How to Prove an iPhone Was Wiped: A Step-By-Step Guide

Reza Rafati
Estimated read time 3 min read

Ever wondered how to confirm that an iPhone has actually been wiped clean? You’re not alone. Ensuring that a device has been completely erased is crucial, especially if you’re planning to sell it, donate it, or just hand it down to someone else.

While the iPhone does generate some files after a wipe, these aren’t immediately clear indicators of a wipe’s timing. So, how do you go about it? Don’t worry, we’ve got you covered.

Why You Should Care About Verifying a Wipe

Let’s get one thing clear: wiping your iPhone is not just about hitting the ‘Erase All Content and Settings’ button1. True, the device may seem empty, but there are hidden files that can tell you whether a wipe has been carried out and when it happened.

We believe understanding these files is crucial for both peace of mind and potential legal requirements, such as proving that you have wiped all data before selling or recycling the device.

The “.obliterated” File

After an iPhone has been wiped, a file named “.obliterated” is usually generated. This file is a sort of ‘receipt’ that confirms a wipe has been done2.

Screenshot made by @inversecos
Screenshot made by @inversecos

Where to Find It

  • Location: /private/var/root

Note: While this file proves that a wipe has been performed, it does not provide the timestamp of when the wipe occurred.

The “containermanagerd.log” File: Your Go-To for Timestamps

If you’re interested in knowing the exact time when the wipe was carried out, the “containermanagerd.log” file is your best bet.

Where to Find It

  • Location: private/var/root/Library/Logs/MobileContainerManager
Screenshot made by @inversecos
Screenshot made by @inversecos

This log file stores not only the timestamp of the wipe but also logs for other events like software upgrades. So, you get a clear timeline of what has been done on the device.

Quick cheatsheet

Before we go any further, let’s summarize this important information in a table tha t you can use easily.

FileLocationPurpose
.obliterated/private/var/rootProves a wipe has been performed
containermanagerd.logprivate/var/root/Library/Logs/MobileContainerManagerProvides the timestamp of the wipe

Steps to Access These Files

  1. Jailbreak Your iPhone: Unfortunately, you can’t access these files on a standard iPhone. Jailbreaking will give you the required permissions.
  2. Use Terminal or SSH: Navigate to the folders using a terminal or SSH client.
  3. Locate the Files: Once inside the folders, look for the .obliterated and containermanagerd.log files.
  4. Check the Logs: Open the containermanagerd.log file to check the timestamp against the wipe event.

Conclusion

So there you have it. If you were skeptical about whether the iPhone was truly wiped, these hidden files should put your doubts to rest.

  1. https://support.apple.com/guide/iphone/erase-iphone-iph7a2a9399b/ios ↩︎
  2. https://twitter.com/inversecos/status/1706204549328015514 ↩︎
Think This Is Crucial Info? Share to Inform Others!
Avatar for Reza Rafati
Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.

You May Also Like

More From Author

+ There are no comments

Add yours