Chapter 11 — Key Takeaways

The big idea

On phones, the comforting law of the earlier recovery chapters meets its exception. On hard drives and even SSDs, the operating principle is deleted is not destroyed — the data outlives the pointer and you can chase it down. On a modern, passcode-protected smartphone, the principle becomes encrypted is not accessible — the data is intact, every bit present, and yet unreadable because the key is bound to hardware you cannot extract. Competent mobile recovery is therefore not a technique but a decision tree: pursue the easy, high-yield wins first (backups, cloud, removable cards, broken-screen workarounds), then the physical jobs (board repair, screen swaps), and recognize the wall when you hit it — because saying "the data cannot be recovered," quickly and kindly, is itself the skill.

Run the triage tree, not a single technique

Five questions sort almost every job, in this order:

  1. Who is asking, and can they prove ownership? No clear authority → it is a legal or forensic question, not a recovery job.
  2. Is there a backup? This resolves most cases happily; ask it first.
  3. What state is the device in — boots? screen works? water/physical damage?
  4. Is it locked and encrypted? On modern hardware these are the same question, and the answer is almost always "yes."
  5. What device, exactly, and how old? A 2012 unencrypted handset and a 2024 flagship are different planets.

What works, what walls — a quick map

Situation Path Outcome
Computer (iTunes/Finder) backup exists Parse Manifest.db; copy files by SHA1(domain-relativePath) Easiest, highest yield
Cloud backup, owner has credentials + 2FA Restore / re-sync / authenticated download Strong — unless iCloud ADP (E2E)
Portable SD card (FAT32/exFAT) Image behind write-blocker; carve (JPEG FF D8 FF, HEIC ftypheic) Works — deleted is not destroyed
Broken screen, device AFU, trusted computer Pairing record → backup without the screen; or scrcpy/screen swap Works — it is an I/O problem
Water/physical damage Power off; isopropyl/ultrasonic; revive the original board Often works if board survives
Old/unencrypted device ISP / JTAG / chip-off → carve plaintext Works on the unencrypted corner
Modern encrypted phone, passcode unknown, no backup WALL. Effectively impossible
Factory-reset modern phone Crypto erase — key gone, ciphertext permanent

The two ideas that explain everything

  • AFU vs. BFU. After First Unlock = keys live in memory, data decryptable in place (until reboot). Before First Unlock = even the OS sees ciphertext. Keep a cooperative AFU phone powered and un-rebooted; a dead-battery reboot drops it to BFU and re-locks the lot.
  • The secret lives in silicon. iPhone keys depend on the UID fused in the Secure Enclave; Android keys live in the TEE/StrongBox. The NAND holds only ciphertext, and on iPhone it is paired to its SEP — so chip-off, JTAG, ISP, and EDL all return ciphertext on an encrypted device, and a NAND transplant is futile.

One artifact, two postures

A backup, an SD card, a Manifest.db, a carved JPEG — the same artifact is recovery when the owner asks for their data and forensics when it might land in court. The bytes are identical; only authority, goal, and rigor differ. Flip into the forensic posture (image, hash, chain of custody) the instant a job might become contested.

You can now…

  • ☐ Triage a mobile job by ownership, backup, device state, and encryption — and tell the success branch from the honest "no."
  • ☐ Locate and parse iTunes/Finder backups by hand, proving the SHA1(domain-relativePath) storage rule.
  • ☐ Choose the right Android path — adb/scrcpy for cooperative/live devices, chip-level only for unencrypted ones — and explain why chip-off yields ciphertext otherwise.
  • ☐ Recover photos from a portable SD card by carving, while spotting an encrypted adopted card you cannot read off-device.
  • ☐ Explain the encryption wall, crypto erase, AFU/BFU, and the Secure Enclave model to a non-technical client in plain language.

Looking ahead

Chapter 12 — Ransomware Recovery. The same honesty about limits, scaled from one locked phone to a whole locked business: the third anchor case, where the backups are stale, the shadow copies are gone, and you recover what you can from unencrypted slack and hard choices.

One sentence to carry forward: On modern phones the data is rarely deleted — it is encrypted, and the most valuable thing you can do is know exactly where the front door is and admit, plainly and kindly, when there isn't one.