Locked iOS Device: Data Availability On BFU States Extraction
p-ISSN : 2231-3850 Adly Gilang Kurnia et al / Indian Journal of Computer Science and Engineering (IJCSE)
Abstract
Globally, Apple iOS has 17.3% of smartphone market share, which aligns with the findings from Cellebrite
in 2024. It highlights iOS devices as dominant digital evidence in digital forensics investigations. However,
accessing the data in locked iOS devices remains a significant challenge due to limited data accessibility.
This study evaluates the effectiveness of Before First Unlock (BFU) extraction in recovering user data from
locked devices. We compare data availability and integrity between BFU and Full File System (FFS)
extractions using mobile forensics tools and file hash comparison. The analysis revealed a 63.48% match
rate (338,062 of 532,509 files) between BFU and FFS extractions, indicating some data loss in BFU. While
some documents were recoverable, critical application data was inaccessible. This highlights the limitations
of BFU extraction in retrieving complete datasets from locked iOS devices. However, the recovered data
with verified integrity remains valuable for forensic investigations.
Keywords: Digital forensics; locked iOS device; Before First Unlock (BFU) extraction; data availability;
data integrity
1. Introduction
Digital forensics plays a critical role in law enforcement by providing methods for collecting, analyzing, and
presenting digital evidence in court. However, the rise of mobile devices, particularly iOS devices with robust
security features, has significantly increased the complexity of digital evidence acquisition. Studies, as seen in
Fig. 1, indicate that the smartphone is the most common evidence. Fig. 2 shows that locked iOS devices pose a major
challenge, constituting up to 73% of the access difficulties encountered during investigations [1][2].
One of the biggest difficulties for forensic investigators is accessing data on locked iOS devices, especially
those protected by fingerprint or facial recognition. Apple's strong security measures, including full-disk
encryption and secure boot processes, make data acquisition particularly challenging on devices in the "Before
First Unlock" (BFU) state [3]. This complexity is further amplified by the potential use of counter-forensic
techniques that impede data recovery efforts.
The state of a device at seizure significantly impacts recoverable data. Understanding the limitations of BFU
data extraction is crucial for investigators to optimize their approach and maximize the potential for acquiring
valuable evidence. In contrast, devices unlocked at the time of seizure (After First Unlock - AFU) offer greater
accessibility to user data. BFU also presents a significant challenge due to data encryption, rendering traditional
techniques ineffective. While AFU offers some level of decrypted data access, it might still have limitations.
Understanding these lock state differences, and the resulting data accessibility variations is crucial for digital
forensics professionals [4].
2. Related Works
Several studies have focused on discussing locked mobile devices that are related to this research and used as
references. Herrera L. A. [5] discusses how shutting down an iOS device transitions it from AFU to BFU, which
affects the amount of data that can be forensically retrieved from the device. This transition in device state
highlights the importance of understanding the implications of AFU and BFU states on the forensic analysis
process, as it directly influences the extent of data that can be accessed and examined by forensic specialists.
AL-Dowihi, L. W. et al [6] discuss preserving evidence and acquiring data from locked iOS devices,
particularly in the BFU state, underscoring the importance of understanding and handling devices in this critical
state for forensic analysis. The discussion emphasizes the significance of proper evidence preservation and data
acquisition techniques for locked devices, which align with the challenges and opportunities presented by the BFU
phase in mobile forensics.
Fukami, A. et al [7] discuss the importance of understanding the device state in relation to After First Unlock
(AFU) and Before First Unlock (BFU) when dealing with biometric authentication methods on modern mobile
devices. They explain that in most cases, biometric authentication only works when the target device is in the AFU
state and not equipped with advanced security features like inactivity-time detection measures. They also mention
the implications of the BFU state, where a password, passcode, or pattern-drawing is required to unlock the device
and enable biometric authentication. Additionally, they highlight the presence of a "panic" password option in some
smartphones that can execute hidden rules, potentially leading to data loss if used instead of the legitimate
unlocking password prior to data extraction. The paper emphasizes the importance of considering the device’s
state and security features when conducting forensic examinations involving biometric authentication methods.
Katalov, V. [8] discusses the accessibility attributes related to keychain items based on the device's unlock
status, including After First Unlock (AFU) and Before First Unlock (BFU) states. It explains that keychain items
marked with the kSecAttrAccessibleAlways attribute are always accessible, even if the device is locked or in the
BFU state and are extractable during the BFU extraction process. Additionally, it mentions that keychain records
protected with the kSecAttrAccessibleAlways attribute do not require the user's screen lock password to decrypt,
making them accessible even before the device is unlocked for the first time. These details highlight the
importance of understanding the different accessibility states of keychain items in locked or unlocked devices for
forensic analysis and data extraction purposes.
Alendal, G. et al [9] specifically mention the "before-first-unlock (BFU) state" in the context of
their attack. The attack demonstrated in the study works on powered off devices, known as the BFU state, without
requiring knowledge of user credentials. This highlights the significance of the attack being able to bypass the
security of the eSE in the BFU state, emphasizing the vulnerability of the system even before it is unlocked for
the first time.
Alendal, G.'s doctoral thesis [10] explores the challenges and techniques related to accessing data on mobile
phones in different states such as Before First Unlock (BFU) and After First Unlock (AFU). The research focuses
on bypassing encryption, security measures, and exploiting vulnerabilities to acquire forensically valuable data
from locked devices, especially in the BFU state where the device does not need to be powered on or unlocked.
By analyzing security vulnerabilities and attack paths, the thesis provides insights into the complexities and
strategies involved in accessing user data on mobile phones under various security states.
Fikri, A. et al [11] discuss the performance differences between Dalvik and ART, which can be crucial for
forensic analysts when dealing with locked devices. By knowing how these runtime environments handle data
processing and memory management, analysts can potentially develop more effective methods to access and
extract data from locked Android devices. The insights gained from the study can help optimize data recovery
processes, leading to quicker and more successful extraction of data from locked devices in forensic investigations.
Mobile forensics involves the collection, preservation, analysis, and presentation of digital evidence from
mobile devices. However, iOS devices present unique challenges due to their inherent security features. Apple
utilizes a combination of full-disk encryption, secure boot processes, and sandboxing to safeguard user data [3].
Additionally, biometric authentication further complicates data access, as unlocking often requires fingerprints or
facial recognition which investigators may not possess.
The locked state of a device plays a critical role in iOS forensics. The BFU state, where the device remains
locked since its last power cycle, presents the most significant challenge for data extraction. When you turn off
your iPhone, it enters BFU mode and remains there until you unlock it. In locked iOS devices, content is securely
encrypted until the user enters their screen lock passcode. This is required in order to generate the encryption key
which is needed to decrypt the iOS device’s file system. Almost all the content of an iOS device is encrypted until
the point when the user unlocks it to enable the phone to start up [12]. This difficulty arises from two key factors:
first, data encryption. In this scenario, most user data reside in an encrypted state, rendering traditional forensic
techniques used for unencrypted devices largely ineffective. Second, the potential risks associated with
unauthorized data extraction from locked devices necessitate the implementation of robust countermeasures to
prevent data breaches and unauthorized access [13].
This research aims to bridge the knowledge gap regarding data availability and integrity of extractable data
on BFU iOS devices. By analysing the user data, the challenges associated with data extraction, and potential
mitigation strategies, this research seeks to provide valuable insights for law enforcement agencies and digital
forensic practitioners when dealing with locked iOS devices in the BFU state.
The forensic process involves four main steps: collection, examination, analysis, and reporting [16].
Collection: Gathering data from various sources while following guidelines to preserve its integrity [16].
Examination: Using tools to examine the collected data in detail, looking for evidence related to the incident
[16].
Analysis: Using methods to draw conclusions from the examined data and determine its significance [16].
Reporting: Documenting the findings, actions taken, tools used, and providing recommendations for
improvement [16].
This process helps investigators systematically analyse digital evidence in a way that is reliable and can be
used in legal proceedings.
When checkm8 is combined with tools like checkra1n and libimobiledevice, a forensic investigator
can gain access to semi-encrypted data on certain iPhone models through jailbreak, even when the device is locked
[17]. However, the checkm8 method has limitations in device and iOS version compatibility, so we aimed to explore the
potential of BFU data extraction capabilities for future forensic applications. In the unlocked state, data will be
extracted using the Full File System method.
Full File System extraction will include the file structure of the device, collecting the folders, sub-folders, and
their data. This generates more data than the Logical extraction and can be used for further examination—the deep
dive [18]. The target device for this research was an Apple iPhone X with iOS 15.6.1 and 64 GB of storage as
seen in Fig. 4. After the extractions are completed, the images of the device will be imported to Oxygen Forensic
Detective to be analyzed further.
4. Analysis Results
This chapter presents the results obtained from the data extraction processes outlined in the materials and method
section. The analysis focuses on comparing the effectiveness of data extraction between the Before First Unlock
(BFU) and Full Filesystem (FFS) methods. Additionally, a file hash comparison analysis was conducted to assess
data integrity.
The size of the extracted image is around 27.6 GB of the 64 GB device capacity. Comparing the sizes, only
around 40% of the media was obtained in the BFU locked device extraction. The extracted data was imported into
Oxygen Forensic Detective (OFD) to gain a preliminary understanding of the recoverable files and applications.
Fig. 7 and Fig. 8 show the data that could be recovered by OFD at this stage; this doesn't necessarily imply
limitations in recoverable data. Other applications might require deeper analysis with additional forensic tools.
Similar to the BFU extraction, the data from the FFS extraction was imported into OFD for a preliminary
overview. As seen in Fig. 10 and Fig. 11, the import process identified numerous installed applications on the
device. While OFD may not be able to fully parse the data from all applications, this initial exploration suggests
a rich potential for further analysis that could support the investigation.
A file hash comparison analysis was conducted by using the SHA-1 hashing algorithm to ensure data integrity
and identify discrepancies between the BFU and FFS extractions. This analysis compared unique hash values for
each file extracted from both methods, verifying if the corresponding files remained unaltered during the
extraction processes. The results of the comparison are summarized as follows:
Total Files Analyzed: 436,479 files were obtained from the BFU extraction; 78,877 files were identified as known
files, as seen in Fig. 15. The hash list was generated and 338,203 unique SHA-1 hashes were listed, including the
system files.
Matched Files in FFS Extraction: from the 338,203 hashes listed from the BFU extraction, matched hash
values were exhibited in the FFS extraction data. This indicates a high degree of consistency between the two
extraction methods for most of the recovered files, as seen in Table 1.
Unmatched Files: A total of 141 hashes displayed discrepancies in their hash values between the BFU and FFS
extractions. These discrepancies, shown in Table 1, likely represent system-generated files prone to frequent
updates (logs, cache, metadata, etc.).
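As an added illustration of the hash comparison described above (this is not the authors' tooling or code from the paper), the Python example below hashes two extraction directory trees with SHA-1 and counts matched and unmatched hashes. It goes slightly beyond the text by splitting unmatched BFU files into those whose path also exists in the FFS tree (content changed between acquisitions) and those that do not. The sample trees, the function names and the coverage denominator (unique FFS hashes) are assumptions.

```python
import hashlib
import os
import tempfile

# Constructed sample trees (relative path -> content); not data from the paper.
CONSTRUCTED_BFU = {
    "System/version.plist": b"15.6.1",
    "prefs/settings.plist": b"prefs-v1",
    "logs/system.log": b"boot\n",
    "tmp/cache.bin": b"bfu-session-cache",
}
CONSTRUCTED_FFS = {
    "System/version.plist": b"15.6.1",
    "prefs/settings.plist": b"prefs-v1",
    "logs/system.log": b"boot\nunlock\n",  # same path, rewritten later
    "app/chat.db": b"messages",            # present only in the FFS tree
    "media/IMG_0001.JPG": b"jpeg-bytes",
}


def file_digest(path, algorithm="sha1", chunk_size=1 << 20):
    """Hash a file in chunks so large extraction artifacts do not fill memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root, algorithm="sha1"):
    """Return {digest: [relative paths]} for every regular file under root."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            index.setdefault(file_digest(full, algorithm), []).append(rel)
    return index


def compare_extractions(bfu_root, ffs_root, algorithm="sha1"):
    """Compare unique hashes of a BFU tree against an FFS reference tree."""
    bfu, ffs = hash_tree(bfu_root, algorithm), hash_tree(ffs_root, algorithm)
    matched = set(bfu) & set(ffs)
    unmatched = set(bfu) - set(ffs)
    ffs_paths = {p for paths in ffs.values() for p in paths}
    unmatched_paths = [p for h in unmatched for p in bfu[h]]
    return {
        "bfu_unique": len(bfu),
        "ffs_unique": len(ffs),
        "matched": len(matched),
        "unmatched": len(unmatched),
        # Same path in both trees but different content: changed between runs.
        "changed_paths": sorted(p for p in unmatched_paths if p in ffs_paths),
        "bfu_only_paths": sorted(p for p in unmatched_paths if p not in ffs_paths),
        # Assumed denominator: unique hashes in the FFS tree.
        "ffs_coverage": len(matched) / len(ffs) if ffs else 0.0,
    }


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build the constructed trees in a temp directory and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        bfu, ffs = os.path.join(tmp, "bfu"), os.path.join(tmp, "ffs")
        for root, tree in ((bfu, CONSTRUCTED_BFU), (ffs, CONSTRUCTED_FFS)):
            for rel, data in tree.items():
                _write(root, rel, data)
        return compare_extractions(bfu, ffs)


if __name__ == "__main__":
    print(demo())
```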
Table 2 showcases the types of data recoverable from both extractions. While the variety of recoverable data
may be comparable to the FFS extraction, not all files and folders were recovered due to encryption and restricted
access to system data.
Further analysis of the device identification shows that both BFU and FFS extractions successfully obtained
information such as the OS version, phone name, serial number, IMEI, MSISDN, and the Apple ID registered on
the device. Even the allocated storage information was obtained, with detailed categories such as application size,
books, logs, user data, music, photos and camera roll. The only difference is the advertising ID, which was obtained
in the FFS extraction.
In the BFU extraction, the keychain information was not obtained; this might be due to different protection
levels such as "Complete Protection (kSecAttrAccessibleWhenUnlocked)" and "Protected Until First User
Authentication (kSecAttrAccessibleAfterFirstUnlock)". These protection classes determine when the keychain
items are accessible, either when the device is unlocked or after the first user authentication [21][22].
Keychain protection classes determine when a keychain item is accessible. Below are the current data protection
classes from the Apple Security Guide [3]:
Complete Protection (kSecAttrAccessibleWhenUnlocked): The default value for keychain items added
without explicitly setting an accessibility constant. Developers use this protection level when the application
needs access to the keychain data only when the application is in the foreground. When used, the keychain
item data can be accessible only when the device is unlocked. Keychain data items with this attribute migrate
to a new device when using encrypted backup.
Protected Until First User Authentication (kSecAttrAccessibleAfterFirstUnlock): similar to Complete
Protection but keychain items are available to the users after they first unlock the device. The keychain items
are stored in an encrypted format on a disk and cannot be accessed until after the device has booted and until
the first device unlocks.
Protected when passcode enabled (kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly): Developers use
this protection level when the application needs access to the keychain data only when the application is in the
foreground and needs additional security. When used, the keychain item data can be accessible only when the
device is unlocked and a passcode is enabled on the device. Data cannot be stored on the device keychain
when the pin code is not set on the device. The keychain data items with this attribute never migrate to a new
device. If the pin code is disabled, the keychain item data gets deleted.
No Protection (kSecAttrAccessibleAlways): When this protection level is used, the data in the keychain item
is always accessible even when the device is locked.
5. Discussion
The research on extracting data from locked iOS devices in Before First Unlock (BFU) states has provided
valuable insights into the challenges and opportunities associated with digital forensics in iOS environments. The
comparison between the Before First Unlock (BFU) and Full Filesystem (FFS) extraction methods has shed light
on the effectiveness of data recovery and integrity assessment. The analysis results indicate that while the BFU
extraction may have limitations in extracting the encrypted applications, it still holds potential for further
investigation. On the other hand, the Full Filesystem extraction revealed a rich array of installed applications,
suggesting a wealth of forensic evidence for analysis.
The file hash comparison analysis conducted to ensure data integrity between the BFU and FFS extractions is
a crucial step in validating the extracted data. By employing the SHA-1 hashing algorithm, the research has
demonstrated a systematic approach to verifying the integrity of extracted files, which is essential for maintaining
the admissibility of evidence in legal proceedings.
Other techniques used for locked devices are physical data extraction methods, such as chip-off
analysis, where the memory chip is physically removed from the device to extract and reconstruct human-readable
data [23]. But even low-level data extraction techniques like chip-off have become more challenging in recent
years due to manufacturers' focus on enhancing user security [23][24].
Another way to extract data from iOS devices is from the iCloud backup. Some tools, like the iPhone Backup
Extractor, are designed for iOS devices and enable the extraction of files from iPhone backups and
iCloud for various data types, including contacts, messages, multimedia, calendars, notes, and more [25][26]. But
this method requires investigators to confiscate the iCloud account and restore the data to a spare iOS device to
decrypt the data.
For another reference, in the Android operating system, bypassing pattern locks could be done by rooting
Android devices, extracting the gesture.key file, and using rainbow tables to crack pattern locks. This shows the
importance of forensic analysis in accessing data on locked Android devices and provides a methodology for
forensic investigators to analyze and bypass pattern locks effectively [27]. This reference could be used to learn
about and try brute-forcing the passcode in iOS.
Acknowledgements
This research is fully funded by Ministry of Communication and Information Technology, Indonesia – Domestic
Master Scholarship Program.
Conflict of Interests
The authors do not have conflicts of interest to declare. We certify that the submission is original work and is not
under review at any other publication.
References
[1] Cellebrite. (2024). Industry Trends Survey 2024. Cellebrite. Retrieved from: https://cellebrite.com/en/industry-trends-survey-2024/
[2] Krishnan, S., Zhou, B., & An, M. K. (2019). Smartphone forensic challenges.
[3] Apple Inc. (2021). Apple Platform Security Guide. Retrieved from https://help.apple.com/pdf/security/en_US/apple-platform-security-guide.pdf
[4] Campbell, W. (2023, August 23). BFU and AFU Lock States. DigiForce Lab.
[5] Herrera, L. A. (2020, June). Challenges of acquiring mobile devices while minimizing the loss of usable forensics data. In 2020 8th
International Symposium on Digital Forensics and Security (ISDFS) (pp. 1-5). IEEE.
[6] Alomari, Mariam & Alogaiel, Razan & Alghulayqah, Hana & Alsadah, Sharifa & Al-Dowihi, Lulwah & Alahmadi, Resal & Alattas,
Hussain. (2023). Mobile investigation; Forensics analysis of iOS devices. 10.13140/RG.2.2.16584.60169.
[7] Fukami, A., Stoykova, R., & Geradts, Z. (2021). A new model for forensic data extraction from encrypted mobile devices. Forensic
Science International: Digital Investigation, 38, 301169.
[8] Katalov, V. (2021). Extracting and Decrypting iOS Keychain: Physical, Logical and Cloud Options Explored. DFIR Review.
[9] Alendal, G., Axelsson, S., & Dyrkolbotn, G. O. (2021). Chip chop—smashing the mobile phone secure chip for fun and digital forensics.
Forensic Science International: Digital Investigation, 37, 301191.
[10] Alendal, G. (2022). Digital Forensic Acquisition of mobile phones in the Era of Mandatory Security: Offensive Techniques, Security
Vulnerabilities and Exploitation.
[11] Fikri, A., Presekal, A., Harwahyu, R., & Sari, R. F. (2018, November). Performance comparison of dalvik and ART on different
android-based mobile devices. In 2018 International Seminar on Research of Information Technology and Intelligent Systems (ISRITI)
(pp. 439-442). IEEE.
[12] Cellebrite Digital Intelligence Glossary. BFU iPhone - Mobile Device Forensics. Available:
https://cellebrite.com/en/glossary/bfu-iphone-mobile-device-forensics/
[13] Junttila, A. (2023). Countermeasures against digital forensics of handheld devices, computers and services.
[14] Grance, T. , Chevalier, S. , Scarfone, K. and Dang, H. (2006), Guide to Integrating Forensic Techniques into Incident Response, Special
Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online],
https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=50875 (Accessed March 29, 2024)
[15] Ayers, R., Brothers, S., & Jansen, W. (2014). NIST Special Publication 800-101 Revision 1: Guidelines on Mobile Device Forensics.
U.S. Department of Commerce. National Institute of Standards and Technology.
[16] Umar, R., Riadi, I., & Muthohirin, B. F. (2019). Live forensics of tools on android devices for email forensics. TELKOMNIKA
(Telecommunication Computing Electronics and Control), 17(4), 1803-1809.
[17] Wu, J., Chen, G., Xu, Y., Li, G., & Liu, Q. (2021, December). A research of digital forensic method based on the Checkm8 heap
vulnerability. In 2021 IEEE 2nd International Conference on Information Technology, Big Data and Artificial Intelligence (ICIBA)
(Vol. 2, pp. 164-168). IEEE.
[18] Ogden, D. (2017). Mobile Device Forensics: Beyond Call Logs and Text Messages. US Att'ys Bull., 65, 11.
[19] Current RDS hash sets. NIST. (2024, March 1).
https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl/nsrl-download/current-rds
[20] Cellebrite. What Can Be Recovered From BFU Data Collection. Available:
https://cellebrite.com/en/what-can-be-recovered-from-bfu-data-collection/
[21] Shetty, D. (2017). Hacking iOS Applications: a detailed testing guide [PDF]. Retrieved from
https://web.securityinnovation.com/hubfs/iOS%20Hacking%20Guide.pdf
[22] V. Katalov, “BFU Extraction: Forensic Analysis of Locked and Disabled iPhones,” ElcomSoft blog, 26-Dec-2019. [Online]. Available:
https://blog.elcomsoft.com/2019/12/bfu-extraction-forensic-analysis-of-locked-and-disabled-iphones/.
[23] Karjagi, A. J., & Quadri, S. (2023). Design Of A Framework For Data Extraction And Analysis From Android-Embedded Smartphones.
Russian Law Journal, 11(3).
[24] MacLeod, M. (Year). Discussing How Manufacturers’ Focus on Device Security Can Hinder Mobile Forensic Investigations. Retrieved
from https://supermairio.github.io/assets/pdfs/Mobile_Forensics_Essay.pdf
[25] Dodevska, Marina & Dımıtrova, Vesna & Dobreva, Jovana & Mollakuqe, Elissa. (2023). Android vs iOS phone forensics: tools and
techniques.
[26] Zinkus, M., Jois, T. M., & Green, M. (2021). Data Security on Mobile Devices: Current State of the Art, Open Problems, and Proposed
Solutions. arXiv preprint arXiv:2105.12613.
[27] Rao, V. V., & Chakravarthy, A. S. N. (2016, December). Analysis and bypassing of pattern lock in android smartphone. In 2016 IEEE
International Conference on Computational Intelligence and Computing Research (ICCIC) (pp. 1-3). IEEE.
Authors Profile
Adly Gilang Kurnia is a postgraduate student at Universitas Indonesia who is
pursuing a master's degree from the Department of Electrical Engineering at
Universitas Indonesia. His current research is in Computer Science, focused
on Cyber Forensics including computer, mobile and network forensics.