Bumps version

* Added Documentation for Encrypted Iphone Backup with Finder on MacOS

* Added details on where to check the backups after completion and added screenshots for the process

* Added location of backups

.github/workflows/flake8.yml

@@ -1,26 +0,0 @@
-name: Flake8
-
-on:
-  push:
-    paths:
-      - '*.py'
-
-jobs:
-  flake8_py3:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Setup Python
-        uses: actions/setup-python@v1
-        with:
-          python-version: 3.9
-          architecture: x64
-      - name: Checkout
-        uses: actions/checkout@master
-      - name: Install flake8
-        run: pip install flake8
-      - name: Run flake8
-        uses: suo/flake8-github-action@releases/v1
-        with:
-          checkName: 'flake8_py3'   # NOTE: this needs to be the same as the job name
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/python-package.yml

@@ -16,8 +16,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        # python-version: [3.7, 3.8, 3.9]
-        python-version: [3.8, 3.9]
+        python-version: ['3.8', '3.9', '3.10']
 
     steps:
     - uses: actions/checkout@v2
@@ -27,6 +26,7 @@ jobs:
         python-version: ${{ matrix.python-version }}
     - name: Install dependencies
       run: |
+        python -m pip install --upgrade setuptools
         python -m pip install --upgrade pip
         python -m pip install flake8 pytest safety stix2 pytest-mock
         if [ -f requirements.txt ]; then pip install -r requirements.txt; fi

.github/workflows/ruff.yml

@@ -0,0 +1,21 @@
+name: Ruff
+on: [push]
+
+jobs:
+  ruff_py3:
+    name: Ruff syntax check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup Python
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.9
+          architecture: x64
+      - name: Checkout
+        uses: actions/checkout@master
+      - name: Install Dependencies
+        run: |
+          pip install ruff
+      - name: ruff
+        run: |
+          ruff check .

Makefile

@@ -1,5 +1,10 @@
 PWD = $(shell pwd)
 
+check:
+	flake8
+	pytest -q
+	ruff check -q .
+
 clean:
 	rm -rf $(PWD)/build $(PWD)/dist $(PWD)/mvt.egg-info
 

docs/install.md

@@ -54,7 +54,7 @@ Then you can install MVT directly from [pypi](https://pypi.org/project/mvt/)
 pip3 install mvt
 ```
 
-Or from the source code:
+If you want to have the latest features in development, you can install MVT directly from the source code. If you installed MVT previously from pypi, you should first uninstall it using `pip3 uninstall mvt` and then install from the source code:
 
 ```bash
 git clone https://github.com/mvt-project/mvt.git

docs/ios/backup/itunes.md

@@ -1,16 +1,41 @@
 # Backup with iTunes app
 
-It is possible to do an iPhone backup by using iTunes on Windows or macOS computers (in most recent versions of macOS, this feature is included in Finder).
+It is possible to do an iPhone backup by using iTunes on Windows or macOS computers (in most recent versions of macOS, this feature is included in Finder, see below).
 
 To do that:
 
-* Make sure iTunes is installed.
-* Connect your iPhone to your computer using a Lightning/USB cable.
-* Open the device in iTunes (or Finder on macOS).
-* If you want to have a more accurate detection, ensure that the encrypted backup option is activated and choose a secure password for the backup.
-* Start the backup and wait for it to finish (this may take up to 30 minutes).
+1. Make sure iTunes is installed.
+2. Connect your iPhone to your computer using a Lightning/USB cable.
+3. Open the device in iTunes (or Finder on macOS).
+4. If you want to have a more accurate detection, ensure that the encrypted backup option is activated and choose a secure password for the backup.
+5. Start the backup and wait for it to finish (this may take up to 30 minutes).
 
 ![](../../../img/macos-backup.jpg)
 _Source: [Apple Support](https://support.apple.com/en-us/HT211229)_
 
-* Once the backup is done, find its location and copy it to a place where it can be analyzed by MVT. On Windows, the backup can be stored either in `%USERPROFILE%\Apple\MobileSync\` or `%USERPROFILE%\AppData\Roaming\Apple Computer\MobileSync\`. On macOS, the backup is stored in `~/Library/Application Support/MobileSync/`.
+Once the backup is done, find its location and copy it to a place where it can be analyzed by MVT. On Windows, the backup can be stored either in `%USERPROFILE%\Apple\MobileSync\` or `%USERPROFILE%\AppData\Roaming\Apple Computer\MobileSync\`. On macOS, the backup is stored in `~/Library/Application Support/MobileSync/`.
+
+# Backup with Finder
+
+On more recent MacOS versions, this feature is included in Finder. To do a backup:
+
+1. Launch Finder on your Mac.
+2. Connect your iPhone to your Mac using a Lightning/USB cable.
+3. Select your device from the list of devices located at the bottom of the left side bar labeled "locations".
+4. In the General tab, select `Back up all the data on your iPhone to this Mac` from the options under the Backups section.
+5. Check the box that says `Encrypt local backup`. If it is your first time selecting this option, you may need to enter a password to encrypt the backup.
+
+![](../../../img/macos-backup2.png)
+_Source: [Apple Support](https://support.apple.com/en-us/HT211229)_
+
+6. Click `Back Up Now` to start the back-up process.
+7. The encrypted backup for your iPhone should now start. Once the process finishes, you can check the backup by opening `Finder`, clicking on the `General` tab, then click on `Manage Backups`. Now you should see a list of your backups like the image below:
+
+![](../../../img/macos-backups.png)
+_Source: [Apple Support](https://support.apple.com/en-us/HT211229)_
+
+If your backup has a lock next to it like in the image above, then the backup is encrypted. You should also see the date and time when the encrypted backup was created. The backup files are stored in `~/Library/Application Support/MobileSync/`.
+
+## Notes:
+
+- Remember to keep the backup encryption password that you created safe, since without it you will not be able to access/modify/decrypt the backup file.

mvt/__init__.py

@@ -1,4 +1,4 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

mvt/android/__init__.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/cli.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -9,7 +9,7 @@ import click
 from rich.logging import RichHandler
 
 from mvt.common.cmd_check_iocs import CmdCheckIOCS
-from mvt.common.help import (HELP_MSG_FAST, HELP_MSG_IOC,
+from mvt.common.help import (HELP_MSG_FAST, HELP_MSG_HASHES, HELP_MSG_IOC,
                              HELP_MSG_LIST_MODULES, HELP_MSG_MODULE,
                              HELP_MSG_OUTPUT, HELP_MSG_SERIAL)
 from mvt.common.logo import logo
@@ -30,6 +30,7 @@ LOG_FORMAT = "[%(name)s] %(message)s"
 logging.basicConfig(level="INFO", format=LOG_FORMAT, handlers=[
     RichHandler(show_path=False, log_time_format="%X")])
 log = logging.getLogger(__name__)
+CONTEXT_SETTINGS = dict(help_option_names=['-h', '--help'])
 
 
 #==============================================================================
@@ -51,7 +52,8 @@ def version():
 #==============================================================================
 # Command: download-apks
 #==============================================================================
-@cli.command("download-apks", help="Download all or only non-system installed APKs")
+@cli.command("download-apks", help="Download all or only non-system installed APKs",
+             context_settings=CONTEXT_SETTINGS)
 @click.option("--serial", "-s", type=str, help=HELP_MSG_SERIAL)
 @click.option("--all-apks", "-a", is_flag=True,
               help="Extract all packages installed on the phone, including system packages")
@@ -100,7 +102,8 @@ def download_apks(ctx, all_apks, virustotal, output, from_file, serial):
 #==============================================================================
 # Command: check-adb
 #==============================================================================
-@cli.command("check-adb", help="Check an Android device over adb")
+@cli.command("check-adb", help="Check an Android device over adb",
+             context_settings=CONTEXT_SETTINGS)
 @click.option("--serial", "-s", type=str, help=HELP_MSG_SERIAL)
 @click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
               default=[], help=HELP_MSG_IOC)
@@ -130,7 +133,8 @@ def check_adb(ctx, serial, iocs, output, fast, list_modules, module):
 #==============================================================================
 # Command: check-bugreport
 #==============================================================================
-@cli.command("check-bugreport", help="Check an Android Bug Report")
+@cli.command("check-bugreport", help="Check an Android Bug Report",
+             context_settings=CONTEXT_SETTINGS)
 @click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
               default=[], help=HELP_MSG_IOC)
 @click.option("--output", "-o", type=click.Path(exists=False),
@@ -140,9 +144,10 @@ def check_adb(ctx, serial, iocs, output, fast, list_modules, module):
 @click.argument("BUGREPORT_PATH", type=click.Path(exists=True))
 @click.pass_context
 def check_bugreport(ctx, iocs, output, list_modules, module, bugreport_path):
+    # Always generate hashes as bug reports are small.
     cmd = CmdAndroidCheckBugreport(target_path=bugreport_path,
                                    results_path=output, ioc_files=iocs,
-                                   module_name=module)
+                                   module_name=module, hashes=True)
 
     if list_modules:
         cmd.list_modules()
@@ -160,7 +165,8 @@ def check_bugreport(ctx, iocs, output, list_modules, module, bugreport_path):
 #==============================================================================
 # Command: check-backup
 #==============================================================================
-@cli.command("check-backup", help="Check an Android Backup")
+@cli.command("check-backup", help="Check an Android Backup",
+             context_settings=CONTEXT_SETTINGS)
 @click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
               default=[], help=HELP_MSG_IOC)
 @click.option("--output", "-o", type=click.Path(exists=False),
@@ -169,8 +175,9 @@ def check_bugreport(ctx, iocs, output, list_modules, module, bugreport_path):
 @click.argument("BACKUP_PATH", type=click.Path(exists=True))
 @click.pass_context
 def check_backup(ctx, iocs, output, list_modules, backup_path):
+    # Always generate hashes as backups are generally small.
     cmd = CmdAndroidCheckBackup(target_path=backup_path, results_path=output,
-                                ioc_files=iocs)
+                                ioc_files=iocs, hashes=True)
 
     if list_modules:
         cmd.list_modules()
@@ -188,19 +195,21 @@ def check_backup(ctx, iocs, output, list_modules, backup_path):
 #==============================================================================
 # Command: check-androidqf
 #==============================================================================
-@cli.command("check-androidqf", help="Check data collected with AndroidQF")
+@cli.command("check-androidqf", help="Check data collected with AndroidQF",
+             context_settings=CONTEXT_SETTINGS)
 @click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
               default=[], help=HELP_MSG_IOC)
 @click.option("--output", "-o", type=click.Path(exists=False),
               help=HELP_MSG_OUTPUT)
 @click.option("--list-modules", "-l", is_flag=True, help=HELP_MSG_LIST_MODULES)
 @click.option("--module", "-m", help=HELP_MSG_MODULE)
+@click.option("--hashes", "-H", is_flag=True, help=HELP_MSG_HASHES)
 @click.argument("ANDROIDQF_PATH", type=click.Path(exists=True))
 @click.pass_context
-def check_androidqf(ctx, iocs, output, list_modules, module, androidqf_path):
+def check_androidqf(ctx, iocs, output, list_modules, module, hashes, androidqf_path):
     cmd = CmdAndroidCheckAndroidQF(target_path=androidqf_path,
                                    results_path=output, ioc_files=iocs,
-                                   module_name=module)
+                                   module_name=module, hashes=hashes)
 
     if list_modules:
         cmd.list_modules()
@@ -218,7 +227,8 @@ def check_androidqf(ctx, iocs, output, list_modules, module, androidqf_path):
 #==============================================================================
 # Command: check-iocs
 #==============================================================================
-@cli.command("check-iocs", help="Compare stored JSON results to provided indicators")
+@cli.command("check-iocs", help="Compare stored JSON results to provided indicators",
+             context_settings=CONTEXT_SETTINGS)
 @click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
               default=[], help=HELP_MSG_IOC)
 @click.option("--list-modules", "-l", is_flag=True, help=HELP_MSG_LIST_MODULES)
@@ -239,7 +249,8 @@ def check_iocs(ctx, iocs, list_modules, module, folder):
 #==============================================================================
 # Command: download-iocs
 #==============================================================================
-@cli.command("download-iocs", help="Download public STIX2 indicators")
+@cli.command("download-iocs", help="Download public STIX2 indicators",
+             context_settings=CONTEXT_SETTINGS)
 def download_indicators():
     ioc_updates = IndicatorsUpdates()
     ioc_updates.update()

mvt/android/cmd_check_adb.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/cmd_check_androidqf.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -23,10 +23,12 @@ class CmdAndroidCheckAndroidQF(Command):
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         fast_mode: Optional[bool] = False,
+        hashes: Optional[bool] = False,
     ) -> None:
         super().__init__(target_path=target_path, results_path=results_path,
                          ioc_files=ioc_files, module_name=module_name,
-                         serial=serial, fast_mode=fast_mode, log=log)
+                         serial=serial, fast_mode=fast_mode, hashes=hashes,
+                         log=log)
 
         self.name = "check-androidqf"
         self.modules = ANDROIDQF_MODULES

mvt/android/cmd_check_backup.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -9,10 +9,11 @@ import os
 import sys
 import tarfile
 from pathlib import Path
-from typing import Callable, Optional
+from typing import List, Optional
 
 from rich.prompt import Prompt
 
+from mvt.android.modules.backup.base import BackupExtraction
 from mvt.android.parsers.backup import (AndroidBackupParsingError,
                                         InvalidBackupPassword, parse_ab_header,
                                         parse_backup_file)
@@ -33,19 +34,24 @@ class CmdAndroidCheckBackup(Command):
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         fast_mode: Optional[bool] = False,
+        hashes: Optional[bool] = False,
     ) -> None:
         super().__init__(target_path=target_path, results_path=results_path,
                          ioc_files=ioc_files, module_name=module_name,
-                         serial=serial, fast_mode=fast_mode, log=log)
+                         serial=serial, fast_mode=fast_mode, hashes=hashes,
+                         log=log)
 
         self.name = "check-backup"
         self.modules = BACKUP_MODULES
 
-        self.backup_type = None
-        self.backup_archive = None
-        self.backup_files = []
+        self.backup_type: str = ""
+        self.backup_archive: Optional[tarfile.TarFile] = None
+        self.backup_files: List[str] = []
 
     def init(self) -> None:
+        if not self.target_path:
+            return
+
         if os.path.isfile(self.target_path):
             self.backup_type = "ab"
             with open(self.target_path, "rb") as handle:
@@ -86,7 +92,7 @@ class CmdAndroidCheckBackup(Command):
                          "Android Backup (.ab) file")
             sys.exit(1)
 
-    def module_init(self, module: Callable) -> None:
+    def module_init(self, module: BackupExtraction) -> None:  # type: ignore[override]
         if self.backup_type == "folder":
             module.from_folder(self.target_path, self.backup_files)
         else:

mvt/android/cmd_check_bugreport.py

@@ -1,14 +1,15 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
 import os
 from pathlib import Path
-from typing import Callable, Optional
+from typing import List, Optional
 from zipfile import ZipFile
 
+from mvt.android.modules.bugreport.base import BugReportModule
 from mvt.common.command import Command
 
 from .modules.bugreport import BUGREPORT_MODULES
@@ -26,19 +27,24 @@ class CmdAndroidCheckBugreport(Command):
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         fast_mode: Optional[bool] = False,
+        hashes: Optional[bool] = False,
     ) -> None:
         super().__init__(target_path=target_path, results_path=results_path,
                          ioc_files=ioc_files, module_name=module_name,
-                         serial=serial, fast_mode=fast_mode, log=log)
+                         serial=serial, fast_mode=fast_mode, hashes=hashes,
+                         log=log)
 
         self.name = "check-bugreport"
         self.modules = BUGREPORT_MODULES
 
-        self.bugreport_format = None
-        self.bugreport_archive = None
-        self.bugreport_files = []
+        self.bugreport_format: str = ""
+        self.bugreport_archive: Optional[ZipFile] = None
+        self.bugreport_files: List[str] = []
 
     def init(self) -> None:
+        if not self.target_path:
+            return
+
         if os.path.isfile(self.target_path):
             self.bugreport_format = "zip"
             self.bugreport_archive = ZipFile(self.target_path)
@@ -53,7 +59,7 @@ class CmdAndroidCheckBugreport(Command):
                                                 parent_path)
                     self.bugreport_files.append(file_path)
 
-    def module_init(self, module: Callable) -> None:
+    def module_init(self, module: BugReportModule) -> None:  # type: ignore[override]
         if self.bugreport_format == "zip":
             module.from_zip(self.bugreport_archive, self.bugreport_files)
         else:

mvt/android/cmd_download_apks.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/__init__.py

@@ -1,4 +1,4 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

mvt/android/modules/adb/__init__.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/base.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -138,7 +138,8 @@ class AndroidExtraction(MVTModule):
         :returns: Boolean indicating whether a `su` binary is present or not
 
         """
-        return bool(self._adb_command("command -v su"))
+        result = self._adb_command("command -v su && su -c true")
+        return bool(result) and "Permission denied" not in result
 
     def _adb_root_or_die(self) -> None:
         """Check if we have a `su` binary, otherwise raise an Exception."""

mvt/android/modules/adb/chrome_history.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -31,6 +31,7 @@ class ChromeHistory(AndroidExtraction):
         super().__init__(file_path=file_path, target_path=target_path,
                          results_path=results_path, fast_mode=fast_mode,
                          log=log, results=results)
+        self.results = []
 
     def serialize(self, record: dict) -> Union[dict, list]:
         return {
@@ -55,6 +56,7 @@ class ChromeHistory(AndroidExtraction):
         :param db_path: Path to the History database to process.
 
         """
+        assert isinstance(self.results, list)  # assert results type for mypy
         conn = sqlite3.connect(db_path)
         cur = conn.cursor()
         cur.execute("""

mvt/android/modules/adb/dumpsys_accessibility.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/dumpsys_activities.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/dumpsys_appops.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/dumpsys_battery_daily.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/dumpsys_battery_history.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/dumpsys_dbinfo.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/dumpsys_full.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/dumpsys_receivers.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/files.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -39,7 +39,7 @@ class Files(AndroidExtraction):
                          log=log, results=results)
         self.full_find = False
 
-    def serialize(self, record: dict) -> Union[dict, list]:
+    def serialize(self, record: dict) -> Union[dict, list, None]:
         if "modified_time" in record:
             return {
                 "timestamp": record["modified_time"],
@@ -62,6 +62,9 @@ class Files(AndroidExtraction):
                 self.detected.append(result)
 
     def backup_file(self, file_path: str) -> None:
+        if not self.results_path:
+            return
+
         local_file_name = file_path.replace("/", "_").replace(" ", "-")
         local_files_folder = os.path.join(self.results_path, "files")
         if not os.path.exists(local_files_folder):
@@ -79,13 +82,18 @@ class Files(AndroidExtraction):
                           file_path, local_file_path)
 
     def find_files(self, folder: str) -> None:
+        assert isinstance(self.results, list)
         if self.full_find:
             cmd = f"find '{folder}' -type f -printf '%T@ %m %s %u %g %p\n' 2> /dev/null"
             output = self._adb_command(cmd)
 
             for file_line in output.splitlines():
+                file_info = file_line.rstrip().split(" ", 5)
+                if len(file_line) < 6:
+                    self.log.info("Skipping invalid file info - %s", file_line.rstrip())
+                    continue
                 [unix_timestamp, mode, size,
-                 owner, group, full_path] = file_line.rstrip().split(" ", 5)
+                 owner, group, full_path] = file_info
                 mod_time = convert_unix_to_iso(unix_timestamp)
 
                 self.results.append({
@@ -117,8 +125,7 @@ class Files(AndroidExtraction):
         for entry in self.results:
             self.log.info("Found file in tmp folder at path %s",
                           entry.get("path"))
-            if self.results_path:
-                self.backup_file(entry.get("path"))
+            self.backup_file(entry.get("path"))
 
         for media_folder in ANDROID_MEDIA_FOLDERS:
             self.find_files(media_folder)

mvt/android/modules/adb/getprop.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -30,6 +30,16 @@ class Getprop(AndroidExtraction):
 
         self.results = {} if not results else results
 
+    def check_indicators(self) -> None:
+        if not self.indicators:
+            return
+
+        for result in self.results:
+            ioc = self.indicators.check_android_property_name(result.get("name", ""))
+            if ioc:
+                result["matched_indicator"] = ioc
+                self.detected.append(result)
+
     def run(self) -> None:
         self._adb_connect()
         output = self._adb_command("getprop")
@@ -38,13 +48,14 @@ class Getprop(AndroidExtraction):
         self.results = parse_getprop(output)
 
         # Alert if phone is outdated.
-        security_patch = self.results.get("ro.build.version.security_patch", "")
-        if security_patch:
-            patch_date = datetime.strptime(security_patch, "%Y-%m-%d")
+        for entry in self.results:
+            if entry.get("name", "") != "ro.build.version.security_patch":
+                continue
+            patch_date = datetime.strptime(entry["value"], "%Y-%m-%d")
             if (datetime.now() - patch_date) > timedelta(days=6*30):
                 self.log.warning("This phone has not received security updates "
                                  "for more than six months (last update: %s)",
-                                 security_patch)
+                                 entry["value"])
 
         self.log.info("Extracted %d Android system properties",
                       len(self.results))

mvt/android/modules/adb/logcat.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -30,9 +30,9 @@ class Logcat(AndroidExtraction):
         self._adb_connect()
 
         # Get the current logcat.
-        output = self._adb_command("logcat -d")
+        output = self._adb_command("logcat -d -b all \"*:V\"")
         # Get the locat prior to last reboot.
-        last_output = self._adb_command("logcat -L")
+        last_output = self._adb_command("logcat -L -b all \"*:V\"")
 
         if self.results_path:
             logcat_path = os.path.join(self.results_path,

mvt/android/modules/adb/packages.py

@@ -1,10 +1,10 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
-from typing import Optional, Union
+from typing import List, Optional, Union
 
 from rich.console import Console
 from rich.progress import track
@@ -39,7 +39,7 @@ DANGEROUS_PERMISSIONS = [
     "android.permission.USE_SIP",
     "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
 ]
-ROOT_PACKAGES = [
+ROOT_PACKAGES: List[str] = [
     "com.noshufou.android.su",
     "com.noshufou.android.su.elite",
     "eu.chainfire.supersu",

mvt/android/modules/adb/processes.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/root_binaries.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/selinux_status.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/settings.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/sms.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/whatsapp.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/androidqf/__init__.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/androidqf/base.py

@@ -1,12 +1,12 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import fnmatch
 import logging
 import os
-from typing import Optional
+from typing import Any, Dict, List, Optional, Union
 
 from mvt.common.module import MVTModule
 
@@ -21,7 +21,7 @@ class AndroidQFModule(MVTModule):
         results_path: Optional[str] = None,
         fast_mode: Optional[bool] = False,
         log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None
+        results: Union[List[Dict[str, Any]], Dict[str, Any], None] = None
     ) -> None:
         super().__init__(file_path=file_path, target_path=target_path,
                          results_path=results_path, fast_mode=fast_mode,

mvt/android/modules/androidqf/dumpsys_accessibility.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/androidqf/dumpsys_activities.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/androidqf/dumpsys_appops.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/androidqf/dumpsys_packages.py

@@ -1,17 +1,15 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
-from datetime import datetime
-from typing import Optional, Union
+from typing import Any, Dict, List, Optional, Union
 
 from mvt.android.modules.adb.packages import (DANGEROUS_PERMISSIONS,
                                               DANGEROUS_PERMISSIONS_THRESHOLD,
                                               ROOT_PACKAGES)
 from mvt.android.parsers.dumpsys import parse_dumpsys_packages
-from mvt.common.utils import convert_datetime_to_iso
 
 from .base import AndroidQFModule
 
@@ -26,7 +24,7 @@ class DumpsysPackages(AndroidQFModule):
         results_path: Optional[str] = None,
         fast_mode: Optional[bool] = False,
         log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None
+        results: Optional[List[Dict[str, Any]]] = None
     ) -> None:
         super().__init__(file_path=file_path, target_path=target_path,
                          results_path=results_path, fast_mode=fast_mode,

mvt/android/modules/androidqf/dumpsys_receivers.py

@@ -1,10 +1,10 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
-from typing import Optional
+from typing import Any, Dict, List, Optional, Union
 
 from mvt.android.modules.adb.dumpsys_receivers import (
     INTENT_DATA_SMS_RECEIVED, INTENT_NEW_OUTGOING_CALL,
@@ -24,7 +24,7 @@ class DumpsysReceivers(AndroidQFModule):
         results_path: Optional[str] = None,
         fast_mode: Optional[bool] = False,
         log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None
+        results: Union[List[Any], Dict[str, Any], None] = None
     ) -> None:
         super().__init__(file_path=file_path, target_path=target_path,
                          results_path=results_path, fast_mode=fast_mode,

mvt/android/modules/androidqf/getprop.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -7,7 +7,7 @@ import logging
 from datetime import datetime, timedelta
 from typing import Optional
 
-from mvt.android.parsers import getprop
+from mvt.android.parsers.getprop import parse_getprop
 
 from .base import AndroidQFModule
 
@@ -41,7 +41,17 @@ class Getprop(AndroidQFModule):
         super().__init__(file_path=file_path, target_path=target_path,
                          results_path=results_path, fast_mode=fast_mode,
                          log=log, results=results)
-        self.results = {}
+        self.results = []
+
+    def check_indicators(self) -> None:
+        if not self.indicators:
+            return
+
+        for result in self.results:
+            ioc = self.indicators.check_android_property_name(result.get("name", ""))
+            if ioc:
+                result["matched_indicator"] = ioc
+                self.detected.append(result)
 
     def run(self) -> None:
         getprop_files = self._get_files_by_pattern("*/getprop.txt")
@@ -52,15 +62,15 @@ class Getprop(AndroidQFModule):
         with open(getprop_files[0]) as f:
             data = f.read()
 
-        self.results = getprop.parse_getprop(data)
+        self.results = parse_getprop(data)
         for entry in self.results:
-            if entry in INTERESTING_PROPERTIES:
-                self.log.info("%s: %s", entry, self.results[entry])
-            if entry == "ro.build.version.security_patch":
-                last_patch = datetime.strptime(self.results[entry], "%Y-%m-%d")
+            if entry["name"] in INTERESTING_PROPERTIES:
+                self.log.info("%s: %s", entry["name"], entry["value"])
+            if entry["name"] == "ro.build.version.security_patch":
+                last_patch = datetime.strptime(entry["value"], "%Y-%m-%d")
                 if (datetime.now() - last_patch) > timedelta(days=6*31):
                     self.log.warning("This phone has not received security "
                                      "updates for more than six months "
-                                     "(last update: %s)", self.results[entry])
+                                     "(last update: %s)", entry["value"])
 
         self.log.info("Extracted a total of %d properties", len(self.results))

mvt/android/modules/androidqf/processes.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/androidqf/settings.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/androidqf/sms.py

@@ -1,7 +1,7 @@
-# Mobile Verification Toolkit (MVT) - Private
-# Copyright (c) 2021-2022 Claudio Guarnieri.
-# This file is part of MVT Private and its content is confidential.
-# Please refer to the project maintainers before sharing with others.
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1
 
 import getpass
 import logging

mvt/android/modules/backup/__init__.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/backup/base.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -7,7 +7,7 @@ import fnmatch
 import logging
 import os
 from tarfile import TarFile
-from typing import Optional
+from typing import List, Optional
 
 from mvt.common.module import MVTModule
 
@@ -32,14 +32,14 @@ class BackupExtraction(MVTModule):
         self.tar = None
         self.files = []
 
-    def from_folder(self, backup_path: str, files: list) -> None:
+    def from_folder(self, backup_path: Optional[str], files: List[str]) -> None:
         """
         Get all the files and list them
         """
         self.backup_path = backup_path
         self.files = files
 
-    def from_ab(self, file_path: str, tar: TarFile, files: list) -> None:
+    def from_ab(self, file_path: Optional[str], tar: Optional[TarFile], files: List[str]) -> None:
         """
         Extract the files
         """

mvt/android/modules/backup/sms.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/bugreport/__init__.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/bugreport/accessibility.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/bugreport/activities.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/bugreport/appops.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/bugreport/base.py

@@ -1,12 +1,12 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # See the file 'LICENSE' for usage and copying permissions, or find a copy at
 #   https://github.com/mvt-project/mvt/blob/main/LICENSE
 
 import fnmatch
 import logging
 import os
-from typing import Optional
+from typing import List, Optional
 from zipfile import ZipFile
 
 from mvt.common.module import MVTModule
@@ -28,16 +28,16 @@ class BugReportModule(MVTModule):
                          results_path=results_path, fast_mode=fast_mode,
                          log=log, results=results)
 
-        self.zip_archive = None
-        self.extract_path = None
-        self.extract_files = []
-        self.zip_files = []
+        self.zip_archive: Optional[ZipFile] = None
+        self.extract_path: Optional[str] = None
+        self.extract_files: List[str] = []
+        self.zip_files: List[str] = []
 
-    def from_folder(self, extract_path: str, extract_files: str) -> None:
+    def from_folder(self, extract_path: Optional[str], extract_files: List[str]) -> None:
         self.extract_path = extract_path
         self.extract_files = extract_files
 
-    def from_zip(self, zip_archive: ZipFile, zip_files: list) -> None:
+    def from_zip(self, zip_archive: Optional[ZipFile], zip_files: List[str]) -> None:
         self.zip_archive = zip_archive
         self.zip_files = zip_files
 

mvt/android/modules/bugreport/battery_daily.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/bugreport/battery_history.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/bugreport/dbinfo.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/bugreport/getprop.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/bugreport/packages.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/bugreport/receivers.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/parsers/__init__.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/parsers/backup.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/parsers/dumpsys.py

@@ -1,15 +1,16 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import re
 from datetime import datetime
+from typing import Any, Dict, List
 
 from mvt.common.utils import convert_datetime_to_iso
 
 
-def parse_dumpsys_accessibility(output: str) -> list:
+def parse_dumpsys_accessibility(output: str) -> List[Dict[str, str]]:
     results = []
 
     in_services = False
@@ -34,7 +35,7 @@ def parse_dumpsys_accessibility(output: str) -> list:
     return results
 
 
-def parse_dumpsys_activity_resolver_table(output: str) -> dict:
+def parse_dumpsys_activity_resolver_table(output: str) -> Dict[str, Any]:
     results = {}
 
     in_activity_resolver_table = False
@@ -138,7 +139,7 @@ def parse_dumpsys_battery_daily(output: str) -> list:
     return results
 
 
-def parse_dumpsys_battery_history(output: str) -> list:
+def parse_dumpsys_battery_history(output: str) -> List[Dict[str, Any]]:
     results = []
 
     for line in output.splitlines():
@@ -194,7 +195,7 @@ def parse_dumpsys_battery_history(output: str) -> list:
     return results
 
 
-def parse_dumpsys_dbinfo(output: str) -> list:
+def parse_dumpsys_dbinfo(output: str) -> List[Dict[str, Any]]:
     results = []
 
     rxp = re.compile(r'.*\[([0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3})\].*\[Pid:\((\d+)\)\](\w+).*sql\=\"(.+?)\"')  # pylint: disable=line-too-long
@@ -247,7 +248,7 @@ def parse_dumpsys_dbinfo(output: str) -> list:
     return results
 
 
-def parse_dumpsys_receiver_resolver_table(output: str) -> dict:
+def parse_dumpsys_receiver_resolver_table(output: str) -> Dict[str, Any]:
     results = {}
 
     in_receiver_resolver_table = False
@@ -304,7 +305,7 @@ def parse_dumpsys_receiver_resolver_table(output: str) -> dict:
     return results
 
 
-def parse_dumpsys_appops(output: str) -> list:
+def parse_dumpsys_appops(output: str) -> List[Dict[str, Any]]:
     results = []
     perm = {}
     package = {}
@@ -389,7 +390,7 @@ def parse_dumpsys_appops(output: str) -> list:
     return results
 
 
-def parse_dumpsys_package_for_details(output: str) -> dict:
+def parse_dumpsys_package_for_details(output: str) -> Dict[str, Any]:
     """
     Parse one entry of a dumpsys package information
     """
@@ -480,7 +481,7 @@ def parse_dumpsys_package_for_details(output: str) -> dict:
     return details
 
 
-def parse_dumpsys_packages(output: str) -> list:
+def parse_dumpsys_packages(output: str) -> List[Dict[str, Any]]:
     """
     Parse the dumpsys package service data
     """

mvt/android/parsers/getprop.py

@@ -1,13 +1,14 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import re
+from typing import Dict, List
 
 
-def parse_getprop(output: str) -> dict:
-    results = {}
+def parse_getprop(output: str) -> List[Dict[str, str]]:
+    results = []
     rxp = re.compile(r"\[(.+?)\]: \[(.+?)\]")
 
     for line in output.splitlines():
@@ -19,8 +20,10 @@ def parse_getprop(output: str) -> dict:
         if not matches or len(matches[0]) != 2:
             continue
 
-        key = matches[0][0]
-        value = matches[0][1]
-        results[key] = value
+        entry = {
+            "name": matches[0][0],
+            "value": matches[0][1]
+        }
+        results.append(entry)
 
     return results

mvt/common/__init__.py

@@ -1,4 +1,4 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

mvt/common/cmd_check_iocs.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -30,6 +30,7 @@ class CmdCheckIOCS(Command):
         self.name = "check-iocs"
 
     def run(self) -> None:
+        assert self.target_path is not None
         all_modules = []
         for entry in self.modules:
             if entry not in all_modules:

mvt/common/command.py

@@ -1,19 +1,20 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
-import hashlib
 import json
 import logging
 import os
 import sys
 from datetime import datetime
-from typing import Callable, Optional
+from typing import Optional
 
 from mvt.common.indicators import Indicators
-from mvt.common.module import run_module, save_timeline
-from mvt.common.utils import convert_datetime_to_iso
+from mvt.common.module import MVTModule, run_module, save_timeline
+from mvt.common.utils import (convert_datetime_to_iso,
+                              generate_hashes_from_path,
+                              get_sha256_from_file_path)
 from mvt.common.version import MVT_VERSION
 
 
@@ -27,6 +28,7 @@ class Command:
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         fast_mode: Optional[bool] = False,
+        hashes: Optional[bool] = False,
         log: logging.Logger = logging.getLogger(__name__),
     ) -> None:
         self.name = ""
@@ -49,6 +51,8 @@ class Command:
 
         self.detected_count = 0
 
+        self.hashes = hashes
+        self.hash_values = []
         self.timeline = []
         self.timeline_detected = []
 
@@ -107,45 +111,29 @@ class Command:
             if ioc_file_path and ioc_file_path not in info["ioc_files"]:
                 info["ioc_files"].append(ioc_file_path)
 
-        # TODO: Revisit if setting this from environment variable is good
-        #       enough.
-        if self.target_path and os.environ.get("MVT_HASH_FILES"):
-            if os.path.isfile(self.target_path):
-                sha256 = hashlib.sha256()
-                with open(self.target_path, "rb") as handle:
-                    sha256.update(handle.read())
+        if self.target_path and (os.environ.get("MVT_HASH_FILES") or self.hashes):
+            self.generate_hashes()
 
-                info["hashes"].append({
-                    "file_path": self.target_path,
-                    "sha256": sha256.hexdigest(),
-                })
-            elif os.path.isdir(self.target_path):
-                for (root, _, files) in os.walk(self.target_path):
-                    for file in files:
-                        file_path = os.path.join(root, file)
-                        sha256 = hashlib.sha256()
-
-                        try:
-                            with open(file_path, "rb") as handle:
-                                sha256.update(handle.read())
-                        except FileNotFoundError:
-                            self.log.error("Failed to hash the file %s: might be a symlink",
-                                           file_path)
-                            continue
-                        except PermissionError:
-                            self.log.error("Failed to hash the file %s: permission denied",
-                                           file_path)
-                            continue
-
-                        info["hashes"].append({
-                            "file_path": file_path,
-                            "sha256": sha256.hexdigest(),
-                        })
+        info["hashes"] = self.hash_values
 
         info_path = os.path.join(self.results_path, "info.json")
         with open(info_path, "w+", encoding="utf-8") as handle:
             json.dump(info, handle, indent=4)
 
+        if self.target_path and (os.environ.get("MVT_HASH_FILES") or self.hashes):
+            info_hash = get_sha256_from_file_path(info_path)
+            self.log.info("Reference hash of the info.json file: \"%s\"", info_hash)
+
+    def generate_hashes(self) -> None:
+        """
+        Compute hashes for files in the target_path
+        """
+        if not self.target_path:
+            return
+
+        for file in generate_hashes_from_path(self.target_path, self.log):
+            self.hash_values.append(file)
+
     def list_modules(self) -> None:
         self.log.info("Following is the list of available %s modules:",
                       self.name)
@@ -155,7 +143,7 @@ class Command:
     def init(self) -> None:
         raise NotImplementedError
 
-    def module_init(self, module: Callable) -> None:
+    def module_init(self, module: MVTModule) -> None:
         raise NotImplementedError
 
     def finish(self) -> None:
@@ -203,10 +191,10 @@ class Command:
             self.timeline.extend(m.timeline)
             self.timeline_detected.extend(m.timeline_detected)
 
-        self._store_timeline()
-        self._store_info()
-
         try:
             self.finish()
         except NotImplementedError:
             pass
+
+        self._store_timeline()
+        self._store_info()

mvt/common/help.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -9,6 +9,7 @@ HELP_MSG_IOC = "Path to indicators file (can be invoked multiple time)"
 HELP_MSG_FAST = "Avoid running time/resource consuming features"
 HELP_MSG_LIST_MODULES = "Print list of available modules and exit"
 HELP_MSG_MODULE = "Name of a single module you would like to run instead of all"
+HELP_MSG_HASHES = "Generate hashes of all the files analyzed"
 
 # Android-specific.
 HELP_MSG_SERIAL = "Specify a device serial number or HOST:PORT connection string"

mvt/common/indicators.py

@@ -1,12 +1,12 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import json
 import logging
 import os
-from typing import Optional, Union
+from typing import Any, Dict, Iterator, List, Optional, Union
 
 from appdirs import user_data_dir
 
@@ -23,7 +23,7 @@ class Indicators:
 
     def __init__(self, log=logging.Logger) -> None:
         self.log = log
-        self.ioc_collections = []
+        self.ioc_collections: List[Dict[str, Any]] = []
         self.total_ioc_count = 0
 
     def _load_downloaded_indicators(self) -> None:
@@ -72,6 +72,7 @@ class Indicators:
             "files_sha256": [],
             "app_ids": [],
             "ios_profile_ids": [],
+            "android_property_names": [],
             "count": 0,
         }
 
@@ -121,6 +122,11 @@ class Indicators:
                                 ioc_coll=collection,
                                 ioc_coll_list=collection["ios_profile_ids"])
 
+        elif key == "android-property:name":
+            self._add_indicator(ioc=value,
+                                ioc_coll=collection,
+                                ioc_coll_list=collection["android_property_names"])
+
     def parse_stix2(self, file_path: str) -> None:
         """Extract indicators from a STIX2 file.
 
@@ -209,7 +215,7 @@ class Indicators:
         self.log.info("Loaded a total of %d unique indicators",
                       self.total_ioc_count)
 
-    def get_iocs(self, ioc_type: str) -> Union[dict, None]:
+    def get_iocs(self, ioc_type: str) -> Union[Iterator[Dict[str, Any]], None]:
         for ioc_collection in self.ioc_collections:
             for ioc in ioc_collection.get(ioc_type, []):
                 yield {
@@ -519,3 +525,23 @@ class Indicators:
                 return ioc
 
         return None
+
+    def check_android_property_name(self, property_name: str) -> Optional[dict]:
+        """Check the android property name against the list of indicators.
+
+        :param property_name: Name of the Android property
+        :type property_name: str
+        :returns: Indicator details if matched, otherwise None
+
+        """
+        if property_name is None:
+            return None
+
+        for ioc in self.get_iocs("android_property_names"):
+            if property_name.lower() == ioc["value"].lower():
+                self.log.warning("Found a known suspicious Android property \"%s\" "
+                                 "matching indicators from \"%s\"", property_name,
+                                 ioc["name"])
+                return ioc
+
+        return None

mvt/common/logo.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/common/module.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -7,7 +7,7 @@ import csv
 import logging
 import os
 import re
-from typing import Callable, Optional, Union
+from typing import Any, Dict, List, Optional, Union
 
 import simplejson as json
 
@@ -28,7 +28,7 @@ class MVTModule:
     """This class provides a base for all extraction modules."""
 
     enabled = True
-    slug = None
+    slug: Optional[str] = None
 
     def __init__(
         self,
@@ -37,7 +37,7 @@ class MVTModule:
         results_path: Optional[str] = None,
         fast_mode: Optional[bool] = False,
         log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None
+        results: Union[List[Dict[str, Any]], Dict[str, Any], None] = None
     ) -> None:
         """Initialize module.
 
@@ -61,12 +61,12 @@ class MVTModule:
         self.log = log
         self.indicators = None
         self.results = results if results else []
-        self.detected = []
-        self.timeline = []
-        self.timeline_detected = []
+        self.detected: List[Dict[str, Any]] = []
+        self.timeline: List[Dict[str, str]] = []
+        self.timeline_detected: List[Dict[str, str]] = []
 
     @classmethod
-    def from_json(cls, json_path: str, log: logging.Logger = None):
+    def from_json(cls, json_path: str, log: logging.Logger):
         with open(json_path, "r", encoding="utf-8") as handle:
             results = json.load(handle)
             if log:
@@ -116,7 +116,7 @@ class MVTModule:
             with open(detected_json_path, "w", encoding="utf-8") as handle:
                 json.dump(self.detected, handle, indent=4, default=str)
 
-    def serialize(self, record: dict) -> Union[dict, list]:
+    def serialize(self, record: dict) -> Union[dict, list, None]:
         raise NotImplementedError
 
     @staticmethod
@@ -159,7 +159,7 @@ class MVTModule:
         raise NotImplementedError
 
 
-def run_module(module: Callable) -> None:
+def run_module(module: MVTModule) -> None:
     module.log.info("Running module %s...", module.__class__.__name__)
 
     try:

mvt/common/options.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/common/updates.py

@@ -1,11 +1,12 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
 import os
 from datetime import datetime
+from typing import Optional, Tuple
 
 import requests
 import yaml
@@ -83,7 +84,7 @@ class IndicatorsUpdates:
         with open(self.latest_update_path, "w", encoding="utf-8") as handle:
             handle.write(str(timestamp))
 
-    def get_remote_index(self) -> dict:
+    def get_remote_index(self) -> Optional[dict]:
         url = self.github_raw_url.format(self.index_owner, self.index_repo,
                                          self.index_branch, self.index_path)
         res = requests.get(url)
@@ -94,7 +95,7 @@ class IndicatorsUpdates:
 
         return yaml.safe_load(res.content)
 
-    def download_remote_ioc(self, ioc_url: str) -> str:
+    def download_remote_ioc(self, ioc_url: str) -> Optional[str]:
         res = requests.get(ioc_url)
         if res.status_code != 200:
             log.error("Failed to download indicators file from %s (error %d)",
@@ -116,6 +117,9 @@ class IndicatorsUpdates:
             os.makedirs(MVT_INDICATORS_FOLDER)
 
         index = self.get_remote_index()
+        if not index:
+            return
+
         for ioc in index.get("indicators", []):
             ioc_type = ioc.get("type", "")
 
@@ -171,7 +175,7 @@ class IndicatorsUpdates:
 
         return latest_commit_ts
 
-    def should_check(self) -> (bool, int):
+    def should_check(self) -> Tuple[bool, int]:
         now = datetime.utcnow()
         latest_check_ts = self.get_latest_check()
         latest_check_dt = datetime.fromtimestamp(latest_check_ts)
@@ -182,7 +186,7 @@ class IndicatorsUpdates:
         if diff_hours >= INDICATORS_CHECK_FREQUENCY:
             return True, 0
 
-        return False, INDICATORS_CHECK_FREQUENCY - diff_hours
+        return False, int(INDICATORS_CHECK_FREQUENCY - diff_hours)
 
     def check(self) -> bool:
         self.set_latest_check()
@@ -197,6 +201,9 @@ class IndicatorsUpdates:
             return True
 
         index = self.get_remote_index()
+        if not index:
+            return False
+
         for ioc in index.get("indicators", []):
             if ioc.get("type", "") != "github":
                 continue

mvt/common/url.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/common/utils.py

@@ -1,15 +1,16 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import datetime
 import hashlib
+import os
 import re
-from typing import Union
+from typing import Any, Iterator, Union
 
 
-def convert_chrometime_to_datetime(timestamp: int) -> int:
+def convert_chrometime_to_datetime(timestamp: int) -> datetime.datetime:
     """Converts Chrome timestamp to a datetime.
 
     :param timestamp: Chrome timestamp as int.
@@ -50,7 +51,7 @@ def convert_unix_to_utc_datetime(
     return datetime.datetime.utcfromtimestamp(float(timestamp))
 
 
-def convert_unix_to_iso(timestamp: int) -> str:
+def convert_unix_to_iso(timestamp: Union[int, float, str]) -> str:
     """Converts a unix epoch to ISO string.
 
     :param timestamp: Epoc timestamp to convert.
@@ -122,24 +123,9 @@ def check_for_links(text: str) -> list:
     return re.findall(r"(?P<url>https?://[^\s]+)", text, re.IGNORECASE)
 
 
-def get_sha256_from_file_path(file_path: str) -> str:
-    """Calculate the SHA256 hash of a file from a file path.
-
-    :param file_path: Path to the file to hash
-    :returns: The SHA256 hash string
-
-    """
-    sha256_hash = hashlib.sha256()
-    with open(file_path, "rb") as handle:
-        for byte_block in iter(lambda: handle.read(4096), b""):
-            sha256_hash.update(byte_block)
-
-    return sha256_hash.hexdigest()
-
-
 # Note: taken from here:
 # https://stackoverflow.com/questions/57014259/json-dumps-on-dictionary-with-bytes-for-keys
-def keys_bytes_to_string(obj) -> str:
+def keys_bytes_to_string(obj: Any) -> Any:
     """Convert object keys from bytes to string.
 
     :param obj: Object to convert from bytes to string.
@@ -165,3 +151,46 @@ def keys_bytes_to_string(obj) -> str:
         new_obj[key] = value
 
     return new_obj
+
+
+def get_sha256_from_file_path(file_path: str) -> str:
+    """Calculate the SHA256 hash of a file from a file path.
+
+    :param file_path: Path to the file to hash
+    :returns: The SHA256 hash string
+
+    """
+    sha256_hash = hashlib.sha256()
+    with open(file_path, "rb") as handle:
+        for byte_block in iter(lambda: handle.read(4096), b""):
+            sha256_hash.update(byte_block)
+
+    return sha256_hash.hexdigest()
+
+
+def generate_hashes_from_path(path: str, log) -> Iterator[dict]:
+    """
+    Generates hashes of all files at the given path.
+
+    :params path: Path of the given folder or file
+    :returns: generator of dict {"file_path", "hash"}
+    """
+    if os.path.isfile(path):
+        hash_value = get_sha256_from_file_path(path)
+        yield {"file_path": path, "sha256": hash_value}
+    elif os.path.isdir(path):
+        for (root, _, files) in os.walk(path):
+            for file in files:
+                file_path = os.path.join(root, file)
+                try:
+                    sha256 = get_sha256_from_file_path(file_path)
+                except FileNotFoundError:
+                    log.error("Failed to hash the file %s: might be a symlink",
+                              file_path)
+                    continue
+                except PermissionError:
+                    log.error("Failed to hash the file %s: permission denied",
+                              file_path)
+                    continue
+
+                yield {"file_path": file_path, "sha256": sha256}

mvt/common/version.py

@@ -1,6 +1,6 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
-MVT_VERSION = "2.2.1"
+MVT_VERSION = "2.2.3"

mvt/common/virustotal.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/ios/__init__.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/ios/cli.py

@@ -1,8 +1,9 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
+import json
 import logging
 import os
 
@@ -11,12 +12,13 @@ from rich.logging import RichHandler
 from rich.prompt import Prompt
 
 from mvt.common.cmd_check_iocs import CmdCheckIOCS
-from mvt.common.help import (HELP_MSG_FAST, HELP_MSG_IOC,
+from mvt.common.help import (HELP_MSG_FAST, HELP_MSG_HASHES, HELP_MSG_IOC,
                              HELP_MSG_LIST_MODULES, HELP_MSG_MODULE,
                              HELP_MSG_OUTPUT)
 from mvt.common.logo import logo
 from mvt.common.options import MutuallyExclusiveOption
 from mvt.common.updates import IndicatorsUpdates
+from mvt.common.utils import generate_hashes_from_path
 
 from .cmd_check_backup import CmdIOSCheckBackup
 from .cmd_check_fs import CmdIOSCheckFS
@@ -33,6 +35,7 @@ log = logging.getLogger(__name__)
 
 # Set this environment variable to a password if needed.
 MVT_IOS_BACKUP_PASSWORD = "MVT_IOS_BACKUP_PASSWORD"
+CONTEXT_SETTINGS = dict(help_option_names=['-h', '--help'])
 
 
 #==============================================================================
@@ -54,7 +57,8 @@ def version():
 #==============================================================================
 # Command: decrypt-backup
 #==============================================================================
-@cli.command("decrypt-backup", help="Decrypt an encrypted iTunes backup")
+@cli.command("decrypt-backup", help="Decrypt an encrypted iTunes backup",
+             context_settings=CONTEXT_SETTINGS)
 @click.option("--destination", "-d", required=True,
               help="Path to the folder where to store the decrypted backup")
 @click.option("--password", "-p", cls=MutuallyExclusiveOption,
@@ -66,9 +70,10 @@ def version():
               help="File containing raw encryption key to use to decrypt "
                    "the backup",
               mutually_exclusive=["password"])
+@click.option("--hashes", "-H", is_flag=True, help=HELP_MSG_HASHES)
 @click.argument("BACKUP_PATH", type=click.Path(exists=True))
 @click.pass_context
-def decrypt_backup(ctx, destination, password, key_file, backup_path):
+def decrypt_backup(ctx, destination, password, key_file, hashes, backup_path):
     backup = DecryptBackup(backup_path, destination)
 
     if key_file:
@@ -99,11 +104,22 @@ def decrypt_backup(ctx, destination, password, key_file, backup_path):
 
     backup.process_backup()
 
+    if hashes:
+        info = {"encrypted": [], "decrypted": []}
+        for file in generate_hashes_from_path(backup_path, log):
+            info["encrypted"].append(file)
+        for file in generate_hashes_from_path(destination, log):
+            info["decrypted"].append(file)
+        info_path = os.path.join(destination, "info.json")
+        with open(info_path, "w+", encoding="utf-8") as handle:
+            json.dump(info, handle, indent=4)
+
 
 #==============================================================================
 # Command: extract-key
 #==============================================================================
-@cli.command("extract-key", help="Extract decryption key from an iTunes backup")
+@cli.command("extract-key", help="Extract decryption key from an iTunes backup",
+             context_settings=CONTEXT_SETTINGS)
 @click.option("--password", "-p",
               help="Password to use to decrypt the backup (or, set "
                    f"{MVT_IOS_BACKUP_PASSWORD} environment variable)")
@@ -140,7 +156,8 @@ def extract_key(password, key_file, backup_path):
 #==============================================================================
 # Command: check-backup
 #==============================================================================
-@cli.command("check-backup", help="Extract artifacts from an iTunes backup")
+@cli.command("check-backup", help="Extract artifacts from an iTunes backup",
+             context_settings=CONTEXT_SETTINGS)
 @click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
               default=[], help=HELP_MSG_IOC)
 @click.option("--output", "-o", type=click.Path(exists=False),
@@ -148,11 +165,13 @@ def extract_key(password, key_file, backup_path):
 @click.option("--fast", "-f", is_flag=True, help=HELP_MSG_FAST)
 @click.option("--list-modules", "-l", is_flag=True, help=HELP_MSG_LIST_MODULES)
 @click.option("--module", "-m", help=HELP_MSG_MODULE)
+@click.option("--hashes", "-H", is_flag=True, help=HELP_MSG_HASHES)
 @click.argument("BACKUP_PATH", type=click.Path(exists=True))
 @click.pass_context
-def check_backup(ctx, iocs, output, fast, list_modules, module, backup_path):
+def check_backup(ctx, iocs, output, fast, list_modules, module, hashes, backup_path):
     cmd = CmdIOSCheckBackup(target_path=backup_path, results_path=output,
-                            ioc_files=iocs, module_name=module, fast_mode=fast)
+                            ioc_files=iocs, module_name=module, fast_mode=fast,
+                            hashes=hashes)
 
     if list_modules:
         cmd.list_modules()
@@ -170,7 +189,8 @@ def check_backup(ctx, iocs, output, fast, list_modules, module, backup_path):
 #==============================================================================
 # Command: check-fs
 #==============================================================================
-@cli.command("check-fs", help="Extract artifacts from a full filesystem dump")
+@cli.command("check-fs", help="Extract artifacts from a full filesystem dump",
+             context_settings=CONTEXT_SETTINGS)
 @click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
               default=[], help=HELP_MSG_IOC)
 @click.option("--output", "-o", type=click.Path(exists=False),
@@ -178,11 +198,13 @@ def check_backup(ctx, iocs, output, fast, list_modules, module, backup_path):
 @click.option("--fast", "-f", is_flag=True, help=HELP_MSG_FAST)
 @click.option("--list-modules", "-l", is_flag=True, help=HELP_MSG_LIST_MODULES)
 @click.option("--module", "-m", help=HELP_MSG_MODULE)
+@click.option("--hashes", "-H", is_flag=True, help=HELP_MSG_HASHES)
 @click.argument("DUMP_PATH", type=click.Path(exists=True))
 @click.pass_context
-def check_fs(ctx, iocs, output, fast, list_modules, module, dump_path):
+def check_fs(ctx, iocs, output, fast, list_modules, module, hashes, dump_path):
     cmd = CmdIOSCheckFS(target_path=dump_path, results_path=output,
-                        ioc_files=iocs, module_name=module, fast_mode=fast)
+                        ioc_files=iocs, module_name=module, fast_mode=fast,
+                        hashes=hashes)
 
     if list_modules:
         cmd.list_modules()
@@ -200,7 +222,8 @@ def check_fs(ctx, iocs, output, fast, list_modules, module, dump_path):
 #==============================================================================
 # Command: check-iocs
 #==============================================================================
-@cli.command("check-iocs", help="Compare stored JSON results to provided indicators")
+@cli.command("check-iocs", help="Compare stored JSON results to provided indicators",
+             context_settings=CONTEXT_SETTINGS)
 @click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
               default=[], help=HELP_MSG_IOC)
 @click.option("--list-modules", "-l", is_flag=True, help=HELP_MSG_LIST_MODULES)
@@ -221,7 +244,8 @@ def check_iocs(ctx, iocs, list_modules, module, folder):
 #==============================================================================
 # Command: download-iocs
 #==============================================================================
-@cli.command("download-iocs", help="Download public STIX2 indicators")
+@cli.command("download-iocs", help="Download public STIX2 indicators",
+             context_settings=CONTEXT_SETTINGS)
 def download_iocs():
     ioc_updates = IndicatorsUpdates()
     ioc_updates.update()

mvt/ios/cmd_check_backup.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -24,10 +24,12 @@ class CmdIOSCheckBackup(Command):
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         fast_mode: Optional[bool] = False,
+        hashes: Optional[bool] = False,
     ) -> None:
         super().__init__(target_path=target_path, results_path=results_path,
                          ioc_files=ioc_files, module_name=module_name,
-                         serial=serial, fast_mode=fast_mode, log=log)
+                         serial=serial, fast_mode=fast_mode, hashes=hashes,
+                         log=log)
 
         self.name = "check-backup"
         self.modules = BACKUP_MODULES + MIXED_MODULES

mvt/ios/cmd_check_fs.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -24,10 +24,12 @@ class CmdIOSCheckFS(Command):
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         fast_mode: Optional[bool] = False,
+        hashes: Optional[bool] = False,
     ) -> None:
         super().__init__(target_path=target_path, results_path=results_path,
                          ioc_files=ioc_files, module_name=module_name,
-                         serial=serial, fast_mode=fast_mode, log=log)
+                         serial=serial, fast_mode=fast_mode, hashes=hashes,
+                         log=log)
 
         self.name = "check-fs"
         self.modules = FS_MODULES + MIXED_MODULES

mvt/ios/decrypt.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/ios/modules/__init__.py

@@ -1,4 +1,4 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

mvt/ios/modules/backup/__init__.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/ios/modules/backup/backup_info.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -9,7 +9,7 @@ import plistlib
 from typing import Optional
 
 from mvt.common.module import DatabaseNotFoundError
-from mvt.ios.versions import get_device_desc_from_id, latest_ios_version
+from mvt.ios.versions import get_device_desc_from_id, is_ios_version_outdated
 
 from ..base import IOSExtraction
 
@@ -63,7 +63,4 @@ class BackupInfo(IOSExtraction):
             self.results[field] = value
 
         if "Product Version" in info:
-            latest = latest_ios_version()
-            if info["Product Version"] != latest["version"]:
-                self.log.warning("This phone is running an outdated iOS version: %s (latest is %s)",
-                                 info["Product Version"], latest['version'])
+            is_ios_version_outdated(info["Product Version"], log=self.log)

mvt/ios/modules/backup/configuration_profiles.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/ios/modules/backup/manifest.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/ios/modules/backup/profile_events.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/ios/modules/base.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -152,7 +152,6 @@ class IOSExtraction(MVTModule):
         If a module requires to process multiple databases or files,
         you should use the helper functions above.
 
-        :param backup_id: iTunes backup database file's ID (or hash).
         :param root_paths: Glob patterns for files to seek in filesystem dump.
                            (Default value = [])
         :param backup_ids: Default value = None)

mvt/ios/modules/fs/__init__.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/ios/modules/fs/analytics.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/ios/modules/fs/analytics_ios_versions.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/ios/modules/fs/cache_files.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/ios/modules/fs/filesystem.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/ios/modules/fs/net_netusage.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/ios/modules/fs/safari_favicon.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/ios/modules/fs/shutdownlog.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/