UltraLocked
Crossing Lines series
Part 2 of 7

What Actually Happens When a Border Agent Searches Your Phone

The three meaningfully different things that can happen to your phone at a border crossing — manual inspection, forensic extraction, and cloud-cache exposure — and the single most important technical fact: Before First Unlock state.


The phrase "border device search" conjures a specific image: an agent scrolling through photos, looking for something incriminating. That image is not wrong, but it captures only the least sophisticated version of what can happen. The full picture is considerably more invasive, and understanding it is what separates useful preparation from security theater.

There are three meaningfully different things that can happen to your phone at a border crossing. Each has different capabilities, different legal standards attached, and different implications for what you need to do before you travel.

Level one: the manual search

A basic search, in CBP's terminology, is what most people experience when their device is examined. An officer takes the phone — usually already unlocked, because they have asked you to unlock it — and looks through it. They scroll the camera roll. They open apps. They read messages. They look at contacts.

This is unsophisticated by technical standards and limited by time. A cursory manual search might take five minutes. A thorough one might take thirty. An officer can cover a lot of ground in thirty minutes on a phone with a camera roll of thousands of photos and years of messages — but they are working at human speed, looking at what is immediately visible, and limited to what the apps show on screen.

Manual searches can still be deeply exposing. They can reveal source identities in a journalist's messages, client identities in a lawyer's email, sensitive photographs, political or religious affiliations, personal relationships. They are not harmless. But they are also not the most powerful tool available.

Level two: forensic extraction

An advanced search, again in CBP's terminology, involves connecting the device to external equipment to extract, copy, or analyze its contents. This is where forensic tools enter the picture, and where the gap between what people imagine and what is technically possible becomes significant.

CBP has publicly documented contracts with several forensic tool vendors. The primary ones are:

Cellebrite — an Israeli company that markets its UFED (Universal Forensic Extraction Device) and Cellebrite Premium products to law enforcement and border agencies worldwide. Cellebrite Premium is specifically marketed for unlocking, decrypting, and extracting data from iOS and Android devices, including devices that have a passcode the operator does not know. CBP procurement records show ongoing Cellebrite contracts.

Magnet Graykey — formerly GrayKey, made by Grayshift until that company merged with Magnet Forensics in 2023. Graykey became well known when it was reported to be able to unlock iPhones that Apple itself said were inaccessible. Magnet markets Graykey as a mobile forensic access tool for encrypted or inaccessible iOS and Android devices.

MSAB XRY — a Swedish company whose XRY product line is used by law enforcement globally. DHS Science & Technology has published test results for XRY tools. MSAB markets XRY Pro for mobile extraction and location-based evidence analysis.

Magnet AXIOM and Oxygen — additional forensic platforms capable of extracting and analyzing data from devices and backups. EPIC reported CBP has contracts with Magnet Forensics and described Oxygen as capable of backup password recovery and deleted-data recovery.

When an officer connects one of these tools to your phone, the extraction process can pull — depending on the tool, the device model, the iOS version, and the phone's state — contacts, call logs, SMS and iMessage databases, photos, videos, app databases, browser history, email cached locally, notes, files, cloud account tokens, thumbnails, deleted-file remnants, and system metadata.

In July 2025, WIRED reported that CBP issued a request for information seeking tools able to process text messages, pictures, videos, contacts, encrypted-app chats, "hidden language" in texts, specific objects in videos, and patterns across large datasets. The ambition is not limited to what is on the screen. It is the totality of what can be technically recovered.

The Washington Post reported that CBP has copied contacts, call logs, messages, and photos from travelers' phones and stored them in a searchable government database. Records in CBP's Automated Targeting System have a documented fifteen-year retention period.

The single most important technical fact: BFU state

Before we go further, there is one piece of technical knowledge that has more practical impact on your security than almost anything else in this series. It concerns the difference between two states your iPhone can be in when a forensic tool attempts to extract data.

BFU — Before First Unlock. This means the phone has been powered on, but has not been unlocked even once since it booted up. The lock screen may be displayed. The device is technically on. But the encryption keys that protect most of your data are not yet available in memory. On modern iPhones, a significant portion of data is stored under encryption that only becomes accessible after you unlock the phone for the first time after a reboot. Cellebrite's own published materials acknowledge that BFU extraction "should theoretically contain only system data" — a substantially limited dataset.

AFU — After First Unlock. This means the phone has been unlocked at least once since the last reboot and is currently just screen-locked. The encryption keys for most data are available in memory or through system services. Forensic tools operating against an AFU device can reach significantly more data, depending on the device model, iOS version, passcode strength, and current exploit availability.

The practical recommendation that follows from this is specific and actionable: power your phone completely off before you reach the inspection point. Not just lock it — power it off. When the officer asks you to turn it on, it will reboot into BFU state. If they then ask you to unlock it, the phone will move into AFU state; but between a fully-off phone and a phone that has been sitting unlocked in your pocket, the BFU window is the most protected state you can be in.

This is not a guarantee of protection. Forensic tools evolve and their capabilities are not always publicly known. But BFU vs. AFU is a real and documented distinction in extraction capability, and powering off is free.

Cloud access: the overlooked exposure

CBP's current Directive 3340-049B says officers should disable network connectivity before searching a device — put it in airplane mode — to limit the search to locally stored content and not deliberately access cloud-only data. This is an important limitation, and it is real as a policy matter.

But the practical exposure from cloud sync is not limited to what happens while the phone is connected to the network. The issue is what is cached locally.

If your phone is logged into iCloud, locally cached data may include your full photo library (depending on your iCloud Photos setting), recent emails, synced notes, Safari history, health data, calendar entries, and app data from iCloud-connected apps. If you use Google Photos, Google Drive, Dropbox, or similar services and have offline access enabled, files from those services may be on the device even without a network connection.

A forensic tool scanning your device does not distinguish between files you put there intentionally and files that arrived through automatic sync. It sees what is there.

The cloud access problem also extends to account tokens — the authentication credentials stored on your device that allow apps to connect to their corresponding accounts. Even if your email is not cached locally in a readable way, the token that allows an app to access your email account might be. Princeton University's guidance for international travelers notes that practical access to signed-in apps may expose online accounts even when the legal status of cloud-only searches is theoretically unsettled.

What forensic tools actually find

The forensic picture is not just what you can see on your phone's screen. It includes what has been deleted and not fully overwritten, what has been cached by apps even when those apps show nothing, and what the system itself has recorded about your device use.

Photos may retain EXIF metadata — GPS coordinates, timestamp, device model — unless the app that handled them stripped it. Messaging apps may retain deleted-message database entries, thumbnails, sender IDs, group membership records, and attachment names even after the messages themselves are "deleted" from the app. A forensic timeline tool can reconstruct your device activity from these artifacts in ways that the human-visible app interface does not suggest.
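As an added example (not from the article or any vendor tool), here is a small pure-Python check for the EXIF point above: it walks a JPEG's APP1 Exif block, reports which GPS IFD tags a photo still carries, and returns a copy with the Exif segment removed so you can verify your own photos before travelling. The sample JPEG is constructed inline (a stub with a made-up coordinate and no real image data) so the code runs offline.

```python
import struct

GPS_IFD_TAG = 0x8825           # IFD0 entry that points at the GPS sub-IFD
EXIF_HEADER = b"Exif\x00\x00"  # APP1 payload prefix that marks an Exif block

def _ifd_entries(tiff, offset, endian):
    """Map tag -> (type, count, raw 4-byte value/offset) for the IFD at `offset`."""
    (n,) = struct.unpack_from(endian + "H", tiff, offset)
    rows = (struct.unpack_from(endian + "HHI4s", tiff, offset + 2 + 12 * i) for i in range(n))
    return {tag: (typ, cnt, val) for tag, typ, cnt, val in rows}

def _exif_segments(jpeg):
    """Yield (start, end) of every APP1 Exif segment that precedes the scan data (SOS)."""
    pos = 2  # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)  # length covers its own 2 bytes
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == EXIF_HEADER:
            yield pos, pos + 2 + length
        pos += 2 + length

def gps_tags(jpeg):
    """Return the sorted GPS IFD tag numbers carried in the photo's Exif, [] if none."""
    for start, end in _exif_segments(jpeg):
        tiff = jpeg[start + 10:end]                    # TIFF header starts after "Exif\0\0"
        endian = "<" if tiff[:2] == b"II" else ">"     # "II" little-endian, "MM" big-endian
        (ifd0,) = struct.unpack_from(endian + "I", tiff, 4)
        ptr = _ifd_entries(tiff, ifd0, endian).get(GPS_IFD_TAG)
        if ptr is None:
            return []
        (gps_ifd,) = struct.unpack(endian + "I", ptr[2])  # LONG value = offset of GPS IFD
        return sorted(_ifd_entries(tiff, gps_ifd, endian))
    return []

def strip_exif(jpeg):
    """Return a copy with every APP1 Exif segment removed; pixel data is untouched."""
    out, keep_from = bytearray(), 0
    for start, end in _exif_segments(jpeg):
        out += jpeg[keep_from:start]
        keep_from = end
    return bytes(out + jpeg[keep_from:])

def build_sample_jpeg():
    """Constructed input: SOI, an Exif APP1 whose IFD0 links to a GPS IFD, then a stub SOS."""
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHI4s", GPS_IFD_TAG, 4, 1, struct.pack("<I", 26)) + b"\0\0\0\0"
    gps = struct.pack("<H", 2)                                                        # two GPS entries
    gps += struct.pack("<HHI4s", 0x0001, 2, 2, b"N\0\0\0")                            # GPSLatitudeRef
    gps += struct.pack("<HHI4s", 0x0002, 5, 3, struct.pack("<I", 56)) + b"\0\0\0\0"  # GPSLatitude -> 56
    lat = struct.pack("<6I", 37, 1, 46, 1, 30, 1)                                     # 37 deg 46' 30" (made up)
    tiff = b"II*\0" + struct.pack("<I", 8) + ifd0 + gps + lat                          # IFD0 at offset 8
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + EXIF_HEADER + tiff + b"\xff\xda\0\x02"
```

Real photo apps may also write XMP (a separate APP1 segment) and IPTC (APP13) metadata, which this check leaves in place; it only answers the narrower question of whether an Exif GPS block is present.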

This is not cause for panic. For most travelers, most of the time, a border agent's practical interest in the contents of your phone is limited. But "limited practical interest" is not the same as "no access" — and if your phone contains professional, legal, or personal content you care about protecting, the difference matters.

The next two parts of this series deal with what to do about it: the clean phone strategy, and what happens when an agent wants you to unlock a device that contains something you would prefer they not see.


Previously: Part 1 — Your phone is the most searchable thing you carry.

Next: Part 3 — The clean phone strategy. What it is, who actually uses it, what it costs, and what the alternatives are.