The scenario comes up across different case types — estates, family disputes, workplace investigations, insurance matters. A locked iPhone arrives, or a client calls before sending one. Before they get to the legal situation, they mention something almost as an aside: they tried a few guesses. A birthday. A pet's name. A significant date. "Just the obvious ones," they say. "Couldn't have been more than a handful."

A handful on an iPhone is not a handful. It can be everything.

When that device arrives at our lab and we connect it to our forensic workstation, the screen often tells us exactly what those guesses cost: iPhone is disabled. One or two attempts remain before the Secure Enclave destroys the decryption key and the contents of the device become permanently unrecoverable.

We have to tell the client we cannot proceed.

The scenarios in this article are illustrative composites drawn from patterns across many engagements — not descriptions of any specific case or client.

What the attempt counter actually is

Most people think of iPhone passcode lockouts as a nuisance — the brief timeout that appears when a child gets hold of a phone and mashes the screen. That mental model is wrong in a way that costs people evidence.

The attempt counter is enforced not by iOS software, but by Apple's Secure Enclave Processor — a dedicated security chip that is physically separate from the main CPU and runs its own firmware. The Secure Enclave holds the cryptographic keys that protect the entire contents of the device. Without those keys, the data on the NAND storage is random-looking encrypted ciphertext. With them, it's your messages, photos, notes, and financial records.

The Secure Enclave enforces the attempt counter in hardware. No software exploit, no forensic tool, no firmware modification can reset it or bypass it from outside the chip. The counter is the counter. When it reaches zero, the chip destroys the key material it holds — and without those keys, the data is mathematically unrecoverable. Not difficult to recover. Not recoverable with better equipment. Unrecoverable.

The attempt ladder

Apple's default lockout behaviour increases in severity with each wrong attempt:

Wrong attempts What happens Forensic consequence
1 – 5 Immediate retry permitted None — full window still open
6 iPhone disabled for 1 minute Attempt budget reduced to 4
7 iPhone disabled for 5 minutes Attempt budget reduced to 3
8 iPhone disabled for 15 minutes Attempt budget reduced to 2
9 iPhone disabled for 60 minutes Attempt budget reduced to 1
10 iPhone is permanently disabled — or erased, if "Erase Data" is on Data unrecoverable

The timeout delays are not just inconvenient — they are rate-limiting mechanisms that make systematic guessing take days or weeks for short codes and years or centuries for longer ones. But those delays only matter when you're working from a clean slate. If a client has already used seven of ten attempts before the phone reaches us, we have three guesses left to work with. Three. On a device that could have any combination imaginable as its passcode.

The “Erase Data” setting changes everything

There are two possible outcomes at attempt ten, and they are not the same.

On most consumer iPhones, "Erase Data After 10 Failed Attempts" is off by default. On those devices, attempt ten produces a permanently disabled state — the screen displays "iPhone is disabled, connect to a computer" — but the encrypted data is still there on the NAND storage, behind a Secure Enclave that will not accept any more guesses without being reset through Apple's factory restore process. Factory restore erases the device. The data is gone not because it was deleted, but because the key is gone.

On devices where the user explicitly enabled the Erase Data setting — common among security-conscious users, corporate-managed devices, and anyone who followed the security guidance Apple has published for years — attempt ten actively wipes the device. iOS deletes the encryption key, marks the storage blocks as free, and begins the erase process immediately. The data isn't just locked behind a missing key; the key has been deliberately destroyed and the storage overwritten.

In either case, the practical forensic result is the same: there is nothing left to recover.

What forensic tools can and cannot do

Clients sometimes arrive at our lab having read about professional forensic tools capable of passcode recovery on iPhones. They assume that once the device is in our hands, the attempt counter no longer matters — that professional tools bypass Apple's security and work outside the normal rules.

They do not. Every legitimate passcode recovery technique for current-generation iPhones, whether used by law enforcement or private forensic laboratories, works through the Secure Enclave. The chip itself must evaluate each candidate passcode and report whether it matches. Each evaluation consumes one attempt. Professional tools automate and optimize this process, but they cannot bypass the counter any more than a finger pressing the screen can. (Devices with Apple's A11 chip or earlier — iPhone X and older — have a different security architecture with some additional forensic options; if your device falls into that category, the picture is more nuanced. For any iPhone released from 2018 onward, there is no known method that removes attempts from the counter without consuming them.)

On modern iPhone hardware, the Secure Enclave also enforces a minimum time delay between attempts in firmware — independent of the lockout timer visible on screen. This hardware-enforced delay means that even with optimized professional tooling, passcode recovery on current-generation devices is measured in hours or days for short numeric codes, and is not feasible at all for longer alphanumeric passcodes.

When a client pre-burns eight or nine attempts before bringing us the device, they have not merely slowed us down. They have reduced our effective attempt window to one or two guesses — a window in which no systematic recovery is possible. We would need to know the passcode to use those remaining attempts safely.

What we can recover without the passcode

A locked iPhone in what forensics practitioners call BFU (Before First Unlock) state — meaning the device has been powered off or restarted and the passcode has not yet been entered once — is significantly more limited than a device in AFU (After First Unlock) state. But it is not nothing.

From a BFU iPhone, depending on the device and iOS version, we may be able to extract:

This is a fraction of what a full filesystem extraction yields. The messages, photos, encrypted notes, financial app data, and deleted file remnants that are typically the focus of forensic investigations are encrypted under keys that require the passcode to derive. Without the passcode, that content is not accessible.

The alternative path is through the cloud. If the device was configured with iCloud Backup, the most recent backup held on Apple's servers may be producible through a legal process or accessible via a privacy data request under the account holder's credentials. But iCloud backups are point-in-time snapshots, not live mirrors — and they exclude certain categories of data that are only stored locally on the device. They are also unavailable if the user had iCloud Backup disabled, had run out of iCloud storage, or had not backed up recently.

The scenario we see most often

The estate scenario from the opening of this article is one version. The more common version involves a workplace investigation.

An employee is terminated under suspicion of misconduct. HR seizes the company-issued iPhone. Before anyone calls legal counsel — before anyone calls us — someone tries a few guesses. Common numbers. Workplace-related codes. Things that seem obvious in the moment.

By the time the device arrives at our lab, it has been through seven or eight attempts. The screen is locked. The team wants a full extraction of messages, emails, and documents. We have to explain that those guesses — each individually harmless-seeming — have together put the investigation in a position where any further attempt risks permanent destruction of the evidence they are trying to preserve.

In those cases, we can sometimes still proceed — carefully, with a detailed risk briefing to counsel and explicit written authorization to continue — using the remaining attempts on passcodes that are statistically most likely for that individual. But the margin for error is gone. And if we exhaust the remaining attempts without finding the right code, the investigation ends there.

The right protocol when a locked device becomes evidence

The guidance here is straightforward and does not require technical expertise to follow:

  1. Do not touch the passcode field. Not even once. Not even to "try the obvious ones." There are no free guesses.
  2. Put the device in airplane mode immediately — or better, turn it off completely. A connected device can receive a remote wipe command. A powered-off device cannot. If the device needs to stay on for operational reasons, airplane mode prevents remote erasure while preserving the current state.
  3. Place it in a sealed evidence bag and note the time, the battery level if visible, and who has had access to it.
  4. Contact forensic counsel or a certified mobile forensics examiner before doing anything else. The passcode recovery window and the BFU/AFU state of the device both matter enormously for what we can do, and we need to know the device's exact state before we touch it.

If you are a lawyer who has just been handed a locked iPhone by a client, the same rules apply. Your client almost certainly tried a few guesses before retaining you. Find out how many before you commit to a forensic examination strategy. The answer changes what is possible.

When it's already too late

We receive inquiries from people who have already hit ten attempts, or who received a device that had already been wiped before they understood what was happening. In those cases, the honest answer is that the on-device evidence is gone.

That is not always the end of the road. Depending on what the investigation is actually about, there may be recoverable paths:

None of these are substitutes for a full device extraction. But they are often enough to reconstruct the key facts of an investigation, and in our experience, they are underutilized because clients assume that a wiped phone means a dead investigation.

It does not. It means the investigation has to work harder and look elsewhere. We can help with that. What we cannot do is recover data that the Secure Enclave has already destroyed.


Data Rescue Labs performs iOS and Android forensic examinations for law firms, corporations, and individuals across Canada. If you have a locked device that may contain evidence — and you haven't touched the passcode — call us before you do anything else. Our Mobile Forensics team handles time-sensitive device preservation and passcode recovery. Open a case for an immediate consultation.