mirror of https://github.com/mvt-project/mvt.git
Temporarily removed mvt-ios check-usb command
This commit is contained in:
parent
459ff8c51c
commit
3cdc6da428
|
@ -20,7 +20,6 @@ from mvt.common.updates import IndicatorsUpdates
|
|||
|
||||
from .cmd_check_backup import CmdIOSCheckBackup
|
||||
from .cmd_check_fs import CmdIOSCheckFS
|
||||
from .cmd_check_usb import CmdIOSCheckUSB
|
||||
from .decrypt import DecryptBackup
|
||||
from .modules.backup import BACKUP_MODULES
|
||||
from .modules.fs import FS_MODULES
|
||||
|
@ -216,34 +215,3 @@ def check_iocs(ctx, iocs, list_modules, module, folder):
|
|||
def download_iocs():
|
||||
ioc_updates = IndicatorsUpdates()
|
||||
ioc_updates.update()
|
||||
|
||||
|
||||
#==============================================================================
|
||||
# Command: check-usb
|
||||
#==============================================================================
|
||||
@cli.command("check-usb", help="Extract artifacts from a live iPhone through USB / lockdown")
|
||||
@click.option("--serial", "-s", type=str, help=HELP_MSG_SERIAL)
|
||||
@click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
|
||||
default=[], help=HELP_MSG_IOC)
|
||||
@click.option("--output", "-o", type=click.Path(exists=False), help=HELP_MSG_OUTPUT)
|
||||
@click.option("--fast", "-f", is_flag=True, help=HELP_MSG_FAST)
|
||||
@click.option("--list-modules", "-l", is_flag=True, help=HELP_MSG_LIST_MODULES)
|
||||
@click.option("--module", "-m", help=HELP_MSG_MODULE)
|
||||
# TODO: serial
|
||||
# @click.argument("BACKUP_PATH", type=click.Path(exists=True))
|
||||
@click.pass_context
|
||||
def check_usb(ctx, serial, iocs, output, fast, list_modules, module):
|
||||
cmd = CmdIOSCheckUSB(results_path=output, ioc_files=iocs,
|
||||
module_name=module, fast_mode=fast,
|
||||
serial=serial)
|
||||
|
||||
if list_modules:
|
||||
cmd.list_modules()
|
||||
return
|
||||
|
||||
log.info("Checking iPhone through USB, this may take a while")
|
||||
cmd.run()
|
||||
|
||||
if len(cmd.timeline_detected) > 0:
|
||||
log.warning("The analysis of the data produced %d detections!",
|
||||
len(cmd.timeline_detected))
|
||||
|
|
|
@ -1,46 +0,0 @@
|
|||
# Mobile Verification Toolkit (MVT)
|
||||
# Copyright (c) 2021-2022 Claudio Guarnieri.
|
||||
# Use of this software is governed by the MVT License 1.1 that can be found at
|
||||
# https://license.mvt.re/1.1/
|
||||
|
||||
import logging
|
||||
import sys
|
||||
|
||||
from pymobiledevice3.exceptions import ConnectionFailedError
|
||||
from pymobiledevice3.lockdown import LockdownClient
|
||||
|
||||
from mvt.common.command import Command
|
||||
|
||||
from .modules.usb import USB_MODULES
|
||||
|
||||
log = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class CmdIOSCheckUSB(Command):
|
||||
|
||||
name = "check-usb"
|
||||
modules = USB_MODULES
|
||||
|
||||
def __init__(self, target_path: str = None, results_path: str = None,
|
||||
ioc_files: list = [], module_name: str = None, serial: str = None,
|
||||
fast_mode: bool = False):
|
||||
super().__init__(target_path=target_path, results_path=results_path,
|
||||
ioc_files=ioc_files, module_name=module_name,
|
||||
serial=serial, fast_mode=fast_mode, log=log)
|
||||
self.lockdown = None
|
||||
|
||||
def init(self):
|
||||
try:
|
||||
if self.serial:
|
||||
self.lockdown = LockdownClient(udid=self.serial)
|
||||
else:
|
||||
self.lockdown = LockdownClient()
|
||||
except ConnectionRefusedError:
|
||||
log.error("Unable to connect to the device over USB. Try to unplug, plug the device and start again.")
|
||||
sys.exit(-1)
|
||||
except ConnectionFailedError:
|
||||
log.error("Unable to connect to the device %s", self.serial)
|
||||
sys.exit(-1)
|
||||
|
||||
def module_init(self, module):
|
||||
module.lockdown = self.lockdown
|
|
@ -1,10 +0,0 @@
|
|||
# Mobile Verification Toolkit (MVT)
|
||||
# Copyright (c) 2021-2022 Claudio Guarnieri.
|
||||
# Use of this software is governed by the MVT License 1.1 that can be found at
|
||||
# https://license.mvt.re/1.1/
|
||||
|
||||
from .applications import Applications
|
||||
from .device_info import DeviceInfo
|
||||
from .processes import Processes
|
||||
|
||||
USB_MODULES = [Applications, DeviceInfo, Processes]
|
|
@ -1,46 +0,0 @@
|
|||
# Mobile Verification Toolkit (MVT)
|
||||
# Copyright (c) 2021-2022 Claudio Guarnieri.
|
||||
# Use of this software is governed by the MVT License 1.1 that can be found at
|
||||
# https://license.mvt.re/1.1/
|
||||
|
||||
import logging
|
||||
|
||||
from pymobiledevice3.services.installation_proxy import \
|
||||
InstallationProxyService
|
||||
|
||||
from .base import IOSUSBExtraction
|
||||
|
||||
|
||||
class Applications(IOSUSBExtraction):
|
||||
"""This class extracts all applications installed on the phone"""
|
||||
|
||||
def __init__(self, file_path: str = None, target_path: str = None,
|
||||
results_path: str = None, fast_mode: bool = False,
|
||||
log: logging.Logger = None, results: list = []) -> None:
|
||||
super().__init__(file_path=file_path, target_path=target_path,
|
||||
results_path=results_path, fast_mode=fast_mode,
|
||||
log=log, results=results)
|
||||
|
||||
def check_indicators(self) -> None:
|
||||
if not self.indicators:
|
||||
return
|
||||
|
||||
for result in self.results:
|
||||
ioc = self.indicators.check_app_id(result["CFBundleIdentifier"])
|
||||
if ioc:
|
||||
result["matched_indicator"] = ioc
|
||||
self.detected.append(result)
|
||||
|
||||
def run(self) -> None:
|
||||
user_apps = InstallationProxyService(lockdown=self.lockdown).get_apps("User")
|
||||
for user_app in user_apps:
|
||||
user_app["type"] = "user"
|
||||
|
||||
system_apps = InstallationProxyService(lockdown=self.lockdown).get_apps("System")
|
||||
for system_app in system_apps:
|
||||
system_app["type"] = "system"
|
||||
|
||||
self.results = user_apps + system_apps
|
||||
|
||||
self.log.info("Identified %d applications installed on the device",
|
||||
len(self.results))
|
|
@ -1,25 +0,0 @@
|
|||
# Mobile Verification Toolkit (MVT)
|
||||
# Copyright (c) 2021-2022 Claudio Guarnieri.
|
||||
# Use of this software is governed by the MVT License 1.1 that can be found at
|
||||
# https://license.mvt.re/1.1/
|
||||
|
||||
import logging
|
||||
|
||||
from mvt.common.module import MVTModule
|
||||
|
||||
log = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class IOSUSBExtraction(MVTModule):
|
||||
"""This class provides a base for all iOS USB extraction modules."""
|
||||
|
||||
def __init__(self, file_path: str = None, target_path: str = None,
|
||||
results_path: str = None, fast_mode: bool = False,
|
||||
log: logging.Logger = None, results: list = []) -> None:
|
||||
super().__init__(file_path=file_path, target_path=target_path,
|
||||
results_path=results_path, fast_mode=fast_mode,
|
||||
log=log, results=results)
|
||||
|
||||
self.device = None
|
||||
self.serial = None
|
||||
self.lockdown = None
|
|
@ -1,39 +0,0 @@
|
|||
# Mobile Verification Toolkit (MVT)
|
||||
# Copyright (c) 2021-2022 Claudio Guarnieri.
|
||||
# Use of this software is governed by the MVT License 1.1 that can be found at
|
||||
# https://license.mvt.re/1.1/
|
||||
|
||||
import base64
|
||||
import logging
|
||||
|
||||
from mvt.ios.versions import latest_ios_version
|
||||
|
||||
from .base import IOSUSBExtraction
|
||||
|
||||
|
||||
class DeviceInfo(IOSUSBExtraction):
|
||||
"""This class extracts all processes running on the phone."""
|
||||
|
||||
def __init__(self, file_path: str = None, target_path: str = None,
|
||||
results_path: str = None, fast_mode: bool = False,
|
||||
log: logging.Logger = None, results: list = []) -> None:
|
||||
super().__init__(file_path=file_path, target_path=target_path,
|
||||
results_path=results_path, fast_mode=fast_mode,
|
||||
log=log, results=results)
|
||||
|
||||
def run(self) -> None:
|
||||
self.results = self.lockdown.all_values
|
||||
|
||||
for entry in self.results:
|
||||
if isinstance(self.results[entry], bytes):
|
||||
self.results[entry] = base64.b64encode(self.results[entry])
|
||||
elif isinstance(self.results[entry], dict):
|
||||
for second_entry in self.results[entry]:
|
||||
if isinstance(self.results[entry][second_entry], bytes):
|
||||
self.results[entry][second_entry] = base64.b64encode(self.results[entry][second_entry])
|
||||
|
||||
if "ProductVersion" in self.results:
|
||||
latest = latest_ios_version()
|
||||
if self.results["ProductVersion"] != latest["version"]:
|
||||
self.log.warning("This phone is running an outdated iOS version: %s (latest is %s)",
|
||||
self.results["ProductVersion"], latest['version'])
|
|
@ -1,42 +0,0 @@
|
|||
# Mobile Verification Toolkit (MVT)
|
||||
# Copyright (c) 2021-2022 Claudio Guarnieri.
|
||||
# Use of this software is governed by the MVT License 1.1 that can be found at
|
||||
# https://license.mvt.re/1.1/
|
||||
|
||||
import logging
|
||||
|
||||
from pymobiledevice3.services.os_trace import OsTraceService
|
||||
|
||||
from .base import IOSUSBExtraction
|
||||
|
||||
|
||||
class Processes(IOSUSBExtraction):
|
||||
"""This class extracts all processes running on the phone."""
|
||||
|
||||
def __init__(self, file_path: str = None, target_path: str = None,
|
||||
results_path: str = None, fast_mode: bool = False,
|
||||
log: logging.Logger = None, results: list = []) -> None:
|
||||
super().__init__(file_path=file_path, target_path=target_path,
|
||||
results_path=results_path, fast_mode=fast_mode,
|
||||
log=log, results=results)
|
||||
|
||||
def check_indicators(self) -> None:
|
||||
if not self.indicators:
|
||||
return
|
||||
|
||||
for result in self.results:
|
||||
ioc = self.indicators.check_process(result["name"])
|
||||
if ioc:
|
||||
result["matched_indicator"] = ioc
|
||||
self.detected.append(result)
|
||||
|
||||
def run(self) -> None:
|
||||
processes = OsTraceService(lockdown=self.lockdown).get_pid_list().get("Payload")
|
||||
for pid in processes:
|
||||
self.results.append({
|
||||
"pid": pid,
|
||||
"name": processes[pid]["ProcessName"]
|
||||
})
|
||||
|
||||
self.log.info("Identified %d processes running on the device",
|
||||
len(self.results))
|
|
@ -33,7 +33,6 @@ install_requires =
|
|||
adb-shell >=0.4.2
|
||||
libusb1 >=2.0.1
|
||||
cryptography >=36.0.1
|
||||
pymobiledevice3 >=1.23.9
|
||||
pyyaml >=6.0
|
||||
|
||||
[options.packages.find]
|
||||
|
|
|
@ -1,35 +0,0 @@
|
|||
# Mobile Verification Toolkit (MVT)
|
||||
# Copyright (c) 2021-2022 Claudio Guarnieri.
|
||||
# Use of this software is governed by the MVT License 1.1 that can be found at
|
||||
# https://license.mvt.re/1.1/
|
||||
|
||||
import logging
|
||||
|
||||
from pymobiledevice3.lockdown import LockdownClient
|
||||
|
||||
from mvt.common.module import run_module
|
||||
from mvt.ios.modules.usb.applications import Applications
|
||||
|
||||
|
||||
class TestUSBApplication:
|
||||
def test_run(self, mocker):
|
||||
mocker.patch("pymobiledevice3.lockdown.LockdownClient.start_service")
|
||||
mocker.patch("pymobiledevice3.usbmux.select_device")
|
||||
mocker.patch("pymobiledevice3.service_connection.ServiceConnection.create")
|
||||
mocker.patch(
|
||||
"pymobiledevice3.lockdown.LockdownClient.query_type",
|
||||
return_value="com.apple.mobile.lockdown")
|
||||
mocker.patch(
|
||||
"pymobiledevice3.lockdown.LockdownClient.validate_pairing",
|
||||
return_value=True)
|
||||
mocker.patch(
|
||||
"pymobiledevice3.services.installation_proxy.InstallationProxyService.get_apps",
|
||||
return_value=[{"CFBundleIdentifier": "com.bad.app"}]
|
||||
)
|
||||
|
||||
lockdown = LockdownClient()
|
||||
|
||||
m = Applications(log=logging)
|
||||
m.lockdown = lockdown
|
||||
run_module(m)
|
||||
assert len(m.results) == 2
|
|
@ -1,34 +0,0 @@
|
|||
# Mobile Verification Toolkit (MVT)
|
||||
# Copyright (c) 2021-2022 Claudio Guarnieri.
|
||||
# Use of this software is governed by the MVT License 1.1 that can be found at
|
||||
# https://license.mvt.re/1.1/
|
||||
|
||||
import logging
|
||||
|
||||
from pymobiledevice3.lockdown import LockdownClient
|
||||
|
||||
from mvt.common.module import run_module
|
||||
from mvt.ios.modules.usb.device_info import DeviceInfo
|
||||
|
||||
|
||||
class TestUSBDeviceInfo:
|
||||
def test_run(self, mocker):
|
||||
mocker.patch("pymobiledevice3.usbmux.select_device")
|
||||
mocker.patch("pymobiledevice3.service_connection.ServiceConnection.create")
|
||||
mocker.patch(
|
||||
"pymobiledevice3.lockdown.LockdownClient.query_type",
|
||||
return_value="com.apple.mobile.lockdown")
|
||||
mocker.patch(
|
||||
"pymobiledevice3.lockdown.LockdownClient.validate_pairing",
|
||||
return_value=True)
|
||||
mocker.patch(
|
||||
"pymobiledevice3.lockdown.LockdownClient.get_value",
|
||||
return_value={'DeviceClass': 'iPhone', 'ProductVersion': '14.3'}
|
||||
)
|
||||
|
||||
lockdown = LockdownClient()
|
||||
|
||||
m = DeviceInfo(log=logging)
|
||||
m.lockdown = lockdown
|
||||
run_module(m)
|
||||
assert len(m.results) == 2
|
|
@ -1,29 +0,0 @@
|
|||
# Mobile Verification Toolkit (MVT)
|
||||
# Copyright (c) 2021-2022 Claudio Guarnieri.
|
||||
# Use of this software is governed by the MVT License 1.1 that can be found at
|
||||
# https://license.mvt.re/1.1/
|
||||
|
||||
import logging
|
||||
|
||||
from mvt.common.indicators import Indicators
|
||||
from mvt.common.module import run_module
|
||||
from mvt.ios.modules.usb.processes import Processes
|
||||
|
||||
|
||||
class TestUSBProcesses:
|
||||
def test_run(self, mocker, indicator_file):
|
||||
mocker.patch("pymobiledevice3.services.base_service.BaseService.__init__")
|
||||
mocker.patch(
|
||||
"pymobiledevice3.services.os_trace.OsTraceService.get_pid_list",
|
||||
return_value={"Payload": {"1": {"ProcessName": "storebookkeeperd"}, "1854": {"ProcessName": "cfprefssd"}}}
|
||||
)
|
||||
|
||||
ind = Indicators(log=logging)
|
||||
ind.parse_stix2(indicator_file)
|
||||
ind.ioc_collections[0]["processes"].append("cfprefssd")
|
||||
|
||||
m = Processes(log=logging)
|
||||
m.indicators = ind
|
||||
run_module(m)
|
||||
assert len(m.results) == 2
|
||||
assert len(m.detected) == 1
|