// first 10 minutes
lost or stolen device — quick-start
lost or stolen device — first 10 minutes. remote-wipe decision point. print this, check boxes, then run the primary tools.
checklist
- decide before acting: if you need forensic evidence (e.g., theft for insurance claim, unauthorized access investigation), do not remote-wipe yet.
- if immediate privacy protection is the priority, trigger remote wipe from Apple Find My, Google Find My Device, or MDM — and record the trigger timestamp.
- log the last known location ping from Find My, Google Maps Timeline, or carrier location service with exact UTC timestamp.
- change passwords for all accounts that were signed in on the device — start with email and banking.
- revoke trusted device status in Apple ID, Google account, and any banking apps that treat the device as an authenticator.
- pull the MDM enrollment record for the device — includes last-check-in timestamp and installed app list.
- check for any suspicious sign-in attempts on accounts after the device was lost — geographic anomalies relative to your own location.
- file a police report with the device serial number, IMEI, and last location — required for insurance and sometimes for carrier unlock blocks.
- contact carrier to flag the IMEI as lost or stolen — prevents resale and international unlocking.
- begin the primary tool path below — device recovery artifact analyzer.
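added example (not part of the original page or its tools): one way to run the sign-in check from the checklist, normalizing every sign-in to UTC, keeping only those after the last known location ping, and flagging the ones far from your own location. the timestamps, coordinates, the 200 km threshold and the `triage` helper are constructed assumptions; it also assumes your account activity export carries an approximate sign-in location.

```python
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

# Constructed sample data: every value below is an illustrative assumption.
LOSS_TIME_UTC = datetime(2024, 5, 1, 14, 30, tzinfo=timezone.utc)  # last known ping
OWNER_LOCATION = (51.5074, -0.1278)  # your own location (lat, lon)
MAX_KM = 200.0                       # assumed threshold for a geographic anomaly

SIGN_INS = [  # (ISO 8601 timestamp as exported, account, lat, lon)
    ("2024-05-01T13:55:00+00:00", "email", 51.51, -0.12),
    ("2024-05-01T16:10:00+02:00", "email", 51.50, -0.13),     # 14:10 UTC, pre-loss
    ("2024-05-01T15:02:00+00:00", "bank", 51.52, -0.10),
    ("2024-05-01T18:40:00+00:00", "email", 48.8566, 2.3522),
    ("2024-05-02T01:15:00+03:00", "bank", 55.7558, 37.6173),  # 22:15 UTC on 05-01
]

def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def triage(sign_ins, loss_time, owner_loc, max_km=MAX_KM):
    """Return post-loss sign-ins in UTC order, tagged anomalous if far from owner."""
    rows = []
    for ts, account, lat, lon in sign_ins:
        # Convert local-offset timestamps to UTC before comparing to the loss time.
        when = datetime.fromisoformat(ts).astimezone(timezone.utc)
        if when <= loss_time:
            continue  # at or before the last known ping: outside this check
        dist = km_between(owner_loc, (lat, lon))
        rows.append({"utc": when.isoformat(), "account": account,
                     "km_from_owner": round(dist), "anomalous": dist > max_km})
    return sorted(rows, key=lambda r: r["utc"])

if __name__ == "__main__":
    for row in triage(SIGN_INS, LOSS_TIME_UTC, OWNER_LOCATION):
        print(row)
```

the second sample row looks later than the loss time until its +02:00 offset is converted, which is why the checklist asks for exact UTC timestamps.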
primary tools
- 01 ios pairing record forensic analyzer · drop itunes lockdown pairing plist · parse device and host certificates · escrow bag detection · pairing age and trust implications · csv json export · runs locally
- 02 mobile device pairing record analyzer · drop ios lockdown pairing plist or android adb key files · parse device pairing credentials · identify which computers have been paired with the device · surface pairing timestamps and certificate details · runs locally
- 03 ios jailbreak artifact detector · drop manifest db or path list · detect jailbreak indicators cydia sileo substrate · tool identification · removal hints · runs locally
- 04 mobile factory reset evidence artifact detector · drop iOS backup Info.plist / Status.plist or Android recovery logs, getprop output, and filesystem listings · detect artifacts indicating a factory reset occurred · distinguish first-time setup from post-reset setup · surface data remnants that survived the reset · assess completeness of the wipe · runs locally
- 05 mobile remote wipe artifact detector · drop iOS backup files, MDM enrollment plists, or Android DevicePolicyManager logs and logcat output · detect evidence of remote wipe commands being issued or executed · identify the wipe initiator (MDM, Find My iPhone, Google Find My Device, Samsung Find My Mobile) · surface wipe timing and scope · assess whether wipe was completed or interrupted · runs locally
- 06 android factory reset artifact detector · drop recovery logs logcat getprop or path listings · detect factory reset evidence · recovery wipe timeline · mdm remote wipe · boot count · runs locally
- 07 ios app install and uninstall timeline reconstructor · drop manifest db applicationstate plists installd log · install uninstall upgrade timeline · mass uninstall alerts · runs locally
- 08 unified login session reconstructor · drop 4624 evtx · rdp logs · vpn logs · ssh logs · browser cookie databases · srum csv · build one unified session per user per day across all authentication sources · identify gaps · flag impossible sessions · runs locally