
What a top Russian cyber forensics conference reveals about the country’s ability to hack iPhones and Androids

Source: Meduza

The human rights group Memorial found a publicly available video recording of the 2025 Moscow Forensics Day conference, held in mid-September in the Russian capital. The event brought together digital forensics experts from across the country. Speakers — including representatives not only from cybersecurity firms but also from Russia’s Investigative Committee — discussed the latest tools for hacking devices and online accounts. After watching nearly 10 hours of footage, Meduza has compiled the most notable moments. The main takeaway: none of the talks revealed any breakthrough technologies for hacking computers or smartphones, but they did offer a glimpse into the limits of Russian digital forensics.

Russia’s Investigative Committee can’t buy Cellebrite technology

During her presentation, Olga Tushkanova, head of the criminalistics research division at the Investigative Committee’s main forensics directorate, let slip that Russian forensic experts are unable to purchase products from the Israeli company Cellebrite. The company’s hardware and software tools for unlocking iPhones and Android devices are among the most well-known in the world. In July 2024, for instance, FBI agents used Cellebrite technology to get into the phone of 20-year-old Thomas Matthew Crooks — the man who opened fire on Donald Trump at a rally in Pennsylvania — in just 40 minutes.


“In general, we always face a problem getting what we want,” Tushkanova said. “Ideally, we’d like everything to be one, two, three, and done. Many software products have similar functions, but one has this little feature, another has that one. And I want both features. It’s always a challenge: you’re given a fixed amount of money for procurement, and that’s it — you have to fit the features you want into that budget. And it’s hard to justify that today I want ‘Mobile Criminalist,’ and tomorrow, well… what if Cellebrite comes back? Then I’ll want Cellebrite. It all depends on the market and what’s available.”

Cellebrite officially stopped selling its products and services in Russia in March 2021. However, Mediazona reported that after Russia’s full-scale invasion of Ukraine, the FSB used the company’s equipment at least once — to extract data from the phone of anti-war activist Dmitry Ivanov.

Forced biometric unlocking is becoming standard practice

Olga Tushkanova’s presentation focused on the “Standard methodology for expert analysis of information contained in mobile devices and their components,” developed by the Investigative Committee in 2025.

One of the new elements introduced in these guidelines is a set of petitions that forensic experts can submit to investigators, including requests:

  • to obtain the password needed to access a mobile device’s memory;
  • to obtain the PIN and/or PUK codes needed to access data on a SIM card;
  • to have the device’s user present during the examination for the purpose of biometric identification.

Tushkanova didn’t explain who is responsible for fulfilling these requests or how they are to be carried out. She mentioned only questioning the phone’s owner, as well as certain “operational methods for obtaining password information” and unspecified “tactical maneuvers.”

The last type of request is especially concerning for anyone who relies on Face ID or the equivalent Android face or fingerprint unlock: a forensic expert could simply hold the phone up to the owner’s face, or press the owner’s finger to the sensor, to unlock it. Unlike a passcode, biometric unlock needs no cooperation from the owner, which is why a lock-screen passcode (or disabling biometrics before a search) remains the only protection against this kind of request.


If they find a password, forensic experts shouldn’t rush to download everything themselves

In her presentation, Olga Tushkanova also explained how the new guidelines address a question that had sparked heated debate among her colleagues at the Investigative Committee and the Interior Ministry: what should a forensic examiner do upon discovering “authentication data for cloud services and storage” on a device under examination?

“Well, let’s say we found [the passwords]. We logged into the email account and downloaded whatever we needed. We accessed the cloud storage and downloaded everything from there, too. There were a few reasonable objections: on the one hand, that’s probably beyond our authority […] and on the other, it creates a huge additional volume of data the expert then has to process.”

Ultimately, forensic experts were effectively advised to shift responsibility to investigators. They are instructed to immediately report such findings so that investigators can decide whether to use the discovered passwords and download additional data.

Everyone uses the same open-source program to brute-force passwords

That program is hashcat: a powerful open-source tool for password recovery. It performs password attacks using various methods — from dictionary and mask-based brute force to rule-based generation — and speeds up the process by using GPUs instead of CPUs.

Many speakers at the conference discussed the tool. Valeria Vakhrushina’s presentation for MKO Systems was entirely devoted to the “MK Bruteforce” module — essentially a wrapper for hashcat, adding a Russian-language GUI that’s integrated with the company’s other products.


How the Investigative Committee ‘cracks’ macOS accounts

Introducing Andrey Shavlovsky of the Investigative Committee’s Forensic Expert Center, the conference host promised that the “myth of Apple device invulnerability” would be dispelled.

Shavlovsky explained that local user account data in macOS is always stored in the same location: /var/db/dslocal/nodes/Default/users/<username>.plist (where <username> is the account name). Each file contains a hash and other parameters used to verify the user’s password. Feed those values to a tool like hashcat, and you can attempt to recover the password — but only if you can get hold of the files.

He outlined two major obstacles. First, those files aren’t readable without superuser (root) privileges on the machine, so an examiner needs either a root password or a way to read the disk outside the running system. On single-user machines with disk encryption (FileVault) enabled, that second route requires decrypting the disk, which already means knowing the user’s password, so the whole method is effectively useless. Second, the approach doesn’t help on modern Apple computers that use a cryptographic coprocessor, the Secure Enclave, to protect the disk’s encryption keys in hardware.

Answering audience questions, Shavlovsky acknowledged both limits:

“Obviously, if you’re dealing with an encrypted disk, then if you decrypt it you’ll obtain the user’s password — that’s straightforward. If there’s no disk encryption, you can try different ways to gain access. There are particular difficulties, especially with modern devices. They use hardware encryption via the Security Enclave. And here, even if you have access, without the root password you won’t be able to get in, unfortunately.”
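To make the macOS method concrete, here is an added example (not code from Shavlovsky’s talk or from any of the conference vendors) that parses a dslocal-style user record, pulls out the PBKDF2-HMAC-SHA512 fields macOS keeps under ShadowHashData, formats them as a hashcat “$ml$” line, and checks candidate passwords against them. The user record is constructed inside the script with a known password so that it runs offline; the field names (SALTED-SHA512-PBKDF2, entropy, iterations, salt) are the ones macOS uses, while the hashcat line layout is given from memory and should be checked against hashcat’s own example hash before relying on it.

```python
"""
Offline check of a macOS local-account hash, the step that follows once an
examiner has copied <user>.plist out of /var/db/dslocal/nodes/Default/users/
(which, as the text says, needs root or an unencrypted disk image).

Added example with a CONSTRUCTED record; it is not a file from a real Mac.
"""
import hashlib
import hmac
import os
import plistlib
from typing import Dict, List, Optional

# macOS 10.8+ keeps one PBKDF2-HMAC-SHA512 entry under this key.
SHADOW_KEY = "SALTED-SHA512-PBKDF2"


def make_user_record(name: str, password: str, iterations: int = 30000,
                     salt: Optional[bytes] = None) -> bytes:
    """Build a binary plist shaped like a dslocal user record (test data)."""
    salt = salt if salt is not None else os.urandom(32)
    # macOS derives 128 bytes of "entropy" from the password.
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode(), salt,
                                  iterations, dklen=128)
    inner = plistlib.dumps({SHADOW_KEY: {"entropy": entropy,
                                         "iterations": iterations,
                                         "salt": salt}},
                           fmt=plistlib.FMT_BINARY)
    # The outer record stores ShadowHashData as an array holding the inner
    # binary plist as one data blob; other attributes are arrays of strings.
    return plistlib.dumps({"name": [name], "uid": ["501"],
                           "ShadowHashData": [inner]},
                          fmt=plistlib.FMT_BINARY)


def extract_shadow(record: bytes) -> Dict[str, object]:
    """Return salt, iteration count and entropy from a user record plist."""
    outer = plistlib.loads(record)
    inner = plistlib.loads(outer["ShadowHashData"][0])
    entry = inner[SHADOW_KEY]
    return {"salt": bytes(entry["salt"]),
            "iterations": int(entry["iterations"]),
            "entropy": bytes(entry["entropy"])}


def to_hashcat_line(shadow: Dict[str, object]) -> str:
    """hashcat mode 7100 layout as recalled here: $ml$<iter>$<salt>$<entropy>.
    Assumption: verify the field widths against hashcat's example hash."""
    return "$ml${}${}${}".format(shadow["iterations"], shadow["salt"].hex(),
                                 shadow["entropy"].hex())


def check_password(shadow: Dict[str, object], candidate: str) -> bool:
    """Recompute PBKDF2 for one guess and compare in constant time."""
    guess = hashlib.pbkdf2_hmac("sha512", candidate.encode(), shadow["salt"],
                                shadow["iterations"],
                                dklen=len(shadow["entropy"]))
    return hmac.compare_digest(guess, shadow["entropy"])


def dictionary_attack(shadow: Dict[str, object],
                      wordlist: List[str]) -> Optional[str]:
    """Wordlist attack with three hashcat-style rules per word:
    as-is, capitalised, and with a digit appended."""
    for word in wordlist:
        for cand in (word, word.capitalize(), word + "1"):
            if check_password(shadow, cand):
                return cand
    return None


if __name__ == "__main__":
    record = make_user_record("alice", "Winter2025")  # constructed account
    shadow = extract_shadow(record)
    print(to_hashcat_line(shadow)[:60] + "...")
    print(dictionary_attack(shadow, ["summer", "winter2025"]))
```

Every guess costs a full PBKDF2 run at the stored iteration count, which is why the work is normally handed to hashcat on a GPU rather than done in Python; the script only shows what the examiner is actually feeding that tool, and that nothing here works until the record has been read from disk.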

Brute-forcing modern Androids also doesn’t work

Vyacheslav Chikin of ACELab described his experiments to speed up password cracking on modern Android devices. These devices use the scrypt key-derivation function, deliberately designed to demand large amounts of RAM. As a result, Chikin estimates that even an eight-character password — where the only thing you know is its length and you must therefore brute-force it on a high-end CPU or GPU — would take roughly 10,000 years to crack.
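The two cracking passages above, hashcat’s mask attacks and Chikin’s scrypt estimate, come down to the same arithmetic: keyspace divided by guesses per second, where the per-guess cost is set by the key-derivation function. The following added example (written for this page, not ACELab’s or hashcat’s code) computes the keyspace of a hashcat mask, the RAM one scrypt derivation pins down, and the time to exhaust the keyspace at a measured or assumed guess rate. The scrypt parameters are assumed for illustration; the page does not state which settings Android uses.

```python
"""
Keyspace and key-derivation cost arithmetic behind the "10,000 years" claim.
Added example; the scrypt parameters (N, r, p) are ASSUMED, not Android's.
"""
import hashlib
import os
import time
from typing import Dict

# hashcat built-in charsets and how many characters each one covers.
MASK_CHARSETS: Dict[str, int] = {"?l": 26, "?u": 26, "?d": 10, "?s": 33,
                                 "?a": 95, "?h": 16, "?H": 16, "?b": 256}


def mask_keyspace(mask: str) -> int:
    """Candidates covered by a hashcat mask such as '?a?a?a?a?a?a?a?a'.
    A literal character contributes exactly one choice."""
    total, i = 1, 0
    while i < len(mask):
        token = mask[i:i + 2]
        if token in MASK_CHARSETS:
            total *= MASK_CHARSETS[token]
            i += 2
        else:
            i += 1
    return total


def scrypt_memory_bytes(n: int, r: int) -> int:
    """RAM scrypt's mixing buffer needs for one derivation: 128 * r * N.
    This is the memory-hardness that keeps GPUs from running thousands of
    guesses in parallel the way they do for PBKDF2."""
    return 128 * r * n


def scrypt_derive(password: bytes, salt: bytes, n: int, r: int, p: int) -> bytes:
    """One guess: derive a 32-byte key with hashlib's OpenSSL-backed scrypt."""
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=32,
                          maxmem=2 * scrypt_memory_bytes(n, r))


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to walk the whole keyspace, in years."""
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


def benchmark_guesses_per_second(n: int = 2 ** 14, r: int = 8, p: int = 1,
                                 rounds: int = 5) -> float:
    """Measure single-threaded guesses per second for the assumed parameters."""
    salt = os.urandom(16)  # constructed; only its length matters here
    t0 = time.perf_counter()
    for i in range(rounds):
        scrypt_derive(b"guess%d" % i, salt, n, r, p)
    return rounds / (time.perf_counter() - t0)


if __name__ == "__main__":
    space = mask_keyspace("?a?a?a?a?a?a?a?a")   # 8 printable-ASCII chars
    print("keyspace:", space)
    print("RAM per guess (MiB):", scrypt_memory_bytes(2 ** 14, 8) / 2 ** 20)
    rate = benchmark_guesses_per_second()
    print("measured guesses/s:", round(rate, 1))
    print("years at that rate:", round(years_to_exhaust(space, rate)))
    # For comparison: a hypothetical 10,000 guesses/s device.
    print("years at 10k/s:", round(years_to_exhaust(space, 1e4)))
```

The measured rate on one CPU core is typically tens of guesses per second for these parameters, so the 8-character printable-ASCII keyspace (95^8, about 6.6 × 10^15 candidates) works out to millions of years; even a hypothetical 10,000 guesses per second leaves roughly 21,000 years, the same order of magnitude as Chikin’s estimate. Note that hashcat’s GPU advantage comes from running many guesses in parallel, and 16 MiB per in-flight guess is exactly what limits that parallelism.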

Text by Denis Dmitriev

Cover photo: MKO Systems