Data Recovery from a Locked or Encrypted Phone: Screen Passcode, FBE Encryption and Forensic Unlock
The phone is physically intact but no one knows the screen passcode, or the device is fully encrypted. This is very different from a cracked screen or a water-damaged phone: the data is not lost, it is locked behind encryption. We honestly explain modern Android file-based encryption (FBE), the iPhone Secure Enclave, the limits of passcode cracking and what forensic unlock tools like Cellebrite can and cannot do, with sources.
Quick answer: Recovering data from a locked phone is a completely different problem from recovering data from a broken or water-damaged phone. The device works physically, but the screen passcode is unknown or the data is locked with hardware-based encryption. On modern phones data is decrypted not when the device powers on but when the correct passcode is entered; so even if data is read without the passcode, it is encrypted and meaningless. On Android, file-based encryption (FBE) ties the key to the user's screen lock; on iPhone, the Secure Enclave protects the key and rate-limits wrong attempts in hardware. So recovering data from a locked phone usually depends not on physical repair but on either knowing the passcode or having one of the specific device/version combinations supported by forensic unlock tools like Cellebrite. Honestly: on many current devices with a strong passcode, recovery may be impossible, and this should be said plainly.
When a phone's screen cracks or it falls in water, the problem is in the hardware and can be solved by repair; we covered this in phone won't turn on, cracked screen recovery and phone fell in water first response. A locked phone is a different world: the hardware is intact, the real obstacle is cryptography. This article addresses the "the phone works but I cannot open it" situation, how modern encryption works and the realistic expectation.
Why modern phone encryption is so strong
A decade ago, recovering data from a phone usually meant removing the chip (chip-off) and reading the raw memory. Today this has changed, because both Android and iOS encrypt all user data by default and tie the encryption key to the user's screen lock.
On Android, file-based encryption (FBE), defined in the AOSP documentation, allows different files to be encrypted with different keys, and credential-encrypted storage is decrypted only after the user unlocks the screen. So even if you power the device on, user data stays encrypted until the passcode is entered.
On iPhone, per Apple Platform Security documentation, encryption keys are protected by the Secure Enclave, a separate security chip on the mainboard. The Secure Enclave combines the passcode with the hardware identity; so even if the memory is moved to another device the key does not come out, and wrong passcode attempts are delayed at the hardware level. This makes quickly trying millions of combinations (brute force) practically impossible.
The "I read the data but it is encrypted" problem
The practical consequence of this architecture is: physically reading the memory of a locked phone (for example with chip-off) no longer works on its own, because the data obtained is encrypted. We explained what chip-off is and when it is still valuable in what is chip-off, who does it and eMMC/UFS embedded storage data recovery. On an encrypted device, removing the chip usually gives only a meaningless pile of encrypted bytes; without the key this data cannot be decrypted.
So on a locked phone the real question is not "how do I read the memory" but "how do I get the key." There are three possibilities: knowing the correct passcode, exploiting a weakness supported by the manufacturer or a forensic tool, or, if neither is available, honestly not recovering the data.
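A simplified model of the key tie-in described above, added here as an illustration and not taken from Apple's or Android's implementation: the passcode is stretched and then mixed with a device-bound secret, so a chip-off image cannot be opened on another machine even with the correct passcode. The UID values, salt, passcode, toy cipher and all function names are constructed for this example.

```python
import hashlib
import hmac

# All values below are constructed for illustration. On a real phone the hardware
# key stays inside the secure processor and cannot be read out by software.
DEVICE_UID = bytes.fromhex("a1" * 32)   # hypothetical device-bound secret
OTHER_UID = bytes.fromhex("b2" * 32)    # a different device, or an analyst's PC
SALT = b"constructed-salt"

def derive_key(passcode: str, hardware_uid: bytes) -> bytes:
    """Stretch the passcode, then entangle it with the device-bound secret."""
    stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), SALT, 10_000)
    return hmac.new(hardware_uid, stretched, hashlib.sha256).digest()

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication, both derived from one key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC standing in for the phone's storage encryption."""
    stream = _keystream(_subkey(key, b"enc"), len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), ciphertext, hashlib.sha256).digest()
    return ciphertext + tag

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong."""
    ciphertext, tag = blob[:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))

# The owner sets a passcode; user data is sealed under the derived key.
flash_image = seal(derive_key("483915", DEVICE_UID), b"photos, messages, contacts")

# Correct passcode entered on the original device: data opens.
on_device = unseal(derive_key("483915", DEVICE_UID), flash_image)
# Wrong passcode on the original device: nothing.
wrong_code = unseal(derive_key("000000", DEVICE_UID), flash_image)
# Chip-off image on other hardware: even the right passcode yields nothing.
chip_off = unseal(derive_key("483915", OTHER_UID), flash_image)
```

The third case is the one that matters for chip-off: the raw image is complete, but the key that opens it can only be computed where the hardware secret lives.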
Forensic unlock tools: what they can and cannot do
Cellebrite, GrayKey and similar mobile forensic tools offer passcode cracking or lock-bypass methods for specific device model and operating system version combinations. These are not magic: they are always limited to a specific device/version/patch level, are in a constant cat-and-mouse game with manufacturer security updates, and are usually licensed only to authorized bodies (law enforcement, forensic labs). We explained in detail what Cellebrite UFED is, its scope and its licensing situation in Turkey in what is Cellebrite UFED, mobile forensic alternatives and Cellebrite UFED Turkey institutions licensing.
The critical truth is that the list of devices these tools support constantly changes. While an old Android or a specific iOS version is supported, the latest device with a strong passcode is usually not supported. So "Cellebrite opens every phone" is not true; what they can open depends on gaps the manufacturers have not yet closed.
Realistic expectation and honesty
The most important principle in data recovery is honesty: on a current phone that is locked and encrypted with a strong passcode, recovery is often impossible. A service that tells you "we open every locked phone" is either mistaken or misleading. At DSET we first determine the device model, operating system version and patch level, and honestly say whether known methods apply to that combination. In some cases (a simple pattern lock, a known weakness, or the owner knowing the passcode) recovery is possible; in some it is not.
An important note: trying to open a device without authorization is a legal matter. Forensic examination or unlocking of a phone is done only at the request of the device owner or an authorized body (court, prosecutor), with written authorization. For the legal framework of the forensic process see the digital forensics process, KVKK and chain of custody.
What to do and not do with a locked phone
- Do not turn the device off. On modern phones, data is more deeply encrypted after a restart, until the first unlock (the before-first-unlock state); a device that is on and has been unlocked once is more amenable to some methods.
- Do not guess the passcode. Many wrong attempts can trigger delay, lockout or data wipe on some devices.
- Check backups. Even if the actual data is locked on the phone, an iCloud, Google or computer backup may be the easiest way to reach the data; see iCloud data recovery.
- Authorization and ownership. Have the examination done only at the owner's or an authorized body's request, with written permission.
- Expert assessment. Have an expert determine the device model and version and give a realistic success expectation.
Frequently Asked Questions
If you remove and read the memory of a locked phone, do you get the data? On a modern encrypted device, no; the data obtained is encrypted and cannot be decrypted without the key. Chip-off is meaningful only on old, unencrypted or weakly protected devices.
Does Cellebrite open every phone? No. The devices it can open depend on the model, OS version and patch level and constantly change; the latest devices with a strong passcode usually cannot be opened.
I know the passcode but the screen is broken, can the data be recovered? That is now a hardware problem and can usually be solved; see cracked-screen phone data recovery.
Can I have someone else's phone opened? Only at the owner's or an authorized body's (court, prosecutor) request, with written authorization. Otherwise it is unlawful.
Sources
- NIST SP 800-101 Rev 1, Guidelines on Mobile Device Forensics: https://csrc.nist.gov/pubs/sp/800/101/r1/final
- Apple Platform Security (Secure Enclave and data protection): https://support.apple.com/guide/security/welcome/web
- Android, File-Based Encryption (FBE): https://source.android.com/docs/security/features/encryption/file-based
- Cellebrite (mobile forensics): https://cellebrite.com/
For a realistic and honest assessment of your locked or encrypted device, contact DSET.