As discussed in section 3, ArtEx is an open-source tool that is great for triage and forensic validation. In this example, we used ArtEx to validate our predictions on when an iPhone X running iOS 14.2 was wiped. As the slide shows, we select Device Wipe and are presented with a datetime for the wiping activity. Additionally, we can click on the file under Source and examine the native data. On the highlighted line, you will see the magic words, “this is an erase install.” A very important aspect of this file that was detected by Heather Mahalik and Ian Whiffin, as stated in their blog, is that this file stores all data in Pacific time.¹ It must be converted manually to the local time for the user. This log shows the time of 13:26:30 but the device was wiped at 16:26:30 since the user lives in Eastern time.

Reference:

[1] https://for585.com/wipeartifacts