Mobile Verification Toolkit: Forensic analysis of Android and iOS devices to identify compromises
Mobile Verification Toolkit (MVT) is a set of utilities to simplify and automate the process of collecting forensic traces useful for identifying potential compromise of Android and iOS devices.
MVT supports the use of public indicators of compromise (IOCs) to scan mobile devices for potential traces of targeting or infection by known spyware campaigns. MVT is a forensic research tool for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command line tools. MVT is not intended for end-user self-assessment.
It was developed and published by the Amnesty International Security Lab in July 2021 as part of the Pegasus project, accompanied by a forensic technical methodology. It continues to be maintained by Amnesty International and other contributors.
Main Features of Mobile Verification Toolkit
MVT’s capabilities are continually evolving, but some of its key features include:
- Decrypt encrypted iOS backups.
- Process and analyze records from numerous iOS system databases, logs and scans.
- Extract installed apps from Android devices.
- Extract diagnostic information from Android devices via adb protocol.
- Compare the extracted records to a provided list of malicious indicators in STIX2 format.
- Generate JSON logs of extracted records and separate JSON logs of all detected malicious traces.
- Generate a unified chronological timeline of extracted records, as well as a timeline of all detected malicious traces.
The Mobile Verification Toolkit is available for download at GitHub. The developers do not want MVT to allow violations of the privacy of non-consenting individuals. To achieve this, MVT is published under its Licence.
