
iPhone 17 Digital Forensics Project Using EIFT and MVT

A full iOS forensic workflow covering device verification, data acquisition, backup preservation, IOC scanning, Pegasus indicator analysis, and post-scan artifact review in a controlled lab environment.

Overview

This project demonstrates a complete digital forensic workflow performed on an iPhone 17, including data acquisition, preservation, and analysis. The process uses Elcomsoft iOS Forensic Toolkit (EIFT) for data extraction and Mobile Verification Toolkit (MVT) for forensic analysis and threat detection.

All work is conducted in a controlled lab environment to ensure forensic integrity, prevent modification of original data, and isolate analysis from the host system.

Lab Environment

The forensic workflow is performed in a secure and controlled setup:

  • External SSD is used to store all forensic data
  • SSD is accessed in read-only mode to preserve evidence
  • Analysis is performed inside a Linux virtual machine
  • MVT is executed within the VM to isolate processing

This ensures that the original data remains unchanged and protected throughout the investigation.

Tools Used

  • Elcomsoft iOS Forensic Toolkit (EIFT) for data acquisition
  • Mobile Verification Toolkit (MVT) for analysis and IOC scanning
  • libimobiledevice tools for device interaction and backup
  • jq for parsing JSON forensic artifacts

Step 1: Device Verification and Preparation

The workflow begins by confirming the device state, validating connectivity, preparing storage directories, and pairing the iPhone with the forensic workstation.

Check device state and confirm connectivity:

sudo ./EIFT_cmd info

This command retrieves device details such as model, iOS version, and connection status.

Create directories on the external SSD:

mkdir -p /Volumes/LaCie/yourusername/ios_backups_clean
mkdir -p /Volumes/LaCie/yourusername/DFIR/mvt

These directories store backups and forensic analysis output.

Verify directory structure:

ls "/Volumes/LaCie/yourusername"

Confirm device detection:

./idevice_id -l

Pair the device:

idevicepair pair

This allows trusted communication between the system and the iPhone.

Step 2: Data Acquisition Using EIFT

Create directory for AFC dump:

mkdir -p /Volumes/LaCie/yourusername/DFIR/afc_dump

Perform logical acquisition using EIFT:

sudo ./EIFT_cmd normal dumpafc -o "/Volumes/LaCie/yourusername/DFIR/afc_dump.tar"

This extracts accessible user filesystem data from the device.

Verify acquisition:

ls -lh /Volumes/LaCie/yourusername/DFIR/afc_dump.tar

Step 3: iOS Backup Acquisition

Enable backup encryption, either by passing the password on the command line or interactively with -i (which prompts for it):

idevicebackup2 encryption on "yourpassword"
idevicebackup2 -i encryption on

Encrypted backups provide more complete forensic data, because iOS includes items such as keychain and Health data only in encrypted backups. Encryption can be turned off again once acquisition is complete:

idevicebackup2 -i encryption off

Create full logical backup:

idevicebackup2 backup --full /Volumes/LaCie/yourusername/ios_backups_clean

Verify backup:

ls -lh /Volumes/LaCie/yourusername/ios_backups_clean
ls /Volumes/LaCie/yourusername/ios_backups_clean/00008150-001164502638401C

Check total backup size:

du -sh /Volumes/LaCie/yourusername/ios_backups_clean

Step 4: Extract Device Metadata and Artifacts

Extract battery information:

ideviceinfo -q com.apple.mobile.battery > /Volumes/LaCie/yourusername/DFIR/battery.txt

List installed applications:

ideviceinfo -k InstalledApps > /Volumes/LaCie/yourusername/DFIR/installed_apps.txt

Create crash report directory:

mkdir -p /Volumes/LaCie/yourusername/DFIR/crash_reports

Extract crash logs:

idevicecrashreport /Volumes/LaCie/yourusername/DFIR/crash_reports

List backup contents:

idevicebackup2 list /Volumes/LaCie/yourusername/ios_backups_clean > /Volumes/LaCie/yourusername/DFIR/backup_file_index.csv

Compare artifact sizes:

du -sh \
/Volumes/LaCie/yourusername/DFIR/afc_dump.tar \
/Volumes/LaCie/yourusername/ios_backups_clean \
/Volumes/LaCie/yourusername/DFIR

Step 5: Analysis Environment Setup (VM)

Activate virtual environment:

cd tools
source ~/tools/mvt-env/bin/activate

Create output directory:

sudo mkdir -p /mnt/shared/yourusername/DFIR/mvt_output

Step 6: Decrypt Backup for Analysis

Decrypt the encrypted backup so MVT can parse it; the shell variable BP holds the backup password set in Step 3 (set it beforehand with export BP="yourpassword"):

sudo -E $(which mvt-ios) decrypt-backup \
  -p "$BP" \
  -d /mnt/shared/ios_backups_decrypted/yourdevicenumber \
  /mnt/shared/ios_backups_clean/yourdevicenumber

Verify decrypted files:

sudo ls -l /mnt/shared/ios_backups_decrypted/yourdevicenumber

Check backup integrity:

sudo file /mnt/shared/ios_backups_decrypted/yourdevicenumber/Manifest.db

Step 7: IOC-Based Analysis Using MVT

Run MVT scan:

sudo -E $(which mvt-ios) check-backup \
  --iocs /home/vmusername/tools/investigations/2021-07-18_nso \
  --output /mnt/shared/DFIR/mvt_scan_nso_decrypted \
  /mnt/shared/ios_backups_decrypted/yourdevicenumber

Run final Pegasus-focused scan:

sudo -E $(which mvt-ios) check-backup \
  --iocs /home/vmusername/tools/investigations/2021-07-18_nso \
  --output /mnt/shared/DFIR/mvt_scan_nso_FINAL \
  /mnt/shared/ios_backups_decrypted/yourdevicenumber

Step 8: Extract and Analyze Pegasus Indicators

Inspect IOC files:

ls /home/vmusername/tools/investigations/2021-07-18_nso

Check STIX structure:

jq '.objects[].type' /home/vmusername/tools/investigations/2021-07-18_nso/pegasus.stix2 | sort -u

Extract domains (keeping only domain-name indicators, so that email or file indicators in the same STIX file do not end up in the list):

jq -r '.objects[] | select(.type=="indicator" and (.pattern | test("domain-name"))) | .pattern' /home/vmusername/tools/investigations/2021-07-18_nso/pegasus.stix2 \
| grep -oE "'[^']+'" \
| tr -d "'" \
| sort -u > pegasus_domains.txt

Preview and count:

head pegasus_domains.txt
wc -l pegasus_domains.txt

Step 9: Compare Device Data Against IOCs

Extract Safari URLs:

sudo jq -r '.[] | .url // empty' /mnt/shared/DFIR/mvt_scan_nso_FINAL/safari_history.json | sort -u > safari_urls.txt

Search for matches:

sudo grep -Ff pegasus_domains.txt /mnt/shared/DFIR/mvt_scan_nso_FINAL/timeline.csv

Extract domains from the timeline (the description is the fourth column; because awk splits on every comma, a quoted description that itself contains commas will be truncated, so treat this as a quick triage pass):

sudo awk -F',' '{print $4}' /mnt/shared/DFIR/mvt_scan_nso_FINAL/timeline.csv \
| grep -oE '([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})' \
| sort -u > timeline_domains.txt

Perform exact match (-F fixed strings, -x whole line, -f read patterns from the IOC list):

grep -Fxf pegasus_domains.txt timeline_domains.txt
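
The IOC extraction in Step 8 and the exact-match comparison in Step 9 carried out in Python rather than jq/awk, as an added example that is not part of the original project: the STIX2 bundle and timeline.csv below are constructed samples in the same layout as the real files (placeholder domains on the reserved .test TLD), and the column names assume MVT's timeline header row (UTC Timestamp, Plugin, Event, Description). Using the csv module instead of awk -F',' keeps descriptions that themselves contain commas intact.

```python
import csv
import io
import json
import re

# Constructed sample STIX2 bundle in the shape of an MVT IOC file (indicator
# objects whose pattern reads "[domain-name:value = '...']"). All values
# below are placeholders, not real indicators.
STIX_SAMPLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern": "[domain-name:value = 'ioc-example-one.test']"},
    {"type": "indicator", "pattern": "[domain-name:value = 'ioc-example-two.test']"},
    {"type": "indicator", "pattern": "[email-addr:value = 'someone@ioc-example-three.test']"},
    {"type": "malware", "name": "placeholder"},
]})

# Constructed timeline.csv in MVT's column layout. The second data row shows
# why splitting on ',' is unsafe: its quoted description contains a comma.
TIMELINE_SAMPLE = """UTC Timestamp,Plugin,Event,Description
2021-07-01 10:00:00.000000,safari_history,visit,"Safari visit to https://www.example.org/ (visit ID 1)"
2021-07-01 10:05:00.000000,safari_history,visit,"Safari visit to https://ioc-example-one.test/path, then redirect"
2021-07-01 10:06:00.000000,sms,received,"SMS from +10000000000: hello"
"""

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def stix_domains(stix_text):
    """Domain-name indicator values from a STIX2 bundle (lower-cased)."""
    domains = set()
    for obj in json.loads(stix_text).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        # Keep only domain-name patterns; email/file indicators are skipped.
        for value in re.findall(r"domain-name:value\s*=\s*'([^']+)'", obj.get("pattern", "")):
            domains.add(value.lower())
    return domains


def timeline_domains(csv_text):
    """Domains mentioned in the Description column of timeline.csv."""
    found = set()
    for row in csv.DictReader(io.StringIO(csv_text)):  # honours quoted commas
        found.update(d.lower() for d in DOMAIN_RE.findall(row.get("Description", "")))
    return found


def match_iocs(stix_text, csv_text):
    """Whole-domain intersection, the equivalent of grep -Fxf."""
    return sorted(stix_domains(stix_text) & timeline_domains(csv_text))


if __name__ == "__main__":
    print(match_iocs(STIX_SAMPLE, TIMELINE_SAMPLE))  # ['ioc-example-one.test']
```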

Step 10: Post-Scan Analysis

List output files:

sudo ls /mnt/shared/DFIR/mvt_scan_nso_decrypted

Check detections:

sudo jq . /mnt/shared/DFIR/mvt_scan_nso_decrypted/detections.json

Search logs:

sudo egrep -i "detect|detection|match|indicator|ioc|warning|suspicious|hit" /mnt/shared/DFIR/mvt_scan_nso_decrypted/command.log | tail -n 80

Check for detection files:

sudo ls /mnt/shared/DFIR/mvt_scan_nso_decrypted | egrep -i "detect|match"

Step 11: Artifact Analysis

Configuration profiles:

sudo jq . /mnt/shared/DFIR/mvt_scan_nso_decrypted/configuration_profiles.json | head -n 120

Permissions (TCC):

sudo jq . /mnt/shared/DFIR/mvt_scan_nso_decrypted/tcc.json | head -n 120

Sensitive permissions:

sudo jq '.[] | select(.service | test("Camera|Microphone|Accessibility|AllFiles|Bluetooth|Location"))' \
/mnt/shared/DFIR/mvt_scan_nso_decrypted/tcc.json

Safari and WebKit:

sudo jq . /mnt/shared/DFIR/mvt_scan_nso_decrypted/safari_history.json | head -n 120
sudo jq . /mnt/shared/DFIR/mvt_scan_nso_decrypted/webkit_resource_load_statistics.json | head -n 120

SMS analysis:

sudo jq . /mnt/shared/DFIR/mvt_scan_nso_decrypted/sms.json | head -n 120

Timeline review:

sudo head -n 5 /mnt/shared/DFIR/mvt_scan_nso_decrypted/timeline.csv
sudo tail -n 5 /mnt/shared/DFIR/mvt_scan_nso_decrypted/timeline.csv

Keyword search:

sudo egrep -i "profile|mdm|vpn|certificate|root|webkit|safari|push|imessage|facetime|crash|panic|jetsam" \
/mnt/shared/DFIR/mvt_scan_nso_decrypted/timeline.csv | head -n 50

Full Walkthrough Video

This project is also demonstrated step-by-step in a full walkthrough video, covering the complete workflow from acquisition to IOC analysis and final review: iPhone 17 DFIR Walkthrough Using EIFT and MVT

Conclusion

This project demonstrates a full DFIR workflow for iOS, from acquisition to advanced threat analysis. The use of EIFT enables reliable data extraction, while MVT provides powerful detection capabilities using known indicators of compromise.

No evidence of Pegasus or known spyware was identified in this analysis. The results indicate normal device activity with no matches against known malicious infrastructure.

This approach ensures forensic integrity, repeatability, and a structured methodology suitable for real-world investigations.