Mobile Verification Toolkit v2.5 releases: forensic tool to look for signs of infection in smartphone devices

Mobile Verification Toolkit

Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.

It has been developed and released by the Amnesty International Security Lab in July 2021 in the context of the Pegasus project along with a technical forensic methodology and forensic evidence.

Warning: this tool has been released as a forensic tool for a technical audience. Using it requires some technical skills such as understanding the basics of forensic analysis and using command-line tools.

MVT’s capabilities are continuously evolving, but some of its key features include:

• Decrypt encrypted iOS backups.
• Process and parse records from numerous iOS system and apps databases, logs, and system analytics.
• Extract installed applications from Android devices.
• Extract diagnostic information from Android devices through the adb protocol.
• Compare extracted records to a provided list of malicious indicators in STIX2 format.
• Generate JSON logs of extracted records, and separate JSON logs of all detected malicious traces.
• Generate a unified chronological timeline of extracted records, along with a timeline of all detected malicious traces.

iOS Forensic Methodology

Before jumping into acquiring and analyzing data from an iOS device, you should evaluate what is your precise plan of action. Because multiple options are available to you, you should define and familiarize yourself with the most effective forensic methodology in each case.

Filesystem Dump

You will need to decide whether to attempt to jailbreak the device and obtain a full filesystem dump, or not.

While access the full filesystem allows to extract data that would otherwise be unavailable, it might not always be possible to jailbreak a certain iPhone model or version of iOS. In addition, depending on the type of jailbreak available, doing so might compromise some important records, pollute others, or potentially cause unintended malfunctioning of the device later in case it is used again.

If you are not expected to return the phone, you might want to consider to attempt a jailbreak after having exhausted all other options, including a backup.

iTunes Backup

An alternative option is to generate an iTunes backup (in the most recent version of Mac OS, they are no longer launched from iTunes, but directly from Finder). While backups only provide a subset of the files stored on the device, in many cases it might be sufficient to at least detect some suspicious artifacts. Backups encrypted with a password will have some additional interesting records not available in unencrypted ones, such as Safari history, Safari state, etc.

Methodology for Android forensic

For different technical reasons, it is more complex to do a forensic analysis of an Android phone.

Currently, MVT allows to perform two different checks on an Android phone:

• Download APKs installed in order to analyze them
• Extract Android backup in order to look for suspicious SMS

Changelog v2.5

• [auto] Update iOS releases and versions by @github-actions in #437
• Impovements for SMS module by @DonnchaC in #438
• Add uri=True in mvt/ios/modules/base.py by @msx98 in #442
• Circular reference in SMS module serialization by @roaree in #444
• dumpsys_accessibility.py: Spell accessibility correctly by @cclauss in #441
• [auto] Update iOS releases and versions by @github-actions in #439

Install & Use

Copyright © 2021 MVT Project Developers