Digital Forensics FAQ: 30 Plain-English Answers for 2026

1. Can you recover deleted text messages from an iPhone in 2026?

It depends on three variables: how recently the message was deleted, whether iCloud Backup or iCloud Messages was enabled at the time, and which iOS version the phone is running. On iOS 26, deleted iMessages and SMS first move to the Messages “Recently Deleted” folder for 30 days. During that window everything is recoverable through standard logical acquisition. After 30 days Apple permanently purges the records and the underlying SQLite database runs compaction routines that overwrite the free-list pages. On modern A15 and newer chipsets, low-level carving of overwritten APFS blocks is impractical because each file is encrypted with a key the OS destroys at delete time. The realistic recovery paths after the 30-day window are an iCloud Backup made before deletion, a paired Mac or computer backup, or the corresponding messages from the other party’s device.

Sources: Apple Platform Security Guide (2025); DFIR Review, “Alternate Location for Deleted SMS/iMessage Data” (2022).

2. What is iOS 26 Recently Deleted and why does it matter for forensics?

iOS 26 keeps deleted Photos and Messages in a Recently Deleted folder for 30 days before automatic permanent purge. Forensic examiners can recover everything in that folder via standard logical acquisition. Once the 30-day timer expires, modern Apple Silicon devices run APFS compaction and key destruction, so direct device recovery generally fails. The clock starts the moment the user first taps Delete inside the app, not when the phone is seized, so a device delivered to an examiner 35 days after a deletion is functionally past the window.

Source: Apple Platform Security Guide.

3. Can deleted iPhone messages be recovered after the 30-day purge?

Directly off the device, generally no on iPhone 13 and newer running iOS 17 or later. The combination of APFS copy-on-write, the SQLite VACUUM and WAL checkpoint cycle, and hardware-enforced per-file key destruction means free-list pages are normally overwritten or unreadable. The remaining lawful recovery paths are an iCloud Backup created before the deletion, a paired computer or Mac backup made before deletion, the corresponding messages on the other party’s phone, and carrier metadata (which proves a message existed but never contains content for iMessage). For carrier SMS, AT&T does not store content at all, Verizon keeps content only 3 to 5 days, and T-Mobile generally does not store it after delivery.

Sources: Apple Platform Security Guide; POTs and PANs “Telco Rules for Subpoenas” (Oct 2025).

4. What is the difference between BFU and AFU on an iPhone?

BFU means “Before First Unlock”: the device has rebooted and has not yet been unlocked once with the passcode. In BFU, only Class D protected data is reachable, so contacts, messages, photos, and most app data are encrypted and unavailable. AFU means “After First Unlock”: the user has unlocked at least once since boot, so Class B and Class C keys are loaded into the Secure Enclave and most user data is reachable to an authorized examiner. iOS 18 added an inactivity-reboot feature that returns an idle phone to BFU after roughly 72 hours, a behavior law enforcement labs documented in November 2024. The practical consequence: time matters, and a seized phone left to sit can lock itself back down.

Sources: Apple Platform Security Guide; SecurityAffairs (Nov 8, 2024).

5. Does iCloud Advanced Data Protection block forensic recovery?

Advanced Data Protection (ADP) makes most iCloud categories end-to-end encrypted, including iCloud Backup, iCloud Drive, Photos, Notes, Reminders, Safari, and Wallet. When ADP is on, Apple does not hold the encryption keys and cannot produce plaintext content in response to any legal process, including a search warrant. Without ADP, Apple can still produce iCloud Backup contents (which include synced Messages when iCloud Messages is enabled) under a valid warrant. ADP is opt-in and remains available to U.S. users as of 2026; Apple withdrew the feature for new UK users in February 2025 after a UK government order.

Sources: Apple Legal Process Guidelines U.S. (Oct 2025); TechCrunch (Feb 21, 2025).

6. What is included in an iCloud Backup in 2026?

A standard iCloud Backup includes device settings, app data, Camera Roll photos and videos, iMessage and SMS/MMS when iCloud Messages is enabled, call history, voicemail, HomeKit configuration, and most third-party app data unless the developer opted out. It does not include data already separately synced to iCloud (Contacts, Calendars, Notes, iCloud Drive, iCloud Photos when those services are on), Apple Pay card numbers, or Face ID and Touch ID biometric data. With ADP enabled, the entire backup is end-to-end encrypted and unavailable to Apple.

Source: Apple Platform Security Guide – iCloud Backup Security.

7. Does iOS 26 keep deleted photos longer than 30 days?

No. Photos deleted in iOS 26 move to the Photos Recently Deleted album for exactly 30 days, then are permanently removed. If the user manually empties Recently Deleted, the 30-day window collapses immediately. After permanent deletion on Apple Silicon devices, the per-file encryption keys are destroyed and the underlying APFS blocks are eligible for reuse, which is why we tell clients to preserve and not browse the photo library if a deletion is in question.

Source: Apple Platform Security Guide.

8. Can a forensic examiner break the passcode on a current iPhone?

Not in any reliable, general way on modern hardware. iPhone 13 and newer use the A15 or later Secure Enclave Processor, which enforces an exponentially increasing delay between passcode attempts and is hardware-bound. The publicly demonstrated checkm8-class boot ROM exploit applies only to A11 and earlier devices. For current devices, the practical path is consent, a lawful unlock by the device owner, an AFU acquisition while the device is still live, or escalating to an advanced mobile acquisition platform whose capabilities are not guaranteed and degrade with each iOS release.

Source: Apple Platform Security Guide; published forensic research (Sept 2025).

9. Can deleted text messages be recovered from an Android phone?

Sometimes. On current Android 16 devices, all standard messaging apps store data in Credential-Encrypted (CE) storage that is only readable after the user enters the lock screen credential. With a lawful unlock and recent enough deletion, a logical or advanced logical acquisition often recovers SMS, RCS, and chat-app messages from local SQLite databases, WAL files, and shared preferences. Older messages may also be recoverable from Google account data through Google Takeout (with the account holder’s credentials) or through legal process to Google, depending on what the user had synced.

Sources: Android Open Source Project – File-Based Encryption; Google Workspace data retention docs.

10. What is the difference between Device-Encrypted and Credential-Encrypted storage on Android?

Android uses File-Based Encryption with two domains. Device-Encrypted (DE) storage is available immediately after boot, before any user authentication, and supports Direct Boot features such as alarms and accessibility settings. Credential-Encrypted (CE) storage is unlocked only after the user enters the PIN, password, or biometric. The bulk of user data, including messages, photos, and app databases, lives in CE storage and is unreadable without that credential. This is the Android counterpart to the iOS BFU/AFU model.

Source: Android Open Source Project – File-Based Encryption.

11. Can examiners do a full file system extraction on a locked Pixel 9 or Galaxy S25 in 2026?

Not reliably. Locked, stock-firmware Pixel 9 and Galaxy S25 devices running Android 16 present hardware-backed encryption that is broadly comparable to a locked iPhone. Bootloader unlocking on these devices triggers a data wipe. Some Android devices remain extractable in narrow scenarios (older Android versions, vendor-specific exploits, developer-mode devices, or unlocked devices with consent). For practical investigation planning, assume that a locked current-flagship Android requires either consent, lawful unlock, or a specialized vendor pathway, and budget accordingly.

Source: Digital Forensics IT, “Exploring Data Extraction from iOS and Android” (Sept 2025).

12. How long does Google keep deleted account data?

Google’s published policy is that deleted content is removed from production systems within roughly 60 days, with some backups retained for additional time before final destruction. For active accounts, Workspace audit logs (Admin, Drive, Gmail, Meet, Chat) are kept for about 180 days and administrators cannot shorten that window. For incident response, treat 180 days as the working preservation budget for Workspace events and act fast.

Source: Google Workspace Help – Data Retention and Lag Times.

13. Can law enforcement read your Signal messages?

Signal does not keep server-side message content, so a subpoena or warrant served on Signal produces almost nothing of substance (typically the date the account was created and the date of last connection). Signal messages can still be reached forensically through the endpoint devices themselves when those devices are in AFU state and lawfully accessed. There is also a documented operating-system side channel: iOS notification databases sometimes retain Signal disappearing-message previews even after the message has self-deleted in Signal. That is an iOS artifact, not a Signal protocol flaw.

Sources: Signal subpoena responses; RedSecLabs case study (2025); HKA published analysis (2025).

14. Are WhatsApp messages recoverable from iCloud or Google Drive?

It depends on whether the user enabled WhatsApp End-to-End Encrypted Backup. If E2E Backup is off, the iCloud or Google Drive backup contains a WhatsApp database file that can be acquired with the right legal process and a decryption key tied to the user’s account; this is a common evidence path in family-law and white-collar cases. If E2E Backup is on, the backup is encrypted with a key held only by the user (or stored in WhatsApp’s hardware security module under a user passphrase), and neither Apple, Google, nor Meta can produce plaintext.

Source: WhatsApp E2E Backup Security Whitepaper.

15. Does Telegram cooperate with law enforcement in 2026?

Yes, substantially more than it used to. Following the September 2024 policy change after the arrest of CEO Pavel Durov, Telegram updated its privacy policy to cooperate with valid legal requests for any criminal matter, not just terrorism. In calendar year 2024 Telegram disclosed phone numbers and IP addresses for 2,253 U.S. users in response to 900 U.S. law enforcement requests. Standard cloud chats are not end-to-end encrypted and can be produced server side under a sufficient legal order. “Secret chats” remain end-to-end encrypted and device-bound and are not retrievable from the server.

Source: Andrea Fortuna, “Telegram Forensics” (May 2026).

16. How long do U.S. cell carriers keep call detail records and text messages?

Retention varies by carrier and category. Federal regulation (47 C.F.R. §42.6) requires a minimum 18-month retention of toll records. In practice AT&T retains call detail metadata for approximately seven years; Verizon retains call metadata for roughly one to seven years depending on the data type; T-Mobile retains call metadata for about two years. Text message content is generally not retained by AT&T, kept by Verizon for only about 3 to 5 days, and generally not retained by T-Mobile after delivery. Tower and per-call location data retention is shorter and varies by carrier and network generation.

Source: AT&T Transparency Report (Feb 2026); Verizon 1H 2024 Transparency Report; POTs and PANs (Oct 2025).

17. Do cell carriers keep the actual content of text messages?

For traditional SMS and MMS, the practical answer is mostly no. AT&T has publicly stated it does not store text content. Verizon retains text content for only about 3 to 5 days after delivery. T-Mobile generally does not retain text content after delivery. For RCS messages (the modern protocol that iOS 18 adopted), the content does not pass through the carrier’s SMS center at all and is not retained by the carrier. iMessage content never touches the carrier because it travels over Apple’s encrypted infrastructure.

Source: POTs and PANs (Oct 2025); AT&T Transparency Report.

18. What is cell-site location information and when is a warrant required?

Cell-Site Location Information (CSLI) is the historical record of which cell towers a phone connected to over time. The U.S. Supreme Court in Carpenter v. United States, 585 U.S. 296 (2018), held that the government must generally obtain a search warrant supported by probable cause to access seven days or more of historical CSLI. Real-time precision location and detailed tower triangulation data (NELOS, PCMD, RTT) are treated under the same Fourth Amendment framework in most jurisdictions.

Source: Carpenter v. United States, 585 U.S. 296 (2018).

19. How long does an audit log live in Microsoft 365 by default?

For tenants on Purview Audit Standard (the default included with most M365 and O365 subscriptions), the Unified Audit Log retains events for 180 days for events generated on or after October 17, 2023. Events from before that date may still be at the prior 90-day limit. Purview Audit Premium (included with E5) extends retention for Exchange, SharePoint, OneDrive, and Entra ID activity to one year by default, and an add-on SKU can extend retention up to ten years.

Source: Microsoft Learn – Purview Audit Solutions.

20. How long does Google Workspace keep admin and Drive audit logs?

Most Google Workspace log event types (Admin, Drive, Gmail, Meet, Chat) are retained for approximately 180 days. Administrators cannot delete log data or shorten the retention period. Some token, OAuth, and Takeout job logs follow shorter or different windows. The practical takeaway: a 180-day preservation request is the working minimum for any suspected Workspace incident.

Source: Google Workspace Help – Data Retention and Lag Times.

21. How long does AWS CloudTrail keep events by default?

AWS CloudTrail Event History keeps management events for the past 90 days per Region in every account, by default. To preserve events beyond 90 days, an organization must configure a Trail that delivers events to an S3 bucket (where retention is governed by lifecycle policy) or to a comparable log lake. For active incident response, assume nothing beyond 90 days exists unless a Trail was already configured.

Source: AWS CloudTrail documentation.

22. Can police search my phone without a warrant?

In nearly all situations involving an arrest, no. The U.S. Supreme Court held unanimously in Riley v. California, 573 U.S. 373 (2014), that officers must get a warrant before searching the digital contents of a cell phone seized incident to arrest. Limited exceptions exist for some border searches of devices (subject to ongoing circuit splits), genuine consent, and true emergencies, but the default rule is warrant-required.

Source: Riley v. California, 573 U.S. 373 (2014).

23. What is FRE 902(14) and why does it matter to forensic reports?

Federal Rule of Evidence 902(14), effective December 1, 2017, allows a record copied from an electronic device or storage medium to be self-authenticated by a written certification that the copy was produced by a process of digital identification (typically hash verification) and that the process is accurate. Combined with FRE 902(13) for system-generated records, properly certified forensic extracts and cloud exports can be admitted at trial without the examiner taking the witness stand, provided the opposing party received the required advance notice.

Source: Federal Judicial Center – 2017 FRE amendments.

24. How are digital records authenticated in Florida courts?

Florida courts apply a three-section framework. Fla. Stat. §90.901 sets the basic authentication requirement: evidence sufficient to support a finding that the matter is what its proponent claims. Fla. Stat. §90.902 lists categories of self-authenticating evidence, including certified copies of public records and certain certified business records. Fla. Stat. §90.803(6) is the business records exception to hearsay, the doctrine that admits carrier records, cloud platform records, server logs, and similar regularly kept digital data through a custodian or qualified witness.

Source: Florida Statutes §§90.901, 90.902, 90.803(6).

25. How much does digital forensics cost?

For typical consumer and family-law matters, our Standard engagements run $2,000 to $3,000, covering one device with logical acquisition, examiner analysis, and a written report. Enhanced engagements involving multiple devices or cloud accounts run $3,000 to $4,000. Premium engagements involving expert witness work, contested civil or criminal litigation, complex multi-cloud incident response, or trial testimony begin at $4,500 and scale with scope. Pricing is fixed-fee whenever practical so the client sees one number, not an hourly meter.

26. How long does a digital forensics investigation take?

A single-device consumer engagement typically takes 7 to 14 calendar days from device receipt to delivered report. Multi-device or cloud-included matters typically take 2 to 4 weeks. Expert witness engagements with depositions and trial schedules run on the case’s litigation calendar, often months. True emergency intake (active threat to safety, time-sensitive court deadline, ongoing breach) can be triaged within 24 to 72 hours.

27. How big is cybercrime in 2024 and 2025?

Per the FBI Internet Crime Complaint Center 2024 Annual Report (published April 23, 2025), Americans reported $16.6 billion in cybercrime losses across 859,532 complaints, a 33 percent year-over-year increase and a new record. Investment fraud led at $6.57 billion, Business Email Compromise was $2.77 billion, and tech-support fraud was $1.46 billion. Americans 60 and older alone reported $4.8 billion in losses across 147,127 complaints.

Source: FBI IC3 2024 Annual Report (Apr 23, 2025).

28. What was the average cost of a data breach in 2025?

Per the IBM Cost of a Data Breach Report 2025 (published July 30, 2025), the global average cost of a data breach was $4.44 million, the first decline in five years. The United States average rose to a new record of $10.22 million. The global mean time to identify plus contain a breach was 241 days. Healthcare was the costliest sector at $7.42 million average and the longest lifecycle at 279 days. Organizations that used AI and automation in security operations saved on average $1.9 million per incident.

Source: IBM Cost of a Data Breach Report 2025.

29. How big is the financial sextortion problem in 2026?

NCMEC’s CyberTipline received approximately 100 financial sextortion reports per day in 2024, the same year the FBI IC3 logged 86,415 extortion complaints with $143.2 million in losses. NCMEC has confirmed at least 36 teen suicides connected to sextortion victimization since 2021. CyberTipline reports involving generative AI content rose 1,325 percent in 2024. In September 2025, FinCEN issued a formal notice to U.S. financial institutions on disrupting financial sextortion payment flows.

Source: NCMEC 2024 in Numbers (May 8, 2025); FBI IC3 2024; FinCEN Notice (Sept 8, 2025).

30. Do I need to preserve evidence before calling a forensic examiner?

Yes. The single most important first step is to stop using the device or account in question. Do not delete anything, do not run cleanup tools, do not factory reset, and do not let an opposing party have unsupervised access. If the matter is heading toward litigation, your counsel should issue a written litigation hold. The next step is a forensically sound acquisition by a qualified examiner; from that point forward all analysis happens on the working copy and the original is sealed.