mirror of https://github.com/mvt-project/mvt.git
Improves documentation
This commit is contained in:
parent
da72dfe58e
commit
ce9ee09c2d
|
@ -0,0 +1,15 @@
|
|||
# .readthedocs.yaml
|
||||
# Read the Docs configuration file
|
||||
# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
|
||||
|
||||
# Required
|
||||
version: 2
|
||||
|
||||
mkdocs:
|
||||
configuration: mkdocs.yml
|
||||
|
||||
# Optionally set the version of Python and requirements required to build your docs
|
||||
python:
|
||||
version: 3.7
|
||||
install:
|
||||
- requirements: docs/requirements.txt
|
|
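Review bot: the `install:` block at the end of the hunk only installs `docs/requirements.txt`, which is not enough if `mkdocstrings` (added in `docs/requirements.txt` in this same diff) is used to render the `mvt` modules, since it imports the package to document it. Consider adding a second entry so the package itself is installed in the Read the Docs build, e.g. `- method: pip` / `path: .` under `install:`. Also check that `python: version: 3.7` matches the interpreter the project actually supports.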
@ -0,0 +1,38 @@
|
|||
# Checking SMSs from Android backup
|
||||
|
||||
Some attacks against Android phones are done by sending malicious links by SMS. The Android backup feature does not allow to gather much information that can be interesting for a forensic analysis, but it can be used to extract SMSs and check them with MVT.
|
||||
|
||||
To do so, you need to connect your Android device to your computer. You will then need to [enable USB debugging](https://developer.android.com/studio/debug/dev-options#enable>) on the Android device.
|
||||
|
||||
If this is the first time you connect to this device, you will need to approve the authentication keys through a prompt that will appear on your Android device.
|
||||
|
||||
Then you can use adb to extract the backup for SMS only with the following command:
|
||||
|
||||
```bash
|
||||
adb backup com.android.providers.telephony
|
||||
```
|
||||
|
||||
You will need to approve the backup on the phone and potentially enter a password to encrypt the backup. The backup will then be stored in a file named `backup.ab`.
|
||||
|
||||
You will need to use [Android Backup Extractor](https://github.com/nelenkov/android-backup-extractor) to convert it to a readable file format. Make sure that java is installed on your system and use the following command:
|
||||
```bash
|
||||
java -jar ~/Download/abe.jar unpack backup.ab backup.tar
|
||||
tar xvf backup.tar
|
||||
```
|
||||
|
||||
(If the backup is encrypted, the password will be asked by Android Backup Extractor).
|
||||
|
||||
You can then extract SMSs containing links with MVT:
|
||||
|
||||
```bash
|
||||
$ mvt-android check-backup --output sms .
|
||||
16:18:38 INFO [mvt.android.cli] Checking ADB backup located at: .
|
||||
INFO [mvt.android.modules.backup.sms] Running module SMS...
|
||||
INFO [mvt.android.modules.backup.sms] Processing SMS backup
|
||||
file at ./apps/com.android.providers.telephony/d_f/000
|
||||
000_sms_backup
|
||||
16:18:39 INFO [mvt.android.modules.backup.sms] Extracted a total of
|
||||
64 SMS messages containing links
|
||||
```
|
||||
|
||||
Through the `--iocs` argument you can specify a [STIX2](https://oasis-open.github.io/cti-documentation/stix/intro) file defining a list of malicious indicators to check against the records extracted from the backup by mvt. Any matches will be highlighted in the terminal output.
|
|
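Review bot: the "enable USB debugging" link in the second paragraph has a stray `>` inside the URL (`dev-options#enable>)`), which will render as a broken link; drop the `>`. In the Android Backup Extractor command, `~/Download/abe.jar` is a location specific to whoever wrote the page, so either say where the reader is expected to put `abe.jar` or use a neutral path. The sample `mvt-android check-backup` output has two log lines wrapped mid-message (`.../d_f/000` / `000_sms_backup` and `Extracted a total of` / `64 SMS messages containing links`); keeping each log line on one line makes the block easier to compare against real output. Minor wording: "does not allow to gather much information" reads better as "does not allow gathering much information".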
@ -1,4 +1,4 @@
|
|||
# Checking an Android Device
|
||||
# Downloading APKs from an Android phone
|
||||
|
||||
In order to use `mvt-android` you need to connect your Android device to your computer. You will then need to [enable USB debugging](https://developer.android.com/studio/debug/dev-options#enable>) on the Android device.
|
||||
|
|
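Review bot: the unchanged context line in this hunk carries the same broken link as the new backup page, `dev-options#enable>)` with a stray `>` before the closing parenthesis; since this file is already being edited, fix it here rather than leaving a dead link under the new "Downloading APKs from an Android phone" heading.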
@ -0,0 +1,8 @@
|
|||
# Methodology for Android forensic
|
||||
|
||||
For different technical reasons, it is more complex to do a forensic analysis of an Android phone.
|
||||
|
||||
Currently MVT allows to perform two different checks on an Android phone:
|
||||
|
||||
* Download APKs installed in order to analyze them
|
||||
* Extract Android backup in order to look for suspicious SMS
|
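Review bot: "it is more complex to do a forensic analysis of an Android phone" has no point of comparison on this page; say what it is more complex than (the iOS workflow documented elsewhere in these docs, if that is the intent) and, if possible, name the technical reasons rather than "different technical reasons". The two bullets describe the pages added in this commit, so link them (`android/download_apks.md`, `android/backup.md`). Wording: the title should read "Methodology for Android forensics", and "MVT allows to perform" reads better as "MVT allows performing".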
Binary file not shown.
After Width: | Height: | Size: 138 KiB |
|
@ -32,7 +32,13 @@ If you haven't done so, you can add this to your `.bashrc` or `.zshrc` file in o
|
|||
export PATH=$PATH:~/.local/bin
|
||||
```
|
||||
|
||||
Then you can install MVT directly:
|
||||
Then you can install MVT directly from [pypi](https://pypi.org/project/mvt/)
|
||||
|
||||
```bash
|
||||
pip install mvt
|
||||
```
|
||||
|
||||
Or from the source code:
|
||||
|
||||
```bash
|
||||
git clone https://github.com/mvt-project/mvt.git
|
||||
|
|
|
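Review bot: the replacement line "Then you can install MVT directly from [pypi](https://pypi.org/project/mvt/)" drops the trailing colon that introduced the `pip install mvt` code block; add it back, and write the project name as "PyPI".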
@ -52,7 +52,7 @@ Once you have a decrypted backup available for analysis you can use the `check-b
|
|||
|
||||
--help Show this message and exit.
|
||||
|
||||
Following is a basic usage of `check-backup`:
|
||||
Following is a basic usage of `check-backup`:
|
||||
|
||||
```bash
|
||||
mvt-ios check-backup --output /path/to/output/ /path/to/backup/udid/
|
||||
|
|
|
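Review bot: the removed and added "Following is a basic usage of `check-backup`:" lines render identically, so this appears to be a whitespace-only change; if it is, that is fine, but if a wording change was intended it did not survive.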
@ -1 +1,16 @@
|
|||
# Backup with iTunes app
|
||||
|
||||
It is possible to do an iPhone backup by using iTunes on Windows or Mac computers (in most recent versions of Mac OS, this feature is included in Finder).
|
||||
|
||||
To do that:
|
||||
|
||||
* Make sure iTunes is installed.
|
||||
* Connect your iPhone to your computer using a Lightning/USB cable.
|
||||
* Open the device in iTunes (or Finder on Mac OS).
|
||||
* If you want to have a more accurate detection, ensure that the encrypted backup option is activated and choose a secure password for the backup.
|
||||
* Start the backup and wait for it to finish (this may take up to 30 minutes).
|
||||
|
||||
![](../../../img/macos-backup.jpg)
|
||||
_Source: [Apple Support](https://support.apple.com/en-us/HT211229)_
|
||||
|
||||
* Once the backup is done, find its location and copy it to a place where it can be analyzed by `mvt`. On Windows, the backup can be stored either in `%USERPROFILE%\Apple\MobileSync\` or `%USERPROFILE%\AppData\Roaming\Apple Computer\MobileSync\`. On Mac OS, the backup is stored in `~/Library/Application Support/MobileSync/`.
|
||||
|
|
|
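Review bot: the final bullet "Once the backup is done, find its location..." is separated from the rest of the step list by the image and caption, so it renders as a new list; either move the image after the whole list or number the steps. The backup location paragraph should also say that the backup lives in a directory named after the device UDID, since the `check-backup` usage elsewhere in this diff expects `/path/to/backup/udid/`, and, because this page recommends an encrypted backup, point out that it must be decrypted first (the ios check page's context line says "Once you have a decrypted backup available for analysis").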
@ -0,0 +1,5 @@
|
|||
mkdocs==1.2.1
|
||||
mkdocs-autorefs
|
||||
mkdocs-material
|
||||
mkdocs-material-extensions
|
||||
mkdocstrings
|
|
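Review bot: only `mkdocs==1.2.1` is pinned while `mkdocs-autorefs`, `mkdocs-material`, `mkdocs-material-extensions` and `mkdocstrings` are unpinned, so the Read the Docs build is not reproducible and a future release of any of these can break it; pin all five (and `mkdocs-material` already depends on `mkdocs-material-extensions`, so that line is redundant unless a specific version is wanted).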
@ -39,5 +39,8 @@ nav:
|
|||
- Dumping the filesystem: "ios/filesystem/dump.md"
|
||||
- Check a Filesystem Dump with mvt-ios: "ios/filesystem/check.md"
|
||||
- Records extracted by mvt-ios: "ios/records.md"
|
||||
- MVT for Android: "android.md"
|
||||
- MVT for Android:
|
||||
- Android Forensic Methodology: "android/methodology.md"
|
||||
- Check APKs: "android/download_apks.md"
|
||||
- Check an Android Backup: "android/backup.md"
|
||||
- License: "license.md"
|
||||
|
|
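Review bot: the new nav labels do not match the page headings introduced in this commit: "Check APKs" points at a page titled "Downloading APKs from an Android phone", and "Android Forensic Methodology" at "Methodology for Android forensic"; align the labels with the headings. The removed `- MVT for Android: "android.md"` entry should be accompanied by removing or redirecting `android.md`, otherwise it becomes an orphan page.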