Start with the Right Foundations
Before diving into the types of data we can recover from smartphones, whether it’s an iPhone, Samsung Galaxy, Google Pixel, HTC, or Motorola, there are a few critical points you need to think through first.
If you’re reading this, chances are you searched something like “how to retrieve evidence from an employee’s smartphone.” But simply having access to a device isn’t the same as having the legal right to its data. This question is best addressed by issuing company-owned phones and not allowing business to be conducted on personal devices.
There are certainly software tools you can install on personal phones to control business data, remotely wipe, or track use. But from a pure evidence collection standpoint, nothing beats having physical access to a company-owned, unlocked smartphone that was used by your employee.
Why an Electronic Device Policy Is Critical
Owning the phone is just the start. It’s smart to have a clear Electronic Device Policy in place. This should spell out:
- The device is company property, provided for business use.
- The company has the right to access data on the phone at any time.
- Attempts to overwrite data, factory reset, or otherwise destroy information on the device are direct policy violations.
- Passcodes or PIN codes must be provided to the company.
Having such a policy is not only common sense, it can also be crucial if you later need to justify accessing data or explain why a wiped phone supports an inference of wrongdoing.
(And, as always, we’re not lawyers, but we’ve seen firsthand how policies like this protect companies.)
What We Typically Recover
Once we’ve confirmed you own the device and have the right to examine it, we typically create a forensic image of the phone. From there, we analyze the data for evidence relevant to your case.
Here’s what that can include:
Text messages and call logs
Deleted or not, text conversations can show communications that support or reveal misconduct. Call logs often provide useful details like the frequency and duration of calls.
Voicemails
Many don’t realize voicemails, especially on iPhones, can actually be stored on the device itself. That means we can retrieve, listen to, and even recover deleted voicemails.
Installed and deleted apps
The list of apps (both current and previously removed) can point us to additional places to search for evidence.
Location data
Knowing where a phone has been can be powerful. This might confirm activities inconsistent with what an employee claims.
Photos and videos
Sometimes these are simple snapshots that fill in a timeline. Other times, they’re pictures of documents or proprietary materials the user tried to sneak out by avoiding email or USB drives.
Secure messaging apps
Programs like Viber or WhatsApp don’t inherently prove wrongdoing, but data from them can add context or reinforce other evidence.
The Overlooked Angle: Computers the Phone Trusts
Another angle many overlook is how smartphones often sync with computers. Even if an employee just plugged in to charge, the phone may have synced with their personal or company machine.
This opens two key points:
- If the phone synced to a company computer, we can often retrieve much of the same data from backups.
- If it synced to their personal computer, we may find logs on the phone showing what computers it trusts. That can help build the case for why you should get access to review those personal systems, especially if your intellectual property might be stored there.
Putting It All Together
A smartphone can contain a goldmine of evidence, from texts and voicemails to photos and GPS history. And sometimes, it’s the attempt to hide or delete this data, wiping the device, scrubbing texts, or removing call logs, that tells the most damning story.
If you have a situation like this, reach out. We can help figure out the best approach to secure the data and build a stronger case.
About Swailes Computer Forensics
Swailes Computer Forensics provides expert digital forensic services to law firms, corporations, and organizations nationwide. Our work includes investigations into intellectual property theft, employee misconduct, data breaches, and more. With decades of experience and a commitment to integrity and clarity, we help clients uncover critical evidence and take informed action.
If you’re facing a potential case of employee data theft or have concerns about unauthorized activity, contact us for a confidential consultation.