Fixxx (Moder) - Joined: 20.08.24 | Messages: 978 | Reaction score: 3,886 | Points: 93
Every one of us carries a smartphone in our pocket: a small safe with chats, photos, notes, wallets, etc. Sometimes it contains things that, in an unfavorable scenario, could land you in jail. When law enforcement needs access to your phone’s contents, mobile forensics comes into play: specialized systems are used, among them well-known ones like GrayKey and Cellebrite UFED. I want to focus on the first, since we have a rather limited data set.
GrayKey is a commercial forensic suite from Grayshift (now part of Magnet Forensics) that law enforcement uses to extract data from mobile devices. It's a specialized hardware/software appliance that, given physical access to the phone and legal grounds, attempts to gain full or partial access to the file system and application artifacts.
GrayShift Data Leak
In November 2024, 404 Media published an investigation into a leak of internal Grayshift documents: it included GrayKey compatibility tables showing access levels by model and OS version (Full, Partial, Consent, None) and notes about AFU/BFU modes; the key conclusion at that time was that for iPhones on iOS 18/18.0.1 the tool in most cases provides only partial extraction, and beta iOS 18.1 completely blocked access. The leak also included a full table for Android: hundreds of Samsung, Pixel, Xiaomi/Redmi, Oppo/OnePlus and other models. It shows how results heavily depend on firmware and security patches: the same device can move from Full to Partial or even to None in different months, especially after major updates and when protections like Knox are enabled.
In the table, devices are marked as follows:
- Green - Full / Full + AFU. Full data extraction (file system image, wide set of artifacts). Full + AFU means this volume is possible only if the phone has been unlocked at least once after power-on (it doesn't work in BFU).
- Blue - Partial AFU. Partial access and only in AFU: selected directories/databases are extracted (media, some logs and app data), but not the entire file system.
- Yellow - Consent. Access is possible only with the owner’s consent - effectively extraction after entering the passcode/confirming a connection, but who in their right mind would grant consent and whether they would even be asked...
- Red - None. No support: extraction is not performed (except possibly minimal system information).
It’s important to understand: these statuses are always tied to a specific model and OS version.
The data covers up to November 2024: yes, many things have changed since then with iOS/Android patches, but the overall pattern is visible - there is still no universal key to break all devices, the AFU state (after the first unlock) is critical and a reboot puts the device into BFU (before first unlock) and sharply reduces access; but status also depends on chipset/firmware and vendor protections. A bit about unlock states:
- BFU (Before First Unlock) - the phone has just been powered on/rebooted and the user has not yet entered the passcode. Most keys for user data remain wrapped (protected by a hardware key + your passcode), so access to data is minimal. Obtained data includes device identifiers, OS version, some system metadata/logs. Most user data and keychain/keystore are unavailable.
- AFU (After First Unlock) - the user has entered the passcode at least once after power-on. From this point some keys are unwrapped and held in secure memory, so even when the screen is locked again a significant portion of data remains accessible to the system (and, regrettably, to forensic tools) until the phone is fully rebooted; therefore law enforcement may obtain access to the full file system/artifacts or selected device databases depending on the access level.
Use of forensic suites by law enforcement
There is no reliable confirmation that law enforcement agencies officially use GrayKey. Some countries have their own analogues that likely use the same vulnerabilities:
- Elcomsoft (EIFT/EMFB/Phone Breaker) - tools for extracting and decrypting backups, cloud data from Apple/Google, working with keys and passwords; on iOS they rely on jailbreaks/exploits (including checkm8 on compatible models).
- Chinese suites (Meiya Pico, etc.) - mobile forensics hardware/software stations; the vendor has a Russian-language site and mentions partnerships/distribution in Russia.
- "Mobile Forensicist" (MKO Systems) - a Russian suite for extraction/analysis of phone, PC and cloud data; the maker regularly claims support for new exploits/methods.
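The BFU/AFU distinction in the post comes down to which keys are sitting unwrapped in memory. The model below is an added Python example, not part of the post and not Apple's or any Android vendor's actual Data Protection code: it assumes one data-protection class whose key is wrapped by a KEK derived from a device-bound hardware key plus the passcode, a toy HMAC-based key wrap standing in for AES key wrap (the stdlib has none), and a toy keystream cipher for file contents. The class `ToyDevice` and its methods are hypothetical names. What it shows is the property the post relies on: a wrong passcode yields nothing, locking the screen changes nothing (still AFU), and only a reboot empties the cache and returns the device to BFU.

```python
import hashlib
import hmac
import os
import secrets


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF (extract + expand) over HMAC-SHA256 with a zero salt."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _keystream(key: bytes, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode. Only for this model."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def wrap_key(kek: bytes, key: bytes) -> bytes:
    """Toy authenticated key wrap: keystream XOR plus an HMAC tag (stand-in for AES-KW)."""
    ct = bytes(a ^ b for a, b in zip(key, _keystream(kek, len(key))))
    tag = hmac.new(kek, b"mac" + ct, hashlib.sha256).digest()
    return ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, b"mac" + ct, hashlib.sha256).digest()):
        raise ValueError("wrong KEK: tag mismatch")  # wrong passcode lands here
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, len(ct))))


class ToyDevice:
    """One data-protection class; the cache of unwrapped keys is the BFU/AFU switch."""

    def __init__(self, passcode: str):
        self._hw_key = secrets.token_bytes(32)  # modelled as fused into the SoC, never exported
        self._salt = os.urandom(16)
        class_key = secrets.token_bytes(32)
        self._wrapped_class_key = wrap_key(self._kek(passcode), class_key)
        self._cached_class_key = None            # empty right after power-on: BFU
        self._files = {}                         # path -> (wrapped file key, ciphertext)

    def _kek(self, passcode: str) -> bytes:
        # Hardware key + passcode: neither alone is enough to unwrap the class key.
        pw = hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 50_000)
        return hkdf_sha256(self._hw_key + pw, b"class-key-kek")

    def state(self) -> str:
        return "AFU" if self._cached_class_key is not None else "BFU"

    def unlock(self, passcode: str) -> bool:
        try:
            self._cached_class_key = unwrap_key(self._kek(passcode), self._wrapped_class_key)
        except ValueError:
            return False                         # cache untouched, still BFU
        return True

    def lock_screen(self) -> None:
        pass  # screen lock does not evict the cached class key: still AFU

    def reboot(self) -> None:
        self._cached_class_key = None            # volatile cache gone: back to BFU

    def write_file(self, path: str, data: bytes) -> bool:
        if self._cached_class_key is None:
            return False
        file_key = secrets.token_bytes(32)       # per-file key, wrapped by the class key
        ct = bytes(a ^ b for a, b in zip(data, _keystream(file_key, len(data))))
        self._files[path] = (wrap_key(self._cached_class_key, file_key), ct)
        return True

    def read_file(self, path: str):
        """Returns plaintext in AFU, None in BFU (no class key to unwrap the file key)."""
        if self._cached_class_key is None or path not in self._files:
            return None
        wrapped_fk, ct = self._files[path]
        file_key = unwrap_key(self._cached_class_key, wrapped_fk)
        return bytes(a ^ b for a, b in zip(ct, _keystream(file_key, len(ct))))


def demo() -> dict:
    """Walks a constructed device through BFU -> AFU -> locked AFU -> reboot."""
    d = ToyDevice("2468")                        # constructed passcode for the demo
    results = {"fresh": d.state(), "wrong_pin": d.unlock("0000")}
    results["bfu_read"] = d.read_file("/notes.txt")
    d.unlock("2468")
    d.write_file("/notes.txt", b"secret note")
    d.lock_screen()
    results["afu_locked_read"] = d.read_file("/notes.txt")
    results["afu_state"] = d.state()
    d.reboot()
    results["after_reboot"] = (d.state(), d.read_file("/notes.txt"))
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice to notice is in `lock_screen` versus `reboot`: the former is a no-op on keys, the latter drops the cache. That is exactly why the post's tables distinguish "Full + AFU" from plain "Full", and why a powered-off or freshly rebooted phone exposes so much less.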