Mobile Verification Toolkit (MVT) is a collection of utilities designed to facilitate the forensic analysis of iOS and Android devices in order to identify signs of compromise. MVT's capabilities are continuously evolving, but some of its key features include:
Android devices provide much less observability than iOS. Android stores very little diagnostic information useful for triaging potential compromises, and because of this the capabilities of mvt-android are limited as well.
Before acquiring and analyzing data from an iOS device, you should evaluate your precise plan of action. Because multiple options are available to you, you should define and familiarize yourself with the most effective forensic methodology for each case.
You will need to decide whether to attempt to jailbreak the device and obtain a full filesystem dump, or not.
While accessing the full filesystem allows extracting data that would otherwise be unavailable, it might not always be possible to jailbreak a certain iPhone model or version of iOS. In addition, depending on the type of jailbreak available, doing so might compromise some important records, pollute others, or potentially cause unintended malfunctioning of the device later, should it be used again.
If you are not expected to return the phone, you might want to consider attempting a jailbreak after having exhausted all other options, including a backup.
An alternative option is to generate an iTunes backup (in the most recent versions of macOS, backups are no longer launched from iTunes but directly from Finder). While backups only provide a subset of the files stored on the device, in many cases this might be sufficient to at least detect some suspicious artifacts. Backups encrypted with a password will contain some additional interesting records not available in unencrypted ones, such as Safari history, Safari state, etc.
Please note that MVT requires Python 3.6+ to run. While it should be available on most operating systems, make sure of that before proceeding.
First install some basic dependencies that will be necessary to build all required tools:
sudo apt install python3 python3-pip libusb-1.0-0 sqlite3
libusb-1.0-0 is not required if you intend to only use mvt-ios and not mvt-android.
When working with Android devices you should additionally install Android SDK Platform Tools. If you prefer to install a package made available by your distribution of choice, please make sure the version is recent to ensure compatibility with modern Android devices.
Running MVT on macOS requires Xcode and homebrew to be installed.
In order to install dependencies use:
brew install python3 libusb sqlite3
libusb is not required if you intend to only use mvt-ios and not mvt-android.
When working with Android devices you should additionally install Android SDK Platform Tools:
brew install --cask android-platform-tools
Or by downloading the official binary releases.
MVT does not currently officially support running natively on Windows. While most functionality should work out of the box, there are known issues especially with mvt-android.
It is recommended to try installing and running MVT from Windows Subsystem Linux (WSL) and follow Linux installation instructions for your distribution of choice.
If you haven't done so, you can add this to your .bashrc or .zshrc file in order to add locally installed PyPI binaries to your $PATH:
export PATH=$PATH:~/.local/bin
Then you can install MVT directly from PyPI:
pip3 install mvt
If you want to have the latest features in development, you can install MVT directly from the source code. If you previously installed MVT from PyPI, you should first uninstall it using pip3 uninstall mvt and then install from the source code:
git clone https://github.com/mvt-project/mvt.git
cd mvt
pip3 install .
You now should have the mvt-ios and mvt-android utilities installed.
While iTunes backup provides a lot of very useful databases and diagnostic data, in some cases you might want to jailbreak the device and perform a full filesystem dump. In that case, you should take a look at checkra1n, which provides an easy way to obtain root on most recent iPhone models.
Warning: Before you checkra1n any device, make sure you take a full backup, and that you are prepared to do a full factory reset before restoring it. Even after using checkra1n's "Restore System," some traces of the jailbreak are still left on the device, and apps with anti-jailbreak checks will be able to detect them and stop functioning.
After having jailbroken the device, you should be able to access the phone over ssh. In order to do this, you will typically need to use iproxy, which on Debian/Ubuntu systems can be installed with libusbmuxd-tools. Run the command:
iproxy 2222 44
Now you will be able to ssh as root to localhost on port 2222 with the password alpine. Note: if you used a jailbreak other than checkra1n, you might need to specify a different port number instead of 44.
At this point, you need to get access to the content of the device from your computer. One way is to run a command like ssh root@localhost -p 2222 tar czf - /private > dump.tar.gz, which will save a tarball on the host of the /private/ folder from the phone. This will take a while.
Alternatively, you can try to run sftp-server for iOS and mount the filesystem locally using sshfs.
sshfs on iOS
If you decide to try to use sshfs, you first have to download locally a compiled copy of sftp-server:
wget https://github.com/dweinstein/openssh-ios/releases/download/v7.5/sftp-server
Then upload the binary to the iPhone:
scp -P2222 sftp-server root@localhost:.
You will need to ssh into the device and set some entitlements to allow sftp-server to run. These entitlements can be copied from an existing binary:
chmod +x sftp-server
ldid -e /binpack/bin/sh > /tmp/sh-ents
ldid -S /tmp/sh-ents sftp-server
Now you can create a folder on the host and use it as a mount point (note: do not create this folder in /tmp/):
mkdir root_mount
sshfs -p 2222 -o sftp_server=/var/root/sftp-server root@localhost:/ root_mount
mvt-ios
When you are ready, you can proceed running mvt-ios against the filesystem dump or mount point:
$ mvt-ios check-fs --help
Usage: mvt-ios check-fs [OPTIONS] DUMP_PATH

  Extract artifacts from a full filesystem dump

Options:
  -i, --iocs PATH      Path to indicators file
  -o, --output PATH    Specify a path to a folder where you want to store JSON
                       results
  -f, --fast           Avoid running time/resource consuming features
  -l, --list-modules   Print list of available modules and exit
  -m, --module TEXT    Name of a single module you would like to run instead of
                       all
  --help               Show this message and exit.
Following is an example of basic usage of check-fs:
mvt-ios check-fs /path/to/filesystem/dump/ --output /path/to/output/
This command will create a few JSON files containing the results from the extraction. If you do not specify a --output option, mvt-ios will just process the data without storing results on disk.
Through the --iocs argument, you can specify a STIX2 file defining a list of malicious indicators to check against the records extracted by mvt-ios. Any matches will be highlighted in the terminal output as well as saved in the output folder using a "_detected" suffix on the JSON file name (for example, safari_history_detected.json).
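To make the indicator-matching step concrete, here is an added example (not MVT's own code) of the flow the text describes: read indicators from a STIX2-style bundle, check them against extracted records, and write both the full per-module JSON file and a "_detected" companion file. The bundle, the record field names (proc_name, bundle_id, url) and the module names are constructed for the example and are assumptions, not MVT's actual output format; MVT's real matching logic is broader than the two indicator types handled here.

```python
import json
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Constructed STIX2 bundle (not a real indicator file): two indicators,
# a domain name and a process name, plus an unrelated object that a
# parser must skip. Patterns use STIX2 comparison syntax.
SAMPLE_STIX_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-0000-0000-000000000001",
    "objects": [
        {"type": "indicator", "name": "constructed domain",
         "pattern": "[domain-name:value = 'malicious.example']"},
        {"type": "indicator", "name": "constructed process",
         "pattern": "[process:name = 'badproc']"},
        {"type": "malware", "name": "ExampleWare"},
    ],
}

# Constructed records, shaped like one flat JSON list per module
# (field names are assumptions made for this example).
SAMPLE_RECORDS = {
    "datausage": [
        {"proc_name": "MobileSafari", "bundle_id": "com.apple.mobilesafari"},
        {"proc_name": "badproc", "bundle_id": ""},
    ],
    "safari_history": [
        {"url": "https://www.apple.com/"},
        {"url": "https://malicious.example/stage1"},
    ],
}

# Matches single-comparison STIX2 patterns such as [domain-name:value = 'x'].
PATTERN_RE = re.compile(r"^\[([\w-]+):([\w.-]+)\s*=\s*'([^']*)'\]$")


def parse_indicators(bundle):
    """Collect domain and process-name indicators from a STIX2 bundle dict."""
    iocs = {"domains": set(), "processes": set()}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        match = PATTERN_RE.match(obj.get("pattern", ""))
        if not match:
            continue  # compound or unsupported pattern: skipped in this example
        obj_type, field, value = match.groups()
        if obj_type == "domain-name" and field == "value":
            iocs["domains"].add(value.lower())
        elif obj_type == "process" and field == "name":
            iocs["processes"].add(value)
    return iocs


def check_records(records, iocs):
    """Return {module: [matching records]} for the two constructed modules."""
    detected = {}
    for rec in records.get("datausage", []):
        if rec["proc_name"] in iocs["processes"]:
            detected.setdefault("datausage", []).append(rec)
    for rec in records.get("safari_history", []):
        host = urlparse(rec["url"]).hostname
        if host and host.lower() in iocs["domains"]:
            detected.setdefault("safari_history", []).append(rec)
    return detected


def write_results(records, detected, output_dir):
    """Write <module>.json for every module and <module>_detected.json for hits."""
    out = Path(output_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for module, recs in records.items():
        (out / f"{module}.json").write_text(json.dumps(recs, indent=2))
        written.append(f"{module}.json")
        if module in detected:
            (out / f"{module}_detected.json").write_text(
                json.dumps(detected[module], indent=2))
            written.append(f"{module}_detected.json")
    return sorted(written)


def demo():
    """Run the whole flow in a temporary folder and return the file names written."""
    iocs = parse_indicators(SAMPLE_STIX_BUNDLE)
    detected = check_records(SAMPLE_RECORDS, iocs)
    with tempfile.TemporaryDirectory() as tmp:
        names = write_results(SAMPLE_RECORDS, detected, tmp)
    return names


if __name__ == "__main__":
    for name in demo():
        print(name)
```

Running the script lists four files: the two module files and, because both constructed indicators matched, two "_detected" files. The point to take from it is that a module file is always written, while the "_detected" file exists only when at least one record matched an indicator, so an absent "_detected" file is a meaningful result in itself.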
mvt-ios
On this page you can find a (reasonably) up-to-date breakdown of the files created by MVT when performing an analysis of logs, backups or filesystem dumps.
check-fs or check-backup
analytics.json
Availability: Backup (if encrypted): no. Full filesystem dump: yes.
This JSON file is created by mvt-ios' Analytics module. The module extracts records from the plists inside the SQLite databases located at /private/var/Keychains/Analytics/*.db, which contain various analytics information regarding networking, certificate-pinning, TLS, etc. failures.
If indicators are provided through the command-line, processes and domains are checked against all fields of the plist. Any matches are stored in analytics_detected.json.
applications.json
Availability: Backup: yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' Applications module. The module extracts the list of applications installed on the device from the Info.plist file in a backup, or from the iTunesMetadata.plist files in a filesystem dump. These records contain detailed information on the source and installation of the app.
If indicators are provided through the command-line, processes and application IDs are checked against the app name of each application. The module also flags any applications not installed from the App Store. Any matches are stored in applications_detected.json.
backup_info.json
Availability: Backup: yes. Full filesystem dump: no.
This JSON file is created by mvt-ios' BackupInfo module. The module extracts some details about the backup and the device, such as name, phone number, IMEI, product type and version.
cache_files.json
Availability: Backup: no. Full filesystem dump: yes.
This JSON file is created by mvt-ios' CacheFiles module. The module extracts records from all SQLite database files stored on disk with the name Cache.db. These databases typically contain data from iOS' internal URL caching. Through this module you might be able to recover records of HTTP requests and responses performed by applications as well as system services, which would otherwise be unavailable. For example, you might see HTTP requests that were part of an exploitation chain, performed by an iOS service attempting to download a first-stage malicious payload.
If indicators are provided through the command-line, they are checked against the requested URL. Any matches are stored in cache_files_detected.json.
calendar.json
Availability: Backup: yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' Calendar module. This module extracts all CalendarItems from the Calendar.sqlitedb database. This database contains all calendar entries from the different calendars installed on the phone.
If indicators are provided through the command-line, email addresses are checked against the inviter's email of the different events. Any matches are stored in calendar_detected.json.
calls.json
Availability: Backup (if encrypted): yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' Calls module. The module extracts records from a SQLite database located at /private/var/mobile/Library/CallHistoryDB/CallHistory.storedata, which contains records of incoming and outgoing calls, including from messaging apps such as WhatsApp or Skype.
chrome_favicon.json
Availability: Backup: yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' ChromeFavicon module. The module extracts records from a SQLite database located at /private/var/mobile/Containers/Data/Application/*/Library/Application Support/Google/Chrome/Default/Favicons, which contains a mapping of favicons' URLs and the visited URLs which loaded them.
If indicators are provided through the command-line, they are checked against both the favicon URL and the visited URL. Any matches are stored in chrome_favicon_detected.json.
chrome_history.json
Availability: Backup: yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' ChromeHistory module. The module extracts records from a SQLite database located at /private/var/mobile/Containers/Data/Application/*/Library/Application Support/Google/Chrome/Default/History, which contains a history of URL visits.
If indicators are provided through the command-line, they are checked against the visited URL. Any matches are stored in chrome_history_detected.json.
configuration_profiles.json
Availability: Backup: yes. Full filesystem dump: no.
This JSON file is created by mvt-ios' ConfigurationProfiles module. The module extracts details about iOS configuration profiles that have been installed on the device. These should include both default iOS as well as third-party profiles.
If indicators are provided through the command-line, they are checked against the configuration profile UUID to identify any known malicious profiles. Any matches are stored in configuration_profiles_detected.json.
contacts.json
Availability: Backup: yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' Contacts module. The module extracts records from a SQLite database located at /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb, which contains records from the phone's address book. While this database obviously would not contain any malicious indicators per se, you might want to use it to compare records from other apps (such as iMessage, SMS, etc.) to filter those originating from unknown origins.
firefox_favicon.json
Availability: Backup: yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' FirefoxFavicon module. The module extracts records from a SQLite database located at /private/var/mobile/profile.profile/browser.db, which contains a mapping of favicons' URLs and the visited URLs which loaded them.
If indicators are provided through the command-line, they are checked against both the favicon URL and the visited URL. Any matches are stored in firefox_favicon_detected.json.
firefox_history.json
Availability: Backup: yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' FirefoxHistory module. The module extracts records from a SQLite database located at /private/var/mobile/profile.profile/browser.db, which contains a history of URL visits.
If indicators are provided through the command-line, they are checked against the visited URL. Any matches are stored in firefox_history_detected.json.
global_preferences.json
Availability: Backup: yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' GlobalPreferences module. The module extracts records from a plist file located at /private/var/mobile/Library/Preferences/.GlobalPreferences.plist, which contains system preferences, including whether Lockdown Mode is enabled.
id_status_cache.json
Availability: Backup (before iOS 14.7): yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' IDStatusCache module. The module extracts records from a plist file located at /private/var/mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist, which contains a cache of Apple user ID authentication. This cache will indicate when apps like FaceTime and iMessage first established contact with other registered Apple IDs. This is significant because it might contain traces of malicious accounts involved in exploitation of those apps.
Starting from iOS 14.7.0, this file is empty or absent.
shortcuts.json
Availability: Backup: yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' Shortcuts module. The module extracts records from an SQLite database located at /private/var/mobile/Library/Shortcuts/Shortcuts.sqlite, which contains records about the Shortcuts application. Shortcuts are a built-in iOS feature which allows users to automate certain actions on their device. In some cases the legitimate Shortcuts app may be abused by spyware to maintain persistence on an infected device.
interaction_c.json
Availability: Backup (if encrypted): yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' InteractionC module. The module extracts records from a SQLite database located at /private/var/mobile/Library/CoreDuet/People/interactionC.db, which contains details about user interactions with installed apps.
locationd_clients.json
Availability: Backup: yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' LocationdClients module. The module extracts records from a plist file located at /private/var/mobile/Library/Caches/locationd/clients.plist, which contains a cache of apps which requested access to location services.
manifest.json
Availability: Backup: yes. Full filesystem dump: no.
This JSON file is created by mvt-ios' Manifest module. The module extracts records from the SQLite database Manifest.db contained in iTunes backups, and which indexes the locally backed-up files to the original paths on the iOS device.
If indicators are provided through the command-line, they are checked against the original relative path. In some cases there might be records of files whose name contains a domain name, for example in browser cache folders. Any matches are stored in manifest_detected.json.
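The following is an added example, not MVT's own code, of the Manifest.db check described above: it scans the relative paths indexed in a Manifest.db-style table for indicator domains and, for each hit, derives where the backed-up copy of that file lives inside the backup folder. The in-memory table is a constructed stand-in that models only the fileID, domain, relativePath and flags columns of the real Files table; the sample entries and the indicator domain are constructed for the example.

```python
import hashlib
import sqlite3


def file_id(domain, relative_path):
    """Backup file name: SHA-1 of '<domain>-<relativePath>' (iTunes backup scheme)."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()


def backup_location(fid):
    """Path inside a modern (iOS 10+) backup folder: files sit in a two-character subfolder."""
    return f"{fid[:2]}/{fid}"


def build_sample_manifest():
    """Constructed in-memory stand-in for Manifest.db.

    Assumption: only the fileID, domain, relativePath and flags columns of
    the Files table are modelled (the real table also stores a plist blob).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                 "relativePath TEXT, flags INTEGER)")
    # Constructed entries; flags 1 = file, 2 = directory.
    entries = [
        ("HomeDomain", "Library/SMS/sms.db", 1),
        ("HomeDomain", "Library/Caches", 2),
        ("AppDomain-com.example.browser",
         "Library/Caches/cache.malicious.example/index", 1),
    ]
    conn.executemany("INSERT INTO Files VALUES (?, ?, ?, ?)",
                     [(file_id(d, p), d, p, f) for d, p, f in entries])
    return conn


def check_manifest(conn, domains):
    """Flag Files rows whose relative path contains any of the indicator domains."""
    detected = []
    rows = conn.execute("SELECT fileID, domain, relativePath, flags FROM Files "
                        "ORDER BY domain, relativePath")
    for fid, domain, rel_path, flags in rows:
        hit = next((d for d in domains if d in rel_path.lower()), None)
        if hit is None:
            continue
        detected.append({
            "domain": domain,
            "relative_path": rel_path,
            "file_id": fid,
            # Where to find the actual file content inside the backup folder.
            "backup_path": backup_location(fid),
            "matched": hit,
            "is_directory": flags == 2,
        })
    return detected


if __name__ == "__main__":
    for hit in check_manifest(build_sample_manifest(), {"malicious.example"}):
        print(hit)
```

The backup_path value is what lets an analyst go from a manifest hit to the backed-up file itself, which is useful because the Manifest.db record only proves that a file with that name existed, while the file content is what tells you what was actually cached.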
os_analytics_ad_daily.json
Availability: Backup: yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' OSAnalyticsADDaily module. The module extracts records from a plist located at /private/var/mobile/Library/Preferences/com.apple.osanalytics.addaily.plist, which contains a history of data usage by processes running on the system. Besides the network statistics, these records are particularly important because they might show traces of malicious process executions and the relevant timeframe.
If indicators are provided through the command-line, they are checked against the process names. Any matches are stored in os_analytics_ad_daily_detected.json.
datausage.json
Availability: Backup: yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' Datausage module. The module extracts records from a SQLite database located at /private/var/wireless/Library/Databases/DataUsage.sqlite, which contains a history of network data usage by processes running on the system. It does not log network traffic over WiFi (the fields WIFI_IN and WIFI_OUT are always empty), and the WWAN_IN and WWAN_OUT fields are stored in bytes. Besides the network statistics, these records are particularly important because they might show traces of malicious process executions and the relevant timeframe. In particular, processes which do not have a valid bundle ID might require particular attention.
If indicators are provided through the command-line, they are checked against the process names. Any matches are stored in datausage_detected.json. If running on a full filesystem dump and if the --fast flag was not enabled by command-line, mvt-ios will highlight processes which look suspicious and check the presence of a binary file of the same name in the dump.
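As an added example (not MVT's own code), here is how the DataUsage records described above can be pulled out of the database and screened for processes lacking a bundle ID. The in-memory database is a constructed, simplified stand-in: it is an assumption that only the ZPROCESS and ZLIVEUSAGE tables, with the columns shown, matter for this purpose, and the rows and process names are invented. Timestamps are converted from Core Data's 2001-based epoch, which is how the dates in this database are stored.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Core Data timestamps count seconds from 2001-01-01 00:00:00 UTC.
CORE_DATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def core_data_to_iso(seconds):
    """Convert a Core Data timestamp to an ISO 8601 UTC string (None stays None)."""
    if seconds is None:
        return None
    return (CORE_DATA_EPOCH + timedelta(seconds=seconds)).isoformat()


def build_sample_db():
    """Constructed in-memory stand-in for DataUsage.sqlite.

    Assumption: only the ZPROCESS and ZLIVEUSAGE tables and the columns
    used below are modelled; the real database has more of both.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZPROCESS (
            Z_PK INTEGER PRIMARY KEY, ZFIRSTTIMESTAMP REAL, ZTIMESTAMP REAL,
            ZBUNDLENAME TEXT, ZPROCNAME TEXT);
        CREATE TABLE ZLIVEUSAGE (
            Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER, ZTIMESTAMP REAL,
            ZWIFIIN REAL, ZWIFIOUT REAL, ZWWANIN REAL, ZWWANOUT REAL);
    """)
    # Constructed rows: an app with a bundle ID and a bare process without one.
    conn.executemany("INSERT INTO ZPROCESS VALUES (?, ?, ?, ?, ?)", [
        (1, 600000000.0, 600003600.0, "com.apple.mobilesafari", "MobileSafari"),
        (2, 600001000.0, 600001200.0, "", "xyzproc"),
    ])
    conn.executemany("INSERT INTO ZLIVEUSAGE VALUES (?, ?, ?, ?, ?, ?, ?)", [
        (1, 1, 600003600.0, None, None, 150000.0, 20000.0),
        (2, 2, 600001200.0, None, None, 4096.0, 512.0),
    ])
    return conn


def extract_datausage(conn):
    """Join live usage rows to their process and return flat records, oldest first."""
    rows = conn.execute("""
        SELECT ZPROCESS.ZFIRSTTIMESTAMP, ZLIVEUSAGE.ZTIMESTAMP,
               ZPROCESS.ZBUNDLENAME, ZPROCESS.ZPROCNAME,
               ZLIVEUSAGE.ZWWANIN, ZLIVEUSAGE.ZWWANOUT
        FROM ZLIVEUSAGE
        LEFT JOIN ZPROCESS ON ZLIVEUSAGE.ZHASPROCESS = ZPROCESS.Z_PK
        ORDER BY ZLIVEUSAGE.ZTIMESTAMP
    """)
    records = []
    for first_ts, live_ts, bundle_id, proc_name, wwan_in, wwan_out in rows:
        records.append({
            "first_isodate": core_data_to_iso(first_ts),
            "isodate": core_data_to_iso(live_ts),
            "proc_name": proc_name,
            "bundle_id": bundle_id or "",
            # WIFI_IN/WIFI_OUT are always empty in this database, so only WWAN is kept.
            "wwan_in": int(wwan_in or 0),
            "wwan_out": int(wwan_out or 0),
        })
    return records


def processes_without_bundle_id(records):
    """Process names with no bundle ID: candidates for manual review."""
    return sorted({r["proc_name"] for r in records if not r["bundle_id"]})


if __name__ == "__main__":
    recs = extract_datausage(build_sample_db())
    for r in recs:
        print(r)
    print("review:", processes_without_bundle_id(recs))
```

Two things the code makes visible that the description only states: the first_isodate of a process is independent of the usage row's own timestamp (it records when the process was first seen, which bounds the timeframe of interest), and an empty bundle ID is a property of the ZPROCESS row, so a single process lacking one will flag every usage row joined to it.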
netusage.json
Availability: Backup: no. Full filesystem dump: yes.
This JSON file is created by mvt-ios' Netusage module. The module extracts records from a SQLite database located at /private/var/networkd/netusage.sqlite, which contains a history of data usage by processes running on the system. Besides the network statistics, these records are particularly important because they might show traces of malicious process executions and the relevant timeframe. In particular, processes which do not have a valid bundle ID might require particular attention.
If indicators are provided through the command-line, they are checked against the process names. Any matches are stored in netusage_detected.json. If running on a full filesystem dump and if the --fast flag was not enabled by command-line, mvt-ios will highlight processes which look suspicious and check the presence of a binary file of the same name in the dump.
profile_events.json
Availability: Backup: yes. Full filesystem dump: no.
This JSON file is created by mvt-ios' ProfileEvents module. The module extracts a timeline of configuration profile operations. For example, it should indicate when a new profile was installed from the Settings app, or when one was removed.
safari_browser_state.json
Availability: Backup (if encrypted): yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' SafariBrowserState module. The module extracts records from the SQLite databases located at /private/var/mobile/Library/Safari/BrowserState.db or /private/var/mobile/Containers/Data/Application/*/Library/Safari/BrowserState.db, which contain records of opened tabs.
If indicators are provided through the command-line, they are checked against the visited URL. Any matches are stored in safari_browser_state_detected.json.
safari_favicon.json
Availability: Backup: no. Full filesystem dump: yes.
This JSON file is created by mvt-ios' SafariFavicon module. The module extracts records from the SQLite databases located at /private/var/mobile/Library/Image Cache/Favicons/Favicons.db or /private/var/mobile/Containers/Data/Application/*/Library/Image Cache/Favicons/Favicons.db, which contain mappings of favicons' URLs and the visited URLs which loaded them.
If indicators are provided through the command-line, they are checked against both the favicon URL and the visited URL. Any matches are stored in safari_favicon_detected.json.
safari_history.json
Availability: Backup (if encrypted): yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' SafariHistory module. The module extracts records from the SQLite databases located at /private/var/mobile/Library/Safari/History.db or /private/var/mobile/Containers/Data/Application/*/Library/Safari/History.db, which contain a history of URL visits.
If indicators are provided through the command-line, they are checked against the visited URL. Any matches are stored in safari_history_detected.json.
shutdown_log.json
Availability: Backup (if encrypted): no. Full filesystem dump: yes.
This JSON file is created by mvt-ios' ShutdownLog module. The module extracts records from the shutdown log located at /private/var/db/diagnostics/shutdown.log. When an iPhone shuts down, a SIGTERM is sent to all running processes. The shutdown.log file records any process (with its pid and path) that did not shut down after the SIGTERM was sent.
If indicators are provided through the command-line, they are checked against the paths. Any matches are stored in shutdown_log_detected.json.
sms.json
Availability: Backup: yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' SMS module. The module extracts a list of SMS messages from the SQLite database located at /private/var/mobile/Library/SMS/sms.db.
If indicators are provided through the command-line, they are checked against the extracted HTTP links. Any matches are stored in sms_detected.json.
sms_attachments.json
Availability: Backup: yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' SMSAttachments module. The module extracts details about attachments sent via SMS or iMessage from the same database used by the SMS module. These records might be useful to indicate unique patterns that might be indicative of exploitation attempts leveraging potential vulnerabilities in file format parsers or other forms of file handling by the Messages app.
tcc.json
Availability: Backup: yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' TCC module. The module extracts records from a SQLite database located at /private/var/mobile/Library/TCC/TCC.db, which contains a list of which services such as microphone, camera, or location, apps have been granted or denied access to.
version_history.json
Availability: Backup: no. Full filesystem dump: yes.
This JSON file is created by mvt-ios' IOSVersionHistory module. The module extracts records of iOS software updates from analytics plist files located at /private/var/db/analyticsd/Analytics-Journal-*.ips.
webkit_indexeddb.json
Availability: Backup: no. Full filesystem dump: yes.
This JSON file is created by mvt-ios' WebkitIndexedDB module. The module extracts a list of file and folder names located under /private/var/mobile/Containers/Data/Application/*/Library/WebKit/WebsiteData/IndexedDB, which contains IndexedDB files created by any app installed on the device.
If indicators are provided through the command-line, they are checked against the extracted names. Any matches are stored in webkit_indexeddb_detected.json.
webkit_local_storage.json
Availability: Backup: no. Full filesystem dump: yes.
This JSON file is created by mvt-ios' WebkitLocalStorage module. The module extracts a list of file and folder names located under /private/var/mobile/Containers/Data/Application/*/Library/WebKit/WebsiteData/LocalStorage/, which contains local storage files created by any app installed on the device.
If indicators are provided through the command-line, they are checked against the extracted names. Any matches are stored in webkit_local_storage_detected.json.
webkit_resource_load_statistics.json
Availability: Backup: yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' WebkitResourceLoadStatistics module. The module extracts records from the available WebKit ResourceLoadStatistics observations.db SQLite3 databases. These records should indicate domain names contacted by apps, including a timestamp.
If indicators are provided through the command-line, they are checked against the extracted domain names. Any matches are stored in webkit_resource_load_statistics_detected.json.
webkit_safari_view_service.json
Availability: Backup: no. Full filesystem dump: yes.
This JSON file is created by mvt-ios' WebkitSafariViewService module. The module extracts a list of file and folder names located under /private/var/mobile/Containers/Data/Application/*/SystemData/com.apple.SafariViewService/Library/WebKit/WebsiteData/, which contains files cached by SafariViewService.
If indicators are provided through the command-line, they are checked against the extracted names. Any matches are stored in webkit_safari_view_service_detected.json.
webkit_session_resource_log.json
Availability: Backup: yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' WebkitSessionResourceLog module. The module extracts records from plist files with the name full_browsing_session_resourceLog.plist, which contain records of resources loaded by different domains visited.
If indicators are provided through the command-line, they are checked against the extracted domains. Any matches are stored in webkit_session_resource_log_detected.json.
whatsapp.json
Availability: Backup: yes. Full filesystem dump: yes.
This JSON file is created by mvt-ios' WhatsApp module. The module extracts a list of WhatsApp messages from the SQLite database located at /private/var/mobile/Containers/Shared/AppGroup/*/ChatStorage.sqlite.
If indicators are provided through the command-line, they are checked against the extracted HTTP links. Any matches are stored in whatsapp_detected.json.