Cyber Security Academy · Lesson

iOS Acquisition and Analysis

Extracting and analyzing iOS data.

iOS Security Model

iOS forensics is shaped by a tightly integrated hardware security model.

  • Secure Enclave (SEP) — isolated coprocessor holding key material; passcode attempts are rate-limited in hardware.
  • Data Protection — per-file encryption keys tied to the passcode and device UID.
  • Sandboxing — each app confined to its own container.

This means brute-forcing a passcode is throttled by the SEP, and a raw flash dump yields only ciphertext. Lawful access usually relies on the device being cooperatively unlocked or in an After First Unlock (AFU) state.

Data Protection Classes

Every file is assigned a protection class that controls when its key is available.

  • Complete — key wiped shortly after device locks (most protected).
  • Complete Until First User Authentication — key available after first unlock (the common AFU default).
  • No Protection — key always available (rare).

This is why AFU matters on iOS: files in the until-first-authentication class become readable, unlocking the bulk of user data.
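The key lifecycle described above can be modelled as a small state machine. The following is an added example, not part of the original lesson and not Apple's implementation: the `Keybag` class, the file paths and their class assignments are constructed for illustration, and the "Complete" key is assumed to be discarded at the moment of locking rather than shortly after.

```python
from enum import Enum

class ProtectionClass(Enum):
    COMPLETE = "Complete"
    UNTIL_FIRST_AUTH = "Complete Until First User Authentication"
    NONE = "No Protection"

class Keybag:
    """Toy model of which class keys are available in each device state."""
    def __init__(self):
        self.boot()

    def boot(self):
        # Fresh boot, before first unlock: only the No Protection key is usable.
        self.available = {ProtectionClass.NONE}

    def unlock(self):
        # Passcode entered: every class key becomes available.
        self.available = set(ProtectionClass)

    def lock(self):
        # Assumption: the Complete key is dropped immediately on lock.
        # The until-first-authentication key stays (this is the AFU state).
        self.available.discard(ProtectionClass.COMPLETE)

    def readable(self, inventory):
        return sorted(p for p, c in inventory.items() if c in self.available)

# Constructed inventory: paths and class assignments are illustrative only.
INVENTORY = {
    "app/health_records.db": ProtectionClass.COMPLETE,
    "app/messages.db": ProtectionClass.UNTIL_FIRST_AUTH,
    "app/photos_index.db": ProtectionClass.UNTIL_FIRST_AUTH,
    "system/boot_config.plist": ProtectionClass.NONE,
}

def replay(events, inventory=INVENTORY):
    """Replay device events; return the readable files after each one."""
    keybag, timeline = Keybag(), []
    for event in events:
        if event not in ("boot", "unlock", "lock"):
            raise ValueError(f"unknown event: {event}")
        getattr(keybag, event)()
        timeline.append((event, keybag.readable(inventory)))
    return timeline

if __name__ == "__main__":
    # boot -> unlock -> lock (AFU) -> reboot (back to before first unlock)
    for event, files in replay(["boot", "unlock", "lock", "boot"]):
        print(f"{event:<7}{len(files)}/{len(INVENTORY)} readable: {files}")
```

The final reboot in the replay shows why keeping a seized device powered matters: a restart returns it to the state where only the No Protection file is readable.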
