Improves documentation

.readthedocs.yaml

@@ -0,0 +1,15 @@
+# .readthedocs.yaml
+# Read the Docs configuration file
+# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
+
+# Required
+version: 2
+
+mkdocs:
+  configuration: mkdocs.yml
+
+# Optionally set the version of Python and requirements required to build your docs
+python:
+   version: 3.7
+   install:
+   - requirements: docs/requirements.txt

docs/android/backup.md

@@ -0,0 +1,38 @@
+# Checking SMSs from Android backup
+
+Some attacks against Android phones are done by sending malicious links by SMS. The Android backup feature does not allow to gather much information that can be interesting for a forensic analysis, but it can be used to extract SMSs and check them with MVT.
+
+To do so, you need to connect your Android device to your computer. You will then need to [enable USB debugging](https://developer.android.com/studio/debug/dev-options#enable>) on the Android device.
+
+If this is the first time you connect to this device, you will need to approve the authentication keys through a prompt that will appear on your Android device.
+
+Then you can use adb to extract the backup for SMS only with the following command:
+
+```bash
+adb backup com.android.providers.telephony
+```
+
+You will need to approve the backup on the phone and potentially enter a password to encrypt the backup. The backup will then be stored in a file named `backup.ab`.
+
+You will need to use [Android Backup Extractor](https://github.com/nelenkov/android-backup-extractor) to convert it to a readable file format. Make sure that java is installed on your system and use the following command:
+```bash
+java -jar ~/Download/abe.jar unpack backup.ab backup.tar
+tar xvf backup.tar
+```
+
+(If the backup is encrypted, the password will be asked by Android Backup Extractor).
+
+You can then extract SMSs containing links with MVT:
+
+```bash
+$ mvt-android check-backup --output sms .
+16:18:38 INFO     [mvt.android.cli] Checking ADB backup located at: .
+         INFO     [mvt.android.modules.backup.sms] Running module SMS...
+         INFO     [mvt.android.modules.backup.sms] Processing SMS backup
+                  file at ./apps/com.android.providers.telephony/d_f/000
+                  000_sms_backup
+16:18:39 INFO     [mvt.android.modules.backup.sms] Extracted a total of
+                  64 SMS messages containing links
+```
+
+Through the `--iocs` argument you can specify a [STIX2](https://oasis-open.github.io/cti-documentation/stix/intro) file defining a list of malicious indicators to check against the records extracted from the backup by mvt. Any matches will be highlighted in the terminal output.

docs/android.md → docs/android/download_apks.md

@@ -1,4 +1,4 @@
-# Checking an Android Device
+# Downloading APKs from an Android phone
 
 In order to use `mvt-android` you need to connect your Android device to your computer. You will then need to [enable USB debugging](https://developer.android.com/studio/debug/dev-options#enable>) on the Android device.
 

docs/android/methodology.md

@@ -0,0 +1,8 @@
+# Methodology for Android forensic
+
+For different technical reasons, it is more complex to do a forensic analysis of an Android phone.
+
+Currently MVT allows to perform two different checks on an Android phone:
+
+* Download APKs installed in order to analyze them
+* Extract Android backup in order to look for suspicious SMS

docs/install.md

@@ -32,7 +32,13 @@ If you haven't done so, you can add this to your `.bashrc` or `.zshrc` file in o
 export PATH=$PATH:~/.local/bin
 ```
 
-Then you can install MVT directly:
+Then you can install MVT directly from [pypi](https://pypi.org/project/mvt/)
+
+```bash
+pip install mvt
+```
+
+Or from the source code:
 
 ```bash
 git clone https://github.com/mvt-project/mvt.git

docs/ios/backup/check.md

@@ -52,7 +52,7 @@ Once you have a decrypted backup available for analysis you can use the `check-b
 
       --help              Show this message and exit.
 
-Following is a basic usage of `check-backup`: 
+Following is a basic usage of `check-backup`:
 
 ```bash
 mvt-ios check-backup --output /path/to/output/ /path/to/backup/udid/

docs/ios/backup/itunes.md

@@ -1 +1,16 @@
 # Backup with iTunes app
+
+It is possible to do an iPhone backup by using iTunes on Windows or Mac computers (in most recent versions of Mac OS, this feature is included in Finder).
+
+To do that:
+
+* Make sure iTunes is installed.
+* Connect your iPhone to your computer using a Lightning/USB cable.
+* Open the device in iTunes (or Finder on Mac OS).
+* If you want to have a more accurate detection, ensure that the encrypted backup option is activated and choose a secure password for the backup.
+* Start the backup and wait for it to finish (this may take up to 30 minutes).
+
+![](../../../img/macos-backup.jpg)
+_Source: [Apple Support](https://support.apple.com/en-us/HT211229)_
+
+* Once the backup is done, find its location and copy it to a place where it can be analyzed by `mvt`. On Windows, the backup can be stored either in `%USERPROFILE%\Apple\MobileSync\` or `%USERPROFILE%\AppData\Roaming\Apple Computer\MobileSync\`. On Mac OS, the backup is stored in `~/Library/Application Support/MobileSync/`.

docs/requirements.txt

@@ -0,0 +1,5 @@
+mkdocs==1.2.1
+mkdocs-autorefs
+mkdocs-material
+mkdocs-material-extensions
+mkdocstrings

mkdocs.yml

@@ -39,5 +39,8 @@ nav:
             - Dumping the filesystem: "ios/filesystem/dump.md"
             - Check a Filesystem Dump with mvt-ios: "ios/filesystem/check.md"
         - Records extracted by mvt-ios: "ios/records.md"
-    - MVT for Android: "android.md"
+    - MVT for Android:
+        - Android Forensic Methodology: "android/methodology.md"
+        - Check APKs: "android/download_apks.md"
+        - Check an Android Backup: "android/backup.md"
     - License: "license.md"