Unfortunately, Android devices are quite varied, which leads to the complexity and the number of files that could pinpoint the time of wipe. But let’s assume, similar to our iOS example, that our user was savvy enough to try to recreate artifacts on the system to disguise evidence of a wipe. Using third-party activity and correlating those artifacts with system activity, is still possible.

In the example above, the file created in the usagestats directory at data/system/usagestats/0/weekly/############# has a created date that closely corresponds with the time of wipe/restore; however, when our user logged back into the device using a Gmail account, many Google artifacts from dates prior to the wipe were recreated on the device.

What is nice about the usagestats directory is that applications that have been deleted will not have their content removed from the usagestats activity. This is a great place to start investigating not only the presence, but also the usage of certain applications.