The police told the Coroner’s Court on September 1 that they were unable to access a mobile phone belonging to the deceased fifteen-year-old Chan Yin-lam because it was passcode-locked. FactWire found that this is contradicted by the fact that as early as September of last year – before Chan’s body was found – the police already possessed the ability to unlock and extract data from equivalent and older models of passcode-locked mobiles.
In late September of last year, Chan’s naked body was found floating in the sea near Yau Tong. The jury in the Coroner’s Court today returned an open verdict on her cause of death.
During the inquest, which started last month, Detective Constable Lee Ho-kit testified that the police had taken the two iPhones which Chan owned for investigation. No noteworthy browsing records were discovered in the black mobile found in Tiu Keng Leng MTR station. However, the police said they were unable to access the other mobile, a pink one found on the podium of Hong Kong Design Institute, because it was locked with a passcode.
The court said today that it would retain the pink mobile for a year. Further investigation will be conducted if the police find the technology to extract its data.
FactWire obtained, through open sources, photos that Chan had taken with her mobile and reviewed them. According to the photos’ raw data, they were taken with an iPhone XR, which was mostly used for daily photography.
At the time of the photos’ timestamps, the iPhone XR was not available in the colour pink. The mobile used to take the photos is thus likely to be the black mobile. The iPhone 11 and 11 Pro were also not yet available for sale, suggesting that Chan’s pink mobile is actually an older model of the iPhone.
Taking reference from activist Joshua Wong’s case, the police already possessed the technology to unlock an iPhone XR in September of last year. A Facebook post by Wong on April 2, 2020 reads, ‘When the police arrested and charged me on August 30 last year, they took the iPhone XR I was using as evidence. I never provided my passcode to the police nor had they requested me to do so. To my surprise, the list of exhibits that I received on December 18 included four copies of my mobile messaging records.’
Wong said he later received a document handed to the court by the police. The confession stated that the officers of the Cyber Security and Technology Crime Bureau had made use of the forensic software tools ‘Cellebrite UFED Physical Analyzer’ and ‘MSAB XRY’ to acquire data from his iPhone XR, including its passcode and photos.
The written account of how the police used these tools appears in the court document included in Wong’s Facebook post. It shows that the police extracted data from the mobile on September 9, 2019, using the Israeli software ‘Cellebrite UFED Physical Analyzer version 184.108.40.206’ and the Swedish software ‘MSAB XRY version 9.0.1’.
FactWire has further confirmed with Wong that the mobile unlocked by the police in September last year was an iPhone XR.
Not only is Cellebrite’s software able to extract data from the iPhone XR – which was the latest iPhone model at that time – it is also able to extract data from older iPhone models. Extraction is based on the ‘Checkm8’ exploit developed by axi0mX. According to Cellebrite’s information, the exploit can be used to extract data from iPhones ranging from the model 5S to the X. The police are also a client of forensic service providers such as MSAB and Elcomsoft, which are renowned for phone unlocking.