This guide is intended for journalists and folks who have reason to believe they’ve been targeted with spyware. If you think your iPhone is compromised, you need to take a snapshot of its contents as soon as possible.
Make sure you have Docker and git installed on your system.
git clone https://github.com/mvt-project/mvt.git && cd mvt
docker build -t mvt .
Plug in your iPhone and start the container
sudo systemctl stop usbmuxd.service
mkdir -p iphone
docker run -it --privileged -v /dev/bus/usb:/dev/bus/usb -v $(pwd)/iphone:/home/cases/iphone mvt
Your device will prompt you for your passcode and ask if you trust your computer. Tap yes.
usbmuxd
idevicepair pair
After pairing you should see the following output:
SUCCESS: Paired with device <DEVICE>
Run ideviceinfo to make sure your device is recognized.
We’ll need to enable encryption to dump a complete backup. Run the command below and confirm your encryption key. Save this somewhere safe. You’ll need it to decrypt your backup later on.
idevicebackup2 -i encryption on
After confirming from your device, you should see the following output:
Backup encryption has been enabled successfully.
mkdir -p iphone/backup
idevicebackup2 backup --full iphone/backup
After creating a full backup, you should see something like the following:
Received x files from device.
Backup Successful.
Run ls -al iphone/backup/* to confirm the encrypted backup exists.
The forensics team over at Amnesty International maintains a list of IOCs from their technical investigations. We’ll check our artifacts against these for any matches.
mvt-ios download-iocs
The decryption step below will prompt you for the encryption key you created earlier.
mkdir -p iphone/decrypted
mvt-ios decrypt-backup -d iphone/decrypted iphone/backup
Run ls -al iphone/decrypted/* to confirm the backup was decrypted successfully.
The scan will check your communication patterns (call logs, text messages, WhatsApp) and browser history against those previously extracted from known compromised devices.
mkdir -p iphone/scan
mvt-ios check-backup -o iphone/scan iphone/decrypted
This will populate the scan directory with a number of JSON files for you to analyze.
Run ls -al iphone/scan | grep detected to check for any matches.
This will take some time. Wait for it to finish.
find iphone/decrypted -type f -exec shred -u --random-source=/dev/urandom {} \;
rm -rf iphone/decrypted && exit
If you detect a match, you should assume that your device is compromised and act accordingly. Note however that malware moves fast and more recent variants are built to evade known indicators. In any case, keep your encrypted backup somewhere safe and reach out to a forensics specialist for help. A full file system dump will be much more informative.
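The grep step above only tells you that a *_detected.json file exists; the small script below, added here as an example and not part of the MVT project, reads every detected file in the scan directory and lists the indicator each record matched. It assumes MVT attaches a matched_indicator object (with type, value and name keys) to each matching record, and it builds its own constructed sample scan directory so it can be tried without a real backup.

```python
"""Summarise MVT *_detected.json files (added example, not MVT's own code)."""
import json
import tempfile
from pathlib import Path


def detected_files(scan_dir):
    """Return the *_detected.json files MVT writes when a module finds an IOC match."""
    return sorted(Path(scan_dir).glob("*_detected.json"))


def summarize_scan(scan_dir):
    """Map each detected file to its record count and the (type, value) of matched IOCs.

    Assumption: matching records carry a 'matched_indicator' dict with
    'type', 'value' and 'name'. Records without it are still counted but
    reported as ('unknown', 'unknown') so nothing is silently dropped.
    """
    summary = {}
    for path in detected_files(scan_dir):
        with path.open() as fh:
            records = json.load(fh)
        if not isinstance(records, list):  # tolerate a single object instead of a list
            records = [records]
        hits = []
        for rec in records:
            ioc = rec.get("matched_indicator") if isinstance(rec, dict) else None
            if isinstance(ioc, dict):
                hits.append((ioc.get("type", "unknown"), ioc.get("value", "unknown")))
            else:
                hits.append(("unknown", "unknown"))
        summary[path.name] = {"count": len(records), "hits": hits}
    return summary


def build_sample_scan_dir():
    """Create a constructed scan directory: one detected file plus one clean file.

    The domain below is a constructed placeholder, not a real indicator.
    """
    scan_dir = Path(tempfile.mkdtemp(prefix="mvt-scan-"))
    detected = [
        {"url": "http://placeholder-ioc.example/landing",
         "matched_indicator": {"type": "domains", "value": "placeholder-ioc.example",
                               "name": "constructed-sample"}},
        {"text": "record with no indicator attached"},
    ]
    (scan_dir / "safari_history_detected.json").write_text(json.dumps(detected))
    (scan_dir / "sms.json").write_text(json.dumps([{"text": "clean record"}]))
    return scan_dir


if __name__ == "__main__":
    for name, info in summarize_scan(build_sample_scan_dir()).items():
        print(f"{name}: {info['count']} record(s)")
        for ioc_type, value in info["hits"]:
            print(f"  {ioc_type}: {value}")
```

Point summarize_scan at iphone/scan to review your own results; the values it prints are what to hand to a forensics specialist alongside the encrypted backup.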