Bumps version

* Added Documentation for Encrypted Iphone Backup with Finder on MacOS

* Added details on where to check the backups after completion and added screenshots for the process

* Added location of backups

.github/workflows/python-package.yml

@@ -27,6 +27,7 @@ jobs:
         python-version: ${{ matrix.python-version }}
     - name: Install dependencies
       run: |
+        python -m pip install --upgrade setuptools
         python -m pip install --upgrade pip
         python -m pip install flake8 pytest safety stix2 pytest-mock
         if [ -f requirements.txt ]; then pip install -r requirements.txt; fi

Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:20.04
+FROM ubuntu:22.04
 
 # Ref. https://github.com/mvt-project/mvt
 
@@ -7,13 +7,12 @@ LABEL vcs-url="https://github.com/mvt-project/mvt"
 LABEL description="MVT is a forensic tool to look for signs of infection in smartphone devices."
 
 ENV PIP_NO_CACHE_DIR=1
+ENV DEBIAN_FRONTEND=noninteractive
 
 # Fixing major OS dependencies
 # ----------------------------
 RUN apt update \
-  && apt install -y python3 python3-pip libusb-1.0-0-dev \
-  && apt install -y wget unzip\ 
-  && DEBIAN_FRONTEND=noninteractive apt-get -y install default-jre-headless \
+  && apt install -y python3 python3-pip libusb-1.0-0-dev wget unzip default-jre-headless adb \
 
 # Install build tools for libimobiledevice
 # ----------------------------------------
@@ -67,18 +66,9 @@ RUN mkdir /opt/abe \
 # Create alias for abe
   && echo 'alias abe="java -jar /opt/abe/abe.jar"' >> ~/.bashrc
 
-# Install Android Platform Tools 
-# ------------------------------ 
-
-RUN mkdir /opt/android \
-  && wget -q https://dl.google.com/android/repository/platform-tools-latest-linux.zip \
-  && unzip platform-tools-latest-linux.zip -d /opt/android \
-# Create alias for adb 
-  && echo 'alias adb="/opt/android/platform-tools/adb"' >> ~/.bashrc 
-
 # Generate adb key folder 
 # ------------------------------ 
-RUN mkdir /root/.android && /opt/android/platform-tools/adb keygen /root/.android/adbkey
+RUN mkdir /root/.android && adb keygen /root/.android/adbkey
 
 # Setup investigations environment
 # --------------------------------

docs/docker.md

@@ -1,4 +1,4 @@
-Using Docker simplifies having all the required dependencies and tools (including most recent versions of [libimobiledevice](https://libimobiledevice.org)) readily installed.
+Using Docker simplifies having all the required dependencies and tools (including most recent versions of [libimobiledevice](https://libimobiledevice.org)) readily installed. Note that this requires a Linux host, as Docker for Windows and Mac [doesn't support passing through USB devices](https://docs.docker.com/desktop/faqs/#can-i-pass-through-a-usb-device-to-a-container).
 
 Install Docker following the [official documentation](https://docs.docker.com/get-docker/).
 
@@ -10,11 +10,6 @@ cd mvt
 docker build -t mvt .
 ```
 
-Optionally, you may need to specify your platform to Docker in order to build successfully (Apple M1)
-```bash
-docker build --platform amd64 -t mvt .
-```
-
 Test if the image was created successfully:
 
 ```bash

docs/ios/backup/itunes.md

@@ -1,16 +1,41 @@
 # Backup with iTunes app
 
-It is possible to do an iPhone backup by using iTunes on Windows or macOS computers (in most recent versions of macOS, this feature is included in Finder).
+It is possible to do an iPhone backup by using iTunes on Windows or macOS computers (in most recent versions of macOS, this feature is included in Finder, see below).
 
 To do that:
 
-* Make sure iTunes is installed.
-* Connect your iPhone to your computer using a Lightning/USB cable.
-* Open the device in iTunes (or Finder on macOS).
-* If you want to have a more accurate detection, ensure that the encrypted backup option is activated and choose a secure password for the backup.
-* Start the backup and wait for it to finish (this may take up to 30 minutes).
+1. Make sure iTunes is installed.
+2. Connect your iPhone to your computer using a Lightning/USB cable.
+3. Open the device in iTunes (or Finder on macOS).
+4. If you want to have a more accurate detection, ensure that the encrypted backup option is activated and choose a secure password for the backup.
+5. Start the backup and wait for it to finish (this may take up to 30 minutes).
 
 ![](../../../img/macos-backup.jpg)
 _Source: [Apple Support](https://support.apple.com/en-us/HT211229)_
 
-* Once the backup is done, find its location and copy it to a place where it can be analyzed by MVT. On Windows, the backup can be stored either in `%USERPROFILE%\Apple\MobileSync\` or `%USERPROFILE%\AppData\Roaming\Apple Computer\MobileSync\`. On macOS, the backup is stored in `~/Library/Application Support/MobileSync/`.
+Once the backup is done, find its location and copy it to a place where it can be analyzed by MVT. On Windows, the backup can be stored either in `%USERPROFILE%\Apple\MobileSync\` or `%USERPROFILE%\AppData\Roaming\Apple Computer\MobileSync\`. On macOS, the backup is stored in `~/Library/Application Support/MobileSync/`.
+
+# Backup with Finder
+
+On more recent MacOS versions, this feature is included in Finder. To do a backup:
+
+1. Launch Finder on your Mac.
+2. Connect your iPhone to your Mac using a Lightning/USB cable.
+3. Select your device from the list of devices located at the bottom of the left side bar labeled "locations".
+4. In the General tab, select `Back up all the data on your iPhone to this Mac` from the options under the Backups section.
+5. Check the box that says `Encrypt local backup`. If it is your first time selecting this option, you may need to enter a password to encrypt the backup.
+
+![](../../../img/macos-backup2.png)
+_Source: [Apple Support](https://support.apple.com/en-us/HT211229)_
+
+6. Click `Back Up Now` to start the back-up process.
+7. The encrypted backup for your iPhone should now start. Once the process finishes, you can check the backup by opening `Finder`, clicking on the `General` tab, then click on `Manage Backups`. Now you should see a list of your backups like the image below:
+
+![](../../../img/macos-backups.png)
+_Source: [Apple Support](https://support.apple.com/en-us/HT211229)_
+
+If your backup has a lock next to it like in the image above, then the backup is encrypted. You should also see the date and time when the encrypted backup was created. The backup files are stored in `~/Library/Application Support/MobileSync/`.
+
+## Notes:
+
+- Remember to keep the backup encryption password that you created safe, since without it you will not be able to access/modify/decrypt the backup file.

docs/ios/backup/libimobiledevice.md

@@ -3,10 +3,10 @@
 If you have correctly [installed libimobiledevice](../install.md) you can easily generate an iTunes backup using the `idevicebackup2` tool included in the suite. First, you might want to ensure that backup encryption is enabled (**note: encrypted backup contain more data than unencrypted backups**):
 
 ```bash
-idevicebackup2 -i backup encryption on
+idevicebackup2 -i encryption on
 ```
 
-Note that if a backup password was previously set on this device, you might need to use the same or change it. You can try changing password using `idevicebackup2 -i backup changepw`, or by turning off encryption (`idevicebackup2 -i backup encryption off`) and turning it back on again.
+Note that if a backup password was previously set on this device, you might need to use the same or change it. You can try changing password using `idevicebackup2 -i changepw`, or by turning off encryption (`idevicebackup2 -i encryption off`) and turning it back on again.
 
 If you are not able to recover or change the password, you should try to disable encryption and obtain an unencrypted backup.
 

mvt/__init__.py

@@ -1,4 +1,4 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

mvt/android/__init__.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/cli.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -11,11 +11,13 @@ from rich.logging import RichHandler
 from mvt.common.cmd_check_iocs import CmdCheckIOCS
 from mvt.common.help import (HELP_MSG_FAST, HELP_MSG_IOC,
                              HELP_MSG_LIST_MODULES, HELP_MSG_MODULE,
-                             HELP_MSG_OUTPUT, HELP_MSG_SERIAL)
+                             HELP_MSG_OUTPUT, HELP_MSG_SERIAL,
+                             HELP_MSG_HASHES)
 from mvt.common.logo import logo
 from mvt.common.updates import IndicatorsUpdates
 
 from .cmd_check_adb import CmdAndroidCheckADB
+from .cmd_check_androidqf import CmdAndroidCheckAndroidQF
 from .cmd_check_backup import CmdAndroidCheckBackup
 from .cmd_check_bugreport import CmdAndroidCheckBugreport
 from .cmd_download_apks import DownloadAPKs
@@ -29,6 +31,7 @@ LOG_FORMAT = "[%(name)s] %(message)s"
 logging.basicConfig(level="INFO", format=LOG_FORMAT, handlers=[
     RichHandler(show_path=False, log_time_format="%X")])
 log = logging.getLogger(__name__)
+CONTEXT_SETTINGS = dict(help_option_names=['-h', '--help'])
 
 
 #==============================================================================
@@ -50,7 +53,8 @@ def version():
 #==============================================================================
 # Command: download-apks
 #==============================================================================
-@cli.command("download-apks", help="Download all or only non-system installed APKs")
+@cli.command("download-apks", help="Download all or only non-system installed APKs",
+             context_settings=CONTEXT_SETTINGS)
 @click.option("--serial", "-s", type=str, help=HELP_MSG_SERIAL)
 @click.option("--all-apks", "-a", is_flag=True,
               help="Extract all packages installed on the phone, including system packages")
@@ -99,7 +103,8 @@ def download_apks(ctx, all_apks, virustotal, output, from_file, serial):
 #==============================================================================
 # Command: check-adb
 #==============================================================================
-@cli.command("check-adb", help="Check an Android device over adb")
+@cli.command("check-adb", help="Check an Android device over adb",
+             context_settings=CONTEXT_SETTINGS)
 @click.option("--serial", "-s", type=str, help=HELP_MSG_SERIAL)
 @click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
               default=[], help=HELP_MSG_IOC)
@@ -121,15 +126,16 @@ def check_adb(ctx, serial, iocs, output, fast, list_modules, module):
 
     cmd.run()
 
-    if len(cmd.timeline_detected) > 0:
+    if cmd.detected_count > 0:
         log.warning("The analysis of the Android device produced %d detections!",
-                    len(cmd.timeline_detected))
+                    cmd.detected_count)
 
 
 #==============================================================================
 # Command: check-bugreport
 #==============================================================================
-@cli.command("check-bugreport", help="Check an Android Bug Report")
+@cli.command("check-bugreport", help="Check an Android Bug Report",
+             context_settings=CONTEXT_SETTINGS)
 @click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
               default=[], help=HELP_MSG_IOC)
 @click.option("--output", "-o", type=click.Path(exists=False),
@@ -139,9 +145,10 @@ def check_adb(ctx, serial, iocs, output, fast, list_modules, module):
 @click.argument("BUGREPORT_PATH", type=click.Path(exists=True))
 @click.pass_context
 def check_bugreport(ctx, iocs, output, list_modules, module, bugreport_path):
+    # Always generate hashes as bug reports are small.
     cmd = CmdAndroidCheckBugreport(target_path=bugreport_path,
                                    results_path=output, ioc_files=iocs,
-                                   module_name=module)
+                                   module_name=module, hashes=True)
 
     if list_modules:
         cmd.list_modules()
@@ -151,15 +158,16 @@ def check_bugreport(ctx, iocs, output, list_modules, module, bugreport_path):
 
     cmd.run()
 
-    if len(cmd.timeline_detected) > 0:
+    if cmd.detected_count > 0:
         log.warning("The analysis of the Android bug report produced %d detections!",
-                    len(cmd.timeline_detected))
+                    cmd.detected_count)
 
 
 #==============================================================================
 # Command: check-backup
 #==============================================================================
-@cli.command("check-backup", help="Check an Android Backup")
+@cli.command("check-backup", help="Check an Android Backup",
+             context_settings=CONTEXT_SETTINGS)
 @click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
               default=[], help=HELP_MSG_IOC)
 @click.option("--output", "-o", type=click.Path(exists=False),
@@ -168,8 +176,9 @@ def check_bugreport(ctx, iocs, output, list_modules, module, bugreport_path):
 @click.argument("BACKUP_PATH", type=click.Path(exists=True))
 @click.pass_context
 def check_backup(ctx, iocs, output, list_modules, backup_path):
+    # Always generate hashes as backups are generally small.
     cmd = CmdAndroidCheckBackup(target_path=backup_path, results_path=output,
-                                ioc_files=iocs)
+                                ioc_files=iocs, hashes=True)
 
     if list_modules:
         cmd.list_modules()
@@ -179,15 +188,48 @@ def check_backup(ctx, iocs, output, list_modules, backup_path):
 
     cmd.run()
 
-    if len(cmd.timeline_detected) > 0:
+    if cmd.detected_count > 0:
         log.warning("The analysis of the Android backup produced %d detections!",
-                    len(cmd.timeline_detected))
+                    cmd.detected_count)
+
+
+#==============================================================================
+# Command: check-androidqf
+#==============================================================================
+@cli.command("check-androidqf", help="Check data collected with AndroidQF",
+             context_settings=CONTEXT_SETTINGS)
+@click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
+              default=[], help=HELP_MSG_IOC)
+@click.option("--output", "-o", type=click.Path(exists=False),
+              help=HELP_MSG_OUTPUT)
+@click.option("--list-modules", "-l", is_flag=True, help=HELP_MSG_LIST_MODULES)
+@click.option("--module", "-m", help=HELP_MSG_MODULE)
+@click.option("--hashes", "-H", is_flag=True, help=HELP_MSG_HASHES)
+@click.argument("ANDROIDQF_PATH", type=click.Path(exists=True))
+@click.pass_context
+def check_androidqf(ctx, iocs, output, list_modules, module, hashes, androidqf_path):
+    cmd = CmdAndroidCheckAndroidQF(target_path=androidqf_path,
+                                   results_path=output, ioc_files=iocs,
+                                   module_name=module, hashes=hashes)
+
+    if list_modules:
+        cmd.list_modules()
+        return
+
+    log.info("Checking AndroidQF acquisition at path: %s", androidqf_path)
+
+    cmd.run()
+
+    if cmd.detected_count > 0:
+        log.warning("The analysis of the AndroidQF acquisition produced %d detections!",
+                    cmd.detected_count)
 
 
 #==============================================================================
 # Command: check-iocs
 #==============================================================================
-@cli.command("check-iocs", help="Compare stored JSON results to provided indicators")
+@cli.command("check-iocs", help="Compare stored JSON results to provided indicators",
+             context_settings=CONTEXT_SETTINGS)
 @click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
               default=[], help=HELP_MSG_IOC)
 @click.option("--list-modules", "-l", is_flag=True, help=HELP_MSG_LIST_MODULES)
@@ -208,7 +250,8 @@ def check_iocs(ctx, iocs, list_modules, module, folder):
 #==============================================================================
 # Command: download-iocs
 #==============================================================================
-@cli.command("download-iocs", help="Download public STIX2 indicators")
+@cli.command("download-iocs", help="Download public STIX2 indicators",
+             context_settings=CONTEXT_SETTINGS)
 def download_indicators():
     ioc_updates = IndicatorsUpdates()
     ioc_updates.update()

mvt/android/cmd_check_adb.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/cmd_check_androidqf.py

@@ -0,0 +1,34 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import logging
+from typing import Optional
+
+from mvt.common.command import Command
+
+from .modules.androidqf import ANDROIDQF_MODULES
+
+log = logging.getLogger(__name__)
+
+
+class CmdAndroidCheckAndroidQF(Command):
+
+    def __init__(
+        self,
+        target_path: Optional[str] = None,
+        results_path: Optional[str] = None,
+        ioc_files: Optional[list] = None,
+        module_name: Optional[str] = None,
+        serial: Optional[str] = None,
+        fast_mode: Optional[bool] = False,
+        hashes: Optional[bool] = False,
+    ) -> None:
+        super().__init__(target_path=target_path, results_path=results_path,
+                         ioc_files=ioc_files, module_name=module_name,
+                         serial=serial, fast_mode=fast_mode, hashes=hashes,
+                         log=log)
+
+        self.name = "check-androidqf"
+        self.modules = ANDROIDQF_MODULES

mvt/android/cmd_check_backup.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -9,7 +9,7 @@ import os
 import sys
 import tarfile
 from pathlib import Path
-from typing import Callable, Optional
+from typing import Callable, Optional, List
 
 from rich.prompt import Prompt
 
@@ -17,6 +17,7 @@ from mvt.android.parsers.backup import (AndroidBackupParsingError,
                                         InvalidBackupPassword, parse_ab_header,
                                         parse_backup_file)
 from mvt.common.command import Command
+from mvt.android.modules.backup.base import BackupExtraction
 
 from .modules.backup import BACKUP_MODULES
 
@@ -33,19 +34,24 @@ class CmdAndroidCheckBackup(Command):
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         fast_mode: Optional[bool] = False,
+        hashes: Optional[bool] = False,
     ) -> None:
         super().__init__(target_path=target_path, results_path=results_path,
                          ioc_files=ioc_files, module_name=module_name,
-                         serial=serial, fast_mode=fast_mode, log=log)
+                         serial=serial, fast_mode=fast_mode, hashes=hashes,
+                         log=log)
 
         self.name = "check-backup"
         self.modules = BACKUP_MODULES
 
-        self.backup_type = None
-        self.backup_archive = None
-        self.backup_files = []
+        self.backup_type: str = ""
+        self.backup_archive: Optional[tarfile.TarFile] = None
+        self.backup_files: List[str] = []
 
     def init(self) -> None:
+        if not self.target_path:
+            return
+
         if os.path.isfile(self.target_path):
             self.backup_type = "ab"
             with open(self.target_path, "rb") as handle:
@@ -86,7 +92,7 @@ class CmdAndroidCheckBackup(Command):
                          "Android Backup (.ab) file")
             sys.exit(1)
 
-    def module_init(self, module: Callable) -> None:
+    def module_init(self, module: BackupExtraction) -> None:  # type: ignore[override]
         if self.backup_type == "folder":
             module.from_folder(self.target_path, self.backup_files)
         else:

mvt/android/cmd_check_bugreport.py

@@ -1,15 +1,16 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
 import os
 from pathlib import Path
-from typing import Callable, Optional
+from typing import Callable, Optional, List
 from zipfile import ZipFile
 
 from mvt.common.command import Command
+from mvt.android.modules.bugreport.base import BugReportModule
 
 from .modules.bugreport import BUGREPORT_MODULES
 
@@ -26,19 +27,24 @@ class CmdAndroidCheckBugreport(Command):
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         fast_mode: Optional[bool] = False,
+        hashes: Optional[bool] = False,
     ) -> None:
         super().__init__(target_path=target_path, results_path=results_path,
                          ioc_files=ioc_files, module_name=module_name,
-                         serial=serial, fast_mode=fast_mode, log=log)
+                         serial=serial, fast_mode=fast_mode, hashes=hashes,
+                         log=log)
 
         self.name = "check-bugreport"
         self.modules = BUGREPORT_MODULES
 
-        self.bugreport_format = None
-        self.bugreport_archive = None
-        self.bugreport_files = []
+        self.bugreport_format: str = ""
+        self.bugreport_archive: Optional[ZipFile] = None
+        self.bugreport_files: List[str] = []
 
     def init(self) -> None:
+        if not self.target_path:
+            return
+
         if os.path.isfile(self.target_path):
             self.bugreport_format = "zip"
             self.bugreport_archive = ZipFile(self.target_path)
@@ -53,8 +59,12 @@ class CmdAndroidCheckBugreport(Command):
                                                 parent_path)
                     self.bugreport_files.append(file_path)
 
-    def module_init(self, module: Callable) -> None:
+    def module_init(self, module: BugReportModule) -> None:  # type: ignore[override]
         if self.bugreport_format == "zip":
             module.from_zip(self.bugreport_archive, self.bugreport_files)
         else:
             module.from_folder(self.target_path, self.bugreport_files)
+
+    def finish(self) -> None:
+        if self.bugreport_archive:
+            self.bugreport_archive.close()

mvt/android/cmd_download_apks.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/__init__.py

@@ -1,4 +1,4 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

mvt/android/modules/adb/__init__.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/base.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -138,7 +138,8 @@ class AndroidExtraction(MVTModule):
         :returns: Boolean indicating whether a `su` binary is present or not
 
         """
-        return bool(self._adb_command("command -v su"))
+        result = self._adb_command("command -v su && su -c true")
+        return bool(result) and "Permission denied" not in result
 
     def _adb_root_or_die(self) -> None:
         """Check if we have a `su` binary, otherwise raise an Exception."""
@@ -272,7 +273,7 @@ class AndroidExtraction(MVTModule):
         self._adb_command(f"rm -f {new_remote_path}")
 
     def _generate_backup(self, package_name: str) -> bytes:
-        self.log.warning("Please check phone and accept Android backup prompt. "
+        self.log.info("Please check phone and accept Android backup prompt. "
                       "You may need to set a backup password. \a")
 
         # TODO: Base64 encoding as temporary fix to avoid byte-mangling over
@@ -300,7 +301,7 @@ class AndroidExtraction(MVTModule):
             except InvalidBackupPassword:
                 self.log.error("You provided the wrong password! Please try again...")
 
-        self.log.warn("All attempts to decrypt backup with password failed!")
+        self.log.error("All attempts to decrypt backup with password failed!")
 
         return None
 

mvt/android/modules/adb/chrome_history.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/dumpsys_accessibility.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/dumpsys_activities.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/dumpsys_appops.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/dumpsys_battery_daily.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/dumpsys_battery_history.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/dumpsys_dbinfo.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/dumpsys_full.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/dumpsys_receivers.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/files.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -84,8 +84,12 @@ class Files(AndroidExtraction):
             output = self._adb_command(cmd)
 
             for file_line in output.splitlines():
+                file_info = file_line.rstrip().split(" ", 5)
+                if len(file_line) < 6:
+                    self.log.info("Skipping invalid file info - %s", file_line.rstrip())
+                    continue
                 [unix_timestamp, mode, size,
-                 owner, group, full_path] = file_line.rstrip().split(" ", 5)
+                 owner, group, full_path] = file_info
                 mod_time = convert_unix_to_iso(unix_timestamp)
 
                 self.results.append({

mvt/android/modules/adb/getprop.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/logcat.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 

mvt/android/modules/adb/packages.py

@@ -1,10 +1,10 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
 import logging
-from typing import Optional, Union
+from typing import Optional, Union, List
 
 from rich.console import Console
 from rich.progress import track
@@ -39,7 +39,7 @@ DANGEROUS_PERMISSIONS = [
     "android.permission.USE_SIP",
     "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
 ]
-ROOT_PACKAGES = [
+ROOT_PACKAGES: List[str] = [
     "com.noshufou.android.su",
     "com.noshufou.android.su.elite",
     "eu.chainfire.supersu",
@@ -66,6 +66,23 @@ ROOT_PACKAGES = [
     "com.kingouser.com",
     "com.topjohnwu.magisk",
 ]
+SECURITY_PACKAGES = [
+    "com.policydm",
+    "com.samsung.android.app.omcagent",
+    "com.samsung.android.securitylogagent",
+    "com.sec.android.soagent",
+]
+SYSTEM_UPDATE_PACKAGES = [
+    "com.android.updater",
+    "com.google.android.gms",
+    "com.huawei.android.hwouc",
+    "com.lge.lgdmsclient",
+    "com.motorola.ccc.ota",
+    "com.oneplus.opbackup",
+    "com.oppo.ota",
+    "com.transsion.systemupdate",
+    "com.wssyncmldm",
+]
 
 
 class Packages(AndroidExtraction):
@@ -122,6 +139,14 @@ class Packages(AndroidExtraction):
                 self.detected.append(result)
                 continue
 
+            if result["package_name"] in SECURITY_PACKAGES and result["disabled"]:
+                self.log.warning("Found a security package disabled: \"%s\"",
+                                 result["package_name"])
+
+            if result["package_name"] in SYSTEM_UPDATE_PACKAGES and result["disabled"]:
+                self.log.warning("System OTA update package \"%s\" disabled on the phone",
+                                 result["package_name"])
+
             if not self.indicators:
                 continue
 
@@ -192,7 +217,6 @@ class Packages(AndroidExtraction):
 
     @staticmethod
     def parse_package_for_details(output: str) -> dict:
-        # Get only the package information
         lines = []
         in_packages = False
         for line in output.splitlines():

mvt/android/modules/adb/processes.py

@@ -1,5 +1,5 @@
 # Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Copyright (c) 2021-2023 Claudio Guarnieri.
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
@@ -30,7 +30,21 @@ class Processes(AndroidExtraction):
             return
 
         for result in self.results:
-            ioc = self.indicators.check_app_id(result.get("name", ""))
+            proc_name = result.get("proc_name", "")
+            if not proc_name:
+                continue
+
+            # Skipping this process because of false positives.
+            if result["proc_name"] == "gatekeeperd":
+                continue
+
+            ioc = self.indicators.check_app_id(proc_name)
+            if ioc:
+                result["matched_indicator"] = ioc
+                self.detected.append(result)
+                continue
+
+            ioc = self.indicators.check_process(proc_name)
             if ioc:
                 result["matched_indicator"] = ioc
                 self.detected.append(result)
@@ -38,7 +52,7 @@ class Processes(AndroidExtraction):
     def run(self) -> None:
         self._adb_connect()
 
-        output = self._adb_command("ps -e")
+        output = self._adb_command("ps -A")
 
         for line in output.splitlines()[1:]:
             line = line.strip()