Well, so did I in my last post. Thanks to a friend, I can at least give you a method that a forensics provider could have used to determine the 4-6 digit pass code on that phone. It is not pretty or elegant, but it is a practical solution with the right infrastructure. We all know that the forensic image of the phone will wipe itself if you put in the wrong passcode 10 times. The first five tries can be made without delay and tries 6-10 have increasing wait times up to 60 minutes. They could just make LOTS of copies of the iPhone image and make 6 attempts on each before deleting that image and moving to the next. With enterprise class storage, connectivity, virtual machines and some scripting software it would just take time to run through the 1,000-10,000 code combinations. If you think that making copies of the large forensic image would be impractical, a 64 GB file should take roughly 93 seconds on a SATA III drive pushing 6 Gbit/s. This kind of brute force hack takes resources, time and a certain level of scripting expertise, but it only works if the phone has not deleted the encryption keys already. This method is burdensome enough to put it outside the normal proportionality/reasonableness limits in typical civil discovery. It requires either a very long time or the resources of a global service provider/governmental actor. This reinforces the need for proper mobile device termination/upgrade policies and procedures to protect sensitive data when devices leave the company.