The call came from a woman in her late fifties. Her husband had died of a sudden cardiac event three weeks earlier, and she was trying to recover the last videos he had taken of their grandchildren — a birthday party, a backyard barbecue, an ordinary Tuesday that turned out to be his last.

His iPhone 14 was locked. She didn't know the passcode. He had never set up Family Sharing, never turned on iCloud Photos, never set up a Legacy Contact in Apple's settings. She had tried the dates that mattered to him — birthdays, their anniversary, the year they moved to Canada — and gotten nowhere. On her twelfth attempt, the phone disabled itself.

This is one of the most common cases we receive. And it is also one of the most misunderstood.

What Most People Believe (and Why It's Wrong)

There's a persistent idea — reinforced by crime dramas and tech news headlines — that forensics labs can simply "crack" a locked iPhone. Hand it over, wait a few days, get the data back.

The reality is more complicated. Modern iPhones are, by design, among the most difficult storage devices in the world to extract data from without the owner's cooperation. Apple built it that way deliberately, and the security is real.

Understanding what a forensics lab can actually do requires understanding what's standing in the way.

The Lock Is Not Just Software

When you set a passcode on an iPhone, you're not just creating a login screen. You're triggering a hardware encryption system built into the chip itself.

Every iPhone since the 5s contains a dedicated security processor called the Secure Enclave. Its only job is to manage cryptographic keys. The key that decrypts your data is derived from two things: a hardware identifier burned into the chip at the factory, and your passcode. The Secure Enclave holds one half; your passcode provides the other.

This means the data on the device is encrypted at rest. Without both halves of the key, the contents of the flash storage are unreadable — just random-looking bytes. And because one half of the key never leaves the chip, the decryption cannot happen anywhere else. You cannot pull the storage chip, attach it to another machine, and read the contents. You cannot clone the device and brute-force it in parallel. The decryption must happen on that specific phone.

The Secure Enclave also enforces attempt limits. After six wrong passcode attempts, the phone introduces mandatory wait times — one minute, then five, then fifteen, then sixty. If the device owner had enabled "Erase Data After 10 Attempts," the phone wipes itself on the tenth failure. If not, the phone will keep enforcing delays indefinitely.

On an iPhone with a six-digit numeric passcode, there are one million possible combinations. At sixty-second delay intervals, methodically trying every combination would take well over a year — assuming the phone never erased itself, and assuming you could somehow automate the attempts, which the Secure Enclave is specifically designed to prevent.

This is not a weakness in Apple's implementation. It is working exactly as intended.

What "Brute Force" Actually Means in a Lab

When forensics professionals talk about brute-forcing a locked iPhone, they don't mean typing in passcodes manually. They use specialized hardware tools — purpose-built devices that connect to the iPhone and attempt to interact with the Secure Enclave at a lower level than the normal software interface.

The two most significant tools in this space are Cellebrite Premium and GrayKey (developed by Grayshift). Both are enterprise-grade, law enforcement-oriented tools that cost tens of thousands of dollars and are sold only to vetted agencies and certified forensics firms.

These tools exploit implementation-level vulnerabilities in the Secure Enclave's boot process or iOS itself — vulnerabilities that Apple patches with each major iOS update. Their effectiveness is therefore directly tied to the iOS version running on the device and the chip generation.

Here is the honest picture as of mid-2026:

The woman who called us had her husband's iPhone 14 on iOS 17. It was the hardest category we work with.

BFU vs. AFU: The State of the Device Matters Enormously

One of the most important variables — and one that families rarely know about — is whether the phone had been unlocked since its last reboot.

When an iPhone is first powered on, or immediately after a restart, it enters a state called BFU — Before First Unlock. In this state, the vast majority of the device's data remains fully encrypted. Even if a forensics tool successfully bypasses the passcode, it can only see a fraction of the phone's content: basic metadata, some system files, and certain low-security app data.

Once the owner has entered their passcode at least once after a reboot, the phone transitions to AFU — After First Unlock. In this state, the encryption keys for most user data are held in memory. This makes forensic extraction dramatically more useful. If a device is seized or received in AFU state and kept powered on, the accessible data is far richer.

Most phones received from grieving families have been sitting on a charger for days or weeks. They may have auto-restarted due to software updates, or they may have been intentionally rebooted when family members tried various passcode combinations. If the device is in BFU state, even a successful extraction yields limited results.

The husband's iPhone 14 had been powered on and off multiple times since his death. It was firmly in BFU state. Whatever extraction path existed, it would reach only a portion of the data.

The Path We Actually Recommend First

Before any forensic tool is considered, every case involving a deceased person should begin with Apple's Digital Legacy program.

Apple introduced Digital Legacy in iOS 15.2. It allows iPhone owners to designate specific people — Legacy Contacts — who can request access to their iCloud account after death. With a death certificate and the access key generated when the Legacy Contact was set up, Apple will transfer the iCloud data to the surviving contact within a few weeks.

If no Legacy Contact was set up (as in this case), family members can still apply directly to Apple with a death certificate and proof of relationship. Apple reviews these requests and, in many cases, will provide access to the iCloud account — including iCloud Photos, iCloud Drive, Notes, and Messages (if iCloud Messages was enabled).

This process does not unlock the physical device. But if the deceased person had iCloud backups or iCloud Photos enabled, it may provide exactly what the family is looking for without any forensic work at all.

In this case, the husband had iCloud Photos enabled but had not used iCloud for backups. Apple's Digital Legacy process gave his wife access to 4,200 photographs — including the birthday party, the barbecue, and the Tuesday that turned out to be his last. The videos she was looking for were there.

The physical phone, for the purposes of her photos, was irrelevant.

When Apple's Process Isn't Enough

Digital Legacy covers iCloud data. It does not cover what exists only on the physical device: notes that were never synced, messages on apps without cloud backup, voice memos, locally saved files, or data from apps that don't connect to iCloud.

For families in this situation — where the irreplaceable content is on the device and nowhere else — a forensic examination of the physical phone may be the only option.

The realistic outcomes depend on the variables above: device model, iOS version, device state, and passcode type. We assess all of these before making any commitment to a client about what's achievable.

In cases where forensic extraction is possible, we perform a full logical or physical extraction using professional tools, document our methodology, and return the data in a format the family can actually use — not a raw evidence package, but organized, readable files.

In cases where the device is forensically inaccessible — an iPhone 15 on current iOS, a device in BFU with no known extraction path — we say so clearly, before any invoice is issued. We would rather disappoint a family early than take their money for work that cannot succeed.

A Note on Legality

Accessing another person's device without authorization is a criminal offence in Canada under the Criminal Code and the PIPEDA framework. The death of the owner does not automatically transfer access rights.

The appropriate parties to authorize forensic access to a deceased person's device are the estate executor (identified in the will), the next of kin, or a court order. We require documentation confirming authorization before beginning any examination — not as a procedural formality, but because chain of custody matters if the data is ever needed in an estate dispute, a legal proceeding, or a coroner's inquiry.

What You Should Do If You're in This Situation

If you have a loved one's locked iPhone and need to access it:

  1. Do not keep guessing the passcode. Every failed attempt burns one of your limited tries and risks triggering the erase function. Stop at five or six and contact a professional.
  2. Keep the device charged and powered on. Do not restart it. AFU state preserves more recoverable data than BFU.
  3. Contact Apple first. Apply for Digital Legacy access with a death certificate. Even if you don't think the data is in iCloud, it's worth checking — many people have cloud backup enabled and don't know it.
  4. If Apple's process doesn't cover what you need, speak to a forensics lab before assuming the phone is a dead end. Outcomes depend heavily on the specific device and software version.

The phone sitting in your drawer may be accessible. It may not be. The only honest answer requires looking at the specific device.

We work with families, estate lawyers, and administrators on next-of-kin device access. Every case starts with a scoped consultation before any work begins. Contact us to discuss your situation.