After it became known that the cell phone data of Fernando Sabag, the aggressor arrested for the attack against Cristina Fernández de Kirchner, had been erased, the methods used to try to unlock the device raised two questions: can everything be erased remotely? And what is UFED, the Israeli system they used to try to gain access, and how does it work?
The answer to the first question is yes: a phone can be factory reset remotely (that is, without having it in hand, from a computer). Sabag used a Galaxy A50, and both Google, owner of the Android operating system, and Samsung, manufacturer of the device, offer functions for remote access: “Find My Device” and “Find My Mobile”.
However, there are certain conditions to be able to do this. “In order to remotely wipe data from a phone, the device has to have some form of network connectivity. Either be connected to a previously configured Wi-Fi network (a very unlikely situation due to the place where the situation occurred) or to the cellular data network”, explains Javier Smaldone, system administrator and IT expert.
“In addition, to delete the data from another place, someone should have activated the option remotely, using the account of the accused, who is currently detained and without access to a computer,” he adds.
The function is used to search for the phone, but it also allows you to erase data: only someone who has the key can do it. Photo: Shutterstock
After Sabag’s arrest, Judge María Eugenia Capuchetti ordered the phone to be placed in an envelope with what is known as a “chain of custody.”
It was then that the Federal Police tried to gain access, without success, and ended up referring the case to the Ezeiza Airport Security Police. According to reports, both used the “UFED” system without success.
UFED, the system they used to try to unlock it
UFED, the system used to access cell phones. Photo Cellebrite
“Universal Forensic Extraction Device”, UFED, is the name of the program of the Israeli company Cellebrite to extract information from mobile phones under court orders.
“It is a security product from the Israeli firm Cellebrite, oriented to data extraction for forensic use. Although its use on mobiles became popular, it covers an important range of devices, including GPS units and drones”, Mauro Eldritch, computer security threat analyst, explains to Clarín.
“After connecting to a device, UFED manages to obtain information by two methods: logical extraction, interacting with the specific API of the device manufacturer to obtain its ‘current status’ -communications, personal data, files-; or physical extraction, which produces a ‘dump’ of the content of the device, potentially allowing access to files that were deleted, hidden or simply not understood by the first method”, he adds.
As for how it works, the expert says that “they use different techniques to achieve their goal, such as the use of functions to bypass locks (PINs, passwords), temporarily ‘rooting’ the device -gaining more permissions-, or placing it in a particular boot mode, such as ‘EDL’ mode, Emergency Download Mode”.
However, he warns that “Cellebrite has Certified Operators (CCO) for the use of its devices, due to the criticality of the cases where it is applied and the potentially destructive nature of some of its functions: a misoperation of the product can render an investigated device unusable”.
Sabag Montiel, CFK’s aggressor, is being held at the Cavia street police headquarters in Palermo. Photo Federico Imas
In this scenario, it is difficult to understand how information could have been deleted from a device that should have been in airplane mode, in a sealed envelope and under chain of custody.
This detail is not minor, because the suspect’s mobile phone is one of the main pieces of evidence in the case investigating the assassination attempt on Cristina Kirchner.
Thus, it runs the risk of being left unusable and becoming a “bricked” device, as it is said in computer jargon, from the English “brick”.