Let's assume that you own a phone that is under surveillance.
If you do a factory reset, after a few days the mobile is compromised again.
All stalkeware tools fail.
You are nearly sure your organization is using a surveillance provider with zero-day exploits, probably SMS ones.
You can root the device to ls all files with date and size.

Would be useful to compare two ls snapshots, first once device is reseted, and second after a couple of weeks?
What advice will you provide to do that?

This repository only provides indicators of compromise, not tooling around them.

You might be interested in this comment.