A crucial part of the investigative reporting done by the 17 media organisations which are part of the Pegasus Project is the forensic examination of phones believed to be targeted for surveillance.
1. How does this forensic examination process work?
With the help of the project’s media partners, Amnesty International’s Security Lab has been able to conduct in-depth forensic analyses of over 60 smartphones belonging to journalists, activists, politicians and other persons of interest across 10 countries.
Put simply, the forensic test involved examining the device of people whose numbers were on the leaked list and looking for digital evidence left behind by the Pegasus spyware.
2. What exactly did you look for? How do you know what you found is Pegasus and not some other malware?
In the past, Amnesty International and other organisations have recognised Pegasus spyware attacks based on specific domain names and other network infrastructure used to deliver the attacks.
However, forensic evidence left behind by Pegasus also provides an independent way to attribute the attacks to the NSO Group’s technology.
For a number of cases in this project, Amnesty examined records of process executions and their respective network usage in iOS devices, looking for malicious fingerprints that are left behind by the spyware.
Some of these processes that were detected on infected phones – and crucially did not match any legitimate code created and released by Apple – were seen in previously known Pegasus infections and appear to be key components of the Pegasus toolkit.
“There are a bunch of different pieces, essentially, and they all fit together very well,” Claudio Guarnieri, director of Amnesty International’s Security Lab, said. “There’s no doubt in my mind that what we’re looking at is Pegasus because the characteristics are very distinct and all of the traces that we see confirm each other.”
For the technically-minded, Amnesty is publishing its full technical analysis that allowed it to reach these conclusions. It can be read here.
3. What if I don’t trust Amnesty… how robust is this forensic process?
The Pegasus Project’s media partners have taken steps to help build trust in the underlying methodology used to attribute these attacks.
Citizen Lab – an institute based out of the University of Toronto, which in 2019 gained widespread attention for helping WhatsApp identify human rights activists and journalists affected by Pegasus – was asked to analyse three iPhone back-ups that were examined by Amnesty and in which traces of Pegasus had been found.
This was a blind test – Citizen Lab was not told of Amnesty’s results before they conducted their analysis.
All three phones were independently confirmed by Citizen Lab as having been compromised by Pegasus within the timeframe provided.
“We conclude with high confidence that the DataUsage.sqlite files show evidence that the phones they were taken from were successfully infected with NSO Group’s Pegasus spyware during the dates mentioned above. Our high confidence conclusion stems from the fact that we have never seen the above process names used in a benign context, and we have only ever seen them used in high-confidence cases of infection with NSO Group’s Pegasus spyware. The phones may also have been infected on additional dates, as DataUsage.sqlite entries are only recorded when the phone is using mobile data,” said Citizen Lab.
The institute also conducted a peer review of Amnesty’s forensic methods and found them to be sound.
4. What are the limitations to this forensic process? Why have you only done it for a subset of the people who have been selected as a target?
There are a few factors that have prevented us from doing a greater amount of forensic analyses.
Firstly, there is the issue of consent; a number of people we contacted simply refused to participate in this process.
Secondly, if a target no longer had the phone that was being used at the time of selection, then obviously forensics could not be carried out. On similar lines, if a target had erased the data on her phone (say through a factory reset) that also prevented us from examining the device for traces of Pegasus.
Lastly, in Amnesty’s experience, there are “significantly more forensic traces accessible to investigators” on Apple devices than stock Android phones. Or, in other words, efforts to verify a Pegasus attack on Android phones were held back by a shortage of relevant logs in the memories of the devices.
Consequently, our ability to conduct a successful forensic analysis – one that was able to detect evidence of a compromise, provided all other factors remained the same – was extremely limited for Android smartphones.
When asked whether Google would consider creating more extensive and persisting logging capabilities to ease the search for Pegasus, company spokesperson Kaylin Trychon said: “While we understand that persistent logs would be more helpful for forensic uses such as the ones described by Amnesty International’s researchers, they also would be helpful to attackers. We continually balance these different needs.”
5. On how many phones did you detect signs of a Pegasus attack or infection?
Amnesty’s Security Lab examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration.
For the remaining 30, the tests were inconclusive, in several cases because the phones had been replaced and therefore the needed data was not available.
Fifteen of the phones were Android devices, none of which showed evidence of successful infection. As noted above, Androids do not log the kinds of information required for Amnesty’s detective work.
Three Android phones, including a device belonging to The Hindu reporter Vijaita Singh, showed signs of targeting, such as Pegasus-linked SMS messages.
Read The Wire’s coverage as part of the Pegasus Project here.