DFIR Review

Upgrade From NULL—Detecting iOS Wipe Artifacts


One of the most common questions we are asked is “How do I know when an iOS device was wiped?” Wiping is an effective way of trampling potential evidence on a device. Over the years, we have seen some savvy attempts to wipe a device while concealing that the wipe ever happened. These include:

  1. Wiping the device far enough in advance and then generating as much activity as possible to create noise on the device and make it look “used,” as Ruth did in the Cellebrite CTF.

  2. Wiping the device and pushing old backup data to it to make it look “used.”

  3. Wiping a device and pushing someone else’s data to it to make it look “used.”

In this blog, we want to help you quickly identify whether an iOS device was wiped. Keep in mind that a wipe does not by itself mean something nefarious occurred; there are legitimate reasons to wipe a device. We are simply helping you determine the “when,” and we leave you with the fun part: determining the “why” behind the wipe.