Extract Forensic Information for LEAs from Encrypted SmartPhones

Terrorists and other criminals use secure features available to the public, such as secure communication applications or encrypted smartphones, which represent a huge challenge for LEAs. Due to the improved proprietary cryptographic implementations, it is impossible to obtain evidence from a modern smartphone. That’s why EXFILES aims to address the mandatory need to develop new methods to allow fast access by LEA to this encrypted data in accordance with a legal framework.
Encrypted mobile phones are often a key factor in criminal cases; the data stored in these devices may contain critical evidence. With most telephones protected by encryption, the rapid processing of critical evidence by various information retrieval techniques is slowed down, if not made impossible. EXFILES will use software exploitation, hardware methods and combined methods to give law enforcement officials the tools and protocols for rapid and consistent data extraction in strict legal contexts. Tools and methods inspired by other areas of information security will lead to new judicial methods of accessing data for lawful investigations. EXFILES will focus on the ethical and leg research and exploitation as well as dissemination and training activities for the next generation of forensic experts.
EXFILES’s main objective is to improve LEAs techniques and methods, to extract digital evidence from modern encrypted smartphones.
To be able to extract information from encrypted devices, a holistic approach (software, hardware) is required. The aim is, therefore, to find ways to access protected evidence by using semiconductor industry knowledge coupled with software exploitation techniques. EXFILES will focus on the following objectives:
• Categorize smartphones used by criminals
• Advance and update existing tools to improve reverse engineering of specific mobile devices
• Combine software and hardware techniques to produce advanced solutions
• Make evidence extraction from modern encrypted smartphones affordable and practical
• Improve law enforcement agencies’ capabilities regarding encryption and increase information sharing
• Involvement of all stakeholders from different domains
• Provide guidelines and recommendations for law makers and law enforcement agencies
• Evaluate the results against real use cases

The LEAs have defined the targets that the partners worked on. The classification of the targets has been done according to several criteria such as non-availability of a forensic solution, device model novelty, number of smartphones on the market, type of protection technology used in the device, etc. The LEAs have classified and prioritized the devices on which EXFILES research focused. This presents devices for which legal investigation were impossible by LEAs.
By developing complementary SW tools for HW attacks, WP3 worked on the global approach of the EXFILES that covers all forensic aspect for decryption of the HD of suspect’s Smartphone. LEA targets have been analysed and their inputs was exploited in the attack scenarios.
It has been investigated the mobile TEEs and common mobile security mechanisms, including ARM TrustZone, remote attestation, secure and trusted boot.
Deep research on the state of the art of all the techniques and tools that take part in the reverse engineering process of mobile phones have been made, including the main fields or categories that play a role on forensic reverse engineering.
A tooling supporting two versions of the QSEE that enables reversing engineering and identifies core functionalities and attack surfaces was developed.
Vulnerability discovery and exploit development, it has been provided solutions for 5 real-world LEA targets. Those solutions have been used in a high number of cases by LEAs resulting in a complete success of the task and the overall WP.
EXFILES worked on applying the different steps of hardware reverse engineering for deprocessing and imaging the smartphone targets: SoCs and SEs. The recent smartphone chips are based on a very small technological node. A public report was produced describing the state of the art in term of methodologies used for deprocessing and imaging the chips.
The ROM of one target has been extracted during the first period. The second period was used to further develop the deprocessing techniques.
The fuse banks of two chips from two target phones have been located, and specific deprocessing methodologies to expose the fuses have been developed. Custom methods based on AI techniques have been established to extract their logical states. The obtained information has been used to derive the encryption keys from one target phone. In addition, a procedure to modify single fuses has been studied and successfully demonstrated.
WP4 also dealt with ROM extractions from SoCs. During the first period, several methods have been evaluated to reach the bit encoding layer of these devices with aggressive nodes. First dump was done and through the development of the techniques, a total of three SoCs could be dumped before the end of the second period.
All the results obtained allowed improving LEAs capabilities regarding encryption.

Regarding scientific production, the publications list attests to the progress made, with all of these publications being closely aligned with the project's objectives. Despite the challenges related to the classified information constraints, the partners have managed to share their results and contribute to scientific knowledge in the hardware and software security field. These publications have covered various aspects of the project. However, it complies with the requested considerations in term of classified information, ensuring the protection of sensitive data while still contributing valuable insights to the field.
Some of these publications have even been recognized and awarded, demonstrating their excellence and impact (e.g. "Best Student Paper Award" in CARDIS’2022)

As for technical production, it is replete with advanced results that align with the project's objectives by 100%. However, due to CI considerations, these results cannot be published. Nevertheless, they represent a significant advancement for LEA that may encounter the encryption issue of the digital evidence during the judiciary investigation.
It is important to highlight the numerous technical advancements and proof of concepts achieved within the project. These advancements have pushed the boundaries of knowledge in the forensic field and facilitated the development of new methodologies for data decryption. They exemplify the expertise and dedication of the LEA teams involved in the project.

Solutions developed in the project and made available to LEAs have been applied in real cases. Hundreds of devices belonging to real cases have been solved in LEAs EXFILES countries thanks to these solutions. The solutions have been shared with some external LEAs, which are also already solving cases. The consortium is working on a way to share more information with European LEAs outside the consortium.

In conclusion, despite the Covid-19 pandemic impact, the project has successfully achieved all scientific objectives. The constraints associated with publishing classified information have been carefully managed, and the obtained results have been remarkable. The project has made a significant contribution to research with high impact on the scientific community.