Merge branch 'main' of github.com:mvt-project/mvt
commit
404edfee9a
|
@ -5,15 +5,13 @@
|
|||
# Mobile Verification Toolkit
|
||||
|
||||
[![](https://img.shields.io/pypi/v/mvt)](https://pypi.org/project/mvt/)
|
||||
[![](https://img.shields.io/badge/docs-blue.svg)](https://mvt.readthedocs.io)
|
||||
|
||||
Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.
|
||||
|
||||
It has been developed and released by the [Amnesty International Security Lab](https://www.amnesty.org/en/tech/) in July 2021 in the context of the [Pegasus project](https://forbiddenstories.org/about-the-pegasus-project/) along with [a technical forensic methodology and forensic evidence](https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/).
|
||||
|
||||
*Warning*: this tool has been released as a forensic tool for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command-line tools.
|
||||
|
||||
[Please check out the documentation.](https://mvt.readthedocs.io/en/latest/)
|
||||
|
||||
*Warning*: MVT is a forensic research tool intended for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command-line tools. This is not intended for end-user self-assessment. If you are concerned with the security of your device please seek expert assistance.
|
||||
|
||||
## Installation
|
||||
|
||||
|
|
|
@ -109,17 +109,19 @@ class MVTModule(object):
|
|||
"""
|
||||
for result in self.results:
|
||||
record = self.serialize(result)
|
||||
if type(record) == list:
|
||||
self.timeline.extend(record)
|
||||
else:
|
||||
self.timeline.append(record)
|
||||
if record:
|
||||
if type(record) == list:
|
||||
self.timeline.extend(record)
|
||||
else:
|
||||
self.timeline.append(record)
|
||||
|
||||
for detected in self.detected:
|
||||
record = self.serialize(detected)
|
||||
if type(record) == list:
|
||||
self.timeline_detected.extend(record)
|
||||
else:
|
||||
self.timeline_detected.append(record)
|
||||
if record:
|
||||
if type(record) == list:
|
||||
self.timeline_detected.extend(record)
|
||||
else:
|
||||
self.timeline_detected.append(record)
|
||||
|
||||
# De-duplicate timeline entries
|
||||
self.timeline = self.timeline_deduplicate(self.timeline)
|
||||
|
|
|
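Review bot: The new `if record:` guard wraps a `type(record) == list` comparison that the hunk otherwise keeps; `if isinstance(record, list):` is the idiomatic form and also accepts list subclasses, and the same comparison recurs in the `self.detected` loop a few lines below. The guard also skips any falsy record: an empty list is harmless to `extend`, but an empty dict that a serializer might legitimately return will no longer reach `append`, which looks intentional given that `serialize` implementations return `None` when a record lacks the fields they need — worth a one-line comment such as `# serialize() may return None for records it cannot timeline`. The enclosing method starts before this hunk.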
@ -40,6 +40,8 @@ class Manifest(IOSExtraction):
|
|||
|
||||
def serialize(self, record):
|
||||
records = []
|
||||
if "modified" not in record or "statusChanged" not in record:
|
||||
return
|
||||
for ts in set([record["created"], record["modified"], record["statusChanged"]]):
|
||||
macb = ""
|
||||
macb += "M" if ts == record["modified"] else "-"
|
||||
|
@ -63,12 +65,15 @@ class Manifest(IOSExtraction):
|
|||
for result in self.results:
|
||||
if not "relativePath" in result:
|
||||
continue
|
||||
|
||||
if os.path.basename(result["relativePath"]) == "com.apple.CrashReporter.plist" and result["domain"] == "RootDomain":
|
||||
self.log.warning("Found a potentially suspicious \"com.apple.CrashReporter.plist\" file created in RootDomain")
|
||||
self.detected.append(result)
|
||||
if not result["relativePath"]:
|
||||
continue
|
||||
|
||||
if result["domain"]:
|
||||
if os.path.basename(result["relativePath"]) == "com.apple.CrashReporter.plist" and result["domain"] == "RootDomain":
|
||||
self.log.warning("Found a potentially suspicious \"com.apple.CrashReporter.plist\" file created in RootDomain")
|
||||
self.detected.append(result)
|
||||
continue
|
||||
|
||||
if self.indicators.check_file(result["relativePath"]):
|
||||
self.log.warning("Found a known malicious file at path: %s", result["relativePath"])
|
||||
self.detected.append(result)
|
||||
|
|
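Review bot: The added guard in `serialize` checks only `modified` and `statusChanged`, but the `set([...])` on the next line also reads `record["created"]`, so a manifest record missing that key still raises KeyError instead of being skipped; the check should read `if "created" not in record or "modified" not in record or "statusChanged" not in record:`. The same key-presence issue appears in the second hunk, where `if not "relativePath" in result:` became `if not result["relativePath"]:` — that raises on a record without the key rather than skipping it, so `if not result.get("relativePath"):` covers both the missing and the empty case. The body of `serialize` continues past the first hunk, and the loop in the second hunk belongs to a method that starts outside it.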