How to backup and analyse iOS devices against Pegasus IOCs using Docker and MVT

This guide gives you a step-by-step procedure to conduct a forensic analysis of an iOS device using the Mobile Verification Toolkit (MVT) created by the Amnesty Tech team.

This guide is written and maintained by Esther Onfroy & Abir Ghattas.

Why?

Many people struggle to analyze iOS devices because of the complexity of the procedure on Linux. We use Docker because recent iOS versions require a build of libimobiledevice that Linux distributions do not yet ship, and the MVT Docker image builds a suitable one. We use libimobiledevice to back up the iOS device instead of iTunes.

This guide has been successfully tested on Ubuntu 20.04 with:

  • iOS 13.5.1
  • iOS 14.5
  • iOS 14.7

Requirements

  • A Debian-based operating system
  • Root access on your computer
  • Docker already installed
  • Familiarity with the Linux command line

Follow each step in the same terminal session.

Prepare your computer

1. Create a directory for your investigations
mkdir Pegasus_investigations
cd Pegasus_investigations
2. Prepare directory structure
mkdir ioc backup decrypted checked
3. Retrieve IOC provided by Amnesty International
wget https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/pegasus.stix2 -O ioc/pegasus.stix2

If you want to learn more about the IOC, check the Amnesty Tech repository.

4. Retrieve the Dockerfile
wget https://raw.githubusercontent.com/mvt-project/mvt/main/Dockerfile -O Dockerfile
5. Build the Docker image

Depending on your setup, you may have to be root from this step to the end of the investigation: both Docker and usbmuxd need privileges.

docker build -t mvt .

Prepare the iOS device to be analyzed

6. Plug your iOS device to your computer

Do not unplug it until the end of the backup procedure, and keep the device unlocked while the backup runs.

7. Stop the host's USB multiplexer daemon (usbmuxd)
systemctl stop usbmuxd

The usbmuxd instance started inside the container must own the device, so the host daemon has to be stopped first. This command can take a moment; just wait.

8. Start the Docker container
docker run -it --privileged --rm -v /dev/bus/usb:/dev/bus/usb --net=host \
  -v "$PWD/ioc:/home/cases/ioc" \
  -v "$PWD/decrypted:/home/cases/decrypted" \
  -v "$PWD/checked:/home/cases/checked" \
  -v "$PWD/backup:/home/cases/backup" \
  mvt

From now on, every command you run is executed inside the container, whose working directory holds the four mounted folders.

9. Start usbmuxd inside the container
usbmuxd

The iOS device may ask whether you trust the connected computer: tap Trust and enter the device passcode if prompted.

10. Check that the iOS device is recognized
ideviceinfo

This prints the device properties, including its UDID and ProductVersion (the iOS version). If nothing is printed, the device is not paired or usbmuxd is not running.

Backup the iOS device

11. Turn backup encryption on
idevicebackup2 -i encryption on

You will be prompted for a backup password. Choose one and write it down: it is needed to decrypt the backup in step 13, and it is only the encrypted backup that contains the keychain and other data MVT needs. If backup encryption is already enabled on the device, no new password is set and the existing one applies.
12. Backup the iOS device
idevicebackup2 backup --full backup/

Once done, you can unplug the iOS device. Run ls -l backup to get the name of the backup: it is a directory named after the device UDID.

Analyze the backup

13. Decrypt the backup
mvt-ios decrypt-backup -p <backup password> -d decrypted backup/<backup name>

For more details and options, check the MVT documentation and its note regarding the backup password. Passing the password with -p leaves it in your shell history; MVT also reads it from the MVT_IOS_BACKUP_PASSWORD environment variable. If backup encryption was already enabled on this device (for example through iTunes or Finder), the password is the one that was set at that time.

14. Analyze the backup
mvt-ios check-backup -o checked --iocs ioc/pegasus.stix2 decrypted
15. Check the results
ls -l checked

The folder checked contains one JSON file per MVT module. Any IOC matches are additionally written to files suffixed with _detected.json; MVT only creates those when a module has matches, so the absence of *_detected.json files means no match, not a failed run.
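To see what the STIX2 file retrieved in step 3 actually carries and how a _detected.json file in checked relates to it, here is an added, self-contained Python example; it is not part of this guide nor MVT's own code. It parses the indicator pattern shape that pegasus.stix2 uses ([<type>:<property> = '<value>']), matches a few constructed Safari-history records against the domain indicators with a host-suffix comparison (a simplified stand-in for MVT's own matching), and counts the records in *_detected.json files. Every indicator value, URL and record below is a made-up placeholder, not a real Pegasus IOC.

```python
"""Added example, not from the guide or from MVT: offline walk-through of the
STIX2 indicators MVT consumes and of the *_detected.json files it produces.
All indicator values, URLs and records are constructed placeholders."""
import json
import os
import re
import tempfile
from urllib.parse import urlsplit

# Constructed bundle in the same shape as pegasus.stix2: "indicator" objects
# whose "pattern" reads "[<type>:<property> = '<value>']".  Values are fake.
CONSTRUCTED_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "pattern": "[domain-name:value = 'ioc-domain.invalid']"},
        {"type": "indicator", "pattern": "[domain-name:value = 'second-ioc.invalid']"},
        {"type": "indicator", "pattern": "[process:name = 'fakeprocess']"},
        {"type": "indicator", "pattern": "[email-addr:value = 'sender@ioc-mail.invalid']"},
        {"type": "malware", "name": "not an indicator, skipped by the parser"},
    ],
}

# Constructed records in the spirit of MVT's safari_history.json output.
CONSTRUCTED_HISTORY = [
    {"isodate": "2021-07-18 10:00:00", "url": "https://www.apple.com/"},
    {"isodate": "2021-07-18 10:01:00", "url": "https://cdn.ioc-domain.invalid/x?id=1"},
    # Looks similar to an IOC but is a different host: must NOT match.
    {"isodate": "2021-07-18 10:02:00", "url": "https://notioc-domain.invalid/"},
]

# One simple comparison expression per indicator, which is how pegasus.stix2 is laid out.
PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):([a-z_-]+)\s*=\s*'([^']*)'\]$")


def parse_stix2_indicators(bundle):
    """Group indicator values by STIX object type, e.g. {'domain-name': {...}}."""
    iocs = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        match = PATTERN_RE.match(obj.get("pattern", "").strip())
        if not match:  # compound or unsupported patterns are ignored here
            continue
        ioc_type, _prop, value = match.groups()
        iocs.setdefault(ioc_type, set()).add(value.lower())
    return iocs


def url_matches(url, domains):
    """True if the URL's host is an IOC domain or a subdomain of one.
    Comparing on the parsed host avoids substring false positives."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def check_history(records, iocs):
    """Return the history records whose URL hits a domain-name indicator."""
    domains = iocs.get("domain-name", set())
    return [r for r in records if url_matches(r["url"], domains)]


def write_demo_checked_dir():
    """Create a checked/-style directory with constructed MVT-like output files."""
    out = tempfile.mkdtemp(prefix="checked_")
    hits = check_history(CONSTRUCTED_HISTORY, parse_stix2_indicators(CONSTRUCTED_BUNDLE))
    with open(os.path.join(out, "safari_history.json"), "w") as f:
        json.dump(CONSTRUCTED_HISTORY, f, indent=4)
    with open(os.path.join(out, "safari_history_detected.json"), "w") as f:
        json.dump(hits, f, indent=4)
    return out


def summarize_checked(checked_dir):
    """Count the records in every *_detected.json, keyed by MVT module name."""
    counts = {}
    for name in sorted(os.listdir(checked_dir)):
        if not name.endswith("_detected.json"):
            continue
        with open(os.path.join(checked_dir, name)) as f:
            data = json.load(f)
        module = name[: -len("_detected.json")]
        counts[module] = len(data) if isinstance(data, list) else 1
    return counts


if __name__ == "__main__":
    iocs = parse_stix2_indicators(CONSTRUCTED_BUNDLE)
    for ioc_type, values in iocs.items():
        print(f"{ioc_type}: {len(values)} indicator(s)")
    for module, count in summarize_checked(write_demo_checked_dir()).items():
        print(f"{module}: {count} detection(s)")
```

Point the parser at ioc/pegasus.stix2 (json.load on the file, then parse_stix2_indicators) to list what MVT will look for, and summarize_checked at the checked folder after step 14 to get a per-module count instead of reading ls -l output by eye.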

16. Exit the container
exit
17. Save the outputs

If you want to keep the files generated during the forensic procedure, back up the following folders. The backup and decrypted folders contain the device owner's full data, so store them on encrypted media and restrict who can read them:

  • backup containing the iOS backup
  • decrypted containing the decrypted backup
  • checked containing the results of MVT analysis