diff --git a/content/posts/knowledge/Mobile Verification Toolkit for Android and iOS.md b/content/posts/knowledge/Mobile Verification Toolkit for Android and iOS.md index 51637ce..838bacb 100644 --- a/content/posts/knowledge/Mobile Verification Toolkit for Android and iOS.md +++ b/content/posts/knowledge/Mobile Verification Toolkit for Android and iOS.md @@ -34,7 +34,7 @@ While an even more thorough scan can be performed by rooting Android and jailbre Regardless, it should be noted that Android devices currently provide far less diagnostic information that iOS/iPadOS devices and so `mvt` capabilities are correspondingly diminished. -Overall, it should be clear from the command line outputs if any known compromises are detected. Additional output details at conclusion will also then provided in the format of a timeline CSV and an assortment of JSON files. If any files ending with “_detected.json” are present, this implies your device shows evidence of past and/or present compromise using the currently available list indicators. +Overall, it should be clear from the command line outputs if any known compromises are detected. Additional output details at conclusion will also then provided in the format of a timeline CSV and an assortment of JSON files. If any files ending with “_detected.json” are present, this implies your device shows evidence of past and/or present compromise using the currently available list of known indicators. ## Privilege escalation from user error It should be recognised that [MVT's documentation](https://docs.mvt.re/en/latest/introduction) states that "MVT is not intended for end-user self-assessment". We believe this statement is far more than just a standard policy disclosure. 
@@ -47,11 +47,13 @@ Overall, the disclaimer is more than reasonable since on the balance of probabil Therefore we highlight a few strict requirements prior to using `mvt`. First ensure you have full control over the desktop/laptop used to conduct the scan, do not use shared or work computers. The desktop/laptop operating system must also be hardened as much as feasibly possible. -Next, for transferring internal mobile device content, ensure the data is only ever copied to encrypted storage media. Never under any situation use a unencrypted device to store and analyse the mobile device data since data recovery of ‘deleted’ files is very mature profession. +Next, for transferring internal mobile device content, ensure the data is only ever copied to encrypted storage media. Never under any situation use a unencrypted device to store and analyse the mobile device data since data recovery of ‘deleted’ files is very mature profession [[12](https://en.wikipedia.org/wiki/Data_recovery), [13](https://en.wikipedia.org/wiki/Data_erasure), [14](https://docs.bleachbit.org/doc/shred-files-and-wipe-disks.html)]. -For maximum privacy the author advises the use of [VeraCrypt](https://www.veracrypt.fr/en/Home.html) volumes as these enable robust cross-platform compatibility allowing the seamless construction of containers with pre-determined size using unmodified existing desktop OS installations. Additionally, while there are countless alternatives methods to securely store data such as other disk encryption software or even the use of RAM disks, we ultimately leave this decision to the reader. 
Regarding the default recommendation of VeraCrypt, there exists substantial evidence from very experienced and well-established practitioners [[1](https://blog.elcomsoft.com/2020/01/a-comprehensive-guide-on-securing-your-system-archives-and-documents/), [2](https://blog.elcomsoft.com/2020/03/breaking-veracrypt-containers/), [3](https://blog.elcomsoft.com/2021/06/breaking-veracrypt-obtaining-and-extracting-on-the-fly-encryption-keys/)] detailing its strengths (despite some theoretical limitations discussed across various online forum threads). +For maximum privacy the author advises the use of [VeraCrypt](https://www.veracrypt.fr/en/Home.html) volumes as these enable robust cross-platform compatibility allowing the seamless construction of containers with pre-determined size using unmodified existing desktop OS installations. Additionally, while there are countless alternatives methods to securely store data such as other disk encryption software or even the use of RAM disks, we ultimately leave this decision to the reader. Regarding the recommendation of VeraCrypt, there exists substantial evidence from very experienced and well-established ([nation-state-sponsored](https://www.elcomsoft.com/company.html)) practitioners [[15](https://blog.elcomsoft.com/2020/01/a-comprehensive-guide-on-securing-your-system-archives-and-documents/), [16](https://blog.elcomsoft.com/2020/03/breaking-veracrypt-containers/), [17](https://blog.elcomsoft.com/2021/06/breaking-veracrypt-obtaining-and-extracting-on-the-fly-encryption-keys/)] detailing its strengths (despite some theoretical limitations discussed across various online forum threads). 
In short, the 75 possible unique combinations of [symmetric encryption algorithms](https://www.veracrypt.fr/en/Encryption%20Algorithms.html) and [hashing algorithms](https://www.veracrypt.fr/en/Hash%20Algorithms.html) (without any specifics being stored in the disk header), variable [PIM](https://www.veracrypt.fr/en/Personal%20Iterations%20Multiplier%20(PIM).html) selection, and also the ability to create [hidden volumes](https://www.veracrypt.fr/en/Hidden%20Volume.html) are only some of the reasons that make VeraCrypt a good default choice. -If using VeraCrypt, simply create a new volume prior to a scan and only use this volume for all `mvt` related data. For typical devices the required VeraCrypt volume size for `mvt` outputs depends on the length of history of the device, allocating 1GB should generally be more than sufficient for most cases involving Android devices. For iOS/iPadOS devices, since the entire contents of the devices must also be transferred, allocated volume size must be sufficiently greater than double the size of the all data stored on the mobile devices. Upon completion of the scans, you can transfer `mvt` outputs to other secure similarly storage media for logging purposes, then dismount and delete the VeraCrypt volume which will assist in preventing forensic data recovery. +If using VeraCrypt, simply create a new volume prior to a scan and only use this volume for all `mvt` related data. For typical devices the required VeraCrypt volume size for `mvt` outputs depends on the length of history of the device, allocating 1GB should generally be more than sufficient for most cases involving Android devices. For iOS/iPadOS devices, since the entire contents of the devices must also be transferred, allocated volume size must be sufficiently greater than double the size of the all data stored on the mobile devices. + +Upon completion of the scans, there are two paths one may take if no intrusions are detected. 
The first involves simply dismounting and deleting the VeraCrypt volume which will assist in preventing forensic data recovery. The second involves retaining `mvt` outputs and other desirable data and transferring them to other similarly secure storage media for logging purposes. In the unlikely event intrusions are detected, you should retain all associated evidence and (ideally) must cease using the device. To emphasise again, extreme care must be taken with the handling and storage of all `mvt` related data. Any leak of this data would be very dangerous as it provides extraordinary amounts of detail regarding the internal contents of the mobile device, the overwhelming of which is even impossible to access on-device. 
@@ -61,7 +63,7 @@ If you are using `mvt` purely due to a mixture of paranoia and curiosity, after While `mvt` is a very handy tool and periodic scans should be performed with a frequency proportional to your threat model, it is once again only a detection tool based on [known indicators](https://deploy-preview-86--privsec-dev.netlify.app/posts/knowledge/badness-enumeration/) of compromise. It is also reasonable to assume that once indicators are publicly exposed, sophisticated threat actors will take steps to modify their existing spyware and potentially even temporarily erase it from your device in order to avoid detection. This can be very clearly seen through the time-evolution of NSO Group’s Pegasus infrastructure ([Section 9.3](https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/)) where known malicious domains are quickly replaced. More recently there appears to be shift to using cloud service providers. -Therefore, as with “anti-virus” programs, `mvt` is simply a detection tool with no explicit preventive capabilities, but unlike them, `mvt` does not require extensive administrative permissions at runtime and can be used in a purely offline manner with no telemetry. +Therefore, as with “anti-virus” programs, `mvt` is simply a detection tool with no explicit preventive capabilities. Note that while `mvt` still require extensive administrative permissions at runtime for extracting data from both Android and iOS devices, the software can be used in a purely offline manner with zero built-in telemetry. ## Advanced extensions
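Review bot: In the first hunk (@@ -34,7) the grammar slip in the middle sentence is carried over unchanged into the `+` line: "Additional output details at conclusion will also then provided" is missing "be" and should read "will also then be provided in the form of a timeline CSV and an assortment of JSON files". Since the line is being touched anyway to change "list indicators" to "list of known indicators", fix both in this commit rather than leaving a known typo for a follow-up.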
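Review bot: In the second hunk (@@ -47,11) the new parenthetical "([nation-state-sponsored](https://www.elcomsoft.com/company.html)) practitioners" makes a strong claim about the cited vendor and backs it only with a link to that vendor's own company page, which is unlikely to state this; either cite a source that actually supports the characterisation or drop the parenthetical and keep the neutral "very experienced and well-established practitioners" wording from the `-` line. Two smaller points on the same hunk: the rewritten lines still carry "use a unencrypted device", "is very mature profession", "countless alternatives methods" and "the size of the all data", which should read "an unencrypted device", "is a very mature profession", "countless alternative methods" and "the size of all the data"; and because the existing citations are renumbered from [1]-[3] to [15]-[17] and new ones [12]-[14] are introduced, confirm that the reference list at the end of the post (not shown in this diff) has been renumbered to match so that no other in-text citation now points at the wrong entry.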
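Review bot: In the third hunk (@@ -61,7) the `+` line reverses the earlier statement ("does not require extensive administrative permissions at runtime") to "still require extensive administrative permissions at runtime for extracting data from both Android and iOS devices", but the first hunk's context still presents rooting and jailbreaking as an optional, more thorough mode of scanning, so the two passages now read as contradictory. Say which privileges are meant, i.e. whether this refers to elevated rights on the desktop/laptop running `mvt` (for USB access and backup extraction) or to root/jailbreak on the handset, so the reader can reconcile it with the earlier section. Also "`mvt` still require" should be "`mvt` still requires".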