mvt-project / mvt

MVT (Mobile Verification Toolkit) helps with conducting forensics of mobile devices in order to find signs of a potential compromise.

Home Page: https://mvt.re

License: Other

mvt's Issues

advice: adb repo version in debian buster is too old for mvt

Hi, this is not an issue; it is advice for users running Debian Buster.

mvt was throwing me errors (on Debian Buster) that I couldn't debug, until I finally read that the adb error was due to the version, so I downloaded the latest version to successfully run the software

actual adb version:

Android Debug Bridge version 1.0.41
Version 31.0.2-7242960

thanks for this tool

Type Error "got an unexpected keyword argument 'prompt_required'"

Hi, I just cloned the repo and installed MVT v 1.0.11.
Sadly, I get the following error:

Traceback (most recent call last):
  File "/home/user/.local/bin/mvt-ios", line 5, in <module>
    from mvt.ios import cli
  File "/home/user/.local/lib/python3.8/site-packages/mvt/ios/__init__.py", line 6, in <module>
    from .cli import cli
  File "/home/user/.local/lib/python3.8/site-packages/mvt/ios/cli.py", line 53, in <module>
    def decrypt_backup(destination, password, key_file, backup_path):
  File "/usr/lib/python3/dist-packages/click/decorators.py", line 173, in decorator
    _param_memo(f, OptionClass(param_decls, **option_attrs))
  File "/home/user/.local/lib/python3.8/site-packages/mvt/common/options.py", line 23, in __init__
    super(MutuallyExclusiveOption, self).__init__(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/click/core.py", line 1547, in __init__
    Parameter.__init__(self, param_decls, type=type, **attrs)
TypeError: __init__() got an unexpected keyword argument 'prompt_required'

Has anyone got an idea how to fix that or how to get it running?

Tools for Analysis of APKs after download

Using mvt-android download-apks, a user is able to download the APKs on an android phone. However, the documentation does not point users to any useful tools to subsequently analyze the APKs once they have been downloaded.

  • Are there such tools available?
  • Are they integrated into MVT?
  • Are there any useful verified 3rd party tools?

Any information would be helpful.
The given instructions only indicate how to use VirusTotal, Koodous or "All Checks" while downloading, without specifying how to run those after downloading, or what All Checks include.

mvt-android cannot check-adb - Libusb_error_Timeout[-7]

Hi,

first and foremost great work.
I cloned the repo and did everything to install it properly. Debug mode is on and connected via USB. I executed the following command:

mvt-android check-adb

The end result is the following:

Could not receive data from first 950751bf (timeout 5000ms):LIBUSB_ERROR_TIMEOUT [-7].

There is nothing that should block it. I even checked if I can access my phone.
Any clues here?

Thanks in advance

check-adb throws error "The Android device does not seem to have a `su` binary. Cannot run this module."

Running the check-adb command fails because of missing su binary on the device.

$ mvt-android check-adb
11:06:01 INFO     [mvt.android.cli] Checking Android through adb bridge                       
         INFO     [mvt.android.modules.adb.chrome_history] Running module ChromeHistory...    
11:06:02 ERROR    [mvt.android.modules.adb.chrome_history] Error in running extraction from   
                  module ChromeHistory: The Android device does not seem to have a `su`       
                  binary. Cannot run this module.                                             
                  Traceback (most recent call last):                                          
                    File "/tmp/mvt/mvt/common/module.py", line 134, in run_module             
                      module.run()                                                            
                    File "/tmp/mvt/mvt/android/modules/adb/chrome_history.py", line 69, in run
                      self._adb_process_file(os.path.join("/", CHROME_HISTORY_PATH),          
                    File "/tmp/mvt/mvt/android/modules/adb/base.py", line 135, in             
                  _adb_process_file                                                           
                      self._adb_root_or_die()                                                 
                    File "/tmp/mvt/mvt/android/modules/adb/base.py", line 105, in             
                  _adb_root_or_die                                                            
                      raise Exception("The Android device does not seem to have a `su` binary.
                  Cannot run this module.")                                                   
                  Exception: The Android device does not seem to have a `su` binary. Cannot   
                  run this module.                                                            
         INFO     [mvt.android.modules.adb.sms] Running module SMS...                         
11:06:03 ERROR    [mvt.android.modules.adb.sms] The Android device does not seem to have a    
                  `su` binary. Cannot run this module.                                        
         INFO     [mvt.android.modules.adb.whatsapp] Running module Whatsapp...               
11:06:04 ERROR    [mvt.android.modules.adb.whatsapp] The Android device does not seem to have 
                  a `su` binary. Cannot run this module.                                      
         INFO     [mvt.android.modules.adb.processes] Running module Processes...             
         INFO     [mvt.android.modules.adb.processes] Extracted records on a total of 1       
                  processes                                                                   
         INFO     [mvt.android.modules.adb.dumpsys_batterystats] Running module               
                  DumpsysBatterystats...                                                      
11:06:05 INFO     [mvt.android.modules.adb.dumpsys_procstats] Running module                  
                  DumpsysProcstats...                                                         
11:06:06 INFO     [mvt.android.modules.adb.dumpsys_packages] Running module DumpsysPackages...
11:06:07 INFO     [mvt.android.modules.adb.packages] Running module Packages...               
11:06:21 INFO     [mvt.android.modules.adb.packages] Extracted at total of 256 installed      
                  package names                                                               
         INFO     [mvt.android.modules.adb.rootbinaries] Running module RootBinaries...       

DatabaseError on mvt-ios decrypt-backup

Command

I am running the following command:
mvt-ios decrypt-backup -p {password-placeholder} -d ./mvt-backup ~/Library/Application\ Support/MobileSync/Backup/{device-id}

Error log

The command above fails and produces the log below

Traceback (most recent call last):
  File "/usr/local/bin/mvt-ios", line 8, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1137, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1062, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1668, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.9/site-packages/click/core.py", line 763, in invoke
    return __callback(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/mvt/ios/cli.py", line 56, in decrypt_backup
    backup.decrypt_with_password(password)
  File "/usr/local/lib/python3.9/site-packages/mvt/ios/decrypt.py", line 83, in decrypt_with_password
    self._process_backup()
  File "/usr/local/lib/python3.9/site-packages/mvt/ios/decrypt.py", line 36, in _process_backup
    for item in self._backup.getBackupFilesList():
  File "/usr/local/lib/python3.9/site-packages/iOSbackup/__init__.py", line 399, in getBackupFilesList
    backupFiles = catalog.cursor().execute(f"SELECT * FROM Files ORDER BY domain,relativePath").fetchall()
sqlite3.DatabaseError: file is not a database

Error in extraction: unable to open database file

mvt-ios check-backup on a new backup created with idevicebackup2 backup --full and decrypted with mvt-ios decrypt-backup returns the following error:

INFO [mvt.ios.cli] Checking iTunes backup located at: ./decrypted
INFO [mvt.ios.modules.fs.safari_browserstate] Running module SafariBrowserState...
INFO [mvt.ios.modules.fs.safari_browserstate] Found Safari browser state database at path: ./decrypted/3a/3a47b0981ed7c10f3e2800aa66bac96a3b5db28e
ERROR [mvt.ios.modules.fs.safari_browserstate] Error in running extraction from module SafariBrowserState: unable to open database file
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/mvt/common/module.py", line 134, in run_module
    module.run()
  File "/usr/local/lib/python3.9/site-packages/mvt/ios/modules/fs/safari_browserstate.py", line 65, in run
    cur.execute("""SELECT
sqlite3.OperationalError: unable to open database file

Of course I tried the proposed solution with the .clone sqlite command.

Device is busy error

I am testing mvt on my laptop and I am getting the following error:

$ mvt-android download-apks --output ./download-apks --virustotal
18:07:38 CRITICAL [mvt.android.modules.adb.base] Device is busy, maybe run `adb kill-server` and try again.

I think adb is working ok, because afterwards I can run a complex command such as:

# see installed applications:
$ adb shell "pm list packages -u -3" | cut -f 2 -d ":" | sort > installed-applications-$(date +%Y%m%d).info

and it works ok.

I've also tried

$ adb kill-server
$ adb devices
# make sure permissions are given so that adb can see the device

but I got the error again.

I am running this on Fedora Silverblue 34 with the latest platform-tools 31.0.2 provided from Google.
My phone is a Le eco le pro 3 (zl1) running Lineage OS 18.1 with Gapps and Magisk.

Error on running check-iocs: 'SYSDIAGNOSE_MODULES' is not defined

To reproduce run the command on an ios backup.

mvt-ios check-iocs --iocs iocs.stix2 ./bkp-folder

on line 175 of mvt/ios/cli.py I see BACKUP_MODULES + FS_MODULES + SYSDIAGNOSE_MODULES where the first two are imported from modules.fs and SYSDIAGNOSE_MODULES is not defined anywhere.

Android check-backup

My decrypted sms are in this path after abe.jar process from backup.ab to backup.tar, then extracted files get dumped to the below path.

C:\adb\backup\apps\com.android.providers.telephony\d_f

My error, check-backup is not seeing them. I did not use a password to backup, since it was not required.


[Android] Fix path to su binary

Path for su binary is hardcoded in _adb_check_if_root() (in the file android/modules/adb/base.py) as /sbin/su. It's not the only possible location of this binary. On my device running Android 11 rooted with Magisk the path is /system/bin/su. According to this StackOverflow answer you should check about 40 paths where su binary can be placed by different root providers, or find some other way to check the device is rooted.
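
One way to do what this issue asks, as an added example that is not MVT's own code: resolve su through the device's PATH, fall back to a list of known locations, then confirm root by running id through the binary found. The path list is a partial, assumed set (not the list from the linked answer), `shell` is a hypothetical callable that runs one command on the device and returns its output, and `FakeDevice` is a constructed stand-in so the block runs offline.

```python
import shlex
from typing import Callable, Iterable, Optional

# Assumption: a partial list of locations used by common root providers.
# It is not the list from the StackOverflow answer the issue refers to.
CANDIDATE_SU_PATHS = (
    "/sbin/su", "/system/bin/su", "/system/xbin/su", "/system/sbin/su",
    "/vendor/bin/su", "/su/bin/su", "/data/local/su", "/data/local/bin/su",
    "/data/local/xbin/su", "/system/bin/failsafe/su", "/system/sd/xbin/su",
)

MARKER = "SU_PROBE_OK"  # hypothetical marker echoed by the probe command
Shell = Callable[[str], str]  # runs a command on the device, returns stdout


def _is_executable(shell: Shell, path: str) -> bool:
    """True if `path` exists on the device and is executable by the shell user."""
    return MARKER in shell(f"[ -x {shlex.quote(path)} ] && echo {MARKER}")


def find_su(shell: Shell, extra_paths: Iterable[str] = ()) -> Optional[str]:
    """Return the path of a su binary, or None if none is found."""
    # 1. Let the device resolve su through its own PATH.
    resolved = shell("command -v su").strip()
    if (resolved.startswith("/") and len(resolved.split()) == 1
            and _is_executable(shell, resolved)):
        return resolved
    # 2. Fall back to probing known locations one by one.
    for path in (*CANDIDATE_SU_PATHS, *extra_paths):
        if _is_executable(shell, path):
            return path
    return None


def check_root(shell: Shell) -> dict:
    """Locate su and confirm that it really yields uid 0.

    A su binary on disk does not prove root is granted to the adb shell,
    so the result keeps the two facts separate. Timeouts for a pending
    root prompt are the responsibility of the `shell` callable.
    """
    su_path = find_su(shell)
    confirmed = False
    if su_path:
        confirmed = "uid=0" in shell(f"{shlex.quote(su_path)} -c id")
    return {"su_path": su_path, "root_confirmed": confirmed}


class FakeDevice:
    """Constructed stand-in for an adb shell; knows only the commands above."""

    def __init__(self, executables, path_dirs=("/system/bin",), grants_root=False):
        self.executables = set(executables)
        self.path_dirs = path_dirs
        self.grants_root = grants_root

    def __call__(self, command: str) -> str:
        if command == "command -v su":
            for directory in self.path_dirs:
                if f"{directory}/su" in self.executables:
                    return f"{directory}/su\n"
            return ""
        if command.startswith("[ -x "):
            path = shlex.split(command)[2]
            return f"{MARKER}\n" if path in self.executables else ""
        if command.endswith(" -c id"):
            path = shlex.split(command)[0]
            if path in self.executables and self.grants_root:
                return "uid=0(root) gid=0(root)\n"
            return "Permission denied\n"
        return ""


if __name__ == "__main__":
    devices = {
        "magisk, su on PATH": FakeDevice({"/system/bin/su"}, grants_root=True),
        "legacy, su in /sbin": FakeDevice({"/sbin/su"}, grants_root=True),
        "su present, root denied": FakeDevice({"/system/xbin/su"}),
        "stock device": FakeDevice(set()),
    }
    for name, device in devices.items():
        print(f"{name}: {check_root(device)}")
```

Modules that need root can then skip cleanly when `root_confirmed` is false instead of raising on a missing `/sbin/su`.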

Decrypt-backup fails despite right password

Ubuntu 20.02 LTS - installed mvt from source. Enabled backup encryption and set password, took full backup. When I try to decrypt, it fails. If I change the password, it succeeds, so I know it's the right password.

mvt-ios decrypt-backup -p password -d ~/Documents/iphone/00008101-0002*************/ ~/Documents/iphone/output"

forensics@forensics:~/mvt$ mvt-ios decrypt-backup -p ******** -d ~/Documents/iphone/00008101-************/ ~/Documents/iphone/output
15:31:48 INFO     [mvt.ios.decrypt] Decrypting iOS backup at path              
                  /home/forensics/Documents/iphone/output with password        
         ERROR    [mvt.ios.decrypt] [Errno 2] No such file or directory:       
                  '/home/forensics/Documents/iphone/output/Manifest.plist'     
                  Traceback (most recent call last):                           
                    File "/home/forensics/.local/lib/python3.8/site-packages/mv
                  t/ios/decrypt.py", line 75, in decrypt_with_password         
                      self._backup =                                           
                  iOSbackup(udid=os.path.basename(self.backup_path),           
                    File "/home/forensics/.local/lib/python3.8/site-packages/iO
                  Sbackup/__init__.py", line 172, in __init__                  
                      self.loadManifest()                                      
                    File "/home/forensics/.local/lib/python3.8/site-packages/iO
                  Sbackup/__init__.py", line 1055, in loadManifest             
                      self.date=iOSbackup.convertTime(os.path.getmtime(manifest
                  File), since2001=False)                                      
                    File "/usr/lib/python3.8/genericpath.py", line 55, in      
                  getmtime                                                     
                      return os.stat(filename).st_mtime                        
                  FileNotFoundError: [Errno 2] No such file or directory:      
                  '/home/forensics/Documents/iphone/output/Manifest.plist'     
         CRITICAL [mvt.ios.decrypt] Failed to decrypt backup. Did you provide  
                  the correct password? 

Make a windows version please

Most people use windows as their main OS and find linux confusing. If you want the most people possible to check their devices for this stuff you need a tool that works on the operating system they use.

mvt-android command not recognized after installation

I was just curious to check this out since I was reading about the Pegasus story just yesterday.

I did enable developer mode and went through the different steps, though it seems that even after installing mvt with Python it doesn't give access to mvt-android nor mvt-ios.
It doesn't seem to detect it or to recognize the commands (I have a backup of Android to analyze).
"'mvt' n’est pas reconnu en tant que commande interne
ou externe, un programme exécutable ou un fichier de commandes."

I may have forgotten something but I don't see what...
Feel free to answer.

Some apks fail to download

When running mvt-android download-apks --output /path/to/folder --all-checks I get this output on some apks (all the juicy preinstalled system ones) :

         ERROR    [mvt.android.download_apks] Failed to pull package file from                
                  /vendor/app/CACertService/CACertService.apk: Unable to download file        
                  /vendor/app/CACertService/CACertService.apk: Command failed: open failed:   
                  Permission denied                                                           
                  Traceback (most recent call last):                                          
                    File "/tmp/mvt/mvt/android/modules/adb/base.py", line 121, in             
                  _adb_download                                                               
                      self.device.pull(remote_path, local_path, progress_callback)            
                    File "/run/user/1000/tmp.VgD6fU9ccG/lib/python3.8/site-packages/adb_shell/
                  adb_device.py", line 893, in pull                                           
                      self._pull(device_path, stream, progress_callback, adb_info,            
                  filesync_info)                                                              
                    File "/run/user/1000/tmp.VgD6fU9ccG/lib/python3.8/site-packages/adb_shell/
                  adb_device.py", line 918, in _pull                                          
                      for cmd_id, _, data in self._filesync_read_until([constants.DATA],      
                  [constants.DONE], adb_info, filesync_info):                                 
                    File "/run/user/1000/tmp.VgD6fU9ccG/lib/python3.8/site-packages/adb_shell/
                  adb_device.py", line 1381, in _filesync_read_until                          
                      cmd_id, header, data = self._filesync_read(expected_ids + finish_ids,   
                  adb_info, filesync_info)                                                    
                    File "/run/user/1000/tmp.VgD6fU9ccG/lib/python3.8/site-packages/adb_shell/
                  adb_device.py", line 1320, in _filesync_read                                
                      raise exceptions.AdbCommandFailureException('Command failed:            
                  {}'.format(reason))                                                         
                  adb_shell.exceptions.AdbCommandFailureException: Command failed: open       
                  failed: Permission denied                                                   
                                                                                              
                  During handling of the above exception, another exception occurred:         
                                                                                              
                  Traceback (most recent call last):                                          
                    File "/tmp/mvt/mvt/android/download_apks.py", line 138, in                
                  pull_package_file                                                           
                      self._adb_download(remote_path, local_path,                             
                    File "/tmp/mvt/mvt/android/modules/adb/base.py", line 123, in             
                  _adb_download                                                               
                      raise Exception(f"Unable to download file {remote_path}: {e}")          
                  Exception: Unable to download file                                          
                  /vendor/app/CACertService/CACertService.apk: Command failed: open failed:   
                  Permission denied                                                           

Grabbing dumps

This might be a dumb thing but I don't know how to do it.
How do I grab the dump from my iphone to be able to run mvt-ios properly?

Error with key

I have installed your program and adb and synced adb with my phone to generate a key so the device is enabled in adb. But I still get the following error:

eugene@ubuntu:~$ mvt-android download-apks --output /home/eugene/Downloads
Traceback (most recent call last):
  File "/home/eugene/.local/bin/mvt-android", line 8, in <module>
    sys.exit(cli())
  File "/usr/lib/python3/dist-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/usr/lib/python3/dist-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3/dist-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/lib/python3/dist-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/home/eugene/.local/lib/python3.8/site-packages/mvt/android/cli.py", line 62, in download_apks
    download.run()
  File "/home/eugene/.local/lib/python3.8/site-packages/mvt/android/download_apks.py", line 208, in run
    self._adb_connect()
  File "/home/eugene/.local/lib/python3.8/site-packages/mvt/android/modules/adb/base.py", line 53, in _adb_connect
    self._adb_check_keys()
  File "/home/eugene/.local/lib/python3.8/site-packages/mvt/android/modules/adb/base.py", line 45, in _adb_check_keys
    keygen(ADB_KEY_PATH)
  File "/home/eugene/.local/lib/python3.8/site-packages/adb_shell/auth/keygen.py", line 248, in keygen
    with open(filepath, 'wb') as private_key_file:
FileNotFoundError: [Errno 2] No such file or directory: '/home/eugene/.android/adbkey'

file not found

Hello, when I executed this command 'mvt-android download-apks --output apks', I got this error:
FileNotFoundError: [Errno 2] No such file or directory: '/home/username/.android/adbkey'

Do you know how to solve that bug?

[iOS] mvt-ios check-iocs returns "Error: Missing argument 'FOLDER'."

Hi,

mvt-ios check-backup --output /Users/user/Desktop/mvt_out /Users/user/Library/Application\ Support/MobileSync/Backup/<udid>

creates files in /Users/user/Desktop/mvt_out

chrome_favicon.json
chrome_history.json
contacts.json
datausage.json
id_status_cache.json
manifest.json
sms_attachments.json
sms.json
timeline.csv
whatsapp.json

mvt-ios check-iocs --iocs /Users/user/Desktop/mvt_out returns an error:

Usage: mvt-ios check-iocs [OPTIONS] FOLDER
Try 'mvt-ios check-iocs --help' for help.

Error: Missing argument 'FOLDER'.

mvt-ios check-iocs --help :

Usage: mvt-ios check-iocs [OPTIONS] FOLDER

  Compare stored JSON results to provided indicators

Options:
  -i, --iocs PATH     Path to indicators file  [required]
  -l, --list-modules  Print list of available modules and exit
  -m, --module TEXT   Name of a single module you would like to run instead of
                      all
  --help              Show this message and exit.

What am I doing wrong?

Check backup fails to produce output iOS 14 unencrypted backup

Ubuntu 20.04 Python 3.8.10

forensics@forensics-XPS-13-9365:~/mvt$ mvt-ios check-backup --output ~/Documents/iphone/output ~/Documents/iphone/00008020-001D54200101002E/
15:41:59 INFO     [mvt.ios.cli] Checking iTunes backup located at:             
                  /home/forensics/Documents/iphone/00008020-001D54200101002E/  
         INFO     [mvt.ios.modules.fs.safari_browserstate] Running module      
                  SafariBrowserState...                                        
         ERROR    [mvt.ios.modules.fs.safari_browserstate] There might be no   
                  data to extract by module SafariBrowserState: Unable to find 
                  the module's database file                                   
         INFO     [mvt.ios.modules.fs.safari_history] Running module           
                  SafariHistory...                                             
         ERROR    [mvt.ios.modules.fs.safari_history] There might be no data to
                  extract by module SafariHistory: Unable to find the module's 
                  database file                                                
         INFO     [mvt.ios.modules.fs.net_datausage] Running module            
                  Datausage...                                                 
         INFO     [mvt.ios.modules.fs.net_datausage] Found DataUsage database  
                  at path: /home/forensics/Documents/iphone/00008020-001D542001
                  01002E/0d/0d609c54856a9bb2d56729df1d68f2958a88426b           
         INFO     [mvt.ios.modules.fs.net_datausage] Extracted information on  
                  7133 processes                                               
15:42:00 INFO     [mvt.ios.modules.fs.sms] Running module SMS...               
         INFO     [mvt.ios.modules.fs.sms] Found SMS database at path: /home/fo
                  rensics/Documents/iphone/00008020-001D54200101002E/3d/3d0d7e5
                  fb2ce288813306e4d4636395e047a3d28                            
15:42:01 INFO     [mvt.ios.modules.fs.sms] Extracted a total of 745 SMS        
                  messages containing links                                    
         INFO     [mvt.ios.modules.fs.sms_attachments] Running module          
                  SMSAttachments...                                            
         INFO     [mvt.ios.modules.fs.sms_attachments] Found SMS database at   
                  path: /home/forensics/Documents/iphone/00008020-001D542001010
                  02E/3d/3d0d7e5fb2ce288813306e4d4636395e047a3d28              
         INFO     [mvt.ios.modules.fs.sms_attachments] Extracted a total of    
                  3483 SMS attachments                                         
         INFO     [mvt.ios.modules.fs.chrome_history] Running module           
                  ChromeHistory...                                             
         INFO     [mvt.ios.modules.fs.chrome_history] Found Chrome history     
                  database at path: /home/forensics/Documents/iphone/00008020-0
                  01D54200101002E/fa/faf971ce92c3ac508c018dce1bef2a8b8e9838f1  
         INFO     [mvt.ios.modules.fs.chrome_history] Extracted a total of 60  
                  history items                                                
         INFO     [mvt.ios.modules.fs.chrome_favicon] Running module           
                  ChromeFavicon...                                             
         INFO     [mvt.ios.modules.fs.chrome_favicon] Found Chrome favicon     
                  cache database at path: /home/forensics/Documents/iphone/0000
                  8020-001D54200101002E/55/55680ab883d0fdcffd94f959b1632e5fbbb1
                  8c5b                                                         
         INFO     [mvt.ios.modules.fs.chrome_favicon] Extracted a total of 42  
                  favicon records                                              
         INFO     [mvt.ios.modules.fs.webkit_session_resource_log] Running     
                  module WebkitSessionResourceLog...                           
Traceback (most recent call last):
  File "/home/forensics/.local/bin/mvt-ios", line 8, in <module>
    sys.exit(cli())
  File "/usr/lib/python3/dist-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/usr/lib/python3/dist-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3/dist-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/lib/python3/dist-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/home/forensics/.local/lib/python3.8/site-packages/mvt/ios/cli.py", line 102, in check_backup
    run_module(m)
  File "/home/forensics/.local/lib/python3.8/site-packages/mvt/common/module.py", line 146, in run_module
    module.check_indicators()
  File "/home/forensics/.local/lib/python3.8/site-packages/mvt/ios/modules/fs/webkit_session_resource_log.py", line 84, in check_indicators
    if self.indicators.check_domains(all_origins):
AttributeError: 'NoneType' object has no attribute 'check_domains'

Error: Missing argument 'BACKUP_PATH'.

I have copied my encrypted backup file from ~/library/Applicationsupport/mobilesync/Backup to the desktop.
Then I'm typing this command to decrypt the file: mvt-ios decrypt-backup -p PASSWORD -d ~/Desktop/Backup

and I'm getting this error:

Usage: mvt-ios decrypt-backup [OPTIONS] BACKUP_PATH
Try 'mvt-ios decrypt-backup --help' for help.

Error: Missing argument 'BACKUP_PATH'.

Path Error

I'm really struggling with this error; I cannot see anything wrong with the path I'm using (Mac Catalina, iPhone 8). I've substituted an underscore for the space in the Application Support directory as it does not like the space. Backup was made non-encrypted.

 mvt-ios check-backup --output /Users/myusername/Downloads/ /Users/myusername/Library/Application_Support/MobileSync/Backup/9991553689f396bfc931039407d593096102ff4b/

Error: Invalid value for 'BACKUP_PATH': Path '/Users/myusername/Library/Application_Support/MobileSync/Backup/9991553689f396bfc931039407d593096102ff4b/' does not exist.

Graphical interface for MVT

Do we need a GUI?
What problems would we try to solve with it?
What exactly would we want to see in such a GUI? Would it only be a graphical representation of the same outputs of the CLI, or, for example, a browsable view of the produced JSON results? Or something else entirely?

Your views and suggestions are very much welcome!

[Ubuntu] LIBUSB_ERROR_TIMEOUT [-7] error message

mvt-android download-apks --output /path/to/folder returns a CRITICAL error message:

CRITICAL [mvt.android.modules.adb.base] Could not receive data from    
                  first ########## (timeout 5000ms): LIBUSB_ERROR_TIMEOUT [-7]  

same error message with mvt-android check-adb command

Ubuntu 20.10

SMS Module: UnicodeEncodeError: 'charmap' codec can't encode characters in position 320-321: character maps to <undefined>

The SMS Module is erroring out for me. The backup was created with iTunes:

21:44:00 INFO     [mvt.ios.cli] Checking iTunes backup located at: **REDACTED**
         INFO     [mvt.ios.modules.fs.sms] Running module SMS...
         INFO     [mvt.ios.modules.fs.sms] Found SMS database at path: **REDACTED**
21:44:02 INFO     [mvt.ios.modules.fs.sms] Extracted a total of 1710 SMS messages containing links
Traceback (most recent call last):
  File "C:\Python39\Scripts\mvt-ios-script.py", line 33, in <module>
    sys.exit(load_entry_point('mvt==1.0.11', 'console_scripts', 'mvt-ios')())
  File "c:\python39\lib\site-packages\click\core.py", line 1137, in __call__
    return self.main(*args, **kwargs)
  File "c:\python39\lib\site-packages\click\core.py", line 1062, in main
    rv = self.invoke(ctx)
  File "c:\python39\lib\site-packages\click\core.py", line 1668, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "c:\python39\lib\site-packages\click\core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "c:\python39\lib\site-packages\click\core.py", line 763, in invoke
    return __callback(*args, **kwargs)
  File "c:\python39\lib\site-packages\mvt\ios\cli.py", line 108, in check_backup
    save_timeline(timeline, os.path.join(output, "timeline.csv"))
  File "c:\python39\lib\site-packages\mvt\common\module.py", line 167, in save_timeline
    csvoutput.writerow([
  File "c:\python39\lib\encodings\cp1252.py", line 19, in encode
    return codecs.charmap_encode(input,self.errors,encoding_table)[0]
UnicodeEncodeError: 'charmap' codec can't encode characters in position 320-321: character maps to <undefined>
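
The traceback above ends in cp1252.py, which is consistent with the timeline CSV being written through the Windows default text encoding. The following is an added example, not MVT's code: the function names and sample rows are constructed here. It reproduces the failure on any OS, then shows an explicit UTF-8 export and the backslashreplace handler for cases where a legacy encoding has to be kept.

```python
import csv
import io

# Constructed sample rows (not from the issue). The second message contains an
# emoji, which cp1252, the default text encoding on many Windows hosts, lacks.
SAMPLE_ROWS = [
    ["2021-07-19 21:44:00", "SMS", "sms_received", "see http://example.com/a"],
    ["2021-07-19 21:44:02", "SMS", "sms_received", "hi \U0001F600 http://example.com/b"],
]
HEADER = ["UTC Timestamp", "Plugin", "Event", "Description"]


def export_timeline(rows, encoding, errors="strict"):
    """Encode rows as CSV bytes; return (ok, payload_or_error_reason)."""
    raw = io.BytesIO()
    # newline="" is what the csv module expects from its output stream.
    text = io.TextIOWrapper(raw, encoding=encoding, errors=errors, newline="")
    writer = csv.writer(text, quoting=csv.QUOTE_ALL)
    try:
        writer.writerow(HEADER)
        writer.writerows(rows)
        text.flush()
    except UnicodeEncodeError as exc:
        # Same failure as in the issue: the codec has no mapping for the character.
        return False, f"{exc.encoding}: {exc.reason}"
    text.detach()  # keep the underlying buffer open for getvalue()
    return True, raw.getvalue()


def read_back(payload, encoding):
    """Parse exported bytes back into rows to confirm nothing was lost."""
    return list(csv.reader(io.StringIO(payload.decode(encoding), newline="")))


if __name__ == "__main__":
    # 1. Platform-default style encoding: export aborts, no timeline is produced.
    print(export_timeline(SAMPLE_ROWS, "cp1252"))
    # 2. Explicit UTF-8: every character in the evidence survives the round trip.
    ok, data = export_timeline(SAMPLE_ROWS, "utf-8")
    print(ok, read_back(data, "utf-8")[2][3])
    # 3. Legacy encoding required: escape instead of crashing or silently dropping.
    ok, data = export_timeline(SAMPLE_ROWS, "cp1252", errors="backslashreplace")
    print(ok, read_back(data, "cp1252")[2][3])
```

For forensic output, prefer an explicit encoding or an escaping error handler over `errors="ignore"` or `errors="replace"`, which would silently alter message content in the timeline.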

mvt-ios error in iOSbackup

When using mvt-ios decrypt-backup, an exception error arises, stopping the process:

Exception ignored in: <function iOSbackup.__del__ at 0x110652820>
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/iOSbackup/__init__.py", line 132, in __del__
    self.close()
  File "/usr/local/lib/python3.9/site-packages/iOSbackup/__init__.py", line 138, in close
    os.remove(self.manifestDB)
TypeError: remove: path should be string, bytes or os.PathLike, not NoneType

Wrong folder for command on Android

In the example shown in the documentation, the destination folder is sms for the command mvt-android check-backup --output sms . but it should instead be apps, so the correct command would be mvt-android check-backup --output apps .... Although you can always rename the folder if you want, in my opinion it is more appropriate to recommend the correct destination in the documentation.

As you can see after extracting my backup:

NameError: name 'SYSDIAGNOSE_MODULES' is not defined

Getting this error trying to use the STIX file from Amnesty. What am I doing wrong?

mvt-ios check-iocs --iocs /mnt/c/Users/bucks/Desktop/MVT/pegasus.stix2 /mnt/c/Users/bucks/Desktop/MVT/output

1st arg location of stix file
2nd arg directory for output

iTunes output JSON files are all in /mnt/c/Users/bucks/Desktop/MVT

Had to upgrade Rich logging

This is not an issue.

Not sure if 'requires' are wrong or if I mixed up between local and system python packages but I had to manually upgrade rich module from git.

The error you get if rich logging is too old is in cli.py (at the very start): "unexpected keyword argument 'log_time_format'"

alain@server2:~/dev/git.cloned/mvt/dev/mvt/2021-07-19$ mvt-android download-apks --output .
Traceback (most recent call last):
  File "/home1/alain/.local/bin/mvt-android", line 5, in <module>
    from mvt.android import cli
  File "/home1/alain/.local/lib/python3.8/site-packages/mvt/android/__init__.py", line 6, in <module>
    from .cli import cli
  File "/home1/alain/.local/lib/python3.8/site-packages/mvt/android/cli.py", line 24, in <module>
    RichHandler(show_path=False, log_time_format="%X")])
TypeError: __init__() got an unexpected keyword argument 'log_time_format'

Then during rich install.

Installing collected packages: rich
Attempting uninstall: rich
Found existing installation: rich 9.8.2
Uninstalling rich-9.8.2:
Successfully uninstalled rich-9.8.2
Successfully installed rich-10.6.0

How to fix "module 'mmap' has no attribute 'PROT_READ'" on Windows

I found an error message when I want to decrypt the encrypted iTunes backup:
ERROR [mvt.ios.decrypt] Failed to decrypt file XYZ/XYZ/XYZ: module 'mmap' has no attribute 'PROT_READ'
I experienced this error on a Windows machine. After some digging I found this relevant stackoverflow post:
https://stackoverflow.com/questions/13500434/loading-file-in-memory-using-python
After changes in the getFileEncryptedCopy function of the iOSbackup module, decryption works beautifully.

iOSbackup repo
From:

mappedInFile = mmap.mmap(inFile.fileno(), length=0, prot=mmap.PROT_READ)

To:

mappedInFile = mmap.mmap(inFile.fileno(), length=0, access=mmap.ACCESS_READ)

Hope I could help you with this information. 😃

Error in running extraction from module SMS: database disk image is malformed

Running mvt-ios check-backup on a backup newly created with idevicebackup2 backup --full and decrypted with mvt-ios decrypt-backup produced the following error:

         INFO     [mvt.ios.modules.fs.sms] Found SMS database at path: Backup/3d/3d0d7e5fb2ce288813306e4d4636395e047a3d28
         ERROR    [mvt.ios.modules.fs.sms] Error in running extraction from module SMS: database disk image is malformed
                  Traceback (most recent call last):
                    File "/usr/local/lib/python3.9/site-packages/mvt/common/module.py", line 134, in run_module
                      module.run()
                    File "/usr/local/lib/python3.9/site-packages/mvt/ios/modules/fs/sms.py", line 57, in run
                      cur.execute("""
                  sqlite3.DatabaseError: database disk image is malformed

Analysis on other payloads works as expected (calls, chrome_favicon etc.).
The device in question has a history that goes back to 2009, so perhaps this is caused by an older attachment format?
(idevicebackup2 1.3.1, mvt at 425d83e).

NotADirectoryError while check-backup

Hi,
It throws this:

○ → mvt-android check-backup --output apps/com.android.providers.telephony/d_f/000000_sms_backup .
14:21:10 INFO     [mvt.android.cli] Checking ADB backup located at: .                                                   
         INFO     [mvt.android.modules.backup.sms] Running module SMS...                                                
         INFO     [mvt.android.modules.backup.sms] Processing SMS backup file at                                        
                  ./apps/com.android.providers.telephony/d_f/000000_sms_backup                                          
         INFO     [mvt.android.modules.backup.sms] Extracted a total of 168 SMS messages containing links               
Traceback (most recent call last):
  File "/home/user/.local/bin/mvt-android", line 8, in <module>
    sys.exit(cli())
  File "/home/user/.local/lib/python3.9/site-packages/click/core.py", line 1137, in __call__
    return self.main(*args, **kwargs)
  File "/home/user/.local/lib/python3.9/site-packages/click/core.py", line 1062, in main
    rv = self.invoke(ctx)
  File "/home/user/.local/lib/python3.9/site-packages/click/core.py", line 1668, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/user/.local/lib/python3.9/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/user/.local/lib/python3.9/site-packages/click/core.py", line 763, in invoke
    return __callback(*args, **kwargs)
  File "/home/user/.local/lib/python3.9/site-packages/mvt/android/cli.py", line 156, in check_backup
    run_module(m)
  File "/home/user/.local/lib/python3.9/site-packages/mvt/common/module.py", line 155, in run_module
    module.save_to_json()
  File "/home/user/.local/lib/python3.9/site-packages/mvt/common/module.py", line 84, in save_to_json
    with open(results_json_path, "w") as handle:
NotADirectoryError: [Errno 20] Not a directory: 'apps/com.android.providers.telephony/d_f/000000_sms_backup/sms.json'

Also when I try to make the folder myself:

○ → mkdir apps/com.android.providers.telephony/d_f/000000_sms_backup
mkdir: no se puede crear el directorio «apps/com.android.providers.telephony/d_f/000000_sms_backup»: El fichero ya existe

(File already exists)
It's making the folder with same name of the file.

Update:
My bad.
I changed folders; output and source.
This helped to solve: #32 (comment)

mvt-ios decrypt backup issue with certain password.

Running on Big Sur, when executing mvt-ios decrypt-backup, Python errors are generated when specifying passwords ending with the 'bang' aka '!' character. Let me know if you want any screenshots etc. Thanks!

Error: mvt-android download-apks --output

Hello,

So I'm not a developer and I need some help trying to debug my phone. I currently have my Android in developer mode with USB debugging enabled. I downloaded Xcode and Homebrew on my MacBook Pro using the terminal and everything was fine until I tried to run the mvt-android code. When I try to run this code

mvt-android download-apks --output /path/to/folder

I just see "quote" in the terminal and I don't know what it's asking me to enter. I keep checking the folder that I created to store the APKs but nothing has been added to it.

What am I doing wrong?
