|Statewatch article: RefNo# 34466
|Statewatch News Online, January 2015
|On Thursday 16 January around 600 people in Leipzig took part in a spontaneous demonstration against racism focused on the murder of Khaled Idris Bahray, a 20-year-old Ertirean refugee who was found stabbed to death two days earlier in Dresden, the capital of the federal state Saxony. 
His friends had made posts on Facebook saying that the injuries he suffered led them to guess it was murder, but the police initially claimed they did not consider there to be any third-party responsibility for his death. The next day, 30 hours later, a spokesperson for the police reported that when washing the corpse they found several wounds, probably inflicted by a knife, and from which he probably died. The crime scene was until that point not secured or thoroughly investigated.
Protesters at the demonstration in Leipzig, which is about 100 kilometres (60 miles) from Dresden, allegedly pelted police with stones. According the Saxony police the group smashed shop windows and display cases as well.
A large number of the protesters escaped when the police attempted to close in. Local journal MOPO24 reported that about 150 protesters had been surrounded. They were searched by the police, stripped of their jackets and photographed. According to MOPO24 all 150 people also had their mobile phones confiscated. The following day an article posted on Indymedia also described the seizure of the phones. 
Saxony police have monitored mobile phones before
It is currently unclear under which legislation and for which investigations the phones were seized. MOPO24 quoted a police officer at the demonstration as saying: "We will not put up with that [presumably meaning the rioting] and will react with the utmost consistency."
Although not mentioned in any report, the police response might have been revenge for an attack that happened one week earlier,  when around 50 people smashed the windows of a local police station in protest over the death of Oury Jalloh, an asylum seeker who burnt to death in a police cell after being arrested in a cold winter's night in January 2005. 
The seizure of the mobile phones appears to be unprecedented, at least in Saxony.  However, police analysis of protesters' mobile phone data has previously taken place in Dresden. Germany's largest annual anti-Nazi demonstration in 2011 led to the analysis of vast amounts of traffic data pertaining to phones collected by the police in subsequent investigations.
According to discussions in the local parliament the 2011 sweep was the second of its kind. In total, police netted more than one million pieces of information. A storm of protest over the huge amounts of data retained and analysed led to the resignation of Dresden police chief, Dieter Hanitsch. 
Tools for extracting content and bypassing passwords
The spontaneous nature of the Leipzig protest means that the police may not have been able to intercept mobile phone communications, and a police spokesperson confirmed that there has not yet been monitoring of content or traffic data. There was no comment made on making use of the possibility to force telecommunications companies to hand over traffic data afterwards for police investigations.
But the investigators now have additional data that allow conclusions about social networks of the suspects: if the operating systems of the seized mobile phones are not encrypted it can be determined who was talking to whom, and the content of any text based communication can easily be accessed. According to a Leipzig police press release the investigators also hope to find video and still images of the riots to use it as evidence in court. 
To investigate the content on mobile devices German police forces mostly use a "Universal Forensics Extraction Device" (UFED) manufactured by the Israeli company Cellebrite,  a platform combining hardware and software which allows the extraction of all data stored on the device.
Cellebrite calls it the "complete extraction of existing, hidden and deleted data" containing call history, SMS, contacts, calendar, email, media files, geotags, and location information remaining from WiFi, cell tower and navigation connections.  This "All-inclusive Mobile Forensic Solution" is itself a "field-ready" mobile system. According to Cellebrite, it bypasses passwords but it is unclear if the application can break encryption as well.
German security forces have also purchased applications from Russian company Elcomsoft for password cracking.  The Federal Criminal Police (BKA) uses "Distributed Password Recovery", the Federal Customs Authority (ZKA) the "Phone Password Breaker". For accessing data on hard disks that are password-protected the BKA purchased "PC-3000" from ACE Laboratory.  To deal with Android systems, IOS and cloud data the ZKA uses the software "Lantern" developed by Katana Forensics;  the BKA applies "Extraction Wizard" from Swedish company Microsystemation. According to the company it works on smartphones, satellite navigation devices, MP3 players and tablets.
Contributed by Matthias Monroy. If you would like to contribute to News Online please get in touch.
Katrin McGuaran and Kees Hudig, 'Refugee protests in Europe: fighting for the right to stay', Statewatch Journal, vol 23 no 3/4, February 2014
'Anger and ultimatums over raids on migrants in Hamburg', Statewatch News Online, October 2013
 Kate Connolly, 'Killing of Eritrean refugee in Dresden exposes racial tensions in Germany', The Guardian, 15 January 2015
 'Gewalt und Zerstörung! 600 Randalierer verwüsten Leipzig', MOPO24, 16 January 2015
 '[LE] Polizeiliche Überwachungsmaßnahme nach Sponti', linksunten.indymedia.org, 15 January 2015
 '[LE] Angriff auf Polizeiposten', linksunten.indymedia.org, 7 January 2015
 Philip Oltermann, 'German police urged to re-investigate asylum seeker's death in custody', The Guardian, 12 November 2013
 An anti-repression group noted on their Twitter account that in 2012 the police seized mobile phones from protestors kettled during a ‘Blockupy’ protest in Frankfurt. The number of phones taken is unknown, but it appears that data found on the devices led to some house raids in December 2014. See: AG AntiRep Blockupy, Twitter post, 17 January 2015
 Gregg Benzow, 'Cyber sweep costs Dresden police chief his job', Deutsche Welle, 26 June 2011
 'Linksextreme bekennen sich zu Randalen in Leipzig – Polizei beschlagnahmt Handys', LVZ Online, 16 January 2015
 'Cracker in Uniform: Polizisten knacken Passwörter und Platten', Heise Online, 12 November 2014
 Cellebrite, 'UFED Touch Ultimate', company brochure
 Elcomsoft, 'Produkt-Katalog 2013'
 ACE Laboratory, 'Data recovery from HDD'
 Katana Forensics, 'LANTERN Device Acquisition and Analysis'
© Statewatch ISSN 1756-851X. Personal usage as private individuals/"fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions oof that licence and to local copyright law. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.