Digital Forensics: Exactly What They Can Pull From Your Devices
Cellebrite and GrayKey extract every message, location, authentication token, and deleted file from your phone — when the device is in AFU state. A digital forensics deep dive into mobile security, BFU/AFU extraction, and GrapheneOS hardening.
What mobile forensics actually does
Your phone is the most complete record of your life that has ever existed, by a large margin. Photos, location history, messages (including deleted ones), financial data, health data, app-specific data, authentication tokens, browser history, Wi-Fi networks connected to over months of travel, Bluetooth pairings, and the full cryptographic state of your authenticator apps. A modern iPhone 16 Pro holds around 1 terabyte of the most intimate data a human can produce.
Mobile forensics is the science of pulling all of it off. Sometimes under a court order, sometimes with a warrant, sometimes with consent, and in certain jurisdictions, without any of the above. The dominant tools are Cellebrite (Israeli), Magnet Forensics (Canadian), Oxygen Forensic (Russian-origin, since relocated), and GrayShift / GrayKey (US-only, law-enforcement restricted).
This post walks through what can be extracted from your phone, the technical mechanisms behind extraction, the device-state difference that controls *everything*, and which defenses actually hold up.
BFU vs AFU: the state that changes everything
The single most important distinction in mobile forensics is BFU vs. AFU.
- BFU (Before First Unlock). The device has been powered on but has not been unlocked since boot. On iOS and recent Android, the Class A and Class B file protection keys are not yet loaded into RAM. Most user data on disk is encrypted with keys derived from your passcode combined with a hardware-bound secret. Without the passcode, the data is cryptographically inaccessible.
- AFU (After First Unlock). The device has been unlocked at least once since boot. The Class C keys are now in RAM and stay there until the device reboots. Most user data is now readable because the keys are present in memory.
Every extraction method and every success rate depends on which state the phone was seized in.
Practical consequence. If your phone is seized and you're worried about extraction, reboot it. Don't unlock it. Keep it powered on in BFU indefinitely. A BFU iPhone is dramatically harder to extract than an AFU one.
Apple added the Inactivity Reboot feature in iOS 18.1 (November 2024). Phones automatically reboot into BFU after roughly 72 hours of no unlock. This one feature has ruined thousands of active law-enforcement extractions. Cellebrite's internal documentation leaked in 2024 called it the biggest blow to forensic access since Secure Enclave was introduced.
Cellebrite responded in Spring 2026 with Safeguard Mode, which tries to keep seized iPhones awake and in AFU by periodically injecting keep-alive events. Efficacy is disputed and depends on iOS version.
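To make the BFU/AFU distinction concrete, here is an added example (not from the post, and not Apple's implementation) that models the key hierarchy the section describes: per-class file keys stored wrapped under a passcode-plus-hardware-secret key, unwrapped copies held only in RAM, a lock that drops the Class A key but keeps Class C (AFU), a reboot that drops everything (BFU), and the 72-hour Inactivity Reboot. The PBKDF2 derivation and the XOR key wrap are stand-ins chosen for this model; the class names, the 72-hour figure and the lock/reboot behaviour come from the post.

```python
import hashlib
import hmac
import os

INACTIVITY_REBOOT_HOURS = 72   # the post's figure for iOS 18.1 Inactivity Reboot

def _passcode_key(passcode: str, hardware_secret: bytes) -> bytes:
    # Stand-in for the Secure Enclave's UID-entangled, rate-limited derivation.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), hardware_secret, 50_000)

def _xor_wrap(kek: bytes, blob: bytes) -> bytes:
    # Toy reversible key wrap (XOR with an HMAC keystream) standing in for AES key wrap.
    stream = hmac.new(kek, b"class-key-wrap", "sha256").digest()
    return bytes(a ^ b for a, b in zip(blob, stream))

class Device:
    # Per-class file keys: wrapped copies on flash, unwrapped copies only in RAM.
    def __init__(self, passcode: str) -> None:
        self._hw_secret = os.urandom(32)                 # never leaves "the SEP"
        kek = _passcode_key(passcode, self._hw_secret)
        self._kek_check = hashlib.sha256(kek).digest()   # lets unlock() reject a wrong passcode
        self._wrapped = {cls: _xor_wrap(kek, os.urandom(32)) for cls in ("A", "C")}
        self.ram: dict = {}                              # unwrapped class keys
        self.hours_since_unlock = 0.0

    def unlock(self, passcode: str) -> bool:
        kek = _passcode_key(passcode, self._hw_secret)
        if not hmac.compare_digest(hashlib.sha256(kek).digest(), self._kek_check):
            return False
        self.ram = {cls: _xor_wrap(kek, w) for cls, w in self._wrapped.items()}
        self.hours_since_unlock = 0.0
        return True

    def lock(self) -> None:
        self.ram.pop("A", None)      # Class A key evicted on lock; Class C stays: still AFU

    def reboot(self) -> None:
        self.ram.clear()             # nothing unwrapped in RAM: BFU until the next unlock

    def idle(self, hours: float) -> None:
        self.hours_since_unlock += hours
        if self.hours_since_unlock >= INACTIVITY_REBOOT_HOURS:
            self.reboot()            # Inactivity Reboot forces BFU without any user action

    def state(self) -> str:
        return "AFU" if self.ram else "BFU"

    def readable(self, cls: str) -> bool:
        return cls in self.ram       # can a file of this class be decrypted right now?
```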
Cellebrite UFED: three extraction tiers
Cellebrite UFED (Universal Forensic Extraction Device) is the most widely deployed mobile forensics tool in the world. US federal agencies, local police departments, and foreign intelligence services all use it. Hardware cost: roughly $10,000. Annual license: $3,000 to $4,000. ICE's 2023 contract with Cellebrite was worth $6.2 million over five years.
UFED extracts data at three tiers of increasing depth:
Tier 1: Logical Extraction. An over-the-wire pull via the phone's normal backup API (Apple's mobile backup service or Android Debug Bridge (ADB)). You get whatever would end up in a standard iTunes/iCloud or ADB backup: contacts, messages, call logs, photos, app data that participates in backup. Requires the device to be unlocked (AFU). No exploit needed. Fast — 15 to 30 minutes.
Tier 2: File System Extraction. Exploits a weakness in the device or its backup mechanism to pull the full file system instead of just the backup-participating subset. Includes app sandboxes, caches, system logs, and SQLite databases that aren't part of standard backup. Requires AFU plus a working extraction chain. Moderate — 1 to 3 hours.
Tier 3: Physical Extraction. A full bit-for-bit image of the device's flash storage, including unallocated space and residual deleted data. Historically this required chip-off (physically desoldering the NAND). Modern tools use software exploits instead. Slow and device-specific. On older devices, or on Checkm8-vulnerable iPhones (A5 through A11, iPhone 4s through iPhone X, all BFU-vulnerable), this can extract encrypted data for offline cracking later.
The iPhone reality by model
iPhone X and older (Checkm8 vulnerable). A boot-level SoC vulnerability that can't be patched because it lives in ROM. Enables BFU physical extraction and offline passcode brute force. Any Checkm8-era iPhone can be fully extracted given enough time, usually days to weeks for a strong passcode.
iPhone XS through iPhone 13 on iOS older than 16.2. Various exploit chains have been sold to Cellebrite and GrayKey to enable AFU extraction. BFU is much harder, but has been achieved on specific iOS versions.
iPhone 14 and newer on current iOS. AFU extraction has been demonstrated on specific patch levels. BFU extraction, as of April 2026, isn't publicly claimed by any vendor on current iOS. This is why Inactivity Reboot matters. It forces the device into the state no one can (publicly) extract.
iPhone 17 / iOS 26 (Spring 2026). Cellebrite's leaked roadmap claims support, but the AFU window keeps shrinking each release. Apple ships hardening in nearly every point release.
GrayKey: faster, narrower, law-enforcement only
GrayKey (by Magnet Forensics, formerly GrayShift) is an iPhone-specific extraction tool restricted to US and allied law enforcement. A single box sits in the forensic lab and plugs into seized phones.
What it does well. Fast AFU extraction on supported iOS versions. Same-day access is routine. Full extractions in under an hour on tier-1 supported models. No internet connection required, which is a key selling point for evidence handling.
Pricing. $15,000 to $30,000 upfront depending on tier. Annual license $15,000+. Restricted sales to law enforcement only; civilian labs and foreign non-ally agencies cannot obtain it.
What GrayKey can't do. Recent iPhone models on the latest iOS in BFU state. Same limitation as Cellebrite.
Android: the open door
Every major Android manufacturer has shipped devices with exploitable extraction vectors in the last five years: Samsung, Xiaomi, OnePlus, Google Pixel, Motorola, Huawei, all of them. The extraction chains are well-documented and get continuously updated.
Root causes:
- More attack surface (diverse hardware across thousands of models)
- Weaker file-system-level encryption than iOS Data Protection
- Frequent OEM-introduced vulnerabilities in bootloader and TEE implementations
- Slower security patch cadence on non-Pixel devices
- Carriers and OEMs often delay or skip patches entirely
Practical reality. Nearly every non-Pixel, non-GrapheneOS Android phone in the wild can be extracted in some fashion, either BFU or AFU, by a forensic vendor with current exploit chains.
GrapheneOS is the notable exception
GrapheneOS is a hardened Android distribution for Pixel devices, maintained by Daniel Micay and a small team. It ships with an aggressive hardening stack: hardened memory allocator, exec-based spawning, verified boot integrity, a stripped-down attack surface, and rapid adoption of upstream mitigations.
Cellebrite's leaked internal document (April 2024). GrapheneOS on a current Pixel, running a current GrapheneOS build, is not extractable by Cellebrite UFED. Three zero-day attempts were listed in the leaked doc as blocked by GrapheneOS mitigations. As of April 2026, no public claim of extraction against current GrapheneOS exists.
What this means practically.
- BFU extraction: not publicly possible
- AFU extraction: not publicly possible
- Physical extraction: hardware plus encryption block it
GrapheneOS users still have to worry about targeted zero-days from nation-state actors (NSO Group, Cytrox, Intellexa) that may not have been sold to forensic vendors yet. But for local law enforcement using off-the-shelf Cellebrite UFED, a current Pixel running GrapheneOS with a strong passcode is, operationally speaking, a brick.
Caveat: GrapheneOS still participates in Google Play Services through a sandboxed compatibility layer if you install them. Using a Google account on GrapheneOS reintroduces cloud-sync data exposure that no amount of local hardening can mitigate.
What gets pulled when extraction succeeds
On a successful AFU extraction of a modern phone (iPhone or Android), the forensic examiner typically walks away with:
- All messages: SMS, iMessage, Signal (if unlocked), WhatsApp, Telegram, Discord. Deleted messages from SQLite WAL files. Attachments.
- All photos and videos: including deleted items still in the recently-deleted folder. EXIF metadata with GPS coordinates. Thumbnails persist after main file deletion.
- Full location history: iOS Significant Locations, Google Location History, app-specific location caches (Uber, Lyft, DoorDash, Strava, weather apps). Often reconstructable to minute-by-minute resolution over years.
- Browser history + cached content: Safari, Chrome, all installed browsers. Often reveals incognito history through system-level caches.
- Authentication tokens: Keychain (iOS), Android KeyStore contents, cookies, OAuth tokens for banking, email, social media, crypto exchanges, password managers. Depending on the extraction tier, a forensic examiner can authenticate into your accounts after the extraction.
- Health data: heart rate, blood pressure, menstrual cycle, steps, sleep patterns, workouts, medications logged.
- Financial data: Apple Pay / Google Pay transaction history. Banking app caches. Stock trading history.
- App-specific data: Uber ride history, Tinder matches, dating app chat logs, food delivery orders, home automation device lists, hotel bookings, flight history, Wi-Fi networks connected to (and often their passwords).
- Keyboard typing cache: iOS QuickType and Android Gboard cache recent typed content — including items typed into incognito tabs, passwords, and messages that were later deleted.
- Clipboard history: cross-device Universal Clipboard content on iOS, Gboard clipboard history on Android.
Total data volume is typically 50 GB to 500 GB depending on device use.
Cloud is the bigger exposure
Here's the often-overlooked fact. The phone is one piece. iCloud, Google Takeout, and Microsoft 365 backups hold a larger, more complete, more historical copy of your data. They can usually be subpoenaed directly from the provider without ever touching your device.
Without Advanced Data Protection (available since iOS 16.2, December 2022), iCloud backups are encrypted with keys Apple holds and can hand to law enforcement under warrant. With ADP enabled, Apple no longer holds the keys and cannot decrypt. But most users never turned ADP on.
Google Takeout provides an even more comprehensive historical archive: 10+ years of Gmail, Google Drive, Photos, Maps, YouTube history, Assistant queries, Home automation logs, Play Store app list and usage.
Reality. If law enforcement wants your data, subpoenaing Apple or Google is far easier than extracting your device. The phone matters mostly when the subpoena path is blocked or unavailable.
Private forensics pricing
Mobile forensic examinations performed by private firms (not law enforcement) run:
- Standard mobile exam: $1,575 - $2,975
- Hourly rate: $150 - $500/hour
- Complex, contested cases: $50,000 - $100,000+
Legal use cases: divorce discovery, employment disputes, internal corporate investigations, civil litigation. Private labs operate under the same technical toolchain as law enforcement but are restricted from the LE-only GrayKey tier.
Anti-forensics that actually works
Rank-ordered by effectiveness against Cellebrite-class extraction.
- GrapheneOS on a current Pixel. The single best defense. Not hypothetically strong, but tested and documented as blocking current tooling.
- iPhone in BFU state. Reboot before seizure. The Inactivity Reboot feature does this automatically after 72 hours, but if you know seizure is imminent, reboot deliberately.
- Strong passcode. Minimum 8 digits. 10+ alphanumeric is far harder to brute-force than a 6-digit PIN. Cellebrite's brute-force speed against modern iPhones in BFU state is roughly 1 attempt every 10-20 seconds (Secure Enclave throttling). 6 digits = 10^6 attempts = up to 230 days. 10 alphanumeric = infeasible in any realistic timeframe.
- Enable iCloud Advanced Data Protection. Removes cloud backup as an extraction vector.
- Don't use face or fingerprint biometrics in high-risk environments. Law enforcement has broad latitude to compel biometric unlock in the U.S., and much less latitude to compel a passcode. Turn off Face ID / Touch ID before entering a risk environment, or use the iOS Emergency SOS hold (five rapid presses of the side button) which temporarily disables biometrics.
- Signal, with disappearing messages and screen security enabled. Even if the device gets extracted, expired messages are gone from Signal's DB.
- Separate device for high-risk activities. A $300 second phone with GrapheneOS, Signal, and nothing else is a superior operational security posture compared to hardening a single primary device.
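The passcode arithmetic above generalizes to any alphabet, length and throttled attempt rate. The following is an added example (not from the post) that carries that calculation through for the three passcode shapes the post discusses, assuming the post's cited 10 to 20 seconds per attempt under Secure Enclave throttling; the 20 s default reproduces the post's roughly 230-day figure for a 6-digit PIN and puts numbers on "infeasible" for 10 alphanumeric characters.

```python
SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365.25

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passcodes of a fixed length over an alphabet."""
    return alphabet_size ** length

def worst_case_days(alphabet_size: int, length: int, seconds_per_attempt: float) -> float:
    """Days to exhaust the whole keyspace at a fixed throttled rate.

    With a uniformly chosen passcode the expected time is about half of this;
    a passcode from a known weak pattern (birthdays, 123456) falls much sooner.
    """
    return keyspace(alphabet_size, length) * seconds_per_attempt / SECONDS_PER_DAY

def brute_force_table(seconds_per_attempt: float = 20.0):
    # Assumed throttled rate; the post cites 10-20 s per attempt in BFU state.
    rows = []
    for label, alphabet_size, length in (
        ("6-digit PIN", 10, 6),
        ("8-digit PIN", 10, 8),                 # the post's stated minimum
        ("10-char alphanumeric", 62, 10),       # a-z, A-Z, 0-9
    ):
        days = worst_case_days(alphabet_size, length, seconds_per_attempt)
        rows.append((label, keyspace(alphabet_size, length), days, days / DAYS_PER_YEAR))
    return rows

if __name__ == "__main__":
    for label, space, days, years in brute_force_table():
        print(f"{label:22} {space:>22,d} {days:>16,.0f} days  ({years:,.0f} years)")
```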
Doesn't meaningfully help:
- "Secure delete" apps (flash storage does not support secure delete in the way HDDs do; TRIM handles it inconsistently)
- Factory reset in AFU (may still leave recoverable data)
- Jailbreaking (usually reduces security)
- VPN (irrelevant to physical extraction)
- "Anti-forensic" apps marketed on app stores (snake oil)
SSD / Flash and the TRIM question
The USNA 2025 paper confirmed it. Once the OS has issued TRIM for deleted blocks and the flash controller's garbage collection has reclaimed them, the data is practically unrecoverable. Chip-off attacks return the post-TRIM state, which is zeros. This is why mobile forensic tools focus on live extraction of unallocated space *before* TRIM runs rather than after-the-fact chip recovery.
Practical implication. A phone that's been running for a few hours after deletion of sensitive data has usually already TRIMmed the relevant blocks. The forensic examiner then relies on SQLite WAL journals, app-specific caches, and cloud backups instead of flash-level recovery.
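The SQLite WAL residue mentioned here and in the "What gets pulled" list is easy to see for yourself. The following is an added example (not from the post): it creates a constructed single-row message table in WAL mode, deletes the row, and reports which on-disk files still contain the plaintext before and after a checkpoint, once with SQLite's standard `secure_delete` pragma off (the default) and once with it on. It shows why a deleted message survives in the `-wal` file until the database is checkpointed, and why checkpointing alone is not enough unless deleted content was also overwritten.

```python
import os
import sqlite3
import tempfile

# Constructed sample row; any app's message table behaves the same way.
MESSAGE = "constructed sample: meet at the pier at 9pm"

def _files_holding(path: str) -> list:
    """Which on-disk files (main database, -wal) still contain the deleted row's bytes."""
    found = []
    for suffix, label in (("", "main"), ("-wal", "wal")):
        if os.path.exists(path + suffix):
            with open(path + suffix, "rb") as fh:
                if MESSAGE.encode() in fh.read():
                    found.append(label)
    return found

def deleted_row_residue(secure_delete: bool) -> dict:
    """Insert one message, delete it, and report where its plaintext survives
    before and after a WAL checkpoint (what an examiner finds vs. what a
    cleaned-up database leaves behind)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")
        con = sqlite3.connect(path)
        # fetchall() finishes each PRAGMA statement so no read transaction lingers.
        con.execute("PRAGMA journal_mode=WAL").fetchall()
        con.execute(f"PRAGMA secure_delete={'ON' if secure_delete else 'OFF'}").fetchall()
        con.execute("CREATE TABLE message(id INTEGER PRIMARY KEY, body TEXT)")
        con.execute("INSERT INTO message(body) VALUES (?)", (MESSAGE,))
        con.commit()
        con.execute("DELETE FROM message WHERE id = 1")
        con.commit()
        assert con.execute("SELECT count(*) FROM message").fetchall()[0][0] == 0
        before = _files_holding(path)   # the app says the row is gone; the WAL does not
        # TRUNCATE copies the newest page versions into the main file and empties the WAL.
        busy = con.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()[0][0]
        after = _files_holding(path) if busy == 0 else ["checkpoint-busy"]
        con.close()
        return {"before_checkpoint": before, "after_checkpoint": after}
```

With `secure_delete` off, the checkpoint moves the stale bytes into the main database file rather than removing them; with it on, the deleted content is zeroed in the page and the truncated WAL no longer holds the older copy.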
Cold boot and RAM forensics
If a device gets seized with power still on and in AFU, RAM contains the unlocked file system keys. Chilling the RAM chips (liquid nitrogen in dramatic demos, canned air held upside-down in practice) can extend bit retention long enough to remove the chips, solder them to a reader, and extract the keys.
Tools: Volatility, Rekall. Academic research is still active. In practice this is rare, because the device has to be seized with power on AND the examiner has to act within minutes.
The honest takeaway
If your threat model is local law enforcement with a warrant and standard tooling, GrapheneOS on a current Pixel with a 10+ character passcode or iPhone in BFU with a long alphanumeric passcode and ADP enabled is operationally adequate.
If your threat model is a tier-1 nation-state with NSO-grade zero-day capability, every phone is vulnerable. The mitigation is operational. Don't use a phone for the most sensitive activity. Use air-gapped systems. Compartmentalize identities across separate devices.
Most people's threat model is the first one. Most people have none of these mitigations in place.
Sources
- [Cellebrite UFED Documentation](https://cellebrite.com/en/ufed/)
- [GrayKey — Magnet Forensics](https://www.magnetforensics.com/products/magnet-graykey/)
- [iOS 18 Inactivity Reboot — 404 Media coverage (Nov 2024)](https://www.404media.co/iphones-now-auto-restart-to-protect-your-data-from-thieves/)
- [GrapheneOS Cellebrite Leak Analysis (April 2024)](https://grapheneos.org/)
- [Checkm8 — Axi0mX Original Publication (2019)](https://github.com/axi0mX/ipwndfu)
- [Apple Platform Security Guide — Apple (2024)](https://support.apple.com/guide/security/welcome/web)
- [iOS Data Protection Classes — Apple Developer Docs](https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files)
- [USNA Flash TRIM Recovery Paper (2025)](https://www.usna.edu/CS/academic-security/)
- [ICE Cellebrite Contract Disclosure — LookoutCUSA / PCMag Coverage](https://www.pcmag.com/news/ice-signed-62-million-contract-with-cellebrite-phone-unlocker)