State malware has posed a threat to the privacy of those affected and their contacts not only since the Pegasus Project, which exposed the surveillance of numerous activists, journalists and opposition figures by the NSO Group's Pegasus state malware. In order to make such attacks visible and provable, analyses are needed that use methods and tools similar to those used by security agencies, but which should be open source and adhere to the ethical standards of consensual forensics. In our workshop we want to give an overview of which approaches, methods, and tools are suitable for these analyses in order to perform forensic data extraction as well as possible in a civilian context, and to present the tools and scripts we have developed ourselves. We all work in civil forensics ourselves and want to share our experiences of what has worked for us and what has not.
The presented tools are of course not only suitable for the search for state malware, but also for any other malware, such as stalkerware or ransomware.
Topics and tools we present are:
* Android/iOS: Mobile Verification Toolkit (MVT), android-qf
* HDD/SSD image: guymager
* Windows/Mac: pc-qf
* Indicator of Compromise (IoC) management: MISP
* Mobile Verification Toolkit (MVT)
* Sysdiagnose exports: analyzing processes
* PCAP evaluation: TinyCheck
For these steps and for typical attack patterns we explain reasonable approaches and what has proven effective in our work.