Leaked Cellebrite Briefing: GrapheneOS Significantly Hardens Google Pixel Against Mobile Forensics

CyberSecureFox 🦊

A leaked set of slides from a closed Cellebrite briefing, shared on the GrapheneOS forums by an anonymous user known as rogueFed, outlines which Google Pixel models and device states are susceptible to data extraction. The documents indicate a clear trend: Pixel phones running GrapheneOS exhibit substantially stronger resistance to forensic acquisition than those on stock Android.

Cellebrite leak: target devices and forensic device states

Cellebrite, an Israeli vendor of mobile forensic tools used by law enforcement and private investigators, typically keeps its capabilities confidential. The leaked screenshots reportedly cover Pixel 6, 7, 8, and 9, with Pixel 10 absent from the listed scope. Devices are categorized into three states widely used in digital forensics: BFU (Before First Unlock), when encryption keys have not been loaded after boot; AFU (After First Unlock), when some keys may reside in memory; and Unlocked, when the user has fully authenticated and the profile is accessible.

Stock Android on Pixel: where Cellebrite can extract data

According to the leak, Cellebrite’s tools can perform acquisitions on stock Pixel 6–9 devices across BFU, AFU, and Unlocked scenarios. Notably, the materials state that brute-force attacks on the device passcode/PIN are not supported, meaning the tooling does not bypass the lock screen via passcode cracking. This aligns with platform protections such as Android’s key-stretching and rate limiting designed to resist offline guessing attempts.

The slides also indicate that eSIM cloning is not currently supported on Pixel. As more flagships move toward eSIM-only configurations, the inability to duplicate eSIM profiles complicates lawful intercept or subscriber migration workflows during investigations.

GrapheneOS on Pixel: marked increase in acquisition resistance

For devices running GrapheneOS, the picture changes significantly. The leaked briefing suggests Cellebrite access exists only for older GrapheneOS builds predating late 2022. In effect, Pixel 8 and Pixel 9 are reported as resistant in BFU and AFU, blocking typical acquisition methods that rely on keys being present in memory after first unlock.

Moreover, as of late 2024, the slides claim that even on fully Unlocked GrapheneOS devices, tools fail to extract private user data beyond what is already open and accessible to the user session. This behavior indicates strengthened file-based encryption (FBE), hardened key management, and additional countermeasures that constrain live-response style data harvesting.
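As an added illustration (not from the leaked slides, GrapheneOS, or Android's own code), the toy model below shows why the BFU/AFU distinction described above matters for acquisition: credential-encrypted (CE) data is readable only while the stretched, hardware-bound key sits in RAM, which a screen lock leaves in place and a reboot clears, while device-encrypted (DE) data stays readable in BFU. The keystream cipher, file paths and iteration count are illustrative stand-ins, not the real FBE implementation.

```python
import hashlib
import hmac
import os

def stretch(pin, salt, hw_secret):
    # CE class key: stretched credential bound to a hardware secret, so guesses must run on-device
    return hashlib.pbkdf2_hmac("sha256", pin.encode() + hw_secret, salt, 100_000)
def xor_stream(key, nonce, data):
    # Toy keystream cipher standing in for the AES modes real FBE uses; same call encrypts and decrypts
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

class FbeDevice:
    def __init__(self, pin):
        self.hw_secret = os.urandom(32)  # stand-in for a hardware keystore secret
        self.salt = os.urandom(16)
        self.ce_check = hashlib.sha256(stretch(pin, self.salt, self.hw_secret)).digest()
        self.de_key = hmac.new(self.hw_secret, b"DE", hashlib.sha256).digest()
        self.storage = {}  # path -> (key class, nonce, ciphertext)
        self.reboot()
    def reboot(self):
        self.memory = {"DE": self.de_key}  # BFU: only the device-encrypted key is derivable
    def lock_screen(self):
        pass  # a screen lock evicts nothing; the device stays AFU with the CE key in RAM
    def state(self):
        return "AFU" if "CE" in self.memory else "BFU"
    def unlock(self, pin):
        key = stretch(pin, self.salt, self.hw_secret)
        ok = hmac.compare_digest(hashlib.sha256(key).digest(), self.ce_check)
        if ok:
            self.memory["CE"] = key  # CE key now resident until the next reboot
        return ok
    def write(self, path, data, cls):
        nonce = os.urandom(8)
        self.storage[path] = (cls, nonce, xor_stream(self.memory[cls], nonce, data))
    def read(self, path):
        cls, nonce, ct = self.storage[path]  # None when the class key is not in memory
        return xor_stream(self.memory[cls], nonce, ct) if cls in self.memory else None

def demo():
    dev = FbeDevice("correct horse battery staple")
    dev.unlock("correct horse battery staple")
    dev.write("/data/user_de/0/settings", b"device settings", "DE")
    dev.write("/data/user/0/messages.db", b"private messages", "CE")
    steps = {"unlocked": (dev.state(), dev.read("/data/user/0/messages.db"))}
    dev.lock_screen()
    steps["after_lock"] = (dev.state(), dev.read("/data/user/0/messages.db"))
    dev.reboot()
    steps["after_reboot"] = (dev.state(), dev.read("/data/user/0/messages.db"), dev.read("/data/user_de/0/settings"))
    return steps
```

Running `demo()` shows the CE file readable while unlocked and after a plain screen lock (AFU), but unreadable after a reboot (BFU), where only the DE file comes back.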

Why GrapheneOS hardening matters

GrapheneOS builds on AOSP with a strong emphasis on isolation and exploit mitigation. Public documentation highlights measures such as a hardened memory allocator, stricter app sandboxing and permissions, and tighter I/O policies (for example, conservative USB and debugging defaults). These controls raise the cost of both logical acquisitions and physical attacks by reducing attack surface and limiting what remains accessible in memory. Comparable principles are described in Google’s Android Security documentation on FBE and keystore-backed keys, and in GrapheneOS’s security model materials.

Implications for law enforcement and users

The leak reportedly originates from two private Cellebrite sessions attended incognito, and one screenshot appears to show an organizer’s name—suggesting vendors may increase participant verification. Strategically, the findings reinforce a broader industry trend: as mobile platforms double down on encryption and key isolation, particularly in BFU scenarios, “quick win” forensic techniques are yielding diminishing returns without user cooperation or lawful on-device access.

For users, the takeaway is practical. Strong authentication and secure configuration materially reduce exposure. Security guidance from organizations like the EFF and platform vendors consistently recommends a long alphanumeric passphrase (ideally 12+ characters), disabling developer options and USB access on the lock screen, enabling an eSIM PIN, applying updates promptly, and using emergency lockdown modes that temporarily disable biometrics. For high-risk profiles, adopting a hardened OS such as GrapheneOS can provide an additional layer of resilience.

As forensic capabilities and defensive technologies continue to evolve, both investigators and end users benefit from clarity about realistic access paths. Routine updates, robust passphrases, and conservative device settings remain the most reliable, cost-effective controls—regardless of platform choice. Security teams should periodically reassess threat models and tooling, while individuals should align their device hardening with their personal risk tolerance and operational needs.
