All tools can be misused, and there will always be those who abuse both tools and authority. As forensic tools become faster and easier to use, they become accessible to a broader range of people with varying degrees of skill and training. The market is already moving toward Live Response and Data Acquisition tools that are fast enough and easy enough to be operated by first responders who have minimal (if any) technical training and experience. As that trend continues, it seems likely that concerns over the abuse of such tools will grow.

    It is also important to note that this story is not particular to the Cellebrite devices mentioned. It could as easily apply to any other model of data acquisition or extraction tool. I have heard through the grapevine that Cellebrite has been receiving nasty email messages from the general public, which is unfortunate to put it mildly. Cellebrite and other manufacturers create genuinely useful tools that help law enforcement and others catch and convict some truly heinous criminals. They do not deserve to have been brought, rather irresponsibly, into this fray.

    Finally, Det. Cindy Murphy brought it to my attention that the matter of "consent" is problematic at best. The statement from the Michigan State Police says that the data extraction devices are only used "if a search warrant is obtained or person possessing the mobile device gives consent." As Det. Murphy pointed out most elegantly in our email correspondence:

    If a person doesn't know that they're consenting to a full data dump of their phone, it can be argued later that they couldn't have reasonably known what they were consenting to.

    Det. Murphy also pointed out another problem with consensual search: scope. Consent to search a cell phone does not imply consent to search the online services (email, instant messaging, Skype, etc) that it may be connected to. The mobile device must be properly isolated from its network, so that the only data acquired is that which already exists on the phone. Otherwise, law enforcement risks performing warrant-less and non-consensual searches of these online accounts (as the device downloads/receives new content). Not only would that violate citizens' rights, but it would also jeopardize any case to which the acquired data might be applicable.

  • In other news, Applie iPhones and 3G iPads are recording and storing your location information, according to a new announcement from Alasdair Allan and Pete Warden. The article's title suffers from a bit of hyperbole, in that the author goes on to say that "there's no immediate harm that would seem to come from the availability of this data. Nor is there evidence to suggest this data is leaving your custody." As the author also points out, it remains to be learned why the data is being stored and what intentions Apple has for it. When discoveries like this one are announced, most readers and commentators tend to be concerned about the privacy implications. However, from a pure forensic perspective, the presence of this data is an absolute gold mine for investigators. So, as both a consumer and a forensicator, I'm ambivalent.

Good Reads:

  • Verizon's recently released 2011 Data Breach Investigations Report (PDF) highlights a couple of interesting, and perhaps unexpected, trends. The two things that will likely jump out immediately are: 1) the dramatic decrease in the total number of records compromised over the past three years and 2) a similarly dramatic drop in the number of incidents attributed to insiders. As you'll see, the report goes on to explain that the decrease in insider incidents doesn't really reflect a reduction in those incidents. Instead, it has more to do with the statistical effect of a dramatic increase in smaller external attacks. The number of insider incidents simply represents a smaller percentage of the number of total incidents. On the matter of records lost, the report suggests that the dramatic decrease may reflect a "change in the motives and tactics used by criminals to steal information."
  • The 2011 CyberSecurity Watch Survey (PDF) and the Analysis of Technical Observations in Insider Theft of Intellectual Property Cases (PDF) from CERT's Insider Threat Center help to shed light on the nature of insider threats and, perhaps more importantly, help account for why insider actions make up such a small percentage of the breaches reported in Verizon's DBIR. Pay attention to the statistics here regarding how many insider issues are handled internally by organizations without any law enforcement or legal involvement.
  • In China's hacking drains US economic power, Richard Clarke briefly discusses the economic impact of Chinese-based attacks on governments and businesses around the world. He says that the US (and, by extension, other western governments) must do something about it, or "just accept constantly growing Chinese global economic dominance." He goes on to suggest two possible options for doing something about it:
  • The US could organize with other victimized countries and develop a joint cyber forensics capability sufficient to make a case in the WTO, seek financial damages, and establish new rules. Or, the US could use its own cyber capabilities to systematically defend US companies and hack back against the attackers.


  • A few days ago, Jesse Kornblum dropped md5deep v3.8, which delivers 64-bit binaries for Windows and a new option that allows you specify multiple input items by listing them in a text file.
  • Corey Harrell created Digital Forensics Search, a truly useful custom Google search geared toward Digital Forensics and Incident Response. You can also ready Corey's introduction to the search over on his Journey into Incident Response blog.

Shout Outs:
This is just a quick thank you to several people who sent article suggestions and provided insight that helped me put this post together. Special thanks to Det. Cindy Murphy, whose help with the ACLU vs. MSP story kept me revising this piece well past deadline. :-)


Coming Events:

Digital Forensics Case Leads for 20110422 was compiled by Gregory Pendergast, forensicator, incident responder, and jack-0f-all-security at Virginia Commonwealth University. If you have an article to suggest for case leads please email it to