Valtik Studios
Back to blog
Mobilehigh2026-04-1514 min

What Police Can Actually Extract From Your Phone in 2026

Cellebrite and GrayKey extractions pull every message, photo, location, and authentication token from your phone. A digital forensics and consumer cybersecurity guide with opsec hardening tips.

The two states of your phone

Your phone exists in one of two forensic states:

AFU (After First Unlock). you've entered your passcode at least once since the last reboot. Encryption keys are in memory. Forensic tools can extract most data.

BFU (Before First Unlock). The phone has been rebooted and no passcode entered. Encryption keys are locked in the Secure Enclave. Extraction is dramatically harder.

This distinction matters more than anything else when police seize your phone.

What Cellebrite can do in 2026

Cellebrite's Spring 2026 release (UFED) supports:

  • iPhone 17 and iOS 26. full filesystem extraction on AFU devices
  • Drone forensics. flight logs, recorded video, GPS coordinates
  • Cloud token extraction. pulling authentication tokens to access cloud backups
  • App-level data. Signal, WhatsApp, Telegram message databases (if device is in AFU)

What GrayKey can do

GrayKey (now owned by Magnet Forensics) has more limited iPhone capabilities:

  • iOS 18+: partial data only. some unencrypted files and metadata
  • Older iOS: full filesystem access on AFU devices
  • ICE signed a $3M contract with Magnet Forensics in September 2025

Apple's silent countermeasure

iOS 18.1 introduced "inactivity reboot". Your phone automatically restarts after 72 hours of inactivity. After reboot, it enters BFU state, locking all encryption keys. Apple never announced this feature publicly. It was discovered by security researcher Jiska Classen.

This directly counters the forensic playbook: police would seize a phone, keep it powered on and in a Faraday bag (to prevent remote wipe), and extract it days later while it remained in the easier AFU state. Now, after 72 hours, the phone locks itself.

Where the law stands

Courts are split on whether police can force you to use biometrics to unlock your phone:

  • D.C. Circuit (2025): Forcing fingerprint unlock violates the Fifth Amendment
  • Ninth Circuit (2024): Forced biometric unlock is NOT testimonial, so it's allowed
  • The Supreme Court case that could have resolved this was mooted when all January 6 defendants were pardoned

Practical advice: Use a strong alphanumeric passcode, not Face ID or fingerprint alone. Disable biometrics before any encounter with law enforcement (hold power + volume on iPhone to trigger Emergency SOS, which also disables biometrics).

cellebritedigital forensicsmobile securityopsecdata privacyconsumer cybersecurityprivacyresearch

Want us to check your Mobile setup?

Our scanner detects this exact misconfiguration. plus dozens more across 38 platforms. Free website check available, no commitment required.

Free Security CheckRequest Full Audit
Related Reading
Forensics17 min
Digital Forensics: Exactly What They Can Pull From Your Devices
Cellebrite and GrayKey extract every message, location, authentication token, and deleted file from your phone — when the device is in AFU s
Apple10 min
Apple's Secret Feature That's Breaking Police Forensic Tools
Apple's iOS 18.1 Inactivity Reboot feature automatically returns iPhones to BFU state after 72 hours, blocking Cellebrite extractions. The b
Signal11 min
Your iPhone Remembers Your Signal Messages Even After You Delete Them
Signal notifications on iOS expose message previews that survive device extraction even with disappearing messages enabled. A mobile securit