BFU, or before first unlock, is a method for gaining access to an otherwise inaccessible device. Guessing the password on a locked device to obtain a full file system extraction is risky and you could disable or wipe the device. Do not just guess passcodes, even using UFED and checkm8. BFU mode can be leveraged via checkra1n (refer to the blog by Mattia Epifani: https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html) or UFED. Checkm8 has some restrictions that may impact if BFU is available or not.

  •  For Checkm8 to work on iPhone 8 and iPhone X, starting with iOS 14, the passcode must be removed before starting the extraction. Thus, BFU is irrelevant.

  •  For previous models (iPhone 6, 6s and 7) a BFU extraction is possible with iOS 14 and iOS 15.

Thus, iPhone 7 and below, BFU is possible regardless of the iOS version. On iPhone 8 and iPhone X, BFU is possible up to iOS 13.

In order to obtain a BFU image using UFED, it’s pretty simple. When prompted to enter the password and you don’t know it – select Cancel and then opt to complete a BFU extraction. From there, dig through the dump for clues as to what the password may be.