Understanding the lock state of a mobile device—BFU or AFU—is key to maximizing the amount of recoverable data in any forensic investigation. With encryption becoming more sophisticated, the window of opportunity to access certain types of data is narrowing. By recognizing these states and acting accordingly, investigators can ensure that valuable digital evidence is preserved and extracted effectively.

When a mobile device is collected as digital evidence, one of the most critical factors to consider is its lock state. Whether the phone is running iOS or Android, its lock state plays a major role in how much data can be extracted. Devices may be in one of two primary states: Before First Unlock (BFU) or After First Unlock (AFU). These states determine how much information is accessible during forensic analysis, due to the implementation of file-based encryption (FBE) in modern mobile operating systems.

Why Lock States Matter

Modern mobile operating systems use file-based encryption: on Android it is available starting from Android 7.0 and required from Android 10 onward, and all supported iOS versions use it. Under this security model, different files on a device are encrypted with unique keys that become accessible only after the user enters their passcode at least once after a reboot.

Because of this, if a device is in the BFU state, much of the user-generated data remains encrypted and unavailable, even with forensic tools. On the other hand, if the device is in the AFU state, more data becomes accessible. Recognizing and preserving a device’s lock state is essential in maximizing evidence collection.

BFU vs. AFU Extractions: What’s the Difference?

| Attribute | BFU Extraction | AFU Extraction |
| --- | --- | --- |
| Lock State | Before passcode is entered after reboot | After passcode is entered post-reboot |
| User Data Access | Very limited | Substantial (~95% of filesystem) |
| Type of Data | System logs, metadata, cached content | Chats, photos, browsing history, app data |
| Key Limitation | No access to encrypted file keys | Keys are in memory, files are accessible |

Best Practices for Digital Evidence Collection

Preserve the Lock State

If the device is in AFU, do everything possible to keep it powered on. AFU iPhones need to be preserved within 72 hours of seizure to ensure the device’s data is obtainable. The Teel Tech Canada services team has these capabilities.

Avoid Reboots

A reboot can reset the state to BFU and lock away critical data.

Isolate the Device

Use Faraday bags to prevent remote wipes or data syncing. Airplane mode on newer model phones no longer keeps the device off the network.

Document Everything

Note the lock state, battery level, and any interaction with the device.

Consult Experts

If you’re unsure about the lock state or extraction potential, contact our office to learn more.

BFU: Before First Unlock

A mobile device is in the BFU (Before First Unlock) state when it has been restarted or powered off and has not yet had its screen lock passcode entered. In this state, the encryption keys necessary to unlock the majority of the file system remain inaccessible.

iOS Behavior in BFU:

  • Notification Center, Control Center, and widgets are disabled.
  • Face ID/Touch ID won’t work until the passcode is entered.
  • Attempting to unlock prompts the message: “Your passcode is required when iPhone restarts.”

Android Behavior in BFU:

  • Access to Quick Settings, camera, and phone features is restricted.
  • The lock screen typically displays a “Phone restarted” notification and the message: “Use PIN after restart.”

In this state, forensic tools can only extract a small subset of data—mainly limited to system logs, cached images, and some application-level metadata. While this information may be limited, it can still offer valuable leads depending on the context of the investigation.

Photo courtesy of Dakota University DigForCE Lab

AFU: After First Unlock

Once a user unlocks the device after a reboot, it enters the AFU (After First Unlock) state. In this state, the encryption keys are loaded into memory, allowing forensic tools to access significantly more data than in BFU.

Indicators of AFU State:

  • Full access to iOS features like the Control Center, widgets, Face ID, and app notifications.
  • On Android, Quick Settings, notifications, and app data become available.

An AFU extraction can yield approximately 95% of the data accessible via a Full Filesystem extraction. This includes:

  • Text messages
  • Call logs
  • Photos and videos
  • App data (e.g., WhatsApp, Signal)
  • Web browsing history
  • Social media interactions

However, some sensitive data like Apple Mail, Apple Health records, and granular location data remain inaccessible without the passcode and are only available through a Full Filesystem extraction.

Forensic investigators should make every effort to keep a device powered on if it is in the AFU state. Powering off the device will revert it back to BFU, potentially locking away large amounts of user data.

Photo courtesy of Dakota University DigForCE Lab
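
The key handling behind the BFU and AFU sections above, as an added example that is not code from Teel Technologies or from any forensic tool: a simplified Python model in which the three protection-class names, the toy cipher and the sample files are assumptions made for illustration. It shows why a rebooted device yields only the files whose key needs no passcode, why a locked AFU device yields most user files, and why a small class of files still requires the passcode.

```python
import hashlib, hmac, os
# Simplified model; class names are illustrative, the cipher is a toy.
CLASSES = ("device", "first_unlock", "while_unlocked")
# Constructed sample files: name -> (protection class, plaintext)
SAMPLE = {"system.log": ("device", b"boot ok"),
          "chat.db": ("first_unlock", b"hello"),
          "health.db": ("while_unlocked", b"hr=60")}

def _xor(key, data):
    # Toy stream cipher: SHA-256 in counter mode, XORed over the data.
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

class Device:
    def __init__(self, passcode, files):
        self._salt = os.urandom(16)
        kek = self._kek(passcode)
        keys = {c: os.urandom(32) for c in CLASSES}
        self._device_key = keys["device"]  # usable without the passcode
        # Passcode-protected class keys exist at rest only in wrapped form.
        self._wrapped = {c: _xor(kek, keys[c]) for c in CLASSES[1:]}
        self._check = hmac.new(kek, b"verify", "sha256").digest()
        self._disk = {n: (c, _xor(keys[c], d)) for n, (c, d) in files.items()}
        self.reboot()

    def _kek(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 10_000)

    def reboot(self):  # back to BFU: unwrapped class keys leave memory
        self._mem = {"device": self._device_key}

    def unlock(self, passcode):  # first unlock: unwrap class keys into memory
        kek = self._kek(passcode)
        tag = hmac.new(kek, b"verify", "sha256").digest()
        if not hmac.compare_digest(tag, self._check):
            return False
        self._mem.update({c: _xor(kek, w) for c, w in self._wrapped.items()})
        return True

    def lock(self):  # screen lock while AFU: only one class key is dropped
        self._mem.pop("while_unlocked", None)

    def state(self):
        return "AFU" if "first_unlock" in self._mem else "BFU"

    def extract(self):  # files readable with the keys currently in memory
        return {n: _xor(self._mem[c], ct)
                for n, (c, ct) in self._disk.items() if c in self._mem}
```

Calling `Device("1234", SAMPLE)` and then `extract()` after each of `unlock()`, `lock()` and `reboot()` shows the readable set growing and shrinking with the keys held in memory.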

Full Filesystem Extractions: The Ideal Scenario

The most complete form of mobile device data collection is a Full Filesystem extraction. This type of extraction is possible only when the passcode is known or can be brute-forced using validated forensic methods and tools.

A Full Filesystem extraction provides access to:

  • All user-generated data
  • Secure databases (Apple Mail, Health, Keychain)
  • Complete location history
  • Encrypted and protected app data

While AFU extractions offer a significant amount of evidence, Full Filesystem extractions are often the gold standard in digital forensics, especially in high-stakes cases where every data point counts.

How Teel Tech Canada Can Help!

At Teel Technologies, our forensic experts specialize in advanced mobile extractions, helping Law Enforcement, Military, and Government agencies access the crucial data needed for their case. Whether you’re facing a locked phone or need to perform a Full Filesystem extraction, our team is ready to assist.