iPhone analysis for the Pegasus spyware

In this post I will show you how I analyzed my iPhone for the Pegasus spyware.
I’ll be using the iPhone 12 Pro Max and the MacBook Pro 16 and the macOS Monetery 12.1.

I’ll use the free open-source forensic software ‘Mobile Verification Toolkit’ from Amnesty International to check my iPhone.
This software also exist for Android.

First of all, we will first need to make a backup for our iPhone.
The software would also work on a running device, but it would need to be jailbroken.
The backup method doesn’t require that.
Your backup should be encrypted since that way it will contain much more data to analyze.

Your saved passwords
Wi-Fi settings
Website history
Health data
Call history

You can either use an existing backup or create one by connecting the iPhone to a computer.
In recent macOS versions, backups are created in the Finder (not iTunes).
You need to make sure the checkmark at ‘Encrypt local backup’ is set.

Once you’ve marked it, click on “Back Up Now”.
If you have a lot of data on your iPhone, it will take time.

I will use the “Homebrew” package manager for the installation.
MVT requires the package ‘git’, ‘python3’ and ‘libusb’ to run.

So we will install these using homebrew in a terminal window.

Once these are installed, clone the github repository using git.

git clone https://github.com/mvt-project/mvt.git

Navigate to the newly created folder mvt using cd command.
And install the cloned repository using python3 with pip3 install ..

When it finishes installing, we will be able to decrypt our backup using mvt-ios.

mvt-ios decrypt-backup -p ‘YourPassword’ -d <destination_decrypt> <path_to_our_backup>

And that will start the process.

Running the command might take a while and make sure there is enough space for the whole backup.

Once it’s done, it is recommended to remove the command history of Terminal with history -p command.
Because it now contains our backup password in clear text.
And you should also change it in Finder asap.