Last updated:
📱 Cellebrite, UFED and Phone Forensics: What It Can Actually Extract
The Israeli forensics toolkit used by police worldwide — what its own leaked support matrices say it can and cannot do, why BFU versus AFU decides almost everything, and the one countermeasure that beats all the others.
Key findings
Cellebrite's own leaked Android OS Access Support Matrix — screenshotted from a private law-enforcement briefing by a source calling themselves rogueFed in October 2025 and reported by 404 Media — shows its tools can extract from stock Pixel 6, 7, 8 and 9 in all three device states, but cannot brute-force passcodes and cannot copy eSIMs from Pixels. The same matrix lists every locked Pixel 9 running GrapheneOS as no-access, with access only against GrapheneOS builds older than roughly late 2022. The decisive variable isn't the phone, it's the state: BFU (before first unlock — keys not in memory) versus AFU (after first unlock — keys resident in RAM). Which makes the single highest-leverage countermeasure embarrassingly simple: power the device off. Vendors know it — Cellebrite's Safeguard Mode and Magnet's GrayKey Preserve exist specifically to fight iOS inactivity reboot.
Cellebrite is the most widely deployed phone-extraction toolkit in law enforcement. Almost everything published about it is either vendor marketing or speculation. This page uses a better source: Cellebrite's own internal support matrices, leaked three times between April 2024 and October 2025, in which the company tells its customers exactly where its tools fail.
BFU vs AFU: the distinction that decides everything
Almost every argument about phone forensics is really an argument about state. A seized device is in one of three, and the gap between them is far larger than most people assume:
What the leaked matrices say
Cellebrite does not publish its capabilities. Three leaks did it for them. In April 2024, iOS and Android support matrices surfaced. A further matrix appeared in February 2025. Then in October 2025, a source using the handle rogueFed joined a private Microsoft Teams briefing between Cellebrite staff and prospective law-enforcement buyers, screenshotted the internal Android OS Access Support Matrix, and posted it to the GrapheneOS forums. 404 Media reported it.
| Target | BFU | AFU | Unlocked |
|---|---|---|---|
| Pixel 6/7/8/9 — stock Android | Some access | Access | Access |
| Pixel 6a+ — GrapheneOS | No access | No access | Lost FFS support (per Oct 2025 matrix) |
| GrapheneOS builds older than ~late 2022 | Partial | Partial | Partial |
| Passcode brute-force | Not supported — cannot gain full control | ||
| eSIM copying (Pixel) | Not supported — a real gap as devices go eSIM-only | ||
The Pixel 10 does not appear on the leaked list. Absence is not evidence of protection — it is evidence of a document with a date on it.
Why GrapheneOS shows up so differently
The same hardware, a different OS, and a dramatically different row in Cellebrite's own table. The reasons are unglamorous and worth stating because they generalise:
- Patch speed. GrapheneOS shipped a fix for CVE-2024-53197 — part of an active Cellebrite exploit chain — ahead of upstream. In a patch race, weeks matter.
- USB hardening. Most extraction arrives over USB. GrapheneOS restricts USB behaviour while locked far more aggressively than stock Android.
- Auto-reboot. A configurable timer returns the device to BFU after idle — automating the one countermeasure that actually works.
- Attack-surface reduction. Hardened memory allocator, stricter sandboxing, fewer reachable code paths for an exploit to land in.
Countermeasures, ranked honestly
Frequently asked questions
What is Cellebrite?
Cellebrite is an Israeli digital-forensics company whose tools extract data from seized mobile devices. Its best-known product line is UFED (Universal Forensic Extraction Device), now sold alongside the newer Inseyets platform, plus Guardian for cloud evidence management and Digital Collector for computer acquisition. Customers are police forces, intelligence agencies and private investigators worldwide. It is the single most widely deployed phone-extraction toolkit in law enforcement, which is why what it can and cannot do is a matter of public interest rather than idle curiosity.
What are BFU and AFU, and why do they matter more than anything else?
They are the three states a seized phone can be in, and they determine almost everything about what can be extracted. BFU (Before First Unlock) means the device has not been unlocked since it was last powered on: full-disk encryption keys are not in memory, and the data is genuinely encrypted. AFU (After First Unlock) means it has been unlocked at least once since boot, so decryption keys are resident in RAM and a large amount of data becomes reachable even though the screen is locked. Unlocked means an examiner can simply browse it. The gap between BFU and AFU is enormous — far bigger than most people assume — which is why the single most effective thing you can do when a device may be seized is power it off.
What did the leaked Cellebrite support matrices actually show?
In October 2025, an anonymous source using the handle rogueFed joined a private Microsoft Teams briefing between Cellebrite staff and prospective law-enforcement customers, screenshotted an internal 'Android OS Access Support Matrix', and posted it to the GrapheneOS forums; 404 Media reported it. Earlier matrices leaked in April 2024 and February 2025. Together they showed that Cellebrite could extract data from stock Google Pixel 6, 7, 8 and 9 devices across all three states — but could not brute-force passcodes to gain full control, and could not copy eSIMs from Pixel devices. The most cited finding was that Pixels running GrapheneOS resisted extraction dramatically better than the same hardware running stock Android.
Does GrapheneOS actually stop Cellebrite?
According to Cellebrite's own leaked matrices, largely yes on recent hardware — with caveats worth stating precisely. The matrices indicate GrapheneOS on Pixel 6a and newer resists both BFU and AFU extraction, and that access was only available against GrapheneOS builds older than roughly late 2022. A matrix leaked in October 2025 suggests Cellebrite had by then also lost full-file-system extraction against even unlocked GrapheneOS devices. Locked Pixel 9 units running GrapheneOS were listed as no-access. The mechanisms are unglamorous: faster kernel patching (GrapheneOS shipped a fix for CVE-2024-53197, part of an active Cellebrite exploit chain, ahead of upstream), USB stack hardening, attack-surface reduction, and an auto-reboot timer that returns the device to BFU. None of this is permanent — it is a patch race, and a leaked matrix is a snapshot of one vendor on one date.
What is the single most effective countermeasure?
Power the device off. That is not a slogan; it follows directly from the BFU/AFU distinction. A powered-off phone has no decryption keys in memory, which removes the entire class of AFU extraction techniques that most forensic workflows depend on. It also disables biometric unlock, which matters legally in the US: courts have been far more willing to compel a fingerprint or face than a passcode, and the law here is genuinely unsettled and varies by circuit. GrapheneOS's auto-reboot feature automates this by returning the device to BFU after a configurable idle period. Forensic vendors have noticed — Cellebrite's Safeguard Mode and Magnet's GrayKey Preserve are explicit countermeasures to iOS's inactivity reboot.
What is lockup, and should I rely on it?
lockup (github.com/levlesec/lockup) is a proof-of-concept Android application, released under CC0, that aims to detect and defeat some UFED extraction techniques. It is genuinely interesting as research and it is worth reading. It is not something to bet your safety on: its own description says proof-of-concept, and its last commit was June 2024, which is a long time in a field where the exploit surface changes with every patch level. Treat it as a demonstration of the idea rather than a shield. If your threat model actually includes device seizure, hardened firmware and powering off are load-bearing; a PoC app is not.
Is Cellebrite only used by police?
No, and that is part of why it draws scrutiny. Cellebrite sells to law enforcement, intelligence services, border agencies, corporate investigators and regulators, and its tools have been documented in use against journalists and activists in several countries. The company has policies restricting sales to certain jurisdictions and has withdrawn from some markets after reporting. The broader point for anyone modelling their risk: extraction capability is not confined to a single agency in a single country, and a device seized at a border is subject to a very different legal regime than one seized under a domestic warrant.
Is any of this illegal to read about?
No. Everything on this page comes from published reporting, leaked documents already covered by mainstream outlets, public CVE records and open-source repositories. Understanding how forensic extraction works is ordinary security literacy — it is the same knowledge the vendors sell to their customers, and the same knowledge defence lawyers need to challenge an extraction's reliability in court. Using it to obstruct a lawful investigation is a separate matter and a serious offence in most jurisdictions; knowing how your own device protects you is not.