Acknowledgments

The greatest thanks belong to @JayeLTee , who discovered the leak, clearly recognised the severity and started the chain of events that led to the closure of the leak.

Special thanks to "Dissent Doe" of DataBreaches.net for reaching out to the Bozeman Police Department, who responded promptly by calling her to get IP addresses and details so they could investigate and follow up. They made contact with the state lab, who notified the police that they had just heard from the vendor and had unplugged everything while they investigated.

Thanks to the FBI and Bozeman PD for the prompt and professional contact. Beside them, no official that was contacted reached out.

I also wish to thank (in alphabetical order) Abraham, Andy, Ben, Cody, Dhruv, Emma, Frank, Harlo, Jeff, Jerry, JollyOrc, Judie, Royce, Russ and Rysiek for providing assistance. If I omitted someone, I apologise for the oversight. The communication turned into a frenzy on June 17th and some may have escaped the analysis for my PostMortem.

Closing Remarks

It is clearly necessary that we have at least one public contact in each country that investigates and closes data leaks reported to them. The effort to close even the worst leaks is unbearable and currently rests on the shoulders of security researchers and their supporting environment.

Time spent on this leak from my side (without the time for this report) is 12+ hours. My best estimate on the effort of all people involved closing this leak would be in the multiple hundreds of hours. The amount of time spent by the person responsible for the leaking system on security issues: None.

I assume the the leak is somehow tied to the DOJ Montana. This is not 100% sure, but i received multiple indicators that they are closely connected the leak.

There were more attempts to reach official contacts than documented here in the PostMortem. The list only includes those I could pinpoint with a reasonable degree of certainty.

I will not answer questions on how the forensics software works. This is out of scope for me. If you want to keep your phone safe: make it stay in the BFU state most of the time, choose a long and complex PIN, avoid cloud backups and do not install tracking apps.

I do not know if the share was writeable for everyone. This is also out of scope. Therefore I cannot say how difficult it would have been to manipulate an investigation. But my guess would be, that at least for a skilled atacker this would seem quite possible.

Purpose of the PostMortem is to provide an opportunity to learn for the affected party and those in danger of making similar mistakes. Futhermore I feel responsible to give all the people involved some closure.

Analysis

This is not a complete failure analysis. This are only my observations. A full detailed analysis is most likely to be even more shocking.

Failures:

• The PC with that kind information should never have been "internet facing" (architecture mistake)
• The informations do not belong on any file share (organisational mistake)
• Shares should never allow unauthenticated access (configuration mistake)
• The information should never have been stored unencrypted (lack of data security)
• Incoming SMB traffic should never be allowed to such a network (firewall policy mistake).
• Any such network should include a monitoring of the external attack surface that could easily identify such a leak (lack of posture management, lack of attack surface management).
• It was out of scope for our involvement, but is very likely that the systems could have been used to compromise any attached network
• SUMMARY: A complete and utter failure of IT-Security on the technical and organisational level for that lab

Impact

It can be safely assumed (due to duration and easiness to discover) that all data on those shares is now in the hands of inttelligence services with non-friendly attitude towards the United States of America (e.g. Russia, China)

3/4

Timeline

• May 14th 2025: Scanner of Security Researcher flags a public SMB share for inspection (leak open at latest at this date)
  • IP addresses involved: 216.220.10.217 and 216.220.10.222
• June 5th 2025: Security Researcher analyses the SMB share and discovers phone dumpy created with Graykey. Some data is mere hours old, therefore this is a live leak.
• In between: File names show that some investigations are tied to child abuse as directories contain "CSAM" as part of the directory names.
  • Remark: Usually investigations are identified by three parameters in thge file name: type of crime, location and some keyword (optional). In case of major crimes, using those identifiers one could easily identify those crime through press reports.
  • One directory name seemed to indicate the dump to be done from a police officers phone who comitted suicide.
• June 12th 2025: As the Security Researcher could not identify a clear owner and previous contacts to CISA and FBI didn't produce any reply, he contacts me and asks for support. I receive as supporting material:
  • One extraction report by Graykey for "Policy Violation" investigation
  • List of file names in the leak
• June 12th 2025 06:42 UTC: Asking friends in my environment for contacts in the U.S. to help with this leak.
• June 12th 2025 ~19:00 UTC: Start discussing the leak with journalists in the U.S. Due to the CSAM topic, there is great reluctance to engage.
• June 13th 2025, 19:20 UTC: From the extraction report I assume that this investigation is done by the Cascade County Police Department. I attempt to contact Sheriff Jesse Slaughter him by: mobile (spoke on his voice box), text message (iMessage) and email. As of today there is no answer.
• June 17th 2025, 07:22 UTC: A second security researcher informs the Bozeman PD about one of their investigations to be in the leak
• June 17th 2025: Second security researcher also reaches out to the former Attorney General and former Governor of Montana Steve Bullock via LinkedIn to help with the leak. As of today there is no answer.
• June 17th 2025, 08:47 UTC: Bozeman PD reaches out to the second security researcher
• June 17th 2025, 09:10 UTC: My initial post on Mastodon (https://infosec.exchange/@masek/114697924639525296) asking for help
• June 17th 2025, 11:36 UTC: On recommendation received, I contacted the Attorney General of Montana by Email. As of today there is no answer.
• June 17th 2025 12:46 UTC: Former FBI employee offers to create a contact.
• June 17th 2025, 16:20 UTC: Contact with employees of the software vendor (came through the SM post above). I provide them with serial# from the extraction report and additional information in the next 30min. They say they identified the owner of the license and will attempt to contact them.
• June 17th 2025, 17:21 UTC: On recommendation received, I contacted the County Attorney of Lewis and Clark Counry. As of today there is no answer.
• June 17th 2025, ~20:00 UTC: Initial two-way contact with FBI
• June 17th 2025, ~20:00 UTC: Leak is closed (according to my information the communication chain through the vendor and Bozeman PD reached the lab at pretty the same time)
• June 18th 2025 between 08:42 and 16:11 UTC: Further communication with the FBI