MVT Pegasus Spyware Checker Tutorial

A (simpler?) tutorial.

("An unprecedented leak of more than 50,000 phone numbers selected for surveillance by the customers of the Israeli company NSO Group shows how this technology has been systematically abused for years. The Forbidden Stories consortium and Amnesty International had access to records of phone numbers selected by NSO clients in more than 50 countries since 2016." ~ https://forbiddenstories.org/about-the-pegasus-project/)


Needed:

  • iPhone
  • USB Cable to connect iPhone with Laptop
  • Laptop with macOS (to create the encrypted iPhone backup)
  • Laptop with Ubuntu Linux (to run the MVT Pegasus spyware checker)
  • Internet access to download required software.
  • Patience, because there is a lot of waiting.

Heads up: Replace the username "x" and the directory "/home/x" with the ones on your system. Replace UDID with the iPhone's 40-digit sequence of letters and numbers. Also, be sure the Ubuntu system has free space of at least two times the size of the iPhone backup.

The Process Starts Here


On Ubuntu, run these commands, one line at a time:
sudo apt update
sudo apt upgrade
sudo apt install python3-pip
sudo apt install libusb-1.0-0
sudo apt install sqlite3
sudo apt install git
export PATH=$PATH:~/.local/bin
mkdir -p /home/x/repos
cd /home/x/repos
git clone https://github.com/mvt-project/mvt.git
cd mvt

For the following command, please include the dot at the end of the line:
pip3 install .

Now, still in Ubuntu, install the libimobiledevice utils:
sudo apt install libimobiledevice-utils

To check if libimobiledevice-utils works, connect the iPhone to the Ubuntu computer.
If this is the first time connecting the iPhone, make sure the phone is unlocked and that the "Trust" button is pressed, so that the connection between the iPhone and Ubuntu is allowed. Then run this command:
ideviceinfo
The output of the above command should show the iPhone's information.

Using the USB cable, connect the iPhone to the macOS computer. Create the iPhone backup, saving it on the Desktop area. The result should be a folder named "backup". Choose an encrypted backup and set a password.
Instructions on how: https://support.apple.com/en-us/HT205220

Next, upload the "backup" folder to the Ubuntu laptop (the Ubuntu laptop's address goes between "x@" and ":"):
rsync -HPSavx /home/x/Desktop/backup -e "ssh -p 22" x@:/home/x/Desktop

Now, back on the Ubuntu user's Desktop area, create a folder named "decrypted-backup":
mkdir -p /home/x/Desktop/decrypted-backup

Now let's decrypt the backup. The password set during the backup process is now needed. When done, the decrypted files will be in the "decrypted-backup" folder:
mvt-ios decrypt-backup -d /home/x/Desktop/decrypted-backup /home/x/Desktop/backup

If mvt-ios can't find the source folder, you may need to add the iPhone's UDID number as the last directory on the path, syntax: /home/x/Desktop/backup/UDID. Use this command to find the iPhone's UDID:
ideviceinfo | grep UniqueDeviceID

Change directory:
cd /home/x/repos/mvt/mvt/ios

Now download the pegasus.stix2 file from the AmnestyTech GitHub content repo:
wget https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/pegasus.stix2

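Now the final step: run the following command to check the decrypted backup for Pegasus spyware traces, using the indicators in the pegasus.stix2 file downloaded in the previous step:
mvt-ios check-backup --iocs pegasus.stix2 /home/x/Desktop/decrypted-backup/ --output /home/x/Desktop/output/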

Besides the results shown on the screen, files with the results should be in the "output" folder.
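
What the pegasus.stix2 file downloaded above holds, as an added example (not part of the original tutorial and not MVT's own code): it is a STIX 2 bundle whose indicator objects carry patterns such as [domain-name:value='...'], and this Python code groups those values by type and compares a hostname against the domain set. The sample bundle, the function names and the subdomain-matching rule are assumptions made for illustration.

```python
import json
import re
from collections import defaultdict

# Constructed sample in STIX 2 bundle layout with shortened ids. Every value
# is a made-up placeholder; none comes from the real pegasus.stix2.
SAMPLE_BUNDLE = json.loads("""
{"type": "bundle", "objects": [
  {"type": "malware", "id": "malware--1", "name": "Sample"},
  {"type": "indicator", "id": "indicator--1", "pattern": "[domain-name:value='bad-cdn.example']"},
  {"type": "indicator", "id": "indicator--2", "pattern": "[process:name='fakedaemond']"},
  {"type": "indicator", "id": "indicator--3", "pattern": "[email-addr:value='lure@mail.example']"},
  {"type": "indicator", "id": "indicator--4", "pattern": "[file:hashes.MD5 = 'x' OR file:name = 'y']"}
]}
""")

# A single comparison of the form [object:property = 'value'].
SIMPLE = re.compile(r"^\[\s*([\w-]+:[\w.]+)\s*=\s*'([^']*)'\s*\]$")


def load_indicators(bundle):
    """Group indicator values by STIX object path; return (groups, skipped ids)."""
    grouped, skipped = defaultdict(set), []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # malware, relationship and other objects carry no pattern
        m = SIMPLE.match(obj.get("pattern", "").strip())
        if m:
            grouped[m.group(1)].add(m.group(2))
        else:
            skipped.append(obj.get("id"))  # compound pattern: report, do not guess
    return grouped, skipped


def domain_hit(host, domains):
    """Return the indicator domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in domains:
        d = d.lower()
        if host == d or host.endswith("." + d):
            return d
    return None


if __name__ == "__main__":
    iocs, skipped = load_indicators(SAMPLE_BUNDLE)
    for path, values in sorted(iocs.items()):
        print(path, len(values))
    print("patterns not parsed:", skipped)
```

To inspect the real file, pass json.load(open("pegasus.stix2")) to load_indicators in place of the sample.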

Thank you.
---------------------------------------------------------------------------------------
Tutorial based 100% on: https://docs.mvt.re/en/latest/index.html and https://github.com/mvt-project/mvt
Comments/Corrections/etc (twitter): @danarauz
TAGS: #MobileVerificationToolkit #mvt #pegasus #spyware #amnistytech #mvt-project #nso #pegasusSpyware #surveillance #spying