Mobile Verification Toolkit: consensual forensic analysis of Android and iOS devices

Tool made in collaboration with Amnesty International after the discovery of the massive Pegasus attack.

Mobile Verification Toolkit (MVT) is a tool to facilitate the consensual forensic analysis of Android and iOS devices, for the purpose of identifying traces of compromise.

In this documentation you will find instructions on how to install and run the mvt-ios and mvt-android commands, and guidance on how to interpret the extracted results.

Resources

  • GitHub
  • Python Package

Introduction

Mobile Verification Toolkit (MVT) is a collection of utilities designed to facilitate the consensual forensic acquisition of iOS and Android devices for the purpose of identifying any signs of compromise. MVT’s capabilities are continuously evolving, but some of its key features include:

  • Decrypt encrypted iOS backups.
  • Process and parse records from numerous iOS system and app databases, logs and system analytics.
  • Extract installed applications from Android devices.
  • Extract diagnostic information from Android devices through the adb protocol.
  • Compare extracted records to a provided list of malicious indicators in STIX2 format.
  • Generate JSON logs of extracted records, and separate JSON logs of all detected malicious traces.
  • Generate a unified chronological timeline of extracted records, along with a separate timeline of all detected malicious traces.
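As an added illustration of the indicator-matching and timeline steps listed above (example code, not MVT's own implementation), the sketch below reads a constructed STIX2 bundle, keeps only the domain-name and process-name patterns, checks constructed extracted records against them, and returns a unified chronological timeline together with a separate list of detected traces. The record field names, module names and the bundle contents are assumptions made for this example.

```python
import json
import re
from datetime import datetime

# Constructed STIX2 bundle for illustration; not a real MVT indicator file.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "indicator", "pattern": "[domain-name:value = 'example-c2.test']"},
        {"type": "indicator", "pattern": "[process:name = 'bh']"},
        {"type": "malware", "name": "example"},  # non-indicator objects are skipped
    ],
})

# Constructed records, shaped like what an extraction module might emit (assumed fields).
RECORDS = [
    {"timestamp": "2021-07-18T10:02:00", "module": "safari_history", "domain": "news.example.org"},
    {"timestamp": "2021-07-18T09:55:00", "module": "sms", "domain": "example-c2.test"},
    {"timestamp": "2021-07-18T10:30:00", "module": "processes", "process": "bh"},
]

# Only the two simple STIX pattern shapes used above are understood by this sketch.
PATTERN_RE = re.compile(r"\[(domain-name:value|process:name) = '([^']+)'\]")


def load_indicators(bundle_json):
    """Return {"domain": set, "process": set} of lower-cased IOC values from a STIX2 bundle."""
    iocs = {"domain": set(), "process": set()}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        match = PATTERN_RE.fullmatch(obj.get("pattern", ""))
        if not match:
            continue  # unsupported pattern type: ignored rather than guessed at
        key = "domain" if match.group(1).startswith("domain-name") else "process"
        iocs[key].add(match.group(2).lower())
    return iocs


def check_records(records, iocs):
    """Return (timeline, detected): all records sorted by timestamp, and those matching an IOC."""
    detected = []
    for rec in records:
        for field, values in iocs.items():
            if rec.get(field) and str(rec[field]).lower() in values:
                detected.append(rec)
                break
    timeline = sorted(records, key=lambda r: datetime.fromisoformat(r["timestamp"]))
    return timeline, detected
```

Real MVT modules emit far richer records and write both the timeline and the detections as JSON files, but the matching logic follows the same shape.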

MVT is a forensic research tool intended for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command-line tools. MVT is not intended for end-user self-assessment. If you are concerned with the security of your device please seek expert assistance.

Consensual Forensics

While MVT is capable of extracting and processing various types of very personal records typically found on a mobile phone (such as call history, SMS and WhatsApp messages, etc.), this is intended to help identify potential attack vectors such as malicious SMS messages leading to exploitation.

MVT’s purpose is not to facilitate adversarial forensics of non-consenting individuals’ devices. The use of MVT and derivative products to extract and/or analyse data originating from devices used by individuals not consenting to the procedure is explicitly prohibited in the license.

Photo: Howie Shia