Digital Forensics  ·  Field Reference
DFIR Reference Hub
iOS / iPhone Guide
Model ID from lock screen · iOS version visual reference · Lock screen forensic tells · iOS extraction methods with yield ratings
Android Reference
Extraction methods by type · Android version security · OEM-specific approaches · FBE, FRP, EDL, Knox, Titan M explained
iOS / iPhone Reference
Field Identification Guide

Phone Model & OS Spotter

Identify any iPhone or Android — even when locked  ·  iOS lock screen forensic reference

Quick Visual Key
Home Button · Face ID · Notch · Dynamic Island · USB-C · Lightning
Fastest tells when locked:
Home button → pre-2017 or SE  ·  Notch → 2017–2022  ·  Pill (Dynamic Island) → 2022+ Pro, all 2023+  ·  USB-C → iPhone 15+
Home Button Era
Notch Era
Dynamic Island Era
Android ID Strategy
Alert slider → OnePlus  ·  Visor bar → Pixel 6+  ·  Bixby button → Samsung S10 and older  ·  Pure stock UI → Pixel  ·  Heavy skin → Samsung/Xiaomi
Spotting the iOS Version
Most reliable: Settings → General → About → Software Version.
⚠ CRITICAL FORENSIC NOTES
USB Restricted Mode · iOS 11.4.1+
Plug in USB: if "Unlock iPhone to use accessories" appears after >1hr locked, the device is on 11.4.1+. Does NOT block checkm8.
Inactivity Reboot · iOS 18.1+
Auto-reboots to BFU after ~72hrs without unlock. Check intake time vs seizure time.
Lockdown Mode · iOS 16+
USB never enumerates at all, no config profiles: extreme hardening. Check Settings → Privacy → Lockdown Mode.
BFU vs AFU · All versions
Before First Unlock = keychain encrypted. Even with tools, extraction is severely limited.
⚠ iOS EXTRACTION PREREQUISITES
Secure Enclave
All iPhones since 5s have a Secure Enclave (SEP) — a dedicated coprocessor that holds encryption keys. Keys never leave the SEP. A physical NAND dump alone cannot decrypt user data without SEP cooperation. No known bypass on modern hardware.
BFU vs AFU
Before First Unlock: Keychain locked, most databases encrypted, location/health data inaccessible. After First Unlock: Data class A/B accessible. Know your device state before choosing method. Inactivity Reboot (iOS 18.1+) returns to BFU after ~72hrs.
USB Restricted Mode
iOS 11.4.1+: after 1hr locked, USB accessories blocked. Does NOT stop checkm8 (bootrom). Does block Cellebrite/GrayKey USB-based methods on A12+ hardware. Plug test: if "Unlock iPhone to use accessories" appears = restricted.
Pairing Records
If device was previously paired with a trusted computer, a .plist pairing record exists. With this record + device in AFU state, advanced logical extraction is possible without passcode. Check investigator's/subject's computers.
Lockdown Mode
iOS 16+: USB never enumerates at all. No accessories prompt — device simply does nothing. No config profiles installable. Severely limits all USB-based methods including advanced logical.
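Added example (not part of the original reference): a Python helper that applies the thresholds above (USB Restricted Mode on iOS 11.4.1+ after 1 hour locked, Inactivity Reboot on iOS 18.1+ after roughly 72 hours) to an intake timeline. The function name triage_ios, its parameters and the sample times are assumptions made for illustration, and the 72-hour figure is approximate, as noted above.

```python
from datetime import datetime, timedelta

# Thresholds as stated on this page.
USB_RESTRICTED_MIN = (11, 4, 1)                # USB Restricted Mode: iOS 11.4.1+
INACTIVITY_REBOOT_MIN = (18, 1)                # Inactivity Reboot: iOS 18.1+
USB_RESTRICT_AFTER = timedelta(hours=1)        # "after 1hr locked"
INACTIVITY_REBOOT_AFTER = timedelta(hours=72)  # "~72hrs", approximate

def parse_version(text):
    """'18.1' -> (18, 1); tuples compare correctly (11.4 < 11.4.1)."""
    return tuple(int(part) for part in text.split("."))

def triage_ios(ios_version, last_unlock, now, unlocked_since_boot=True):
    """Estimate device state at `now` from the last known unlock time.

    Assumption: the locked period starts at `last_unlock`. If that time is
    unknown, pass the seizure time; the deadline is then the latest possible.
    """
    version = parse_version(ios_version)
    if now < last_unlock:
        raise ValueError("now is earlier than last_unlock")
    locked_for = now - last_unlock
    result = {
        "state": "AFU" if unlocked_since_boot else "BFU",
        "usb_restricted_expected": (version >= USB_RESTRICTED_MIN
                                    and locked_for > USB_RESTRICT_AFTER),
        "reboot_deadline": None,
        "time_to_reboot": None,
    }
    # Inactivity Reboot only matters while the device is still AFU.
    if version >= INACTIVITY_REBOOT_MIN and unlocked_since_boot:
        deadline = last_unlock + INACTIVITY_REBOOT_AFTER
        result["reboot_deadline"] = deadline
        result["time_to_reboot"] = max(deadline - now, timedelta(0))
        if now >= deadline:
            result["state"] = "BFU (expected after inactivity reboot)"
    return result

if __name__ == "__main__":
    # Constructed sample: last unlock 08:00 on 1 March, intake 70 h later.
    last_unlock = datetime(2025, 3, 1, 8, 0)
    intake = last_unlock + timedelta(hours=70)
    for key, value in triage_ios("18.1", last_unlock, intake).items():
        print(f"{key}: {value}")
```

The result is an estimate for planning intake priority; the plug test and on-device checks described above remain the confirmation.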
Android Extraction Reference
Extraction methods • OS security by version • OEM-specific approaches • Visual lock screen ID
⚠ Critical Android Forensic Notes
USB Debugging
Must be enabled in Developer Options for ADB access. Enabling it on a seized locked device is not possible without unlocking. If already enabled before seizure, ADB may work without authentication if the computer was previously trusted.
FRP Lock
Factory Reset Protection — after a factory reset, device requires the last signed-in Google account. Cannot bypass without credentials or specific exploits. Major obstacle post-wipe.
Bootloader Unlock
Wipes the device. OEM unlock must be enabled in Developer Options before fastboot can unlock it. On a seized device this option may be grayed out or require unlocking the screen to access.
CE vs DE Storage
Android 7+ uses File-Based Encryption. DE (Device Encrypted) storage is available after boot. CE (Credential Encrypted) storage — which holds most user data — is only available after first unlock. Equivalent to iOS BFU/AFU.
Adopted Storage
SD cards formatted as internal storage (Android 6+) are encrypted with a device-specific key. Card alone is unreadable without the host device.
OEM Identification Strategy
Manufacturer matters as much as Android version — the same Android 14 device has completely different extraction paths on a Pixel vs a Samsung vs a Xiaomi. Identify the OEM first, then apply the right method tree.
Extraction Method Decision Order
Try methods in this order based on what's available:
1. Logical (ADB) if USB debugging was enabled
2. Cloud/backup extraction
3. Chip/hardware-specific mode (EDL, BROM, Download Mode)
4. JTAG/ISP
5. Chip-off