A disputed email, an unexplained bank transfer or a confidential file appearing outside the business can change the course of a case quickly. The top signs of device compromise are not always dramatic, and a single symptom rarely proves unauthorised access. What matters is recognising a pattern, responding proportionately and preserving the device and its data in a way that does not damage potential evidence.
For solicitors, organisations and private clients, the immediate question is often not simply whether a phone or computer has been hacked. It is whether activity can be attributed reliably, when access may have occurred, what data was exposed or altered, and whether the available evidence will withstand scrutiny. Those questions require careful investigation rather than assumption.
Top signs of device compromise
Unrecognised account activity and security alerts
Security notifications are often the first visible indicator. These may include password reset messages that were not requested, alerts for sign-ins from unfamiliar locations, new multi-factor authentication prompts, or notices that recovery details have changed. A user may also find unfamiliar forwarding rules in their email account, new devices listed as signed in, or messages marked as read without their knowledge.
These events can indicate that an account has been accessed, but they do not automatically establish that the physical device itself is compromised. A reused password, a phishing page or an exposed cloud session may be the cause. The distinction matters: an account-access investigation and a device examination involve different evidence sources, timeframes and preservation steps.
Record the date and time of each alert, retain the original messages, and take clear photographs or screenshots where appropriate. Do not rely solely on screenshots, however. They can support an account, but underlying account logs, device artefacts and message headers may carry greater evidential weight.
New software, browser changes or unfamiliar device settings
Unexpected applications, browser extensions, management profiles, remote-access tools or changes to security settings warrant prompt attention. On a mobile phone, this may appear as an unfamiliar configuration profile, a new device administrator setting or permissions granted to an application that has no obvious reason to access messages, location data, accessibility functions or the microphone.
On a computer, warning signs can include a changed browser home page, unknown extensions, security software being disabled, new user accounts, modified remote-desktop settings or programs launching automatically at start-up. An attacker may use legitimate remote-support software rather than obvious malware, particularly where access is intended to blend into ordinary system activity.
Equally, not every unfamiliar item is malicious. Business devices may receive centrally managed updates, and software can be installed by an authorised IT provider. Before deleting an application or resetting a setting, establish who has administrative responsibility and whether the change can be explained. Removing it may also destroy artefacts that would assist an investigation.
Performance changes that do not fit normal use
A device becoming slow, hot or unusually short of battery life is a common concern. Repeated crashes, excessive data consumption, unexplained pop-ups and unusually active cooling fans can also raise suspicion. These symptoms may be consistent with malicious software, background monitoring or unauthorised remote activity.
They are also consistent with ageing hardware, low storage, an operating-system update, legitimate backups or a poorly designed application. Technical symptoms alone are therefore weak evidence. Their significance increases when they coincide with unauthorised account activity, suspicious network connections or evidence that sensitive information has been accessed.
Avoid treating a factory reset as a routine cure. It may resolve a practical problem, but it can remove recoverable data, log records and indicators needed to determine what happened. Where litigation, disciplinary action, fraud or criminal conduct may follow, preservation should take priority over convenience.
Files, messages or transactions that the user cannot explain
Unfamiliar documents, altered file timestamps, deleted communications, unexpected sent messages and changed cloud-storage permissions are all potentially significant. In a workplace context, relevant indicators can include confidential material copied to personal storage, unauthorised forwarding of commercially sensitive emails, altered access rights or activity on a departing employee’s account.
In private matters, a person may discover messages sent from their account, location sharing enabled without consent or intimate material accessed or distributed. It is vital not to jump from the existence of an event to an allegation against a particular person. Several people may have known a password, used a shared device or had access to a cloud account. Proper attribution depends on the digital trail, not suspicion alone.
Unusual network or remote-access behaviour
Repeated connections to unfamiliar networks, unexpected virtual private network activity, new network profiles or remote-access sessions outside normal working hours may justify further enquiry. In an organisational setting, firewall records, endpoint logs, cloud audit logs and authentication records can help establish whether the activity was expected and from where it originated.
Remote access is not inherently improper. It is routinely used by IT teams and hybrid workers. The relevant questions are whether the tool was authorised, whether the account used was legitimate, what actions were performed, and whether those actions align with the user’s role and normal patterns of work.
Why symptoms are not proof
The most damaging errors in suspected compromise cases occur when an initial concern is presented as a settled fact. A phishing email may create fear without resulting in access. A foreign login alert may reflect a mobile network route or a legitimate travel connection. A deleted file may be the result of retention settings, synchronisation conflict or ordinary user action.
This does not mean the warning signs should be dismissed. It means they should be investigated with a defined evidential question in mind. Was there unauthorised access? Which account, device or service was involved? What data was viewed, copied, changed or exfiltrated? Can the activity be linked to a user, an IP address, a device identifier or another reliable source?
A forensic examination may correlate artefacts from the device with email, cloud and network records. It can identify relevant applications, recover certain deleted material where technically possible, examine browser and system activity, and establish a defensible chronology. The scope should be proportionate to the dispute. A contained personal-account concern may not require the same response as a suspected insider theft of client data.
Preserve evidence before attempting a fix
Once compromise is suspected, well-intentioned action can make an investigation harder. Repeatedly opening files, clearing browser history, installing cleaning tools, changing numerous settings or allowing several people to handle the device can alter the very evidence needed later.
The appropriate response depends on the risk. If there is an active threat to funds, client information or safety, immediate containment may be necessary. This can include contacting the bank, securing critical accounts through a known-clean device, notifying the responsible IT team and preventing further access. Document each step: who acted, when they acted, what was changed and why.
Where there is no immediate danger, preserve the position first. Keep the device secure, limit access, retain associated chargers and storage media, and avoid connecting it to unnecessary networks. Do not ask the suspected individual to inspect or explain the device before obtaining advice if there is a risk of deletion, interference or escalation.
For corporate matters, issue an appropriate preservation notice and identify relevant custodians, accounts, cloud services and backup sources. A narrow, documented collection plan is often more defensible than an indiscriminate search of personal data. Legal obligations, employment rights, privacy considerations and the purpose of the investigation should all inform the approach.
Chain of custody is part of the evidence
A technically interesting finding is of limited value if nobody can explain where the device came from, who controlled it and how the data was acquired. Chain of custody records the handling of an item from collection through examination and reporting. It helps demonstrate that the material examined is the material relevant to the case, and that it has not been altered without record.
Forensic acquisition should be carried out using methods appropriate to the device, operating system and circumstances. The examiner should document the process, preserve original material where possible, work from verified forensic copies and distinguish facts from interpretation in the final report. This discipline is particularly important where findings may be relied upon in civil proceedings, criminal matters, internal hearings or settlement negotiations.
Computer Forensics Lab approaches suspected compromise with that evidential purpose in mind: establishing what can be supported by the data, what remains uncertain, and how the findings can be presented clearly to legal and investigative decision-makers.
When to instruct a forensic specialist
Specialist assistance is usually justified where the issue involves alleged hacking, employee misconduct, fraud, harassment, intellectual property, disputed communications or material likely to be used in proceedings. It is also prudent where a device has already been handled by multiple parties, where data may have been deleted, or where the opposing side is likely to challenge authenticity or attribution.
A forensic specialist can advise on urgent preservation, define a proportionate scope, acquire data in a controlled manner and provide an independent report. Early advice is often the difference between a question that can be answered from evidence and one that remains clouded by avoidable changes to the device.
A suspicious device should be treated neither as proof of wrongdoing nor as an ordinary IT inconvenience. Preserve what is there, record what has happened, contain genuine risk, and let the available evidence determine the next step.
