Pegasus is one of the most popular pieces of spyware. To investigate a device, we need to verify whether the following exploits may have been used. First, let’s get familiar with the tools and the background of the spyware.
Pre-requisites: Mobile Verification Toolkit (MVT), Android Debug Bridge (ADB)
Identifying a possible Pegasus infection on Android and iPhone may be a little complicated on a Windows platform. For this, we can use the MVT toolkit. According to their website, “Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.” Another important task is to enable the developer and debugging modes on the device before performing this.
pip3 install mvt
sudo apt install python3 python3-pip libusb-1.0-0 (dependencies on Linux)
The Trident exploit chain consists of three main CVEs; checking whether they have been exploited is how we detect the spyware.
2. Unzip it in C:/platform-tools
3. Connect your device and run the command “adb devices”; the device will ask you for permission. Once the permission is granted, the device is listed as shown below.
2. We will then need to convert the backed-up data into a readable format. To do this, we must download a jar file, “abe.jar”. This can be found here.
4. Use PowerShell to untar the backed-up file. I created a directory and used the command “tar -xzvf \path\to\backup.tar”.
6. We can see that an sms.json file has been created.
The file sms.json contains numerous links that have been sent via SMS. These links can be checked against various OSINT sources to verify whether they are malicious.
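One way to triage those links before looking them up, as an added example that is not part of the original post or of MVT: it groups every URL found in the message bodies by hostname and defangs it for safe pasting. The record keys "body", "address" and "isodate" and the sample messages are assumptions; adjust them to match your sms.json.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: sms.json is a JSON list of objects with "body", "address" and
# "isodate" keys. These names are not from the page; adjust to your file.
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

def extract_links(records):
    """Group every URL found in message bodies by lower-cased hostname."""
    by_host = defaultdict(list)
    for rec in records:
        body = rec.get("body") or ""          # body may be missing or null
        for raw in URL_RE.findall(body):
            url = raw.rstrip(".,;:!?)]}")     # drop sentence punctuation
            try:
                host = urlsplit(url).hostname or ""
            except ValueError:                # malformed authority, e.g. bad IPv6
                continue
            if host:
                by_host[host].append({"url": url,
                                      "sender": rec.get("address", "unknown"),
                                      "time": rec.get("isodate", "unknown")})
    return dict(by_host)

def defang(url):
    """Make a URL unclickable before pasting it into notes or a lookup form."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE).replace(".", "[.]")

def load_sms(path):
    """Read the sms.json produced by the backup check."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

# Constructed sample records, for illustration only.
SAMPLE = [
    {"address": "+10000000000", "isodate": "2021-07-20 10:15:00",
     "body": "Your parcel is waiting: https://Track.example.com/p?id=42."},
    {"address": "BANK", "isodate": "2021-07-21 08:00:00",
     "body": "Log in at http://track.example.com/login or http://pay.example.net/x"},
    {"address": "+10000000001", "isodate": "2021-07-22 09:30:00", "body": None},
]

if __name__ == "__main__":
    for host, hits in sorted(extract_links(SAMPLE).items()):
        print(f"{host} ({len(hits)} link(s))")
        for hit in hits:
            print("   ", hit["time"], hit["sender"], defang(hit["url"]))
```

To run it on real data, pass the result of load_sms on your sms.json to extract_links instead of SAMPLE.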
Finding malicious APKs
Take a backup and check for downloaded APK files.
Command used: mvt-android download-apks --output \path\to\backup\
A list of statistics regarding battery, packages and process stats will be extracted as shown below. The CVEs have been listed earlier in this document. They can be further used to identify useful information.
2. After downloading the libimobile tool, extract it to a convenient location. Open cmd with elevated privileges. Run the command “ideviceinfo.exe” to see the following information about the connected device.
5. I have also created a backup via iTunes. Once the backup is finished, the backup folder will appear in %USERPROFILE%\Apple\MobileSync\ or %USERPROFILE%\AppData\Roaming\Apple Computer\MobileSync\. The steps to back up an iPhone can be found here.
It is possible that the encryption led to no modules being run. However, since this was not fruitful, I decided to back up the device again. Only this time, I decided not to encrypt the backup. It is highly important to understand that encrypting the backup file is one of the most effective methods to avoid data tampering and should always be considered.
7. Performed a backup of another device without encryption.
9. JSON files are created in the output folder. It appears that the MVT modules have successfully extracted the required information.
Figure 23: IOCs module of MVT
According to the MVT project, “Any matches will be highlighted in the terminal output as well as saved in the output folder using a “_detected” suffix to the JSON file name.” So far, MVT has not detected any suspicious activity on this mobile device (iPhone).
Limitations of investigation
Although the research may have been conducted successfully, it would not be wise to overlook its limitations. Some of the limitations are:
Investigating non-rooted and non-jailbroken devices may involve steps that are illegal. Even where such steps are technically sound, ethical reasons may limit the research.
Authorization from the device or app owner will be needed. This may not always be feasible and may pause or even stop the investigation.
Manual analysis may affect the performance of investigations, as thousands of processes and hundreds of downloaded APKs are highly unlikely to be analyzed by hand.
Encryption and backup of devices must be conducted with the highest caution to prevent data tampering and compromise of the digital data gathering process (acquisition). Such tampering is, in turn, very likely to further contaminate the whole digital forensics process and investigation.