In this episode, we answer the top 10 questions surrounding wiped devices as well as methods to enable iOS reconstruction of activities and the creation of a timeline of events.

Questions include:

  1. How do you know if a device has been wiped?
  2. What data is recoverable from a wiped device?
  3. Has the device been reset?
  4. Has the device been tampered with? If, so was it on purpose?
  5. How to digitally retrace the steps of device activity?
  6. Does the type of data collection matter on wiped devices?
  7. Which files can you trust on a device?
  8. Is there data that can give dates and times in an understandable format?
  9. How did a user get to a certain location?
  10. What are the best ways to know when the device was wiped or first used?

Wiped iOS Device

Heather will use one of her own test mobile-device images to show you good files to start with when investigating iOS devices, including:

  • log.X – Examine content for “is an erase install”
  • log.X – Review the log
  • .obliterated – If it exists!
  • SQLitedb – Creation date of container
  • apple.purplebuddy.plist – “GuessedCountry” date
  • storedata and Notes.sqlite – Creation date

Wiped Android Device

We’ll look at Android devices in Episode 10.

Stay tuned for Heather’s blog on Cellebrite’s site and the submission to DFIR Review.

Send ideas to ibegtodfir (at)

Register for the next iBeg to DFIR episode here.

Share this post