https://www.slavasoft.com/download.htm
Execute this command:
python
If you don't have Python installed, Windows Store will open and offer it to you. Install it.
If you have Python installed, it will open, as shown below.
Execute this command to exit from Python:
exit()
Execute this command to install MVT:
pip install mvt
A lot of messages scroll by, as shown below.
To test your installation, execute this command:
mvt-ios
It will probably fail, saying it is not recognized, as shown below.
If that happens, execute this command:
pip show mvt
This reveals the path where Python put the file, which is very long, highlighted in the image below.
To copy the path, carefully highlight the whole thing, as shown above, and then press the Enter key.
Click Start. Type ENVIRONMENT. In the search results, click "Edit environment variables for your account".
In the top pane, click Path. Then click the Edit... button, as shown below.
In the "Edit environment variable" box, click the New button.
Paste in the long path you copied earlier, as shown below.
At the right end of that long path, delete "site-packages" and add "Scripts", as shown below.
Click OK. Click OK.
Close the Command Prompt window. Open a new Command Prompt window.
Execute this command:
mvt-ios
You should see a Usage message, as shown below.
Execute this command:
mvt-ios download-iocs
It downloads several recent packages including STIX2 files, which are Indicators of Compromise, as shown below.
Execute these commands:
cd Downloads\iTunesBackup
mvt-ios check-backup --output out iTunesBackup
dir out
The results show several files, but none of them end in "_detected", so none of these IOCs were detected, as shown below.
F 231.1: Timeline (15 pts)
To find the latest threat, named "Triangulation", search the timeline.csv file for "BackupAgent". To search for all lines containing "ba", execute this command:
type out\timeline.csv | findstr ba
The flag is covered by a green rectangle in the image below.
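The two manual checks above (looking for files ending in "_detected" and searching timeline.csv) can also be scripted. This is an added example, not part of the original lab or of MVT itself; it matches the keyword regardless of case, and the "out" folder contents, file names and timeline rows it builds are constructed sample data.

```python
import csv
import tempfile
from pathlib import Path


def detected_files(out_dir):
    """Return names of MVT result files whose stem ends in '_detected'."""
    return sorted(p.name for p in Path(out_dir).iterdir()
                  if p.is_file() and p.stem.endswith("_detected"))


def search_timeline(out_dir, keyword="BackupAgent"):
    """Return timeline.csv rows with `keyword` in any cell, ignoring case."""
    path = Path(out_dir) / "timeline.csv"
    if not path.exists():
        return []
    needle = keyword.lower()
    with path.open(newline="", encoding="utf-8", errors="replace") as fh:
        return [row for row in csv.reader(fh)
                if any(needle in cell.lower() for cell in row)]


def build_sample_out(root):
    """Create a constructed 'out' folder; file names and rows are made up."""
    out = Path(root) / "out"
    out.mkdir()
    (out / "sms.json").write_text("[]", encoding="utf-8")
    (out / "safari_history_detected.json").write_text("[]", encoding="utf-8")
    rows = [
        ["UTC Timestamp", "Plugin", "Event", "Description"],
        ["2023-01-01 10:00:00", "SampleModule", "sample_event", "com.example.app opened"],
        ["2023-01-02 11:30:00", "SampleModule", "sample_event", "process backupagent used 1234 bytes"],
        ["2023-01-03 09:15:00", "SampleModule", "sample_event", "tab bar layout changed"],
    ]
    with (out / "timeline.csv").open("w", newline="", encoding="utf-8") as fh:
        csv.writer(fh).writerows(rows)
    return out


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        out = build_sample_out(tmp)
        return detected_files(out), search_timeline(out)


if __name__ == "__main__":
    hits, rows = demo()
    print("detected files:", hits or "none", "| timeline matches:", rows)
```

To use it on a real scan, call detected_files("out") and search_timeline("out") from the folder where mvt-ios check-backup was run.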
Posted 6-12-23