An attempt to simplify the process to check iPhones for the Pegasus spyware.

wwwhtml/mvt-pegasus-spyware-checker-tutorial

MVT Pegasus Spyware Checker Tutorial

A (simpler?) tutorial.

("An unprecedented leak of more than 50,000 phone numbers selected for surveillance by the customers of the Israeli company NSO Group shows how this technology has been systematically abused for years. The Forbidden Stories consortium and Amnesty International had access to records of phone numbers selected by NSO clients in more than 50 countries since 2016." ~ https://forbiddenstories.org/about-the-pegasus-project/)


Needed:

  • iPhone
  • USB Cable to connect iPhone with Laptop
  • Laptop MacOS (to create iPhone encrypted backup)
  • Laptop with Ubuntu Linux (to run the MVT Pegasus spyware checker)
  • Internet access to download required software.
  • Patience, because there is a lot of waiting.

Heads up: Replace the username "x" and the directory "/home/x" with the ones on your system. Wherever UDID appears, replace it with the iPhone's 40-digit sequence of letters and numbers. Also, be sure the Ubuntu system has at least two times the space of the iPhone backup.

The Process Starts Here


On Ubuntu run these commands, one line at a time:
sudo apt update
sudo apt upgrade
sudo apt install python3-pip
sudo apt install libusb-1.0-0
sudo apt install sqlite3
sudo apt install git
export PATH=$PATH:~/.local/bin
mkdir -p /home/x/repos
cd /home/x/repos
git clone https://github.com/mvt-project/mvt.git
cd mvt

For the following command, please include the dot at the end of the line:
pip3 install .

Now, still in Ubuntu, install the libimobiledevice utils:
sudo apt install libimobiledevice-utils

To check that libimobiledevice-utils works, connect the iPhone to the Ubuntu computer.
If this is the first time connecting the iPhone, make sure the phone is unlocked and press the "Trust" button so that the connection between the iPhone and Ubuntu is allowed. Then run this command:
ideviceinfo
The output of the above command should show the iPhone's information.

Using the USB cable, connect the iPhone to the MacOS computer. Create the iPhone backup, saving it on the Desktop area. The result should be a folder named "backup". Choose an encrypted backup and set a password.
Instructions on how: https://support.apple.com/en-us/HT205220

Next upload the "backup" folder to the Ubuntu laptop (replace UBUNTU_HOST with the Ubuntu laptop's hostname or IP address):
rsync -HPSavx /home/x/Desktop/backup -e "ssh -p 22" x@UBUNTU_HOST:/home/x/Desktop

Now, back on Ubuntu, create a folder named "decrypted-backup" in the user's Desktop area:
mkdir -p /home/x/Desktop/decrypted-backup

Now let's decrypt the backup. The password set during the backup process is now needed. When done, the decrypted files will be in the "decrypted-backup" folder:
mvt-ios decrypt-backup -d /home/x/Desktop/decrypted-backup /home/x/Desktop/backup

If mvt-ios can't find the source folder, you may need to add the iPhone's UDID number as the last directory on the path, syntax: /home/x/Desktop/backup/UDID. Use this command to find the iPhone's UDID:
ideviceinfo | grep UniqueDeviceID
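
The script below is an added example, not part of the original tutorial or of the MVT project. It checks the two things that most often stop the decrypt step: the backup sitting in a UDID-named subfolder, and the "two times the space" rule from the heads-up note. The function names and the file name preflight.sh are assumptions.

```shell
#!/bin/sh
# Added example (not from the MVT project): pre-flight checks to run before
# "mvt-ios decrypt-backup". Function names are hypothetical.

# Print the folder that really holds the backup: the given folder itself, or
# its single UDID-named subfolder. Manifest.plist marks an iPhone backup root.
resolve_backup_dir() {
    rb_base="${1%/}"; rb_found=""; rb_count=0
    if [ -f "$rb_base/Manifest.plist" ]; then
        printf '%s\n' "$rb_base"
        return 0
    fi
    for rb_sub in "$rb_base"/*/; do
        if [ -f "${rb_sub}Manifest.plist" ]; then
            rb_found="${rb_sub%/}"
            rb_count=$((rb_count + 1))
        fi
    done
    if [ "$rb_count" -ne 1 ]; then
        echo "error: $rb_count backups found under $rb_base, expected 1" >&2
        return 1
    fi
    printf '%s\n' "$rb_found"
}

# Succeed only if the filesystem holding $2 has free space of at least twice
# the size of the backup in $1 (the tutorial's "two times the space" rule).
has_enough_space() {
    hs_used_kb=$(du -sk "$1" | awk '{print $1}')
    hs_free_kb=$(df -Pk "$2" | awk 'NR==2 {print $4}')
    [ "$hs_free_kb" -ge $((hs_used_kb * 2)) ]
}

# Run both checks, then print the decrypt command with the resolved path.
preflight() {
    pf_src=$(resolve_backup_dir "$1") || return 1
    if ! has_enough_space "$pf_src" "$2"; then
        echo "error: $2 has less than twice the backup size free" >&2
        return 1
    fi
    echo "mvt-ios decrypt-backup -d $2 $pf_src"
}

# Usage: sh preflight.sh /home/x/Desktop/backup /home/x/Desktop/decrypted-backup
if [ "$#" -eq 2 ]; then
    preflight "$@"
fi
```

The script only prints the decrypt command with the resolved source path; it does not run it, so the backup password is still entered at the mvt-ios prompt.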

Change directory:
cd /home/x/repos/mvt/mvt/ios

Now download the pegasus.stix2 file from the AmnestyTech GitHub investigations repo:
wget https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/pegasus.stix2

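Now the final step: run the following command to check for Pegasus spyware traces, passing the pegasus.stix2 file downloaded in the previous step with --iocs so the data is compared against those indicators:
mvt-ios check-fs /home/x/Desktop/decrypted-backup/ --iocs /home/x/repos/mvt/mvt/ios/pegasus.stix2 --output /home/x/Desktop/output/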

Besides the results shown on the screen, files with the results should be in the "output" folder.

Thank you.
---------------------------------------------------------------------------------------
Tutorial based 100% on: https://docs.mvt.re/en/latest/index.html and https://github.com/mvt-project/mvt
Comments/Corrections/etc (twitter): @danarauz
TAGS: #MobileVerificationToolkit #mvt #pegasus #spyware #amnistytech #mvt-project #nso #pegasusSpyware #surveillance #spying
