Elcomsoft iOS Forensic Toolkit

06.07.2012

It's typically easier to get the passcode before getting the keys, although we found it odd that Get Keys was step 4 and Get Passcode was step 5.

Obtaining the passcode uses a brute-force attack (continuously entering four-digit combinations until it finds the right one; this is done at a system level, so it isn't susceptible to the 10-entry restriction that users have when physically tapping numbers into the device). It reported entering 3.2 or 3.3 p/s (which we assume means passwords per second), so it can take quite a while (it took about 15 minutes to get the passcode, which is saved in a separate text file).

Finally, you can reboot the device and use the device keys to decrypt the Disk and Keychain (to access the keys). You no longer need the iOS device to be connected at this point. This step enables you to access the files you have saved to your computer. It saves a separate user file (typically called User-Decrypted.DMG) that you can browse. If you are using a jailbroken phone, you might not have to decrypt the original User.dmg file (so it's worth checking).

In all it's by no means a simple process, but not one that is beyond somebody with a reasonable amount of computer knowledge and an ability to carefully read the instructions. There is a manual mode that enables you to do each step with a wide range of options and features, but we found the Guided Access Mode walked us fairly effortlessly through the whole process.

Once you've got everything off of the phone you end up with a viewable DMG user file that you can open and browse on a Mac like any other volume. Most files are found within the Mobile folder, which contains Applications, Library, and Media.