When an iPhone becomes central to a legal matter such as employment dispute, family law, commercial litigation, clients often ask the same question: what can actually be recovered?
The answer depends on the device, how it's been used since the relevant events, and the extraction method available. But in many cases, significantly more can be recovered than people expect.
What Standard Phone Access Shows vs Forensic Extraction
Looking at a phone normally shows you current content—messages visible in the app, photos in the camera roll, recent calls.
Forensic extraction goes deeper. It accesses the underlying databases where iOS stores information, including data that's been deleted from the user interface but remains on the device.
Think of it like this: deleting a message removes it from view, but the underlying data often persists until iOS needs that storage space for something else. Forensic tools can surface that hidden data.
Categories of Recoverable Data
Messages and Communications
Forensic extraction can recover:
- iMessages and SMS texts, including many deleted conversations
- WhatsApp messages, even after deletion from the app
- Signal messages (with limitations depending on settings)
- Telegram, Facebook Messenger, and other chat apps
- Email content and attachments
- Voicemail recordings
Recovery success varies. Messages deleted recently have higher recovery rates than those deleted months ago. Some apps with strong encryption—like Signal with disappearing messages enabled—are more resistant to recovery.
Location Evidence
iPhones continuously log location data that users rarely see:
- Significant locations (places the phone has detected you visit regularly)
- GPS coordinates embedded in photos and videos
- Wi-Fi connection history (which networks the device has connected to, and when)
- Cell tower connections
- Bluetooth device pairings with timestamps
This data can establish where a device was at specific times—valuable in matters where movements are disputed.
App Activity and Usage
Beyond message content, forensic analysis can reveal:
- When apps were installed, opened, and used
- Search history within apps
- Browser history and deleted browsing data
- Notes, including deleted notes
- Calendar entries
- Health and fitness data
- Screen time and usage patterns
Photos and Media
The camera roll shows current photos. Forensic extraction can also recover:
- Deleted photos (iOS retains these in a hidden database)
- Metadata showing when and where each photo was taken
- Edit history on modified images
- Screenshots
- Downloaded media from apps
Financial and Business Data
Depending on what apps are installed:
- Banking app activity
- Payment records
- Cryptocurrency wallet data
- Business communications
- Document access history
Factors That Affect Recovery
Time Since Deletion
The sooner a device is forensically imaged after relevant events, the better. iOS eventually overwrites deleted data when storage space is needed. A phone examined within days of deletion has better recovery prospects than one examined months later.
Device Model and iOS Version
Newer iPhones have stronger encryption. Older devices (iPhone 6, 7, 8) often allow more complete extraction than recent models. iOS updates can also affect what's accessible.
This doesn't mean newer phones can't be examined, but the extraction methods and recovery rates may differ.
How the Phone Has Been Used
A phone that's been factory reset and restored presents different challenges than one that's simply had messages deleted. Heavy use after the relevant period can overwrite deleted data.
Passcode and Security Settings
Access to the device matters. A phone handed over with the passcode allows fuller extraction than a locked device. There are lawful forensic techniques for accessing locked devices, but success depends on model and iOS version.
What Courts Accept
For evidence to be useful in legal proceedings, it needs to be collected properly. This means:
- Chain of custody documentation from the moment the device is secured
- Forensic imaging that creates a verified copy without altering the original
- Documented methodology that can withstand scrutiny
- Expert reporting that explains findings in accessible terms
Forensic evidence from iPhones is routinely accepted in Australian courts—Federal Court, state Supreme and District courts, and various tribunals. The key is proper collection and documentation.
Limitations and Honest Expectations
Not everything is recoverable. Some realistic limitations:
- Messages deleted long ago and overwritten are gone permanently
- End-to-end encrypted apps with strong security may resist extraction
- Factory reset devices have significantly reduced recovery prospects
- Some data exists only in iCloud, not on the device itself
- Locked devices with unknown passcodes present additional challenges
A good forensic examiner will assess recovery likelihood before you commit to a full investigation, so you can make informed decisions about whether to proceed.
When to Engage a Forensic Examiner
If an iPhone may contain evidence relevant to a legal matter, consider engaging a forensic examiner:
- Before the device is used further — every day of normal use risks overwriting deleted data
- Before attempting DIY recovery — improper handling can compromise evidence or admissibility
- Early in the matter — forensic examination takes time, and court deadlines don't wait
An initial consultation can help you understand what's likely recoverable and whether forensic examination makes sense for your specific matter.
Related Posts
Lvl 17, Angel Place,
123 Pitt Street,
Sydney
NSW 2000
(02) 7230 1350