Mobile Verification Toolkit: Forensic analysis of Android and iOS devices to identify compromise

Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.

MVT supports using public indicators of compromise (IOCs) to scan mobile devices for potential traces of targeting or infection by known spyware campaigns. MVT is a forensic research tool intended for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command-line tools. MVT is not intended for end-user self-assessment.

It was developed and released by the Amnesty International Security Lab in July 2021 in the context of the Pegasus Project, along with a technical forensic methodology. It continues to be maintained by Amnesty International and other contributors.

Mobile Verification Toolkit key features

MVT’s capabilities are continuously evolving, but some of its key features include:

• Decrypt encrypted iOS backups.
• Process and parse records from numerous iOS system and apps databases, logs, and system analytics.
• Extract installed applications from Android devices.
• Extract diagnostic information from Android devices through the adb protocol.
• Compare extracted records to a provided list of malicious indicators in STIX2 format.
• Generate JSON logs of extracted records and separate JSON logs of all detected malicious traces.
• Generate a unified chronological timeline of extracted records, along with a timeline of all detected malicious traces.

Mobile Verification Toolkit is available for download on GitHub. The developers do not want MVT to enable privacy violations of non-consenting individuals. To achieve this, MVT is released under its license.