Terminal forensics in large mobile networks is a vital activity for identifying compromised devices and analyzing malicious actions. The study described here takes the domain of terminal forensics, rather than the threat itself, as its primary focus. This paper proposes a new multi-criteria decision-making (MCDM) model that integrates complex picture fuzzy sets (CPFS) with the combinative distance-based assessment (CODAS) method, referred to throughout as complex picture fuzzy CODAS (CPF-CODAS). The aim is to assist forensic analysis in detecting mobile botnet command and control (C&C) systems. The CPF-CODAS model accounts for the uncertainty, hesitation, and complex numerical values involved in expert decision-making by expressing membership as positive, neutral, and negative degrees. An illustrative forensic case study is constructed in which three mobile devices are evaluated by three cybersecurity professionals against six key parameters related to botnet activity. The results demonstrate that the model can effectively distinguish suspicious devices and support the use of the CPF-CODAS approach in terminal forensics of mobile networks. The robustness, symmetry, and advantages of this model over existing MCDM methods are confirmed through sensitivity and comparison analyses. In conclusion, this paper introduces a novel probabilistic decision-support tool that digital forensic specialists can incorporate into their workflow to proactively identify and prevent actions of mobile botnet C&C servers.
1 Department of Information Technology, Shaanxi Police College, Xi’an 710021, China; [email protected] (F.Z.); [email protected] (M.G.), Shaanxi Provincial Key Laboratory of Intelligent Policing, Xi’an 710021, China, Key Laboratory of Digital Forensics and Analysis of Shaanxi Higher Education Institutes, Xi’an 710021, China