iPhone analysis for the Pegasus spyware

In this post I will show you how I analyzed my iPhone for the Pegasus spyware.
I’ll be using the iPhone 12 Pro Max and the MacBook Pro 16 and the macOS Monetery 12.1.

I’ll use the free open-source forensic software ‘Mobile Verification Toolkit’ from Amnesty International to check my iPhone.
This software also exist for Android.

First of all, we will first need to make a backup for our iPhone.
The software would also work on a running device, but it would need to be jailbroken.
The backup method doesn’t require that.
Your backup should be encrypted since that way it will contain much more data to analyze.

  • Your saved passwords
  • Wi-Fi settings
  • Website history
  • Health data
  • Call history

You can either use an existing backup or create one by connecting the iPhone to a computer.
In recent macOS versions, backups are created in the Finder (not iTunes).
You need to make sure the checkmark at ‘Encrypt local backup’ is set.

Encrypt local backup

Once you’ve marked it, click on “Back Up Now”.
If you have a lot of data on your iPhone, it will take time.

I will use the “Homebrew” package manager for the installation.
MVT requires the package ‘git’, ‘python3’ and ‘libusb’ to run.

So we will install these using homebrew in a terminal window.

brew install git python3 libusb

Once these are installed, clone the github repository using git.

git clone https://github.com/mvt-project/mvt.git

Navigate to the newly created folder mvt using cd command.
And install the cloned repository using python3 with pip3 install ..

cd mvt, pip3 install .

When it finishes installing, we will be able to decrypt our backup using mvt-ios.

mvt-ios decrypt-backup -p ‘YourPassword’ -d <destination_decrypt> <path_to_our_backup>

And that will start the process.

Running the command might take a while and make sure there is enough space for the whole backup.

Once it’s done, it is recommended to remove the command history of Terminal with history -p command.
Because it now contains our backup password in clear text.
And you should also change it in Finder asap.

Change password

At this point we have an unencrypted copy of the iPhone backup, ready to be analyzed.

Now we need to clone the repository investigations of Amnesty Tech.

git clone https://github.com/AmnestyTech/investigations.git

The final step is to check our backup using mvt-ios command.

mvt-ios check-backup -i investigations/2021-07-18_nso/pegasus.stix2 -o <output_destination> <path_to_our_decrypted_backup_folder>

And the process will begin.

It should also notify you if it found an infection.
Not all warnings are cause of concern.

Once the process is complete, it will create a csv file called timeline.


I will open the file using the Numbers app to read its contents.


This is my timeline file, it doesn’t look like I have an infection, but all the information here is really worth to see.

Hope you enjoyed going through this process with me.
Feel free to comment.

-Chai Geydarov

1 thought on “iPhone analysis for the Pegasus spyware”

Leave a Comment