What Police Can Actually Extract From Your Phone in 2026
Cellebrite and GrayKey extractions pull every message, photo, location, and authentication token from your phone. A digital forensics and consumer cybersecurity guide with opsec hardening tips.
Founder of Valtik Studios. Penetration tester. Based in Connecticut, serving US mid-market.
What actually happens if the police take your phone
Most people think phone seizure means "they unlock it and look through it." The reality in 2026 is much more technical and much more thorough. Law enforcement doesn't "look through" your phone. They image it. The image goes to a forensic workstation running Cellebrite or GrayKey or Magnet Axiom or Oxygen. The tool extracts everything. Messages. Deleted messages. Location history. Deleted location history. App data. Photos. Contacts. Browser history. Keyboard autocomplete dictionary. Notification history. Screenshots they didn't know were there.
What they get depends on one specific factor: whether your phone was powered on and unlocked at any point since the last reboot. Two forensic states exist. The difference between them is the difference between "we got most of it" and "we got almost nothing."
The two states
Your phone exists in one of two forensic states:
AFU (After First Unlock): You've entered your passcode at least once since the last reboot. Encryption keys are in memory. Forensic tools can extract most data.
BFU (Before First Unlock): The phone has been rebooted and no passcode entered. Encryption keys are locked in the Secure Enclave. Extraction is dramatically harder.
This distinction matters more than anything else when police seize your phone.
What Cellebrite can do in 2026
Cellebrite's Spring 2026 release (UFED) supports:
- iPhone 17 and iOS 26: full filesystem extraction on AFU devices
- Drone forensics: flight logs, recorded video, GPS coordinates
- Cloud token extraction: pulling authentication tokens to access cloud backups
- App-level data: Signal, WhatsApp, Telegram message databases (if device is in AFU)
What GrayKey can do
GrayKey (now owned by Magnet Forensics) has more limited iPhone capabilities:
- iOS 18+: partial data only (some unencrypted files and metadata)
- Older iOS: full filesystem access on AFU devices
- ICE signed a $3M contract with Magnet Forensics in September 2025
Apple's silent countermeasure
iOS 18.1 introduced "inactivity reboot": your phone automatically restarts after 72 hours of inactivity. After reboot, it enters BFU state, locking all encryption keys. Apple never announced this feature publicly. It was discovered by security researcher Jiska Classen.
This directly counters the forensic playbook: police would seize a phone, keep it powered on and in a Faraday bag (to prevent remote wipe), and extract it days later while it remained in the easier AFU state. Now, after 72 hours, the phone locks itself.
Where the law stands
Courts are split on whether police can force you to use biometrics to unlock your phone:
- D.C. Circuit (2025): Forcing fingerprint unlock violates the Fifth Amendment
- Ninth Circuit (2024): Forced biometric unlock is NOT testimonial, so it's allowed
- The Supreme Court case that could have resolved this was mooted when all January 6 defendants were pardoned
Practical advice: Use a strong alphanumeric passcode, not Face ID or fingerprint alone. Disable biometrics before any encounter with law enforcement (hold power + volume on iPhone to trigger Emergency SOS, which also disables biometrics).
