The cases that we are involved in often include the examination of mobile phones that were factory reset before they were seized or handed over for review, so the device may contain little or no user data.
Rather than stopping the examination as soon as it becomes apparent that the phone was reset and contains little or no user-created data, it can be beneficial to the proceedings to identify when the phone was reset.
Part of the factory reset process of an Android mobile phone involves the data being securely erased, meaning that information prior to the event may not be recoverable. In addition to this, when the phone completes the reset process, the time/date setting is the default, which in this example case of a Samsung Galaxy S8 Plus was 1st January 2019. This makes it difficult to identify exactly when the Android device was reset, particularly if the handset is switched off at that point.
Once the user begins the configuration process of the phone, including connecting it to a network, whether that be a wireless connection or a phone network, then, by default, the phone will automatically and accurately set the time from an external source.
It was found that one of the first applications to be installed by default as part of the Android operating system was the GoogleQuickSearchBox, which includes databases named Cookies and Web Data. The creation of those databases was found to be among the first actions of the system during the installation process after the reset and prior to the device being configured for use.
Also created are the appusage.db and telephonyspam.db databases, which handle application usage over the mobile network and the spam caller list respectively.
The creation time/date of the database files within those locations indicates the point of first startup after the device was reset.
When the user configures the phone for use with a Google account, the phone creates two databases named after the account at the path data/Root/data/com.google.android.gm/databases/ with the prefixes mailstore and internal. The creation date of those databases relates to the point at which the device was configured with that account.
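The checks described above can be run over a file listing exported from a forensic tool. The following Python sketch is an added example, not Athena Forensics' own tooling: it assumes the listing is available as (path, creation datetime) pairs, the sample records and sub-paths are constructed, and the step that sets aside timestamps falling on the default date is an added assumption rather than a finding from the page.

```python
from datetime import datetime, timedelta

# Default clock after reset reported on this page for the Galaxy S8 Plus.
DEFAULT_CLOCK = datetime(2019, 1, 1)

def classify(path):
    """Return 'first_boot', 'account_setup' or None for one file path."""
    lowered = path.lower()
    name = lowered.rsplit("/", 1)[-1]
    if "com.google.android.gm/databases/" in lowered and name.startswith(("mailstore", "internal")):
        return "account_setup"
    if name in ("appusage.db", "telephonyspam.db"):
        return "first_boot"
    if name in ("cookies", "web data") and "googlequicksearchbox" in lowered:
        return "first_boot"
    return None

def reset_timeline(records, default_clock=DEFAULT_CLOCK, window=timedelta(days=1)):
    """Earliest creation time per artefact group from (path, created) pairs."""
    result = {"first_boot": None, "account_setup": None, "unsynced": []}
    for path, created in records:
        kind = classify(path)
        if kind is None:
            continue
        # Assumption: a timestamp within a day of the default date was written
        # before the clock was set from an external source, so report it apart.
        if abs(created - default_clock) <= window:
            result["unsynced"].append(path)
            continue
        if result[kind] is None or created < result[kind]:
            result[kind] = created
    return result

# Constructed sample listing; the sub-paths and times are illustrative only.
ROOT = "data/Root/data/"
SAMPLE = [
    (ROOT + "com.google.android.googlequicksearchbox/app_webview/Cookies", datetime(2021, 3, 14, 9, 12, 5)),
    (ROOT + "com.google.android.googlequicksearchbox/app_webview/Web Data", datetime(2021, 3, 14, 9, 12, 7)),
    (ROOT + "example.package/databases/appusage.db", datetime(2021, 3, 14, 9, 12, 30)),
    (ROOT + "example.package/databases/telephonyspam.db", datetime(2019, 1, 1, 0, 1, 10)),
    (ROOT + "com.google.android.gm/databases/mailstore.user@example.com.db", datetime(2021, 3, 14, 10, 3, 44)),
    (ROOT + "com.google.android.gm/databases/internal.user@example.com.db", datetime(2021, 3, 14, 10, 3, 45)),
    (ROOT + "example.package/databases/other.db", datetime(2021, 3, 15, 8, 0, 0)),
]

if __name__ == "__main__":
    for key, value in reset_timeline(SAMPLE).items():
        print(key, value)
```

The creation times must come from the file system of the acquired image, since files copied out to an examination workstation take on new timestamps.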
About Athena Forensics
For information on our digital forensic services, or if you require any advice or assistance, please contact a member of our team on 0330 123 4448 or via email on firstname.lastname@example.org. Further details are available on our contact us page.
Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensic investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.