How do commercial mobile‑forensics vendors like Cellebrite and Grayshift extract data from locked iPhones, and how often do law‑enforcement agencies use them?
Executive summary
Commercial mobile-forensics vendors such as Cellebrite and Grayshift extract data from locked iPhones using a mix of logical file-system collections, exploit-based techniques that bypass or brute-force passcodes, and, according to reporting, installation of monitoring code to capture future passcode entries; law enforcement use of these tools is widespread, but the precise frequency and scope of use across agencies are not fully disclosed in available public records [1] [2] [3].
1. How extraction methods break down: logical vs. physical vs. exploit-assisted
For modern iPhones a true bit-for-bit physical image over USB, without a jailbreak, is generally not possible on devices with A5 and later chips, so vendors often rely on logical file-system extractions that pull the files and application data the operating system exposes over its backup and file-sharing services [1]. Vendors advertise additional "professional services" or exploit chains that retrieve more data by taking advantage of vulnerabilities in iOS or in device boot modes: Cellebrite promotes advanced logical file-system techniques, Checkm8-style (bootrom-level) methods, and DFU-mode workflows, while GrayKey has been described in leaks and reporting as using exploit capabilities to unlock and extract data [4] [5] [6].
2. Passcode attacks, brute‑forcing and BFU/AFU distinctions
When examiners cannot get the device owner to unlock a phone, MDFTs may attempt to brute-force the passcode. GrayKey historically claimed fast brute-forcing when a device had been unlocked at least once since its last reboot, with reported speeds of roughly tens of passcodes per second on some iOS versions; at that order of magnitude the ten thousand possible four-digit passcodes fall within minutes and the million six-digit ones within hours, whereas long alphanumeric passcodes remain impractical. Vendors also distinguish the data reachable "before first unlock" (BFU), when most per-file encryption keys have not yet been derived from the passcode after a reboot, from the richer "after first unlock" (AFU) artifacts whose keys remain in memory once the user has entered the passcode [7] [2] [3].
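To make the rate figures above concrete, here is an added worked example (not code from the original page or from any vendor) that estimates exhaustive-search time for several passcode classes at an assumed guessing rate. The 25 guesses/second figure, the passcode classes, and the optional per-guess delay are illustrative assumptions chosen to match the "tens of passcodes per second" range reported for some iOS versions; they are not measured values.

```python
"""Passcode brute-force time estimator (added example; assumptions marked)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasscodeClass:
    name: str
    alphabet_size: int   # number of distinct symbols per position
    length: int          # number of positions

    @property
    def keyspace(self) -> int:
        """Total number of candidate passcodes in this class."""
        return self.alphabet_size ** self.length


# Assumed passcode classes for illustration (not from the page).
PASSCODE_CLASSES = (
    PasscodeClass("4-digit PIN", 10, 4),
    PasscodeClass("6-digit PIN", 10, 6),
    PasscodeClass("8-char lowercase+digits", 36, 8),
)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float,
                       extra_delay_per_guess: float = 0.0) -> float:
    """Worst case: every candidate is tried once.

    guesses_per_second models the tool's raw throughput; extra_delay_per_guess
    is an assumed extra cost per attempt (for example a device-enforced delay).
    """
    if guesses_per_second <= 0 or extra_delay_per_guess < 0:
        raise ValueError("rate must be > 0 and extra delay must be >= 0")
    return keyspace / guesses_per_second + keyspace * extra_delay_per_guess


def expected_seconds(keyspace: int, guesses_per_second: float,
                     extra_delay_per_guess: float = 0.0) -> float:
    """Average case for a uniformly random passcode: half the space is searched."""
    return seconds_to_exhaust(keyspace, guesses_per_second, extra_delay_per_guess) / 2.0


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit, one decimal place."""
    for unit, size in (("y", 365.0 * 86400.0), ("d", 86400.0),
                       ("h", 3600.0), ("min", 60.0)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} s"


def estimate_table(guesses_per_second: float,
                   extra_delay_per_guess: float = 0.0) -> list:
    """Return one row per passcode class with keyspace, worst- and average-case times."""
    rows = []
    for pc in PASSCODE_CLASSES:
        worst = seconds_to_exhaust(pc.keyspace, guesses_per_second, extra_delay_per_guess)
        rows.append({
            "class": pc.name,
            "keyspace": pc.keyspace,
            "worst_seconds": worst,
            "expected_seconds": worst / 2.0,
        })
    return rows


if __name__ == "__main__":
    ASSUMED_RATE = 25.0  # guesses/second; assumption in the "tens per second" range
    print(f"Unthrottled search at {ASSUMED_RATE:g} guesses/s:")
    for row in estimate_table(ASSUMED_RATE):
        print(f"  {row['class']:<26} keyspace={row['keyspace']:<14d} "
              f"worst={human(row['worst_seconds']):>10}  "
              f"avg={human(row['expected_seconds']):>10}")
    # Same search if each attempt carried an assumed extra 1 s delay.
    print("With an assumed extra 1 s per guess:")
    for row in estimate_table(ASSUMED_RATE, extra_delay_per_guess=1.0):
        print(f"  {row['class']:<26} worst={human(row['worst_seconds']):>10}")
```

Running it shows why the BFU/AFU distinction and per-attempt throttling matter more than raw throughput: at the assumed rate a 4-digit PIN is exhausted in under seven minutes and a 6-digit PIN in about eleven hours, while an 8-character alphanumeric passcode takes thousands of years, and any enforced per-guess delay stretches the digit-only cases proportionally.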
3. Spyware‑style persistence and “HideUI” tactics
Beyond one-time extraction, some vendors market, or are reported to supply, tools that install persistent code to capture future interactions: Upturn reports that Grayshift's HideUI is software that can be placed on a phone to record subsequent passcode entries, effectively functioning as local spyware that harvests credentials over time rather than attacking them directly [2].
4. What vendors claim and how companies market capabilities
Cellebrite publicly markets UFED Premium and related products as on-premises solutions that can access a wide range of iOS devices and file systems, and states that it updates capabilities to support newer iOS versions, while Grayshift's GrayKey is sold to law enforcement and has been described in prior reporting as particularly effective on iPhones [6] [8] [9]. These claims come from vendor literature and industry coverage; independent technical audits sometimes question or narrow the limits of such claims [1] [10].
5. Defensive changes by Apple and the cat‑and‑mouse dynamic
Apple has implemented mitigations, most prominently USB Restricted Mode (which disables data transfer over the Lightning/USB port after the device has been locked for a period), alongside other hardening steps, that industry coverage says have hindered tools such as GrayKey; vendors have responded by developing new exploits and techniques, as documented in security coverage and company statements [11] [5].
6. How often law enforcement uses these tools and who buys them
Multiple reports and the Upturn survey indicate that many law enforcement agencies purchase MDFTs from several vendors (Cellebrite, Grayshift, MSAB, Magnet, AccessData, Oxygen), and single GrayKey units have been reported to cost in the tens of thousands of dollars, which is evidence of broad institutional adoption though not a precise usage rate [3] [2]. Public disclosures, isolated leaks, and vendor marketing show widespread procurement and routine use in investigations, but consolidated, up-to-date national statistics on how frequently agencies use these devices per case are not available in the cited sources [3] [5].
7. Limitations, contested claims and legal context
Technical researchers and privacy groups caution that vendor statements can overstate capabilities and that iOS version and device model materially affect success rates, so not every locked iPhone is equally accessible; Privacy International and other analysts note that some advertised "physical" extractions may be overstated and that both the method used and its success vary with hardware and software generation [1]. Courts, warrant practice, and policy debates over limits and oversight are active, but specifics of how often legal constraints apply, or what they restrict, are not fully detailed in the available reporting [1] [3].
8. Bottom line: powerful tools, important unknowns
Cellebrite, Grayshift and peer vendors supply law enforcement with a toolbox ranging from logical extraction and automated artifact analysis to exploit-assisted unlocking and even persistent credential capture; these tools are widely purchased and used by agencies, but public records and technical analyses leave gaps about exact success rates, per-case usage frequency, and the full technical details behind the most aggressive bypass methods [2] [3] [1].