- Remove timeline_detected and route to alertstore

- Add log_latest() call in root_binaries to log each alert
- Fix UnboundLocalError in cmd_check_androidqf by initializing bugreport variable
- Remove incorrect backup.close() call since load_backup() returns bytes
- Remove duplicate from_ab method in cmd_check_backup that was using old attributes

.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "pip" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"

.github/workflows/black.yml

@@ -1,11 +0,0 @@
-name: Black
-on: [push]
-
-jobs:
-  black:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: psf/black@stable
-        with:
-          options: "--check"

.github/workflows/mypy.yml

@@ -0,0 +1,23 @@
+name: Mypy
+on: workflow_dispatch
+
+jobs:
+  mypy_py3:
+    name: Mypy check
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.9
+          cache: 'pip'
+      - name: Checkout
+        uses: actions/checkout@master
+      - name: Install Dependencies
+        run: |
+          pip install mypy
+      - name: mypy
+        run: |
+          make mypy

.github/workflows/publish-release-docker.yml

@@ -0,0 +1,61 @@
+#
+name: Create and publish a Docker image
+
+# Configures this workflow to run every time a release is published.
+on:
+  workflow_dispatch:
+  release:
+    types: [published]
+
+# Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds.
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu.
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+      #
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
+      # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
+      # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)."
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+

.github/workflows/python-package.yml

@@ -1,52 +0,0 @@
-# This workflow will install Python dependencies, run tests and lint with a variety of Python versions
-# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
-
-name: CI
-
-on:
-  push:
-    branches: [ main ]
-  pull_request:
-    branches: [ main ]
-
-jobs:
-  build:
-
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        python-version: ['3.8', '3.9', '3.10']  # , '3.11']
-
-    steps:
-    - uses: actions/checkout@v3
-    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v4
-      with:
-        python-version: ${{ matrix.python-version }}
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade setuptools
-        python -m pip install --upgrade pip
-        python -m pip install flake8 pytest safety stix2 pytest-mock pytest-cov
-        if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
-        python -m pip install .
-    - name: Lint with flake8
-      run: |
-        # stop the build if there are Python syntax errors or undefined names
-        flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
-        # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
-        flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
-    - name: Safety checks
-      run: safety check
-    - name: Test with pytest and coverage
-      run: |
-        set -o pipefail
-        pytest --junitxml=pytest.xml --cov-report=term-missing:skip-covered --cov=mvt tests/ | tee pytest-coverage.txt
-    - name: Pytest coverage comment
-      continue-on-error: true # Workflows running on a fork can't post comments
-      uses: MishaKav/pytest-coverage-comment@main
-      if: github.event_name == 'pull_request'
-      with:
-        pytest-coverage-path: ./pytest-coverage.txt
-        junitxml-path: ./pytest.xml

.github/workflows/ruff.yml

@@ -4,16 +4,24 @@ on:
     branches: [ main ]
   pull_request:
     branches: [ main ]
+
 jobs:
   ruff_py3:
     name: Ruff syntax check
     runs-on: ubuntu-latest
+
     steps:
+      - uses: actions/checkout@v4
+      - name: Setup Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.9
+          cache: 'pip'
       - name: Checkout
         uses: actions/checkout@master
       - name: Install Dependencies
         run: |
-          pip install --user ruff
+          pip install ruff
       - name: ruff
         run: |
-          ruff check --output-format github .
+          make ruff

.github/workflows/scripts/update-ios-releases.py

@@ -54,7 +54,7 @@ def parse_latest_ios_versions(rss_feed_text):
 
 
 def update_mvt(mvt_checkout_path, latest_ios_versions):
-    version_path = os.path.join(mvt_checkout_path, "mvt/ios/data/ios_versions.json")
+    version_path = os.path.join(mvt_checkout_path, "src/mvt/ios/data/ios_versions.json")
     with open(version_path, "r") as version_file:
         current_versions = json.load(version_file)
 

.github/workflows/tests.yml

@@ -0,0 +1,38 @@
+name: Tests
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  build:
+    name: Run Python Tests
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ['3.10', '3.11', '3.12', '3.13']
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install Python dependencies
+        run: |
+          make install
+          make test-requirements
+      - name: Test with pytest
+        run: |
+          set -o pipefail
+          make test-ci | tee pytest-coverage.txt
+
+      - name: Pytest coverage comment
+        continue-on-error: true # Workflows running on a fork can't post comments
+        uses: MishaKav/pytest-coverage-comment@main
+        if: github.event_name == 'pull_request'
+        with:
+          pytest-coverage-path: ./pytest-coverage.txt
+          junitxml-path: ./pytest.xml

.github/workflows/update-ios-data.yml

@@ -21,6 +21,7 @@ jobs:
           title: '[auto] Update iOS releases and versions'
           commit-message: Add new iOS versions and build numbers
           branch: auto/add-new-ios-releases
+          draft: true
           body: |
             This is an automated pull request to update the iOS releases and version numbers.
           add-paths: |

.safety-policy.yml

@@ -6,4 +6,6 @@
 security: # configuration for the `safety check` command
     ignore-vulnerabilities: # Here you can list multiple specific vulnerabilities you want to ignore (optionally for a time period)
         67599: # Example vulnerability ID
+            reason: disputed, inapplicable
+        70612:
             reason: disputed, inapplicable

CONTRIBUTING.md

@@ -1,19 +1,65 @@
-# Contributing
+# Contributing to Mobile Verification Toolkit (MVT)
 
-Thank you for your interest in contributing to Mobile Verification Toolkit (MVT)! Your help is very much appreciated.
+We greatly appreciate contributions to MVT!
+
+Your involvement, whether through identifying issues, improving functionality, or enhancing documentation, is very much appreciated. To ensure smooth collaboration and a welcoming environment, we've outlined some key guidelines for contributing below.
+
+## Getting started
+
+Contributing to an open-source project like MVT might seem overwhelming at first, but we're here to support you!
+
+ Whether you're a technologist, a frontline human rights defender, a field researcher, or someone new to consensual spyware forensics, there are many ways to make meaningful contributions.
+
+ Here's how you can get started:
+
+1. **Explore the codebase:**
+    - Browse the repository to get familar with MVT. Many MVT modules are simple in functionality and easy to understand.
+    - Look for `TODO:` or `FIXME:` comments in the code for areas that need attention.
+
+2. **Check Github issues:**
+    - Look for issues tagged with ["help wanted"](https://github.com/mvt-project/mvt/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22) or ["good first issue"](https://github.com/mvt-project/mvt/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) to find tasks that are beginner-friendly or where input from the community would be helpful.
+
+3. **Ask for guidance:**
+
+    - If you're unsure where to start, feel free to open a [discussion](https://github.com/mvt-project/mvt/discussions) or comment on an issue.
+
+## How to contribute:
+
+1. **Report issues:**
+
+ - Found a bug? Please check existing issues to see if it's already reported. If not, open a new issue. Mobile operating systems and databases are constantly evolving, an new errors may appear spontaniously in new app versions.
+
+ **Please provide as much information as possible about the prodblem including: any error messages, steps to reproduce the problem, and any logs or screenshots that can help.**
 
 
-## Where to start
+2. **Suggest features:**
+    - If you have an idea for new functionality, create a feature request issue and describe your proposal.
 
-Starting to contribute to a somewhat complex project like MVT might seem intimidating. Unless you have specific ideas of new functionality you would like to submit, some good starting points are searching for `TODO:` and `FIXME:` comments throughout the code. Alternatively you can check if any GitHub issues existed marked with the ["help wanted"](https://github.com/mvt-project/mvt/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22) tag.
+3. **Submit code:**
+    - Fork the repository and create a new branch for your changes.
+    - Ensure your changes align with the code style guidelines (see below).
+    - Open a pull request (PR) with a clear description of your changes and link it to any relevant issues.
 
+4. **Documentation contributions:**
+    - Improving documentation is just as valuable as contributing code! If you notice gaps or inaccuracies in the documentation, feel free to submit changes or suggest updates.
 
 ## Code style
+Please follow these code style guidelines for consistency and readability:
 
-When contributing code to 
+- **Indentation**: use 4 spaces per tab.
+- **Quotes**: Use double quotes (`"`) by default. Use single quotes (`'`) for nested strings instead of escaping (`\"`), or when using f-formatting.
+- **Maximum line length**:
+    - Aim for lines no longer than 80 characters.
+    - Exceptions are allowed for long log lines or strings, which may extend up to 100 characters.
+    - Wrap lines that exceed 100 characters.
 
-- **Indentation**: we use 4-spaces tabs.
+Follow [PEP 8 guidelines](https://peps.python.org/pep-0008/) for indentation and overall Python code style. All MVT code is automatically linted with [Ruff](https://github.com/astral-sh/ruff) before merging.
 
-- **Quotes**: we use double quotes (`"`) as a default. Single quotes (`'`) can be favored with nested strings instead of escaping (`\"`), or when using f-formatting.
+Please check your code before opening a pull request by running `make ruff`
 
-- **Maximum line length**: we strongly encourage to respect a 80 characters long lines and to follow [PEP8 indentation guidelines](https://peps.python.org/pep-0008/#indentation) when having to wrap. However, if breaking at 80 is not possible or is detrimental to the readability of the code, exceptions are tolerated. For example, long log lines, or long strings can be extended to 100 characters long. Please hard wrap anything beyond 100 characters.
+
+## Community and support
+
+We aim to create a supportive and collaborative environment for all contributors. If you run into any challenges, feel free to reach out through the discussions or issues section of the repository.
+
+Your contributions, big or small, help improve MVT and are always appreciated.

Dockerfile

@@ -1,79 +1,158 @@
-FROM ubuntu:22.04
+# Base image for building libraries
+# ---------------------------------
+FROM ubuntu:22.04 as build-base
 
-# Ref. https://github.com/mvt-project/mvt
+ARG DEBIAN_FRONTEND=noninteractive
 
-LABEL url="https://mvt.re"
-LABEL vcs-url="https://github.com/mvt-project/mvt"
-LABEL description="MVT is a forensic tool to look for signs of infection in smartphone devices."
-
-ENV PIP_NO_CACHE_DIR=1
-ENV DEBIAN_FRONTEND=noninteractive
-
-# Fixing major OS dependencies
-# ----------------------------
-RUN apt update \
-  && apt install -y python3 python3-pip libusb-1.0-0-dev wget unzip default-jre-headless adb \
-
-# Install build tools for libimobiledevice
-# ----------------------------------------
+# Install build tools and dependencies
+RUN apt-get update \
+  && apt-get install -y \
   build-essential \
-  checkinstall \
   git \
   autoconf \
   automake \
   libtool-bin \
-  libplist-dev \
-  libusbmuxd-dev \
-  libssl-dev \
-  sqlite3 \
   pkg-config \
+  libcurl4-openssl-dev \
+  libusb-1.0-0-dev \
+  libssl-dev \
+  udev \
+  && rm -rf /var/lib/apt/lists/*
 
-# Clean up
+
+# libplist
 # --------
-  && apt-get clean \
-  && rm -rf /var/lib/apt/lists/* /var/cache/apt
+FROM build-base as build-libplist
+
+# Build
+RUN git clone https://github.com/libimobiledevice/libplist && cd libplist \
+  && ./autogen.sh && make -j "$(nproc)" && make install DESTDIR=/build \
+  && cd .. && rm -rf libplist
 
 
-# Build libimobiledevice
-# ----------------------
-RUN git clone https://github.com/libimobiledevice/libplist \
-  && git clone https://github.com/libimobiledevice/libimobiledevice-glue \
-  && git clone https://github.com/libimobiledevice/libusbmuxd \
-  && git clone https://github.com/libimobiledevice/libimobiledevice \
-  && git clone https://github.com/libimobiledevice/usbmuxd \
+# libimobiledevice-glue
+# ---------------------
+FROM build-base as build-libimobiledevice-glue
 
-  && cd libplist && ./autogen.sh && make && make install && ldconfig \
+# Install dependencies
+COPY --from=build-libplist /build /
 
-  && cd ../libimobiledevice-glue && PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./autogen.sh --prefix=/usr && make && make install && ldconfig \
+# Build
+RUN git clone https://github.com/libimobiledevice/libimobiledevice-glue && cd libimobiledevice-glue \
+  && ./autogen.sh && make -j "$(nproc)" && make install DESTDIR=/build \
+  && cd .. && rm -rf libimobiledevice-glue
 
-  && cd ../libusbmuxd && PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./autogen.sh && make && make install && ldconfig \
 
-  && cd ../libimobiledevice && PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./autogen.sh --enable-debug && make && make install && ldconfig \
+# libtatsu
+# --------
+FROM build-base as build-libtatsu
 
-  && cd ../usbmuxd && PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --runstatedir=/run && make && make install \
+# Install dependencies
+COPY --from=build-libplist /build /
 
-  # Clean up.
-  && cd .. && rm -rf libplist libimobiledevice-glue libusbmuxd libimobiledevice usbmuxd
+# Build
+RUN git clone https://github.com/libimobiledevice/libtatsu && cd libtatsu \
+  && ./autogen.sh && make -j "$(nproc)" && make install DESTDIR=/build \
+  && cd .. && rm -rf libtatsu
 
-# Installing MVT
-# --------------
-RUN pip3 install git+https://github.com/mvt-project/mvt.git@main
+
+# libusbmuxd
+# ----------
+FROM build-base as build-libusbmuxd
+
+# Install dependencies
+COPY --from=build-libplist /build /
+COPY --from=build-libimobiledevice-glue /build /
+
+# Build
+RUN git clone https://github.com/libimobiledevice/libusbmuxd && cd libusbmuxd \
+  && ./autogen.sh && make -j "$(nproc)" && make install DESTDIR=/build \
+  && cd .. && rm -rf libusbmuxd
+
+
+# libimobiledevice
+# ----------------
+FROM build-base as build-libimobiledevice
+
+# Install dependencies
+COPY --from=build-libplist /build /
+COPY --from=build-libtatsu /build /
+COPY --from=build-libimobiledevice-glue /build /
+COPY --from=build-libusbmuxd /build /
+
+# Build
+RUN git clone https://github.com/libimobiledevice/libimobiledevice && cd libimobiledevice \
+  && ./autogen.sh --enable-debug && make -j "$(nproc)" && make install DESTDIR=/build \
+  && cd .. && rm -rf libimobiledevice
+
+
+# usbmuxd
+# -------
+FROM build-base as build-usbmuxd
+
+# Install dependencies
+COPY --from=build-libplist /build /
+COPY --from=build-libimobiledevice-glue /build /
+COPY --from=build-libusbmuxd /build /
+COPY --from=build-libimobiledevice /build /
+
+# Build
+RUN git clone https://github.com/libimobiledevice/usbmuxd && cd usbmuxd \
+  && ./autogen.sh --sysconfdir=/etc --localstatedir=/var --runstatedir=/run && make -j "$(nproc)" && make install DESTDIR=/build \
+  && cd .. && rm -rf usbmuxd && mv /build/lib /build/usr/lib
+
+
+# Create main image
+FROM ubuntu:24.04 as main
+
+LABEL org.opencontainers.image.url="https://mvt.re"
+LABEL org.opencontainers.image.documentation="https://docs.mvt.re"
+LABEL org.opencontainers.image.source="https://github.com/mvt-project/mvt"
+LABEL org.opencontainers.image.title="Mobile Verification Toolkit"
+LABEL org.opencontainers.image.description="MVT is a forensic tool to look for signs of infection in smartphone devices."
+LABEL org.opencontainers.image.licenses="MVT License 1.1"
+LABEL org.opencontainers.image.base.name=docker.io/library/ubuntu:22.04
+
+# Install runtime dependencies
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update \
+  && apt-get install -y \
+  adb \
+  default-jre-headless \
+  libcurl4 \
+  libssl3 \
+  libusb-1.0-0 \
+  python3 \
+  sqlite3
+COPY --from=build-libplist /build /
+COPY --from=build-libimobiledevice-glue /build /
+COPY --from=build-libtatsu /build /
+COPY --from=build-libusbmuxd /build /
+COPY --from=build-libimobiledevice /build /
+COPY --from=build-usbmuxd /build /
+
+# Install mvt using the locally checked out source
+COPY . mvt/
+RUN apt-get update \
+   && apt-get install -y git python3-pip \
+   && PIP_NO_CACHE_DIR=1 pip3 install --break-system-packages ./mvt \
+   && apt-get remove -y python3-pip git && apt-get autoremove -y \
+   && rm -rf /var/lib/apt/lists/* \
+   && rm -rf mvt
 
 # Installing ABE
-# --------------
-RUN mkdir /opt/abe \
-  && wget https://github.com/nelenkov/android-backup-extractor/releases/download/master-20221109063121-8fdfc5e/abe.jar -O /opt/abe/abe.jar \
+ADD --checksum=sha256:a20e07f8b2ea47620aff0267f230c3f1f495f097081fd709eec51cf2a2e11632 \
+  https://github.com/nelenkov/android-backup-extractor/releases/download/master-20221109063121-8fdfc5e/abe.jar /opt/abe/abe.jar
 # Create alias for abe
-  && echo 'alias abe="java -jar /opt/abe/abe.jar"' >> ~/.bashrc
+RUN echo 'alias abe="java -jar /opt/abe/abe.jar"' >> ~/.bashrc
 
-# Generate adb key folder 
-# ------------------------------ 
-RUN mkdir /root/.android && adb keygen /root/.android/adbkey
+# Generate adb key folder
+RUN echo 'if [ ! -f /root/.android/adbkey ]; then adb keygen /root/.android/adbkey 2&>1 > /dev/null; fi' >> ~/.bashrc
+RUN mkdir /root/.android
 
 # Setup investigations environment
-# --------------------------------
 RUN mkdir /home/cases
-WORKDIR /home/cases 
+WORKDIR /home/cases
 RUN echo 'echo "Mobile Verification Toolkit @ Docker\n------------------------------------\n\nYou can find information about how to use this image for Android (https://github.com/mvt-project/mvt/tree/master/docs/android) and iOS (https://github.com/mvt-project/mvt/tree/master/docs/ios) in the official docs of the project.\n"' >> ~/.bashrc \
   && echo 'echo "Note that to perform the debug via USB you might need to give the Docker image access to the USB using \"docker run -it --privileged -v /dev/bus/usb:/dev/bus/usb mvt\" or, preferably, the \"--device=\" parameter.\n"' >> ~/.bashrc
 

Dockerfile.android

@@ -0,0 +1,36 @@
+# Create main image
+FROM python:3.10.14-alpine3.20 as main
+
+LABEL org.opencontainers.image.url="https://mvt.re"
+LABEL org.opencontainers.image.documentation="https://docs.mvt.re"
+LABEL org.opencontainers.image.source="https://github.com/mvt-project/mvt"
+LABEL org.opencontainers.image.title="Mobile Verification Toolkit (Android)"
+LABEL org.opencontainers.image.description="MVT is a forensic tool to look for signs of infection in smartphone devices."
+LABEL org.opencontainers.image.licenses="MVT License 1.1"
+LABEL org.opencontainers.image.base.name=docker.io/library/python:3.10.14-alpine3.20
+
+# Install runtime dependencies
+RUN apk add --no-cache \
+  android-tools \
+  git \
+  libusb \
+  openjdk11-jre-headless \
+  sqlite
+
+# Install mvt
+COPY ./ mvt
+RUN apk add --no-cache --virtual .build-deps gcc musl-dev \
+  && PIP_NO_CACHE_DIR=1 pip3 install ./mvt \
+  && apk del .build-deps gcc musl-dev && rm -rf ./mvt
+
+# Installing ABE
+ADD --checksum=sha256:a20e07f8b2ea47620aff0267f230c3f1f495f097081fd709eec51cf2a2e11632 \
+  https://github.com/nelenkov/android-backup-extractor/releases/download/master-20221109063121-8fdfc5e/abe.jar /opt/abe/abe.jar
+# Create alias for abe
+RUN echo 'alias abe="java -jar /opt/abe/abe.jar"' >> ~/.bashrc
+
+# Generate adb key folder
+RUN echo 'if [ ! -f /root/.android/adbkey ]; then adb keygen /root/.android/adbkey 2&>1 > /dev/null; fi' >> ~/.bashrc
+RUN mkdir /root/.android
+
+ENTRYPOINT [ "/usr/local/bin/mvt-android" ]

Dockerfile.ios

@@ -0,0 +1,137 @@
+# Base image for building libraries
+# ---------------------------------
+FROM ubuntu:22.04 as build-base
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+# Install build tools and dependencies
+RUN apt-get update \
+  && apt-get install -y \
+  build-essential \
+  git \
+  autoconf \
+  automake \
+  libtool-bin \
+  pkg-config \
+  libcurl4-openssl-dev \
+  libusb-1.0-0-dev \
+  libssl-dev \
+  udev \
+  && rm -rf /var/lib/apt/lists/*
+
+
+# libplist
+# --------
+FROM build-base as build-libplist
+
+# Build
+RUN git clone https://github.com/libimobiledevice/libplist && cd libplist \
+  && ./autogen.sh && make -j "$(nproc)" && make install DESTDIR=/build \
+  && cd .. && rm -rf libplist
+
+
+# libimobiledevice-glue
+# ---------------------
+FROM build-base as build-libimobiledevice-glue
+
+# Install dependencies
+COPY --from=build-libplist /build /
+
+# Build
+RUN git clone https://github.com/libimobiledevice/libimobiledevice-glue && cd libimobiledevice-glue \
+  && ./autogen.sh && make -j "$(nproc)" && make install DESTDIR=/build \
+  && cd .. && rm -rf libimobiledevice-glue
+
+
+# libtatsu
+# --------
+FROM build-base as build-libtatsu
+
+# Install dependencies
+COPY --from=build-libplist /build /
+
+# Build
+RUN git clone https://github.com/libimobiledevice/libtatsu && cd libtatsu \
+  && ./autogen.sh && make -j "$(nproc)" && make install DESTDIR=/build \
+  && cd .. && rm -rf libtatsu
+
+
+# libusbmuxd
+# ----------
+FROM build-base as build-libusbmuxd
+
+# Install dependencies
+COPY --from=build-libplist /build /
+COPY --from=build-libimobiledevice-glue /build /
+
+# Build
+RUN git clone https://github.com/libimobiledevice/libusbmuxd && cd libusbmuxd \
+  && ./autogen.sh && make -j "$(nproc)" && make install DESTDIR=/build \
+  && cd .. && rm -rf libusbmuxd
+
+
+# libimobiledevice
+# ----------------
+FROM build-base as build-libimobiledevice
+
+# Install dependencies
+COPY --from=build-libplist /build /
+COPY --from=build-libtatsu /build /
+COPY --from=build-libimobiledevice-glue /build /
+COPY --from=build-libusbmuxd /build /
+
+# Build
+RUN git clone https://github.com/libimobiledevice/libimobiledevice && cd libimobiledevice \
+  && ./autogen.sh --enable-debug && make -j "$(nproc)" && make install DESTDIR=/build \
+  && cd .. && rm -rf libimobiledevice
+
+
+# usbmuxd
+# -------
+FROM build-base as build-usbmuxd
+
+# Install dependencies
+COPY --from=build-libplist /build /
+COPY --from=build-libimobiledevice-glue /build /
+COPY --from=build-libusbmuxd /build /
+COPY --from=build-libimobiledevice /build /
+
+# Build
+RUN git clone https://github.com/libimobiledevice/usbmuxd && cd usbmuxd \
+  && ./autogen.sh --sysconfdir=/etc --localstatedir=/var --runstatedir=/run && make -j "$(nproc)" && make install DESTDIR=/build \
+  && cd .. && rm -rf usbmuxd && mv /build/lib /build/usr/lib
+
+
+# Main image
+# ----------
+FROM python:3.10.14-alpine3.20 as main
+
+LABEL org.opencontainers.image.url="https://mvt.re"
+LABEL org.opencontainers.image.documentation="https://docs.mvt.re"
+LABEL org.opencontainers.image.source="https://github.com/mvt-project/mvt"
+LABEL org.opencontainers.image.title="Mobile Verification Toolkit (iOS)"
+LABEL org.opencontainers.image.description="MVT is a forensic tool to look for signs of infection in smartphone devices."
+LABEL org.opencontainers.image.licenses="MVT License 1.1"
+LABEL org.opencontainers.image.base.name=docker.io/library/python:3.10.14-alpine3.20
+
+# Install runtime dependencies
+RUN apk add --no-cache \
+  gcompat \
+  libcurl \
+  libssl3 \
+  libusb \
+  sqlite
+COPY --from=build-libplist /build /
+COPY --from=build-libimobiledevice-glue /build /
+COPY --from=build-libtatsu /build /
+COPY --from=build-libusbmuxd /build /
+COPY --from=build-libimobiledevice /build /
+COPY --from=build-usbmuxd /build /
+
+# Install mvt using the locally checked out source
+COPY ./ mvt
+RUN apk add --no-cache --virtual .build-deps git gcc musl-dev \
+  && PIP_NO_CACHE_DIR=1 pip3 install ./mvt \
+  && apk del .build-deps git gcc musl-dev && rm -rf ./mvt
+
+ENTRYPOINT [ "/usr/local/bin/mvt-ios" ]

Makefile

@@ -1,23 +1,44 @@
 PWD = $(shell pwd)
 
-check:
-	flake8
-	ruff check -q .
-	black --check .
-	pytest -q
+autofix:
+	ruff format .
+	ruff check --fix .
 
+check: ruff mypy
+
+ruff:
+	ruff format --check .
+	ruff check -q .
+
+mypy:
+	mypy
+
+test:
+	python3 -m pytest
+
+test-ci:
+	python3 -m pytest -v
+
+install:
+	python3 -m pip install --upgrade -e .
+
+test-requirements:
+	python3 -m pip install --upgrade --group dev
+
+generate-proto-parsers:
+	# Generate python parsers for protobuf files
+	PROTO_FILES=$$(find src/mvt/android/parsers/proto/ -iname "*.proto"); \
+	protoc -Isrc/mvt/android/parsers/proto/ --python_betterproto_out=src/mvt/android/parsers/proto/ $$PROTO_FILES
 
 clean:
-	rm -rf $(PWD)/build $(PWD)/dist $(PWD)/mvt.egg-info
+	rm -rf $(PWD)/build $(PWD)/dist $(PWD)/src/mvt.egg-info
 
 dist:
-	python3 setup.py sdist bdist_wheel
+	python3 -m pip install --upgrade build
+	python3 -m build
 
 upload:
 	python3 -m twine upload dist/*
 
 test-upload:
 	python3 -m twine upload --repository testpypi dist/*
-
-pylint:
-	pylint --rcfile=setup.cfg mvt

README.md

@@ -6,7 +6,7 @@
 
 [![](https://img.shields.io/pypi/v/mvt)](https://pypi.org/project/mvt/)
 [![Documentation Status](https://readthedocs.org/projects/mvt/badge/?version=latest)](https://docs.mvt.re/en/latest/?badge=latest)
-[![CI](https://github.com/mvt-project/mvt/actions/workflows/python-package.yml/badge.svg)](https://github.com/mvt-project/mvt/actions/workflows/python-package.yml)
+[![CI](https://github.com/mvt-project/mvt/actions/workflows/tests.yml/badge.svg)](https://github.com/mvt-project/mvt/actions/workflows/tests.yml)
 [![Downloads](https://pepy.tech/badge/mvt)](https://pepy.tech/project/mvt)
 
 Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.

dev/mvt-android

@@ -1,14 +0,0 @@
-#!/usr/bin/env python3
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import os
-import sys
-
-sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
-
-from mvt import android
-
-android.cli()

dev/mvt-ios

@@ -1,14 +0,0 @@
-#!/usr/bin/env python3
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2022 Claudio Guarnieri.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import os
-import sys
-
-sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
-
-from mvt import ios
-
-ios.cli()

docs/android/adb.md

@@ -1,42 +1,26 @@
-# Check over ADB
-
-In order to check an Android device over the [Android Debug Bridge (adb)](https://developer.android.com/studio/command-line/adb) you will first need to install [Android SDK Platform Tools](https://developer.android.com/studio/releases/platform-tools). If you have installed [Android Studio](https://developer.android.com/studio/) you should already have access to `adb` and other utilities.
-
-While many Linux distributions already package Android Platform Tools (for example `android-platform-tools-base` on Debian), it is preferable to install the most recent version from the official website. Packaged versions might be outdated and incompatible with most recent Android handsets.
-
-Next you will need to enable debugging on the Android device you are testing. [Please follow the official instructions on how to do so.](https://developer.android.com/studio/command-line/adb)
-
-## Connecting over USB
-
-The easiest way to check the device is over a USB transport. You will need to have USB debugging enabled and the device plugged into your computer. If everything is configured appropriately you should see your device when launching the command `adb devices`.
-
-Now you can try launching MVT with:
-
-```bash
-mvt-android check-adb --output /path/to/results
-```
-
-If you have previously started an adb daemon MVT will alert you and require you to kill it with `adb kill-server` and relaunch the command.
+# Deprecation of ADB command in MVT
 
 !!! warning
-    MVT relies on the Python library [adb-shell](https://pypi.org/project/adb-shell/) to connect to an Android device, which relies on libusb for the USB transport. Because of known driver issues, Windows users [are recommended](https://github.com/JeffLIrion/adb_shell/issues/118) to install appropriate drivers using [Zadig](https://zadig.akeo.ie/). Alternatively, an easier option might be to use the TCP transport and connect over Wi-Fi as describe next.
 
-## Connecting over Wi-FI
+    The `mvt-android check-adb` command has been deprecated and removed from MVT.
 
-When connecting to the device over USB is not possible or not working properly, an alternative option is to connect over the network. In order to do so, first launch an adb daemon at a fixed port number:
+The ability to analyze Android devices over ADB (`mvt-android check-adb`) has been removed from MVT due to several technical and forensic limitations.
 
-```bash
-adb tcpip 5555
-```
+## Reasons for Deprecation
 
-Then you can specify the IP address of the phone with the adb port number to MVT like so:
+1. **Inconsistent Data Collection Across Devices**
+   Android devices vary significantly in their system architecture, security policies, and available diagnostic logs. This inconsistency makes it difficult to ensure that MVT can reliably collect necessary forensic data across all devices.
 
-```bash
-mvt-android check-adb --serial 192.168.1.20:5555 --output /path/to/results
-```
+2. **Incomplete Forensic Data Acquisition**
+   The `check-adb` command did not retrieve a full forensic snapshot of all available data on the device. For example, critical logs such as the **full bugreport** were not systematically collected, leading to potential gaps in forensic analysis. This can be a serious problem in scenarios where the analyst only had one time access to the Android device.
 
-Where `192.168.1.20` is the correct IP address of your device.
+4. **Code Duplication and Difficulty Ensuring Consistent Behavior Across Sources**
+    Similar forensic data such as "dumpsys" logs were being loaded and parsed by MVT's ADB, AndroidQF and Bugreport commands. Multiple modules were needed to handle each source format which created duplication leading to inconsistent
+    behavior and difficulties in maintaining the code base.
 
-## MVT modules requiring root privileges
+5. **Alignment with iOS Workflow**
+   MVT’s forensic workflow for iOS relies on pre-extracted artifacts, such as iTunes backups or filesystem dumps, rather than preforming commands or interactions directly on a live device. Removing the ADB functionality ensures a more consistent methodology across both Android and iOS mobile forensic.
 
-Of the currently available `mvt-android check-adb` modules a handful require root privileges to function correctly. This is because certain files, such as browser history and SMS messages databases are not accessible with user privileges through adb. These modules are to be considered OPTIONALLY available in case the device was already jailbroken. **Do NOT jailbreak your own device unless you are sure of what you are doing!** Jailbreaking your phone exposes it to considerable security risks!
+## Alternative: Using AndroidQF for Forensic Data Collection
+
+To replace the deprecated ADB-based approach, forensic analysts should use [AndroidQF](https://github.com/mvt-project/androidqf) for comprehensive data collection, followed by MVT for forensic analysis. The workflow is outlined in the MVT [Android methodology](./methodology.md)

docs/android/download_apks.md

@@ -1,6 +1,6 @@
 # Downloading APKs from an Android phone
 
-MVT allows to attempt to download all available installed packages (APKs) in order to further inspect them and potentially identify any which might be malicious in nature.
+MVT allows you to attempt to download all available installed packages (APKs) from a device in order to further inspect them and potentially identify any which might be malicious in nature.
 
 You can do so by launching the following command:
 

docs/android/methodology.md

@@ -1,23 +1,53 @@
 # Methodology for Android forensic
 
-Unfortunately Android devices provide much less observability than their iOS cousins. Android stores very little diagnostic information useful to triage potential compromises, and because of this `mvt-android` capabilities are limited as well.
+Unfortunately Android devices provide fewer complete forensically useful datasources than their iOS cousins. Unlike iOS, the Android backup feature only provides a limited about of relevant data.
+
+Android diagnostic logs such as *bugreport files* can be inconsistent in format and structure across different Android versions and device  vendors. The limited diagnostic information available makes it difficult to triage potential compromises, and because of this `mvt-android` capabilities are limited as well.
 
 However, not all is lost.
 
-## Check installed Apps
+## Check Android devices with AndroidQF and MVT
 
-Because malware attacks over Android typically take the form of malicious or backdoored apps, the very first thing you might want to do is to extract and verify all installed Android packages and triage quickly if there are any which stand out as malicious or which might be atypical.
+The [AndroidQF](https://github.com/mvt-project/androidqf) tool can be used to collect a wide range of forensic artifacts from an Android device including an Android backup, a bugreport file, and a range of system logs. MVT natively supports analyzing the generated AndroidQF output for signs of device compromise.
 
-While it is out of the scope of this documentation to dwell into details on how to analyze Android apps, MVT does allow to easily and automatically extract information about installed apps, download copies of them, and quickly look them up on services such as [VirusTotal](https://www.virustotal.com).
+### Why Use AndroidQF?
 
-!!! info "Using VirusTotal"
-	Please note that in order to use VirusTotal lookups you are required to provide your own API key through the `MVT_VT_API_KEY` environment variable. You should also note that VirusTotal enforces strict API usage. Be mindful that MVT might consume your hourly search quota.
+- **Complete and raw data extraction**
+  AndroidQF collects full forensic artifacts using an on-device forensic collection agent, ensuring that no crucial data is overlooked. The data collection does not depended on the shell environment or utilities available on the device.
+
+- **Consistent and standardized output**
+  By collecting a predefined and complete set of forensic files, AndroidQF ensures consistency in data acquisition across different Android devices.
+
+- **Future-proof analysis**
+  Since the full forensic artifacts are preserved, analysts can extract new evidence or apply updated analysis techniques without requiring access to the original device.
+
+- **Cross-platform tool without dependencies**
+  AndroidQF is a standalone Go binary which can be used to remotely collect data from an Android device without the device owner needing to install MVT or a Python environment.
+
+### Workflow for Android Forensic Analysis with AndroidQF
+
+With AndroidQF the analysis process is split into a separate data collection and data analysis stages.
+
+1. **Extract Data Using AndroidQF**
+  Deploy the AndroidQF forensic collector to acquire all relevant forensic artifacts from the Android device.
+
+2. **Analyze Extracted Data with MVT**
+  Use the `mvt-android check-androidqf` command to perform forensic analysis on the extracted artifacts.
+
+By separating artifact collection from forensic analysis, this approach ensures a more reliable and scalable methodology for Android forensic investigations.
+
+For more information, refer to the [AndroidQF project documentation](https://github.com/mvt-project/androidqf).
 
 ## Check the device over Android Debug Bridge
 
-Some additional diagnostic information can be extracted from the phone using the [Android Debug Bridge (adb)](https://developer.android.com/studio/command-line/adb). `mvt-android` allows to automatically extract information including [dumpsys](https://developer.android.com/studio/command-line/dumpsys) results, details on installed packages (without download), running processes, presence of root binaries and packages, and more.
+The ability to analyze Android devices over ADB (`mvt-android check-adb`) has been removed from MVT.
 
+See the [Android ADB documentation](./adb.md) for more information.
 
 ## Check an Android Backup (SMS messages)
 
-Although Android backups are becoming deprecated, it is still possible to generate one. Unfortunately, because apps these days typically favor backup over the cloud, the amount of data available is limited. Currently, `mvt-android check-backup` only supports checking SMS messages containing links.
+Although Android backups are becoming deprecated, it is still possible to generate one. Unfortunately, because apps these days typically favor backup over the cloud, the amount of data available is limited.
+
+The `mvt-android check-androidqf` command will automatically check an Android backup and SMS messages if an SMS backup is included in the AndroidQF extraction.
+
+The  `mvt-android check-backup` command can also be used directly with an Android backup file.

docs/command_completion.md

@@ -0,0 +1,43 @@
+# Command Completion 
+
+MVT utilizes the [Click](https://click.palletsprojects.com/en/stable/) library for creating its command line interface. 
+
+Click provides tab completion support for Bash (version 4.4 and up), Zsh, and Fish.
+
+To enable it, you need to manually register a special function with your shell, which varies depending on the shell you are using.
+
+The following describes how to generate the command completion scripts and add them to your shell configuration. 
+
+> **Note: You will need to start a new shell for the changes to take effect.**
+
+### For Bash
+
+```bash
+# Generates bash completion scripts
+echo "$(_MVT_IOS_COMPLETE=bash_source mvt-ios)" > ~/.mvt-ios-complete.bash &&
+echo "$(_MVT_ANDROID_COMPLETE=bash_source mvt-android)" > ~/.mvt-android-complete.bash
+```
+
+Add the following to `~/.bashrc`:
+```bash
+# source mvt completion scripts
+. ~/.mvt-ios-complete.bash && .  ~/.mvt-android-complete.bash
+```
+
+### For Zsh
+
+```bash
+# Generates zsh completion scripts
+echo "$(_MVT_IOS_COMPLETE=zsh_source mvt-ios)" >  ~/.mvt-ios-complete.zsh &&
+echo "$(_MVT_ANDROID_COMPLETE=zsh_source mvt-android)" > ~/.mvt-android-complete.zsh
+```
+
+Add the following to `~/.zshrc`:
+```bash
+# source mvt completion scripts
+.  ~/.mvt-ios-complete.zsh  && .  ~/.mvt-android-complete.zsh
+```
+
+For more information, visit the official [Click Docs](https://click.palletsprojects.com/en/stable/shell-completion/#enabling-completion).
+
+

docs/docker.md

@@ -2,7 +2,22 @@ Using Docker simplifies having all the required dependencies and tools (includin
 
 Install Docker following the [official documentation](https://docs.docker.com/get-docker/).
 
-Once installed, you can clone MVT's repository and build its Docker image:
+Once Docker is installed, you can run MVT by downloading a prebuilt MVT Docker image, or by building a Docker image yourself from the MVT source repo.
+
+### Using the prebuilt Docker image
+
+```bash
+docker pull ghcr.io/mvt-project/mvt
+```
+
+You can then run the Docker container with:
+
+```
+docker run -it ghcr.io/mvt-project/mvt
+```
+
+
+### Build and run Docker image from source
 
 ```bash
 git clone https://github.com/mvt-project/mvt.git
@@ -16,18 +31,4 @@ Test if the image was created successfully:
 docker run -it mvt
 ```
 
-If a prompt is spawned successfully, you can close it with `exit`.
-
-If you wish to use MVT to test an Android device you will need to enable the container's access to the host's USB devices. You can do so by enabling the `--privileged` flag and mounting the USB bus device as a volume:
-
-```bash
-docker run -it --privileged -v /dev/bus/usb:/dev/bus/usb mvt
-```
-
-**Please note:** the `--privileged` parameter is generally regarded as a security risk. If you want to learn more about this check out [this explainer on container escapes](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/) as it gives access to the whole system.
-
-Recent versions of Docker provide a `--device` parameter allowing to specify a precise USB device without enabling `--privileged`:
-
-```bash
-docker run -it --device=/dev/<your_usb_port> mvt
-```
+If a prompt is spawned successfully, you can close it with `exit`.

docs/install.md

@@ -98,3 +98,7 @@ You now should have the `mvt-ios` and `mvt-android` utilities installed.
 **Notes:**
 1. The `--force` flag is necessary to force the reinstallation of the package.
 2. To revert to using a PyPI version, it will be necessary to `pipx uninstall mvt` first.
+
+## Setting up command completions
+
+See ["Command completions"](command_completion.md)

docs/iocs.md

@@ -34,6 +34,13 @@ It is also possible to load STIX2 files automatically from the environment varia
 export MVT_STIX2="/home/user/IOC1.stix2:/home/user/IOC2.stix2"
 ```
 
+## STIX2 Support
+
+So far MVT implements only a subset of [STIX2 specifications](https://docs.oasis-open.org/cti/stix/v2.1/csprd01/stix-v2.1-csprd01.html):
+
+* It only supports checks for one value (such as `[domain-name:value='DOMAIN']`) and not boolean expressions over multiple comparisons
+* It only supports the following types: `domain-name:value`, `process:name`, `email-addr:value`, `file:name`, `file:path`, `file:hashes.md5`, `file:hashes.sha1`, `file:hashes.sha256`, `app:id`, `configuration-profile:id`, `android-property:name`, `url:value` (but each type will only be checked by a module if it is relevant to the type of data obtained)
+
 ## Known repositories of STIX2 IOCs
 
 - The [Amnesty International investigations repository](https://github.com/AmnestyTech/investigations) contains STIX-formatted IOCs for:
@@ -46,3 +53,6 @@ export MVT_STIX2="/home/user/IOC1.stix2:/home/user/IOC2.stix2"
 You can automaticallly download the latest public indicator files with the command `mvt-ios download-iocs` or `mvt-android download-iocs`. These commands download the list of indicators from the [mvt-indicators](https://github.com/mvt-project/mvt-indicators/blob/main/indicators.yaml) repository and store them in the [appdir](https://pypi.org/project/appdirs/) folder. They are then loaded automatically by MVT.
 
 Please [open an issue](https://github.com/mvt-project/mvt/issues/) to suggest new sources of STIX-formatted IOCs.
+
+
+

docs/requirements.txt

@@ -1,5 +1,5 @@
-mkdocs==1.2.3
-mkdocs-autorefs
-mkdocs-material
-mkdocs-material-extensions
-mkdocstrings
+mkdocs==1.6.1
+mkdocs-autorefs==1.4.3
+mkdocs-material==9.6.20
+mkdocs-material-extensions==1.3.1
+mkdocstrings==0.30.1

mkdocs.yml

@@ -7,8 +7,8 @@ markdown_extensions:
     - attr_list
     - admonition
     - pymdownx.emoji:
-        emoji_index: !!python/name:materialx.emoji.twemoji
-        emoji_generator: !!python/name:materialx.emoji.to_svg
+        emoji_index: !!python/name:material.extensions.emoji.twemoji
+        emoji_generator: !!python/name:material.extensions.emoji.to_svg
     - pymdownx.superfences
     - pymdownx.inlinehilite
     - pymdownx.highlight:

mvt/android/artifacts/artifact.py

@@ -1,36 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-from mvt.common.artifact import Artifact
-
-
-class AndroidArtifact(Artifact):
-    @staticmethod
-    def extract_dumpsys_section(dumpsys: str, separator: str) -> str:
-        """
-        Extract a section from a full dumpsys file.
-
-        :param dumpsys: content of the full dumpsys file (string)
-        :param separator: content of the first line separator (string)
-        :return: section extracted (string)
-        """
-        lines = []
-        in_section = False
-        for line in dumpsys.splitlines():
-            if line.strip() == separator:
-                in_section = True
-                continue
-
-            if not in_section:
-                continue
-
-            if line.strip().startswith(
-                "------------------------------------------------------------------------------"
-            ):
-                break
-
-            lines.append(line)
-
-        return "\n".join(lines)

mvt/android/cmd_check_adb.py

@@ -1,37 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.common.command import Command
-
-from .modules.adb import ADB_MODULES
-
-log = logging.getLogger(__name__)
-
-
-class CmdAndroidCheckADB(Command):
-    def __init__(
-        self,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        ioc_files: Optional[list] = None,
-        module_name: Optional[str] = None,
-        serial: Optional[str] = None,
-        module_options: Optional[dict] = None,
-    ) -> None:
-        super().__init__(
-            target_path=target_path,
-            results_path=results_path,
-            ioc_files=ioc_files,
-            module_name=module_name,
-            serial=serial,
-            module_options=module_options,
-            log=log,
-        )
-
-        self.name = "check-adb"
-        self.modules = ADB_MODULES

mvt/android/cmd_check_androidqf.py

@@ -1,67 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-import os
-import zipfile
-from pathlib import Path
-from typing import List, Optional
-
-from mvt.common.command import Command
-
-from .modules.androidqf import ANDROIDQF_MODULES
-
-log = logging.getLogger(__name__)
-
-
-class CmdAndroidCheckAndroidQF(Command):
-    def __init__(
-        self,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        ioc_files: Optional[list] = None,
-        module_name: Optional[str] = None,
-        serial: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        hashes: bool = False,
-    ) -> None:
-        super().__init__(
-            target_path=target_path,
-            results_path=results_path,
-            ioc_files=ioc_files,
-            module_name=module_name,
-            serial=serial,
-            module_options=module_options,
-            hashes=hashes,
-            log=log,
-        )
-
-        self.name = "check-androidqf"
-        self.modules = ANDROIDQF_MODULES
-
-        self.format: Optional[str] = None
-        self.archive: Optional[zipfile.ZipFile] = None
-        self.files: List[str] = []
-
-    def init(self):
-        if os.path.isdir(self.target_path):
-            self.format = "dir"
-            parent_path = Path(self.target_path).absolute().parent.as_posix()
-            target_abs_path = os.path.abspath(self.target_path)
-            for root, subdirs, subfiles in os.walk(target_abs_path):
-                for fname in subfiles:
-                    file_path = os.path.relpath(os.path.join(root, fname), parent_path)
-                    self.files.append(file_path)
-        elif os.path.isfile(self.target_path):
-            self.format = "zip"
-            self.archive = zipfile.ZipFile(self.target_path)
-            self.files = self.archive.namelist()
-
-    def module_init(self, module):
-        if self.format == "zip":
-            module.from_zip_file(self.archive, self.files)
-        else:
-            parent_path = Path(self.target_path).absolute().parent.as_posix()
-            module.from_folder(parent_path, self.files)

mvt/android/cmd_check_backup.py

@@ -1,114 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import io
-import logging
-import os
-import sys
-import tarfile
-from pathlib import Path
-from typing import List, Optional
-
-from mvt.android.modules.backup.base import BackupExtraction
-from mvt.android.modules.backup.helpers import prompt_or_load_android_backup_password
-from mvt.android.parsers.backup import (
-    AndroidBackupParsingError,
-    InvalidBackupPassword,
-    parse_ab_header,
-    parse_backup_file,
-)
-from mvt.common.command import Command
-
-from .modules.backup import BACKUP_MODULES
-
-log = logging.getLogger(__name__)
-
-
-class CmdAndroidCheckBackup(Command):
-    def __init__(
-        self,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        ioc_files: Optional[list] = None,
-        module_name: Optional[str] = None,
-        serial: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        hashes: bool = False,
-    ) -> None:
-        super().__init__(
-            target_path=target_path,
-            results_path=results_path,
-            ioc_files=ioc_files,
-            module_name=module_name,
-            serial=serial,
-            module_options=module_options,
-            hashes=hashes,
-            log=log,
-        )
-
-        self.name = "check-backup"
-        self.modules = BACKUP_MODULES
-
-        self.backup_type: str = ""
-        self.backup_archive: Optional[tarfile.TarFile] = None
-        self.backup_files: List[str] = []
-
-    def init(self) -> None:
-        if not self.target_path:
-            return
-
-        if os.path.isfile(self.target_path):
-            self.backup_type = "ab"
-            with open(self.target_path, "rb") as handle:
-                data = handle.read()
-
-            header = parse_ab_header(data)
-            if not header["backup"]:
-                log.critical("Invalid backup format, file should be in .ab format")
-                sys.exit(1)
-
-            password = None
-            if header["encryption"] != "none":
-                password = prompt_or_load_android_backup_password(
-                    log, self.module_options
-                )
-                if not password:
-                    log.critical("No backup password provided.")
-                    sys.exit(1)
-            try:
-                tardata = parse_backup_file(data, password=password)
-            except InvalidBackupPassword:
-                log.critical("Invalid backup password")
-                sys.exit(1)
-            except AndroidBackupParsingError as exc:
-                log.critical("Impossible to parse this backup file: %s", exc)
-                log.critical("Please use Android Backup Extractor (ABE) instead")
-                sys.exit(1)
-
-            dbytes = io.BytesIO(tardata)
-            self.backup_archive = tarfile.open(fileobj=dbytes)
-            for member in self.backup_archive:
-                self.backup_files.append(member.name)
-
-        elif os.path.isdir(self.target_path):
-            self.backup_type = "folder"
-            self.target_path = Path(self.target_path).absolute().as_posix()
-            for root, subdirs, subfiles in os.walk(os.path.abspath(self.target_path)):
-                for fname in subfiles:
-                    self.backup_files.append(
-                        os.path.relpath(os.path.join(root, fname), self.target_path)
-                    )
-        else:
-            log.critical(
-                "Invalid backup path, path should be a folder or an "
-                "Android Backup (.ab) file"
-            )
-            sys.exit(1)
-
-    def module_init(self, module: BackupExtraction) -> None:  # type: ignore[override]
-        if self.backup_type == "folder":
-            module.from_folder(self.target_path, self.backup_files)
-        else:
-            module.from_ab(self.target_path, self.backup_archive, self.backup_files)

mvt/android/cmd_check_bugreport.py

@@ -1,76 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-import os
-from pathlib import Path
-from typing import List, Optional
-from zipfile import ZipFile
-
-from mvt.android.modules.bugreport.base import BugReportModule
-from mvt.common.command import Command
-
-from .modules.bugreport import BUGREPORT_MODULES
-
-log = logging.getLogger(__name__)
-
-
-class CmdAndroidCheckBugreport(Command):
-    def __init__(
-        self,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        ioc_files: Optional[list] = None,
-        module_name: Optional[str] = None,
-        serial: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        hashes: bool = False,
-    ) -> None:
-        super().__init__(
-            target_path=target_path,
-            results_path=results_path,
-            ioc_files=ioc_files,
-            module_name=module_name,
-            serial=serial,
-            module_options=module_options,
-            hashes=hashes,
-            log=log,
-        )
-
-        self.name = "check-bugreport"
-        self.modules = BUGREPORT_MODULES
-
-        self.bugreport_format: str = ""
-        self.bugreport_archive: Optional[ZipFile] = None
-        self.bugreport_files: List[str] = []
-
-    def init(self) -> None:
-        if not self.target_path:
-            return
-
-        if os.path.isfile(self.target_path):
-            self.bugreport_format = "zip"
-            self.bugreport_archive = ZipFile(self.target_path)
-            for file_name in self.bugreport_archive.namelist():
-                self.bugreport_files.append(file_name)
-        elif os.path.isdir(self.target_path):
-            self.bugreport_format = "dir"
-            parent_path = Path(self.target_path).absolute().as_posix()
-            for root, _, subfiles in os.walk(os.path.abspath(self.target_path)):
-                for file_name in subfiles:
-                    file_path = os.path.relpath(
-                        os.path.join(root, file_name), parent_path
-                    )
-                    self.bugreport_files.append(file_path)
-
-    def module_init(self, module: BugReportModule) -> None:  # type: ignore[override]
-        if self.bugreport_format == "zip":
-            module.from_zip(self.bugreport_archive, self.bugreport_files)
-        else:
-            module.from_folder(self.target_path, self.bugreport_files)
-
-    def finish(self) -> None:
-        if self.bugreport_archive:
-            self.bugreport_archive.close()