A defendant hands over an iPhone. Your job is to extract the evidence. Simple, right?
Not even close.
The acquisition method you choose determines not just what you find — it determines what you miss. And in civil litigation, what you miss can cost your client the case.
iPhone forensics has three main acquisition tiers: logical, advanced logical, and full file system. Each one produces a fundamentally different evidence set. A logical extraction of an iPhone might give you 200 text messages. A full file system extraction of that same phone might give you 2,400 — including deleted content, metadata, and artifacts your opposing counsel never expected you to find.
This guide breaks down every acquisition level, the tools that run them, the device states that affect success rates, and what artifacts each method captures. If you’re doing civil work and you’re not thinking about this at the start of every examination, you’re leaving evidence on the table.
BFU vs. AFU: The Device State Problem
Before we talk about acquisition methods, we need to talk about device state. It’s the variable that overrides everything else.
BFU (Before First Unlock) is exactly what it sounds like — the device has powered on but has never been unlocked since the last boot. The vast majority of the file system is encrypted with keys that are not loaded into memory. Even with the most sophisticated tools on the market, BFU devices yield very limited data.
AFU (After First Unlock) is the state most iPhones are in when you receive them for examination. The user has unlocked the device at least once since the last boot. Encryption keys for most files are now loaded into memory (protected class “B” files are decrypted on first unlock and stay decrypted until reboot). This is the state you want.
Why does this matter for civil examiners? Because how you handle a device from the moment you receive it changes everything. If someone powers down the phone during transport — intentionally or accidentally — you may go from AFU to BFU and lose access to the bulk of extractable data.
Best practice: Place the device in a Faraday bag immediately to prevent remote wipe. Do not power it down. Do not let it lock and then run out of battery. Get it into your lab and start acquisition while the device remains in AFU state.
There’s a third state worth knowing: SFU (Secure Enclave File Under). Some researchers use this to describe the state after a user has set a longer passcode or after an iOS update has forced re-authentication. The practical takeaway is the same — authenticated, AFU state is your window for extraction.

Logical Acquisition: What You Get, What You Don’t
Logical acquisition connects to the device via USB and uses Apple’s own backup protocol to extract data. This is the same mechanism that powers iTunes and Finder backups on macOS.
What logical extraction captures:
- SMS and iMessage conversations (in the backup)
- Contacts, calendars, call logs
- Notes
- Photos and videos (originals, including EXIF metadata)
- App data for apps that allow backup
- Voicemails
What logical extraction does NOT capture:
- Keychain data (passwords, encryption keys) — unless you create an encrypted backup
- Health data — only available in encrypted backups
- Safari saved passwords
- Third-party app data that opts out of backup
- Any data in the “protected” classes that requires on-device decryption
- Deleted data
- System logs and diagnostic data
- Location history beyond what’s in standard app data
Logical is fast, non-destructive, and doesn’t require passcode bypass. For many civil matters — a basic business email dispute, a custody case where you only need message history — it’s sufficient.
But understand its ceiling.
Cellebrite UFED and Magnet AXIOM both support logical acquisition. The process is largely identical across tools because it’s using Apple’s protocol. Tool choice at this level matters less than it does at higher acquisition tiers.
Advanced Logical: The Middle Ground That Matters
Advanced logical acquisition goes beyond the standard backup protocol. The most significant capability: it extracts the crash logs, shared app containers, and certain system artifacts that standard logical misses.
Some tools refer to this as “file system” access via AFC (Apple File Conduit), which exposes the media partition. This gives you:
- The full photo library including thumbnails and recently deleted photos (up to 30 days)
- Shared app group containers (where some messaging apps store data outside their sandboxes)
- Crash reports and system diagnostic data
- Application caches
What it still does NOT give you:
- The full /private/var directory
- Protected app sandboxes
- Keychain
- Deleted data from most databases
- System partition artifacts
Advanced logical requires the device to be in AFU state and, in most cases, requires the device to be unlocked (or at minimum, the lockdown certificate/pairing record from a trusted computer).
This is often the practical maximum for civil examiners working without law enforcement tools or specialized exploit-based solutions.

Full File System Acquisition: The Gold Standard
Full file system (FFS) extraction gives you everything — or as close to everything as current technology allows. You get the entire /private/var directory, the full application sandbox for every installed app, the keychain, system logs, location history, deleted SQLite records, and much more.
The trade-off: getting there requires bypassing Apple’s security architecture. There are two main paths.
Path 1: Checkm8 and the bootrom exploit
Checkm8 is a hardware-level bootrom exploit discovered in 2019 by a researcher known as axi0mX. Because it exploits a flaw in the hardware bootrom — not the software — Apple cannot patch it with iOS updates.
Affected devices: A5 through A11 chips. That’s iPhone 4S through iPhone X.
What this means in practice: If you’re examining an iPhone X or older, checkm8-based tools can achieve full file system extraction without knowing the device passcode — even in BFU state for some data classes, though AFU state is still preferable.
Cellebrite offers checkm8-based FFS extraction through UFED. The tool handles the exploit process and packages the output into a format compatible with their parsing software.
GrayKey (developed by Grayshift, now owned by Axon) also uses bootrom-level techniques combined with proprietary passcode cracking to achieve full file system access on a broader range of devices. GrayKey pricing is not public, but licensing runs in the tens of thousands of dollars annually. This is law enforcement-oriented tooling. Civil examiners rarely have direct access — but if you’re working alongside law enforcement or a firm that’s licensed, know what it can do.
Path 2: Passcode-Based FFS via Cellebrite Premium
For newer devices (A12 and later — iPhone XS and newer), there is no known public bootrom exploit as of 2026. Full file system acquisition requires either knowing the passcode, cracking the passcode, or using premium commercial services.
Cellebrite Premium is Cellebrite’s high-end offering that includes advanced unlocking capabilities for current-generation iPhones. This isn’t a tool you install — it’s a solution stack that involves proprietary hardware and frequently updated software. Pricing is enterprise-level and access is restricted.
For civil examiners without Premium access, the practical ceiling on modern iPhones is advanced logical unless:
- You know the passcode
- You have a pairing record from a trusted computer (which enables some advanced extraction on locked devices)
- You’re coordinating with law enforcement who has Premium access
What FFS Actually Gives You
Let’s get concrete. Here are the artifacts available at full file system level that you simply cannot get otherwise:
Deleted messages. SQLite databases maintain deleted records in “free pages” until those pages are overwritten. In sms.db (iMessage), WhatsApp’s ChatStorage.sqlite, and other messaging databases, deleted messages may persist as recoverable fragments. The recovery isn’t guaranteed — it depends on database activity since deletion — but the potential is real.
Location history. The consolidated location data in /private/var/root/Library/Caches/locationd/ contains detailed location information that doesn’t appear in logical backups. Significant locations, route tracking, and cell tower associations are all here.
Keychain. Passwords, encryption keys, authentication tokens. In civil litigation involving trade secret theft or unauthorized access, keychain artifacts can be decisive.
Application sandbox data. Every installed app has a sandboxed container at /private/var/mobile/Containers/Data/Application/[UUID]/. Full file system access means you can examine the complete database, cache, and document storage of every single app — not just what those apps allow to be backed up.
System logs and diagnostic data. The /private/var/log/ directory and related areas contain system events, application crashes, and usage patterns. These can establish device activity timelines even when explicit message or media evidence is absent.
KDBX/Keybag artifacts. Advanced examiners can use these to verify encryption key derivation and validate the chain of custody for encrypted content.
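The free-page persistence described under Deleted messages above, shown concretely. This is an added example, not code from the original article or from any vendor tool: it builds a constructed sms.db-like SQLite file, deletes two rows, and then reads only the unallocated region and freeblock chain of each table leaf page from the raw file, which is where SQLite leaves deleted cell bytes until they are overwritten. It assumes a stock SQLite build where `secure_delete` can be turned off; the table layout and message strings are constructed, not Apple's schema.

```python
"""Carve deleted-record residue from the slack space of SQLite table leaf pages.

Added example, not from the original article. Constructed sms.db-like sample;
scans only unallocated space and freeblocks, which SQLite leaves un-zeroed
unless secure_delete is on. Assumes a stock build where secure_delete can be OFF.
"""
import os
import re
import sqlite3
import struct
import tempfile

PRINTABLE_RUN = re.compile(rb"[ -~]{8,}")  # runs of 8+ printable ASCII bytes


def build_sample_db(path):
    """Constructed sample: four messages, two of which are then deleted."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")    # do not zero freed cells
    con.execute("PRAGMA journal_mode = DELETE")  # pages land in the main file, not a WAL
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, handle TEXT, text TEXT)")
    con.executemany("INSERT INTO message VALUES (?, ?, ?)", [
        (1, "+15550001", "active message alpha-one"),
        (2, "+15550002", "deleted message bravo-two"),
        (3, "+15550001", "active message charlie-three"),
        (4, "+15550003", "deleted message delta-four"),
    ])
    con.commit()
    con.execute("DELETE FROM message WHERE text LIKE 'deleted%'")
    con.commit()
    con.close()


def carve_slack(path):
    """Return printable strings found in unallocated space or freeblocks of leaf pages."""
    with open(path, "rb") as f:
        data = f.read()
    page_size = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size   # header encodes 65536 as 1
    found = []
    for off in range(0, len(data), page_size):
        hdr = off + 100 if off == 0 else off      # page 1 starts with the 100-byte file header
        if data[hdr] != 0x0D:                     # 0x0D marks a table b-tree leaf page
            continue
        first_free, ncells, content = struct.unpack(">HHH", data[hdr + 1:hdr + 7])
        content = 65536 if content == 0 else content
        regions = [(hdr + 8 + 2 * ncells, off + content)]  # gap after the cell pointer array
        while first_free:                         # walk the freeblock linked list
            nxt, size = struct.unpack(">HH", data[off + first_free:off + first_free + 4])
            regions.append((off + first_free + 4, off + first_free + size))
            first_free = nxt
        for start, end in regions:
            found += [m.group().decode() for m in PRINTABLE_RUN.finditer(data[start:end])]
    return found


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sms_sample.db")
        build_sample_db(path)
        live = {r[0] for r in sqlite3.connect(path).execute("SELECT text FROM message")}
        return live, carve_slack(path)
```

A real examination runs the same scan against the acquired database file rather than a constructed one; whether residue survives depends entirely on write activity since the deletion, which is why recovery is never guaranteed.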
Tool Comparison: Cellebrite UFED vs. Magnet AXIOM vs. GrayKey
These three tools dominate the professional market. Here’s an honest comparison at each acquisition tier:
Cellebrite UFED
- Logical: Excellent. Industry standard. Parses thousands of app types.
- Advanced Logical: Strong. AFC extraction and pairing-record-based access.
- Full File System (A11 and older): Strong via checkm8 integration.
- Full File System (A12+): Requires Premium tier. Standard UFED won’t get you there on locked modern iPhones.
- Pricing: UFED licensing starts around $15,000/year for standard. Premium is substantially higher.
Magnet AXIOM
- Logical and Advanced Logical: Excellent parsing and artifact correlation. AXIOM’s timeline view and connection mapping are genuinely superior for analysis workflows.
- Full File System: AXIOM is primarily a parsing/analysis platform. It can ingest FFS images acquired by other tools. For acquisition on its own, it relies on extraction mechanisms similar to those UFED uses.
- Pricing: Comparable to UFED. Often used in combination with Cellebrite for acquisition + analysis workflow.
GrayKey
- Designed primarily for law enforcement passcode cracking and FFS acquisition on modern devices.
- Not typically available to civil examiners directly.
- If opposing counsel claims GrayKey results in a civil matter, understand what that means: they likely coordinated with law enforcement or have a law enforcement client with access.
- Offers mobile forensic extraction services for civil examiners who need full file system results without owning enterprise licensing.
- Worth knowing as an option when you need FFS capabilities on a one-off basis.
Artifact Coverage Matrix
Here’s a plain-language breakdown of what each acquisition level captures across common evidence categories in civil cases:
| Artifact | Logical | Advanced Logical | Full File System |
|---|---|---|---|
| iMessages (active) | Yes | Yes | Yes |
| iMessages (deleted) | No | No | Possible |
| Call logs | Yes | Yes | Yes |
| WhatsApp messages | Partial | Partial | Full |
| Signal messages | No | No | Limited (see Signal article) |
| Photos + EXIF | Yes | Yes | Yes |
| Deleted photos | No | Yes (30 days) | Yes + fragments |
| Location history | No | Partial | Full |
| Keychain | Encrypted backup only | No | Yes |
| Health data | Encrypted backup only | No | Yes |
| Safari history | Encrypted backup only | Partial | Full |
| Email cache | App dependent | Partial | Full |
| App databases (e.g., Gmail cache) | App dependent | Partial | Full |
| System logs | No | No | Yes |
Chain of Custody Considerations for Each Method
Different acquisition methods carry different chain of custody implications. This matters enormously in civil litigation.
Logical extraction via the standard backup protocol is non-invasive and leaves no forensic footprint on the device. This is the safest method from an “I didn’t alter the device” standpoint.
Advanced logical using AFC or pairing records similarly doesn’t modify device data. However, the use of pairing records raises questions if the opposing party disputes how you obtained them.
Checkm8-based FFS requires booting the device into a special mode. Done correctly with a write-blocked process, it doesn’t alter user data. But the process does interact with the device at a low level, and you need to document your methodology thoroughly. The chain of custody documentation should specify:
- The tool version used
- The exact process executed
- Hash values of the acquisition output
- Device serial number and iOS version
- Device state at time of acquisition (BFU/AFU)
For civil matters subject to Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993) standards, your methodology must be documented well enough to withstand scrutiny. “I used Cellebrite” is not sufficient. “I used Cellebrite UFED version 7.X, the device was in AFU state, I acquired via checkm8 FFS, the acquisition hash was [SHA256], and I’ve retained the original extraction file” — that holds up.
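One way to capture the documentation fields listed above in a form that can be re-verified later. This is an added example, not the article's own tooling or any vendor's: it streams a SHA-256 over the extraction output, writes the tool version, process, device serial, iOS version and BFU/AFU state beside it as JSON, and re-checks the hash on demand. Every value in `demo()` (file name, serial, version strings) is a constructed placeholder.

```python
"""Acquisition record with a SHA-256 integrity check for an extraction output.

Added example, not from the original article. Captures the chain-of-custody
fields the article lists as JSON beside the extraction file and re-verifies
the hash later. All values in demo() are constructed placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream-hash the file so multi-gigabyte extractions do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_record(extraction_path, tool_version, process, serial, ios_version, state):
    """Write <extraction>.custody.json with the fields a methodology write-up needs."""
    if state not in ("BFU", "AFU"):
        raise ValueError("device state must be BFU or AFU")
    record = {
        "extraction_file": os.path.basename(extraction_path),
        "sha256": sha256_file(extraction_path),
        "size_bytes": os.path.getsize(extraction_path),
        "tool_version": tool_version,      # exact build string, not just the vendor name
        "process": process,                # e.g. "checkm8 full file system"
        "device_serial": serial,
        "ios_version": ios_version,
        "device_state": state,
        "recorded_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    record_path = extraction_path + ".custody.json"
    with open(record_path, "w") as f:
        json.dump(record, f, indent=2)
    return record_path


def verify_record(record_path):
    """Re-hash the extraction file named in the record; True only if unchanged."""
    with open(record_path) as f:
        record = json.load(f)
    target = os.path.join(os.path.dirname(record_path), record["extraction_file"])
    return os.path.exists(target) and sha256_file(target) == record["sha256"]


def demo():
    """Constructed run: record a fake extraction, verify, modify it, verify again."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "device_ffs.zip")
        with open(image, "wb") as f:
            f.write(b"constructed extraction payload, not a real image\n" * 100)
        rec = write_record(image, "UFED 7.X (placeholder)", "checkm8 full file system",
                           "SERIAL-PLACEHOLDER", "iOS 16.x (placeholder)", "AFU")
        before = verify_record(rec)
        with open(image, "ab") as f:
            f.write(b"\n")        # any post-acquisition change must break verification
        return before, verify_record(rec)
```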
What to Do When You Can’t Get Full File System
Most civil examiners working without law enforcement cooperation will hit a ceiling with modern, passcode-protected iPhones. Here’s the decision tree:
Step 1: Request the passcode as part of discovery. In civil litigation, this is often the simplest path. A court order can compel disclosure of a device passcode. This is cleaner than technical bypass from an authentication standpoint.
Step 2: Check for pairing records on associated computers. If you have access to the custodian’s computer (which you should if you’re doing comprehensive digital forensics), the iTunes/Finder pairing record may be present. This enables advanced extraction on some device/iOS combinations.
Step 3: Pursue encrypted backup. An encrypted iTunes backup captures keychain, health data, and Safari passwords that an unencrypted backup misses. If the device will pair with a computer, this is a major upgrade from standard logical. See our deep-dive on encrypted iTunes backups for civil examiners.
Step 4: Coordinate with law enforcement if criminal overlap exists. In cases with both civil and criminal dimensions, law enforcement may have GrayKey or Cellebrite Premium access. Be careful about the legal framework governing any shared evidence.
Step 5: Use cloud data to supplement. iCloud backups, Google account data, and carrier records can fill gaps that device-level extraction can’t. See iCloud vs. on-device evidence strategy for a full breakdown.
iOS Version and Hardware: The Moving Target
Apple changes the security architecture with every major iOS release. What worked for full file system extraction on iOS 15 may not work on iOS 17. This is not an exaggeration — Cellebrite has released updates that temporarily lost capability on certain iOS versions and then regained it.
As of April 2026, the broad picture looks like this:
- iPhone 5s through iPhone X (A7–A11): Checkm8 bootrom exploit allows FFS extraction regardless of iOS version. Passcode cracking with GrayKey or equivalent tools is possible. These devices are aging but still appear in civil cases.
- iPhone XS through iPhone 16 (A12+): No public bootrom exploit. FFS requires a known passcode or premium commercial tools. Locked devices with unknown passcodes are a significant challenge.
- iPhone 16 (A18): Latest generation. Premium tools are continually updated to address new hardware, but there’s typically a lag. Don’t assume current-generation extraction is possible until you’ve confirmed capability with your tool vendor.
Keep current with Cellebrite’s support matrix and the mobile forensics community (DFIR.training, ForensicFocus forums) for the latest device/iOS capability information.
Practical Workflow for Civil Examiners
Here’s the workflow I recommend for every iPhone examination in civil matters:
- Document device state on receipt. Battery level, locked/unlocked status, visible alerts on screen, Faraday bag placement. Photograph everything.
- Determine device model and iOS version. Check against your tool’s support matrix before you start. Know what’s achievable before you claim anything to counsel.
- Attempt advanced logical first. This is lowest-risk and often sufficient. Use UFED or AXIOM, document your process, hash the output.
- Evaluate FFS feasibility. Can you achieve it? Do you have the passcode? Is it a checkm8-eligible device? Will counsel pursue a court order for the passcode?
- Supplement with an encrypted backup if the device will cooperate. Create the encrypted backup, document the process, preserve the file.
- Report what you got and what you couldn’t get. Honest reporting of acquisition limitations is part of sound forensic practice. If you couldn’t get full file system, say so. Explain why. Explain what that means for the evidence scope.
- Cross-reference with cloud data. Device examination plus cloud data plus carrier records gives the fullest picture.
The goal isn’t to use the most powerful tool available. The goal is to use the right tool, document it properly, and report honestly about what the data does and doesn’t show.
Certifications and Standards for Mobile Forensic Examiners
If you’re doing this work in civil litigation and planning to testify, credentials matter. The relevant certifications in mobile forensics:
- CCE (Certified Computer Examiner) — Issued by the ISFCE. Covers mobile forensics as part of a broader digital forensics examination framework.
- CFCE (Certified Forensic Computer Examiner) — Issued by the IACIS. Practical examination required. Well-regarded in litigation contexts.
- EnCE (EnCase Certified Examiner) — OpenText’s vendor certification. Respected but more tool-specific.
- Cellebrite Certified Mobile Examiner (CCME) — Vendor certification directly relevant to iPhone and Android mobile work. Cellebrite also offers CCPA (Cellebrite Certified Physical Analyst) for advanced techniques.
For civil litigation, having at least one of the first two (CCE or CFCE) alongside relevant vendor certifications puts you in a defensible position on expert witness qualifications.
The Bottom Line
iPhone forensics is not a pick-up-and-plug-in operation. The device state you receive it in, the hardware generation, the iOS version, and the acquisition tools you have access to all combine to determine what evidence is actually recoverable.
Logical extraction is safe and fast but has a hard ceiling. Full file system extraction is the gold standard but requires either older hardware, the device passcode, or premium commercial capabilities.
Know what you’re working with before you start. Document every step. Report honestly about what you got — and what you couldn’t get.
The cases that go sideways aren’t the ones where the examiner found nothing. They’re the ones where the examiner overclaimed what they found, or didn’t know enough to go back for more.
For questions about mobile forensic examination in civil matters, contact Derick Downs at Digital Forensics Today or visit ExtractPhone for professional mobile forensic extraction services.