diff --git a/README.md b/README.md
index 862daeb..c4da85c 100644
--- a/README.md
+++ b/README.md
@@ -5,15 +5,13 @@
 # Mobile Verification Toolkit
 [![](https://img.shields.io/pypi/v/mvt)](https://pypi.org/project/mvt/)
+[![](https://img.shields.io/badge/docs-blue.svg)](https://mvt.readthedocs.io)
 Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices. It has been developed and released by the [Amnesty International Security Lab](https://www.amnesty.org/en/tech/) in July 2021 in the context of the [Pegasus project](https://forbiddenstories.org/about-the-pegasus-project/) along with [a technical forensic methodology and forensic evidence](https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/).
-*Warning*: this tool has been released as a forensic tool for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command-line tools.
-
-[Please check out the documentation.](https://mvt.readthedocs.io/en/latest/)
-
+*Warning*: MVT is a forensic research tool intended for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command-line tools. This is not intended for end-user self-assessment. If you are concerned with the security of your device please seek expert assistance.
 ## Installation
diff --git a/mvt/common/module.py b/mvt/common/module.py
index 3e5a19c..f4dffcd 100644
--- a/mvt/common/module.py
+++ b/mvt/common/module.py
@@ -109,17 +109,19 @@ class MVTModule(object):
 """
 for result in self.results:
 record = self.serialize(result)
- if type(record) == list:
- self.timeline.extend(record)
- else:
- self.timeline.append(record)
+ if record:
+ if type(record) == list:
+ self.timeline.extend(record)
+ else:
+ self.timeline.append(record)
 for detected in self.detected:
 record = self.serialize(detected)
- if type(record) == list:
- self.timeline_detected.extend(record)
- else:
- self.timeline_detected.append(record)
+ if record:
+ if type(record) == list:
+ self.timeline_detected.extend(record)
+ else:
+ self.timeline_detected.append(record)
 # De-duplicate timeline entries
 self.timeline = self.timeline_deduplicate(self.timeline)
diff --git a/mvt/ios/modules/fs/manifest.py b/mvt/ios/modules/fs/manifest.py
index d5c1c74..64484ec 100644
--- a/mvt/ios/modules/fs/manifest.py
+++ b/mvt/ios/modules/fs/manifest.py
@@ -40,6 +40,8 @@ class Manifest(IOSExtraction):
 def serialize(self, record):
 records = []
+ if "modified" not in record or "statusChanged" not in record:
+ return
 for ts in set([record["created"], record["modified"], record["statusChanged"]]):
 macb = ""
 macb += "M" if ts == record["modified"] else "-"
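Review bot: The new `if record:` guards in both loops keep the `type(record) == list` comparison, which rejects list subclasses and is not the idiomatic check; both should read `if isinstance(record, list):`. The guard also drops every result that serialize() returns a falsy value for without any trace, so a malformed record vanishes from the timeline silently; if this class carries a logger (none is visible in the hunk) a debug line naming the skipped result would keep the evidence path auditable. The two loops are now identical except for the source list and the target timeline, so the duplicated nesting is better folded into one private helper, sketched below. The enclosing method begins before this hunk — only the closing line of its docstring is visible here.
```python
        self._serialize_into(self.results, self.timeline)
        self._serialize_into(self.detected, self.timeline_detected)
        # … unchanged: timeline de-duplication …

    def _serialize_into(self, items, timeline):
        """Serialize each item of items and append the result to timeline.

        serialize() may return a list of records, a single record, or a
        falsy value; falsy results are skipped, matching the new guard.
        """
        for item in items:
            record = self.serialize(item)
            if not record:
                continue
            if isinstance(record, list):
                timeline.extend(record)
            else:
                timeline.append(record)
```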
@@ -63,12 +65,15 @@ class Manifest(IOSExtraction):
 for result in self.results:
 if not "relativePath" in result:
 continue
-
- if os.path.basename(result["relativePath"]) == "com.apple.CrashReporter.plist" and result["domain"] == "RootDomain":
- self.log.warning("Found a potentially suspicious \"com.apple.CrashReporter.plist\" file created in RootDomain")
- self.detected.append(result)
+ if not result["relativePath"]: continue
+ if result["domain"]:
+ if os.path.basename(result["relativePath"]) == "com.apple.CrashReporter.plist" and result["domain"] == "RootDomain":
+ self.log.warning("Found a potentially suspicious \"com.apple.CrashReporter.plist\" file created in RootDomain")
+ self.detected.append(result)
+ continue
+ if self.indicators.check_file(result["relativePath"]):
 self.log.warning("Found a known malicious file at path: %s", result["relativePath"])
 self.detected.append(result)