Last updated:

📱 Cellebrite, UFED and Phone Forensics: What It Can Actually Extract

The Israeli forensics toolkit used by police worldwide — what its own leaked support matrices say it can and cannot do, why BFU versus AFU decides almost everything, and the one countermeasure that beats all the others.

Key findings

Cellebrite's own leaked Android OS Access Support Matrix — screenshotted from a private law-enforcement briefing by a source calling themselves rogueFed in October 2025 and reported by 404 Media — shows its tools can extract from stock Pixel 6, 7, 8 and 9 in all three device states, but cannot brute-force passcodes and cannot copy eSIMs from Pixels. The same matrix lists every locked Pixel 9 running GrapheneOS as no-access, with access only against GrapheneOS builds older than roughly late 2022. The decisive variable isn't the phone, it's the state: BFU (before first unlock — keys not in memory) versus AFU (after first unlock — keys resident in RAM). Which makes the single highest-leverage countermeasure embarrassingly simple: power the device off. Vendors know it — Cellebrite's Safeguard Mode and Magnet's GrayKey Preserve exist specifically to fight iOS inactivity reboot.

Cellebrite is the most widely deployed phone-extraction toolkit in law enforcement. Almost everything published about it is either vendor marketing or speculation. This page uses a better source: Cellebrite's own internal support matrices, leaked three times between April 2024 and October 2025, in which the company tells its customers exactly where its tools fail.

Why this is on an OSINT site: every tool here helps someone find things out. Understanding what a forensic toolkit can pull from a seized device is the same literacy in reverse — and the same knowledge a defence lawyer needs to challenge an extraction's reliability in court.

BFU vs AFU: the distinction that decides everything

Almost every argument about phone forensics is really an argument about state. A seized device is in one of three, and the gap between them is far larger than most people assume:

🔒 BFU — Before First UnlockNot unlocked since it powered on. Full-disk encryption keys are not in memory. The data is genuinely encrypted. Extraction yields little beyond device identifiers. This is the state you want.
🔓 AFU — After First UnlockUnlocked at least once since boot, then re-locked. Decryption keys are resident in RAM. Even with the screen locked, a large amount of the filesystem becomes reachable. Most seized phones are in this state — which is the entire business model.
👁️ UnlockedAn examiner browses it directly. The simplest forensic case and the one no software countermeasure helps with.
This is why "power it off" is not folk wisdom. A powered-off phone is in BFU. No keys in memory means the entire class of AFU techniques — the ones most forensic workflows actually rely on — simply doesn't apply. It also disables biometric unlock, which in the US matters legally: courts have been considerably more willing to compel a face or fingerprint than a passcode. That area of law is genuinely unsettled and varies by circuit — but the practical asymmetry is real.

What the leaked matrices say

Cellebrite does not publish its capabilities. Three leaks did it for them. In April 2024, iOS and Android support matrices surfaced. A further matrix appeared in February 2025. Then in October 2025, a source using the handle rogueFed joined a private Microsoft Teams briefing between Cellebrite staff and prospective law-enforcement buyers, screenshotted the internal Android OS Access Support Matrix, and posted it to the GrapheneOS forums. 404 Media reported it.

TargetBFUAFUUnlocked
Pixel 6/7/8/9 — stock AndroidSome accessAccessAccess
Pixel 6a+ — GrapheneOSNo accessNo accessLost FFS support (per Oct 2025 matrix)
GrapheneOS builds older than ~late 2022PartialPartialPartial
Passcode brute-forceNot supported — cannot gain full control
eSIM copying (Pixel)Not supported — a real gap as devices go eSIM-only

The Pixel 10 does not appear on the leaked list. Absence is not evidence of protection — it is evidence of a document with a date on it.

Why GrapheneOS shows up so differently

The same hardware, a different OS, and a dramatically different row in Cellebrite's own table. The reasons are unglamorous and worth stating because they generalise:

  • Patch speed. GrapheneOS shipped a fix for CVE-2024-53197 — part of an active Cellebrite exploit chain — ahead of upstream. In a patch race, weeks matter.
  • USB hardening. Most extraction arrives over USB. GrapheneOS restricts USB behaviour while locked far more aggressively than stock Android.
  • Auto-reboot. A configurable timer returns the device to BFU after idle — automating the one countermeasure that actually works.
  • Attack-surface reduction. Hardened memory allocator, stricter sandboxing, fewer reachable code paths for an exploit to land in.
The honest caveat: this is a snapshot, not a guarantee. A leaked matrix describes one vendor's capability on one date. Cellebrite is not the only vendor — Magnet's GrayKey occupies similar ground — and capability changes with every patch cycle in both directions. Anyone telling you a phone is forensically safe is selling something.

Countermeasures, ranked honestly

1Power it offForces BFU. Removes keys from memory. Disables biometric unlock. Free, instant, and it beats everything below it. If you do one thing, do this.
2A long passphrase, not a PINBFU protection is only as good as the key. If brute-force can't be run — and the matrices say it can't — then length is what stands between an encrypted disk and a decrypted one.
3Auto-reboot timersGrapheneOS ships one; iOS has inactivity reboot. Both drag the device back to BFU without you remembering to. Cellebrite's Safeguard Mode and Magnet's GrayKey Preserve exist specifically to fight this, which tells you it works.
4Hardened firmwareGrapheneOS on a recent Pixel is the configuration Cellebrite's own matrix lists as no-access. iOS Lockdown Mode reduces surface on Apple devices.
5lockup — interesting, not load-bearinggithub.com/levlesec/lockup — a CC0 Android app that detects and attempts to defeat some UFED techniques. Its own description says proof-of-concept, and its last commit was June 2024. Read it as research. Do not build a threat model on it.

Frequently asked questions

What is Cellebrite?

Cellebrite is an Israeli digital-forensics company whose tools extract data from seized mobile devices. Its best-known product line is UFED (Universal Forensic Extraction Device), now sold alongside the newer Inseyets platform, plus Guardian for cloud evidence management and Digital Collector for computer acquisition. Customers are police forces, intelligence agencies and private investigators worldwide. It is the single most widely deployed phone-extraction toolkit in law enforcement, which is why what it can and cannot do is a matter of public interest rather than idle curiosity.

What are BFU and AFU, and why do they matter more than anything else?

They are the three states a seized phone can be in, and they determine almost everything about what can be extracted. BFU (Before First Unlock) means the device has not been unlocked since it was last powered on: full-disk encryption keys are not in memory, and the data is genuinely encrypted. AFU (After First Unlock) means it has been unlocked at least once since boot, so decryption keys are resident in RAM and a large amount of data becomes reachable even though the screen is locked. Unlocked means an examiner can simply browse it. The gap between BFU and AFU is enormous — far bigger than most people assume — which is why the single most effective thing you can do when a device may be seized is power it off.

What did the leaked Cellebrite support matrices actually show?

In October 2025, an anonymous source using the handle rogueFed joined a private Microsoft Teams briefing between Cellebrite staff and prospective law-enforcement customers, screenshotted an internal 'Android OS Access Support Matrix', and posted it to the GrapheneOS forums; 404 Media reported it. Earlier matrices leaked in April 2024 and February 2025. Together they showed that Cellebrite could extract data from stock Google Pixel 6, 7, 8 and 9 devices across all three states — but could not brute-force passcodes to gain full control, and could not copy eSIMs from Pixel devices. The most cited finding was that Pixels running GrapheneOS resisted extraction dramatically better than the same hardware running stock Android.

Does GrapheneOS actually stop Cellebrite?

According to Cellebrite's own leaked matrices, largely yes on recent hardware — with caveats worth stating precisely. The matrices indicate GrapheneOS on Pixel 6a and newer resists both BFU and AFU extraction, and that access was only available against GrapheneOS builds older than roughly late 2022. A matrix leaked in October 2025 suggests Cellebrite had by then also lost full-file-system extraction against even unlocked GrapheneOS devices. Locked Pixel 9 units running GrapheneOS were listed as no-access. The mechanisms are unglamorous: faster kernel patching (GrapheneOS shipped a fix for CVE-2024-53197, part of an active Cellebrite exploit chain, ahead of upstream), USB stack hardening, attack-surface reduction, and an auto-reboot timer that returns the device to BFU. None of this is permanent — it is a patch race, and a leaked matrix is a snapshot of one vendor on one date.

What is the single most effective countermeasure?

Power the device off. That is not a slogan; it follows directly from the BFU/AFU distinction. A powered-off phone has no decryption keys in memory, which removes the entire class of AFU extraction techniques that most forensic workflows depend on. It also disables biometric unlock, which matters legally in the US: courts have been far more willing to compel a fingerprint or face than a passcode, and the law here is genuinely unsettled and varies by circuit. GrapheneOS's auto-reboot feature automates this by returning the device to BFU after a configurable idle period. Forensic vendors have noticed — Cellebrite's Safeguard Mode and Magnet's GrayKey Preserve are explicit countermeasures to iOS's inactivity reboot.

What is lockup, and should I rely on it?

lockup (github.com/levlesec/lockup) is a proof-of-concept Android application, released under CC0, that aims to detect and defeat some UFED extraction techniques. It is genuinely interesting as research and it is worth reading. It is not something to bet your safety on: its own description says proof-of-concept, and its last commit was June 2024, which is a long time in a field where the exploit surface changes with every patch level. Treat it as a demonstration of the idea rather than a shield. If your threat model actually includes device seizure, hardened firmware and powering off are load-bearing; a PoC app is not.

Is Cellebrite only used by police?

No, and that is part of why it draws scrutiny. Cellebrite sells to law enforcement, intelligence services, border agencies, corporate investigators and regulators, and its tools have been documented in use against journalists and activists in several countries. The company has policies restricting sales to certain jurisdictions and has withdrawn from some markets after reporting. The broader point for anyone modelling their risk: extraction capability is not confined to a single agency in a single country, and a device seized at a border is subject to a very different legal regime than one seized under a domestic warrant.

Is any of this illegal to read about?

No. Everything on this page comes from published reporting, leaked documents already covered by mainstream outlets, public CVE records and open-source repositories. Understanding how forensic extraction works is ordinary security literacy — it is the same knowledge the vendors sell to their customers, and the same knowledge defence lawyers need to challenge an extraction's reliability in court. Using it to obstruct a lawful investigation is a separate matter and a serious offence in most jurisdictions; knowing how your own device protects you is not.