MVT is a forensic tool to look for signs of infection in smartphone devices

Overview

Mobile Verification Toolkit

Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.

Please check out the documentation.

Installation

First you need to install the dependencies: on Linux, sudo apt install python3 python3-pip libusb-1.0-0; on macOS, brew install python3 libusb.

Then you can install mvt from PyPI with pip install mvt, or directly from source:

git clone https://github.com/mvt-project/mvt.git
cd mvt
pip3 install .

Usage

MVT provides two commands, mvt-ios and mvt-android, with the following subcommands available:

  • mvt-ios:
    • check-backup: Extract artifacts from an iTunes backup
    • check-fs: Extract artifacts from a full filesystem dump
    • check-iocs: Compare stored JSON results to provided indicators
    • decrypt-backup: Decrypt an encrypted iTunes backup
  • mvt-android:
    • check-backup: Check an Android Backup
    • download-apks: Download all or non-safelisted installed APKs

Check out the documentation to see how to use them.

License

The purpose of MVT is to facilitate the consensual forensic analysis of devices of those who might be targets of sophisticated mobile spyware attacks, especially members of civil society and marginalized communities. We do not want MVT to enable privacy violations of non-consenting individuals. Therefore, the goal of this license is to prohibit the use of MVT (and any other software licensed the same) for the purpose of adversarial forensics.

In order to achieve this, MVT is released under an adaptation of Mozilla Public License v2.0. This modified license includes a new clause 3.0, "Consensual Use Restriction" which permits the use of the licensed software (and any "Larger Work" derived from it) exclusively with the explicit consent of the person/s whose data is being extracted and/or analysed ("Data Owner").

Read the LICENSE

Comments
  • Koodous API doesn't work anymore

         INFO     [mvt.android.download_apks] Found non-system package with name
                  "com.microsoft.teams" installed by "com.android.vending" on   
                  2022-05-11 14:24:27                                           
         ERROR    [mvt.android.lookups.virustotal] Unfortunately VirusTotal     
                  lookup is disabled until further notice, due to unresolved    
                  issues with the API service.                                  
         INFO     [mvt.android.lookups.koodous] Looking up all extracted files  
                  on Koodous (www.koodous.com)                                  
         INFO     [mvt.android.lookups.koodous] This might take a while...      
    

    Looking up 151 packages... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0% -:--:--
    Traceback (most recent call last):
      File "/home/vicpala/.local/lib/python3.10/site-packages/requests/models.py", line 910, in json
        return complexjson.loads(self.text, **kwargs)
      File "/home/vicpala/.local/lib/python3.10/site-packages/simplejson/__init__.py", line 525, in loads
        return _default_decoder.decode(s)
      File "/home/vicpala/.local/lib/python3.10/site-packages/simplejson/decoder.py", line 373, in decode
        raise JSONDecodeError("Extra data", s, end, len(s))
    simplejson.errors.JSONDecodeError: Extra data: line 1 column 5 - line 2 column 1 (char 4 - 19)

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/home/vicpala/.local/bin/mvt-android", line 8, in <module>
        sys.exit(cli())
      File "/usr/lib/python3/dist-packages/click/core.py", line 1128, in __call__
        return self.main(*args, **kwargs)
      File "/usr/lib/python3/dist-packages/click/core.py", line 1053, in main
        rv = self.invoke(ctx)
      File "/usr/lib/python3/dist-packages/click/core.py", line 1659, in invoke
        return _process_result(sub_ctx.command.invoke(sub_ctx))
      File "/usr/lib/python3/dist-packages/click/core.py", line 1395, in invoke
        return ctx.invoke(self.callback, **ctx.params)
      File "/usr/lib/python3/dist-packages/click/core.py", line 754, in invoke
        return __callback(*args, **kwargs)
      File "/usr/lib/python3/dist-packages/click/decorators.py", line 26, in new_func
        return f(get_current_context(), *args, **kwargs)
      File "/home/vicpala/.local/lib/python3.10/site-packages/mvt/android/cli.py", line 93, in download_apks
        download.run()
      File "/home/vicpala/.local/lib/python3.10/site-packages/mvt/android/download_apks.py", line 181, in run
        self.get_packages()
      File "/home/vicpala/.local/lib/python3.10/site-packages/mvt/android/download_apks.py", line 117, in get_packages
        m.run()
      File "/home/vicpala/.local/lib/python3.10/site-packages/mvt/android/modules/adb/packages.py", line 266, in run
        koodous_lookup(packages_to_lookup)
      File "/home/vicpala/.local/lib/python3.10/site-packages/mvt/android/lookups/koodous.py", line 34, in koodous_lookup
        report = res.json()
      File "/home/vicpala/.local/lib/python3.10/site-packages/requests/models.py", line 917, in json
        raise RequestsJSONDecodeError(e.msg, e.doc, e.pos)
    requests.exceptions.JSONDecodeError: [Errno Extra data] 404 page not found : 4
    vicpala@vicpala-H97N-WIFI:~/mvt$

    bug android 
    opened by vicpala 24
  • Make a windows version please

    Most people use Windows as their main OS and find Linux confusing. If you want the most people possible to check their devices for this stuff, you need a tool that works on the operating system they use.

    opened by BimboPolitics 23
  • Older versions of Android miss -U argument in pm list packages

    Hi, I tried mvt-android download-apks on the phone, but the result was:

    NFO     [mvt.android.download_apks] Retrieving list of installed      
                      packages...                                                   
    11:51:17 INFO     [mvt.android.download_apks] Extracted at total of 0 installed 
                      package names                                                 
    11:51:18 INFO     [mvt.android.download_apks] Starting extraction of installed  
                      APKs at folder xxxxxxxx                              
             INFO     [mvt.android.download_apks] Selected only 0 packages which are
                      not marked as system                                          
             INFO     [mvt.android.download_apks] No packages were selected for     
                      download            
    

    although APKs are certainly installed, and it works OK with other phones

    (this is a suspicious phone, almost certain) best regards

    bug 
    opened by noprey21 18
  • SQL Injection - Leads to false positive results -

    MVT-Tool is not hashing DataUsage.sqlite when it is using it as a method to check for IOCs.

    It is possible to inject data into the ZPROCESS table and fake an infection based on the fact that MVT-Tool is looking only for keywords.

    Prep:

    You can download the CSV I used to inject here https://github.com/jonathandata1/Pegasus-CatalanGate-False-Positives/blob/main/IOC_CSV/ZPROCESS_2.csv

    0d609c54856a9bb2d56729df1d68f2958a88426b = DataUsage.sqlite

    1. Make an encrypted backup
    2. decrypt with mvt tool
    3. cd into the decrypted backup folder
    4. sqlite3 0d609c54856a9bb2d56729df1d68f2958a88426b ".import --csv ZPROCESS_2.csv ZPROCESS"

    I was able to create false positive results for all processes listed in the Amnesty Investigations. To prove that this method works to forge false positive results for the processes, I added a record that was not part of the processes.

    The CSV file injected into the sqlite db contains this record at the end:

    236 | 7 | 3 | 482697172.9 | 482697172.9 | com.apple.CrashReporter.plist | com.apple.CrashReporter.plist -- | -- | -- | -- | -- | -- | --

    The MVT-Tool does not recognize this as an indicator of compromise for processes but successfully recognizes all 80 processes as malicious.

    Result

    Without having the physical device, and without hashing the databases suspected to hold the IOCs, reliance on a backup provided by a client or a backup taken by a 3rd party forensics team cannot guarantee the integrity of the backup.

    opened by jonathandata1 16
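As an added example (not MVT's code and not the issue author's), one defensive answer to the integrity problem raised in this issue: record a SHA-256 manifest of the decrypted backup immediately after decryption and verify it again before trusting any detection, so a database altered in between (rows imported into DataUsage.sqlite, for instance) is reported as modified rather than silently feeding the IOC check. The demo builds a constructed stand-in backup in a temporary directory; the file name reuses the DataUsage.sqlite fileID quoted above, but the file contents are placeholders, not a real database.

```python
"""Integrity manifest for a decrypted iOS backup directory (added example).

Hash every file before analysis, then verify afterwards: a database that was
altered in between is reported as modified instead of silently feeding the
IOC check.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# fileID of DataUsage.sqlite in an iOS backup, as quoted in the issue above
DATAUSAGE_FILE_ID = "0d609c54856a9bb2d56729df1d68f2958a88426b"


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large databases need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX relative path) to its SHA-256."""
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in files}


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the directory's current state with a previously recorded manifest.

    Returns the files that were modified (hash differs), missing (recorded but
    gone) and added (present but never recorded); all three empty means intact.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def is_intact(report: dict) -> bool:
    """True when verify_manifest found no difference at all."""
    return not any(report.values())


def demo() -> dict:
    """Constructed scenario: record a manifest, tamper with one file, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        db = root / DATAUSAGE_FILE_ID
        # Placeholder bytes standing in for the database (constructed, not a real SQLite file)
        db.write_bytes(b"SQLite format 3\x00" + b"\x00" * 64)
        (root / "Manifest.db").write_bytes(b"constructed placeholder")
        manifest = build_manifest(root)  # taken right after decryption
        assert is_intact(verify_manifest(root, manifest))

        # Simulate tampering after collection: bytes appended to the database,
        # one recorded file removed, one unrecorded file dropped in.
        with db.open("ab") as fh:
            fh.write(b"injected rows")
        (root / "Manifest.db").unlink()
        (root / "ZPROCESS_2.csv").write_text("constructed\n")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest (json.dumps of build_manifest's result) somewhere the analysis machine cannot write to, alongside the acquisition record; a later verify_manifest that returns anything non-empty means the backup is no longer the artefact that was collected, whatever the IOC modules then report.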
  • Error: mvt-android download-apks --output

    Hello,

    So I'm not a developer and I need some help trying to debug my phone. I currently have my Android in developer mode with USB debugging enabled. I downloaded Xcode and Homebrew on my MacBook Pro using the terminal and everything was fine until I tried to run the mvt-android code. When I try to run this code

    mvt-android download-apks --output /path/to/folder

    I just see "quote" in the terminal and I don't know what it's asking me to enter. I keep checking the folder that I created to store the APKs but nothing has been added to it.

    What am I doing wrong?

    opened by SnaSana111 16
  • Legitimate Apple Apps can be seen as malicious - False Positive Results

    Legitimate Apple Apps can be seen as malicious

    Setting Up

    I performed the following to achieve the forgery.

    1. Downloaded the Appium iOS Test App https://github.com/appium/ios-test-app
    2. Load the test app into Xcode
    3. I changed the Display Name to Phone Diagnostics and named the Bundle Identifier Diagnosticd. Diagnosticd is one of the malicious indicators of compromise found in the STIX2 file created by Amnesty International. (screenshot: Forging MVT-Tool Results)
    4. This is an example of what the app looks like on the device. (screenshot: Forging MVT-Tool Results - App installed)
    5. idevicebackup2 encryption on 123
    6. idevicebackup2 backup --full .
    7. mkdir decrypt
    8. mkdir results
    9. mvt-ios decrypt-backup -d decrypt/ -p 123 0137152d6c6b1fe5cc8af13f34f123e080128445/
    10. mvt-ios check-backup -o results/ decrypt/

    Results

    Watch the video here

    False Positive Pegasus Spyware Forging With MVT-Tool

    WARNING [mvt.ios.cli] The analysis of the backup produced 2 detections!

    WARNING [mvt.ios.modules.mixed.locationd] Found a known suspicious process name "Diagnosticd" matching indicators from "Pegasus"
    WARNING [mvt.ios.modules.mixed.locationd] Found a suspicious process name in LocationD entry Diagnosticd
    WARNING [mvt.ios.modules.mixed.osanalytics_addaily] Found a known suspicious process name "Diagnosticd" matching indicators from "Pegasus"

    MVT-Tool is only looking for a text name, there is no logic or reasoning behind the software that is supposed to detect Pegasus Spyware.

    The results generated by the MVT-Tool do not show the CFBundleDisplayName of the malicious process.

    The application is only looking for the "BundleId"

    This is an example output from the results file generated by MVT-Tool:

    {
      "BundleId": "Diagnosticd",
      "SupportedAuthorizationMask": 1,
      "Executable": "/private/var/containers/Bundle/Application/F0DD3918-FD87-4733-A89A-7B32A0B13C2C/Dignosticd.app/Dignosticd",
      "Registered": "/private/var/containers/Bundle/Application/F0DD3918-FD87-4733-A89A-7B32A0B13C2C/Dignosticd.app/Dignosticd",
      "package": "Diagnosticd",
      "matched_indicator": {
        "value": "Diagnosticd",
        "type": "processes",
        "name": "Pegasus",
        "stix2_file_name": "raw.githubusercontent.com_AmnestyTech_investigations_master_2021-07-18_nso_pegasus.stix2"
      }
    }

    If you run the following command with the physical iPhone you will see that Diagnosticd is the identifier for a legitimate iPhone App.

    ideviceinstaller --list-apps
    CFBundleIdentifier, CFBundleVersion, CFBundleDisplayName
    Diagnosticd, "1.0", "Phone Diagnostics"

    Conclusion

    • Without physical devices a proper iOS mobile forensics examination and analysis cannot be performed
    • Legitimate Apple App store applications can be mistaken as Pegasus processes because MVT-Tool disregards the Application Name
    opened by jonathandata1 14
  • mvt-android cannot check-adb - Libusb_error_Timeout[-7]

    Hi,

    first and foremost, great work. I cloned the repo and did everything to install it properly. Debug mode is on and the phone is connected via USB. I executed the following command:

    mvt-android check-adb

    The end result is the following:

    Could not receive data from first 950751bf (timeout 5000ms):LIBUSB_ERROR_TIMEOUT [-7].

    There is nothing that should block it. I even checked if I can access my phone. Any clues here?

    Thanks in advance

    android 
    opened by UN1337KN0WN 14
  • [ubuntu on wsl] usb1.USBErrorOther: LIBUSB_ERROR_OTHER [-99]

    I'm still new to all of this, and I've tried to search the web for a solution without any success, so here I am making a fool of myself and posting my issue here to hopefully find a solution (because I REALLY need to make sure my phone doesn't have this software in it, as it may pose a risk to my life). My device doesn't show up when I try the adb devices command, even though I downloaded the adb driver on Windows. Can I please be walked through this like the noob I am? Thank you very much for your effort.

    android windows 
    opened by MajdShoots 12
  • "plistlib.InvalidFileException: Invalid file" error loops forever

    It runs OK for an rsync filesystem copy with check-fs but fails with check-backup after successfully decrypting an iTunes backup:

             INFO     [mvt.ios.modules.backup.backup_info] The BackupInfo module does not support checking for indicators
             INFO     [mvt.ios.modules.backup.configuration_profiles] Running module ConfigurationProfiles...
             INFO     [mvt.ios.modules.backup.configuration_profiles] Extracted details about 11 configuration profiles
             INFO     [mvt.ios.modules.backup.configuration_profiles] The ConfigurationProfiles module does not support checking for indicators
             INFO     [mvt.ios.modules.backup.manifest] Running module Manifest...
             INFO     [mvt.ios.modules.backup.manifest] Found Manifest.db database at path: /srv/temp/mvt/Manifest.db
             ERROR    [mvt.ios.modules.backup.manifest] Error reading manifest file metadata
                      Traceback (most recent call last):
                        File "/usr/local/lib/python3.6/dist-packages/mvt/ios/modules/backup/manifest.py", line 118, in run
                          file_plist = plistlib.load(io.BytesIO(file_data["file"]))
                        File "/usr/lib/python3.6/plistlib.py", line 1015, in load
                          return p.parse(fp)
                        File "/usr/lib/python3.6/plistlib.py", line 626, in parse
                          return self._read_object(top_object)
                        File "/usr/lib/python3.6/plistlib.py", line 741, in _read_object
                          result[self._read_object(k)] = self._read_object(o)
                        File "/usr/lib/python3.6/plistlib.py", line 741, in _read_object
                          result[self._read_object(k)] = self._read_object(o)
                        File "/usr/lib/python3.6/plistlib.py", line 744, in _read_object
                          raise InvalidFileException()
                      plistlib.InvalidFileException: Invalid file
    
    
    opened by mailinglists35 11
  • LIBUSB timeout error

    I always get this error:

    07:15:27 CRITICAL [mvt.android.modules.adb.base] Could not receive data from first 149d1947 (timeout 5000ms): LIBUSB_ERROR_TIMEOUT [-7]

    idk how to solve this. I am using a garbage OPPO, maybe that's why. pls help.

    opened by realunkn0wn 11
  • mvt-ios decrypt backup issue with certain password.

    Running on Big Sur, when executing mvt-ios decrypt-backup, Python errors are generated when specifying passwords ending with the 'bang' aka '!' character. Let me know if you want screenshots etc. Thanks!

    opened by samsonho 11
  • iOS Pegasus spyware sample request - MVT methods lack a control

    I am requesting an iOS Pegasus spyware sample to be shared with everyone as there is no control to test against. Furthermore, there is no logic built into the MVT-Tool or documentation explaining why specific modules are being checked or why certain processes are considered malicious.

    Next, there is no information about the success to error rates that can be expected, no list of iOS versions that have been studied, no table of documentation for false positive results that have been identified, and there are no specific conditions that need to be met in order to properly identify a device with your tool.

    As I had mentioned before, enabling Wi-Fi and disabling Wi-Fi yield different results: https://github.com/mvt-project/mvt/issues/319

    I am a professional in information security, I am a computer scientist, I am paid for my speciality in forensics investigations, I meet all of the criteria in the MVT-Tool disclaimer, and I cannot find a reproducible methodology describing why the MVT-Tool is functioning as it is.

    Warning: MVT is a forensic research tool intended for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command-line tools. This is not intended for end-user self-assessment. If you are concerned with the security of your device please seek expert assistance.

    Everything I am asking for is logical and not unreasonable. I have read your forensics methodology, and there is nothing in the methodology that can be reproduced or validated. The methodology is based on assumptions.

    Amnesty has acknowledged many false positives but has never corrected any of the reports or provided a methodology update.

    For example, this false positive (https://github.com/AmnestyTech/investigations/commit/1c694217c3efb4e40f34822b6ef99a7b5bd8a064) was removed without any reasoning why. That false positive impacted the cases of 2 people Amnesty identified to be infected with Pegasus: Omar Radi and Claude Mangin.

    | Country | Name          | Date                | Pegasus Indicator of Compromise         |
    |---------|---------------|---------------------|-----------------------------------------|
    | Morocco | Omar Radi     | 2019-09-13 17:02:35 | com.apple.softwareupdateservicesd.plist |
    | France  | Claude Mangin | 2020-10-08 8:40:42  | com.apple.softwareupdateservicesd.plist |

    After Amnesty found the false positive indicator, what actions were taken regarding the 2 people you had identified to be infected with the removed indicator? Please provide your documentation. How did your method for identification change? What did you find wrong with the now removed indicator?

    We cannot progress in science without data to show where we have failed and succeeded.

    I am open to discussion, please don't close this ticket out because you have personal issues with me, please set those issues aside and let us focus on the science.

    Respectfully, Jonathan Scott

    opened by jonathandata1 2
  • Request for example of log output for an infected device in documentation

    I managed to embarrass myself by mistaking the output of the script loading the .STIX2 files as an indication that the device was infected, i.e.

    INFO [mvt.ios.cmd_check_backup] Extracted 1547 indicators for collection with name "Pegasus" ...

    I think it would be really helpful to include a visual example of what the log output for an infected device looks like at the end of the "Check a backup with mvt-ios" documentation page.

    https://docs.mvt.re/en/latest/ios/backup/check/

    e.g an image like this

    https://teguh.co/static/99db988b40d1f3994f06983d8baee869/37ff2/iosfinal.png

    And/or possibly to include a line at the very end of the log output that either says that some evidence of malware was found, or to confirm that no evidence was found and the device can be trusted.

    opened by ajjrice 0
  • Create ios_GUI.py

    Initial version: added a small GUI with tkinter to simplify the process. Only iOS is implemented. Auto-downloads the STIX2 files. Implements the decrypt and check-backup steps in a one-click button. No commands in cmd are necessary.
    Auto-installs the mvt libs via pip if they are not installed.

    opened by ntosis 0
  • Highlight missing backup files

    In some cases, you can check an incomplete backup, in that case it would be great to highlight files that should be in the backup (exist in the Manifest) but are not in the folder. I have for instance done that with c5ccaef0c4d6fb228b558756e8f34e3ccd477db2 for the SafariBrowserState module, but it should be possible to have this done automatically in the base class. I am also not sure if it should be an error or just an info.

    enhancement ios 
    opened by Te-k 0
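An added example (mine, not MVT's code and not from either issue author) that serves two issues above: the "plistlib.InvalidFileException: Invalid file" report, where one unparsable file record aborts the Manifest module, and this request to flag files the Manifest lists but the backup folder lacks. The code walks Manifest.db once, reports and skips records whose embedded metadata plist will not parse, and lists manifest entries with no file on disk. The Manifest.db schema (a Files table with fileID, domain, relativePath, flags, file; flags == 1 for a regular file) and the <fileID[:2]>/<fileID> on-disk layout are my assumptions, not taken from the MVT source; the demo writes a constructed Manifest.db in a temporary directory and reuses the SafariBrowserState fileID quoted above for the missing entry.

```python
"""Audit an iOS backup folder against its Manifest.db (added example).

Assumptions (mine, not from the MVT source): Manifest.db has a table
Files(fileID, domain, relativePath, flags, file) where flags == 1 marks a
regular file and the file column holds a binary plist of file metadata; the
backup stores each file's content at <fileID[:2]>/<fileID>.
"""
import io
import plistlib
import sqlite3
import struct
import tempfile
from pathlib import Path

REGULAR_FILE = 1  # assumed flags value for a regular file


def parse_file_metadata(blob):
    """Return (metadata, None) on success or (None, error description) on failure."""
    try:
        return plistlib.load(io.BytesIO(blob or b"")), None
    except (plistlib.InvalidFileException, ValueError, struct.error) as exc:
        return None, f"{type(exc).__name__}: {exc}"


def audit_backup(backup_dir: Path) -> dict:
    """Walk the manifest once, collecting unparsable records and missing files."""
    report = {"present": 0, "missing": [], "unparsable": []}
    conn = sqlite3.connect(str(backup_dir / "Manifest.db"))
    try:
        rows = conn.execute("SELECT fileID, domain, relativePath, flags, file FROM Files")
        for file_id, domain, rel_path, flags, blob in rows:
            _meta, err = parse_file_metadata(blob)
            if err is not None:
                # Report and carry on; one corrupt record must not stop the run.
                report["unparsable"].append((file_id, err))
            if flags != REGULAR_FILE:
                continue  # directories and symlinks have no content file
            if (backup_dir / file_id[:2] / file_id).is_file():
                report["present"] += 1
            else:
                report["missing"].append((domain, rel_path, file_id))
    finally:
        conn.close()
    return report


def demo() -> dict:
    """Constructed backup: one file present, one missing, one with a corrupt plist."""
    good_meta = plistlib.dumps({"Size": 4096, "Mode": 0o100644}, fmt=plistlib.FMT_BINARY)
    rows = [
        # (fileID, domain, relativePath, flags, file): constructed sample rows
        ("ab" * 20, "HomeDomain", "Library/Preferences/com.example.plist", 1, good_meta),
        # fileID quoted in the issue above for the Safari browser state; domain
        # and path are constructed for the demo
        ("c5ccaef0c4d6fb228b558756e8f34e3ccd477db2", "AppDomain-com.apple.mobilesafari",
         "Library/Safari/BrowserState.db", 1, good_meta),
        ("cd" * 20, "HomeDomain", "Library/Caches/broken", 1, b"not a plist at all"),
        ("ef" * 20, "HomeDomain", "Library", 2, good_meta),  # directory entry
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        conn = sqlite3.connect(str(root / "Manifest.db"))
        conn.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                     "relativePath TEXT, flags INTEGER, file BLOB)")
        conn.executemany("INSERT INTO Files VALUES (?, ?, ?, ?, ?)", rows)
        conn.commit()
        conn.close()
        for file_id in ("ab" * 20, "cd" * 20):  # only these two have content on disk
            path = root / file_id[:2] / file_id
            path.parent.mkdir(exist_ok=True)
            path.write_bytes(b"\x00" * 16)
        return audit_backup(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Whether a missing file is an error or merely informational, as the issue asks, depends on the module that needs it: a caller can treat an empty "missing" list as a complete backup and otherwise decide per domain and relativePath which absences matter for the modules it is about to run.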
  • add pure-python-adb interface to mvt-android

    Added pure-python-adb support as a replacement for adb-shell in mvt-android.

    adb-shell had trouble with TCP-based adb connections (TLS is unsupported), while ppadb is not affected by the connection type because it communicates with the local adb server (and the adb server is responsible for communicating with the device).

    Still not well tested (+ no error/exception handling), but seems to work.

    opened by tothi 2