#NSBCS.110 - Mobile Phone Forensics: The Hidden Asset in Your Legal and Investigative Toolkit

 

Mobile Phone Forensics: The Hidden Asset in Your Legal and Investigative Toolkit

In today's digital age, our smartphones contain more evidence of our daily lives than any filing cabinet ever could. Yet mobile phone forensics remains one of the most under-utilised evidence sources available to Australian businesses and legal professionals.

Our law-enforcement- and military-grade mobile phone forensics capability allows us to extract, preserve and analyse smartphone data in a forensically sound manner that stands up in Australian courts.

A phone extraction provides a comprehensive picture, including app artifacts, metadata and hidden communications that might otherwise remain undiscovered.

Common Scenarios Where Mobile Forensics Delivers Results

Scenario | Common findings
Employee Misconduct | Unauthorised file transfers, confidential data shared with competitors, screenshots of sensitive documents, after-hours conduct
IP Disputes | When documents were accessed, photographed or shared; evidence of data theft; breaches of restraint of trade
Fraud Investigations | Banking app transactions, suspicious communications, photos of altered documents, calculator history revealing unreported figures
Harassment Claims | Timeline of communications, deleted messages, context through metadata, evidence supporting or refuting claims
Employment Disputes | Proof that warnings were received, documentation of performance issues, misconduct evidence for Fair Work proceedings
Insurance Claims | Location data contradicting injury claims, photos with timestamps, social media activity, inconsistencies in reported events
Regulatory Compliance | Evidence of trading compliance, consumer protection adherence, communications relevant to compliance investigations

What Can Be Extracted

A full file system extraction recovers far more than you can see by scrolling through the phone (a logical, backup-style extraction captures only a subset of this):

Communications & Contacts

  • Active and deleted text messages, iMessages, WhatsApp, emails

  • Call logs with timestamps and duration

  • Contact lists (including recovered deleted entries)

Multimedia & Documents

  • Photos and videos with metadata (date, location, camera details)

  • Documents, notes, calendar entries

  • Voice memos and recordings

Digital Activity

  • App data from social media, banking, navigation, rideshare services

  • Web browsing history and search queries

  • Application installation and usage patterns

Location & Movement

  • GPS coordinates and frequently visited locations

  • Wi-Fi connection history

  • Movement patterns over time

Accessing Locked Devices

  • Success depends on the make, model, operating system version and patch level, and on whether the device has been unlocked at least once since it was last powered on

  • Given the sensitivity surrounding this capability, attempting to unlock a device requires a valid court order.

Our Approach: Fast, Professional, Legally Sound

Using industry-leading technology, we can extract data from the latest devices (iPhone 17, Samsung Galaxy S25) running current operating systems. When the prerequisites below are met, extractions typically complete by the next day.

What We Need From You:

  • Written consent from device owner (or court order)

  • All passcodes and credentials (PINs, passwords, pattern locks)

  • A device in working condition

Understanding the Limitations

What's Typically Recoverable:

  • Messages, emails, app communications (unless deleted long ago)

  • Photos/videos still present on device

  • Application data and usage history

  • Location history and call logs

  • Documents, notes, calendar entries

What's Difficult or Impossible:

  • Deleted photos/videos on modern devices (the per-file encryption keys are discarded on deletion, so any residual blocks cannot be decrypted)

  • Data from factory-reset devices (a reset discards the encryption keys, leaving the storage unreadable rather than merely empty)

  • Deleted iOS messages from iOS 12 onwards (unless they are still in the Messages app's Recently Deleted folder, which iOS 16 and later keeps for up to 30 days)

  • Data from devices configured to erase themselves after 10 failed passcode attempts (an opt-in setting on iOS that is also commonly enforced by MDM policies)

Best Practices for Evidence Preservation

When your matter may involve mobile evidence, consider the following:

  • Act quickly, before devices are wiped, upgraded or replaced

  • Keep devices powered on if they are already on, and keep them charged: a device that has been unlocked at least once since it booted holds its encryption keys in memory and is far easier to extract than one that has been switched off

  • Use signal-blocking (Faraday) bags to prevent remote wiping; a bagged device searches constantly for signal and drains its battery quickly, so pair the bag with a charger where possible

  • Don't browse the device yourself (it may overwrite deleted data and will alter access timestamps, both of which you may later have to explain in court)

  • Secure older devices owned by same person (passcodes often reused)

  • Obtain proper authorisation via written consent or court order

  • Engage experts early rather than attempting DIY solutions
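To make the deleted-data limitations and the "don't browse the device" advice concrete, here is a small Python experiment. It is an added illustration, not the firm's tooling and not taken from any real device: it builds a tiny messaging database in SQLite (the format iOS and Android apps actually use for their message stores), deletes one row, and then compares what a SQL query returns with what a search over the raw file bytes turns up, under three conditions: a plain delete, a delete with SQLite's secure_delete pragma enabled, and a delete followed by VACUUM. The table layout, the message text and the file name sms.db are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed sample rows standing in for a messaging app's database.
# The second message is the one that will be "deleted" from the phone.
SAMPLE_MESSAGES = [
    ("2025-11-03T08:12:00", "Meeting moved to 10am"),
    ("2025-11-03T08:15:00", "Sending the tender pricing sheet to my gmail"),
    ("2025-11-03T08:20:00", "Thanks, see you then"),
]
DELETED_BODY = SAMPLE_MESSAGES[1][1]


def build_db(path, secure_delete=False, vacuum=False):
    """Create a small messages database, then delete the middle row.

    secure_delete maps to SQLite's PRAGMA of the same name: when it is on,
    SQLite zero-fills freed space instead of merely unlinking the cell.
    vacuum rebuilds the file afterwards, as some apps do during housekeeping.
    """
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=DELETE")  # keep everything in one file
    con.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE message(id INTEGER PRIMARY KEY, ts TEXT, body TEXT)")
    con.executemany("INSERT INTO message(ts, body) VALUES (?, ?)", SAMPLE_MESSAGES)
    con.commit()
    con.execute("DELETE FROM message WHERE id = 2")
    con.commit()
    if vacuum:
        con.execute("VACUUM")  # rewrites every page; freed cells do not survive
    con.close()


def live_bodies(path):
    """What the app (or someone scrolling the phone) sees: allocated rows only."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT body FROM message ORDER BY id")]
    con.close()
    return rows


def carve_bodies(path):
    """What a full file system extraction can find: any sample body whose bytes
    still sit in the raw file, allocated or not. Real tools parse SQLite
    freeblocks and unallocated pages properly; a substring search is enough to
    show whether the data physically survives."""
    with open(path, "rb") as f:
        raw = f.read()
    return [body for _, body in SAMPLE_MESSAGES if body.encode("utf-8") in raw]


def recovery_outcome(secure_delete=False, vacuum=False):
    """Report whether the deleted message is visible live and/or carvable."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sms.db")  # constructed file name
        build_db(path, secure_delete, vacuum)
        return {
            "live": DELETED_BODY in live_bodies(path),
            "carved": DELETED_BODY in carve_bodies(path),
        }


if __name__ == "__main__":
    for label, kwargs in [("plain delete", {}),
                          ("secure_delete=ON", {"secure_delete": True}),
                          ("delete then VACUUM", {"vacuum": True})]:
        print(f"{label:>20}: {recovery_outcome(**kwargs)}")
```

With a plain delete the message leaves the app's view but its bytes remain in the page's freed space, which is exactly what full file system tools carve from; secure_delete zero-fills that space and VACUUM rewrites the whole file, and in both cases the text is gone. Real devices differ in two ways the example does not model: the database file itself is encrypted, so its key must be available (hence the value of a device that is still powered on and of having the passcode), and SQLite's -wal and -journal side files often retain pre-images of deleted rows, which is why an examiner collects them along with the main database. Every message written to the phone after a deletion may reuse the freed space, which is the reason for the advice above not to browse the device yourself.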

The Cost-Benefit Reality

A mobile forensics extraction typically costs a fraction of a single day's barrister fees, yet can:

  • Resolve matters quickly, avoiding months of uncertainty

  • Prevent unfair dismissal claims with definitive evidence

  • Prove breach of contract in commercial disputes

  • Demonstrate due diligence to regulators

  • Avoid protracted discovery and escalating legal costs

For businesses and law firms managing client costs, our streamlined consent-based extraction process delivers maximum value without unnecessary complexity.

Taking the Next Step

If you're facing an employment dispute, commercial litigation, internal investigation, or compliance matter where smartphone data could be relevant, don't let critical evidence disappear.

Contact our digital forensics team for a confidential consultation. We'll explain the process, discuss realistic outcomes for your specific circumstances, and provide transparent fee estimates with no obligation.


For urgent matters or confidential consultations, contact us directly. Our team is experienced in working with solicitors, barristers, corporate counsel, HR departments, and compliance teams across Australia.


What we read this week

  • Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group - A China-linked group known as Lotus Blossom has been tied to the recent breach of the hosting infrastructure used by Notepad++, enabling delivery of a new backdoor called Chrysalis to selected users. The attackers hijacked update traffic between June and December 2025 by exploiting weak verification checks in older Notepad++ versions, an issue fixed in version 8.8.9, released in December 2025. The attackers' access was terminated on December 2, after which Notepad++ migrated to a more secure hosting provider and rotated all credentials.

  • CISA: VMware ESXi Flaw Now Exploited in Ransomware Attacks - CISA has confirmed that ransomware groups are now exploiting CVE-2025-22225, a high-severity VMware ESXi arbitrary-write flaw that allows a sandbox escape and was originally patched as an actively exploited zero-day in March 2025. The vulnerability affects multiple VMware products, including ESXi, vSphere, Fusion, Workstation and Cloud Foundation, and can be chained with related bugs for a full VM escape by attackers who already have elevated access inside a guest. Huntress previously reported that threat actors had been abusing these flaws in zero-day attacks since early 2024. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and continues to mandate rapid patching, as VMware weaknesses remain a frequent target for ransomware operations.

  • 8-Minute Access: AI Accelerates Breach of AWS Environment - In an attack on November 28, 2025, threat actors used large language models (LLMs) together with AWS credentials exposed in public S3 buckets to gain initial access, escalate privileges and move laterally across 19 AWS principals in under 10 minutes. According to the Sysdig Threat Research Team, LLMs helped the attackers automate reconnaissance, generate code and make rapid decisions, ultimately exfiltrating data, abusing GPU resources and hijacking Amazon Bedrock models. The attack highlights both the speed that AI lends to attackers and the critical risk of leaving long-term credentials exposed.

  • React2Shell Exploitation Undergoes Significant Change in Threat Activity - A critical React Server Components flaw tracked as CVE-2025-55182 continues to see heavy exploitation, with researchers noting a sharp shift: more than half of recent attack traffic now comes from just two IP addresses. GreyNoise detected over 1.4 million exploit attempts in a week, largely targeting developer infrastructure exposed to the internet. The two dominant sources appear to be deploying cryptominers and opening reverse shells, and researchers warn that unpatched organisations should assume they have been targeted.

  • CISA Orders Federal Agencies to Patch Exploited SolarWinds Bug by Friday - A critical flaw tracked as CVE-2025-40551 (CVSS 9.8) in SolarWinds Web Help Desk (WHD) is being actively exploited, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to mandate that federal agencies patch it. The vulnerability, discovered by security researchers at Horizon3.ai, is the latest in a chain of bypasses of an earlier 2024 bug tracked as CVE-2024-28986. SolarWinds has issued fixes in WHD version 2026.1, addressing this and several related security issues, and CISA has also added the flaw to the KEV catalog.

