Check iPhone for Pegasus

Hello,

We need to scan a client's iPhone for Pegasus. What is the quickest way to handle this?

You would probably want to look at Mobile Verification Toolkit (MVT) from Amnesty International:

mvt-project/mvt: MVT is a forensic tool to look for signs of infection in smartphone devices (github.com)

You can start by obtaining a file system dump or an iTunes backup—using the mobile forensics tool of your choice or even with something like libimobiledevice in a pinch.

For instance, here is how you can create an iTunes backup with libimobiledevice:

idevicebackup2 encryption on
idevicebackup2 backup --full /path/to/backup/

If you have an iTunes backup, you can run MVT against it as follows:

mvt-ios check-backup -i pegasus.stix2 -o <folder for JSON results> <backup path>

Similarly, you can run MVT against a file system dump as follows:

mvt-ios check-fs -i pegasus.stix2 -o <folder for JSON results> <path to filesystem dump>

Here are some more details regarding MVT usage:

Check a Backup with mvt-ios - Mobile Verification Toolkit

Check a Filesystem Dump with mvt-ios - Mobile Verification Toolkit

You can obtain the STIX2 file defining a list of malicious indicators from here:

investigations/2021-07-18_nso at master · AmnestyTech/investigations (github.com)

The above repo also contains raw lists of email addresses, files, domains, etc. that comprise the Pegasus indicators list. These can be used with mobile forensics tools independently of MVT if needed.

Good luck :smiley:

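To make the indicator step above concrete, here is an added example (not code from the thread, from MVT, or from Amnesty) showing how a STIX2 bundle shaped like pegasus.stix2 is parsed and how observed hostnames or URLs are matched against its domain-name indicators, including subdomain matches. The bundle and observations are constructed placeholders, and the single-comparison `pattern` shape is an assumption about the file.

```python
# Added example (not from the thread or MVT): parse a STIX2 bundle shaped like
# Amnesty's pegasus.stix2 (indicator objects with a single-comparison
# `pattern`) and check observed hosts/URLs against its domain-name IOCs.
import re
from collections import defaultdict
from urllib.parse import urlsplit

# One STIX comparison, e.g. [domain-name:value = 'example.test']
PATTERN_RE = re.compile(r"^\[(?P<type>[\w-]+):[\w.]+\s*=\s*'(?P<value>[^']*)'\]$")

def load_indicators(bundle: dict) -> dict:
    """Group indicator values by STIX observable type ('domain-name', ...)."""
    iocs = defaultdict(set)
    for obj in bundle.get("objects", []):
        m = PATTERN_RE.match(obj.get("pattern", "")) if obj.get("type") == "indicator" else None
        if m:
            iocs[m.group("type")].add(m.group("value").lower())
    return iocs

def hostname_of(item: str) -> str:
    """Host part of a URL, or the item itself when it is already a bare host."""
    return (urlsplit(item).hostname or "").lower() if "://" in item else item.split("/")[0].lower()

def check_domains(observed: list, iocs: dict) -> list:
    """Flag items whose hostname equals an IOC domain or is a subdomain of one."""
    hits = []
    for item in observed:
        host = hostname_of(item)
        for ioc in iocs.get("domain-name", ()):
            if host == ioc or host.endswith("." + ioc):
                hits.append((item, ioc))
                break
    return hits

# Constructed sample data; these are placeholders, not real Pegasus indicators.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "indicator", "pattern": "[domain-name:value = 'ioc-example.test']"},
    {"type": "indicator", "pattern": "[email-addr:value = 'sender@ioc-example.test']"},
    {"type": "malware", "name": "placeholder"},
]}
SAMPLE_OBSERVED = [
    "https://cdn.ioc-example.test/path",  # subdomain of an IOC -> hit
    "https://www.apple.com/",             # clean
    "notioc-example.test",                # shares a suffix but is not a subdomain -> clean
]

if __name__ == "__main__":
    for item, ioc in check_domains(SAMPLE_OBSERVED, load_indicators(SAMPLE_BUNDLE)):
        print(f"HIT {item} matched indicator {ioc}")
```

The same grouping by observable type gives you the email-addr, file and process indicators for use with other forensic tools, as the answer above mentions.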

I’ll also drop a link to Amnesty International’s Forensic Methodology Report re: catching NSO Group’s Pegasus in case it is helpful to anyone.


Super helpful summary thanks!