A common question in mobile device investigations is deceptively simple: when was this phone last factory reset? The answer matters. It can establish a timeline of evidence preservation, prove or disprove claims about device wipes, and confirm whether activity predating a certain date could possibly survive on the device.

We recently worked a case involving an unlocked Samsung Galaxy A16 5G where this was exactly the question. Here's how we answered it.

The Cellebrite starting point — and its limits

The first move in a case like this is a full extraction parsed in Cellebrite Physical Analyzer. Searching the activity timeline for the word "reset" returns hits in two distinct categories: entries simply labeled "Reset" and entries labeled "Factory Reset." Anyone working a case like this for the first time runs straight into the obvious question — what's the difference between the two?

In Cellebrite's activity timeline, a generic "Reset" entry typically refers to a soft reset: a reboot, a system restart, or a routine recovery event that does not wipe user data. The on/off history of the phone produces a long trail of these — every power cycle leaves a trace. A "Factory Reset" entry, on the other hand, represents the destructive --wipe_data operation that erases user data and returns the device to a clean state.

But Cellebrite's activity labels are a starting hypothesis, not proof. To confirm a true factory reset and pin down its exact timing, we need to verify the underlying artifacts.

The three-signature test

A genuine Android factory reset leaves a distinctive fingerprint that no OTA software update can replicate. Within a span of roughly 99 seconds on the date in question, three independent artifact sources on this device agreed.

First, Samsung's recovery log (efs/recovery/history) recorded the literal text PANIC: Hard Reset Hook — the kernel-level entry written when a --wipe_data recovery operation begins.

Second, 81 seconds later, a brand-new yearly usage-statistics database was initialized at data/system/usagestats/0/yearly/. A factory reset wipes the entire /data partition, including all existing usage stats. A fresh yearly bucket appearing at this moment can only happen on a clean filesystem.

Third, 98 seconds after the recovery log entry, data/system/packages.xml was rebuilt — and every single system app on the device was re-stamped to that exact moment. Package manager doesn't behave this way during an OTA update; only on first boot after a /data wipe.

These three artifacts only co-occur during a true factory reset. Any one of them in isolation could be ambiguous. All three together, within a 99-second window, is the unambiguous signature.
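The correlation described above, as an added example that is not code from the original post: it parses a constructed packages.xml fragment (the hex-millisecond "it"/"ut" install-time attributes are an assumption about the file's format), checks that every system app carries one stamp, and applies the ordered ~99-second window to constructed timestamps for the recovery PANIC entry and the fresh usagestats bucket.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Constructed timeline for the three artifacts (not taken from the case).
RECOVERY_TS = datetime(2024, 3, 10, 14, 22, 5, tzinfo=timezone.utc)   # PANIC: Hard Reset Hook
USAGESTATS_TS = RECOVERY_TS + timedelta(seconds=81)                   # fresh yearly bucket created
_REBUILD = RECOVERY_TS + timedelta(seconds=98)                        # packages.xml rebuilt
_USERAPP = RECOVERY_TS + timedelta(hours=3)                           # app installed after restore

def _hex_ms(ts):
    """packages.xml install/update times as hex epoch milliseconds (format assumption)."""
    return f"{int(ts.timestamp() * 1000):x}"

# Constructed, trimmed packages.xml: every system app shares one stamp, a user app does not.
PACKAGES_XML = f"""<packages>
  <package name="com.android.settings" codePath="/system/priv-app/Settings" it="{_hex_ms(_REBUILD)}" ut="{_hex_ms(_REBUILD)}"/>
  <package name="com.samsung.android.messaging" codePath="/system/app/Messaging" it="{_hex_ms(_REBUILD)}" ut="{_hex_ms(_REBUILD)}"/>
  <package name="com.example.userapp" codePath="/data/app/com.example.userapp" it="{_hex_ms(_USERAPP)}" ut="{_hex_ms(_USERAPP)}"/>
</packages>"""

SYSTEM_PREFIXES = ("/system", "/product", "/vendor", "/system_ext")

def system_install_times(xml_text):
    """Map each system-partition package to its install time (UTC)."""
    times = {}
    for pkg in ET.fromstring(xml_text).iter("package"):
        if pkg.get("codePath", "").startswith(SYSTEM_PREFIXES):
            millis = int(pkg.get("it"), 16)
            times[pkg.get("name")] = datetime.fromtimestamp(millis / 1000, tz=timezone.utc)
    return times

def three_signature_check(recovery_ts, usagestats_ts, system_times, window_s=120):
    """Verdict on a true --wipe_data reset: the recovery PANIC entry, the fresh yearly
    usagestats bucket and a uniform packages.xml re-stamp must occur in that order
    within window_s seconds. Offsets are returned so the window can be reported."""
    stamps = set(system_times.values())
    if len(stamps) != 1:
        # Differing stamps is what an OTA or ordinary use leaves behind, not a /data wipe.
        return {"factory_reset": False, "reason": "system apps not uniformly re-stamped"}
    packages_ts = stamps.pop()
    usage_off = (usagestats_ts - recovery_ts).total_seconds()
    pkg_off = (packages_ts - recovery_ts).total_seconds()
    in_order = 0 <= usage_off <= pkg_off <= window_s
    return {"factory_reset": in_order, "usagestats_offset_s": usage_off,
            "packages_offset_s": pkg_off,
            "reason": "all three artifacts in order inside the window" if in_order
                      else "artifacts out of order or outside the window"}
```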

Corroborating evidence: the restored backup

After confirming the reset itself, we wanted to understand what happened next. The device's WiFi configuration store (WifiConfigStore3.xml) revealed several dozen saved networks, all marked HasEverConnected=false with identical reboot counts. This is the textbook signature of a bulk restore from Google backup during the post-reset setup wizard — the networks had been imported from the cloud, but the device hadn't yet physically connected to any of them at the moment they were written to the file.

This told us the owner restored their data after the wipe and continued using the device normally from that point forward.
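The bulk-restore check described above, as an added example rather than the post's own tooling: it reads a constructed WifiConfigStore-style XML (the element layout is assumed from AOSP's store format) and flags the pattern of many saved networks with HasEverConnected=false; the min_networks and min_fraction thresholds are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed WifiConfigStore-style XML (layout assumed from AOSP, not copied from the case):
# a dozen networks restored from backup that were never joined, plus one later connected.
def _network(ssid, ever_connected):
    return f"""<Network><WifiConfiguration>
<string name="ConfigKey">&quot;{ssid}&quot;WPA_PSK</string>
<string name="SSID">&quot;{ssid}&quot;</string>
<boolean name="HasEverConnected" value="{str(ever_connected).lower()}" />
</WifiConfiguration></Network>"""

WIFI_CONFIG_XML = ("<WifiConfigStoreData><NetworkList>"
                   + "".join(_network(f"Restored{i}", False) for i in range(12))
                   + _network("CoffeeShop", True)
                   + "</NetworkList></WifiConfigStoreData>")

def saved_networks(xml_text):
    """Return [(ssid, has_ever_connected)] for each saved network in the store."""
    out = []
    for net in ET.fromstring(xml_text).iter("WifiConfiguration"):
        ssid = ever = None
        for child in net:
            if child.get("name") == "SSID":
                ssid = (child.text or "").strip('"')   # parser already unescaped &quot;
            elif child.get("name") == "HasEverConnected":
                ever = child.get("value") == "true"
        out.append((ssid, ever))
    return out

def bulk_restore_signature(networks, min_networks=10, min_fraction=0.9):
    """Flag the post-reset restore pattern: many saved networks, nearly all never connected.
    Thresholds are hypothetical; tune them to the matter at hand."""
    never = [s for s, ever in networks if ever is False]
    total = len(networks)
    flagged = total >= min_networks and len(never) / total >= min_fraction
    return {"total": total, "never_connected": len(never), "bulk_restore": flagged}
```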

Ruling out device-identity tampering

For thoroughness, we cross-referenced the on-device identifiers — IMEI, serial number, model code, production date — against Samsung's official IMEI lookup service. Every field that could be cross-checked matched exactly: manufacturer, marketing name, both IMEIs, serial number, model number, production date, ship date, country of sale. There were no discrepancies between Samsung's records and the data extracted from the device.

This independent corroboration ruled out the possibility that the device had been spoofed or that we were looking at artifacts from a different physical handset than the one on the table.

Where to look on a case like this

For anyone working a similar question, these are the on-device locations worth pulling:

efs/recovery/history: Samsung's recovery log, where the PANIC: Hard Reset Hook entry marks the start of the --wipe_data operation.
data/system/usagestats/0/yearly/: a freshly initialized yearly usage-statistics bucket, which only appears on a clean /data partition.
data/system/packages.xml: rebuilt on first boot after the wipe, with every system app stamped to the same moment.
WifiConfigStore3.xml: saved networks marked HasEverConnected=false point to a bulk restore from Google backup during the setup wizard.

The takeaway

A label on a Cellebrite activity line is a hypothesis, not a conclusion. Confirming a factory reset — and distinguishing it from a routine reboot, an OTA update, or any other system event — requires triangulating multiple independent artifacts that can only line up the way they do for a real --wipe_data operation. When all three signatures land within a hundred-second window and corroborating evidence shows a backup restoration in the hours that followed, you have a defensible, court-ready conclusion about when the device was wiped and what happened next.


Case details have been generalized to protect client confidentiality. Published with client consent.