Understanding Mobile Device Lock States in Forensic Extractions

When a mobile device is collected as digital evidence, one of the most critical factors to consider is its lock state. Whether the phone is running iOS or Android, its lock state plays a major role in how much data can be extracted. Devices may be in one of two primary states: Before First Unlock (BFU) or After First Unlock (AFU). These states determine how much information is accessible during forensic analysis, due to the implementation of file-based encryption (FBE) in modern mobile operating systems.

Why Lock States Matter

Modern mobile operating systems use file-based encryption: Android has offered it since version 7.0 and required it from Android 10 onward, and all supported iOS versions use it. This security model ensures that different files on a device are encrypted with unique keys that are only accessible after the user enters their passcode at least once after a reboot.

Because of this, if a device is in the BFU state, much of the user-generated data remains encrypted and unavailable, even with forensic tools. On the other hand, if the device is in AFU state, more data becomes accessible. Recognizing and preserving a device’s lock state is essential in maximizing evidence collection.
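The key handling described above, modelled in Python as an added example (not code from this article or from any forensic tool). It shows why a reboot removes access to user data while a simple screen lock does not. Assumptions: the ModelDevice class, the "device" and "user" class names, the file names and the toy SHAKE-256 cipher are illustrative only; real devices also bind these keys to hardware.

```python
import hashlib, hmac, secrets

def keystream_xor(key: bytes, name: str, data: bytes) -> bytes:
    # Toy cipher (SHAKE-256 keystream); stands in for the OS's real file encryption.
    stream = hashlib.shake_256(key + name.encode()).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class ModelDevice:
    """Simplified model: only keys held in `ram` can be used by an extraction."""

    def __init__(self, passcode: str):
        self.salt = secrets.token_bytes(16)
        self.device_key = secrets.token_bytes(32)   # usable straight after boot
        user_key = secrets.token_bytes(32)          # protects user-generated data
        # Stored on flash: the user key wrapped under a passcode-derived key.
        self.wrapped_user_key = keystream_xor(self._kek(passcode), "wrap", user_key)
        self.key_check = hmac.new(user_key, b"check", "sha256").digest()
        self.flash = {}                             # name -> (class, ciphertext)
        self.ram = {"device": self.device_key, "user": user_key}

    def _kek(self, passcode: str) -> bytes:
        # Passcode-derived key-encryption key (hardware binding omitted in this model).
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 50_000)

    def write(self, name: str, cls: str, data: bytes) -> None:
        self.flash[name] = (cls, keystream_xor(self.ram[cls], name, data))

    def reboot(self) -> None:
        self.ram = {"device": self.device_key}      # user key leaves memory: BFU

    def lock_screen(self) -> None:
        pass                                        # AFU: the user key stays in memory

    def unlock(self, passcode: str) -> bool:
        candidate = keystream_xor(self._kek(passcode), "wrap", self.wrapped_user_key)
        tag = hmac.new(candidate, b"check", "sha256").digest()
        if not hmac.compare_digest(tag, self.key_check):
            return False                            # wrong passcode: still BFU
        self.ram["user"] = candidate                # first unlock: BFU -> AFU
        return True

    def extract(self) -> dict:
        # Decrypt only the files whose class key is currently in memory.
        return {n: keystream_xor(self.ram[c], n, ct)
                for n, (c, ct) in self.flash.items() if c in self.ram}

if __name__ == "__main__":
    d = ModelDevice("4821")                         # constructed passcode and files
    d.write("system.log", "device", b"boot ok"); d.write("chat.db", "user", b"hello")
    d.reboot(); print("BFU:", sorted(d.extract()))
    d.unlock("4821"); d.lock_screen(); print("AFU:", sorted(d.extract()))
```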

BFU vs. AFU Extractions: What’s the Difference?

| Attribute | BFU Extraction | AFU Extraction |
|---|---|---|
| Lock State | Before passcode is entered after reboot | After passcode is entered post-reboot |
| User Data Access | Very limited | Substantial (~95% of filesystem) |
| Type of Data | System logs, metadata, cached content | Chats, photos, browsing history, app data |
| Key Limitation | No access to encrypted file keys | Keys are in memory, files are accessible |

Best Practices for Digital Evidence Collection

Preserve the Lock State

If the device is in AFU, do everything possible to keep it powered on. AFU iPhones need to be preserved within 72 hours of seizure to ensure the device’s data is obtainable. The Teel Tech Canada services team has these capabilities.

Avoid Reboots

A reboot can reset the state to BFU and lock away critical data.

Isolate the Device

Use Faraday bags to prevent remote wipes or data syncing. Airplane mode on newer model phones no longer keeps the device off the network.

Document Everything

Note the lock state, battery level, and any interaction with the device.

Consult Experts

If you’re unsure about the lock state or extraction potential, contact our office to learn more.

BFU: Before First Unlock

A mobile device is in the BFU (Before First Unlock) state when it has been restarted or powered off and has not yet had its screen lock passcode entered. In this state, the encryption keys necessary to unlock the majority of the file system remain inaccessible.

iOS Behavior in BFU:

  • Notification Center, Control Center, and widgets are disabled.
  • Face ID/Touch ID won’t work until the passcode is entered.
  • Attempting to unlock prompts the message: “Your passcode is required when iPhone restarts.”

Android Behavior in BFU:

  • Access to Quick Settings, camera, and phone features is restricted.
  • The lock screen typically displays a “Phone restarted” notification and the message: “Use PIN after restart.”

In this state, forensic tools can only extract a small subset of data—mainly limited to system logs, cached images, and some application-level metadata. While this information may be limited, it can still offer valuable leads depending on the context of the investigation.

Photo courtesy of Dakota University DigForCE Lab

AFU: After First Unlock

Once a user unlocks the device after a reboot, it enters the AFU (After First Unlock) state. In this state, the encryption keys are loaded into memory, allowing forensic tools to access significantly more data than in BFU.

Indicators of AFU State:

  • Full access to iOS features like the Control Center, widgets, Face ID, and app notifications.
  • On Android, Quick Settings, notifications, and app data become available.

An AFU extraction can yield approximately 95% of the data accessible via a Full Filesystem extraction. This includes:

  • Text messages
  • Call logs
  • Photos and videos
  • App data (e.g., WhatsApp, Signal)
  • Web browsing history
  • Social media interactions

However, some sensitive data like Apple Mail, Apple Health records, and granular location data remain inaccessible without the passcode and are only available through a Full Filesystem extraction.

Forensic investigators should make every effort to keep a device powered on if it is in the AFU state. Powering off the device will revert it to BFU, potentially locking away large amounts of user data.

Photo courtesy of Dakota University DigForCE Lab
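The lock-state indicators and handling rules above can be captured in an intake log. The following Python is an added example, not part of the original article or of any Teel Tech tool: it classifies the lock state from observations, flags any power event that loses AFU, and computes the 72-hour preservation deadline for AFU iPhones. The Exhibit class, its event names and the sample exhibit are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Lock-screen messages and working features the article lists as indicators.
BFU_TEXT = ("passcode is required when iphone restarts",
            "use pin after restart", "phone restarted")
AFU_FEATURES = {"control center", "widgets", "face id", "notifications", "quick settings"}
AFU_IPHONE_WINDOW = timedelta(hours=72)     # preservation window stated for AFU iPhones

@dataclass
class Exhibit:
    label: str
    platform: str                           # "ios" or "android"
    seized_at: datetime
    lock_state: str = "unknown"
    log: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    def record(self, when, kind, detail="", battery=None):
        """kind: 'lock_screen_text', 'feature_works', 'reboot' or 'power_off'."""
        previous, d = self.lock_state, detail.lower()
        if kind in ("reboot", "power_off"):
            self.lock_state = "BFU"         # any restart returns the device to BFU
            if previous == "AFU":
                self.warnings.append(f"{when.isoformat()} AFU state lost ({kind})")
        elif kind == "lock_screen_text" and any(t in d for t in BFU_TEXT):
            self.lock_state = "BFU"
        elif kind == "feature_works" and d in AFU_FEATURES:
            self.lock_state = "AFU"
        # Document everything: time, interaction, battery level, resulting state.
        self.log.append((when.isoformat(), kind, detail, battery, self.lock_state))

    def preserve_by(self):
        """Deadline for an AFU iPhone, otherwise None."""
        if self.lock_state == "AFU" and self.platform == "ios":
            return self.seized_at + AFU_IPHONE_WINDOW
        return None

if __name__ == "__main__":
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)   # constructed timeline
    ex = Exhibit("EX-001", "ios", t0)
    ex.record(t0, "feature_works", "Control Center", battery=64)
    print(ex.lock_state, "preserve by", ex.preserve_by())
    ex.record(t0 + timedelta(hours=5), "power_off", "battery depleted", battery=0)
    print(ex.lock_state, ex.warnings)
```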

Full Filesystem Extractions: The Ideal Scenario

The most complete form of mobile device data collection is a Full Filesystem extraction. This type of extraction is possible only when the passcode is known or can be brute-forced using validated forensic methods and tools.

A Full Filesystem extraction provides access to:

  • All user-generated data
  • Secure databases (Apple Mail, Health, Keychain)
  • Complete location history
  • Encrypted and protected app data

While AFU extractions offer a significant amount of evidence, Full Filesystem extractions are often the gold standard in digital forensics, especially in high-stakes cases where every data point counts.

How Teel Tech Canada Can Help!

Understanding the lock state of a mobile device—BFU or AFU—is key to maximizing the amount of recoverable data in any forensic investigation. With encryption becoming more sophisticated, the window of opportunity to access certain types of data is narrowing. By recognizing these states and acting accordingly, investigators can ensure that valuable digital evidence is preserved and extracted effectively.

At Teel Technologies, our forensic experts specialize in advanced mobile extractions, helping Law Enforcement, Military, and Government agencies access the crucial data needed for their case. Whether you’re facing a locked phone or need to perform a Full Filesystem extraction, our team is ready to assist.

    Vehicle Forensics: Overcoming Challenges with Advanced Acquisition Techniques

    Webinar Overview

    In this hour-long session we will discover more about the advanced acquisition and decoding techniques used to recover data from vehicle infotainment systems, navigation systems, and other electronic control units.

    We will explore advanced data extraction methods used by examiners when the major tools either don’t provide support, or the hardware is not in adequate condition to use standard acquisition techniques.

    In this session you will discover how to deal with data from three different chip types: eMMC, NAND, and NOR; receive an overview of ISP/Direct eMMC as an advanced non-destructive data extraction method; and, as a last resort, the Chip-Off process, which is considered the most destructive.

    This webinar will feature topics that are covered in the Teel Technologies Canada 5-Day Advanced Acquisition Vehicle Forensics Training.

    About the Presenter – Frank Corkery

    Sales & Forensic Services Teel Tech Canada/Europe

    Frank is a digital forensics examiner and technical sales representative for Teel Technologies Canada based in Ottawa, Ontario. He has been with Teel since 2018. His focus is on conducting and managing digital forensic investigations following industry standard methodology for a wide range of private, public and government organizations. Frank also works with clients to support their needs for forensics hardware, software, and services.

      Investigating Mobile Phones, Smartwatches and Cloud with MOBILedit Forensic

      Webinar Overview

      Join us as we explore the latest developments in the forensic investigation of mobile phones, smartwatches and clouds with MOBILedit Forensic. Focusing on smartwatch analysis, this webinar will go over how smartwatches can be examined to gain additional evidence and what that can mean for your investigations.

      Due to the information contained in this presentation, it is not publicly available. Please contact us at events@teeltechcanada for a viewing link.

      About the Presenter – Anthony Wright

      Anthony currently works throughout Europe, North America, and Oceania supporting law enforcement agencies and digital investigators with their efforts in retrieving evidence from phones, smartwatches, and clouds. Before entering the field of digital forensics, Anthony was a foreign language teacher after earning a Bachelor of Arts in Germanic Studies and Criminal Justice at Colorado State University.

        Monolith Forensics  | Webinar

        3 Strategies to Reduce the Load on Your Digital Forensics Lab

        Every forensics lab has a series of workflows to manage that slow everything down. We will discuss 3 major features in Monolith that are designed to ease the burden on the lab by streamlining some of these common workflows like evidence intake, case reporting, and metrics reporting.

        About Matt Danner

        Matt Danner is the Owner/Founder of Monolith Forensics and the lead developer of Monolith, a case and evidence management system for digital forensics.  Before working on Monolith full time, he was a DFIR professional with 10 years of experience working for organizations in both the public and private sectors.  Matt regularly offers services as a forensics expert/consultant to clients to maintain his skill set and to stay on top of forensic trends and practices.

        Email: matt@monolithforensics.com
        Monolith Forensics on LinkedIn

          TALINO Forensic Workstation | Webinar

          MARCH 31, 2022  – 11 am PDT / 2 pm EDT

          Join Teel Tech Canada host Frank Corkery as he discusses TALINO Forensic Workstations with Sumuri Senior Sales and Support Manager Sam Deckoff.

          In this 45-minute deep dive into the TALINO Forensic Workstation, we’ll learn more about the overall design and components used, and discover how this machine was developed for forensic investigators by forensic investigators.

          This presentation will be followed by a Q&A.

          About Sam Deckoff

          Sam joined SUMURI in July 2018. Before that, Sam worked as a Math instructor and tutor at Delaware Tech in Dover. He has degrees in Computer Network Engineering and Information Systems Management and is a Certified Forensic Computer Examiner. He has a solid 20 years of experience in building and fixing computers, making him a strong team leader for the TALINO Division as its Senior Manager. He’s an avid gamer and is a passionate fan of fighting games, speed running, and their communities.

            How RECON LAB Is Changing MacOS Analysis | Webinar

            RECON LAB has a new look and some new updates!

            Join Teel Tech Canada hosts Frank Corkery, Dave Burton, and SUMURI co-founder Steve Whalen as they take a look at all the new features that RECON LAB 1.5.0 has to offer. With a new UI look and a whole host of new features, Steve will run you through how this new version of RECON LAB can change the way you do macOS analysis.

            RECON LAB, SUMURI’s newest flagship forensic suite, provides:

            • the most advanced Mac analysis and reporting available
            • WYSIWYG Reporting with Chronological Analysis, which it is the first to introduce
            • support for over 270 unique timestamps
            • Windows, Mac, iOS, Android, and Google Takeout automated analysis

            About SUMURI Co-Founder Steve Whalen, CFCE

            • Has over 15 years of investigative experience as a trooper with the Delaware State Police.
            • First full-time Computer Forensic Examiner with the Delaware State Police – High Technology Crimes Unit.
            • Conducted examinations on thousands of different types of digital media and hundreds of investigations since 1997.
            • Recognized as a Certified Forensic Computer Examiner (CFCE) through the International Association of Computer Investigative Specialists (IACIS).
            • Regularly instructs law enforcement, government, and corporate examiners both nationally and internationally in computer forensics.
            • Recognized as a Certified Instructor in the fields of computer forensics, Anti-terrorism (cyber), law enforcement, and Internet Safety education.
            • Architect of PALADIN, RECON, CARBON software suites, and TALINO Forensic Workstations.
            • Founder and Chief Product Officer for SUMURI LLC