Bumped version

As discussed in #147

README.md

@@ -15,38 +15,20 @@ It has been developed and released by the [Amnesty International Security Lab](h
 
 ## Installation
 
-MVT can be installed from sources or conveniently using:
+MVT can be installed from sources or from [PyPi](https://pypi.org/project/mvt/) (you will need some dependencies, check the [documentation](https://docs.mvt.re/en/latest/install.html)):
 
 ```
 pip3 install mvt
 ```
 
-You will need some dependencies, so please check the [documentation](https://docs.mvt.re/en/latest/install.html).
-
 Alternatively, you can decide to run MVT and all relevant tools through a [Docker container](https://docs.mvt.re/en/latest/docker.html).
 
-**Please note:** [MVT does not currently support running natively on Windows.](https://docs.mvt.re/en/latest/install.html#mvt-on-windows)
+**Please note:** MVT is best run on Linux or Mac systems. [It does not currently support running natively on Windows.](https://docs.mvt.re/en/latest/install.html#mvt-on-windows)
 
 ## Usage
 
-MVT provides two commands `mvt-ios` and `mvt-android` with the following subcommands available:
-
-* `mvt-ios`:
-    * `check-backup`: Extract artifacts from an iTunes backup
-    * `check-fs`: Extract artifacts from a full filesystem dump
-    * `check-iocs`: Compare stored JSON results to provided indicators
-    * `decrypt-backup`:  Decrypt an encrypted iTunes backup
-    * `extract-key`: Extract decryption key from an iTunes backup
-* `mvt-android`:
-    * `check-backup`: Check an Android Backup
-    * `download-apks`: Download all or non-safelisted installed APKs
-
-Check out [the documentation to see how to use them](https://docs.mvt.re/).
+MVT provides two commands `mvt-ios` and `mvt-android`. [Check out the documentation to learn how to use them!](https://docs.mvt.re/).
 
 ## License
 
-The purpose of MVT is to facilitate the ***consensual forensic analysis*** of devices of those who might be targets of sophisticated mobile spyware attacks, especially members of civil society and marginalized communities. We do not want MVT to enable privacy violations of non-consenting individuals. Therefore, the goal of this license is to prohibit the use of MVT (and any other software licensed the same) for the purpose of *adversarial forensics*.
-
-In order to achieve this, MVT is released under an adaptation of [Mozilla Public License v2.0](https://www.mozilla.org/MPL). This modified license includes a new clause 3.0, "Consensual Use Restriction" which permits the use of the licensed software (and any *"Larger Work"* derived from it) exclusively with the explicit consent of the person/s whose data is being extracted and/or analysed (*"Data Owner"*).
-
-[Read the LICENSE](https://github.com/mvt-project/mvt/blob/main/LICENSE)
+The purpose of MVT is to facilitate the ***consensual forensic analysis*** of devices of those who might be targets of sophisticated mobile spyware attacks, especially members of civil society and marginalized communities. We do not want MVT to enable privacy violations of non-consenting individuals.  In order to achieve this, MVT is released under its own license. [Read more here.](https://docs.mvt.re/en/latest/license.html)

mvt/android/cli.py

@@ -28,7 +28,7 @@ log = logging.getLogger(__name__)
 
 # Help messages of repeating options.
 OUTPUT_HELP_MESSAGE = "Specify a path to a folder where you want to store JSON results"
-
+SERIAL_HELP_MESSAGE = "Specify a device serial number or HOST:PORT connection string"
 
 #==============================================================================
 # Main
@@ -42,6 +42,7 @@ def cli():
 # Download APKs
 #==============================================================================
 @cli.command("download-apks", help="Download all or non-safelisted installed APKs installed on the device")
+@click.option("--serial", "-s", type=str, help=SERIAL_HELP_MESSAGE)
 @click.option("--all-apks", "-a", is_flag=True,
               help="Extract all packages installed on the phone, even those marked as safe")
 @click.option("--virustotal", "-v", is_flag=True, help="Check packages on VirusTotal")
@@ -51,7 +52,7 @@ def cli():
               help="Specify a path to a folder where you want to store the APKs")
 @click.option("--from-file", "-f", type=click.Path(exists=True),
               help="Instead of acquiring from phone, load an existing packages.json file for lookups (mainly for debug purposes)")
-def download_apks(all_apks, virustotal, koodous, all_checks, output, from_file):
+def download_apks(all_apks, virustotal, koodous, all_checks, output, from_file, serial):
     try:
         if from_file:
             download = DownloadAPKs.from_json(from_file)
@@ -64,6 +65,8 @@ def download_apks(all_apks, virustotal, koodous, all_checks, output, from_file):
                     sys.exit(-1)
 
             download = DownloadAPKs(output_folder=output, all_apks=all_apks)
+            if serial:
+                download.serial = serial
             download.run()
 
         packages = download.packages
@@ -85,12 +88,13 @@ def download_apks(all_apks, virustotal, koodous, all_checks, output, from_file):
 # Checks through ADB
 #==============================================================================
 @cli.command("check-adb", help="Check an Android device over adb")
+@click.option("--serial", "-s", type=str, help=SERIAL_HELP_MESSAGE)
 @click.option("--iocs", "-i", type=click.Path(exists=True), help="Path to indicators file")
 @click.option("--output", "-o", type=click.Path(exists=False),
               help="Specify a path to a folder where you want to store JSON results")
 @click.option("--list-modules", "-l", is_flag=True, help="Print list of available modules and exit")
 @click.option("--module", "-m", help="Name of a single module you would like to run instead of all")
-def check_adb(iocs, output, list_modules, module):
+def check_adb(iocs, output, list_modules, module, serial):
     if list_modules:
         log.info("Following is the list of available check-adb modules:")
         for adb_module in ADB_MODULES:
@@ -119,6 +123,8 @@ def check_adb(iocs, output, list_modules, module):
             continue
 
         m = adb_module(output_folder=output, log=logging.getLogger(adb_module.__module__))
+        if serial:
+            m.serial = serial
 
         if iocs:
             indicators.log = m.log
@@ -138,10 +144,11 @@ def check_adb(iocs, output, list_modules, module):
 # Check ADB backup
 #==============================================================================
 @cli.command("check-backup", help="Check an Android Backup")
+@click.option("--serial", "-s", type=str, help=SERIAL_HELP_MESSAGE)
 @click.option("--iocs", "-i", type=click.Path(exists=True), help="Path to indicators file")
 @click.option("--output", "-o", type=click.Path(exists=False), help=OUTPUT_HELP_MESSAGE)
 @click.argument("BACKUP_PATH", type=click.Path(exists=True))
-def check_backup(iocs, output, backup_path):
+def check_backup(iocs, output, backup_path, serial):
     log.info("Checking ADB backup located at: %s", backup_path)
 
     if output and not os.path.exists(output):
@@ -168,6 +175,9 @@ def check_backup(iocs, output, backup_path):
         m = module(base_folder=backup_path, output_folder=output,
                    log=logging.getLogger(module.__module__))
 
+        if serial:
+            m.serial = serial
+
         if iocs:
             indicators.log = m.log
             m.indicators = indicators

mvt/android/modules/adb/base.py

@@ -11,13 +11,13 @@ import sys
 import tempfile
 import time
 
-from adb_shell.adb_device import AdbDeviceUsb
+from adb_shell.adb_device import AdbDeviceTcp, AdbDeviceUsb
 from adb_shell.auth.keygen import keygen, write_public_keyfile
 from adb_shell.auth.sign_pythonrsa import PythonRSASigner
 from adb_shell.exceptions import AdbCommandFailureException, DeviceAuthError
 from usb1 import USBErrorAccess, USBErrorBusy
 
-from mvt.common.module import MVTModule, InsufficientPrivileges
+from mvt.common.module import InsufficientPrivileges, MVTModule
 
 log = logging.getLogger(__name__)
 
@@ -29,17 +29,12 @@ class AndroidExtraction(MVTModule):
 
     def __init__(self, file_path=None, base_folder=None, output_folder=None,
                  fast_mode=False, log=None, results=[]):
-        """Initialize Android extraction module.
-        :param file_path: Path to the database file to parse
-        :param base_folder: Path to a base folder containing an Android dump
-        :param output_folder: Path to the folder where to store extraction
-                              results
-        """
         super().__init__(file_path=file_path, base_folder=base_folder,
                          output_folder=output_folder, fast_mode=fast_mode,
                          log=log, results=results)
 
         self.device = None
+        self.serial = None
 
     def _adb_check_keys(self):
         """Make sure Android adb keys exist.
@@ -59,7 +54,19 @@ class AndroidExtraction(MVTModule):
             priv_key = handle.read()
 
         signer = PythonRSASigner("", priv_key)
-        self.device = AdbDeviceUsb()
+
+        # If no serial was specified or if the serial does not seem to be
+        # a HOST:PORT definition, we use the USB transport.
+        if not self.serial or ":" not in self.serial:
+            self.device = AdbDeviceUsb(serial=self.serial)
+        # Otherwise we try to use the TCP transport.
+        else:
+            addr = self.serial.split(":")
+            if len(addr) < 2:
+                raise ValueError("TCP serial number must follow the format: `address:port`")
+
+            self.device = AdbDeviceTcp(addr[0], int(addr[1]),
+                                       default_transport_timeout_s=30.)
 
         while True:
             try:
@@ -105,7 +112,7 @@ class AndroidExtraction(MVTModule):
         """Check if we have a `su` binary, otherwise raise an Exception.
         """
         if not self._adb_check_if_root():
-            raise InsufficientPrivileges("The Android device does not seem to have a `su` binary. Cannot run this module.")
+            raise InsufficientPrivileges("This module is optionally available in case the device is already rooted. Do NOT root your own device!")
 
     def _adb_command_as_root(self, command):
         """Execute an adb shell command.

mvt/android/modules/adb/chrome_history.py

@@ -20,7 +20,7 @@ class ChromeHistory(AndroidExtraction):
     """This module extracts records from Android's Chrome browsing history."""
 
     def __init__(self, file_path=None, base_folder=None, output_folder=None,
-                 fast_mode=False, log=None, results=[]):
+                 serial=None, fast_mode=False, log=None, results=[]):
         super().__init__(file_path=file_path, base_folder=base_folder,
                          output_folder=output_folder, fast_mode=fast_mode,
                          log=log, results=results)

mvt/android/modules/adb/dumpsys_batterystats.py

@@ -14,7 +14,7 @@ class DumpsysBatterystats(AndroidExtraction):
     """This module extracts stats on battery consumption by processes."""
 
     def __init__(self, file_path=None, base_folder=None, output_folder=None,
-                 fast_mode=False, log=None, results=[]):
+                 serial=None, fast_mode=False, log=None, results=[]):
         super().__init__(file_path=file_path, base_folder=base_folder,
                          output_folder=output_folder, fast_mode=fast_mode,
                          log=log, results=results)

mvt/android/modules/adb/dumpsys_packages.py

@@ -14,7 +14,7 @@ class DumpsysPackages(AndroidExtraction):
     """This module extracts stats on installed packages."""
 
     def __init__(self, file_path=None, base_folder=None, output_folder=None,
-                 fast_mode=False, log=None, results=[]):
+                 serial=None, fast_mode=False, log=None, results=[]):
         super().__init__(file_path=file_path, base_folder=base_folder,
                          output_folder=output_folder, fast_mode=fast_mode,
                          log=log, results=results)

mvt/android/modules/adb/dumpsys_procstats.py

@@ -14,7 +14,7 @@ class DumpsysProcstats(AndroidExtraction):
     """This module extracts stats on memory consumption by processes."""
 
     def __init__(self, file_path=None, base_folder=None, output_folder=None,
-                 fast_mode=False, log=None, results=[]):
+                 serial=None, fast_mode=False, log=None, results=[]):
         super().__init__(file_path=file_path, base_folder=base_folder,
                          output_folder=output_folder, fast_mode=fast_mode,
                          log=log, results=results)

mvt/android/modules/adb/packages.py

@@ -16,7 +16,7 @@ class Packages(AndroidExtraction):
     """This module extracts the list of installed packages."""
 
     def __init__(self, file_path=None, base_folder=None, output_folder=None,
-                 fast_mode=False, log=None, results=[]):
+                 serial=None, fast_mode=False, log=None, results=[]):
         super().__init__(file_path=file_path, base_folder=base_folder,
                          output_folder=output_folder, fast_mode=fast_mode,
                          log=log, results=results)

mvt/android/modules/adb/processes.py

@@ -13,7 +13,7 @@ class Processes(AndroidExtraction):
     """This module extracts details on running processes."""
 
     def __init__(self, file_path=None, base_folder=None, output_folder=None,
-                 fast_mode=False, log=None, results=[]):
+                 serial=None, fast_mode=False, log=None, results=[]):
         super().__init__(file_path=file_path, base_folder=base_folder,
                          output_folder=output_folder, fast_mode=fast_mode,
                          log=log, results=results)
@@ -21,7 +21,7 @@ class Processes(AndroidExtraction):
     def run(self):
         self._adb_connect()
 
-        output = self._adb_command("ps")
+        output = self._adb_command("ps -e")
 
         for line in output.split("\n")[1:]:
             line = line.strip()

mvt/android/modules/adb/rootbinaries.py

@@ -16,7 +16,7 @@ class RootBinaries(AndroidExtraction):
     """This module extracts the list of installed packages."""
 
     def __init__(self, file_path=None, base_folder=None, output_folder=None,
-                 fast_mode=False, log=None, results=[]):
+                 serial=None, fast_mode=False, log=None, results=[]):
         super().__init__(file_path=file_path, base_folder=base_folder,
                          output_folder=output_folder, fast_mode=fast_mode,
                          log=log, results=results)

mvt/android/modules/adb/sms.py

@@ -43,7 +43,7 @@ class SMS(AndroidExtraction):
     """This module extracts all SMS messages containing links."""
 
     def __init__(self, file_path=None, base_folder=None, output_folder=None,
-                 fast_mode=False, log=None, results=[]):
+                 serial=None, fast_mode=False, log=None, results=[]):
         super().__init__(file_path=file_path, base_folder=base_folder,
                          output_folder=output_folder, fast_mode=fast_mode,
                          log=log, results=results)
@@ -102,15 +102,11 @@ class SMS(AndroidExtraction):
         log.info("Extracted a total of %d SMS messages containing links", len(self.results))
 
     def run(self):
-        # Checking the SMS database path
-        try:
-            if (self._adb_check_file_exists(os.path.join("/", SMS_BUGLE_PATH))):
-                self.SMS_DB_TYPE = 1
-                self._adb_process_file(os.path.join("/", SMS_BUGLE_PATH), self._parse_db)
-            elif (self._adb_check_file_exists(os.path.join("/", SMS_MMSSMS_PATH))):
-                self.SMS_DB_TYPE = 2
-                self._adb_process_file(os.path.join("/", SMS_MMSSMS_PATH), self._parse_db)
-            else:
-                self.log.error("No SMS database found")
-        except Exception as e:
-            self.log.error(e)
+        if (self._adb_check_file_exists(os.path.join("/", SMS_BUGLE_PATH))):
+            self.SMS_DB_TYPE = 1
+            self._adb_process_file(os.path.join("/", SMS_BUGLE_PATH), self._parse_db)
+        elif (self._adb_check_file_exists(os.path.join("/", SMS_MMSSMS_PATH))):
+            self.SMS_DB_TYPE = 2
+            self._adb_process_file(os.path.join("/", SMS_MMSSMS_PATH), self._parse_db)
+        else:
+            self.log.error("No SMS database found")

mvt/android/modules/adb/whatsapp.py

@@ -20,7 +20,7 @@ class Whatsapp(AndroidExtraction):
     """This module extracts all WhatsApp messages containing links."""
 
     def __init__(self, file_path=None, base_folder=None, output_folder=None,
-                 fast_mode=False, log=None, results=[]):
+                 serial=None, fast_mode=False, log=None, results=[]):
         super().__init__(file_path=file_path, base_folder=base_folder,
                          output_folder=output_folder, fast_mode=fast_mode,
                          log=log, results=results)
@@ -82,7 +82,4 @@ class Whatsapp(AndroidExtraction):
         self.results = messages
 
     def run(self):
-        try:
-            self._adb_process_file(os.path.join("/", WHATSAPP_PATH), self._parse_db)
-        except Exception as e:
-            self.log.error(e)
+        self._adb_process_file(os.path.join("/", WHATSAPP_PATH), self._parse_db)

mvt/common/module.py

@@ -154,7 +154,7 @@ def run_module(module):
         module.log.exception("The run() procedure of module %s was not implemented yet!",
                              module.__class__.__name__)
     except InsufficientPrivileges as e:
-        module.log.info("Insufficient privileges for module %s: %s", module.__class.__name__, e)
+        module.log.info("Insufficient privileges for module %s: %s", module.__class__.__name__, e)
     except DatabaseNotFoundError as e:
         module.log.info("There might be no data to extract by module %s: %s",
                         module.__class__.__name__, e)
@@ -168,7 +168,13 @@ def run_module(module):
         try:
             module.check_indicators()
         except NotImplementedError:
+            module.log.info("The %s module does not support checking for indicators",
+                            module.__class__.__name__)
             pass
+        else:
+            if module.indicators and not module.detected:
+                module.log.info("The %s module produced no detections!",
+                                module.__class__.__name__)
 
         try:
             module.to_timeline()

mvt/ios/cli.py

@@ -5,7 +5,6 @@
 
 import logging
 import os
-import sys
 import tarfile
 
 import click
@@ -53,28 +52,33 @@ def cli():
               help="File containing raw encryption key to use to decrypt the backup",
               mutually_exclusive=["password"])
 @click.argument("BACKUP_PATH", type=click.Path(exists=True))
-def decrypt_backup(destination, password, key_file, backup_path):
+@click.pass_context
+def decrypt_backup(ctx, destination, password, key_file, backup_path):
     backup = DecryptBackup(backup_path, destination)
 
     if key_file:
         if PASSWD_ENV in os.environ:
-            log.info(f"Ignoring {PASSWD_ENV} environment variable, using --key-file '{key_file}' instead")
+            log.info("Ignoring environment variable, using --key-file '%s' instead",
+                     PASSWD_ENV, key_file)
 
         backup.decrypt_with_key_file(key_file)
     elif password:
         log.info("Your password may be visible in the process table because it was supplied on the command line!")
 
         if PASSWD_ENV in os.environ:
-            log.info(f"Ignoring {PASSWD_ENV} environment variable, using --password argument instead")
+            log.info("Ignoring %s environment variable, using --password argument instead",
+                     PASSWD_ENV)
 
         backup.decrypt_with_password(password)
     elif PASSWD_ENV in os.environ:
-        log.info(f"Using password from {PASSWD_ENV} environment variable")
+        log.info("Using password from %s environment variable", PASSWD_ENV)
         backup.decrypt_with_password(os.environ[PASSWD_ENV])
     else:
         sekrit = Prompt.ask("Enter backup password", password=True)
         backup.decrypt_with_password(sekrit)
 
+    if not backup.can_process():
+        ctx.exit(1)
     backup.process_backup()
 
 
@@ -96,9 +100,10 @@ def extract_key(password, backup_path, key_file):
         log.info("Your password may be visible in the process table because it was supplied on the command line!")
 
         if PASSWD_ENV in os.environ:
-            log.info(f"Ignoring {PASSWD_ENV} environment variable, using --password argument instead")
+            log.info("Ignoring %s environment variable, using --password argument instead",
+                     PASSWD_ENV)
     elif PASSWD_ENV in os.environ:
-        log.info(f"Using password from {PASSWD_ENV} environment variable")
+        log.info("Using password from %s environment variable", PASSWD_ENV)
         password = os.environ[PASSWD_ENV]
     else:
         password = Prompt.ask("Enter backup password", password=True)
@@ -120,7 +125,8 @@ def extract_key(password, backup_path, key_file):
 @click.option("--list-modules", "-l", is_flag=True, help="Print list of available modules and exit")
 @click.option("--module", "-m", help="Name of a single module you would like to run instead of all")
 @click.argument("BACKUP_PATH", type=click.Path(exists=True))
-def check_backup(iocs, output, fast, backup_path, list_modules, module):
+@click.pass_context
+def check_backup(ctx, iocs, output, fast, backup_path, list_modules, module):
     if list_modules:
         log.info("Following is the list of available check-backup modules:")
         for backup_module in BACKUP_MODULES:
@@ -135,7 +141,7 @@ def check_backup(iocs, output, fast, backup_path, list_modules, module):
             os.makedirs(output)
         except Exception as e:
             log.critical("Unable to create output folder %s: %s", output, e)
-            sys.exit(-1)
+            ctx.exit(1)
 
     if iocs:
         # Pre-load indicators for performance reasons.
@@ -177,7 +183,8 @@ def check_backup(iocs, output, fast, backup_path, list_modules, module):
 @click.option("--list-modules", "-l", is_flag=True, help="Print list of available modules and exit")
 @click.option("--module", "-m", help="Name of a single module you would like to run instead of all")
 @click.argument("DUMP_PATH", type=click.Path(exists=True))
-def check_fs(iocs, output, fast, dump_path, list_modules, module):
+@click.pass_context
+def check_fs(ctx, iocs, output, fast, dump_path, list_modules, module):
     if list_modules:
         log.info("Following is the list of available check-fs modules:")
         for fs_module in FS_MODULES:
@@ -192,7 +199,7 @@ def check_fs(iocs, output, fast, dump_path, list_modules, module):
             os.makedirs(output)
         except Exception as e:
             log.critical("Unable to create output folder %s: %s", output, e)
-            sys.exit(-1)
+            ctx.exit(1)
 
     if iocs:
         # Pre-load indicators for performance reasons.

mvt/ios/decrypt.py

@@ -4,6 +4,7 @@
 #   https://license.mvt.re/1.1/
 
 import binascii
+import glob
 import logging
 import os
 import shutil
@@ -28,6 +29,9 @@ class DecryptBackup:
         self._backup = None
         self._decryption_key = None
 
+    def can_process(self) -> bool:
+        return self._backup is not None
+        
     def process_backup(self):
         if not os.path.exists(self.dest_path):
             os.makedirs(self.dest_path)
@@ -73,6 +77,17 @@ class DecryptBackup:
         """
         log.info("Decrypting iOS backup at path %s with password", self.backup_path)
 
+        if not os.path.exists(os.path.join(self.backup_path, "Manifest.plist")):
+            possible = glob.glob(os.path.join(self.backup_path, "*", "Manifest.plist"))
+            if len(possible) == 1:
+                newpath = os.path.dirname(possible[0])
+                log.warning("No Manifest.plist in %s, using %s instead.",
+                            self.backup_path, newpath)
+                self.backup_path = newpath
+            elif len(possible) > 1:
+                log.critical("No Manifest.plist in %s, and %d Manifest.plist files in subdirs. Please choose one!",
+                             self.backup_path, len(possible))
+                return
         try:
             self._backup = iOSbackup(udid=os.path.basename(self.backup_path),
                                      cleartextpassword=password,
@@ -81,7 +96,8 @@ class DecryptBackup:
             if isinstance(e, KeyError) and len(e.args) > 0 and e.args[0] == b"KEY":
                 log.critical("Failed to decrypt backup. Password is probably wrong.")
             elif isinstance(e, FileNotFoundError) and os.path.basename(e.filename) == "Manifest.plist":
-                log.critical(f"Failed to find a valid backup at {self.backup_path}. Did you point to the right backup path?")
+                log.critical("Failed to find a valid backup at %s. Did you point to the right backup path?",
+                             self.backup_path)
             else:
                 log.exception(e)
                 log.critical("Failed to decrypt backup. Did you provide the correct password? Did you point to the right backup path?")

mvt/ios/modules/fs/base.py

@@ -17,9 +17,15 @@ from mvt.common.module import (DatabaseCorruptedError, DatabaseNotFoundError,
 class IOSExtraction(MVTModule):
     """This class provides a base for all iOS filesystem/backup extraction modules."""
 
-    is_backup = False
-    is_fs_dump = False
-    is_sysdiagnose = False
+    def __init__(self, file_path=None, base_folder=None, output_folder=None,
+                 fast_mode=False, log=None, results=[]):
+        super().__init__(file_path=file_path, base_folder=base_folder,
+                         output_folder=output_folder, fast_mode=fast_mode,
+                         log=log, results=results)
+
+        self.is_backup = False
+        self.is_fs_dump = False
+        self.is_sysdiagnose = False
 
     def _is_database_malformed(self, file_path):
         # Check if the database is malformed.

mvt/ios/modules/fs/net_base.py

@@ -15,6 +15,12 @@ from .base import IOSExtraction
 class NetBase(IOSExtraction):
     """This class provides a base for DataUsage and NetUsage extraction modules."""
 
+    def __init__(self, file_path=None, base_folder=None, output_folder=None,
+                 fast_mode=False, log=None, results=[]):
+        super().__init__(file_path=file_path, base_folder=base_folder,
+                         output_folder=output_folder, fast_mode=fast_mode,
+                         log=log, results=results)
+
     def _extract_net_data(self):
         conn = sqlite3.connect(self.file_path)
         cur = conn.cursor()
@@ -203,6 +209,15 @@ class NetBase(IOSExtraction):
         self.results = sorted(self.results, key=operator.itemgetter("first_isodate"))
 
     def check_indicators(self):
+        # Check for manipulated process records.
+        # TODO: Catching KeyError for live_isodate for retro-compatibility.
+        #       This is not very good.
+        try:
+            self.check_manipulated()
+            self.find_deleted()
+        except KeyError:
+            pass
+
         if not self.indicators:
             return
 
@@ -218,12 +233,3 @@ class NetBase(IOSExtraction):
 
             if self.indicators.check_process(proc_name):
                 self.detected.append(result)
-
-        # Check for manipulated process records.
-        # TODO: Catching KeyError for live_isodate for retro-compatibility.
-        #       This is not very good.
-        try:
-            self.check_manipulated()
-            self.find_deleted()
-        except KeyError:
-            pass

setup.py

@@ -8,7 +8,7 @@ import os
 from setuptools import find_packages, setup
 
 __package_name__ = "mvt"
-__version__ = "1.0.16"
+__version__ = "1.1.0"
 __description__ = "Mobile Verification Toolkit"
 
 this_directory = os.path.abspath(os.path.dirname(__file__))