mirror of
https://github.com/mvt-project/mvt.git
synced 2026-07-04 12:07:52 +02:00
First commit
@@ -0,0 +1,24 @@
# Checking an Android Device

In order to use `mvt-android` you need to connect your Android device to your computer. You will then need to [enable USB debugging](https://developer.android.com/studio/debug/dev-options#enable>) on the Android device.

If this is the first time you connect to this device, you will need to approve the authentication keys through a prompt that will appear on your Android device.

Now you can launch `mvt-android` and specify the `download-apks` command and the path to the folder where you want to store the extracted data:

```bash
mvt-android download-apks --output /path/to/folder
```

Optionally, you can decide to enable lookups of the SHA256 hash of all the extracted APKs on [VirusTotal](https://www.virustotal.com) and/or [Koodous](https://www.koodous.com). While these lookups do not provide any conclusive assessment on all of the extracted APKs, they might highlight any known malicious ones:

```bash
mvt-android download-apks --output /path/to/folder --virustotal
mvt-android download-apks --output /path/to/folder --koodous
```

Or, to launch all available lookups::

```bash
mvt-android download-apks --output /path/to/folder --all-checks
```
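Review bot: the USB-debugging link in the first paragraph has a stray `>` inside the URL (`.../dev-options#enable>`), so the rendered link points at an anchor that does not exist; drop the `>`. The `--virustotal`/`--koodous` paragraph should also say what leaves the analyst's machine: the SHA256 of every extracted APK is sent to a third-party service, and a hash is enough for that service to recognise which apps the device owner has installed, which is worth stating next to the flag in a tool built around consensual forensics. Minor: 'lookups::' has a doubled colon.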
@@ -0,0 +1,13 @@
<p align="center">
<img src="./mvt.png" width="300" />
</p>

# Mobile Verification Toolkit

Mobile Verification Toolkit (MVT) is a tool to facilitate the [consensual forensic analysis](introduction.md#consensual-forensics) of Android and iOS devices, for the purpose of identifying traces of compromise.

In this documentation you will find instructions on how to install and run the `mvt-ios` and `mvt-android` commands, and guidance on how to interpret the extracted results.

## Resources

[:fontawesome-brands-python: Python Package](https://pypi.org/project/mvt){: .md-button .md-button--primary } [:fontawesome-brands-github: GitHub](https://github.com/mvt-project/mvt){: .md-button }
@@ -0,0 +1,43 @@
# Installation

Before proceeding, please note that mvt requires Python 3.6+ to run. While it should be available on most operating systems, please make sure of that before proceeding.

## Dependencies on Linux

First install some basic dependencies that will be necessary to build all required tools:

```bash
sudo apt install python3 python3-pip libusb-1.0-0
```

*libusb-1.0-0* is not required if you intend to only use `mvt-ios` and not `mvt-android`.

## Dependencies on Mac

Running MVT on Mac requires Xcode and [homebrew](https://brew.sh) to be installed.

In order to install dependencies use:

```bash
brew install python3 libusb
```

*libusb* is not required if you intend to only use `mvt-ios` and not `mvt-android`.

## Installing MVT

If you haven't done so, you can add this to your `.bashrc` or `.zshrc` file in order to add locally installed Pypi binaries to your `$PATH`:

```bash
export PATH=$PATH:~/.local/bin
```

Then you can install MVT directly:

```bash
git clone https://github.com/mvt-project/mvt.git
cd mvt
pip3 install .
```

You now should have the `mvt-ios` and `mvt-android` utilities installed.
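Review bot: the `pip3 install .` step does not match the `~/.local/bin` PATH advice just above it: the `mvt-ios` and `mvt-android` entry points only land in `~/.local/bin` for a per-user install, so either write `pip3 install --user .` or tell the reader to create a virtualenv first; as written, an unprivileged user may hit a permission error on the system site-packages. The clone-then-install sequence also installs whatever the default branch holds at that moment, so name the tag or release to check out. Minor: 'Pypi' should be 'PyPI'.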
@@ -0,0 +1,17 @@
# Introduction

Mobile Verification Toolkit (MVT) is a collection of utilities designed to facilitate the consensual forensic acquisition of iOS and Android devices for the purpose of identifying any signs of compromise. MVT's capabilities are continuously evolving, but some of its key features include:

- Decrypt encrypted iOS backups.
- Process and parse records from numerous iOS system and apps databases, logs and system analytics.
- Extract installed applications from Android devices.
- Extract diagnostic information from Android devices through the adb protocol.
- Compare extracted records to a provided list of malicious indicators in STIX2 format.
- Generate JSON logs of extracted records, and separate JSON logs of all detected malicious traces.
- Generate a unified chronological timeline of extracted records, along with a timeline all detected malicious traces.

## Consensual Forensics

While MVT is capable of extracting and processing various types of very personal records typically found on a mobile phone (such as calls history, SMS and WhatsApp messages, etc.), this is intended to help identify potential attack vectors such as malicious SMS messages leading to exploitation.

MVT's purpose is not to facilitate adversial forensics of non-consenting individuals' devices. The use of MVT and derivative products to extract and/or analyse data originating from devices used by individuals not consenting to the procedure is explicitly prohibited in the [license](license.md).
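Review bot: two typos in prose that goes straight onto the site: 'adversial' in the last paragraph should be 'adversarial', and the last bullet, 'a timeline all detected malicious traces', is missing 'of'. Also 'calls history' reads better as 'call history'.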
@@ -0,0 +1,63 @@
# Check a Backup with mvt-ios

The backup might take some time. It is best to make sure the phone remains unlocked during the backup process. Afterwards, a new folder will be created under the path you specified using the UDID of the iPhone you backed up.

## Decrypting a backup

In case you have an encrypted backup, you will need to decrypt it first. This can be done with `mvt-ios` as well:

$ mvt-ios decrypt-backup --help
Usage: mvt-ios decrypt-backup [OPTIONS] BACKUP_PATH

Decrypt an encrypted iTunes backup

Options:
-d, --destination TEXT  Path to the folder where to store the decrypted
backup  [required]

-p, --password TEXT     Password to use to decrypt the backup NOTE: This
argument is mutually exclusive with arguments:
[key_file].

-k, --key-file PATH     File containing raw encryption key to use to decrypt
the backup NOTE: This argument is mutually exclusive
with arguments: [password].

--help                  Show this message and exit.

You can specify either a password via command-line or pass a key file, and you need to specify a destination path where the decrypted backup will be stored. Following is an example usage of `decrypt-backup`:

```bash
mvt-ios decrypt-backup -p password -d /path/to/decrypted /path/to/backup
```

## Run `mvt-ios` on a Backup

Once you have a decrypted backup available for analysis you can use the `check-backup` subcommand:

$ mvt-ios check-backup --help
Usage: mvt-ios check-backup [OPTIONS] BACKUP_PATH

Extract artifacts from an iTunes backup

Options:
-i, --iocs PATH     Path to indicators file
-o, --output PATH   Specify a path to a folder where you want to store JSON
results

-f, --fast          Avoid running time/resource consuming features
-l, --list-modules  Print list of available modules and exit
-m, --module TEXT   Name of a single module you would like to run instead of
all

--help              Show this message and exit.

Following is a basic usage of `check-backup`:

```bash
mvt-ios check-backup --output /path/to/output/ /path/to/backup/udid/
```

This command will create a few JSON files containing the results from the extraction. If you do not specify a `--output` option, `mvt-ios` will just process the data without storing results on disk.

Through the `--iocs` argument you can specify a [STIX2](https://oasis-open.github.io/cti-documentation/stix/intro) file defining a list of malicious indicators to check against the records extracted from the backup by mvt. Any matches will be highlighted in the terminal output as well as saved in the output folder using a "*_detected*" suffix to the JSON file name.
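Review bot: the `decrypt-backup -p password -d ... /path/to/backup` example puts the backup password on the command line, where it lands in the shell history and is visible to every local user through `ps` for as long as the decryption runs; since `-k/--key-file` already exists, show that form as the default and reserve `-p` for scripted use. The opening paragraph ('The backup might take some time ... the path you specified') refers to a backup command that is not on this page, so link to the backup pages to make clear which step it follows.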
@@ -0,0 +1 @@
# Backup with iTunes app
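Review bot: this file is a heading with no body, so if it is in the site navigation it renders as an empty page. Either add the steps (the methodology page already notes that on recent macOS backups are made from Finder rather than iTunes) or keep it out of the nav until it is written.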
@@ -0,0 +1,15 @@
# Backup with libimobiledevice

If you have correctly [installed libimobiledevice](../install.md) you can easily generate an iTunes backup using the `idevicebackup2` tool included in the suite. First, you might want to ensure that backup encryption is enabled (**note: encrypted backup contain more data than unencrypted backups**):

```bash
idevicebackup2 backup encryption on
```

Note that if a backup password was previously set on this device, you might need to use the same or change it. You can try changing password using `idevicebackup2 backup changepw` or resetting the password by resetting only the settings through the iPhone's Settings app.

Once ready, you can proceed performing the backup:

```bash
idevicebackup2 backup --full /path/to/backup/
```
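Review bot: `encryption` and `changepw` are top-level `idevicebackup2` commands, not subcommands of `backup`, so `idevicebackup2 backup encryption on` and `idevicebackup2 backup changepw` will not do what the text says; the working forms are `idevicebackup2 -i encryption on` and `idevicebackup2 -i changepw`, where `-i` makes the tool prompt for the password instead of taking it as a command-line argument. The `backup --full /path/to/backup/` line is fine. Grammar: 'encrypted backup contain more data' should be 'encrypted backups contain'.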
@@ -0,0 +1,30 @@
# Check a Filesystem Dump with `mvt-ios`

When you are ready, you can proceed running `mvt-ios` against the filesystemp dump or mount point:

$ mvt-ios check-fs --help
Usage: mvt-ios check-fs [OPTIONS] DUMP_PATH

Extract artifacts from a full filesystem dump

Options:
-i, --iocs PATH     Path to indicators file
-o, --output PATH   Specify a path to a folder where you want to store JSON
results

-f, --fast          Avoid running time/resource consuming features
-l, --list-modules  Print list of available modules and exit
-m, --module TEXT   Name of a single module you would like to run instead of
all

--help              Show this message and exit.

Following is an example of basic usage of `check-fs`:

```bash
mvt-ios check-fs /path/to/filesystem/dump/ --output /path/to/output/
```

This command will create a few JSON files containing the results from the extraction. If you do not specify a `--output` option, `mvt-ios` will just process the data without storing results on disk.

Through the `--iocs` argument you can specify a [STIX2](https://oasis-open.github.io/cti-documentation/stix/intro) file defining a list of malicious indicators to check against the records extracted from the backup by mvt. Any matches will be highlighted in the terminal output as well as saved in the output folder using a "*_detected*" suffix to the JSON file name.
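Review bot: the last paragraph was carried over from the backup page and still says 'records extracted from the backup'; on this page it should say the filesystem dump. 'When you are ready' in the first sentence points at nothing on this page, so link to the page that explains how to obtain the dump. Typo: 'filesystemp'.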
@@ -0,0 +1,48 @@
# Dumping the filesystem

While iTunes backup provide a lot of very useful databases and diagnistic data, in some cases you might want to jailbreak the device and perform a full filesystem dump. In that case, you should take a look at [checkra1n](https://checkra.in/), which provides an easy way to obtain root on most recent iPhone models.

!!! warning
Before you checkra1n any device, make sure you take a full backup, and that you are prepared to do a full factory reset before restoring it. Even after using checkra1n's "Restore System", some traces of the jailbreak are still left on the device and [apps with anti-jailbreaks will be able to detect them](https://github.com/checkra1n/BugTracker/issues/279) and stop functioning.

After having jailbroken the device, you should be able to access the phone over ssh. In order to do this you will typically need to use iproxy, which on Debian/Ubuntu systems can be installed with `libusbmuxd-tools`. Run the command:

```bash
iproxy 2222 44
```

Now you will be able to ssh as root to localhost on port 2222 and password `alpine`. Note: if you used a jailbreak other than checkra1n, you might need to specify a different port number instead of 44.

At this point you need to get access to the content of the device from your computer. One way is to run a command like `ssh root@localhost -p 2222 tar czf - /private > dump.tar.gz` which will save a tarball on the host of the */private/* folder from the phone. This will take a while.

Alternatively, you can try run `sftp-server` for iOS and mount the filesystem locally using `sshfs`.


## Use `sshfs` on iOS

If you decide to try to use sshfs, you first have to download locally a compiled copy of sftp-server:

```bash
wget https://github.com/dweinstein/openssh-ios/releases/download/v7.5/sftp-server
```

Then upload the binary to the iPhone:

```bash
scp -P2222 sftp-server root@localhost:.
```

You will need to ssh into the device and set some entitlements in order to allow `sftp-server` to run. This entitlements can be copied from an existing binary:

```bash
chmod +x sftp-server
ldid -e /binpack/bin/sh > /tmp/sh-ents
ldid -S /tmp/sh-ents sftp-server
```

Now you can create a folder on the host and use it as a mount point (**note:** do not create this folder in /tmp/):

```bash
mkdir root_mount
sshfs -p 2222 -o sftp_server=/var/root/sftp-server root@localhost:/ root_mount
```
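Review bot: the page has the reader log in as root with the published default password `alpine` and never change it; on a jailbroken device under examination that is a root account open to anyone who can reach the SSH service, so add a `passwd` step right after the first login. The `sftp-server` section downloads a prebuilt binary from a third-party release, signs it with entitlements copied from `/binpack/bin/sh` and runs it as root on the evidence device, with no checksum the reader could compare against; either publish the SHA256 of the binary you tested or tell the reader to build it themselves. For the `tar czf - /private > dump.tar.gz` route, suggest hashing the archive once it is written so the acquisition can later be shown to be unchanged. Typo: 'diagnistic'; 'try run' should be 'try to run'; 'This entitlements' should be 'These entitlements'.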
@@ -0,0 +1,55 @@
# Install libimobiledevice

Before proceeding with doing any acquisition of iOS devices we recommend installing [libimobiledevice](https://www.libimobiledevice.org/) utilities. These utilities will become useful when extracting crash logs and generating iTunes backups. Because the utilities and its libraries are subject to frequent changes in response to new versions of iOS, you might want to consider compiling libimobiledevice utilities from sources. Otherwise, if available, you can try installing packages available in your distribution:

```bash
sudo apt install libimobiledevice-utils
```

On Mac, you can try installing it from brew:

```bash
brew install --HEAD libimobiledevice
```

If you have a reasonably recent version of libimobiledevice in your package manager, it might work straight out of the box. Try connecting your iOS device to your computer via USB and run:

```bash
ideviceinfo
```

If you encounter unexpected issues, uninstall the packages and try compiling libimobiledevcice from sources.

## Compile libimobiledevice from sources

!!! warning
The following instructions are a best effort. The installation from source requires several steps, and it is likely some have been forgotten here and that won't work for you. You will likely need to fiddle around a bit before getting this right.

Make sure you have uninstalled all the libimobiledevice tools from your package manage:

```bash
sudo apt remove --purge libimobiledevice-utils libimobiledevice-dev libimobiledevice6 libplist-dev libplist3 libusbmuxd-dev libusbmuxd-tools libusbmuxd4 libusbmuxd6 usbmuxd
```

Firstly you need to install [libplist](https://github.com/libimobiledevice/libplist). Then you can install [libusbmuxd](https://github.com/libimobiledevice/libusbmuxd).

Now you should be able to to download and install the actual suite of tools at [https://github.com/libimobiledevice/libimobiledevice](https://github.com/libimobiledevice/libimobiledevice).

You can now also build and install [usbmuxd](https://github.com/libimobiledevice/usbmuxd).

## Making sure everything works fine.

Once the idevice tools are available you can check if everything works fine by connecting your iOS device and running:

```bash
ideviceinfo
```

This should some many details on the connected iOS device. If you are connecting the device to your laptop for the first time, it will require to unlock and enter the PIN code on the mobile device. If it complains that no device is connected and the mobile device is indeed plugged in through the USB cable, you might need to do this first, although typically the pairing is automatically done when connecting the device:

```bash
sudo usbmuxd -f -d
idevicepair pair
```

Again, it will ask to unlock the phone and enter the PIN code.
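Review bot: `sudo usbmuxd -f -d` runs usbmuxd in the foreground with debug output and does not return, so `idevicepair pair` on the next line has to be typed in a second terminal; the two lines in one block read as a sequence. It is also worth saying that the purge list above removes the distribution's usbmuxd, so after a source build the manual start is expected rather than a fault. Typos: 'libimobiledevcice', 'package manage' (manager), 'able to to', 'This should some many details' (show), and the heading 'Making sure everything works fine.' carries a trailing period.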
@@ -0,0 +1,15 @@
# iOS Forensic Methodology

Before jumping into acquiring and analyzing data from an iOS device, you should evaluate what is your precise plan of action. Because multiple options are available to you, you should define and familiarize with the most effective forensic methodology in each case.

#### Filesystem Dump

You will need to decide whether to attempt to jailbreak the device and obtain a full filesystem dump, or not.

While access the full filesystem allows to extact data that would otherwise be unavailable, it might not always be possible to jailbreak a certain iPhone model or version of iOS. In addition, depending on the type of jailbreak available, doing so might compromise some important records, pollute others, or potentially cause unintended malfunctioning of the device later in case it is used again.

If you are not expected to return the phone, you might want to consider to attempt a jailbreak after having exhausted all other options, including a backup.

#### iTunes Backup

An alternative option is to generate an iTunes backup (in most recent version of mac OS, they are no longer launched from iTunes, but directly from Finder). While backups only provide a subset of the files stored on the device, in many cases it might be sufficient to at least detect some suspicious artifacts. Backups encrypted with a password will have some additional interesting records not available in unencrypted ones, such as Safari history, Safari state, etc.
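Review bot: 'If you are not expected to return the phone, you might want to consider to attempt a jailbreak after having exhausted all other options' reads inverted against the paragraph before it, which gives damage to a device that will be used again as the reason for caution; state plainly that a backup is taken first in every case and in which situation the jailbreak is the last resort. The `####` subheadings sit directly under the `#` title, so the page skips two heading levels; `##` matches the other pages. Grammar: 'While access the full filesystem allows to extact data' (accessing ... allows extracting), 'familiarize with' (familiarize yourself with), 'mac OS' (macOS).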
@@ -0,0 +1,278 @@
# Records extracted by `mvt-ios`

In this page you can find a (reasonably) up-to-date breakdown of the files created by MVT when performing an analysis of logs, backups or filesystem dumps.

## Records extracted by `check-fs` or `check-backup`

### `cache_files.json`

!!! info "Availability"
Backup: :material-close:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `CacheFiles` module. The module extracts records from all SQLite database files stored on disk with the name *Cache.db*. These databases typically contain data from iOS' [internal URL caching](https://developer.apple.com/documentation/foundation/nsurlcache). Through this module you might be able to recover records of HTTP requests and responses performed my applications as well as system services, that would otherwise be unavailable. For example, you might see HTTP requests part of an exploitation chain performed by an iOS service attempting to download a first stage malicious payload.

If indicators are provided through the command-line, they are checked against the requested URL. Any matches are stored in *cache_files_detected.json*.

---

### `calls.json`

!!! info "Availability"
Backup: :material-check:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `Calls` module. The module extracts records from a SQLite database located at */private/var/mobile/Library/CallHistoryDB/CallHistory.storedata*, which contains records of incoming and outgoing calls, including from messaging apps such as WhatsApp or Skype.

---

### `chrome_favicon.json`

!!! info "Availability"
Backup: :material-check:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `ChromeFavicon` module. The module extracts records from a SQLite database located at */private/var/mobile/Containers/Data/Application/\*/Library/Application Support/Google/Chrome/Default/Favicons*, which contains a mapping of favicons' URLs and the visited URLs which loaded them.

If indicators are provided through the command-line, they are checked against both the favicon URL and the visited URL. Any matches are stored in *chrome_favicon_detected.json*.

---

### `chrome_history.json`

!!! info "Availability"
Backup: :material-check:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `ChromeHistory` module. The module extracts records from a SQLite database located at */private/var/mobile/Containers/Data/Application/\*/Library/Application Support/Google/Chrome/Default/History*, which contains a history of URL visits.

If indicators a provided through the command-line, they are checked against the visited URL. Any matches are stored in *chrome_history_detected.json*.

---

### `contacts.json`

!!! info "Availability"
Backup: :material-check:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `Contacts` module. The module extracts records from a SQLite database located at */private/var/mobile/Library/AddressBook/AddressBook.sqlitedb*, which contains records from the phone's address book. While this database obviously would not contain any malicious indicators per se, you might want to use it to compare records from other apps (such as iMessage, SMS, etc.) to filter those originating from unknown origins.

---

### `firefox_favicon.json`

!!! info "Availability"
Backup: :material-check:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `FirefoxFavicon` module. The module extracts records from a SQLite database located at */private/var/mobile/profile.profile/browser.db*, which contains a mapping of favicons' URLs and the visited URLs which loaded them.

If indicators are provided through the command-line, they are checked against both the favicon URL and the visited URL. Any matches are stored in *firefox_favicon_detected.json*.

---

### `firefox_history.json`

!!! info "Availability"
Backup: :material-check:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `FirefoxHistory` module. The module extracts records from a SQLite database located at */private/var/mobile/profile.profile/browser.db*, which contains a history of URL visits.

If indicators a provided through the command-line, they are checked against the visited URL. Any matches are stored in *firefox_history_detected.json*.

---

### `id_status_cache.json`

!!! info "Availability"
Backup: :material-check:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `IDStatusCache` module. The module extracts records from a plist file located at */private/var/mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist*, which contains a cache of Apple user ID authentication. This chance will indicate when apps like Facetime and iMessage first established contacts with other registered Apple IDs. This is significant because it might contain traces of malicious accounts involved in exploitation of those apps.

---

### `interaction_c.json`

!!! info "Availability"
Backup: :material-check:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `InteractionC` module. The module extracts records from a SQLite database located at */private/var/mobile/Library/CoreDuet/People/interactionC.db*, which contains details about user interactions with installed apps.

---

### `locationd_clients.json`

!!! info "Availability"
Backup: :material-check:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `LocationdClients` module. The module extracts records from a plist file located at */private/var/mobile/Library/Caches/locationd/clients.plist*, which contains a cache of apps which requested access to location services.

---

### `manifest.json`

!!! info "Availability"
Backup: :material-check:
Full filesystem dump: :material-close:

This JSON file is created by mvt-ios' `Manifest` module. The module extracts records from the SQLite database *Manifest.db* contained in iTunes backups, and which indexes the locally backed-up files to the original paths on the iOS device.

If indicators are provided through the command-line, they are checked against the original relative path in case. In some cases, there might be records of files created containing a domain name in their name, for example in the case of browser cache folders. Any matches are stored in *manifest_detected.json*.

---

### `datausage.json`

!!! info "Availability"
Backup: :material-check:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `Datausage` module. The module extracts records from a SQLite database located */private/var/wireless/Library/Databases/DataUsage.sqlite*, which contains a history of data usage by processes running on the system. Besides the network statistics, these records are particularly important because they might show traces of malicious process executions and the relevant timeframe. In particular, processes which do not have a valid bundle ID might require particular attention.

If indicators are provided through the command-line, they are checked against the process names. Any matches are stored in *datausage_detected.json*. If running on a full filesystem dump and if the `--fast` flag was not enabled by command-line, mvt-ios will highlight processes which look suspicious and check the presence of a binary file of the same name in the dump.

---

### `netusage.json`

!!! info "Availability"
Backup: :material-close:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `Netusage` module. The module extracts records from a SQLite database located */private/var/networkd/netusage.sqlite*, which contains a history of data usage by processes running on the system. Besides the network statistics, these records are particularly important because they might show traces of malicious process executions and the relevant timeframe. In particular, processes which do not have a valid bundle ID might require particular attention.

If indicators are provided through the command-line, they are checked against the process names. Any matches are stored in *netusage_detected.json*. If running on a full filesystem dump and if the `--fast` flag was not enabled by command-line, mvt-ios will highlight processes which look suspicious and check the presence of a binary file of the same name in the dump.

---

### `safari_browser_state.json`

!!! info "Availability"
Backup: :material-check:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `SafariBrowserState` module. The module extracts records from the SQLite databases located at */private/var/mobile/Library/Safari/BrowserState.db* or */private/var/mobile/Containers/Data/Application/\*/Library/Safari/BrowserState.db*, which contain records of opened tabs.

If indicators a provided through the command-line, they are checked against the visited URL. Any matches are stored in *safari_browser_state_detected.json*.

---

### `safari_favicon.json`

!!! info "Availability"
Backup: :material-close:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `SafariFavicon` module. The module extracts records from the SQLite databases located at */private/var/mobile/Library/Image Cache/Favicons/Favicons.db* or */private/var/mobile/Containers/Data/Application/\*/Library/Image Cache/Favicons/Favicons.db*, which contain mappings of favicons' URLs and the visited URLs which loaded them.

If indicators are provided through the command-line, they are checked against both the favicon URL and the visited URL. Any matches are stored in *safari_favicon_detected.json*.

---

### `safari_history.json`

!!! info "Availability"
Backup: :material-check:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `SafariHistory` module. The module extracts records from the SQLite databases located at */private/var/mobile/Library/Safari/History.db* or */private/var/mobile/Containers/Data/Application/\*/Library/Safari/History.db*, which contain a history of URL visits.

If indicators are provided through the command-line, they are checked against the visited URL. Any matches are stored in *safari_history_detected.json*.

---

### `sms.json`

!!! info "Availability"
Backup: :material-check:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `SMS` module. The module extracts a list of SMS messages containing HTTP links from the SQLite database located at */private/var/mobile/Library/SMS/sms.db*.

If indicators are provided through the command-line, they are checked against the extracted HTTP links. Any matches are stored in *sms_detected.json*.

---

### `sms_attachments.json`

!!! info "Availability"
Backup: :material-check:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `SMSAttachments` module. The module extracts details about attachments sent via SMS or iMessage from the same database used by the `SMS` module. These records might be useful to indicate unique patterns that might be indicative of exploitation attempts leveraging potential vulnerabilities in file format parsers or other forms of file handling by the Messages app.

---

### `version_history.json`

!!! info "Availability"
Backup: :material-close:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `IOSVersionHistory` module. The module extracts records of iOS software updates from analytics plist files located at */private/var/db/analyticsd/Analytics-Journal-\*.ips*.

---

### `webkit_indexeddb.json`

!!! info "Availability"
Backup: :material-close:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `WebkitIndexedDB` module. The module extracts a list of file and folder names located at the following path */private/var/mobile/Containers/Data/Application/\*/Library/WebKit/WebsiteData/IndexedDB*, which contains IndexedDB files created by any app installed on the device.

If indicators are provided through the command-line, they are checked against the extracted names. Any matches are stored in *webkit_indexeddb_detected.json*.

---

### `webkit_local_storage.json`

!!! info "Availability"
Backup: :material-close:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `WebkitLocalStorage` module. The module extracts a lsit of file and folder names located at the following path */private/var/mobile/Containers/Data/Application/\*/Library/WebKit/WebsiteData/LocalStorage/*, which contains local storage files created by any app installed on the device.

If indicators are provided through the command-line, they are checked against the extracted names. Any matches are stored in *webkit_local_storage_detected.json*.

---

### `webkit_safari_view_service.json`

!!! info "Availability"
Backup: :material-close:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `WebkitSafariViewService` module. The module extracts a list of file and folder names located at the following path */private/var/mobile/Containers/Data/Application/\*/SystemData/com.apple.SafariViewService/Library/WebKit/WebsiteData/*, which contains files cached by SafariVewService.

If indicators are provided through the command-line, they are checked against the extracted names. Any matches are stored in *webkit_safari_view_service_detected.json*.

---

### `webkit_session_resource_log.json`

!!! info "Availability"
Backup: :material-check:
Full filesystem dump: :material-check:

This JSON file is created by mvt-ios' `WebkitSessionResourceLog` module. The module extracts records from plist files with the name *full_browsing_session_resourceLog.plist*, which contain records of resources loaded by different domains visited.

If indicators are provided through the command-line, they are checked against the extract domains. Any matches are stored in *webkit_session_resource_log_detected.json*.
|
||||
|
||||
---
|
||||
|
||||
### `whatsapp.json`
|
||||
|
||||
!!! info "Availability"
|
||||
Backup: :material-check:
|
||||
Full filesystem dump: :material-check:
|
||||
|
||||
This JSON file is created by mvt-ios' `WhatsApp` module. The module extracts a list of WhatsApp messages containing HTTP links from the SQLite database located at *private/var/mobile/Containers/Shared/AppGroup/\*/ChatStorage.sqlite*.
|
||||
|
||||
If indicators are provided through the command-line, they are checked against the extracted HTTP links. Any matches are stored in *whatsapp_detected.json*.
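Review bot: several typos in the record descriptions of this file: `lsit` in the `webkit_local_storage.json` paragraph should be `list`, `SafariVewService` in the `webkit_safari_view_service.json` paragraph should be `SafariViewService`, and `extract domains` in the `webkit_session_resource_log.json` paragraph should be `extracted domains`. The WhatsApp database path `*private/var/mobile/Containers/Shared/AppGroup/\*/ChatStorage.sqlite*` is also missing the leading `/` that every other path in this file carries; readers comparing it against a filesystem dump will otherwise look for a relative path.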
@@ -0,0 +1,9 @@
# MVT License

The purpose of MVT is to facilitate the ***consensual forensic analysis*** of devices of those who might be targets of sophisticated mobile spyware attacks, especially members of civil society and marginalized communities. We do not want MVT to enable privacy violations of non-consenting individuals. Therefore, the goal of this license is to prohibit the use of MVT (and any other software licensed the same) for the purpose of *adversarial forensics*.

In order to achieve this, MVT is released under an adaptation of [Mozilla Public License v2.0](https://www.mozilla.org/MPL). This modified license includes a new clause 3.0, "Consensual Use Restriction" which permits the use of the licensed software (and any *"Larger Work"* derived from it) exclusively with the explicit consent of the person/s whose data is being extracted and/or analysed (*"Data Owner"*).

**Please note:** because this license imposes some use restrictions, software using it infringes *"freedom 0"* of Free Software Foundation's [*"Free Software Definition"*](https://www.gnu.org/philosophy/free-sw.en.html), and therefore can not be considered "Free Software" according to FSF. Similarly, it might infringe the *"No Discrimination Against Fields of Endeavor"* criteria in Open Source Initiative's [*"Open Source Definition"*](https://opensource.org/osd), therefore software using this license might also not be considered "Open Source" according to OSI.

[Read the LICENSE](https://github.com/mvt-project/mvt/blob/main/LICENSE)
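Review bot: style in the license page: `can not` in the *Please note* paragraph should be `cannot`, and the clause `"Consensual Use Restriction" which permits` reads better with a comma after the closing quote (`"Consensual Use Restriction", which permits`). Since the page says the restriction is a "new clause 3.0", it would help readers to quote or summarise that clause's wording here rather than only linking to the LICENSE file, so the consent requirement is visible in the docs themselves.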
Binary file not shown.
After Width: | Height: | Size: 24 KiB |