lately everyone in brasilia is freaking out about this "digital raid" thing and the use of cellebrite premium. but is it really that big of a deal? or is it just hype to scare people?
as a dev who works with cloud and infrastructure, data security is a daily topic: compliance, gdpr-ish stuff, protecting sensitive client data. i decided to write about what i learned on how this tech actually works.
what is cellebrite?
cellebrite is an israeli company that sells the ufed and premium forensic extraction tools. basically its a legalized hacking kit that the police use.
they dont need the users password to get in. they exploit security holes (zero-days) that even apple or google havent patched yet.
their strength is mobile: they can extract everything, whatsapp, photos, location, deleted files. and its not "per use", the police pays for a million-dollar "unlimited" license, meaning they can plug in 100 phones in a day without paying extra.
the legend of the "password breaking cage"
the media talks a lot about the faraday cage, but they explain it all wrong.
putting the phone in the cage does not break encryption. the cage only blocks signal (4g/wifi). so what is it for then?
- prevent remote wipe: so the owner cant send a remote command to erase the phone.
- prevent blocking: some phones lock certain data ports if they connect to a network.
so the cage is just to keep the phone "alive" until cellebrite gets plugged in.
password vs biometrics (face/finger)
heres the biggest mistake people make: thinking face id is more secure. its not!
biometrics is convenient, but physically insecure. in a police raid or robbery, they can force ur finger on the sensor or hold the phone to ur face.
biometrics is easy to bypass with physical force. alphanumeric password is impossible to force, u can "forget" it or refuse to talk.
if u think ur gonna lose ur phone, hold power + volume (iphone) or activate lockdown mode (android). this disables biometrics instantly and only unlocks with password!
the cloud illusion (google drive is not a safe!)
this is a classic. "oh but my google drive is encrypted".
big mistake. google (and dropbox, onedrive, standard icloud) uses server-side encryption. this means they scramble ur files, but they also keep the key to unscramble.
if an employee wants to, or a hacker gets access, they decrypt and grab everything. ur data is "locked", but the key is at the buildings front desk, not in ur pocket.
in my setup (using aws s3 and other secure object storages), i use my own encryption key. if u dont have the private key (client-side), u dont have real security.
the "ghost" of the browser (cache)
lots of people think closing the tab fixes it. nope!
when u browse, chrome/firefox downloads images, scripts and pieces of pages to ur pc to load faster later. this is the cache.
forensics loves this. even if u dont have history saved, they can reconstruct what u saw (images, videos, text) just by analyzing the systems cache folder. even thumbnails u saw in windows explorer stay saved in a file called thumbs.db or iconcache forever, even if u delete the original file!
"delete" is not "gone"
this part is dangerous.
when u click "delete" and empty the trash, windows/linux does not erase the file. it just goes to the disks address table and marks that space as "free to write over".
but the data (the zeros and ones) stays there intact until u write something else on top. simple tools recover this in seconds.
ssd vs hdd: how to actually clean?
to protect urself from this, the technique changes depending on the disk:
- hdd: the only solution is to overwrite (write zeros or garbage on top). tools like shred on linux work well here.
- ssd: dont use regular shred! overwriting an ssd damages its lifespan and doesnt guarantee it got erased (because of wear leveling). the solution is the trim / blkdiscard command or crypto-shredding (explained below).
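to see the "delete is not gone" thing and why overwriting is what actually fixes it on an hdd, heres a toy disk in python (added example, not code from the original post). the block layout, the allocation table and the "DOC!" file signature are constructed for illustration; a real filesystem is more complex but does the same thing: delete touches the table, not the bytes.

```python
"""Toy disk image: 'delete' marks blocks free, 'overwrite' actually clears them.

Added example, not from the original post. The block layout and the "DOC!"
signature are constructed; real filesystems differ in detail, not in principle.
"""
BLOCK_SIZE = 16
NUM_BLOCKS = 8


class ToyDisk:
    """A flat byte array plus an allocation table, like a minimal FAT."""

    def __init__(self):
        self.data = bytearray(BLOCK_SIZE * NUM_BLOCKS)   # the raw platter
        self.free = [True] * NUM_BLOCKS                  # allocation table
        self.directory = {}                              # name -> block indexes

    def write_file(self, name, content):
        """Allocate free blocks (first fit) and store the content."""
        blocks = []
        for start in range(0, len(content), BLOCK_SIZE):
            idx = self.free.index(True)
            chunk = content[start:start + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
            self.data[idx * BLOCK_SIZE:(idx + 1) * BLOCK_SIZE] = chunk
            self.free[idx] = False
            blocks.append(idx)
        self.directory[name] = blocks

    def delete_file(self, name):
        """What the OS 'delete' does: flip the table entries, leave the bytes alone."""
        for idx in self.directory.pop(name):
            self.free[idx] = True

    def overwrite_free_space(self, fill=b"\x00"):
        """What shred-style wiping does on an hdd: physically write over free blocks."""
        for idx, is_free in enumerate(self.free):
            if is_free:
                self.data[idx * BLOCK_SIZE:(idx + 1) * BLOCK_SIZE] = fill * BLOCK_SIZE


def carve(disk, marker=b"DOC!"):
    """Forensic-style carving: ignore the table, scan raw bytes for the file signature.

    Returns every run of bytes from a marker up to the next NUL (padding).
    """
    found = []
    pos = disk.data.find(marker)
    while pos != -1:
        end = disk.data.find(b"\x00", pos)
        found.append(bytes(disk.data[pos:end if end != -1 else len(disk.data)]))
        pos = disk.data.find(marker, pos + 1)
    return found


def demo():
    """Write, 'delete', carve (still there), overwrite, carve again (gone)."""
    disk = ToyDisk()
    secret = b"DOC!secret client list"     # constructed sample file
    disk.write_file("clients.txt", secret)
    disk.delete_file("clients.txt")
    after_delete = carve(disk)             # recoverable: the table said free, the bytes stayed
    disk.overwrite_free_space()
    after_wipe = carve(disk)               # nothing left to carve
    return after_delete, after_wipe


if __name__ == "__main__":
    recovered, wiped = demo()
    print("carved after delete:", recovered)
    print("carved after overwrite:", wiped)
```

the carve function is the important part: it never consults the allocation table, which is exactly how recovery tools find "deleted" files. on an ssd the overwrite step is the part u cant trust, because the firmware may write the zeros somewhere else and leave the old blocks in place.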
the "cold boot" attack and ram
finally, if u use encryption on ur pc (bitlocker/luks), never leave it in sleep/suspend.
while the pc is on (even with locked screen), the encryption key is written in ram memory in plain text. police uses the cold boot attack: they spray freezing stuff on the ram, rip it out and read the data elsewhere before the power fades.
always use full shutdown, never sleep/hibernate, if ur pc has sensitive data with active encryption.
crypto-shredding: the industry standard for ssds
back to the ssd problem: shred and overwriting dont work because the firmware redirects writes (wear leveling). the industry standard solution, used by aws, gcp and azure for disk disposal, is crypto-shredding.
instead of deleting data directly, u encrypt the entire volume with a randomly generated aes-256 key, then discard only the key. the result? the data is still there physically, but mathematically unrecoverable without it. this is exactly what the blkdiscard command with active encryption (luks) does on linux.
this model is documented by nist sp 800-88 (guidelines for media sanitization) as an approved sanitization method for solid state media. its the same principle behind the iphone "erase all content": the device doesnt erase the data, it discards the encryption key protecting the volume.
if the volume was encrypted with luks from the start, "secure wipe" boils down to: cryptsetup erase /dev/sdX. this destroys the key slot and makes the volume inaccessible irreversibly, without needing to overwrite byte by byte.
the lesson is: encrypt the disk from the start (luks on linux, bitlocker on windows, filevault on mac). if u do this, "wiping" at the end of the disks life is trivial and reliable. if u dont, ur gonna have a headache trying to guarantee secure disposal later.
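to make the crypto-shredding idea concrete, heres a miniature encrypted volume in python (added example, not from the original post and not how cryptsetup is implemented). like luks, the volume has a random 256-bit data key that only ever sits on disk wrapped inside a passphrase-protected key slot, plus a digest of the key so a wrong unlock is detected; "wipe" means zeroing the slot. the standard library has no aes, so the cipher is a counter-mode keystream built from hmac-sha256 standing in for the aes-256 the post talks about; the slot format, digest label and pbkdf2 iteration count are my own choices for the example.

```python
"""Crypto-shredding in miniature: destroy the key slot, leave the ciphertext.

Added example, not from the original post or cryptsetup. HMAC-SHA256 in
counter mode stands in for AES-256 so this runs with the standard library only.
"""
import hashlib
import hmac
import os

KEY_BYTES = 32          # 256-bit volume key
ITERATIONS = 100_000    # pbkdf2 work factor (arbitrary for the example)


def keystream_xor(key, nonce, data):
    """XOR data with HMAC-SHA256(key, nonce || counter); same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + (offset // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class EncryptedVolume:
    """Stores only what would sit on disk: ciphertext, wrapped key slot, key digest."""

    def __init__(self, passphrase):
        data_key = os.urandom(KEY_BYTES)
        self.salt = os.urandom(16)
        kek = hashlib.pbkdf2_hmac("sha256", passphrase, self.salt, ITERATIONS)
        self.key_slot = keystream_xor(kek, self.salt, data_key)   # data key wrapped under passphrase
        self.key_digest = hmac.new(data_key, b"volume-key-check", hashlib.sha256).digest()
        self.nonce = b""
        self.ciphertext = b""
        self._data_key = data_key   # lives in RAM only while the volume is open

    def write(self, plaintext):
        """Encrypt the whole volume content with a fresh nonce (no keystream reuse)."""
        self.nonce = os.urandom(16)
        self.ciphertext = keystream_xor(self._data_key, self.nonce, plaintext)

    def close(self):
        """Drop the key from RAM (what a clean shutdown achieves, sleep does not)."""
        self._data_key = None

    def unlock(self, passphrase):
        """Unwrap the slot and check the digest; returns False on a bad or destroyed slot."""
        kek = hashlib.pbkdf2_hmac("sha256", passphrase, self.salt, ITERATIONS)
        candidate = keystream_xor(kek, self.salt, self.key_slot)
        digest = hmac.new(candidate, b"volume-key-check", hashlib.sha256).digest()
        if not hmac.compare_digest(digest, self.key_digest):
            return False
        self._data_key = candidate
        return True

    def read(self):
        if self._data_key is None:
            raise RuntimeError("volume is locked")
        return keystream_xor(self._data_key, self.nonce, self.ciphertext)

    def crypto_shred(self):
        """The 'cryptsetup erase' idea: zero the key slot, do not touch the ciphertext."""
        self.key_slot = bytes(len(self.key_slot))
        self._data_key = None


def demo(passphrase=b"correct horse", secret=b"DOC!quarterly client list"):
    """Normal use works, then after shredding the right passphrase no longer unlocks."""
    vol = EncryptedVolume(passphrase)
    vol.write(secret)
    vol.close()
    reopened = vol.unlock(passphrase) and vol.read() == secret
    vol.crypto_shred()
    ciphertext_intact = len(vol.ciphertext) == len(secret) and vol.ciphertext != secret
    still_unlockable = vol.unlock(passphrase)
    return reopened, ciphertext_intact, still_unlockable


if __name__ == "__main__":
    print("reopened, ciphertext still on disk, unlockable after shred:", demo())
```

note what the last two values say: the ciphertext bytes are still physically there (nothing was overwritten, which is why this works on an ssd with wear leveling), but with the slot zeroed even the correct passphrase gets rejected. its also the reason the post says encrypt from the start: if the data was ever written in the clear, there is no key to throw away.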