Mobile Forensics for Litigation: What’s Actually Recoverable From a Smartphone

The Message That Won the Case

"The matter hinged on a single text message."

A family law colleague described a property settlement that turned on proving when one party knew about a particular asset. The knowledge was allegedly communicated via WhatsApp. Fourteen months earlier. The phone had been upgraded twice since then.

"Is there any way to recover it?"

The short answer was yes. The message existed in an iCloud backup that predated both phone upgrades. It took forensic extraction and analysis to find it, but it was there — complete with timestamp, read receipt, and enough metadata to authenticate it for evidentiary purposes.

Mobile forensics surprises people. The persistence of data on smartphones — and in the cloud ecosystems surrounding them — exceeds what most lawyers expect. But so does the complexity of extracting it properly.

What Modern Smartphones Actually Store

To understand mobile forensics, you need to understand just how much data a smartphone contains. Note also that what can be recovered differs between a standard iPhone backup and an encrypted one: call history is one example of data that an encrypted backup yields.

Communications
- SMS and MMS messages (including deleted)
- iMessage / RCS chat messages
- WhatsApp, Signal, Telegram, and other messaging apps
- Email (often synced from multiple accounts)
- Voicemail recordings and transcripts
- Call logs with duration, timestamps, and contact matching

Location Data
- GPS coordinates from photos (EXIF data)
- Significant locations (places frequently visited)
- WiFi connection history (which reveals locations)
- Cell tower connections (approximate location over time)
- App-specific location data (Uber trips, food delivery, check-ins)

User Activity
- Browser history and cached pages
- Search queries
- App usage patterns and screen time
- Keyboard dictionary and predictive text data
- Clipboard history
- Screenshots

Media
- Photos and videos (including deleted)
- Voice recordings
- Downloaded files
- Streaming app history

Application Data
- Banking app transaction records
- Dating app messages and matches
- Health and fitness data
- Notes and reminders
- Calendar entries

Most of this data persists even after deletion — at least for a time. And much of it is also backed up to cloud services, creating additional extraction opportunities.

The Extraction Process

Mobile forensic extraction isn't a single process. It's a hierarchy of methods, each with different capabilities and limitations.

Logical Extraction

The most straightforward method. We create a backup of the device (like an iTunes or Android backup) and analyse its contents. This captures most user data, including messages, contacts, photos, and app data.

Limitations: Only extracts data the backup process is designed to capture. Deleted data is typically not recovered. Requires the device passcode or user cooperation.

Advanced Logical / File System Extraction

Goes deeper than standard backups by accessing the device's file system directly. This can recover some deleted data, database files, and system artifacts not included in regular backups.

Limitations: Requires the device to be unlocked. Some encryption may limit access. Varies significantly by device model and OS version.

Physical Extraction

Creates a bit-for-bit copy of the device's storage — similar to forensic imaging of a computer hard drive. This captures everything, including deleted data that hasn't been overwritten.

Limitations: Increasingly difficult on modern devices due to hardware encryption. May require exploiting security vulnerabilities. Not possible on all device/OS combinations.

Cloud Extraction

Extracts data from cloud services (iCloud, Google Account) rather than the device itself. Often captures historical data, including from previous devices.

Limitations: Requires account credentials or legal process to the provider. Two-factor authentication complicates access. Some data may not sync to cloud.

Chip-Off and Advanced Techniques

For damaged devices or cases requiring maximum recovery, physical removal and direct reading of memory chips is sometimes possible.

Limitations: Expensive, time-consuming, and may damage the device. Only used for high-value cases.

What "Deleted" Actually Means

This is where mobile forensics gets interesting.

When you delete a message or photo on a smartphone, several things happen — and several things don't.

What typically happens:
- The item disappears from the user interface
- The database record may be marked as deleted
- The item may move to a "recently deleted" folder

What typically doesn't happen:
- The underlying data is not immediately overwritten
- The database record is not purged; it often persists in the file's free space
- Cloud backups are not cleared; they retain the data until overwritten
- Cached copies are not removed and may remain in multiple locations

The result: deleted data is often recoverable, but the window varies.

On a heavily used iPhone with limited storage, deleted data may be overwritten within days. On a phone with plenty of free space and infrequent use, deleted messages from years ago may still be present.

This is why timing matters. The longer you wait to extract, the more deleted data gets permanently overwritten.
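The following is an added illustration of the two claims above (a deleted record persists in the database file's free space, and the recovery window later closes); it is not code from the original article or from Cyooda Security. It builds a constructed chat-style SQLite table (the table name, senders and message bodies are invented), deletes one row the way an app would, carves the raw file for printable text that no live record accounts for, and then shows that a VACUUM, which rebuilds the file from live rows only, removes the deleted text. The `secure_delete` pragma is pinned OFF because that is the common build default, though some distributions compile it ON.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample: a chat-style table like the ones messaging apps keep.
# Table name, senders, bodies and timestamps are invented for this demo.
SCHEMA = "CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT, ts INTEGER)"
SAMPLE_ROWS = [
    (1, "alice", "Meeting moved to 3pm, bring the settlement draft", 1700000000),
    (2, "carol", "FYI the trust account was opened last March", 1700000600),
    (3, "alice", "Thanks, see you then", 1700001200),
]
DELETED_ID = 2  # the row the "user" deletes


def build_sample_db(path):
    """Create the sample database, then delete one row the way an app would."""
    conn = sqlite3.connect(path)
    # Most SQLite builds default to secure_delete=OFF (freed bytes are not zeroed);
    # some distributions compile it ON, so pin the common behaviour for the demo.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.execute("DELETE FROM messages WHERE id = ?", (DELETED_ID,))
    conn.commit()
    conn.close()


def live_text_values(path):
    """Text an ordinary query (or the app's own UI) still shows."""
    conn = sqlite3.connect(path)
    try:
        bodies = {row[0] for row in conn.execute("SELECT body FROM messages")}
        meta = set()
        for name, sql in conn.execute("SELECT name, sql FROM sqlite_master"):
            meta.update(v for v in (name, sql) if v)
    finally:
        conn.close()
    return bodies, meta


def carve_candidates(path, min_len=16):
    """Scan the raw file for printable runs that no live record accounts for.

    Deleted cells stay in the page's free space until that space is reused
    (or the file is vacuumed), so their text is still carvable.
    """
    with open(path, "rb") as fh:
        raw = fh.read()
    bodies, meta = live_text_values(path)
    known = bodies | meta | {"SQLite format 3"}
    candidates = []
    for run in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, raw):
        text = run.decode("ascii")
        # Adjacent columns are stored back to back, so a run may span a sender
        # and a body; treat a run as live if it contains or sits inside a live value.
        if any(k in text or text in k for k in known):
            continue
        candidates.append(text)
    return candidates


def deleted_body_recoverable(path):
    """True if the deleted row's text can still be carved from the file."""
    target = SAMPLE_ROWS[DELETED_ID - 1][2]
    return any(target in c for c in carve_candidates(path))


def vacuum(path):
    """Rebuild the file from live rows only: this closes the recovery window."""
    conn = sqlite3.connect(path)
    conn.execute("VACUUM")
    conn.close()


def demo():
    """Returns (recoverable_before_vacuum, recoverable_after_vacuum)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "chat.db")
        build_sample_db(path)
        before = deleted_body_recoverable(path)
        vacuum(path)
        after = deleted_body_recoverable(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("deleted message carvable before VACUUM:", before)
    print("deleted message carvable after  VACUUM:", after)
```

On a real extraction the analyst does not know the deleted text in advance, so the carving step is the part that matters: every printable run the live schema and rows cannot explain is a candidate, and it is then matched against surrounding structure (record headers, timestamps) to reconstruct the row. A VACUUM, a storage-pressure page reuse, or a secure-delete build all end that possibility, which is the concrete reason the article tells you to extract early.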

The WhatsApp Question

"But WhatsApp is end-to-end encrypted — you can't get those messages, right?"

This is a common misconception.

End-to-end encryption protects messages in transit. It prevents interception between sender and recipient. It does not prevent forensic extraction from the devices at either end.

When we extract a phone with WhatsApp installed, we can typically recover:

- Complete message history (including deleted messages in many cases)
- Media files (photos, videos, voice notes)
- Contact information and group membership
- Message timestamps and read receipts
- Call logs

The same applies to Signal, Telegram, and other encrypted messaging apps. The encryption protects the communication channel, not the device storage.

Cloud backups add another dimension. WhatsApp offers iCloud and Google Drive backup options. These backups are not end-to-end encrypted by default (though WhatsApp now offers an encrypted backup option). If the user has cloud backup enabled without encryption, their complete message history may be accessible through cloud extraction.

Chain of Custody and Admissibility

For evidence to be admissible, you need to demonstrate it wasn't altered between extraction and presentation.

This is where professional mobile forensics differs from someone simply scrolling through a phone and taking screenshots.

Forensic extraction establishes:

- When the extraction occurred
- What tools and methods were used
- Hash values (digital fingerprints) proving data integrity
- Documented chain of custody from extraction to analysis

Screenshots don't establish:
- Whether the device was the original source
- Whether messages were altered or fabricated
- The complete context (what came before and after)
- Technical metadata supporting authenticity

Courts are increasingly sophisticated about digital evidence. Opposing counsel can and will challenge evidence that lacks proper forensic foundation. If mobile evidence becomes central to your matter, you may need expert witness testimony to explain the extraction methodology and authenticate findings.

Timing Matters More Than You Think

Mobile forensics has windows that close.

Device-level windows:
- Deleted data gets overwritten as new data is created
- iOS "recently deleted" albums empty after 30 days
- App caches clear periodically
- Factory reset significantly reduces recovery potential

Cloud-level windows:
- iCloud backups overwrite previous versions
- Google Photos trash empties after 60 days
- Cloud service retention policies vary
- Account deletion removes cloud data

Legal process windows:
- Preservation letters don't stop automatic deletion processes
- Device replacement destroys access to old device data
- International data requests take months

The practical implication: if you think mobile evidence might be relevant, extract early. Waiting until discovery to think about mobile devices often means the evidence is degraded or gone.

When to Consider Mobile Forensics

Mobile forensics isn't appropriate for every matter. It's a specialised process with associated costs. But it should be considered when:

Employment Disputes
- Alleged misuse of confidential information
- Harassment or bullying claims
- Proof of communications outside work systems
- Timeline of events and knowledge

Commercial Litigation
- Breach of contract (what was communicated, when)
- Fraud allegations (location data, financial app activity)
- Partnership disputes (informal agreements via message)

Family Law
- Asset disclosure (banking apps, crypto wallets)
- Parenting matters (location, communications)
- Domestic violence (threatening messages, location tracking)

Regulatory Investigations
- Compliance with record-keeping requirements
- Proof of knowledge or intent
- Timeline reconstruction

Criminal Defence
- Alibi evidence (location data)
- Exculpatory communications
- Challenging prosecution evidence

Working With Forensic Experts

Effective mobile forensics requires collaboration between legal teams and forensic experts.

Before extraction:
- Identify custodians and devices early
- Issue preservation notices immediately
- Determine extraction scope (full device vs. specific data)
- Consider privilege and irrelevant personal data
- Obtain proper authorisation (consent, court order, etc.)

During extraction:
- Maintain chain of custody documentation
- Use write-blocking and forensic tools
- Create verification hashes
- Document any access limitations
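The "hash values (digital fingerprints) proving data integrity" point in the admissibility section and the "create verification hashes" step above come down to the same routine. Here is an added, self-contained example of it, not Cyooda Security's tooling and not a real extraction: it hashes every file under an extraction directory into a manifest that also records examiner, tool, case reference and acquisition time, and then re-verifies the directory so that any file altered, removed or added since acquisition is reported. The directory contents, the manifest layout, and the examiner, tool and case values are all constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large extraction images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, examiner, tool, case_ref):
    """Record a hash and size for every file under root, plus who/what/when."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return {
        "case_ref": case_ref,            # placeholder values in this demo
        "examiner": examiner,
        "tool": tool,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "algorithm": "sha256",
        "files": files,
    }


def verify_manifest(root, manifest):
    """Re-hash the directory and report any drift since the manifest was made."""
    recorded = manifest["files"]
    current = build_manifest(root, manifest["examiner"], manifest["tool"],
                             manifest["case_ref"])["files"]
    return {
        "modified": sorted(p for p in recorded
                           if p in current and current[p]["sha256"] != recorded[p]["sha256"]),
        "missing": sorted(p for p in recorded if p not in current),
        "unexpected": sorted(p for p in current if p not in recorded),
    }


def intact(report):
    """True when nothing changed between acquisition and verification."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


def demo():
    """Constructed extraction: hash it, then alter one file and re-verify.

    Returns (clean_report, tampered_report)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "WhatsApp"))
        with open(os.path.join(root, "WhatsApp", "ChatStorage.sqlite"), "wb") as fh:
            fh.write(b"constructed placeholder for a chat database\n")
        with open(os.path.join(root, "sms.db"), "wb") as fh:
            fh.write(b"constructed placeholder for the SMS database\n")

        manifest = build_manifest(root, "Examiner A", "example-tool 1.0", "CASE-PLACEHOLDER")
        stored = json.dumps(manifest, indent=2, sort_keys=True)  # kept with the evidence
        clean = verify_manifest(root, json.loads(stored))

        # Something changes one file after acquisition (a "tidied" record, say).
        with open(os.path.join(root, "sms.db"), "ab") as fh:
            fh.write(b"edited\n")
        tampered = verify_manifest(root, json.loads(stored))
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("intact at acquisition:", intact(clean))
    print("after alteration:", tampered)
```

The manifest is only as good as its own custody: store it (and its own hash) separately from the extraction, and record who generated it and when, so that the verification report, rather than an examiner's memory, is what answers a cross-examination question about whether the data changed.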

After extraction:
- Targeted analysis (not fishing expeditions)
- Proper handling of privileged material
- Expert reports suitable for evidentiary purposes
- Secure storage of extracted data

The Bottom Line

Mobile phones are often the most valuable source of evidence in modern litigation. They contain communications, location data, financial records, and user activity that no other source captures.

But mobile evidence is also fragile, time-sensitive, and technically complex to extract properly.

The firms that get mobile forensics right start early, engage specialists, and treat mobile devices with the same evidentiary seriousness as documents and emails.

The firms that get it wrong wait too long, rely on screenshots, and discover in cross-examination that their evidence lacks foundation.

If you're dealing with a matter where mobile evidence might be relevant, or you want to discuss mobile forensics capability for your practice, schedule a discussion or call us on 02 7230 1350.

John Reeman - Virtual CISO


I'm the CEO and Founder of Cyooda Security, an independent cybersecurity and digital forensics advisory consultancy based in Sydney. I am the former CISO of King & Wood Mallesons, a global law firm, with 30 years of cybersecurity leadership protecting organisations and government agencies from data breaches, ransomware, and cyber espionage.