Improves documentation

This commit is contained in:
tek 2021-07-18 16:33:34 +02:00
parent da72dfe58e
commit ce9ee09c2d
10 changed files with 94 additions and 4 deletions

15
.readthedocs.yaml Normal file
View File

@ -0,0 +1,15 @@
# .readthedocs.yaml
# Read the Docs configuration file
# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
# Required
version: 2
mkdocs:
configuration: mkdocs.yml
# Optionally set the version of Python and requirements required to build your docs
python:
version: 3.7
install:
- requirements: docs/requirements.txt

38
docs/android/backup.md Normal file
View File

@ -0,0 +1,38 @@
# Checking SMSs from Android backup
Some attacks against Android phones are done by sending malicious links by SMS. The Android backup feature does not allow to gather much information that can be interesting for a forensic analysis, but it can be used to extract SMSs and check them with MVT.
To do so, you need to connect your Android device to your computer. You will then need to [enable USB debugging](https://developer.android.com/studio/debug/dev-options#enable>) on the Android device.
If this is the first time you connect to this device, you will need to approve the authentication keys through a prompt that will appear on your Android device.
Then you can use adb to extract the backup for SMS only with the following command:
```bash
adb backup com.android.providers.telephony
```
You will need to approve the backup on the phone and potentially enter a password to encrypt the backup. The backup will then be stored in a file named `backup.ab`.
You will need to use [Android Backup Extractor](https://github.com/nelenkov/android-backup-extractor) to convert it to a readable file format. Make sure that java is installed on your system and use the following command:
```bash
java -jar ~/Download/abe.jar unpack backup.ab backup.tar
tar xvf backup.tar
```
(If the backup is encrypted, the password will be asked by Android Backup Extractor).
You can then extract SMSs containing links with MVT:
```bash
$ mvt-android check-backup --output sms .
16:18:38 INFO [mvt.android.cli] Checking ADB backup located at: .
INFO [mvt.android.modules.backup.sms] Running module SMS...
INFO [mvt.android.modules.backup.sms] Processing SMS backup
file at ./apps/com.android.providers.telephony/d_f/000
000_sms_backup
16:18:39 INFO [mvt.android.modules.backup.sms] Extracted a total of
64 SMS messages containing links
```
Through the `--iocs` argument you can specify a [STIX2](https://oasis-open.github.io/cti-documentation/stix/intro) file defining a list of malicious indicators to check against the records extracted from the backup by mvt. Any matches will be highlighted in the terminal output.

View File

@ -1,4 +1,4 @@
# Checking an Android Device
# Downloading APKs from an Android phone
In order to use `mvt-android` you need to connect your Android device to your computer. You will then need to [enable USB debugging](https://developer.android.com/studio/debug/dev-options#enable>) on the Android device.

View File

@ -0,0 +1,8 @@
# Methodology for Android forensic
For different technical reasons, it is more complex to do a forensic analysis of an Android phone.
Currently MVT allows to perform two different checks on an Android phone:
* Download APKs installed in order to analyze them
* Extract Android backup in order to look for suspicious SMS

BIN
docs/img/macos-backup.jpg Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 138 KiB

View File

@ -32,7 +32,13 @@ If you haven't done so, you can add this to your `.bashrc` or `.zshrc` file in o
export PATH=$PATH:~/.local/bin
```
Then you can install MVT directly:
Then you can install MVT directly from [pypi](https://pypi.org/project/mvt/)
```bash
pip install mvt
```
Or from the source code:
```bash
git clone https://github.com/mvt-project/mvt.git

View File

@ -52,7 +52,7 @@ Once you have a decrypted backup available for analysis you can use the `check-b
--help Show this message and exit.
Following is a basic usage of `check-backup`:
Following is a basic usage of `check-backup`:
```bash
mvt-ios check-backup --output /path/to/output/ /path/to/backup/udid/

View File

@ -1 +1,16 @@
# Backup with iTunes app
It is possible to do an iPhone backup by using iTunes on Windows or Mac computers (in most recent versions of Mac OS, this feature is included in Finder).
To do that:
* Make sure iTunes is installed.
* Connect your iPhone to your computer using a Lightning/USB cable.
* Open the device in iTunes (or Finder on Mac OS).
* If you want to have a more accurate detection, ensure that the encrypted backup option is activated and choose a secure password for the backup.
* Start the backup and wait for it to finish (this may take up to 30 minutes).
![](../../../img/macos-backup.jpg)
_Source: [Apple Support](https://support.apple.com/en-us/HT211229)_
* Once the backup is done, find its location and copy it to a place where it can be analyzed by `mvt`. On Windows, the backup can be stored either in `%USERPROFILE%\Apple\MobileSync\` or `%USERPROFILE%\AppData\Roaming\Apple Computer\MobileSync\`. On Mac OS, the backup is stored in `~/Library/Application Support/MobileSync/`.

5
docs/requirements.txt Normal file
View File

@ -0,0 +1,5 @@
mkdocs==1.2.1
mkdocs-autorefs
mkdocs-material
mkdocs-material-extensions
mkdocstrings

View File

@ -39,5 +39,8 @@ nav:
- Dumping the filesystem: "ios/filesystem/dump.md"
- Check a Filesystem Dump with mvt-ios: "ios/filesystem/check.md"
- Records extracted by mvt-ios: "ios/records.md"
- MVT for Android: "android.md"
- MVT for Android:
- Android Forensic Methodology: "android/methodology.md"
- Check APKs: "android/download_apks.md"
- Check an Android Backup: "android/backup.md"
- License: "license.md"