Mobile Forensics: Parsing that Pesky BFU Extraction

"Gold jacket, green jacket, who gives a shit?" - Happy Gilmore (Happy Gilmore)

We have a standing policy in our lab... process EVERY extraction... even those damned pesky BFUs.  Why?  Because Stone Cold said so!  Are you going to find the cash cow?  Probably not, but you can ride that gravy train all the way to dysfunction junction and come up with a nugget that may unlock Pandora's box.

First let's discuss what a BFU extraction is.  BFU, cold, bricked, dud, doozy, piece of monkey shit, etc. I've heard different terminology for this state of a device.  BFU stands for "Before First Unlock" and it is a term widely used across the mobile forensics community.  Barney-style it means that a phone has been powered off and that a user has not entered their passcode in the device to bring it out of it's most secure state.  This is a term used across the board for iPhones and Androids.  It means that a device is not going to give you access to the majority of the information contained within itself.  This isn't, however, the end to this story.

It feels like yesterday, because it was, that we took a BFU device and unlocked it using information from the extraction.  If you haven't yet, read my post on Commonly Used Passcodes, it's a good read and will shed some light on the access side of things.  Long story short, we took a BFU extraction, located the owners email address ( and were able to gain access to the device using 4422 as the passcode.  With the device unlocked, we obtained a full file extraction which proved fruitful for prosecution.  This won't always be the case, but had we not moved forward with the BFU extraction, we would have never come across that sliver of information used to gain entry.

BFU Extractions also offer a plethora of information in the form of user accounts for cloud-based services.  iCloud, Google Drive, Instagram, Facebook, etc., you can subpoena these services for all cloud-based and service-based information to help fill in the gaps.  Most people know about this part, and well, in certain circumstances, taking this approach is a necessary evil depending on your investigation.  

My favorite part about BFU extractions are the app data that is obtained... because not all apps are created equal in the realm of security.  App developers, not operating system developers, are in charge of app security.  Snapchat for one let's data seep through into BFU extractions, as well as some location-based apps, giving you just enough information to further any leads in your investigation.  Some apps require a passcode to be entered to access their data, other's leave the key under the mat, but some just leave the door unlocked and wide-ass open.

Does parsing a BFU suck, especially when nothing fruitful is uncovered from it? Abso-fucking-lutely, however, if we didn't parse each and every BFU that came through our lab, our success rate would be Happy Gilmore before he learned how to putt.  So don't toss those pesky BFU's in the recycle bin, because you may be throwing away information that can help you move down the fairway.

Damn you people. Go back to your shanties.