iOS devices offer greater levels of encryption with each release. AES 256-bit encryption is hardware-level encryption stored between the flash memory and the system area in effaceable storage. The Apple A5–A13 chips offer the greatest amount of encryption and are the hardest to access when locked. The iOS device is encrypted with 256-bit AES encryption at the hardware level of the device. This encryption key is stored between the flash memory and system area on the iOS device. This area is referred to as "effaceable storage.”¹

Brute force attempts are no longer possible since Sept. 2013 when Secure Enclave was introduced – the exception here – GrayKey, Cellebrite Premium and CAS. They can get beyond the Secure Enclave.

The iPhone 4s, which debuted the A5 chip, featured beefed-up security, which decreased the number of commands available in the bootloader, making it more difficult to physically acquire the device. The A6–A13 chips have followed suit and have become even more secure. The iPhone 4 has an exploit (24kpwn) that was used to physically access the device and bypass a lock. In the A5, A6, and A7 chips, this exploit has been patched. This patch occurred well before the release of the iPhone 6 and the A8 chip. For the longest time, the A11 chip found in the iPhone X is extremely secure – until the checkm8 exploit was identified. Currently, there is no known exploit for the A13 chips in the iPhone 11 series devices.

iOS data encryption makes our lives even more difficult when attempting to recover files from unallocated space. When a file is created by the user, a unique encryption key is created for each file. This is referred to as the File Key. The File Key is created and controlled by the Master Key (File Protection Key), which resides in the effaceable storage on the iOS device. The Master Key can be wiped, which destroys the knowledge of the File Keys, thus encrypting all user data and rendering it unrecoverable. This prevents access to decrypting the user-created files on the iOS device. Thus, when a device wipe occurs, only the Master Key is erased. This makes wiping fast and effective.

The Class Key protects the File Key. The Class Key is stored in the metadata of the file. Finally, the device passcode and the UDID of the iOS device protect the Class Key. iOS encryption is explained in detail in Learning iOS Forensics, Second Edition.¹

Reference:

[1] Epifani and Stirparo, Learning iOS Forensics, Second Edition (Birmingham, UK: Packt, 2015).