Add docs explaining how to seek expert help for forensic analysis (#476)

* Update forensic support links in the documentation * Add expert help message to MVT output * Add warning to disable ADB after an Android acquisition * Include Developer Options in the ADB warning text
mvt-project · Apr 8, 2024 · f9d7b55 · f9d7b55
1 parent b738603
commit f9d7b55
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -26,7 +26,7 @@ MVT supports using public [indicators of compromise (IOCs)](https://github.com/m
 >
 > Reliable and comprehensive digital forensic support and triage requires access to non-public indicators, research and threat intelligence.
 >
->Such support is available to civil society through [Amnesty International's Security Lab](https://www.amnesty.org/en/tech/) or through our forensic partnership with [Access Now’s Digital Security Helpline](https://www.accessnow.org/help/).
+>Such support is available to civil society through [Amnesty International's Security Lab](https://securitylab.amnesty.org/get-help/?c=mvt_docs) or through our forensic partnership with [Access Now’s Digital Security Helpline](https://www.accessnow.org/help/).
 
 More information about using indicators of compromise with MVT is available in the [documentation](https://docs.mvt.re/en/latest/iocs/).
 

diff --git a/docs/introduction.md b/docs/introduction.md
@@ -21,7 +21,7 @@ MVT supports using [indicators of compromise (IOCs)](https://github.com/mvt-proj
 
     Reliable and comprehensive digital forensic support and triage requires access to non-public indicators, research and threat intelligence.
 
-    Such support is available to civil society through [Amnesty International's Security Lab](https://securitylab.amnesty.org/contact-us/) or [Access Now’s Digital Security Helpline](https://www.accessnow.org/help/).
+    Such support is available to civil society through [Amnesty International's Security Lab](https://securitylab.amnesty.org/get-help/?c=mvt_docs) or [Access Now’s Digital Security Helpline](https://www.accessnow.org/help/).
 
 More information about using indicators of compromise with MVT is available in the [documentation](iocs.md).
 

diff --git a/mvt/common/command.py b/mvt/common/command.py
@@ -160,6 +160,27 @@ def module_init(self, module: MVTModule) -> None:
     def finish(self) -> None:
         raise NotImplementedError
 
+    def _show_disable_adb_warning(self) -> None:
+        """Warn if ADB is enabled"""
+        if type(self).__name__ in ["CmdAndroidCheckADB", "CmdAndroidCheckAndroidQF"]:
+            self.log.info(
+                "Please disable Developer Options and ADB (Android Debug Bridge) on the device once finished with the acquisition. "
+                "ADB is a powerful tool which can allow unauthorized access to the device."
+            )
+
+    def _show_support_message(self) -> None:
+        support_message = "Please seek reputable expert help if you have serious concerns about a possible spyware attack. Such support is available to human rights defenders and civil society through Amnesty International's Security Lab at https://securitylab.amnesty.org/get-help/?c=mvt"
+        if self.detected_count == 0:
+            self.log.info(
+                f"[bold]NOTE:[/bold] Using MVT with public indicators of compromise (IOCs) [bold]WILL NOT[/bold] automatically detect advanced attacks.\n\n{support_message}",
+                extra={"markup": True},
+            )
+        else:
+            self.log.warning(
+                f"[bold]NOTE: Detected indicators of compromise[/bold]. Only expert review can confirm if the detected indicators are signs of an attack.\n\n{support_message}",
+                extra={"markup": True},
+            )
+
     def run(self) -> None:
         try:
             self.init()
@@ -208,3 +229,6 @@ def run(self) -> None:
 
         self._store_timeline()
         self._store_info()
+
+        self._show_disable_adb_warning()
+        self._show_support_message()