Clients who believe their phone has been hacked are often right about something being wrong, and wrong about what it is. The first job of an investigation is to separate genuine compromise from account sharing, remembered passwords, poorly configured backups and, occasionally, coercive access by someone in the household.
What we look for
- Unknown configuration profiles, MDM enrolments and enterprise certificates on iOS.
- Sideloaded apps, accessibility service abuse and hidden device administrators on Android.
- Unrecognised sessions on linked accounts, particularly Google, Apple, WhatsApp and iCloud.
- Indicators of commercial spyware, where the case profile justifies a targeted check.
What clients should do the moment they suspect it
Stop using the device. Do not factory reset it. Do not change passwords from the same device. If sensitive proceedings are in contemplation, get the phone to an examiner before anything else. A reset destroys most of the evidence that would have identified the intruder.
Well meaning IT support that wipes and rebuilds the device is often the single largest cause of failed hacking investigations.

