Digital Forensic Use Case: Hacked Device

When individuals suspect that their device has been hacked (also known as compromised), there are not many options for them to seek help. Law enforcement forensic labs already have backlogs anywhere from 6 to 25+ months for serious felony cases, and unless a hacking investigation involves some other serious crime, the police most likely won’t investigate. It can be unnerving and even scary to think that someone has compromised your personal device.


Journalists and authors reach out to us more often than any other profession. We have talked to several investigative journalists who suspect their device has been hacked by an individual or organization trying to see what the journalist has uncovered or to delete their draft stories altogether. Authors also seem to be targets of hacking, especially those who are writing books on topics that some would rather have left alone. Good cybersecurity practices and offline backups are critically important to combat hacking and malware like ransomware. We have some ideas on how to stay cybersecure elsewhere on our website.


Cyberattacks can happen in a variety of ways and may not always be apparent, even to an observant user. Sometimes, though, there are clues to be aware of. In the hacking of personal devices, we generally see two ways cybercriminals compromise a device: 1) by gaining physical access to the device and installing malicious software (malware) on it, or 2) by tricking the user into installing the malware, either through a link (such as in a phishing email) or a weaponized attachment. Some signs to look out for include:

  • Call quality is poor
  • Data usage is higher than expected
  • Decrease in battery life that is unexpected
  • Files are missing or have been moved
  • For mobile devices, the device may be getting warm to the touch
  • If you have them, CD trays may open or close unexpectedly
  • Someone receives a message from your email or phone number that you didn’t send
  • Someone seems to know things about you or have knowledge of a private conversation that they should not have
  • The device is acting extremely sluggish
  • The device is not in the same location or in the same condition as you remember leaving it
  • There are unknown processes running on the device and the RAM and/or CPU utilization is high for no apparent reason
  • You notice new or unusual software, apps, or icons on the device
  • You receive a warning message from your device about a security issue
  • Your webcam activates on its own
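
To make the "unknown processes" and "high RAM/CPU" signs concrete, the following is an added example (not part of the original post) that triages a `ps aux` snapshot. The process listing is constructed for illustration, and the `KNOWN` baseline and the CPU/memory thresholds are assumptions you would set for your own device.

```python
# Added example: triage a `ps aux` snapshot for unfamiliar, resource-heavy processes.
# SAMPLE_PS is constructed for illustration; KNOWN is an assumed personal baseline.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ    RSS TTY   STAT START   TIME COMMAND
root         1  0.0  0.1 168000  11000 ?     Ss   09:00   0:01 /sbin/init
alice     2210 62.0  4.2 900000 340000 ?     Sl   09:05   1:10 /usr/bin/firefox
alice     3391 87.0 12.5 700000 990000 ?     Rl   09:40  25:02 /tmp/.cache/updater --quiet
alice     3500  0.2  0.3 120000  24000 pts/0 Ss   09:50   0:00 /bin/bash
alice     3620  0.1  0.2  90000  16000 ?     S    09:55   0:00 /home/alice/bin/notes-sync
"""
KNOWN = {"init", "firefox", "bash"}


def parse_ps(text):
    """Parse `ps aux` text into dicts; skip the header and malformed lines."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split(None, 10)  # COMMAND (11th field) may contain spaces
        if len(parts) < 11:
            continue
        try:
            rows.append({"pid": int(parts[1]), "cpu": float(parts[2]),
                         "mem": float(parts[3]), "command": parts[10]})
        except ValueError:
            continue
    return rows


def name_of(command):
    """Program name: basename of the executable, or a bracketed kernel-thread name."""
    exe = command.split()[0]
    if exe.startswith("["):
        return exe.strip("[]").lower()
    return exe.rsplit("/", 1)[-1].lower()


def triage(rows, known, cpu_limit=50.0, mem_limit=10.0):
    """Return processes not in `known`, resource-heavy ones first."""
    flagged = []
    for row in rows:
        if name_of(row["command"]) in known:
            continue  # recognised program: high usage has an apparent reason
        heavy = row["cpu"] >= cpu_limit or row["mem"] >= mem_limit
        flagged.append({**row, "heavy": heavy})
    return sorted(flagged, key=lambda r: (not r["heavy"], -r["cpu"]))


if __name__ == "__main__":
    for r in triage(parse_ps(SAMPLE_PS), KNOWN):
        print(r["pid"], "HEAVY" if r["heavy"] else "idle", r["command"])
```

Matching on the program name is only a first pass, because a program can run under any name; treat a flagged entry as a reason to look closer, not as proof of compromise.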


If a hacker was able to compromise your device, there are several things they may be able to do. The capabilities of the hacker are driven by the sophistication of the malware, the stability of the device’s network connection, and any security software or devices that impair or remove the malware’s ability to function. Here are a few things we have seen malware do on a victim’s device:

  • Clone all phone calls and text messages to the hacker’s device to read all messages and listen in to phone calls
  • Gain access to cloud-based accounts through the device, especially when passwords are saved on the device
  • Play sounds over the device
  • Record the screen of a mobile device or computer and send the recordings to the hacker
  • Steal information from the devices such as web history, documents, pictures and videos, and more
  • Track the GPS movements of a mobile device
  • Turn on the microphone to listen in on conversations
  • Turn on the video camera / webcam of a mobile device or computer


Caveat: Each case is unique and these guidelines are intended for private individuals, not businesses or large enterprise organizations. Businesses and organizations should follow their incident response plan and consider different options on how to best respond to a cyberattack.

If you believe your computer or mobile device has been compromised, we recommend removing the device’s connectivity to the Internet immediately. This can be done by putting the device in airplane mode if it is connected via Wi-Fi, or unplugging its Ethernet cable. Remember other connections too, such as Bluetooth being used to connect to a hotspot.


Once the immediate threat is mitigated by disconnecting from the Internet, consider what you may want to do next. If you want to have your computer or device investigated, contact the business you are interested in using for the investigation for next steps. If you want to contact law enforcement, do so at this time and take their advice on how to best preserve any evidence.


Some malware lives only in the Random Access Memory (RAM) of a device, so once the device is rebooted, the malware will be gone. You may try to reboot your device to see if the suspicious activity goes away, although this kind of malware is not as prevalent as malware that installs on the device. You should also consider doing a full system scan with your endpoint protection (e.g., antivirus / antimalware) software to see if it finds anything suspicious. Sophisticated malware such as rootkits may not be detected even by an endpoint protection scan. Although such malware is not as common, be aware that a clean scan result should not be your only sign that your computer is clean.
