Update 3: You can find my PostMortem here: https://infosec.exchange/@masek/114721620930871030

Update 2: As far as I can tell, the servers that caused the leak belonged to the DOJ in Montana. We reached them in two ways:

  • Through this post we got in contact with the vendor of the software. With the Serial# (in the extraction reports) they could identify whom to call.
  • A friend had a contact in one of the affected police departments and they reached out to the DOJ.

Thanks to this community I was also able to get a contact within the FBI. Furthermore some media contacted me and a lot of Mastodon users provided me with additional contacts.

Even though I contacted the AG in Montana and one PD, no one has reached out to me from the DOJ side.

Update 1: Leak is closed. Will write more tomorrow. Thank you to everyone who helped.

Phone forensics

Usually law enforcement is very secretive about them analyzing the phones of suspects.

But a forensic lab in #montana is extremely transparent about it. They put the dump of every phone on a public share. Everyone with Internet access can access those dumps.

While I am usually a proponent of government transparency, this takes it a bit too far even for my taste.

Every phone dump is one directory and some case names can be easily connected to crime & death headline news in the U.S.

So for one case I am pretty sure that I can even say which Sheriff is responsible for that investigation.

I sent that Sheriff an email, I sent him a text message and I even left a message on his voicemail. I even sent him the extraction report from Graykey.

It is really frustrating that I get no response at all. The leak is still open.

The security researcher that found the leak also tried some contacts but had as little success as I did.

I personally believe that this leak even constitutes a federal crime. Some cases have names ending in CSAM. The security researcher stayed away from any of those and I did not access the files on that server at all.

So does anybody know someone within the #fbi that would give a shit about that? I am getting very tired.

#graykey #cellebrite #forensics

Martin Seeger (@masek@infosec.exchange) on Infosec Exchange:

## PostMortem: Assumed DOJ Montana Leak of Phone Dumps

### Type of leak

Highly confidential information on a public SMB share without authentication

### Threats from the leak

I see the following threats:

- Integrity and Confidentiality of investigations into serious crimes compromised
- Privacy of U.S. citizens compromised (very likely to contain most intimate data)
- Providing 3rd parties hostile to the U.S. with blackmail material

1/4

@masek moment:

Is that intended on their side for reasons of transparency, or did some dimwit "hit" the wrong network folder?

@LongJohn I think this has been done by someone who doesn't give a fuck about his work.

This should not be possible by error. The concept should have multiple barriers to prevent that.

@masek may I ask for your source link? I'm giggling with curiosity.

@LongJohn Not until it is closed. There is stuff there that sounds several thousand degrees too hot.

@masek ah, I thought of a news article, not of the data.

I don't care for that.

Or is it that fresh that there are no stories about it yet? Damn

@LongJohn Last dump was about 10 days ago. So it is practically still dripping. Will think about whether I post links.

@masek sufficiently advanced incompetence is indistinguishable from malice.

@masek Everyday citizens need to be careful about their data and information security. No telling where your info will end up. Of course, innocent people can end up with their phones in the hands of police.

@masek If the forensics lab does business in Montana, the Montana Attorney General's Office might get involved and call them ... and then sue them civilly if there are violations of Montana privacy laws and data breach notification laws.

If you have phone options, maybe call the Montana Attorney General's Office of Consumer Protection and ask to speak to one of the attorneys there. I've done that with other states in other leak situations and have found it helpful at times.

Montana doesn't even have its own FBI field office. The one in Salt Lake City covers all of Utah and Montana and Idaho.

@PogoWasRight My problem: I have no idea how law enforcement ticks. In Germany getting that offline would be a piece of cake.

But they seem all busy with protests, throwing refugees into a meat grinder and making embarrassing parades.

@masek Understood. If the lab is doing forensic work on cases being prosecuted in Montana criminal cases, then the state's Attorney General might really care. Alternatively, if the cases are in federal court in Montana, maybe the U.S.A.O's office there would be appropriate. I really don't have any sense of what data the researcher found to figure out who I'd call if I had found it.

And because the U.S. really doesn't have a comprehensive privacy protection/ data protection law, the leak is probably not a federal crime at all -- even though we might want it to be viewed as such.

@PogoWasRight

> the leak is probably not a federal crime at all -- even though we might want it to be viewed as such.

Some cases are CSAM. So it is probable that the phones may contain related content. Putting that online is a criminal act in most civilized countries.

@masek @PogoWasRight minimally, I expect this is a CJIS violation. I need to figure out how to log in to my InfraGard account to find someone who cares…

@jerry @masek @PogoWasRight Should be interesting for some lawyer, no? Seems like a lawsuit waiting to happen, big money etc.
@masek don't talk on the phone

@gary_alderson And don't store anything on it....

@masek the fbi is the minor player in this telecomm passion play

@masek Checking to see if I can get you a useful contact in Montana.

@masek Let the FBI know that the forensic lab is distributing CSAM. They'll quickly take it down.

@Chip_Unicorn First the FBI needs to be willing to talk to me. I have been informed that there is a lot of red tape around talking to foreign sources.

@Chip_Unicorn P.S. I suspect that CSAM may be in those files, but I do not know.

@masek I suspect they did those phone searches with a judicial warrant (or at least some of them). I doubt the warrant authorizes disclosure of that information to the public. There may be torts and 1983 actions available to the victims, if you can identify plaintiff(s). Also, the judge who authorized the warrants would be volcanically pissed. If particular warrants can be linked to particular disclosed information, then lawyers would probably descend like vultures upon rotting flesh.

@masek I would submit an abuse report for CSAM to the hosting company; they will either close it down, making them aware of the issue very fast, or forward it to the company contact, which is hopefully a monitored mailbox.

@masek

> I personally believe that this leak even constitutes a federal crime. Some cases have names ending in CSAM.

It certainly sounds like hosting/redistributing CSAM, pirated files, not to mention what else was being investigated, potentially national secrets, bomb making, citizens' nude photos, crypto wallets, photos of their kids, driver's licences/passports, browser logins/cookies, address books, corporate intellectual property. A treasure trove for cyber criminals and nation states.

@chrisp You can safely assume that Russia and China now have a copy of that data.

@masek Every person and corporation in the US should be worried about what is being shared on these servers, and other countries should be thinking about which of their own citizens this could affect. The TSA could have similar issues with warrantless searches at the border; this is just one of the reasons I'm not visiting the US until they've had a decent law-abiding president for a few years and reverted some of the insanity. Maybe after the civil war.