Case Study 2 — The Phone That Could Not Be Saved

A widow's only copy of her late husband's last videos lived on a locked, modern iPhone with no backup. Another shop had already charged her $900 to "chip-off and recover it," and failed. This is the cautionary contrast to the easy win: the encryption wall is real, it does not negotiate, and the most important skill in the room is the honest, kind "no."

Background

The phone in this case is the one that opens the chapter. A woman set her late husband's iPhone on the bench — two generations old, the back slightly swollen from a failing battery, dead since the funeral four months earlier. On it, she believed, were the last videos of him, voicemails she had never deleted, and a photo from the lake that she had never printed. There was no backup. He had never plugged the phone into a computer. He had switched off iCloud because he did not trust "the cloud." She did not know the passcode.

She had already been somewhere else first. A storefront repair shop had taken the phone for two weeks and $900, told her they would "chip-off the memory and extract everything," and then returned it with an apology and a vague explanation about "the encryption being too new." She arrived at your bench believing two contradictory things at once: that the data was extractable by someone competent, and that she had been failed by someone incompetent. Part of your job — the human part, theme #6 of this book made painfully literal — was to tell her a harder truth than either.

This is the deliberate contrast to Case Study 1. There, a living, AFU phone with a trusted laptop was a thirty-minute win. Here, a dead, never-backed-up, modern iPhone with an unknown passcode is the wall — and no amount of skill, money, or equipment moves it.

The investigation, and the wall

You ran the same triage tree, and it terminated quickly. Authority was the first question, and it was answered carefully: she was the spouse and, with the estate's executor's written authorization, the lawful party to attempt recovery — but authority to try is not capability to succeed. The device powered on only to a black, swollen state; the battery had to be replaced before it would even reach the lock screen. Once it did, the situation was unambiguous: a Secure Enclave iPhone, BFU (it had fully discharged and rebooted months ago, so no keys were live), passcode unknown, encryption on by default.

Why the previous shop's chip-off was doomed is worth stating in the plain language you used with her. The iPhone's files are encrypted with keys that ultimately depend on a secret — the UID — fused into the Secure Enclave on the logic board. The flash chip (the NAND) holds only ciphertext and an encrypted keybag; the secret that unlocks the keybag never leaves the SEP and cannot be read or copied:

   What a chip-off of this iPhone physically recovers:
   ───────────────────────────────────────────────────
   NAND package  ─────▶  ~64 GB of AES-encrypted bytes  +  encrypted keybag
                          (the "safe", perfectly copied)

   What it does NOT recover:
   ───────────────────────────────────────────────────
   UID key  ──────▶  fused inside the Secure Enclave, never readable,
                     and the NAND is cryptographically PAIRED to THIS SEP
                     (a donor board's SEP produces different keys → nothing)

So the $900 chip-off, even performed flawlessly, could only ever have produced "a perfect copy of an unbreakable safe." The escalating delays and attempt limits that would defeat any passcode guessing live inside the SEP, not in the NAND, so the 2016-era "NAND mirroring" trick that beat the SEP-less iPhone 5c does nothing here either. The technology changed; the principle — learn where the secret physically lives — is what tells you the job is impossible before you pick up a soldering iron.

You did not stop at "no" without first squeezing every legitimate avenue, and you documented each as you closed it:

  • Computer backup? You searched her laptop and his — MobileSync\Backup\ on the Windows machine, Library/Application Support/MobileSync/Backup/ on the Mac. Nothing. He had genuinely never synced.
  • Cloud account? iCloud Backup was off; the account, when the executor pursued it, held no device backup and no Photos library. His distrust of "the cloud" had been thorough.
  • Trusted computer for an AFU pull? Irrelevant — the phone was long since BFU, and no pairing record existed anyway.
  • Removable card? iPhones have no card slot.
  • Digital Legacy? You explained Apple's Digital Legacy program (a designated Legacy Contact plus a death certificate) as the sanctioned route to an Apple account — but he had named no Legacy Contact, and the account held nothing to retrieve regardless.

Every branch ended in the same place. The data on the phone was intact — every bit of those last videos still physically present in the NAND — and permanently unreadable. You told her so: clearly, specifically, and without false hope. You did not charge her for the impossible attempt. You replaced the swollen battery at cost so the phone was at least safe to keep, confirmed once more that it reached only the passcode prompt, and walked her through the one thing that was in her power — preserving the device untouched in case, years from now, the legal-forensic landscape shifts (a possibility you described honestly as unlikely, not as a sales hook).

The analysis

  1. The wall is mathematics, not effort. For a modern, passcode-protected, encrypted iPhone with no backup and no passcode, recovery is not hard — it is impossible by legitimate means. No bench, budget, or skill changes the outcome, because the missing element is a key that exists nowhere you can reach.

  2. Chip-off on a Secure Enclave iPhone is theater. The data's keys depend on the UID inside the SEP, and the NAND is paired to that SEP. A flawless desolder yields ciphertext and a donor board cannot help. The previous shop either did not understand this or did — and the difference between those two is the difference between incompetence and fraud.

  3. Exhaust — and document — the legitimate avenues before you say no. Backup, cloud, trusted-computer AFU pull, card, Digital Legacy: each was checked and each was recorded as closed. The honest "no" is credible precisely because it is the end of a thorough search, not a shrug at the start of one.

  4. The honest "no" is a complete professional finding and an act of care. "The data cannot be recovered" lets a grieving person stop paying for hope and begin to grieve the loss. Stringing her along through a sequence of paid "attempts" would have been the cruelest possible service dressed as the kindest.

  5. Recovery is not forensics, and neither is fraud. The only context in which a locked phone's passcode is legitimately attacked is forensics under legal authority, with tools that are model-, version-, and state-dependent and that frequently fail even in that arena (Chapter 24). That is not a service a private recovery shop can sell, and pretending otherwise — as the first shop did — is exactly the conduct Chapter 28 — Ethics warns against.

Discussion questions

  1. The first shop charged $900 for a chip-off that could not work. Distinguish the two possibilities — they did not understand the Secure Enclave, or they did — and describe what your obligations are toward the client in each case. Does it change what you tell her?

  2. The husband's distrust of "the cloud" is what doomed the recovery. Argue both sides: in what ways did his choice protect his data, and in what way did it destroy it? How does this connect to "crypto erase" being good security advice?

  3. Walk the exact same intake but change one fact: the phone is AFU when it arrives (it never fully discharged). Does the answer change? What would you attempt, and what would still be off-limits without the passcode?

  4. You replaced the battery at cost and preserved the device rather than declaring it worthless. Was that the right call, or does it risk feeding false hope? How would you phrase the "preserve it, but do not count on it" conversation?

  5. ⭐ Suppose that six months later law enforcement, investigating an unrelated matter, lawfully seizes this exact phone under a warrant. Explain why a forensic lab might now attempt what you could not — and why "might" is doing enormous work in that sentence. What separates their authority and toolset from yours, and why is success still far from guaranteed?