Bumped version

Squashed commit of the following:

commit c0d9e8d5d188c13e7e5ec0612e99bfb7e25f47d4
Author: Donncha Ó Cearbhaill <donncha.ocearbhaill@amnesty.org>
Date:   Fri Jan 7 16:05:12 2022 +0100

    Update name of indicators JSON file

commit f719e49c5f942cef64931ecf422b6a6e7b8c9f17
Author: Donncha Ó Cearbhaill <donncha.ocearbhaill@amnesty.org>
Date:   Fri Jan 7 15:38:03 2022 +0100

    Do not set indicators option on module if no indicators were loaded

commit a289eb8de936f7d74c6c787cbb8daf5c5bec015c
Author: Donncha Ó Cearbhaill <donncha.ocearbhaill@amnesty.org>
Date:   Fri Jan 7 14:43:00 2022 +0100

    Simplify code for loading IoCs

commit 0804563415ee80d76c13d3b38ffe639fa14caa14
Author: Donncha Ó Cearbhaill <donncha.ocearbhaill@amnesty.org>
Date:   Fri Jan 7 13:43:47 2022 +0100

    Add metadata to IoC entries

commit 97d0e893c1a0736c4931363ff40f09a030b90cf6
Author: tek <tek@randhome.io>
Date:   Fri Dec 17 16:43:09 2021 +0100

    Implements automated loading of indicators

commit c381e14df92ae4d7d846a1c97bcf6639cc526082
Author: tek <tek@randhome.io>
Date:   Fri Dec 17 12:41:15 2021 +0100

    Improves download-indicators

commit b938e02ddfd0b916fd883f510b467491a4a84e5f
Author: tek <tek@randhome.io>
Date:   Fri Dec 17 01:44:26 2021 +0100

    Adds download-indicators for mvt-ios and mvt-android

Dockerfile

@@ -38,12 +38,15 @@ RUN apt update \
 # Build libimobiledevice
 # ----------------------
 RUN git clone https://github.com/libimobiledevice/libplist \
+  && git clone https://github.com/libimobiledevice/libimobiledevice-glue \
   && git clone https://github.com/libimobiledevice/libusbmuxd \
   && git clone https://github.com/libimobiledevice/libimobiledevice \
   && git clone https://github.com/libimobiledevice/usbmuxd \
 
   && cd libplist && ./autogen.sh && make && make install && ldconfig \
 
+  && cd ../libimobiledevice-glue && PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./autogen.sh --prefix=/usr && make && make install && ldconfig \
+
   && cd ../libusbmuxd && PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./autogen.sh && make && make install && ldconfig \
 
   && cd ../libimobiledevice && PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./autogen.sh --enable-debug && make && make install && ldconfig \
@@ -51,7 +54,7 @@ RUN git clone https://github.com/libimobiledevice/libplist \
   && cd ../usbmuxd && PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --runstatedir=/run && make && make install \
 
   # Clean up.
-  && cd .. && rm -rf libplist libusbmuxd libimobiledevice usbmuxd
+  && cd .. && rm -rf libplist libimobiledevice-glue libusbmuxd libimobiledevice usbmuxd
 
 # Installing MVT
 # --------------

README.md

@@ -15,15 +15,15 @@ It has been developed and released by the [Amnesty International Security Lab](h
 
 ## Installation
 
-MVT can be installed from sources or from [PyPi](https://pypi.org/project/mvt/) (you will need some dependencies, check the [documentation](https://docs.mvt.re/en/latest/install.html)):
+MVT can be installed from sources or from [PyPi](https://pypi.org/project/mvt/) (you will need some dependencies, check the [documentation](https://docs.mvt.re/en/latest/install/)):
 
 ```
 pip3 install mvt
 ```
 
-Alternatively, you can decide to run MVT and all relevant tools through a [Docker container](https://docs.mvt.re/en/latest/docker.html).
+Alternatively, you can decide to run MVT and all relevant tools through a [Docker container](https://docs.mvt.re/en/latest/docker/).
 
-**Please note:** MVT is best run on Linux or Mac systems. [It does not currently support running natively on Windows.](https://docs.mvt.re/en/latest/install.html#mvt-on-windows)
+**Please note:** MVT is best run on Linux or Mac systems. [It does not currently support running natively on Windows.](https://docs.mvt.re/en/latest/install/#mvt-on-windows)
 
 ## Usage
 
@@ -31,4 +31,4 @@ MVT provides two commands `mvt-ios` and `mvt-android`. [Check out the documentat
 
 ## License
 
-The purpose of MVT is to facilitate the ***consensual forensic analysis*** of devices of those who might be targets of sophisticated mobile spyware attacks, especially members of civil society and marginalized communities. We do not want MVT to enable privacy violations of non-consenting individuals.  In order to achieve this, MVT is released under its own license. [Read more here.](https://docs.mvt.re/en/latest/license.html)
+The purpose of MVT is to facilitate the ***consensual forensic analysis*** of devices of those who might be targets of sophisticated mobile spyware attacks, especially members of civil society and marginalized communities. We do not want MVT to enable privacy violations of non-consenting individuals.  In order to achieve this, MVT is released under its own license. [Read more here.](https://docs.mvt.re/en/latest/license/)

docs/android/backup.md

@@ -22,7 +22,7 @@ adb backup -all
 
 ## Unpack the backup
 
-In order to reliable unpack th [Android Backup Extractor (ABE)](https://github.com/nelenkov/android-backup-extractor) to convert it to a readable file format. Make sure that java is installed on your system and use the following command:
+In order to unpack the backup, use [Android Backup Extractor (ABE)](https://github.com/nelenkov/android-backup-extractor) to convert it to a readable file format. Make sure that java is installed on your system and use the following command:
 
 ```bash
 java -jar ~/path/to/abe.jar unpack backup.ab backup.tar
@@ -31,6 +31,8 @@ tar xvf backup.tar
 
 If the backup is encrypted, ABE will prompt you to enter the password.
 
+Alternatively, [ab-decrypt](https://github.com/joernheissler/ab-decrypt) can be used for that purpose.
+
 ## Check the backup
 
 You can then extract SMSs containing links with MVT:

docs/iocs.md

@@ -28,9 +28,19 @@ The `--iocs` option can be invoked multiple times to let MVT import multiple STI
 mvt-ios check-backup --iocs ~/iocs/malware1.stix --iocs ~/iocs/malware2.stix2 /path/to/backup
 ```
 
+It is also possible to load STIX2 files automatically from the environment variable `MVT_STIX2`:
+
+```bash
+export MVT_STIX2="/home/user/IOC1.stix2:/home/user/IOC2.stix2"
+```
+
 ## Known repositories of STIX2 IOCs
 
 - The [Amnesty International investigations repository](https://github.com/AmnestyTech/investigations) contains STIX-formatted IOCs for:
     - [Pegasus](https://en.wikipedia.org/wiki/Pegasus_(spyware)) ([STIX2](https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/pegasus.stix2))
+    - [Predator from Cytrox](https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/) ([STIX2](https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-12-16_cytrox/cytrox.stix2))
+- [This repository](https://github.com/Te-k/stalkerware-indicators) contains IOCs for Android stalkerware including [a STIX MVT-compatible file](https://raw.githubusercontent.com/Te-k/stalkerware-indicators/master/stalkerware.stix2).
+
+You can automaticallly download the latest public indicator files with the command `mvt-ios download-iocs` or `mvt-android download-iocs`.
 
 Please [open an issue](https://github.com/mvt-project/mvt/issues/) to suggest new sources of STIX-formatted IOCs.

docs/ios/records.md

@@ -4,10 +4,22 @@ In this page you can find a (reasonably) up-to-date breakdown of the files creat
 
 ## Records extracted by `check-fs` or `check-backup`
 
+### `analytics.json`
+
+!!! info "Availability"
+    Backup (if encrypted): :material-close:
+    Full filesystem dump: :material-check:
+
+This JSON file is created by mvt-ios' `Analytics` module. The module extracts records from the plists inside the SQLite databases located at *private/var/Keychains/Analytics/\*.db*, which contain various analytics information regarding networking, certificate-pinning, TLS, etc. failures.
+
+If indicators are provided through the command-line, processes and domains are checked against all fields of the plist. Any matches are stored in *analytics_detected.json*.
+
+---
+
 ### `backup_info.json`
 
 !!! info "Availabiliy"
-    Backup: :material-check:  
+    Backup: :material-check:
     Full filesystem dump: :material-close:
 
 This JSON file is created by mvt-ios' `BackupInfo` module. The module extracts some details about the backup and the device, such as name, phone number, IMEI, product type and version.
@@ -17,7 +29,7 @@ This JSON file is created by mvt-ios' `BackupInfo` module. The module extracts s
 ### `cache_files.json`
 
 !!! info "Availability"
-    Backup: :material-close:  
+    Backup: :material-close:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `CacheFiles` module. The module extracts records from all SQLite database files stored on disk with the name *Cache.db*. These databases typically contain data from iOS' [internal URL caching](https://developer.apple.com/documentation/foundation/nsurlcache). Through this module you might be able to recover records of HTTP requests and responses performed my applications as well as system services, that would otherwise be unavailable. For example, you might see HTTP requests part of an exploitation chain performed by an iOS service attempting to download a first stage malicious payload.
@@ -29,7 +41,7 @@ If indicators are provided through the command-line, they are checked against th
 ### `calls.json`
 
 !!! info "Availability"
-    Backup (if encrypted): :material-check:  
+    Backup (if encrypted): :material-check:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `Calls` module. The module extracts records from a SQLite database located at */private/var/mobile/Library/CallHistoryDB/CallHistory.storedata*, which contains records of incoming and outgoing calls, including from messaging apps such as WhatsApp or Skype.
@@ -39,7 +51,7 @@ This JSON file is created by mvt-ios' `Calls` module. The module extracts record
 ### `chrome_favicon.json`
 
 !!! info "Availability"
-    Backup: :material-check:  
+    Backup: :material-check:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `ChromeFavicon` module. The module extracts records from a SQLite database located at */private/var/mobile/Containers/Data/Application/\*/Library/Application Support/Google/Chrome/Default/Favicons*, which contains a mapping of favicons' URLs and the visited URLs which loaded them.
@@ -51,29 +63,31 @@ If indicators are provided through the command-line, they are checked against bo
 ### `chrome_history.json`
 
 !!! info "Availability"
-    Backup: :material-check:  
+    Backup: :material-check:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `ChromeHistory` module. The module extracts records from a SQLite database located at */private/var/mobile/Containers/Data/Application/\*/Library/Application Support/Google/Chrome/Default/History*, which contains a history of URL visits.
 
-If indicators a provided through the command-line, they are checked against the visited URL. Any matches are stored in *chrome_history_detected.json*.
+If indicators are provided through the command-line, they are checked against the visited URL. Any matches are stored in *chrome_history_detected.json*.
 
 ---
 
 ### `configuration_profiles.json`
 
 !!! info "Availability"
-    Backup: :material-check:  
+    Backup: :material-check:
     Full filesystem dump: :material-close:
 
 This JSON file is created by mvt-ios' `ConfigurationProfiles` module. The module extracts details about iOS configuration profiles that have been installed on the device. These should include both default iOS as well as third-party profiles.
 
+If indicators are provided through the command-line, they are checked against the configuration profile UUID to identify any known malicious profiles. Any matches are stored in *configuration_profiles_detected.json*.
+
 ---
 
 ### `contacts.json`
 
 !!! info "Availability"
-    Backup: :material-check:  
+    Backup: :material-check:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `Contacts` module. The module extracts records from a SQLite database located at */private/var/mobile/Library/AddressBook/AddressBook.sqlitedb*, which contains records from the phone's address book. While this database obviously would not contain any malicious indicators per se, you might want to use it to compare records from other apps (such as iMessage, SMS, etc.) to filter those originating from unknown origins.
@@ -83,7 +97,7 @@ This JSON file is created by mvt-ios' `Contacts` module. The module extracts rec
 ### `firefox_favicon.json`
 
 !!! info "Availability"
-    Backup: :material-check:  
+    Backup: :material-check:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `FirefoxFavicon` module. The module extracts records from a SQLite database located at */private/var/mobile/profile.profile/browser.db*, which contains a mapping of favicons' URLs and the visited URLs which loaded them.
@@ -95,19 +109,19 @@ If indicators are provided through the command-line, they are checked against bo
 ### `firefox_history.json`
 
 !!! info "Availability"
-    Backup: :material-check:  
+    Backup: :material-check:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `FirefoxHistory` module. The module extracts records from a SQLite database located at */private/var/mobile/profile.profile/browser.db*, which contains a history of URL visits.
 
-If indicators a provided through the command-line, they are checked against the visited URL. Any matches are stored in *firefox_history_detected.json*.
+If indicators are provided through the command-line, they are checked against the visited URL. Any matches are stored in *firefox_history_detected.json*.
 
 ---
 
 ### `id_status_cache.json`
 
 !!! info "Availability"
-    Backup (before iOS 14.7): :material-check:  
+    Backup (before iOS 14.7): :material-check:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `IDStatusCache` module. The module extracts records from a plist file located at */private/var/mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist*, which contains a cache of Apple user ID authentication. This chance will indicate when apps like Facetime and iMessage first established contacts with other registered Apple IDs. This is significant because it might contain traces of malicious accounts involved in exploitation of those apps.
@@ -116,10 +130,20 @@ Starting from iOS 14.7.0, this file is empty or absent.
 
 ---
 
+### `shortcuts.json`
+
+!!! info "Availability"
+    Backup: :material-check:
+    Full filesystem dump: :material-check:
+
+This JSON file is created by mvt-ios' `Shortcuts` module. The module extracts records from an SQLite database located at */private/var/mobile/Library/Shortcuts/Shortcuts.sqlite*, which contains records about the Shortcuts application. Shortcuts are a built-in iOS feature which allows users to automation certain actions on their device. In some cases the legitimate Shortcuts app may be abused by spyware to maintain persistence on an infected devices.
+
+---
+
 ### `interaction_c.json`
 
 !!! info "Availability"
-    Backup (if encrypted): :material-check:  
+    Backup (if encrypted): :material-check:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `InteractionC` module. The module extracts records from a SQLite database located at */private/var/mobile/Library/CoreDuet/People/interactionC.db*, which contains details about user interactions with installed apps.
@@ -129,7 +153,7 @@ This JSON file is created by mvt-ios' `InteractionC` module. The module extracts
 ### `locationd_clients.json`
 
 !!! info "Availability"
-    Backup: :material-check:  
+    Backup: :material-check:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `LocationdClients` module. The module extracts records from a plist file located at */private/var/mobile/Library/Caches/locationd/clients.plist*, which contains a cache of apps which requested access to location services.
@@ -139,7 +163,7 @@ This JSON file is created by mvt-ios' `LocationdClients` module. The module extr
 ### `manifest.json`
 
 !!! info "Availability"
-    Backup: :material-check:  
+    Backup: :material-check:
     Full filesystem dump: :material-close:
 
 This JSON file is created by mvt-ios' `Manifest` module. The module extracts records from the SQLite database *Manifest.db* contained in iTunes backups, and which indexes the locally backed-up files to the original paths on the iOS device.
@@ -151,7 +175,7 @@ If indicators are provided through the command-line, they are checked against th
 ### `os_analytics_ad_daily.json`
 
 !!! info "Availability"
-    Backup: :material-check:  
+    Backup: :material-check:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `OSAnalyticsADDaily` module. The module extracts records from a plist located *private/var/mobile/Library/Preferences/com.apple.osanalytics.addaily.plist*, which contains a history of data usage by processes running on the system. Besides the network statistics, these records are particularly important because they might show traces of malicious process executions and the relevant timeframe.
@@ -163,7 +187,7 @@ If indicators are provided through the command-line, they are checked against th
 ### `datausage.json`
 
 !!! info "Availability"
-    Backup: :material-check:  
+    Backup: :material-check:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `Datausage` module. The module extracts records from a SQLite database located */private/var/wireless/Library/Databases/DataUsage.sqlite*, which contains a history of data usage by processes running on the system. Besides the network statistics, these records are particularly important because they might show traces of malicious process executions and the relevant timeframe. In particular, processes which do not have a valid bundle ID might require particular attention.
@@ -175,7 +199,7 @@ If indicators are provided through the command-line, they are checked against th
 ### `netusage.json`
 
 !!! info "Availability"
-    Backup: :material-close:  
+    Backup: :material-close:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `Netusage` module. The module extracts records from a SQLite database located */private/var/networkd/netusage.sqlite*, which contains a history of data usage by processes running on the system. Besides the network statistics, these records are particularly important because they might show traces of malicious process executions and the relevant timeframe. In particular, processes which do not have a valid bundle ID might require particular attention.
@@ -187,7 +211,7 @@ If indicators are provided through the command-line, they are checked against th
 ### `profile_events.json`
 
 !!! info "Availability"
-    Backup: :material-check:  
+    Backup: :material-check:
     Full filesystem dump: :material-close:
 
 This JSON file is created by mvt-ios' `ProfileEvents` module. The module extracts a timeline of configuration profile operations. For example, it should indicate when a new profile was installed from the Settings app, or when one was removed.
@@ -197,19 +221,19 @@ This JSON file is created by mvt-ios' `ProfileEvents` module. The module extract
 ### `safari_browser_state.json`
 
 !!! info "Availability"
-    Backup (if encrypted): :material-check:  
+    Backup (if encrypted): :material-check:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `SafariBrowserState` module. The module extracts records from the SQLite databases located at */private/var/mobile/Library/Safari/BrowserState.db* or */private/var/mobile/Containers/Data/Application/\*/Library/Safari/BrowserState.db*, which contain records of opened tabs.
 
-If indicators a provided through the command-line, they are checked against the visited URL. Any matches are stored in *safari_browser_state_detected.json*.
+If indicators are provided through the command-line, they are checked against the visited URL. Any matches are stored in *safari_browser_state_detected.json*.
 
 ---
 
 ### `safari_favicon.json`
 
 !!! info "Availability"
-    Backup: :material-close:  
+    Backup: :material-close:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `SafariFavicon` module. The module extracts records from the SQLite databases located at */private/var/mobile/Library/Image Cache/Favicons/Favicons.db* or */private/var/mobile/Containers/Data/Application/\*/Library/Image Cache/Favicons/Favicons.db*, which contain mappings of favicons' URLs and the visited URLs which loaded them.
@@ -221,7 +245,7 @@ If indicators are provided through the command-line, they are checked against bo
 ### `safari_history.json`
 
 !!! info "Availability"
-    Backup (if encrypted): :material-check:  
+    Backup (if encrypted): :material-check:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `SafariHistory` module. The module extracts records from the SQLite databases located at */private/var/mobile/Library/Safari/History.db* or */private/var/mobile/Containers/Data/Application/\*/Library/Safari/History.db*, which contain a history of URL visits.
@@ -230,10 +254,22 @@ If indicators are provided through the command-line, they are checked against th
 
 ---
 
+### `shutdown_log.json`
+
+!!! info "Availability"
+    Backup (if encrypted): :material-close:
+    Full filesystem dump: :material-check:
+
+This JSON file is created by mvt-ios' `ShutdownLog` module. The module extracts records from the shutdown log located at *private/var/db/diagnostics/shutdown.log*. When shutting down an iPhone, a SIGTERM will be sent to all processes runnning. The `shutdown.log` file will log any process (with its pid and path) that did not shut down after the SIGTERM was sent.
+
+If indicators are provided through the command-line, they are checked against the paths. Any matches are stored in *shutdown_log_detected.json*.
+
+---
+
 ### `sms.json`
 
 !!! info "Availability"
-    Backup: :material-check:  
+    Backup: :material-check:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `SMS` module. The module extracts a list of SMS messages containing HTTP links from the SQLite database located at */private/var/mobile/Library/SMS/sms.db*.
@@ -245,7 +281,7 @@ If indicators are provided through the command-line, they are checked against th
 ### `sms_attachments.json`
 
 !!! info "Availability"
-    Backup: :material-check:  
+    Backup: :material-check:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `SMSAttachments` module. The module extracts details about attachments sent via SMS or iMessage from the same database used by the `SMS` module. These records might be useful to indicate unique patterns that might be indicative of exploitation attempts leveraging potential vulnerabilities in file format parsers or other forms of file handling by the Messages app.
@@ -255,7 +291,7 @@ This JSON file is created by mvt-ios' `SMSAttachments` module. The module extrac
 ### `tcc.json`
 
 !!! info "Availability"
-    Backup: :material-check:  
+    Backup: :material-check:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `TCC` module. The module extracts records from a SQLite database located at */private/var/mobile/Library/TCC/TCC.db*, which contains a list of which services such as microphone, camera, or location, apps have been granted or denied access to.
@@ -265,7 +301,7 @@ This JSON file is created by mvt-ios' `TCC` module. The module extracts records
 ### `version_history.json`
 
 !!! info "Availability"
-    Backup: :material-close:  
+    Backup: :material-close:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `IOSVersionHistory` module. The module extracts records of iOS software updates from analytics plist files located at */private/var/db/analyticsd/Analytics-Journal-\*.ips*.
@@ -275,7 +311,7 @@ This JSON file is created by mvt-ios' `IOSVersionHistory` module. The module ext
 ### `webkit_indexeddb.json`
 
 !!! info "Availability"
-    Backup: :material-close:  
+    Backup: :material-close:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `WebkitIndexedDB` module. The module extracts a list of file and folder names located at the following path */private/var/mobile/Containers/Data/Application/\*/Library/WebKit/WebsiteData/IndexedDB*, which contains IndexedDB files created by any app installed on the device.
@@ -287,7 +323,7 @@ If indicators are provided through the command-line, they are checked against th
 ### `webkit_local_storage.json`
 
 !!! info "Availability"
-    Backup: :material-close:  
+    Backup: :material-close:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `WebkitLocalStorage` module. The module extracts a list of file and folder names located at the following path */private/var/mobile/Containers/Data/Application/\*/Library/WebKit/WebsiteData/LocalStorage/*, which contains local storage files created by any app installed on the device.
@@ -299,7 +335,7 @@ If indicators are provided through the command-line, they are checked against th
 ### `webkit_resource_load_statistics.json`
 
 !!! info "Availability"
-    Backup: :material-check:  
+    Backup: :material-check:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios `WebkitResourceLoadStatistics` module. The module extracts records from available WebKit ResourceLoadStatistics *observations.db* SQLite3 databases. These records should indicate domain names contacted by apps, including a timestamp.
@@ -311,7 +347,7 @@ If indicators are provided through the command-line, they are checked against th
 ### `webkit_safari_view_service.json`
 
 !!! info "Availability"
-    Backup: :material-close:  
+    Backup: :material-close:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `WebkitSafariViewService` module. The module extracts a list of file and folder names located at the following path */private/var/mobile/Containers/Data/Application/\*/SystemData/com.apple.SafariViewService/Library/WebKit/WebsiteData/*, which contains files cached by SafariVewService.
@@ -323,7 +359,7 @@ If indicators are provided through the command-line, they are checked against th
 ### `webkit_session_resource_log.json`
 
 !!! info "Availability"
-    Backup: :material-check:  
+    Backup: :material-check:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `WebkitSessionResourceLog` module. The module extracts records from plist files with the name *full_browsing_session_resourceLog.plist*, which contain records of resources loaded by different domains visited.
@@ -335,7 +371,7 @@ If indicators are provided through the command-line, they are checked against th
 ### `whatsapp.json`
 
 !!! info "Availability"
-    Backup: :material-check:  
+    Backup: :material-check:
     Full filesystem dump: :material-check:
 
 This JSON file is created by mvt-ios' `WhatsApp` module. The module extracts a list of WhatsApp messages containing HTTP links from the SQLite database located at *private/var/mobile/Containers/Shared/AppGroup/\*/ChatStorage.sqlite*.

docs/requirements.txt

@@ -1,4 +1,4 @@
-mkdocs==1.2.1
+mkdocs==1.2.3
 mkdocs-autorefs
 mkdocs-material
 mkdocs-material-extensions

mvt/android/cli.py

@@ -9,8 +9,10 @@ import os
 import click
 from rich.logging import RichHandler
 
-from mvt.common.help import *
-from mvt.common.indicators import Indicators, IndicatorsFileBadFormat
+from mvt.common.help import (HELP_MSG_FAST, HELP_MSG_IOC,
+                             HELP_MSG_LIST_MODULES, HELP_MSG_MODULE,
+                             HELP_MSG_OUTPUT, HELP_MSG_SERIAL)
+from mvt.common.indicators import Indicators, download_indicators_files
 from mvt.common.logo import logo
 from mvt.common.module import run_module, save_timeline
 
@@ -26,6 +28,7 @@ logging.basicConfig(level="INFO", format=LOG_FORMAT, handlers=[
     RichHandler(show_path=False, log_time_format="%X")])
 log = logging.getLogger(__name__)
 
+
 #==============================================================================
 # Main
 #==============================================================================
@@ -34,6 +37,14 @@ def cli():
     logo()
 
 
+#==============================================================================
+# Command: version
+#==============================================================================
+@cli.command("version", help="Show the currently installed version of MVT")
+def version():
+    return
+
+
 #==============================================================================
 # Download APKs
 #==============================================================================
@@ -96,10 +107,11 @@ def download_apks(ctx, all_apks, virustotal, koodous, all_checks, output, from_f
               default=[], help=HELP_MSG_IOC)
 @click.option("--output", "-o", type=click.Path(exists=False),
               help=HELP_MSG_OUTPUT)
+@click.option("--fast", "-f", is_flag=True, help=HELP_MSG_FAST)
 @click.option("--list-modules", "-l", is_flag=True, help=HELP_MSG_LIST_MODULES)
 @click.option("--module", "-m", help=HELP_MSG_MODULE)
 @click.pass_context
-def check_adb(ctx, iocs, output, list_modules, module, serial):
+def check_adb(ctx, iocs, output, fast, list_modules, module, serial):
     if list_modules:
         log.info("Following is the list of available check-adb modules:")
         for adb_module in ADB_MODULES:
@@ -117,13 +129,7 @@ def check_adb(ctx, iocs, output, list_modules, module, serial):
             ctx.exit(1)
 
     indicators = Indicators(log=log)
-    for ioc_path in iocs:
-        try:
-            indicators.parse_stix2(ioc_path)
-        except IndicatorsFileBadFormat as e:
-            log.critical(e)
-            ctx.exit(1)
-    log.info("Loaded a total of %d indicators", indicators.ioc_count)
+    indicators.load_indicators_files(iocs)
 
     timeline = []
     timeline_detected = []
@@ -131,14 +137,14 @@ def check_adb(ctx, iocs, output, list_modules, module, serial):
         if module and adb_module.__name__ != module:
             continue
 
-        m = adb_module(output_folder=output, log=logging.getLogger(adb_module.__module__))
+        m = adb_module(output_folder=output, fast_mode=fast,
+                       log=logging.getLogger(adb_module.__module__))
+        if indicators.ioc_count:
+            m.indicators = indicators
+            m.indicators.log = m.log
         if serial:
             m.serial = serial
 
-        if iocs:
-            indicators.log = m.log
-            m.indicators = indicators
-
         run_module(m)
         timeline.extend(m.timeline)
         timeline_detected.extend(m.timeline_detected)
@@ -171,31 +177,31 @@ def check_backup(ctx, iocs, output, backup_path, serial):
             ctx.exit(1)
 
     indicators = Indicators(log=log)
-    for ioc_path in iocs:
-        try:
-            indicators.parse_stix2(ioc_path)
-        except IndicatorsFileBadFormat as e:
-            log.critical(e)
-            ctx.exit(1)
-    log.info("Loaded a total of %d indicators", indicators.ioc_count)
+    indicators.load_indicators_files(iocs)
 
     if os.path.isfile(backup_path):
         log.critical("The path you specified is a not a folder!")
 
         if os.path.basename(backup_path) == "backup.ab":
-            log.info("You can use ABE (https://github.com/nelenkov/android-backup-extractor) " \
+            log.info("You can use ABE (https://github.com/nelenkov/android-backup-extractor) "
                      "to extract 'backup.ab' files!")
         ctx.exit(1)
 
     for module in BACKUP_MODULES:
         m = module(base_folder=backup_path, output_folder=output,
                    log=logging.getLogger(module.__module__))
-
+        if indicators.ioc_count:
+            m.indicators = indicators
+            m.indicators.log = m.log
         if serial:
             m.serial = serial
 
-        if iocs:
-            indicators.log = m.log
-            m.indicators = indicators
-
         run_module(m)
+
+
+#==============================================================================
+# Command: download-iocs
+#==============================================================================
+@cli.command("download-iocs", help="Download public STIX2 indicators")
+def download_indicators():
+    download_indicators_files(log)

mvt/android/download_apks.py

@@ -7,17 +7,16 @@ import json
 import logging
 import os
 
-import pkg_resources
 from tqdm import tqdm
 
 from mvt.common.module import InsufficientPrivileges
-from mvt.common.utils import get_sha256_from_file_path
 
 from .modules.adb.base import AndroidExtraction
 from .modules.adb.packages import Packages
 
 log = logging.getLogger(__name__)
 
+
 # TODO: Would be better to replace tqdm with rich.progress to reduce
 #       the number of dependencies. Need to investigate whether
 #       it's possible to have a similar callback system.
@@ -139,7 +138,7 @@ class DownloadAPKs(AndroidExtraction):
                     packages_selection.append(package)
 
             log.info("Selected only %d packages which are not marked as system",
-                len(packages_selection))
+                     len(packages_selection))
 
         if len(packages_selection) == 0:
             log.info("No packages were selected for download")
@@ -158,37 +157,16 @@ class DownloadAPKs(AndroidExtraction):
             log.info("[%d/%d] Package: %s", counter, len(packages_selection),
                      package["package_name"])
 
-            # Get the file path for the specific package.
-            try:
-                output = self._adb_command(f"pm path {package['package_name']}")
-                output = output.strip().replace("package:", "")
-                if not output:
-                    continue
-            except Exception as e:
-                log.exception("Failed to get path of package %s: %s",
-                              package["package_name"], e)
-                self._adb_reconnect()
-                continue
-
             # Sometimes the package path contains multiple lines for multiple apks.
             # We loop through each line and download each file.
-            for path in output.split("\n"):
-                device_path = path.strip()
-                file_path = self.pull_package_file(package["package_name"],
-                                                   device_path)
-                if not file_path:
+            for package_file in package["files"]:
+                device_path = package_file["path"]
+                local_path = self.pull_package_file(package["package_name"],
+                                                    device_path)
+                if not local_path:
                     continue
 
-                file_info = {
-                    "path": device_path,
-                    "local_name": file_path,
-                    "sha256": get_sha256_from_file_path(file_path),
-                }
-
-                if "files" not in package:
-                    package["files"] = [file_info,]
-                else:
-                    package["files"].append(file_info)
+                package_file["local_path"] = local_path
 
         log.info("Download of selected packages completed")
 

mvt/android/lookups/koodous.py

@@ -13,6 +13,7 @@ from rich.text import Text
 
 log = logging.getLogger(__name__)
 
+
 def koodous_lookup(packages):
     log.info("Looking up all extracted files on Koodous (www.koodous.com)")
     log.info("This might take a while...")
@@ -32,7 +33,7 @@ def koodous_lookup(packages):
             res = requests.get(url)
             report = res.json()
 
-            row = [package["package_name"], file["local_name"]]
+            row = [package["package_name"], file["path"]]
 
             if "package_name" in report:
                 trusted = "no"

mvt/android/lookups/virustotal.py

@@ -13,6 +13,7 @@ from rich.text import Text
 
 log = logging.getLogger(__name__)
 
+
 def get_virustotal_report(hashes):
     apikey = "233f22e200ca5822bd91103043ccac138b910db79f29af5616a9afe8b6f215ad"
     url = f"https://www.virustotal.com/partners/sysinternals/file-reports?apikey={apikey}"
@@ -36,6 +37,7 @@ def get_virustotal_report(hashes):
         log.error("Unexpected response from VirusTotal: %s", res.status_code)
         return None
 
+
 def virustotal_lookup(packages):
     log.info("Looking up all extracted files on VirusTotal (www.virustotal.com)")
 
@@ -48,6 +50,7 @@ def virustotal_lookup(packages):
     total_unique_hashes = len(unique_hashes)
 
     detections = {}
+
     def virustotal_query(batch):
         report = get_virustotal_report(batch)
         if not report:
@@ -75,7 +78,7 @@ def virustotal_lookup(packages):
 
     for package in packages:
         for file in package.get("files", []):
-            row = [package["package_name"], file["local_name"]]
+            row = [package["package_name"], file["path"]]
 
             if file["sha256"] in detections:
                 detection = detections[file["sha256"]]

mvt/android/modules/adb/__init__.py

@@ -4,6 +4,7 @@
 #   https://license.mvt.re/1.1/
 
 from .chrome_history import ChromeHistory
+from .dumpsys_accessibility import DumpsysAccessibility
 from .dumpsys_batterystats import DumpsysBatterystats
 from .dumpsys_full import DumpsysFull
 from .dumpsys_packages import DumpsysPackages
@@ -18,6 +19,6 @@ from .sms import SMS
 from .whatsapp import Whatsapp
 
 ADB_MODULES = [ChromeHistory, SMS, Whatsapp, Processes,
-               DumpsysBatterystats, DumpsysProcstats,
+               DumpsysAccessibility, DumpsysBatterystats, DumpsysProcstats,
                DumpsysPackages, DumpsysReceivers, DumpsysFull,
                Packages, RootBinaries, Logcat, Files]

mvt/android/modules/adb/base.py

@@ -25,6 +25,7 @@ log = logging.getLogger(__name__)
 ADB_KEY_PATH = os.path.expanduser("~/.android/adbkey")
 ADB_PUB_KEY_PATH = os.path.expanduser("~/.android/adbkey.pub")
 
+
 class AndroidExtraction(MVTModule):
     """This class provides a base for all Android extraction modules."""
 
@@ -41,7 +42,7 @@ class AndroidExtraction(MVTModule):
     def _adb_check_keys():
         """Make sure Android adb keys exist."""
         if not os.path.isdir(os.path.dirname(ADB_KEY_PATH)):
-            os.path.makedirs(os.path.dirname(ADB_KEY_PATH))
+            os.makedirs(os.path.dirname(ADB_KEY_PATH))
 
         if not os.path.exists(ADB_KEY_PATH):
             keygen(ADB_KEY_PATH)
@@ -56,7 +57,10 @@ class AndroidExtraction(MVTModule):
         with open(ADB_KEY_PATH, "rb") as handle:
             priv_key = handle.read()
 
-        signer = PythonRSASigner("", priv_key)
+        with open(ADB_PUB_KEY_PATH, "rb") as handle:
+            pub_key = handle.read()
+
+        signer = PythonRSASigner(pub_key, priv_key)
 
         # If no serial was specified or if the serial does not seem to be
         # a HOST:PORT definition, we use the USB transport.
@@ -86,7 +90,7 @@ class AndroidExtraction(MVTModule):
             except OSError as e:
                 if e.errno == 113 and self.serial:
                     log.critical("Unable to connect to the device %s: did you specify the correct IP addres?",
-                              self.serial)
+                                 self.serial)
                     sys.exit(-1)
             else:
                 break
@@ -108,7 +112,7 @@ class AndroidExtraction(MVTModule):
         :returns: Output of command
 
         """
-        return self.device.shell(command)
+        return self.device.shell(command, read_timeout_s=200.0)
 
     def _adb_check_if_root(self):
         """Check if we have a `su` binary on the Android device.
@@ -132,7 +136,7 @@ class AndroidExtraction(MVTModule):
 
         """
         return self._adb_command(f"su -c {command}")
-    
+
     def _adb_check_file_exists(self, file):
         """Verify that a file exists.
 
@@ -166,7 +170,7 @@ class AndroidExtraction(MVTModule):
                 self._adb_download_root(remote_path, local_path, progress_callback)
             else:
                 raise Exception(f"Unable to download file {remote_path}: {e}")
-    
+
     def _adb_download_root(self, remote_path, local_path, progress_callback=None):
         try:
             # Check if we have root, if not raise an Exception.
@@ -191,7 +195,7 @@ class AndroidExtraction(MVTModule):
 
             # Delete the copy on /sdcard/.
             self._adb_command(f"rm -rf {new_remote_path}")
-            
+
         except AdbCommandFailureException as e:
             raise Exception(f"Unable to download file {remote_path}: {e}")
 

mvt/android/modules/adb/chrome_history.py

@@ -16,6 +16,7 @@ log = logging.getLogger(__name__)
 
 CHROME_HISTORY_PATH = "data/data/com.android.chrome/app_chrome/Default/History"
 
+
 class ChromeHistory(AndroidExtraction):
     """This module extracts records from Android's Chrome browsing history."""
 
@@ -33,6 +34,14 @@ class ChromeHistory(AndroidExtraction):
             "data": f"{record['id']} - {record['url']} (visit ID: {record['visit_id']}, redirect source: {record['redirect_source']})"
         }
 
+    def check_indicators(self):
+        if not self.indicators:
+            return
+
+        for result in self.results:
+            if self.indicators.check_domain(result["url"]):
+                self.detected.append(result)
+
     def _parse_db(self, db_path):
         """Parse a Chrome History database file.
 

mvt/android/modules/adb/dumpsys_accessibility.py

@@ -0,0 +1,53 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021 The MVT Project Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import io
+import logging
+import os
+
+from .base import AndroidExtraction
+
+log = logging.getLogger(__name__)
+
+
+class DumpsysAccessibility(AndroidExtraction):
+    """This module extracts stats on accessibility."""
+
+    def __init__(self, file_path=None, base_folder=None, output_folder=None,
+                 serial=None, fast_mode=False, log=None, results=[]):
+        super().__init__(file_path=file_path, base_folder=base_folder,
+                         output_folder=output_folder, fast_mode=fast_mode,
+                         log=log, results=results)
+
+    def run(self):
+        self._adb_connect()
+
+        stats = self._adb_command("dumpsys accessibility")
+
+        in_services = False
+        for line in stats.split("\n"):
+            if line.strip().startswith("installed services:"):
+                in_services = True
+                continue
+
+            if not in_services:
+                continue
+
+            if line.strip() == "}":
+                break
+
+            service = line.split(":")[1].strip()
+            log.info("Found installed accessibility service \"%s\"", service)
+
+        if self.output_folder:
+            acc_path = os.path.join(self.output_folder,
+                                      "dumpsys_accessibility.txt")
+            with io.open(acc_path, "w", encoding="utf-8") as handle:
+                handle.write(stats)
+
+            log.info("Records from dumpsys accessibility stored at %s",
+                     acc_path)
+
+        self._adb_disconnect()

mvt/android/modules/adb/dumpsys_batterystats.py

@@ -10,6 +10,7 @@ from .base import AndroidExtraction
 
 log = logging.getLogger(__name__)
 
+
 class DumpsysBatterystats(AndroidExtraction):
     """This module extracts stats on battery consumption by processes."""
 
@@ -30,7 +31,7 @@ class DumpsysBatterystats(AndroidExtraction):
                 handle.write(stats)
 
             log.info("Records from dumpsys batterystats stored at %s",
-                      stats_path)
+                     stats_path)
 
         history = self._adb_command("dumpsys batterystats --history")
         if self.output_folder:

mvt/android/modules/adb/dumpsys_full.py

@@ -10,6 +10,7 @@ from .base import AndroidExtraction
 
 log = logging.getLogger(__name__)
 
+
 class DumpsysFull(AndroidExtraction):
     """This module extracts stats on battery consumption by processes."""
 
@@ -30,6 +31,6 @@ class DumpsysFull(AndroidExtraction):
                 handle.write(stats)
 
             log.info("Full dumpsys output stored at %s",
-                      stats_path)
+                     stats_path)
 
         self._adb_disconnect()

mvt/android/modules/adb/dumpsys_procstats.py

@@ -10,6 +10,7 @@ from .base import AndroidExtraction
 
 log = logging.getLogger(__name__)
 
+
 class DumpsysProcstats(AndroidExtraction):
     """This module extracts stats on memory consumption by processes."""
 

mvt/android/modules/adb/dumpsys_receivers.py

@@ -4,7 +4,6 @@
 #   https://license.mvt.re/1.1/
 
 import logging
-import os
 
 from .base import AndroidExtraction
 
@@ -15,6 +14,7 @@ ACTION_SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
 ACTION_DATA_SMS_RECEIVED = "android.intent.action.DATA_SMS_RECEIVED"
 ACTION_PHONE_STATE = "android.intent.action.PHONE_STATE"
 
+
 class DumpsysReceivers(AndroidExtraction):
     """This module extracts details on receivers for risky activities."""
 
@@ -67,16 +67,16 @@ class DumpsysReceivers(AndroidExtraction):
 
             if activity == ACTION_NEW_OUTGOING_SMS:
                 self.log.info("Found a receiver to intercept outgoing SMS messages: \"%s\"",
-                    receiver)
+                              receiver)
             elif activity == ACTION_SMS_RECEIVED:
                 self.log.info("Found a receiver to intercept incoming SMS messages: \"%s\"",
-                    receiver)
+                              receiver)
             elif activity == ACTION_DATA_SMS_RECEIVED:
                 self.log.info("Found a receiver to intercept incoming data SMS message: \"%s\"",
-                    receiver)
+                              receiver)
             elif activity == ACTION_PHONE_STATE:
                 self.log.info("Found a receiver monitoring telephony state: \"%s\"",
-                    receiver)
+                              receiver)
 
             self.results.append({
                 "activity": activity,

mvt/android/modules/adb/files.py

@@ -3,31 +3,121 @@
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
+import datetime
 import logging
-import os
+import stat
+
+from mvt.common.utils import convert_timestamp_to_iso
 
 from .base import AndroidExtraction
 
 log = logging.getLogger(__name__)
 
+
 class Files(AndroidExtraction):
-    """This module extracts the list of installed packages."""
+    """This module extracts the list of files on the device."""
 
     def __init__(self, file_path=None, base_folder=None, output_folder=None,
                  serial=None, fast_mode=False, log=None, results=[]):
         super().__init__(file_path=file_path, base_folder=base_folder,
                          output_folder=output_folder, fast_mode=fast_mode,
                          log=log, results=results)
+        self.full_find = None
+
+    def find_path(self, file_path):
+        """Checks if Android system supports full find command output"""
+        # Check find command params on first run
+        # Run find command with correct args and parse results.
+
+        # Check that full file printf options are suppported on first run.
+        if self.full_find is None:
+            output = self._adb_command("find '/' -maxdepth 1 -printf '%T@ %m %s %u %g %p\n' 2> /dev/null")
+            if not (output or output.strip().splitlines()):
+                # Full  find command failed to generate output, fallback to basic file arguments
+                self.full_find = False
+            else:
+                self.full_find = True
+
+        found_files = []
+        if self.full_find is True:
+            # Run full file command and collect additonal file information.
+            output = self._adb_command(f"find '{file_path}' -printf '%T@ %m %s %u %g %p\n' 2> /dev/null")
+            for file_line in output.splitlines():
+                [unix_timestamp, mode, size, owner, group, full_path] = file_line.rstrip().split(" ", 5)
+                mod_time = convert_timestamp_to_iso(datetime.datetime.utcfromtimestamp(int(float(unix_timestamp))))
+                found_files.append({
+                    "path": full_path,
+                    "modified_time": mod_time,
+                    "mode": mode,
+                    "is_suid": (int(mode, 8) & stat.S_ISUID) == 2048,
+                    "is_sgid": (int(mode, 8) & stat.S_ISGID) == 1024,
+                    "size": size,
+                    "owner": owner,
+                    "group": group,
+                })
+        else:
+            # Run a basic listing of file paths.
+            output = self._adb_command(f"find '{file_path}' 2> /dev/null")
+            for file_line in output.splitlines():
+                found_files.append({
+                    "path": file_line.rstrip()
+                })
+
+        return found_files
+
+    def serialize(self, record):
+        if "modified_time" in record:
+            return {
+                "timestamp": record["modified_time"],
+                "module": self.__class__.__name__,
+                "event": "file_modified",
+                "data": record["path"],
+            }
+
+    def check_suspicious(self):
+        """Check for files with suspicious permissions"""
+        for result in sorted(self.results, key=lambda item: item["path"]):
+            if result.get("is_suid"):
+                self.log.warning("Found an SUID file in a non-standard directory \"%s\".",
+                                 result["path"])
+                self.detected.append(result)
+
+    def check_indicators(self):
+        """Check file list for known suspicious files or suspicious properties"""
+        self.check_suspicious()
+        if not self.indicators:
+            return
+
+        for result in self.results:
+            if self.indicators.check_file_name(result["path"]):
+                self.log.warning("Found a known suspicous filename at path: \"%s\"", result["path"])
+                self.detected.append(result)
+
+            if self.indicators.check_file_path(result["path"]):
+                self.log.warning("Found a known suspicous file at path: \"%s\"", result["path"])
+                self.detected.append(result)
 
     def run(self):
         self._adb_connect()
+        found_file_paths = []
 
-        output = self._adb_command("find / -type f 2> /dev/null")
-        if output and self.output_folder:
-            files_txt_path = os.path.join(self.output_folder, "files.txt")
-            with open(files_txt_path, "w") as handle:
-                handle.write(output)
+        DATA_PATHS = ["/data/local/tmp/", "/sdcard/", "/tmp/"]
+        for path in DATA_PATHS:
+            file_info = self.find_path(path)
+            found_file_paths.extend(file_info)
 
-            log.info("List of visible files stored at %s", files_txt_path)
+        # Store results
+        self.results.extend(found_file_paths)
+        self.log.info("Found %s files in primary Android data directories.", len(found_file_paths))
+
+        if self.fast_mode:
+            self.log.info("Flag --fast was enabled: skipping full file listing")
+        else:
+            self.log.info("Flag --fast was not enabled: processing full file listing. "
+                          "This may take a while...")
+            output = self.find_path("/")
+            if output and self.output_folder:
+                self.results.extend(output)
+                log.info("List of visible files stored in files.json")
 
         self._adb_disconnect()

mvt/android/modules/adb/packages.py

@@ -12,6 +12,7 @@ from .base import AndroidExtraction
 
 log = logging.getLogger(__name__)
 
+
 class Packages(AndroidExtraction):
     """This module extracts the list of installed packages."""
 
@@ -41,19 +42,54 @@ class Packages(AndroidExtraction):
         return records
 
     def check_indicators(self):
+        if not self.indicators:
+            return
+
         root_packages_path = os.path.join("..", "..", "data", "root_packages.txt")
         root_packages_string = pkg_resources.resource_string(__name__, root_packages_path)
         root_packages = root_packages_string.decode("utf-8").split("\n")
+        root_packages = [rp.strip() for rp in root_packages]
 
-        for root_package in root_packages:
-            root_package = root_package.strip()
-            if not root_package:
-                continue
-
-            if root_package in self.results:
+        for result in self.results:
+            if result["package_name"] in root_packages:
                 self.log.warning("Found an installed package related to rooting/jailbreaking: \"%s\"",
-                                 root_package)
-                self.detected.append(root_package)
+                                 result["package_name"])
+                self.detected.append(result)
+            if result["package_name"] in self.indicators.ioc_app_ids:
+                self.log.warning("Found a malicious package name: \"%s\"",
+                                 result["package_name"])
+                self.detected.append(result)
+                for file in result["files"]:
+                    if file["sha256"] in self.indicators.ioc_files_sha256:
+                        self.log.warning("Found a malicious APK: \"%s\" %s",
+                                         result["package_name"],
+                                         file["sha256"])
+                        self.detected.append(result)
+
+    def _get_files_for_package(self, package_name):
+        output = self._adb_command(f"pm path {package_name}")
+        output = output.strip().replace("package:", "")
+        if not output:
+            return []
+
+        package_files = []
+        for file_path in output.split("\n"):
+            file_path = file_path.strip()
+
+            md5 = self._adb_command(f"md5sum {file_path}").split(" ")[0]
+            sha1 = self._adb_command(f"sha1sum {file_path}").split(" ")[0]
+            sha256 = self._adb_command(f"sha256sum {file_path}").split(" ")[0]
+            sha512 = self._adb_command(f"sha512sum {file_path}").split(" ")[0]
+
+            package_files.append({
+                "path": file_path,
+                "md5": md5,
+                "sha1": sha1,
+                "sha256": sha256,
+                "sha512": sha512,
+            })
+
+        return package_files
 
     def run(self):
         self._adb_connect()
@@ -85,6 +121,8 @@ class Packages(AndroidExtraction):
             first_install = dumpsys[1].split("=")[1].strip()
             last_update = dumpsys[2].split("=")[1].strip()
 
+            package_files = self._get_files_for_package(package_name)
+
             self.results.append({
                 "package_name": package_name,
                 "file_name": file_name,
@@ -96,6 +134,7 @@ class Packages(AndroidExtraction):
                 "disabled": False,
                 "system": False,
                 "third_party": False,
+                "files": package_files,
             })
 
         cmds = [

mvt/android/modules/adb/processes.py

@@ -9,6 +9,7 @@ from .base import AndroidExtraction
 
 log = logging.getLogger(__name__)
 
+
 class Processes(AndroidExtraction):
     """This module extracts details on running processes."""
 

mvt/android/modules/adb/rootbinaries.py

@@ -12,6 +12,7 @@ from .base import AndroidExtraction
 
 log = logging.getLogger(__name__)
 
+
 class RootBinaries(AndroidExtraction):
     """This module extracts the list of installed packages."""
 

mvt/android/modules/adb/sms.py

@@ -15,12 +15,12 @@ log = logging.getLogger(__name__)
 
 SMS_BUGLE_PATH = "data/data/com.google.android.apps.messaging/databases/bugle_db"
 SMS_BUGLE_QUERY = """
-SELECT 
+SELECT
     ppl.normalized_destination AS number,
     p.timestamp AS timestamp,
-CASE WHEN m.sender_id IN 
+CASE WHEN m.sender_id IN
 (SELECT _id FROM participants WHERE contact_id=-1)
-THEN 2 ELSE 1 END incoming, p.text AS text 
+THEN 2 ELSE 1 END incoming, p.text AS text
 FROM messages m, conversations c, parts p,
         participants ppl, conversation_participants cp
 WHERE (m.conversation_id = c._id)
@@ -31,14 +31,15 @@ WHERE (m.conversation_id = c._id)
 
 SMS_MMSSMS_PATH = "data/data/com.android.providers.telephony/databases/mmssms.db"
 SMS_MMSMS_QUERY = """
-SELECT 
+SELECT
     address AS number,
     date_sent AS timestamp,
     type as incoming,
-    body AS text 
+    body AS text
 FROM sms;
 """
 
+
 class SMS(AndroidExtraction):
     """This module extracts all SMS messages containing links."""
 
@@ -62,7 +63,7 @@ class SMS(AndroidExtraction):
             return
 
         for message in self.results:
-            if not "text" in message:
+            if "text" not in message:
                 continue
 
             message_links = check_for_links(message["text"])
@@ -77,7 +78,7 @@ class SMS(AndroidExtraction):
         """
         conn = sqlite3.connect(db_path)
         cur = conn.cursor()
-        
+
         if (self.SMS_DB_TYPE == 1):
             cur.execute(SMS_BUGLE_QUERY)
         elif (self.SMS_DB_TYPE == 2):

mvt/android/modules/adb/whatsapp.py

@@ -16,6 +16,7 @@ log = logging.getLogger(__name__)
 
 WHATSAPP_PATH = "data/data/com.whatsapp/databases/msgstore.db"
 
+
 class Whatsapp(AndroidExtraction):
     """This module extracts all WhatsApp messages containing links."""
 
@@ -39,7 +40,7 @@ class Whatsapp(AndroidExtraction):
             return
 
         for message in self.results:
-            if not "data" in message:
+            if "data" not in message:
                 continue
 
             message_links = check_for_links(message["data"])

mvt/android/modules/backup/__init__.py

@@ -5,4 +5,4 @@
 
 from .sms import SMS
 
-BACKUP_MODULES = [SMS,]
+BACKUP_MODULES = [SMS]

mvt/android/modules/backup/sms.py

@@ -24,7 +24,7 @@ class SMS(MVTModule):
             return
 
         for message in self.results:
-            if not "body" in message:
+            if "body" not in message:
                 continue
 
             message_links = check_for_links(message["body"])

mvt/common/indicators.py

@@ -3,26 +3,31 @@
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
+import io
 import json
 import os
 
+import requests
+from appdirs import user_data_dir
+
 from .url import URL
 
 
-class IndicatorsFileBadFormat(Exception):
-    pass
-
 class Indicators:
     """This class is used to parse indicators from a STIX2 file and provide
     functions to compare extracted artifacts to the indicators.
     """
 
     def __init__(self, log=None):
+        self.data_dir = user_data_dir("mvt")
         self.log = log
         self.ioc_domains = []
         self.ioc_processes = []
         self.ioc_emails = []
         self.ioc_files = []
+        self.ioc_files_sha256 = []
+        self.ioc_app_ids = []
+        self.ios_profile_ids = []
         self.ioc_count = 0
 
     def _add_indicator(self, ioc, iocs_list):
@@ -30,20 +35,57 @@ class Indicators:
             iocs_list.append(ioc)
             self.ioc_count += 1
 
+    def _load_downloaded_indicators(self):
+        if not os.path.isdir(self.data_dir):
+            return False
+
+        for f in os.listdir(self.data_dir):
+            if f.lower().endswith(".stix2"):
+                self.parse_stix2(os.path.join(self.data_dir, f))
+
+    def _check_stix2_env_variable(self):
+        """
+        Checks if a variable MVT_STIX2 contains path to STIX Files
+        """
+        if "MVT_STIX2" not in os.environ:
+            return False
+
+        paths = os.environ["MVT_STIX2"].split(":")
+        for path in paths:
+            if os.path.isfile(path):
+                self.parse_stix2(path)
+            else:
+                self.log.info("Invalid STIX2 path %s in MVT_STIX2 environment variable", path)
+
+    def load_indicators_files(self, files):
+        """
+        Load a list of indicators files
+        """
+        for file_path in files:
+            if os.path.isfile(file_path):
+                self.parse_stix2(file_path)
+            else:
+                self.log.warning("This indicators file %s does not exist", file_path)
+
+        # Load downloaded indicators and any indicators from env variable
+        self._load_downloaded_indicators()
+        self._check_stix2_env_variable()
+        self.log.info("Loaded a total of %d unique indicators", self.ioc_count)
+
     def parse_stix2(self, file_path):
         """Extract indicators from a STIX2 file.
 
         :param file_path: Path to the STIX2 file to parse
         :type file_path: str
-        """
-        self.log.info("Parsing STIX2 indicators file at path %s",
-                      file_path)
 
+        """
+        self.log.info("Parsing STIX2 indicators file at path %s", file_path)
         with open(file_path, "r") as handle:
             try:
                 data = json.load(handle)
             except json.decoder.JSONDecodeError:
-                raise IndicatorsFileBadFormat("Unable to parse STIX2 indicators file, the file seems malformed or in the wrong format")
+                self.log.critical("Unable to parse STIX2 indicator file. The file is malformed or in the wrong format.")
+                return
 
         for entry in data.get("objects", []):
             if entry.get("type", "") != "indicator":
@@ -66,6 +108,15 @@ class Indicators:
             elif key == "file:name":
                 self._add_indicator(ioc=value,
                                     iocs_list=self.ioc_files)
+            elif key == "app:id":
+                self._add_indicator(ioc=value,
+                                    iocs_list=self.ioc_app_ids)
+            elif key == "configuration-profile:id":
+                self._add_indicator(ioc=value,
+                                    iocs_list=self.ios_profile_ids)
+            elif key == "file:hashes.sha256":
+                self._add_indicator(ioc=value,
+                                    iocs_list=self.ioc_files_sha256)
 
     def check_domain(self, url) -> bool:
         """Check if a given URL matches any of the provided domain indicators.
@@ -74,6 +125,7 @@ class Indicators:
         :type url: str
         :returns: True if the URL matched an indicator, otherwise False
         :rtype: bool
+
         """
         # TODO: If the IOC domain contains a subdomain, it is not currently
         # being matched.
@@ -103,7 +155,7 @@ class Indicators:
             else:
                 # If it's not shortened, we just use the original URL object.
                 final_url = orig_url
-        except Exception as e:
+        except Exception:
             # If URL parsing failed, we just try to do a simple substring
             # match.
             for ioc in self.ioc_domains:
@@ -145,6 +197,7 @@ class Indicators:
         :type urls: list
         :returns: True if any URL matched an indicator, otherwise False
         :rtype: bool
+
         """
         if not urls:
             return False
@@ -163,6 +216,7 @@ class Indicators:
         :type process: str
         :returns: True if process matched an indicator, otherwise False
         :rtype: bool
+
         """
         if not process:
             return False
@@ -188,6 +242,7 @@ class Indicators:
         :type processes: list
         :returns: True if process matched an indicator, otherwise False
         :rtype: bool
+
         """
         if not processes:
             return False
@@ -205,6 +260,7 @@ class Indicators:
         :type email: str
         :returns: True if email address matched an indicator, otherwise False
         :rtype: bool
+
         """
         if not email:
             return False
@@ -215,7 +271,7 @@ class Indicators:
 
         return False
 
-    def check_file(self, file_path) -> bool:
+    def check_file_name(self, file_path) -> bool:
         """Check the provided file path against the list of file indicators.
 
         :param file_path: File path or file name to check against file
@@ -223,13 +279,82 @@ class Indicators:
         :type file_path: str
         :returns: True if the file path matched an indicator, otherwise False
         :rtype: bool
+
         """
         if not file_path:
             return False
 
         file_name = os.path.basename(file_path)
         if file_name in self.ioc_files:
-            self.log.warning("Found a known suspicious file: \"%s\"", file_path)
             return True
 
         return False
+
+    # TODO: The difference between check_file_name() and check_file_path()
+    #       needs to be more explicit and clear. Probably, the two should just
+    #       be combined into one function.
+    def check_file_path(self, file_path) -> bool:
+        """Check the provided file path against the list of file indicators.
+
+        :param file_path: File path or file name to check against file
+        indicators
+        :type file_path: str
+        :returns: True if the file path matched an indicator, otherwise False
+        :rtype: bool
+
+        """
+        if not file_path:
+            return False
+
+        for ioc_file in self.ioc_files:
+            # Strip any trailing slash from indicator paths to match directories.
+            if file_path.startswith(ioc_file.rstrip("/")):
+                return True
+
+        return False
+
+    def check_profile(self, profile_uuid) -> bool:
+        """Check the provided configuration profile UUID against the list of indicators.
+
+        :param profile_uuid: Profile UUID to check against configuration profile indicators
+        :type profile_uuid: str
+        :returns: True if the UUID in indicator list, otherwise False
+        :rtype: bool
+
+        """
+        if profile_uuid in self.ios_profile_ids:
+            return True
+
+        return False
+
+
+def download_indicators_files(log):
+    """
+    Download indicators from repo into MVT app data directory
+    """
+    data_dir = user_data_dir("mvt")
+    if not os.path.isdir(data_dir):
+        os.makedirs(data_dir, exist_ok=True)
+
+    # Download latest list of indicators from the MVT repo.
+    res = requests.get("https://github.com/mvt-project/mvt/raw/main/public_indicators.json")
+    if res.status_code != 200:
+        log.warning("Unable to find retrieve list of indicators from the MVT repository.")
+        return
+
+    for ioc_entry in res.json():
+        ioc_url = ioc_entry["stix2_url"]
+        log.info("Downloading indicator file '%s' from '%s'", ioc_entry["name"], ioc_url)
+
+        res = requests.get(ioc_url)
+        if res.status_code != 200:
+            log.warning("Could not find indicator file '%s'", ioc_url)
+            continue
+
+        clean_file_name = ioc_url.lstrip("https://").replace("/", "_")
+        ioc_path = os.path.join(data_dir, clean_file_name)
+
+        # Write file to disk. This will overwrite any older version of the STIX2 file.
+        with io.open(ioc_path, "w") as f:
+            f.write(res.text)
+        log.info("Saved indicator file to '%s'", os.path.basename(ioc_path))

mvt/common/logo.py

@@ -16,7 +16,7 @@ def logo():
 
     try:
         latest_version = check_for_updates()
-    except:
+    except Exception:
         pass
     else:
         if latest_version:

mvt/common/module.py

@@ -10,21 +10,21 @@ import re
 
 import simplejson as json
 
-from .indicators import Indicators
-
 
 class DatabaseNotFoundError(Exception):
     pass
 
+
 class DatabaseCorruptedError(Exception):
     pass
 
+
 class InsufficientPrivileges(Exception):
     pass
 
+
 class MVTModule(object):
-    """This class provides a base for all extraction modules.
-    """
+    """This class provides a base for all extraction modules."""
 
     enabled = True
     slug = None
@@ -66,8 +66,7 @@ class MVTModule(object):
             return cls(results=results, log=log)
 
     def get_slug(self):
-        """Use the module's class name to retrieve a slug
-        """
+        """Use the module's class name to retrieve a slug"""
         if self.slug:
             return self.slug
 
@@ -77,12 +76,13 @@ class MVTModule(object):
     def check_indicators(self):
         """Check the results of this module against a provided list of
         indicators.
+
+
         """
         raise NotImplementedError
 
     def save_to_json(self):
-        """Save the collected results to a json file.
-        """
+        """Save the collected results to a json file."""
         if not self.output_folder:
             return
 
@@ -112,6 +112,7 @@ class MVTModule(object):
         """Serialize entry as JSON to deduplicate repeated entries
 
         :param timeline: List of entries from timeline to deduplicate
+
         """
         timeline_set = set()
         for record in timeline:
@@ -141,8 +142,7 @@ class MVTModule(object):
         self.timeline_detected = self._deduplicate_timeline(self.timeline_detected)
 
     def run(self):
-        """Run the main module procedure.
-        """
+        """Run the main module procedure."""
         raise NotImplementedError
 
 
@@ -190,6 +190,7 @@ def save_timeline(timeline, timeline_path):
 
     :param timeline: List of records to order and store
     :param timeline_path: Path to the csv file to store the timeline to
+
     """
     with io.open(timeline_path, "a+", encoding="utf-8") as handle:
         csvoutput = csv.writer(handle, delimiter=",", quotechar="\"")

mvt/common/url.py

@@ -250,6 +250,7 @@ SHORTENER_DOMAINS = [
     "zz.gd",
 ]
 
+
 class URL:
 
     def __init__(self, url):
@@ -268,11 +269,12 @@ class URL:
         :type url: str
         :returns: Domain name extracted from URL
         :rtype: str
+
         """
         # TODO: Properly handle exception.
         try:
             return get_tld(self.url, as_object=True, fix_protocol=True).parsed_url.netloc.lower().lstrip("www.")
-        except:
+        except Exception:
             return None
 
     def get_top_level(self):
@@ -282,18 +284,22 @@ class URL:
         :type url: str
         :returns: Top-level domain name extracted from URL
         :rtype: str
+
         """
         # TODO: Properly handle exception.
         try:
             return get_tld(self.url, as_object=True, fix_protocol=True).fld.lower()
-        except:
+        except Exception:
             return None
 
     def check_if_shortened(self) -> bool:
         """Check if the URL is among list of shortener services.
 
+
         :returns: True if the URL is shortened, otherwise False
+
         :rtype: bool
+
         """
         if self.domain.lower() in SHORTENER_DOMAINS:
             self.is_shortened = True
@@ -301,8 +307,7 @@ class URL:
         return self.is_shortened
 
     def unshorten(self):
-        """Unshorten the URL by requesting an HTTP HEAD response.
-        """
+        """Unshorten the URL by requesting an HTTP HEAD response."""
         res = requests.head(self.url)
         if str(res.status_code).startswith("30"):
             return res.headers["Location"]

mvt/common/utils.py

@@ -16,6 +16,7 @@ def convert_mactime_to_unix(timestamp, from_2001=True):
     :param from_2001: bool: Whether to (Default value = True)
     :param from_2001: Default value = True)
     :returns: Unix epoch timestamp.
+
     """
     if not timestamp:
         return None
@@ -42,8 +43,9 @@ def convert_chrometime_to_unix(timestamp):
     :param timestamp: Chrome timestamp as int.
     :type timestamp: int
     :returns: Unix epoch timestamp.
+
     """
-    epoch_start = datetime.datetime(1601, 1 , 1)
+    epoch_start = datetime.datetime(1601, 1, 1)
     delta = datetime.timedelta(microseconds=timestamp)
     return epoch_start + delta
 
@@ -55,21 +57,25 @@ def convert_timestamp_to_iso(timestamp):
     :type timestamp: int
     :returns: ISO timestamp string in YYYY-mm-dd HH:MM:SS.ms format.
     :rtype: str
+
     """
     try:
         return timestamp.strftime("%Y-%m-%d %H:%M:%S.%f")
     except Exception:
         return None
 
+
 def check_for_links(text):
     """Checks if a given text contains HTTP links.
 
     :param text: Any provided text.
     :type text: str
     :returns: Search results.
+
     """
     return re.findall("(?P<url>https?://[^\s]+)", text, re.IGNORECASE)
 
+
 def get_sha256_from_file_path(file_path):
     """Calculate the SHA256 hash of a file from a file path.
 
@@ -84,6 +90,7 @@ def get_sha256_from_file_path(file_path):
 
     return sha256_hash.hexdigest()
 
+
 # Note: taken from here:
 # https://stackoverflow.com/questions/57014259/json-dumps-on-dictionary-with-bytes-for-keys
 def keys_bytes_to_string(obj):
@@ -92,6 +99,7 @@ def keys_bytes_to_string(obj):
     :param obj: Object to convert from bytes to string.
     :returns: Object converted to string.
     :rtype: str
+
     """
     new_obj = {}
     if not isinstance(obj, dict):

mvt/common/version.py

@@ -6,7 +6,8 @@
 import requests
 from packaging import version
 
-MVT_VERSION = "1.2.8"
+MVT_VERSION = "1.4.2"
+
 
 def check_for_updates():
     res = requests.get("https://pypi.org/pypi/mvt/json")

mvt/ios/cli.py

@@ -10,8 +10,10 @@ import click
 from rich.logging import RichHandler
 from rich.prompt import Prompt
 
-from mvt.common.help import *
-from mvt.common.indicators import Indicators, IndicatorsFileBadFormat
+from mvt.common.help import (HELP_MSG_FAST, HELP_MSG_IOC,
+                             HELP_MSG_LIST_MODULES, HELP_MSG_MODULE,
+                             HELP_MSG_OUTPUT)
+from mvt.common.indicators import Indicators, download_indicators_files
 from mvt.common.logo import logo
 from mvt.common.module import run_module, save_timeline
 from mvt.common.options import MutuallyExclusiveOption
@@ -30,6 +32,7 @@ log = logging.getLogger(__name__)
 # Set this environment variable to a password if needed.
 PASSWD_ENV = "MVT_IOS_BACKUP_PASSWORD"
 
+
 #==============================================================================
 # Main
 #==============================================================================
@@ -38,6 +41,14 @@ def cli():
     logo()
 
 
+#==============================================================================
+# Command: version
+#==============================================================================
+@cli.command("version", help="Show the currently installed version of MVT")
+def version():
+    return
+
+
 #==============================================================================
 # Command: decrypt-backup
 #==============================================================================
@@ -146,13 +157,7 @@ def check_backup(ctx, iocs, output, fast, backup_path, list_modules, module):
             ctx.exit(1)
 
     indicators = Indicators(log=log)
-    for ioc_path in iocs:
-        try:
-            indicators.parse_stix2(ioc_path)
-        except IndicatorsFileBadFormat as e:
-            log.critical(e)
-            ctx.exit(1)
-    log.info("Loaded a total of %d indicators", indicators.ioc_count)
+    indicators.load_indicators_files(iocs)
 
     timeline = []
     timeline_detected = []
@@ -163,8 +168,7 @@ def check_backup(ctx, iocs, output, fast, backup_path, list_modules, module):
         m = backup_module(base_folder=backup_path, output_folder=output, fast_mode=fast,
                           log=logging.getLogger(backup_module.__module__))
         m.is_backup = True
-
-        if iocs:
+        if indicators.ioc_count:
             m.indicators = indicators
             m.indicators.log = m.log
 
@@ -209,13 +213,7 @@ def check_fs(ctx, iocs, output, fast, dump_path, list_modules, module):
             ctx.exit(1)
 
     indicators = Indicators(log=log)
-    for ioc_path in iocs:
-        try:
-            indicators.parse_stix2(ioc_path)
-        except IndicatorsFileBadFormat as e:
-            log.critical(e)
-            ctx.exit(1)
-    log.info("Loaded a total of %d indicators", indicators.ioc_count)
+    indicators.load_indicators_files(iocs)
 
     timeline = []
     timeline_detected = []
@@ -227,8 +225,7 @@ def check_fs(ctx, iocs, output, fast, dump_path, list_modules, module):
                       log=logging.getLogger(fs_module.__module__))
 
         m.is_fs_dump = True
-
-        if iocs:
+        if indicators.ioc_count:
             m.indicators = indicators
             m.indicators.log = m.log
 
@@ -269,13 +266,7 @@ def check_iocs(ctx, iocs, list_modules, module, folder):
     log.info("Checking stored results against provided indicators...")
 
     indicators = Indicators(log=log)
-    for ioc_path in iocs:
-        try:
-            indicators.parse_stix2(ioc_path)
-        except IndicatorsFileBadFormat as e:
-            log.critical(e)
-            ctx.exit(1)
-    log.info("Loaded a total of %d indicators", indicators.ioc_count)
+    indicators.load_indicators_files(iocs)
 
     for file_name in os.listdir(folder):
         name_only, ext = os.path.splitext(file_name)
@@ -293,11 +284,19 @@ def check_iocs(ctx, iocs, list_modules, module, folder):
 
             m = iocs_module.from_json(file_path,
                                       log=logging.getLogger(iocs_module.__module__))
-
-            m.indicators = indicators
-            m.indicators.log = m.log
+            if indicators.ioc_count:
+                m.indicators = indicators
+                m.indicators.log = m.log
 
             try:
                 m.check_indicators()
             except NotImplementedError:
                 continue
+
+
+#==============================================================================
+# Command: download-iocs
+#==============================================================================
+@cli.command("download-iocs", help="Download public STIX2 indicators")
+def download_indicators():
+    download_indicators_files(log)

mvt/ios/decrypt.py

@@ -14,6 +14,7 @@ from iOSbackup import iOSbackup
 
 log = logging.getLogger(__name__)
 
+
 class DecryptBackup:
     """This class provides functions to decrypt an encrypted iTunes backup
     using either a password or a key file.

mvt/ios/modules/backup/configuration_profiles.py

@@ -1,15 +1,20 @@
+
 # Mobile Verification Toolkit (MVT)
 # Copyright (c) 2021 The MVT Project Authors.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
+import os
 import plistlib
 from base64 import b64encode
 
+from mvt.common.utils import convert_timestamp_to_iso
+
 from ..base import IOSExtraction
 
 CONF_PROFILES_DOMAIN = "SysSharedContainerDomain-systemgroup.com.apple.configurationprofiles"
 
+
 class ConfigurationProfiles(IOSExtraction):
     """This module extracts the full plist data from configuration profiles."""
 
@@ -19,23 +24,73 @@ class ConfigurationProfiles(IOSExtraction):
                          output_folder=output_folder, fast_mode=fast_mode,
                          log=log, results=results)
 
+    def serialize(self, record):
+        if not record["install_date"]:
+            return
+
+        payload_name = record['plist'].get('PayloadDisplayName')
+        payload_description = record['plist'].get('PayloadDescription')
+        return {
+            "timestamp": record["install_date"],
+            "module": self.__class__.__name__,
+            "event": "configuration_profile_install",
+            "data": f"{record['plist']['PayloadType']} installed: {record['plist']['PayloadUUID']} - {payload_name}: {payload_description}"
+        }
+
+    def check_indicators(self):
+        if not self.indicators:
+            return
+
+        for result in self.results:
+            if result["plist"].get("PayloadUUID"):
+                payload_content = result["plist"]["PayloadContent"][0]
+
+                # Alert on any known malicious configuration profiles in the indicator list.
+                if self.indicators.check_profile(result["plist"]["PayloadUUID"]):
+                    self.log.warning(f"Found a known malicious configuration profile \"{result['plist']['PayloadDisplayName']}\" with UUID '{result['plist']['PayloadUUID']}'.")
+                    self.detected.append(result)
+                    continue
+
+                # Highlight suspicious configuration profiles which may be used to hide notifications.
+                if payload_content["PayloadType"] in ["com.apple.notificationsettings"]:
+                    self.log.warning(f"Found a potentially suspicious configuration profile \"{result['plist']['PayloadDisplayName']}\" with payload type '{payload_content['PayloadType']}'.")
+                    self.detected.append(result)
+                    continue
+
     def run(self):
         for conf_file in self._get_backup_files_from_manifest(domain=CONF_PROFILES_DOMAIN):
+            conf_rel_path = conf_file["relative_path"]
+            # Filter out all configuration files that are not configuration profiles.
+            if not conf_rel_path or not os.path.basename(conf_rel_path).startswith("profile-"):
+                continue
+
             conf_file_path = self._get_backup_file_from_id(conf_file["file_id"])
             if not conf_file_path:
                 continue
 
             with open(conf_file_path, "rb") as handle:
-                conf_plist = plistlib.load(handle)
+                try:
+                    conf_plist = plistlib.load(handle)
+                except Exception:
+                    conf_plist = {}
 
             if "SignerCerts" in conf_plist:
                 conf_plist["SignerCerts"] = [b64encode(x) for x in conf_plist["SignerCerts"]]
+            if "PushTokenDataSentToServerKey" in conf_plist:
+                conf_plist["PushTokenDataSentToServerKey"] = b64encode(conf_plist["PushTokenDataSentToServerKey"])
+            if "LastPushTokenHash" in conf_plist:
+                conf_plist["LastPushTokenHash"] = b64encode(conf_plist["LastPushTokenHash"])
+            if "PayloadContent" in conf_plist:
+                for x in range(len(conf_plist["PayloadContent"])):
+                    if "PERSISTENT_REF" in conf_plist["PayloadContent"][x]:
+                        conf_plist["PayloadContent"][x]["PERSISTENT_REF"] = b64encode(conf_plist["PayloadContent"][x]["PERSISTENT_REF"])
 
             self.results.append({
                 "file_id": conf_file["file_id"],
                 "relative_path": conf_file["relative_path"],
                 "domain": conf_file["domain"],
                 "plist": conf_plist,
+                "install_date": convert_timestamp_to_iso(conf_plist.get("InstallDate")),
             })
 
         self.log.info("Extracted details about %d configuration profiles", len(self.results))

mvt/ios/modules/backup/manifest.py

@@ -28,8 +28,8 @@ class Manifest(IOSExtraction):
         """Unserialized plist objects can have keys which are str or byte types
         This is a helper to try fetch a key as both a byte or string type.
 
-        :param dictionary: param key:
-        :param key: 
+        :param dictionary:
+        :param key:
 
         """
         return dictionary.get(key.encode("utf-8"), None) or dictionary.get(key, None)
@@ -38,7 +38,7 @@ class Manifest(IOSExtraction):
     def _convert_timestamp(timestamp_or_unix_time_int):
         """Older iOS versions stored the manifest times as unix timestamps.
 
-        :param timestamp_or_unix_time_int: 
+        :param timestamp_or_unix_time_int:
 
         """
         if isinstance(timestamp_or_unix_time_int, datetime.datetime):
@@ -72,7 +72,7 @@ class Manifest(IOSExtraction):
             return
 
         for result in self.results:
-            if not "relative_path" in result:
+            if "relative_path" not in result:
                 continue
             if not result["relative_path"]:
                 continue
@@ -83,7 +83,7 @@ class Manifest(IOSExtraction):
                     self.detected.append(result)
                     continue
 
-            if self.indicators.check_file(result["relative_path"]):
+            if self.indicators.check_file_name(result["relative_path"]):
                 self.log.warning("Found a known malicious file at path: %s", result["relative_path"])
                 self.detected.append(result)
                 continue
@@ -133,7 +133,7 @@ class Manifest(IOSExtraction):
                         "owner": self._get_key(file_metadata, "UserID"),
                         "size": self._get_key(file_metadata, "Size"),
                     })
-                except:
+                except Exception:
                     self.log.exception("Error reading manifest file metadata for file with ID %s and relative path %s",
                                        file_data["fileID"], file_data["relativePath"])
                     pass

mvt/ios/modules/backup/profile_events.py

@@ -11,6 +11,7 @@ from ..base import IOSExtraction
 
 CONF_PROFILES_EVENTS_RELPATH = "Library/ConfigurationProfiles/MCProfileEvents.plist"
 
+
 class ProfileEvents(IOSExtraction):
     """This module extracts events related to the installation of configuration
     profiles.

mvt/ios/modules/base.py

@@ -26,27 +26,28 @@ class IOSExtraction(MVTModule):
         self.is_fs_dump = False
         self.is_sysdiagnose = False
 
-    def _recover_sqlite_db_if_needed(self, file_path):
+    def _recover_sqlite_db_if_needed(self, file_path, forced=False):
         """Tries to recover a malformed database by running a .clone command.
 
         :param file_path: Path to the malformed database file.
 
         """
         # TODO: Find a better solution.
-        conn = sqlite3.connect(file_path)
-        cur = conn.cursor()
+        if not forced:
+            conn = sqlite3.connect(file_path)
+            cur = conn.cursor()
 
-        try:
-            recover = False
-            cur.execute("SELECT name FROM sqlite_master WHERE type='table';")
-        except sqlite3.DatabaseError as e:
-            if "database disk image is malformed" in str(e):
-                recover = True
-        finally:
-            conn.close()
+            try:
+                recover = False
+                cur.execute("SELECT name FROM sqlite_master WHERE type='table';")
+            except sqlite3.DatabaseError as e:
+                if "database disk image is malformed" in str(e):
+                    recover = True
+            finally:
+                conn.close()
 
-        if not recover:
-            return
+            if not recover:
+                return
 
         self.log.info("Database at path %s is malformed. Trying to recover...", file_path)
 

mvt/ios/modules/fs/__init__.py

@@ -3,14 +3,17 @@
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
+from .analytics import Analytics
 from .cache_files import CacheFiles
 from .filesystem import Filesystem
 from .net_netusage import Netusage
 from .safari_favicon import SafariFavicon
+from .shutdownlog import ShutdownLog
 from .version_history import IOSVersionHistory
 from .webkit_indexeddb import WebkitIndexedDB
 from .webkit_localstorage import WebkitLocalStorage
 from .webkit_safariviewservice import WebkitSafariViewService
 
-FS_MODULES = [CacheFiles, Filesystem, Netusage, SafariFavicon, IOSVersionHistory,
-              WebkitIndexedDB, WebkitLocalStorage, WebkitSafariViewService,]
+FS_MODULES = [CacheFiles, Filesystem, Netusage, Analytics, SafariFavicon, ShutdownLog,
+              IOSVersionHistory, WebkitIndexedDB, WebkitLocalStorage,
+              WebkitSafariViewService]

mvt/ios/modules/fs/analytics.py

@@ -0,0 +1,119 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021 The MVT Project Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import plistlib
+import sqlite3
+
+from mvt.common.utils import convert_mactime_to_unix, convert_timestamp_to_iso
+
+from ..base import IOSExtraction
+
+ANALYTICS_DB_PATH = [
+    "private/var/Keychains/Analytics/*.db",
+]
+
+
+class Analytics(IOSExtraction):
+    """This module extracts information from the private/var/Keychains/Analytics/*.db files."""
+
+    def __init__(self, file_path=None, base_folder=None, output_folder=None,
+                 fast_mode=False, log=None, results=[]):
+        super().__init__(file_path=file_path, base_folder=base_folder,
+                         output_folder=output_folder, fast_mode=fast_mode,
+                         log=log, results=results)
+
+    def serialize(self, record):
+        return {
+            "timestamp": record["timestamp"],
+            "module": self.__class__.__name__,
+            "event": record["artifact"],
+            "data": f"{record}",
+        }
+
+    def check_indicators(self):
+        if not self.indicators:
+            return
+
+        for result in self.results:
+            for ioc in self.indicators.ioc_processes:
+                for key in result.keys():
+                    if ioc == result[key]:
+                        self.log.warning("Found mention of a malicious process \"%s\" in %s file at %s",
+                                         ioc, result["artifact"], result["timestamp"])
+                        self.detected.append(result)
+                        break
+            for ioc in self.indicators.ioc_domains:
+                for key in result.keys():
+                    if ioc in str(result[key]):
+                        self.log.warning("Found mention of a malicious domain \"%s\" in %s file at %s",
+                                         ioc, result["artifact"], result["timestamp"])
+                        self.detected.append(result)
+                        break
+
+    def _extract_analytics_data(self):
+        artifact = self.file_path.split("/")[-1]
+
+        conn = sqlite3.connect(self.file_path)
+        cur = conn.cursor()
+
+        try:
+            cur.execute("""
+                SELECT
+                    timestamp,
+                    data
+                FROM hard_failures
+                UNION
+                SELECT
+                    timestamp,
+                    data
+                FROM soft_failures
+                UNION
+                SELECT
+                    timestamp,
+                    data
+                FROM all_events;
+            """)
+        except sqlite3.OperationalError:
+            cur.execute("""
+                SELECT
+                    timestamp,
+                    data
+                FROM hard_failures
+                UNION
+                SELECT
+                    timestamp,
+                    data
+                FROM soft_failures;
+            """)
+
+        for row in cur:
+            if row[0] and row[1]:
+                timestamp = convert_timestamp_to_iso(convert_mactime_to_unix(row[0], False))
+                data = plistlib.loads(row[1])
+                data["timestamp"] = timestamp
+            elif row[0]:
+                timestamp = convert_timestamp_to_iso(convert_mactime_to_unix(row[0], False))
+                data = {}
+                data["timestamp"] = timestamp
+            elif row[1]:
+                timestamp = ""
+                data = plistlib.loads(row[1])
+                data["timestamp"] = timestamp
+            data["artifact"] = artifact
+
+            self.results.append(data)
+
+        self.results = sorted(self.results, key=lambda entry: entry["timestamp"])
+
+        cur.close()
+        conn.close()
+
+        self.log.info("Extracted information on %d analytics data from %s", len(self.results), artifact)
+
+    def run(self):
+        for file_path in self._get_fs_files_from_patterns(ANALYTICS_DB_PATH):
+            self.file_path = file_path
+            self.log.info("Found Analytics database file at path: %s", file_path)
+            self._extract_analytics_data()

mvt/ios/modules/fs/cache_files.py

@@ -38,7 +38,7 @@ class CacheFiles(IOSExtraction):
             for item in items:
                 if self.indicators.check_domain(item["url"]):
                     if key not in self.detected:
-                        self.detected[key] = [item,]
+                        self.detected[key] = [item, ]
                     else:
                         self.detected[key].append(item)
 
@@ -54,7 +54,7 @@ class CacheFiles(IOSExtraction):
             return
 
         key_name = os.path.relpath(file_path, self.base_folder)
-        if not key_name in self.results:
+        if key_name not in self.results:
             self.results[key_name] = []
 
         for row in cur:

mvt/ios/modules/fs/filesystem.py

@@ -28,8 +28,8 @@ class Filesystem(IOSExtraction):
         return {
             "timestamp": record["modified"],
             "module": self.__class__.__name__,
-            "event": "file_modified",
-            "data": record["file_path"],
+            "event": "entry_modified",
+            "data": record["path"],
         }
 
     def check_indicators(self):
@@ -37,19 +37,46 @@ class Filesystem(IOSExtraction):
             return
 
         for result in self.results:
-            if self.indicators.check_file(result["file_path"]):
+            if self.indicators.check_file(result["path"]):
+                self.log.warning("Found a known malicious file name at path: %s", result["path"])
                 self.detected.append(result)
 
+            if self.indicators.check_file_path(result["path"]):
+                self.log.warning("Found a known malicious file path at path: %s", result["path"])
+                self.detected.append(result)
+
+            # If we are instructed to run fast, we skip this.
+            if self.fast_mode:
+                self.log.info("Flag --fast was enabled: skipping extended search for suspicious files/processes")
+            else:
+                for ioc in self.indicators.ioc_processes:
+                    parts = result["path"].split("/")
+                    if ioc in parts:
+                        self.log.warning("Found a known malicious file/process at path: %s", result["path"])
+                        self.detected.append(result)
+
     def run(self):
         for root, dirs, files in os.walk(self.base_folder):
+            for dir_name in dirs:
+                try:
+                    dir_path = os.path.join(root, dir_name)
+                    result = {
+                        "path": os.path.relpath(dir_path, self.base_folder),
+                        "modified": convert_timestamp_to_iso(datetime.datetime.utcfromtimestamp(os.stat(dir_path).st_mtime)),
+                    }
+                except Exception:
+                    continue
+                else:
+                    self.results.append(result)
+
             for file_name in files:
                 try:
                     file_path = os.path.join(root, file_name)
                     result = {
-                        "file_path": os.path.relpath(file_path, self.base_folder),
+                        "path": os.path.relpath(file_path, self.base_folder),
                         "modified": convert_timestamp_to_iso(datetime.datetime.utcfromtimestamp(os.stat(file_path).st_mtime)),
                     }
-                except:
+                except Exception:
                     continue
                 else:
                     self.results.append(result)

mvt/ios/modules/fs/net_netusage.py

@@ -12,6 +12,7 @@ NETUSAGE_ROOT_PATHS = [
     "private/var/networkd/db/netusage.sqlite"
 ]
 
+
 class Netusage(NetBase):
     """This class extracts data from netusage.sqlite and attempts to identify
     any suspicious processes if running on a full filesystem dump.

mvt/ios/modules/fs/safari_favicon.py

@@ -14,6 +14,7 @@ SAFARI_FAVICON_ROOT_PATHS = [
     "private/var/mobile/Containers/Data/Application/*/Library/Image Cache/Favicons/Favicons.db",
 ]
 
+
 class SafariFavicon(IOSExtraction):
     """This module extracts all Safari favicon records."""
 

mvt/ios/modules/fs/shutdownlog.py

@@ -0,0 +1,82 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021 The MVT Project Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+from mvt.common.utils import convert_mactime_to_unix, convert_timestamp_to_iso
+
+from ..base import IOSExtraction
+
+SHUTDOWN_LOG_PATH = [
+    "private/var/db/diagnostics/shutdown.log",
+]
+
+
+class ShutdownLog(IOSExtraction):
+    """This module extracts processes information from the shutdown log file."""
+
+    def __init__(self, file_path=None, base_folder=None, output_folder=None,
+                 fast_mode=False, log=None, results=[]):
+        super().__init__(file_path=file_path, base_folder=base_folder,
+                         output_folder=output_folder, fast_mode=fast_mode,
+                         log=log, results=results)
+
+    def serialize(self, record):
+        return {
+            "timestamp": record["isodate"],
+            "module": self.__class__.__name__,
+            "event": "shutdown",
+            "data": f"Client {record['client']} with PID {record['pid']} was running when the device was shut down",
+        }
+
+    def check_indicators(self):
+        if not self.indicators:
+            return
+
+        for result in self.results:
+            for ioc in self.indicators.ioc_processes:
+                parts = result["client"].split("/")
+                if ioc in parts:
+                    self.log.warning("Found mention of a known malicious process \"%s\" in shutdown.log",
+                                     ioc)
+                    self.detected.append(result)
+
+    def process_shutdownlog(self, content):
+        current_processes = []
+        for line in content.split("\n"):
+            line = line.strip()
+
+            if line.startswith("remaining client pid:"):
+                current_processes.append({
+                    "pid": line[line.find("pid: ")+5:line.find(" (")],
+                    "client": line[line.find("(")+1:line.find(")")],
+                })
+            elif line.startswith("SIGTERM: "):
+                try:
+                    mac_timestamp = int(line[line.find("[")+1:line.find("]")])
+                except ValueError:
+                    try:
+                        start = line.find(" @")+2
+                        mac_timestamp = int(line[start:start+10])
+                    except Exception:
+                        mac_timestamp = 0
+
+                timestamp = convert_mactime_to_unix(mac_timestamp, from_2001=False)
+                isodate = convert_timestamp_to_iso(timestamp)
+
+                for current_process in current_processes:
+                    self.results.append({
+                        "isodate": isodate,
+                        "pid": current_process["pid"],
+                        "client": current_process["client"],
+                    })
+
+                current_processes = []
+
+        self.results = sorted(self.results, key=lambda entry: entry["isodate"])
+
+    def run(self):
+        self._find_ios_database(root_paths=SHUTDOWN_LOG_PATH)
+        self.log.info("Found shutdown log at path: %s", self.file_path)
+        with open(self.file_path, "r") as handle:
+            self.process_shutdownlog(handle.read())

mvt/ios/modules/fs/version_history.py

@@ -14,6 +14,7 @@ IOS_ANALYTICS_JOURNAL_PATHS = [
     "private/var/db/analyticsd/Analytics-Journal-*.ips",
 ]
 
+
 class IOSVersionHistory(IOSExtraction):
     """This module extracts iOS update history from Analytics Journal log files."""
 

mvt/ios/modules/fs/webkit_indexeddb.py

@@ -9,6 +9,7 @@ WEBKIT_INDEXEDDB_ROOT_PATHS = [
     "private/var/mobile/Containers/Data/Application/*/Library/WebKit/WebsiteData/IndexedDB",
 ]
 
+
 class WebkitIndexedDB(WebkitBase):
     """This module looks extracts records from WebKit IndexedDB folders,
     and checks them against any provided list of suspicious domains.

mvt/ios/modules/fs/webkit_localstorage.py

@@ -9,6 +9,7 @@ WEBKIT_LOCALSTORAGE_ROOT_PATHS = [
     "private/var/mobile/Containers/Data/Application/*/Library/WebKit/WebsiteData/LocalStorage/",
 ]
 
+
 class WebkitLocalStorage(WebkitBase):
     """This module looks extracts records from WebKit LocalStorage folders,
     and checks them against any provided list of suspicious domains.

mvt/ios/modules/fs/webkit_safariviewservice.py

@@ -9,6 +9,7 @@ WEBKIT_SAFARIVIEWSERVICE_ROOT_PATHS = [
     "private/var/mobile/Containers/Data/Application/*/SystemData/com.apple.SafariViewService/Library/WebKit/WebsiteData/",
 ]
 
+
 class WebkitSafariViewService(WebkitBase):
     """This module looks extracts records from WebKit LocalStorage folders,
     and checks them against any provided list of suspicious domains.

mvt/ios/modules/mixed/__init__.py

@@ -16,6 +16,7 @@ from .net_datausage import Datausage
 from .osanalytics_addaily import OSAnalyticsADDaily
 from .safari_browserstate import SafariBrowserState
 from .safari_history import SafariHistory
+from .shortcuts import Shortcuts
 from .sms import SMS
 from .sms_attachments import SMSAttachments
 from .tcc import TCC
@@ -27,4 +28,4 @@ MIXED_MODULES = [Calls, ChromeFavicon, ChromeHistory, Contacts, FirefoxFavicon,
                  FirefoxHistory, IDStatusCache, InteractionC, LocationdClients,
                  OSAnalyticsADDaily, Datausage, SafariBrowserState, SafariHistory,
                  TCC, SMS, SMSAttachments, WebkitResourceLoadStatistics,
-                 WebkitSessionResourceLog, Whatsapp,]
+                 WebkitSessionResourceLog, Whatsapp, Shortcuts]

mvt/ios/modules/mixed/calls.py

@@ -16,6 +16,7 @@ CALLS_ROOT_PATHS = [
     "private/var/mobile/Library/CallHistoryDB/CallHistory.storedata"
 ]
 
+
 class Calls(IOSExtraction):
     """This module extracts phone calls details"""
 
@@ -45,7 +46,7 @@ class Calls(IOSExtraction):
                 ZDATE, ZDURATION, ZLOCATION, ZADDRESS, ZSERVICE_PROVIDER
             FROM ZCALLRECORD;
         """)
-        names = [description[0] for description in cur.description]
+        # names = [description[0] for description in cur.description]
 
         for row in cur:
             self.results.append({

mvt/ios/modules/mixed/chrome_favicon.py

@@ -19,6 +19,7 @@ CHROME_FAVICON_ROOT_PATHS = [
     "private/var/mobile/Containers/Data/Application/*/Library/Application Support/Google/Chrome/Default/Favicons",
 ]
 
+
 class ChromeFavicon(IOSExtraction):
     """This module extracts all Chrome favicon records."""
 

mvt/ios/modules/mixed/chrome_history.py

@@ -13,12 +13,12 @@ from ..base import IOSExtraction
 CHROME_HISTORY_BACKUP_IDS = [
     "faf971ce92c3ac508c018dce1bef2a8b8e9838f1",
 ]
-
 # TODO: Confirm Chrome database path.
 CHROME_HISTORY_ROOT_PATHS = [
     "private/var/mobile/Containers/Data/Application/*/Library/Application Support/Google/Chrome/Default/History",
 ]
 
+
 class ChromeHistory(IOSExtraction):
     """This module extracts all Chome visits."""
 

mvt/ios/modules/mixed/contacts.py

@@ -14,6 +14,7 @@ CONTACTS_ROOT_PATHS = [
     "private/var/mobile/Library/AddressBook/AddressBook.sqlitedb",
 ]
 
+
 class Contacts(IOSExtraction):
     """This module extracts all contact details from the phone's address book."""
 

mvt/ios/modules/mixed/firefox_favicon.py

@@ -17,6 +17,7 @@ FIREFOX_HISTORY_ROOT_PATHS = [
     "private/var/mobile/profile.profile/browser.db",
 ]
 
+
 class FirefoxFavicon(IOSExtraction):
     """This module extracts all Firefox favicon"""
 
@@ -39,8 +40,8 @@ class FirefoxFavicon(IOSExtraction):
             return
 
         for result in self.results:
-            if (self.indicators.check_domain(result.get("url", "")) or 
-                self.indicators.check_domain(result.get("history_url", ""))):
+            if (self.indicators.check_domain(result.get("url", "")) or
+                    self.indicators.check_domain(result.get("history_url", ""))):
                 self.detected.append(result)
 
     def run(self):

mvt/ios/modules/mixed/firefox_history.py

@@ -17,6 +17,7 @@ FIREFOX_HISTORY_ROOT_PATHS = [
     "private/var/mobile/profile.profile/browser.db",
 ]
 
+
 class FirefoxHistory(IOSExtraction):
     """This module extracts all Firefox visits and tries to detect potential
     network injection attacks.

mvt/ios/modules/mixed/idstatuscache.py

@@ -18,6 +18,7 @@ IDSTATUSCACHE_ROOT_PATHS = [
     "private/var/mobile/Library/IdentityServices/idstatuscache.plist",
 ]
 
+
 class IDStatusCache(IOSExtraction):
     """Extracts Apple Authentication information from idstatuscache.plist"""
 
@@ -91,5 +92,5 @@ class IDStatusCache(IOSExtraction):
                 self.file_path = idstatuscache_path
                 self.log.info("Found IDStatusCache plist at path: %s", self.file_path)
                 self._extract_idstatuscache_entries(self.file_path)
-            
+
         self.log.info("Extracted a total of %d ID Status Cache entries", len(self.results))

mvt/ios/modules/mixed/interactionc.py

@@ -16,6 +16,7 @@ INTERACTIONC_ROOT_PATHS = [
     "private/var/mobile/Library/CoreDuet/People/interactionC.db",
 ]
 
+
 class InteractionC(IOSExtraction):
     """This module extracts data from InteractionC db."""
 
@@ -54,8 +55,8 @@ class InteractionC(IOSExtraction):
                 "timestamp": record[ts],
                 "module": self.__class__.__name__,
                 "event": ts,
-                "data": f"[{record['bundle_id']}] {record['account']} - from {record['sender_display_name']} " \
-                        f"({record['sender_identifier']}) to {record['recipient_display_name']} " \
+                "data": f"[{record['bundle_id']}] {record['account']} - from {record['sender_display_name']} "
+                        f"({record['sender_identifier']}) to {record['recipient_display_name']} "
                         f"({record['recipient_identifier']}): {record['content']}"
             })
             processed.append(record[ts])
@@ -123,8 +124,7 @@ class InteractionC(IOSExtraction):
                 LEFT JOIN Z_2INTERACTIONRECIPIENT ON ZINTERACTIONS.Z_PK== Z_2INTERACTIONRECIPIENT.Z_3INTERACTIONRECIPIENT
                 LEFT JOIN ZCONTACTS RECEIPIENTCONACT ON Z_2INTERACTIONRECIPIENT.Z_2RECIPIENTS== RECEIPIENTCONACT.Z_PK;
         """)
-
-        names = [description[0] for description in cur.description]
+        # names = [description[0] for description in cur.description]
 
         for row in cur:
             self.results.append({

mvt/ios/modules/mixed/locationd.py

@@ -17,6 +17,7 @@ LOCATIOND_ROOT_PATHS = [
     "private/var/root/Library/Caches/locationd/clients.plist"
 ]
 
+
 class LocationdClients(IOSExtraction):
     """Extract information from apps who used geolocation."""
 

mvt/ios/modules/mixed/net_datausage.py

@@ -12,6 +12,7 @@ DATAUSAGE_ROOT_PATHS = [
     "private/var/wireless/Library/Databases/DataUsage.sqlite",
 ]
 
+
 class Datausage(NetBase):
     """This class extracts data from DataUsage.sqlite and attempts to identify
     any suspicious processes if running on a full filesystem dump.

mvt/ios/modules/mixed/osanalytics_addaily.py

@@ -16,6 +16,7 @@ OSANALYTICS_ADDAILY_ROOT_PATHS = [
     "private/var/mobile/Library/Preferences/com.apple.osanalytics.addaily.plist",
 ]
 
+
 class OSAnalyticsADDaily(IOSExtraction):
     """Extract network usage information by process, from com.apple.osanalytics.addaily.plist"""
 
@@ -34,14 +35,14 @@ class OSAnalyticsADDaily(IOSExtraction):
             "event": "osanalytics_addaily",
             "data": record_data,
         }
-    
+
     def check_indicators(self):
         if not self.indicators:
             return
 
         for result in self.results:
             if self.indicators.check_process(result["package"]):
-                    self.detected.append(result)
+                self.detected.append(result)
 
     def run(self):
         self._find_ios_database(backup_ids=OSANALYTICS_ADDAILY_BACKUP_IDS,

mvt/ios/modules/mixed/safari_browserstate.py

@@ -19,6 +19,7 @@ SAFARI_BROWSER_STATE_ROOT_PATHS = [
     "private/var/mobile/Containers/Data/Application/*/Library/Safari/BrowserState.db",
 ]
 
+
 class SafariBrowserState(IOSExtraction):
     """This module extracts all Safari browser state records."""
 
@@ -47,7 +48,7 @@ class SafariBrowserState(IOSExtraction):
                 self.detected.append(result)
                 continue
 
-            if not "session_data" in result:
+            if "session_data" not in result:
                 continue
 
             for session_entry in result["session_data"]:
@@ -58,17 +59,26 @@ class SafariBrowserState(IOSExtraction):
         conn = sqlite3.connect(db_path)
 
         cur = conn.cursor()
-        cur.execute("""
-            SELECT
-                tabs.title,
-                tabs.url,
-                tabs.user_visible_url,
-                tabs.last_viewed_time,
-                tab_sessions.session_data
-            FROM tabs
-            JOIN tab_sessions ON tabs.uuid = tab_sessions.tab_uuid
-            ORDER BY tabs.last_viewed_time;
-        """)
+        try:
+            cur.execute("""
+                SELECT
+                    tabs.title,
+                    tabs.url,
+                    tabs.user_visible_url,
+                    tabs.last_viewed_time,
+                    tab_sessions.session_data
+                FROM tabs
+                JOIN tab_sessions ON tabs.uuid = tab_sessions.tab_uuid
+                ORDER BY tabs.last_viewed_time;
+            """)
+        except sqlite3.OperationalError:
+            # Old version iOS <12 likely
+            cur.execute("""
+                SELECT
+                    title, url, user_visible_url, last_viewed_time, session_data
+                FROM tabs
+                ORDER BY last_viewed_time;
+            """)
 
         for row in cur:
             session_entries = []

mvt/ios/modules/mixed/safari_history.py

@@ -17,6 +17,7 @@ SAFARI_HISTORY_ROOT_PATHS = [
     "private/var/mobile/Containers/Data/Application/*/Library/Safari/History.db",
 ]
 
+
 class SafariHistory(IOSExtraction):
     """This module extracts all Safari visits and tries to detect potential
     network injection attacks.
@@ -62,7 +63,7 @@ class SafariHistory(IOSExtraction):
                     continue
 
                 self.log.info("Found HTTP redirect to different domain: \"%s\" -> \"%s\"",
-                         origin_domain, redirect_domain)
+                              origin_domain, redirect_domain)
 
                 redirect_time = convert_mactime_to_unix(redirect["timestamp"])
                 origin_time = convert_mactime_to_unix(result["timestamp"])

mvt/ios/modules/mixed/shortcuts.py

@@ -0,0 +1,112 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021 The MVT Project Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import io
+import itertools
+import plistlib
+import sqlite3
+
+from mvt.common.utils import (check_for_links, convert_mactime_to_unix,
+                              convert_timestamp_to_iso)
+
+from ..base import IOSExtraction
+
+SHORTCUT_BACKUP_IDS = [
+    "5b4d0b44b5990f62b9f4d34ad8dc382bf0b01094",
+]
+SHORTCUT_ROOT_PATHS = [
+    "private/var/mobile/Library/Shortcuts/Shortcuts.sqlite",
+]
+
+
+class Shortcuts(IOSExtraction):
+    """This module extracts all info about SMS/iMessage attachments."""
+
+    def __init__(self, file_path=None, base_folder=None, output_folder=None,
+                 fast_mode=False, log=None, results=[]):
+        super().__init__(file_path=file_path, base_folder=base_folder,
+                         output_folder=output_folder, fast_mode=fast_mode,
+                         log=log, results=results)
+
+    def serialize(self, record):
+        found_urls = ""
+        if record["action_urls"]:
+            found_urls = "- URLs in actions: {}".format(", ".join(record["action_urls"]))
+
+        return {
+            "timestamp": record["isodate"],
+            "module": self.__class__.__name__,
+            "event": "shortcut",
+            "data": f"iOS Shortcut '{record['shortcut_name']}': {record['description']} {found_urls}"
+        }
+
+    def check_indicators(self):
+        if not self.indicators:
+            return
+
+        for action in self.results:
+            if self.indicators.check_domains(action["action_urls"]):
+                self.detected.append(action)
+
+    def run(self):
+        self._find_ios_database(backup_ids=SHORTCUT_BACKUP_IDS,
+                                root_paths=SHORTCUT_ROOT_PATHS)
+        self.log.info("Found Shortcuts database at path: %s", self.file_path)
+
+        conn = sqlite3.connect(self.file_path)
+        conn.text_factory = bytes
+        cur = conn.cursor()
+        try:
+            cur.execute("""
+                SELECT
+                    ZSHORTCUT.Z_PK as "shortcut_id",
+                    ZSHORTCUT.ZNAME as "shortcut_name",
+                    ZSHORTCUT.ZCREATIONDATE as "created_date",
+                    ZSHORTCUT.ZMODIFICATIONDATE as "modified_date",
+                    ZSHORTCUT.ZACTIONSDESCRIPTION as "description",
+                    ZSHORTCUTACTIONS.ZDATA as "action_data"
+                FROM ZSHORTCUT
+                LEFT JOIN ZSHORTCUTACTIONS ON ZSHORTCUTACTIONS.ZSHORTCUT == ZSHORTCUT.Z_PK;
+            """)
+        except sqlite3.OperationalError:
+            # Table ZSHORTCUT does not exist
+            self.log.info("Invalid shortcut database format, skipping...")
+            cur.close()
+            conn.close()
+            return
+
+        names = [description[0] for description in cur.description]
+
+        for item in cur:
+            shortcut = {}
+            # We store the value of each column under the proper key.
+            for index, value in enumerate(item):
+                shortcut[names[index]] = value
+
+            action_data = plistlib.load(io.BytesIO(shortcut.pop("action_data", [])))
+            actions = []
+            for action_entry in action_data:
+                action = {}
+                action["identifier"] = action_entry["WFWorkflowActionIdentifier"]
+                action["parameters"] = action_entry["WFWorkflowActionParameters"]
+
+                # URLs might be in multiple fields, do a simple regex search across the parameters
+                extracted_urls = check_for_links(str(action["parameters"]))
+
+                # Remove quoting characters that may have been captured by the regex
+                action["urls"] = [url.rstrip("',") for url in extracted_urls]
+                actions.append(action)
+
+            # pprint.pprint(actions)
+            shortcut["isodate"] = convert_timestamp_to_iso(convert_mactime_to_unix(shortcut.pop("created_date")))
+            shortcut["modified_date"] = convert_timestamp_to_iso(convert_mactime_to_unix(shortcut["modified_date"]))
+            shortcut["parsed_actions"] = len(actions)
+            shortcut["action_urls"] = list(itertools.chain(*[action["urls"] for action in actions]))
+            self.results.append(shortcut)
+
+        cur.close()
+        conn.close()
+
+        self.log.info("Extracted a total of %d Shortcuts", len(self.results))

mvt/ios/modules/mixed/sms.py

@@ -18,6 +18,7 @@ SMS_ROOT_PATHS = [
     "private/var/mobile/Library/SMS/sms.db",
 ]
 
+
 class SMS(IOSExtraction):
     """This module extracts all SMS messages containing links."""
 
@@ -50,25 +51,44 @@ class SMS(IOSExtraction):
                                 root_paths=SMS_ROOT_PATHS)
         self.log.info("Found SMS database at path: %s", self.file_path)
 
-        conn = sqlite3.connect(self.file_path)
-        cur = conn.cursor()
-        cur.execute("""
-            SELECT
-                message.*,
-                handle.id as "phone_number"
-            FROM message, handle
-            WHERE handle.rowid = message.handle_id;
-        """)
+        try:
+            conn = sqlite3.connect(self.file_path)
+            cur = conn.cursor()
+            cur.execute("""
+                SELECT
+                    message.*,
+                    handle.id as "phone_number"
+                FROM message, handle
+                WHERE handle.rowid = message.handle_id;
+            """)
+            # Force the query early to catch database issues
+            items = list(cur)
+        except sqlite3.DatabaseError as e:
+            conn.close()
+            if "database disk image is malformed" in str(e):
+                self._recover_sqlite_db_if_needed(self.file_path, forced=True)
+                conn = sqlite3.connect(self.file_path)
+                cur = conn.cursor()
+                cur.execute("""
+                    SELECT
+                        message.*,
+                        handle.id as "phone_number"
+                    FROM message, handle
+                    WHERE handle.rowid = message.handle_id;
+                """)
+                items = list(cur)
+            else:
+                raise e
         names = [description[0] for description in cur.description]
 
-        for item in cur:
+        for item in items:
             message = {}
             for index, value in enumerate(item):
                 # We base64 escape some of the attributes that could contain
                 # binary data.
                 if (names[index] == "attributedBody" or
-                    names[index] == "payload_data" or
-                    names[index] == "message_summary_info") and value:
+                        names[index] == "payload_data" or
+                        names[index] == "message_summary_info") and value:
                     value = b64encode(value).decode()
 
                 # We store the value of each column under the proper key.
@@ -82,12 +102,16 @@ class SMS(IOSExtraction):
             if not message.get("text", None):
                 message["text"] = ""
 
-            # Extract links from the SMS message.
-            message_links = check_for_links(message.get("text", ""))
-
-            # If we find links in the messages or if they are empty we add them to the list.
-            if message_links or message.get("text", "").strip() == "":
+            if message.get("text", "").startswith("ALERT: State-sponsored attackers may be targeting your iPhone"):
+                self.log.warn("Apple warning about state-sponsored attack received on the %s", message["isodate"])
                 self.results.append(message)
+            else:
+                # Extract links from the SMS message.
+                message_links = check_for_links(message.get("text", ""))
+
+                # If we find links in the messages or if they are empty we add them to the list.
+                if message_links or message.get("text", "").strip() == "":
+                    self.results.append(message)
 
         cur.close()
         conn.close()

mvt/ios/modules/mixed/sms_attachments.py

@@ -17,6 +17,7 @@ SMS_ROOT_PATHS = [
     "private/var/mobile/Library/SMS/sms.db",
 ]
 
+
 class SMSAttachments(IOSExtraction):
     """This module extracts all info about SMS/iMessage attachments."""
 
@@ -45,7 +46,7 @@ class SMSAttachments(IOSExtraction):
         cur.execute("""
             SELECT
                 attachment.ROWID as "attachment_id",
-				attachment.*,
+                attachment.*,
                 message.service as "service",
                 handle.id as "phone_number"
             FROM attachment
@@ -73,7 +74,7 @@ class SMSAttachments(IOSExtraction):
             attachment["filename"] = attachment["filename"] or "NULL"
 
             if (attachment["filename"].startswith("/var/tmp/") and attachment["filename"].endswith("-1") and
-                attachment["direction"] == "received"):
+                    attachment["direction"] == "received"):
                 self.log.warn(f"Suspicious iMessage attachment '{attachment['filename']}' on {attachment['isodate']}")
                 self.detected.append(attachment)
 

mvt/ios/modules/mixed/tcc.py

@@ -17,6 +17,11 @@ TCC_ROOT_PATHS = [
     "private/var/mobile/Library/TCC/TCC.db",
 ]
 
+AUTH_VALUE_OLD = {
+    0: "denied",
+    1: "allowed"
+}
+
 AUTH_VALUES = {
     0: "denied",
     1: "unknown",
@@ -38,6 +43,7 @@ AUTH_REASONS = {
     12: "app_type_policy",
 }
 
+
 class TCC(IOSExtraction):
     """This module extracts records from the TCC.db SQLite database."""
 
@@ -47,37 +53,96 @@ class TCC(IOSExtraction):
                          output_folder=output_folder, fast_mode=fast_mode,
                          log=log, results=results)
 
+    def serialize(self, record):
+        if "last_modified" in record:
+            if "allowed_value" in record:
+                msg = f"Access to {record['service']} by {record['client']} {record['allowed_value']}"
+            else:
+                msg = f"Access to {record['service']} by {record['client']} {record['auth_value']}"
+            return {
+                "timestamp": record["last_modified"],
+                "module": self.__class__.__name__,
+                "event": "AccessRequest",
+                "data": msg
+            }
+
     def process_db(self, file_path):
         conn = sqlite3.connect(file_path)
         cur = conn.cursor()
-        cur.execute("""SELECT 
-            service, client, client_type, auth_value, auth_reason, last_modified
-        FROM access;""")
+        db_version = "v3"
+        try:
+            cur.execute("""SELECT
+                service, client, client_type, auth_value, auth_reason, last_modified
+            FROM access;""")
+        except sqlite3.OperationalError:
+            # v2 version
+            try:
+                cur.execute("""SELECT
+                    service, client, client_type, allowed, prompt_count, last_modified
+                    FROM access;""")
+                db_version = "v2"
+            except sqlite3.OperationalError:
+                cur.execute("""SELECT
+                    service, client, client_type, allowed, prompt_count
+                    FROM access;""")
+                db_version = "v1"
+
 
         for row in cur:
             service = row[0]
             client = row[1]
             client_type = row[2]
             client_type_desc = "bundle_id" if client_type == 0 else "absolute_path"
-            auth_value = row[3]
-            auth_value_desc = AUTH_VALUES.get(auth_value, "")
-            auth_reason = row[4]
-            auth_reason_desc = AUTH_REASONS.get(auth_reason, "unknown")
-            last_modified = convert_timestamp_to_iso(datetime.utcfromtimestamp((row[5])))
+            if db_version == "v3":
+                auth_value = row[3]
+                auth_value_desc = AUTH_VALUES.get(auth_value, "")
+                auth_reason = row[4]
+                auth_reason_desc = AUTH_REASONS.get(auth_reason, "unknown")
+                last_modified = convert_timestamp_to_iso(datetime.utcfromtimestamp((row[5])))
 
-            if service in ["kTCCServiceMicrophone", "kTCCServiceCamera"]:
-                device = "microphone" if service == "kTCCServiceMicrophone" else "camera"
-                self.log.info("Found client \"%s\" with access %s to %s on %s by %s",
-                              client, auth_value_desc, device, last_modified, auth_reason_desc)
+                if service in ["kTCCServiceMicrophone", "kTCCServiceCamera"]:
+                    device = "microphone" if service == "kTCCServiceMicrophone" else "camera"
+                    self.log.info("Found client \"%s\" with access %s to %s on %s by %s",
+                                client, auth_value_desc, device, last_modified, auth_reason_desc)
 
-            self.results.append({
-                "service": service,
-                "client": client,
-                "client_type": client_type_desc,
-                "auth_value": auth_value_desc,
-                "auth_reason_desc": auth_reason_desc,
-                "last_modified": last_modified,
-            })
+                self.results.append({
+                    "service": service,
+                    "client": client,
+                    "client_type": client_type_desc,
+                    "auth_value": auth_value_desc,
+                    "auth_reason_desc": auth_reason_desc,
+                    "last_modified": last_modified,
+                })
+            else:
+                allowed_value = row[3]
+                allowed_desc = AUTH_VALUE_OLD.get(allowed_value, "")
+                prompt_count = row[4]
+                if db_version == "v2":
+                    last_modified = convert_timestamp_to_iso(datetime.utcfromtimestamp((row[5])))
+                    if service in ["kTCCServiceMicrophone", "kTCCServiceCamera"]:
+                        device = "microphone" if service == "kTCCServiceMicrophone" else "camera"
+                        self.log.info("Found client \"%s\" with access %s to %s at %s",
+                                    client, allowed_desc, device, last_modified)
+                    self.results.append({
+                        "service": service,
+                        "client": client,
+                        "client_type": client_type_desc,
+                        "allowed_value": allowed_desc,
+                        "prompt_count": prompt_count,
+                        "last_modified": last_modified
+                    })
+                else:
+                    if service in ["kTCCServiceMicrophone", "kTCCServiceCamera"]:
+                        device = "microphone" if service == "kTCCServiceMicrophone" else "camera"
+                        self.log.info("Found client \"%s\" with access %s to %s",
+                                    client, allowed_desc, device)
+                    self.results.append({
+                        "service": service,
+                        "client": client,
+                        "client_type": client_type_desc,
+                        "allowed_value": allowed_desc,
+                        "prompt_count": prompt_count
+                    })
 
         cur.close()
         conn.close()

mvt/ios/modules/mixed/webkit_resource_load_statistics.py

@@ -17,6 +17,7 @@ WEBKIT_RESOURCELOADSTATICS_ROOT_PATHS = [
     "private/var/mobile/Containers/Data/Application/*/SystemData/com.apple.SafariViewService/Library/WebKit/WebsiteData/observations.db",
 ]
 
+
 class WebkitResourceLoadStatistics(IOSExtraction):
     """This module extracts records from WebKit ResourceLoadStatistics observations.db."""
     # TODO: Add serialize().
@@ -38,7 +39,7 @@ class WebkitResourceLoadStatistics(IOSExtraction):
             for item in items:
                 if self.indicators.check_domain(item["registrable_domain"]):
                     if key not in self.detected:
-                        self.detected[key] = [item,]
+                        self.detected[key] = [item, ]
                     else:
                         self.detected[key].append(item)
 
@@ -55,7 +56,7 @@ class WebkitResourceLoadStatistics(IOSExtraction):
         except sqlite3.OperationalError:
             return
 
-        if not key in self.results:
+        if key not in self.results:
             self.results[key] = []
 
         for row in cur:
@@ -76,7 +77,8 @@ class WebkitResourceLoadStatistics(IOSExtraction):
                 for backup_file in self._get_backup_files_from_manifest(relative_path=WEBKIT_RESOURCELOADSTATICS_BACKUP_RELPATH):
                     db_path = self._get_backup_file_from_id(backup_file["file_id"])
                     key = f"{backup_file['domain']}/{WEBKIT_RESOURCELOADSTATICS_BACKUP_RELPATH}"
-                    self._process_observations_db(db_path=db_path, key=key)
+                    if db_path:
+                        self._process_observations_db(db_path=db_path, key=key)
             except Exception as e:
                 self.log.info("Unable to search for WebKit observations.db: %s", e)
         elif self.is_fs_dump:

mvt/ios/modules/mixed/webkit_session_resource_log.py

@@ -20,6 +20,7 @@ WEBKIT_SESSION_RESOURCE_LOG_ROOT_PATHS = [
     "private/var/mobile/Library/WebClips/*/Storage/full_browsing_session_resourceLog.plist",
 ]
 
+
 class WebkitSessionResourceLog(IOSExtraction):
     """This module extracts records from WebKit browsing session
     resource logs, and checks them against any provided list of

mvt/ios/modules/mixed/whatsapp.py

@@ -20,6 +20,7 @@ WHATSAPP_ROOT_PATHS = [
     "private/var/mobile/Containers/Shared/AppGroup/*/ChatStorage.sqlite",
 ]
 
+
 class Whatsapp(IOSExtraction):
     """This module extracts all WhatsApp messages containing links."""
 
@@ -31,11 +32,14 @@ class Whatsapp(IOSExtraction):
 
     def serialize(self, record):
         text = record.get("ZTEXT", "").replace("\n", "\\n")
+        links_text = ""
+        if record["links"]:
+            links_text = " - Embedded links: " + ", ".join(record["links"])
         return {
             "timestamp": record.get("isodate"),
             "module": self.__class__.__name__,
             "event": "message",
-            "data": f"{text} from {record.get('ZFROMJID', 'Unknown')}",
+            "data": f"\'{text}\' from {record.get('ZFROMJID', 'Unknown')}{links_text}",
         }
 
     def check_indicators(self):
@@ -43,8 +47,7 @@ class Whatsapp(IOSExtraction):
             return
 
         for message in self.results:
-            message_links = check_for_links(message.get("ZTEXT", ""))
-            if self.indicators.check_domains(message_links):
+            if self.indicators.check_domains(message["links"]):
                 self.detected.append(message)
 
     def run(self):
@@ -54,26 +57,49 @@ class Whatsapp(IOSExtraction):
 
         conn = sqlite3.connect(self.file_path)
         cur = conn.cursor()
-        cur.execute("SELECT * FROM ZWAMESSAGE;")
+
+        # Query all messages and join tables which can contain media attachments and links
+        cur.execute("""
+            SELECT
+                ZWAMESSAGE.*,
+                ZWAMEDIAITEM.ZAUTHORNAME,
+                ZWAMEDIAITEM.ZMEDIAURL,
+                ZWAMESSAGEDATAITEM.ZCONTENT1,
+                ZWAMESSAGEDATAITEM.ZCONTENT2,
+                ZWAMESSAGEDATAITEM.ZMATCHEDTEXT,
+                ZWAMESSAGEDATAITEM.ZSUMMARY,
+                ZWAMESSAGEDATAITEM.ZTITLE
+            FROM ZWAMESSAGE
+            LEFT JOIN ZWAMEDIAITEM ON ZWAMEDIAITEM.ZMESSAGE = ZWAMESSAGE.Z_PK
+            LEFT JOIN ZWAMESSAGEDATAITEM ON ZWAMESSAGEDATAITEM.ZMESSAGE = ZWAMESSAGE.Z_PK;
+        """)
         names = [description[0] for description in cur.description]
 
-        for message in cur:
-            new_message = {}
-            for index, value in enumerate(message):
-                new_message[names[index]] = value
+        for message_row in cur:
+            message = {}
+            for index, value in enumerate(message_row):
+                message[names[index]] = value
 
-            if not new_message.get("ZTEXT", None):
-                continue
+            message["isodate"] = convert_timestamp_to_iso(convert_mactime_to_unix(message.get("ZMESSAGEDATE")))
+            message["ZTEXT"] = message["ZTEXT"] if message["ZTEXT"] else ""
 
-            # We convert Mac's silly timestamp again.
-            new_message["isodate"] = convert_timestamp_to_iso(convert_mactime_to_unix(new_message.get("ZMESSAGEDATE")))
+            # Extract links from the WhatsApp message. URLs can be stored in multiple fields/columns. Check each of them!
+            message_links = []
+            fields_with_links = ["ZTEXT", "ZMATCHEDTEXT", "ZMEDIAURL", "ZCONTENT1", "ZCONTENT2"]
+            for field in fields_with_links:
+                if message.get(field):
+                    message_links.extend(check_for_links(message.get(field, "")))
 
-            # Extract links from the WhatsApp message.
-            message_links = check_for_links(new_message["ZTEXT"])
+            # Remove WhatsApp internal media URLs
+            filtered_links = []
+            for link in message_links:
+                if not (link.startswith("https://mmg-fna.whatsapp.net/") or link.startswith("https://mmg.whatsapp.net/")):
+                    filtered_links.append(link)
 
-            # If we find messages, or if there's an empty message we add it to the list.
-            if new_message["ZTEXT"] and (message_links or new_message["ZTEXT"].strip() == ""):
-                self.results.append(new_message)
+            # If we find messages with links, or if there's an empty message we add it to the results list.
+            if filtered_links or (message.get("ZTEXT") or "").strip() == "":
+                message["links"] = list(set(filtered_links))
+                self.results.append(message)
 
         cur.close()
         conn.close()

mvt/ios/modules/net_base.py

@@ -39,7 +39,9 @@ class NetBase(IOSExtraction):
                 ZLIVEUSAGE.ZHASPROCESS,
                 ZLIVEUSAGE.ZTIMESTAMP
             FROM ZLIVEUSAGE
-            LEFT JOIN ZPROCESS ON ZLIVEUSAGE.ZHASPROCESS = ZPROCESS.Z_PK;
+            LEFT JOIN ZPROCESS ON ZLIVEUSAGE.ZHASPROCESS = ZPROCESS.Z_PK
+            UNION
+            SELECT ZFIRSTTIMESTAMP, ZTIMESTAMP, ZPROCNAME, ZBUNDLENAME, Z_PK, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM ZPROCESS WHERE Z_PK NOT IN (SELECT ZHASPROCESS FROM ZLIVEUSAGE);
         """)
 
         for row in cur:
@@ -68,7 +70,7 @@ class NetBase(IOSExtraction):
                 "wwan_out": row[8],
                 "live_id": row[9],
                 "live_proc_id": row[10],
-                "live_isodate": live_timestamp,
+                "live_isodate": live_timestamp if row[10] else first_isodate,
             })
 
         cur.close()
@@ -79,7 +81,7 @@ class NetBase(IOSExtraction):
     def serialize(self, record):
         record_data = f"{record['proc_name']} (Bundle ID: {record['bundle_id']}, ID: {record['proc_id']})"
         record_data_usage = record_data + f" WIFI IN: {record['wifi_in']}, WIFI OUT: {record['wifi_out']} - "  \
-                            f"WWAN IN: {record['wwan_in']}, WWAN OUT: {record['wwan_out']}"
+            f"WWAN IN: {record['wwan_in']}, WWAN OUT: {record['wwan_out']}"
 
         records = [{
             "timestamp": record["live_isodate"],
@@ -89,7 +91,7 @@ class NetBase(IOSExtraction):
         }]
 
         # Only included first_usage and current_usage records when a ZPROCESS entry exists.
-        if "MANIPULATED" not in record["proc_name"] and "MISSING" not in record["proc_name"]:
+        if "MANIPULATED" not in record["proc_name"] and "MISSING" not in record["proc_name"] and record["live_proc_id"] is not None:
             records.extend([
                 {
                     "timestamp": record["first_isodate"],
@@ -151,6 +153,8 @@ class NetBase(IOSExtraction):
                         msg = msg + " (However, the process name might have been truncated in the database)"
 
                     self.log.warning(msg)
+            if not proc["live_proc_id"]:
+                self.log.info(f"Found process entry in ZPROCESS but not in ZLIVEUSAGE : {proc['proc_name']} at {proc['live_isodate']}")
 
     def check_manipulated(self):
         """Check for missing or manipulate DB entries"""

mvt/ios/versions.py

@@ -38,6 +38,10 @@ IPHONE_MODELS = [
     {"identifier": "iPhone13,2", "description": "iPhone 12"},
     {"identifier": "iPhone13,3", "description": "iPhone 12 Pro"},
     {"identifier": "iPhone13,4", "description": "iPhone 12 Pro Max"},
+    {"identifier": "iPhone14,4", "description": "iPhone 13 Mini"},
+    {"identifier": "iPhone14,5", "description": "iPhone 13"},
+    {"identifier": "iPhone14,2", "description": "iPhone 13 Pro"},
+    {"identifier": "iPhone14,3", "description": "iPhone 13 Pro Max"},
 ]
 
 IPHONE_IOS_VERSIONS = [
@@ -223,13 +227,22 @@ IPHONE_IOS_VERSIONS = [
     {"build": "18G69", "version": "14.7"},
     {"build": "18G82", "version": "14.7.1"},
     {"build": "18H17", "version": "14.8"},
+    {"build": "18H107", "version": "14.8.1"},
+    {"build": "19A341", "version": "15.0"},
+    {"build": "19A346", "version": "15.0"},
+    {"build": "19A348", "version": "15.0.1"},
+    {"build": "19A404", "version": "15.0.2"},
+    {"build": "19B74", "version": "15.1"},
+    {"build": "19B81", "version": "15.1.1"},
 ]
 
+
 def get_device_desc_from_id(identifier, devices_list=IPHONE_MODELS):
     for model in IPHONE_MODELS:
         if identifier == model["identifier"]:
             return model["description"]
 
+
 def find_version_by_build(build):
     build = build.upper()
     for version in IPHONE_IOS_VERSIONS:

public_indicators.json

@@ -0,0 +1,14 @@
+[
+    {
+        "name": "NSO Group Pegasus Indicators of Compromise",
+        "source": "Amnesty International",
+        "reference": "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/",
+        "stix2_url": "https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/pegasus.stix2"
+    },
+    {
+        "name": "Cytrox Predator Spyware Indicators of Compromise",
+        "source": "Meta, Amnesty International, Citizen Lab",
+        "reference": "https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/",
+        "stix2_url": "https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-12-16_cytrox/cytrox.stix2"
+    }
+]

setup.py

@@ -16,20 +16,22 @@ with open(readme_path, encoding="utf-8") as handle:
 
 requires = (
     # Base dependencies:
-    "click>=8.0.1",
-    "rich>=10.6.0",
+    "click>=8.0.3",
+    "rich>=10.12.0",
     "tld>=0.12.6",
-    "tqdm>=4.61.2",
+    "tqdm>=4.62.3",
     "requests>=2.26.0",
-    "simplejson>=3.17.3",
+    "simplejson>=3.17.5",
     "packaging>=21.0",
+    "appdirs>=1.4.4",
     # iOS dependencies:
-    "iOSbackup>=0.9.912",
+    "iOSbackup>=0.9.921",
     # Android dependencies:
-    "adb-shell>=0.4.0",
-    "libusb1>=1.9.3",
+    "adb-shell>=0.4.2",
+    "libusb1>=2.0.1",
 )
 
+
 def get_package_data(package):
     walk = [(dirpath.replace(package + os.sep, "", 1), filenames)
             for dirpath, dirnames, filenames in os.walk(package)
@@ -41,6 +43,7 @@ def get_package_data(package):
                           for filename in filenames])
     return {package: filepaths}
 
+
 setup(
     name="mvt",
     version=MVT_VERSION,