Police come across killer’s encrypted data – and crack encryption

A student was murdered in Freiburg in 2016. Encrypted data on an iPhone played a role in solving the case.

Deutsche Version

When a criminal uses an encryption program like PGP, TrueCrypt or VeraCrypt, the police are usually at a loss. Today’s crypto software is so secure that even the best IT forensic experts often have no chance of solving an encryption. Similarly, data stored on a password-protected smartphone is usually protected with modern cryptography as well.

However, there are exceptions. For example, if the user uses a password that can be guessed, investigators can often crack an encryption. Sometimes it’s also bugs in the hardware or software that make it possible for the police to get hold of the key. The encryption method itself, on the other hand – often it is the AES – is not solvable even for the best experts.

Cases where criminals or suspects have used modern encryption abound. I compiled a list of such cases years ago. In the meantime, 55 cases have been collected there. I have noted numerous others, which I will include when I have the opportunity. It would certainly be possible to expand the list to 100 or more cases.

One thing is clear: My list only includes cases that are publicly known. However, this is only the tip of the iceberg, because the police do not like to talk about it when criminals use encryption technology.


The Maria Ladenburger case

A few days ago, I noticed that a criminal case I already knew from the media fit my list – without me being aware of it. In the meantime, I have taken it up. It’s about the murder of 19-year-old medical student Maria Ladenburger in Freiburg (Breisgau) in 2016. Ladenburger was found dead in the water of the Dreisam River on October 15, 2016. The perpetrator had raped his victim before the murder.

After an intensive manhunt, police identified Afghan Hussein Khavari as the suspect. Khavari confessed to the murder, but claimed to have killed Ladenburger in the heat of passion, which could have had a mitigating effect on the sentence.

Among the evidence police evaluated was the iPhone 6 S belonging to the alleged perpetrator. A police officer is quoted as saying, “He [Khavari] didn’t want to give us the PIN code, and without a PIN code you can’t do anything with iPhones from the 4 S model.” This is because smartphones of this type encrypt the data stored on them, provided the user has activated password protection.

The police now approached a company from Munich to crack the encryption. After several months – shortly before the start of the trial – they succeeded. On the cell phone, which was now accessible, the forensic experts were first interested in the device’s geodata. With these, the investigators were able to trace where Khavari had been on the night of the murder – everything matched the course of the crime.

The “health app” on Khavari’s smartphone proved even more interesting. This pre-installed tool records how many steps the user takes in a certain time and the distance he climbs. It turned out that between about 2:30 a.m. and shortly after 4 a.m., Khavari moved only a few steps. However, his cell phone showed “climbing stairs” twice during the period in question. These had to be the two moments when Khavari had dragged his victim down the embankment and then climbed back up.

These data showed: Khavari had not acted in the heat of the moment, but had sexually abused Maria Ladenburger over a longer period of time. The reduction in sentence hoped for by the perpetrator was thus off the table. In the end, the court sentenced Khavari to life imprisonment, establishing the particular gravity of the guilt.



The Ladenburger case shows that digital data is becoming increasingly important in solving crimes – even when they are not online crimes.

As in virtually all the other cases on my list, the police in this one have by no means released all the information about the encryption technology used. At least we know that the perpetrator used an iPhone 6 S.

And who was the “Munich company” that cracked the iPhone. As we learn in the following documentary (from 37:11), it was probably the Israeli company Cellebrite, whose German branch is based in Munich:

What is not known, however, is the company’s approach to leveraging the encryption. The experts are unlikely to have cracked the encryption itself (AES is used). Since an iPhone deletes the key after ten incorrect PINs have been entered, it is not possible to simply try through all the PINs.

So the specialists must have somehow gotten hold of the key, which was derived from the PIN (using a hash function). One possibility for the attacker is to hash one PIN candidate after another and compare the result with the hash value (dictionary attack). However, this requires knowing the hash method and the location of the hash value – both of which are kept secret by Apple.

In the case of the San Bernardino spree killer, the specialists managed to bypass part of the iPhone operating system and thus pass the PIN directly to the encryption module – without counting incorrectly entered PINs. This allowed investigators to try through all four-digit PINs to determine the correct one.

It may well be that Cellebrite took a similar approach when it cracked Khavari’s iPhone. However, details are not known.

If any readers know more about this case or know of other cases of this nature, I would be interested.

If you want to add a comment, you need to add it to the German version here.

Further reading: Ungelöste Kriminalfälle mit ungelösten Verschlüsselungen

–Linkedin: https://www.linkedin.com/groups/13501820
Facebook: https://www.facebook.com/groups/763282653806483/

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.