New to Linux/Ubuntu and I'm using Hirsute Hippo 21.04. I want to use the Mobile Verification Toolkit.
These are the instructions I have:
Decrypting a backup
In case you have an encrypted backup, you will need to decrypt it first. This can be done with mvt-ios as well:
$ mvt-ios decrypt-backup
Usage: mvt-ios decrypt-backup [OPTIONS] BACKUP_PATH
Decrypt an encrypted iTunes backup
Options:
-d,
backup [required]
-p,
MVT_IOS_BACKUP_PASSWORD environment variable)
NOTE: This argument is mutually exclusive with
arguments: [key_file].
-k,
the backup NOTE: This argument is mutually exclusive
with arguments: [password].
You can specify the password in the environment variable MVT_IOS_BACKUP_PASSWORD, or via command-line argument, or you can pass a key file. You need to specify a destination path where the decrypted backup will be stored. If a password cannot be found and no key file is specified, MVT will ask for a password. Following is an example usage of decrypt-backup sending the password via an environment variable:
MVT_IOS_BACKUP_PASSWORD="mypassword" mvt-ios decrypt-backup -d /path/to/decrypted /path/to/backup
Run mvt-ios on a Backup
Once you have a decrypted backup available for analysis you can use the check-backup subcommand:
$ mvt-ios check-backup
Usage: mvt-ios check-backup [OPTIONS] BACKUP_PATH
Extract artifacts from an iTunes backup
Options:
-i,
-o,
results
-f,
-l,
-m,
all
Following is a basic usage of check-backup:
mvt-ios check-backup --output /path/to/output/ /path/to/backup/udid/
This command will create a few JSON files containing the results from the extraction. If you do not specify a --output option, mvt-ios will just process the data without storing results on disk.
Through the --iocs argument you can specify a STIX2 file defining a list of malicious indicators to check against the records extracted from the backup by mvt. Any matches will be highlighted in the terminal output as well as saved in the output folder using a "_detected" suffix to the JSON file name.
I'm having trouble running the decryption command in terminal.
I get the following:
a@a:~/Peg/mvt$ mvt-ios decrypt-backup -d ~/Peg/iPhonedecryp
Usage: mvt-ios decrypt-backup [OPTIONS] BACKUP_PATH
Try 'mvt-ios decrypt-backup --help' for help.
Error: Missing argument 'BACKUP_PATH'.
What am I doing incorrectly?
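The quoted usage line requires both a destination (-d) and a positional BACKUP_PATH. As an added example (not part of the original post and not MVT's own code), the wrapper below chains the two documented steps and checks the arguments before anything runs. The names mvt_decrypt_and_check and MVT_BIN are hypothetical, and passing the decrypted folder straight to check-backup is an assumption.

```shell
#!/bin/sh
# Added example; mvt_decrypt_and_check and MVT_BIN are hypothetical names,
# not part of MVT. Only the two mvt-ios invocations come from the docs above.

mvt_decrypt_and_check() {
    # Usage: mvt_decrypt_and_check BACKUP_PATH DECRYPTED_DIR OUTPUT_DIR
    if [ "$#" -ne 3 ]; then
        echo "usage: mvt_decrypt_and_check BACKUP_PATH DECRYPTED_DIR OUTPUT_DIR" >&2
        return 2
    fi
    backup=$1
    dest=$2
    out=$3

    # BACKUP_PATH is the per-device folder (/path/to/backup/udid/ in the docs).
    # iTunes backups keep a Manifest.plist at that level.
    if [ ! -f "$backup/Manifest.plist" ]; then
        echo "error: no Manifest.plist in $backup" >&2
        return 3
    fi

    (
        # Decrypted backups hold personal data: make new files owner-only.
        umask 077
        # No password on the command line. Per the docs, MVT reads
        # MVT_IOS_BACKUP_PASSWORD if it is set and otherwise asks for it.
        "${MVT_BIN:-mvt-ios}" decrypt-backup -d "$dest" "$backup" || exit 1
        # Assumption: the decrypted backup is written directly into $dest.
        "${MVT_BIN:-mvt-ios}" check-backup --output "$out" "$dest"
    )
}

# Run only when arguments are supplied, so the file can also be sourced.
[ "$#" -eq 0 ] || mvt_decrypt_and_check "$@"
```

Letting MVT prompt for the password keeps it out of shell history, which the inline MVT_IOS_BACKUP_PASSWORD="mypassword" form does not.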