Your device was seized. Here’s what they can extract in 6 hours.

Short answer

Six hours is a conservative estimate. With a Cellebrite UFED and an unlocked device, it is faster. What they extract: message history, deleted files, EXIF metadata from photos, browser history, app databases, cloud account access via active sessions. What limits them: a strong alphanumeric passphrase, USB Restricted Mode enabled, Signal with disappearing messages, no iCloud backup.

Six hours is a conservative estimate. With the right equipment and an unlocked device, it’s faster.

What follows is what forensic extraction actually looks like from the other side of the table.

The first 15 minutes: physical access

The device is connected to a forensic extraction tool. Cellebrite UFED is the most common. GrayKey for iPhones in some jurisdictions. The tool attempts to bypass screen lock, either through known exploits specific to the device model and iOS or Android version, or by using a brute-force approach against a numeric PIN.

A six-digit PIN on a modern iPhone with USB Restricted Mode disabled can be bypassed in minutes with current tools if the device is below iOS 17.4. A strong alphanumeric passphrase without USB Restricted Mode enabled buys time. Not permanent protection. Time.

USB Restricted Mode, enabled in Settings, disables data transfer over the Lightning or USB-C port if the device has been locked for more than an hour. It significantly complicates the extraction process. Most journalists don’t know it exists.

The first hour: what survives encryption

A modern iPhone with a strong passcode is significantly harder to extract than people assume. Full-disk encryption means that without the passcode, the data is inaccessible even to Apple, even under court order.

What is not protected by device encryption: the SIM card. Your phone number, your call log as stored on the SIM, your contact list if stored on the SIM rather than the device. These are accessible immediately, without bypassing device encryption.

What is also not protected: cloud backups. If iCloud backup is enabled, a significant portion of your device data is sitting on Apple’s servers. Apple can and does respond to valid legal requests for iCloud data. Device encryption means nothing if the backup is in the cloud.

Hours two through four: the accounts

If the device is unlocked, active browser sessions are accessible. This includes any logged-in Gmail, WhatsApp Web, Slack, cloud storage, or other accounts that remain authenticated.

WhatsApp: end-to-end encrypted in transit. Backup is the vulnerability. If WhatsApp backup is enabled to iCloud or Google Drive, the backup is not end-to-end encrypted by default. The full message history is recoverable from the cloud without touching the device.

Signal: correctly used, the most resilient messaging app to physical device seizure. Disappearing messages mean there is less history to recover. A seized device with Signal and disappearing messages enabled contains significantly less recoverable communication history than any other messaging app.

Email: every email ever sent or received through a non-encrypted provider exists somewhere. On the device if not deleted. On the provider’s servers if deleted from the device. In the recipient’s inbox regardless of what the sender did.

Hours four through six: reconstruction

Forensic tools do not simply read files. They reconstruct deleted data from unallocated storage space. They read application databases that most users don’t know exist. They extract metadata from photos, showing where images were taken, when, and sometimes with what device in proximity.
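Why a deleted message is still recoverable, as an added example (not code from this article or from any forensic tool). It assumes the app stores its messages in SQLite, which is common on iOS and Android; the table name and message text are constructed.

```python
import os
import sqlite3
import tempfile

MARKER = "meet at the north gate 21:30"  # constructed sample message


def marker_survives_delete(secure_delete=False, vacuum=False):
    """Delete a row, then report whether its text is still in the raw file."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        conn = sqlite3.connect(path)
        # Set explicitly: the compiled-in default differs between builds.
        mode = "ON" if secure_delete else "OFF"
        conn.execute(f"PRAGMA secure_delete={mode}")
        conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
        conn.executemany(
            "INSERT INTO message (body) VALUES (?)",
            [("hello",), (MARKER,), ("see you",)],
        )
        conn.commit()
        conn.execute("DELETE FROM message WHERE body = ?", (MARKER,))
        conn.commit()
        # The app's own view: the row is gone.
        remaining = conn.execute("SELECT count(*) FROM message").fetchone()[0]
        if remaining != 2:
            raise RuntimeError("delete did not take effect")
        if vacuum:
            conn.execute("VACUUM")  # rebuilds the file without freed space
        conn.close()
        # The examiner's view: the raw bytes of the database file.
        with open(path, "rb") as fh:
            return MARKER.encode() in fh.read()
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("plain DELETE         :", marker_survives_delete())
    print("secure_delete=ON     :", marker_survives_delete(secure_delete=True))
    print("DELETE then VACUUM   :", marker_survives_delete(vacuum=True))
```

Only the database file itself is checked here; copies in journals, backups or flash storage that has not yet been erased are outside what this shows.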

A photo taken at a source meeting, even if never shared, may contain GPS coordinates in the EXIF metadata. If that photo is on the device or in the cloud backup, it places you at a location at a time.

What actually limits the extraction

A strong alphanumeric passphrase, not a PIN. Six characters is not enough. Ten or more, with mixed case and symbols, significantly extends the time required for brute-force approaches.

USB Restricted Mode enabled. One setting. Genuinely effective against the most common extraction tools. Settings > Face ID & Passcode > USB Accessories: OFF.

iCloud backup disabled for sensitive apps. Selective backup is available. Turning off backup entirely is more reliable.

Signal with disappearing messages. The history that doesn’t exist can’t be recovered.

A travel device: a phone used only for travel to high-risk environments, containing nothing that links to your identity or your sources, reset to factory settings before crossing any border. (See: border agents seized a journalist’s laptop.)

Frequently asked questions

What is Cellebrite UFED?

Cellebrite UFED (Universal Forensic Extraction Device) is the forensic extraction tool most widely used by law enforcement worldwide. It can bypass certain device locks and extract data including messages, photos, deleted files, and app databases from both Android and iOS devices.

Does iCloud backup compromise device encryption?

Yes. Device encryption protects data when your phone is off or locked. But if iCloud backup is enabled, a significant portion of your data is also stored on Apple’s servers and Apple can and does respond to valid legal requests.

What does USB Restricted Mode do?

USB Restricted Mode disables data transfer over the Lightning or USB-C port if the device has been locked for more than one hour. This prevents forensic extraction tools like Cellebrite from accessing the device without first unlocking it. Enable it in Settings > Face ID & Passcode > USB Accessories: OFF.

The thing nobody tells you

Most of what’s extractable from a seized device isn’t what you put there intentionally. It’s the metadata generated automatically by the operating system, the apps, and the network.

You cannot retroactively remove what’s already there. You can change what you generate from today forward. And you can make the access to what exists as difficult as possible before the moment it matters.


The question isn’t whether your device can be seized. It’s what they find when it is.

Affiliate disclosure: this article contains a link to Proton. We only affiliate with tools we use and trust.

There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
