New to Linux/Ubuntu and I'm using Hirsute Hippo 21.04. I want to use the Mobile Verification Toolkit.
These are the instructions I have:
Decrypting a backup
In case you have an encrypted backup, you will need to decrypt it first. This can be done with mvt-ios as well:
$ mvt-ios decrypt-backup --help
Usage: mvt-ios decrypt-backup [OPTIONS] BACKUP_PATH
Decrypt an encrypted iTunes backup
Options:
-d, --destination TEXT Path to the folder where to store the decrypted
backup [required]
-p, --password TEXT Password to use to decrypt the backup (or, set
MVT_IOS_BACKUP_PASSWORD environment variable)
NOTE: This argument is mutually exclusive with
arguments: [key_file].
-k, --key-file PATH File containing raw encryption key to use to decrypt
the backup NOTE: This argument is mutually exclusive
with arguments: [password].
--help Show this message and exit.
You can specify the password in the environment variable MVT_IOS_BACKUP_PASSWORD, or via command-line argument, or you can pass a key file. You need to specify a destination path where the decrypted backup will be stored. If a password cannot be found and no key file is specified, MVT will ask for a password. Following is an example usage of decrypt-backup sending the password via an environment variable:
MVT_IOS_BACKUP_PASSWORD="mypassword" mvt-ios decrypt-backup -d /path/to/decrypted /path/to/backup
Run mvt-ios on a Backup
Once you have a decrypted backup available for analysis you can use the check-backup subcommand:
$ mvt-ios check-backup --help
Usage: mvt-ios check-backup [OPTIONS] BACKUP_PATH
Extract artifacts from an iTunes backup
Options:
-i, --iocs PATH Path to indicators file
-o, --output PATH Specify a path to a folder where you want to store JSON
results
-f, --fast Avoid running time/resource consuming features
-l, --list-modules Print list of available modules and exit
-m, --module TEXT Name of a single module you would like to run instead of
all
--help Show this message and exit.
Following is a basic usage of check-backup:
mvt-ios check-backup --output /path/to/output/ /path/to/backup/udid/
This command will create a few JSON files containing the results from the extraction. If you do not specify a --output option, mvt-ios will just process the data without storing results on disk.
Through the --iocs argument you can specify a STIX2 file defining a list of malicious indicators to check against the records extracted from the backup by mvt. Any matches will be highlighted in the terminal output as well as saved in the output folder using a "_detected" suffix to the JSON file name.
I'm having trouble running the decryption command in terminal.
I get the following:
a@a:~/Peg/mvt$ mvt-ios decrypt-backup -d ~/Peg/iPhonedecryp
Usage: mvt-ios decrypt-backup [OPTIONS] BACKUP_PATH
Try 'mvt-ios decrypt-backup --help' for help.
Error: Missing argument 'BACKUP_PATH'.
What am I doing incorrectly?
