The research into detecting iOS wipe times conducted by Ian Whiffin, Jared Barnhart, and Heather Mahalik sparked a companion project from Android researcher Josh Hickman. Detecting evidence of a wipe, or of booting into an Android OS after a factory reset, can prove to be slightly more difficult due to the existence of so many variants of the open-source operating system. However, Josh pulled together a large collection of Android artifacts that contain evidence of wiping activity. Many of these files will require a full filesystem acquisition or physical access to the rooted Android device.

Josh’s research (conducted on a Pixel and a Samsung variant) can be found on his blog, https://thebinaryhick.blog/2021/08/19/wipeout-detecting-android-factory-resets/, but some of the highlights have been included here.

The persistent_properties file at /data/property/ is available on both manufacturers tested (Samsung and Pixel). It should contain a reboot,factory_reset, entry followed by a Unix epoch timestamp. This, however, is a first in, first out artifact; if the device is rebooted more than three times, the evidence of the wipe (the factory_reset timestamp) is eliminated. If you only see multiple reboot,userrequested indicators (along with timestamps), it is possible that your suspect device has been rebooted more than three times, thus flushing the artifact associated with the factory reset. This artifact can also be accessed from a non-rooted Android device by running ADB queries. Selecting “Collect Basic Information” in Mattia Epifani's Android Triage script will output this information to a text file for review. [2]
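As an added illustration (not code from Josh's research or from the Android Triage script), the following Python example scans the raw bytes of an extracted persistent_properties file for the reboot,<reason>,<epoch> entries described above, converts the timestamps to UTC, and treats a history without a factory_reset entry as inconclusive rather than as proof that no wipe occurred. The function names, the assumed entry layout, and the sample bytes are constructed for this example.

```python
import re
from datetime import datetime, timezone

# Matches "reboot,<reason>[,<sub-reason>...],<epoch seconds>" anywhere in raw bytes.
# Assumption: reason tokens are lowercase letters/underscores, epoch is 10 digits.
ENTRY_RE = re.compile(rb"(reboot(?:,[a-z_]+)+),(\d{10})(?!\d)")


def parse_boot_history(data: bytes):
    """Return [(reason, utc_datetime), ...] in the order found in the file."""
    entries = []
    for m in ENTRY_RE.finditer(data):
        when = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
        entries.append((m.group(1).decode("ascii"), when))
    return entries


def assess(entries):
    """Report wipe times, or flag the history as inconclusive (FIFO rollover)."""
    resets = [when for reason, when in entries
              if reason.startswith("reboot,factory_reset")]
    if resets:
        return {"verdict": "factory_reset_found", "reset_times": resets}
    # No factory_reset entry is not proof of no wipe: later reboots push it out.
    return {"verdict": "inconclusive_history_rolled", "reset_times": []}


# Constructed sample: arbitrary binary framing bytes around two history entries.
SAMPLE = (b"\x0a\x4a\x12\x48"
          b"reboot,userrequested,1629379800\n"
          b"reboot,factory_reset,1629376200\n\x00")

# Constructed sample: only user-requested reboots remain in the history.
ROLLED = (b"reboot,userrequested,1629500000\n"
          b"reboot,userrequested,1629450000\n"
          b"reboot,userrequested,1629400000\n")

if __name__ == "__main__":
    for name, blob in (("SAMPLE", SAMPLE), ("ROLLED", ROLLED)):
        result = assess(parse_boot_history(blob))
        times = [t.isoformat() for t in result["reset_times"]]
        print(name, result["verdict"], times)
```

When run against a real extraction, read the file in binary mode and pass its contents to parse_boot_history; an inconclusive verdict should send you to the other artifacts covered here.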

The directory /data/misc/bootstat/ should exist on Android devices from multiple manufacturers (including the Samsung and Pixel) and is a relatively new artifact available in Android version 11+. The directory contains the files factory_reset and last_boot_time_utc. The modified timestamps of those files reflect when the activity occurred, even though the files themselves are empty.

The next two artifacts are relevant to Samsung devices only:

/efs/recovery/history logs every wipe that occurred on the device; each wipe event appears after the “--wipe_data” identifier, along with a corresponding timestamp. This file appears to track multiple wipes and may vary slightly depending on whether the wipe was conducted via the phone UI or by entering the system recovery.

And finally, /data/system/users/service/data/eRR.p, which is also unique to Samsung, tracks device wipes and subsequent reasons (e.g., recovery, userrequested, adb). The timestamps are stored in UTC based on the device time bias.

References:

[1] https://thebinaryhick.blog/2021/08/19/wipeout-detecting-android-factory-resets/

[2] https://github.com/RealityNet/android_triage