How Forensic Investigators Can Find Meaningful Data From ‘Factory Reset’ Devices

We are excited to release the white paper of this year.

In this whitepaper, you can find the definition of Factory Reset, how its method differs by OS and device environment, why mobile forensic investigators should understand the important meanings of Factory Reset, and lastly, how MD-RED analyzes the log of Factory Reset.

When Factory Reset is executed, a record (log file) is left in a file for various actions performed on the system depending on the device environment. Not only recent records but also previous records exist, and in some cases, you can check Factory Reset method and Factory Reset time. Through this, it is possible to know when Factory Reset is executed and to determine whether the purpose of Factory Reset is for anti-forensics or destruction of evidence.

Therefore, Factory Reset records can be considered as very important artifacts because they can specify the user’s behavior from a forensic point of view.


01. Summary
02. How To execute Factory Reset?
03. Analysis of Factory Reset Log
04. Analysis Result of MD-RED
05. Conclusion
06. Appendix

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

Download – HancomWITH White paper ‘Factory Reset(iOS, Android)’ 

This is the preview version of the white paper, and if you want to find out the full version please contact our team.

Leave a Comment

Latest Articles