iOS Extraction Tip: Why Start with Recovery Mode?

May 30th, 2025 by Oleg Afonin
Category: «General», «Mobile», «Tips & Tricks»

When performing forensic tasks on Apple devices, the order in which you enter device modes can make a big difference. While DFU mode is necessary for certain extractions, especially using checkm8, going straight into DFU might not be your best option. Starting with Recovery Mode offers several advantages that make it a safer, faster approach. By entering Recovery Mode first, you reduce the risk of unexpected data changes, minimize delays, and ensure the device stays in a stable state. Let’s take a closer look at why starting with Recovery Mode is the better approach for your extraction process.

Why DFU?

DFU mode is critical for many forensic procedures, particularly those that rely on hardware-level exploits such as checkm8 or checkra1n (used for iPhone 5 to iPhone X extractions). DFU is also required when performing passcode unlocks, though this is currently supported only for the iPhone 4, 5, and 5c. You may also need DFU mode for limited “Before First Unlock” (BFU) extractions on some devices, which are useful for bypassing the device’s passcode restrictions before any data can be accessed. Additionally, DFU can be used to reset a locked phone, although keep in mind that this will trigger an iCloud lock and erase all the data on the device.

Note: starting with the iPhone 8, 8 Plus, and iPhone X, a Raspberry Pi Pico can be used to automate DFU entry, while devices with broken buttons will require disassembly.

Why Recovery?

When exploiting the bootloader vulnerability, experts often find greater success if they first switch the device to Recovery Mode before entering DFU. This process works well for most models, including devices as old as the iPhone 5 and as new as the iPhone 8.

Recovery Mode is well-documented and widely understood. In The True Meaning of iOS Recovery, DFU and SOS Modes for Mobile Forensics, we provide comprehensive instructions for getting devices into Recovery Mode. On the other hand, DFU is an undocumented mode, which makes it more challenging to execute correctly. In our DFU Mode Cheat Sheet, we’ve compiled known procedures for entering DFU, but it’s still a tricky mode to access, requiring perfect timing. If you miss the timing, the device will simply reboot instead of entering DFU.

The Risks of Rebooting

Allowing a device to reboot into the main OS can introduce several risks. Whether intentional or accidental, rebooting a device during forensic work can result in data changes that interfere with your extraction process. In an unprotected or non-isolated environment, the device might automatically reconnect to a wireless network, triggering cloud backups or data syncs that you don’t want to happen mid-extraction.

Even without an internet connection, a reboot can still create new logs or overwrite existing ones. Additionally, for apps that store data temporarily (e.g. “disappearing messages” in some messengers), a reboot could result in premature data deletion or overwriting.

This is where Recovery Mode offers a significant advantage. Recovery Mode is easier to access and much faster to initiate, reducing the risk of these unwanted changes. By starting with Recovery Mode, you ensure that the device is in a stable state, minimizing the chances of data changes during the extraction process.

Recovery Mode also provides a faster way to restart the device. This is particularly useful for devices like the Apple Watch, where a normal reboot can take much longer. If the device fails to enter DFU mode and reboots into normal mode instead, it could lead to delays and complications. Starting with Recovery Mode helps you avoid this and keeps your extraction process on track.

Finally, it may be a good idea to store the device long-term in such a way that Recovery Mode activates automatically during each boot. This can be achieved by flipping the “autoboot” flag with iOS Forensic Toolkit while in Recovery, as explained in Forensically Sound checkm8 Extraction: Repeatable, Verifiable and Safe.

Conclusion

Starting with Recovery Mode before attempting DFU is a simple yet effective step in ensuring smoother, more reliable forensic extractions. It helps minimize the risk of unexpected data changes, avoids delays, and keeps the device in a stable state. Whether you’re working with older devices using checkm8 or handling passcode unlocks, taking the time to enter Recovery Mode first can save you time and headaches down the line.


REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.
