Apple iPhone Lockdown Mode Prevents FBI Forensic Extraction of Seized Journalist Device
Court filings in a US leak investigation indicate the FBI was unable to forensically extract data from Washington Post reporter Hannah Natanson’s iPhone because Apple’s Lockdown Mode was enabled. The government document states the FBI’s Computer Analysis Response Team (CART) “could not extract that device,” offering a rare, real-world data point on Lockdown Mode’s effectiveness against at least some standard law-enforcement mobile forensics workflows.
The filings also describe limited recovery from the device’s SIM card via a CART tool that produced an auto-generated HTML report containing only the phone number, and note the FBI paused further extraction attempts due to a court “Standstill Order.” The search and seizure occurred amid an investigation into government contractor Aurelio Perez-Lugones, who prosecutors believe was a source for classified information; investigators also reviewed Signal messages between Perez-Lugones and the reporter as part of the case. Apple positions Lockdown Mode (introduced in 2022 for iPhone/iPad/Mac) as a high-risk protection that reduces attack surface by restricting attachments, inbound FaceTime from unknown contacts, certain web technologies, and other features.

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Lockdown Mode prevents FBI data extraction from seized iPhone
After the seizure, the FBI was unable to extract data from the journalist's locked iPhone because Apple's Lockdown Mode was enabled. Multiple reports described the case as an example of Lockdown Mode frustrating law-enforcement forensic access.
FBI seizes Washington Post reporter's iPhone
The FBI seized a Washington Post journalist's iPhone during an investigation. The reporting identifies this seizure as the incident in which investigators later tried to access data on the device.
Apple introduces iPhone Lockdown Mode
Apple released Lockdown Mode as an optional iPhone security feature designed for people at high risk of targeted attacks, sharply restricting device functionality to reduce the attack surface. Later reporting noted the feature can also impede some forensic extraction methods against locked devices.
Sources
iPhone Lockdown Mode protects your data, even from the FBI - here's how to use it | ZDNET
zdnet.com
iPhone Lockdown Mode Protects Washington Post Reporter - Schneier on Security
schneier.com
FBI stymied by Apple's Lockdown Mode after seizing journalist's iPhone - Ars Technica
arstechnica.com


