
Source: https://www.researchgate.net/publication/368607677

Exonerating Morocco: Disproving The Spyware

Technical Report · February 2023
DOI: 10.13140/RG.2.2.30357.81126
Author: Jonathan Scott
Related project by the author: Uncovering The Citizen Lab: An Analytical and Technical Review Disproving CatalanGate

All content following this page was uploaded by Jonathan Scott on 18 February 2023.


EXONERATING MOROCCO
DISPROVING THE SPYWARE

Jonathan Boyd Scott
02/18/2023

Abstract

This report delves into the scientific methodologies, data, and events surrounding many cases of alleged digital espionage perpetrated by the Moroccan government. Forensic investigations have been conducted by Amnesty International and The Citizen Lab, but concerns have been raised regarding their reputations in the information security and scientific communities. Their research has often not been independently verified or reproduced by anyone outside of their trusted network, and their disregard for international forensics policies and procedures is alarming. Despite these shortcomings, they have formed partnerships with several global media outlets, including the coalition of journalists from Forbidden Stories who are part of "The Pegasus Project". It is important to approach these partnerships with increased scrutiny and validation to ensure the accuracy and impartiality of any investigations conducted.

Recent events reveal that the investigations conducted by these organizations significantly lack rigor. Specifically, it has come to light that the mobile forensics results used to support the allegations of Pegasus spyware on the phones of Omar Radi, Claude Mangin, and others were tampered with and forged by way of several false positive results that were not disclosed by the researchers.

From a scientific posture, it is paramount to highlight the importance of transparent and rigorous investigation methods in cases involving spyware technology. False positives in forensic analysis lead to erroneous conclusions, which can have significant implications for the individuals involved and the broader political landscape. It is also important to note that accusations of government surveillance carry significant weight and can have a profound impact on international relations, which further underscores the need for thorough and impartial investigations.

The lack of transparency regarding the false positive results raises concerns about the intentionality of the investigation and calls into question the credibility of the conclusions drawn by Amnesty International and The Citizen Lab. This highlights the need for increased scrutiny and independent validation of investigations involving sensitive political issues.

Contents

Abstract 2
Background 4
Citizen Case Zero 4
Uncovering Citizen Case Zero 5
Hacking Team Files 6
The Budapest Convention 9
The Reports 12
Stopping a Coup d'état 14
Raising Issues 16
GitHub Issue 321 17
GitHub Issue 320 18
GitHub Issue 319 19
GitHub Issue 318 19
Conclusion 21
References 22

Background

Accusations of the Moroccan government engaging in unlawful surveillance against members of civil society first surfaced over a decade ago1, beginning with a group of public policy researchers from the University of Toronto known as The Citizen Lab. They made their initial accusations in 2012 and subsequently released a three-part series of reports labeling Morocco a repressive regime2. Other human rights advocacy groups and NGOs such as Human Rights Watch, Amnesty International, Privacy International, the Electronic Frontier Foundation, and Forbidden Stories have joined in with similar or identical allegations of unlawful surveillance against civil society members perpetrated by the Kingdom of Morocco.

Despite significant false positive results in forensics reports, the allegations against Morocco have continued to mount over time. The situation has reached a critical point, with the European Parliament ignoring scientific evidence that exonerates Morocco of any wrongdoing and instead passing a Joint Motion for a Resolution3 on the matter, strongly condemning Morocco's alleged unlawful surveillance.

Citizen Case Zero

In 2012, The Citizen Lab wrote a report titled "Backdoors are Forever: Hacking Team and the Targeting of Dissent?"4 and definitively stated that the Moroccan government used Hacking Team's RCS surveillance technology to target the journalism project Mamfakinch. The alleged attack happened when someone sent a phishing message to the group containing a link to download a Microsoft Word document claiming to contain breaking news. The message was submitted via a WordPress contact form on the Mamfakinch website, and the IP address from which the message was sent belonged to a block owned by Maroc Telecom. Former Citizen Lab senior researcher Morgan Marquis-Boire used that IP address range to attribute the phishing message to the Moroccan government, but provided no evidence to support this attribution.

The report cites an article written by Slate to bolster its claims of Moroccan government espionage. Past the pejorative language calling Morocco draconian, the article's author, journalist Ryan Gallagher, states: "While it's not possible to say for sure whether Moroccan authorities are using RCS, it's certainly being deployed by countries in that region of the world5."

According to The Citizen Lab's report, they claimed to have acquired a leaked PDF document detailing Hacking Team's capabilities, but this assertion was completely fabricated. Hacking Team had already disclosed the capabilities of its Remote Control System (RCS) software. Video demos of its desktop and mobile software had been on its website since 2009, and a graphic on its homepage containing a download link for the RCS PDF brochure that Citizen Lab calls "leaked" can be seen as far back as September 26th, 20116. Hacking Team was diligent in updating its PDFs, and the so-called "leaked" document remained available until mid-2013 for anyone to view and download. This case would go on to be referenced for over a decade and laid the foundation for future accusations against Morocco.

Uncovering Citizen Case Zero

For Citizen Lab, the irrefutable evidence confirming that the Moroccan government had attacked Mamfakinch was a single IP address. Criminal courts around the world have unequivocally dismissed cases brought forth with nothing more than an IP address as evidence of a crime. This is especially true in cases involving computer hacking or digital espionage, where the use of IP addresses as the sole evidence has been found to be unreliable and insufficient to establish guilt beyond a reasonable doubt. Ars Technica, a long-time supporter of The Citizen Lab and Amnesty International, released an article in 2011 titled "Court confirms: IP addresses aren't people"7. The article summarized a UK court's judgement stating that simply citing an Internet Protocol (IP) address is not sufficient evidence to convict someone of a crime. Ars Technica journalist Matthew Lasar writes: "Just because some lawyer cites an Internet Protocol (IP) address where illegal file sharing may have taken place, that doesn't mean that the subscriber living there necessarily did the dirty deed. Or is responsible for others who may have done it."

Tracing an IP address to identify technical information is a common, widely accepted practice, and it can inform the development of a malicious payload based on the reconnaissance conducted. Relying solely on an IP address to identify a person or entity, however, is not a dependable method: academic sources have demonstrated the limitations and inaccuracies of IP geolocation, as well as the high risk of false positives. For instance, in 2014, D. Brian Nichols and Casey Canfield published a paper in the Journal of Digital Forensics, Security and Law titled "False Positives in IP Geolocation: Estimating Error Rates," while Amirali Sanatinia, Tristan Gurtler, and Nicholas Hopper published a paper in IEEE Security & Privacy in 2017 titled "On the Reliability of IP Geolocation."

Hacking Team Files

In 2015, a large collection of internal documents and emails from Hacking Team, an Italian company that specialized in the sale of surveillance software to government and law enforcement agencies, was leaked to the public. The source of the leak remains unknown, but the release of the files provided insight into Hacking Team's business practices. The release of the documents caused significant controversy and led to calls for greater regulation of the surveillance industry. Many critics argued that the activities of Hacking Team and other similar companies represented a serious threat to privacy and human rights, and that these companies needed to be held accountable for their actions. In response to the leak, Hacking Team said that they had always operated within the law, but ultimately the leak led to a significant loss of business, and the company shut down in 2016.

The leaked files gave us a rare view of the internal interactions surrounding the allegations that Morocco hacked Mamfakinch. The events leading up to the Citizen Lab report and the internal communications after the report start to reveal the truth.

1 The date of this report is Friday, February 17th, 2023
2 https://citizenlab.ca/2014/06/backdoor-hacking-teams-tradecraft-android-implant/#Introduction [§2]
3 https://www.europarl.europa.eu/doceo/document/RC-9-2023-0057_EN.html
4 https://citizenlab.ca/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/
5 https://slate.com/technology/2012/08/moroccan-website-mamfakinch-targeted-by-government-grade-spyware-from-hacking-team.html
6 https://web.archive.org/web/20110926182858/http://hackingteam.it/
7 https://arstechnica.com/tech-policy/2011/02/court-confirms-ip-addresses-arent-people-and-p2p-lawyers-know-it/

Table 1 Timeline of events first accusing Morocco of digital espionage

| Date | Event |
|---|---|
| October, 2011 | Ryan Gallagher contacts Hacking Team and asks for a statement about the kind of work they do. |
| October, 2011 | Hacking Team grants Ryan an interview. |
| August, 2012 | Ryan Gallagher reports the hacking of Mamfakinch. |
| August, 2012 | Hacking Team becomes aware of Gallagher's report and states the following8: "In October of last year I had granted an interview by mail (mail is perhaps the safest way to release interviews: everything is already written, it cannot be manipulated) to this Ryan. I basically told him that we make a tool to fight various crime types and that we only sell it to governments. Nothing more than what's in the brochure. Now this Ryan has decided to make a living playing the activist journalist, and in fact on Twitter he devotes a lot of space to Julian Assange. The article doesn't worry us. I ask everyone to NEVER give any interviews to anyone and also to avoid talking to reporters, even just to tell them 'No comment'." |
| October, 2012 | The Citizen Lab releases the Mamfakinch hacking report; embedded in that report are details of an alleged hack on Ahmed Mansoor. |
| October, 2012 | Ryan Gallagher writes another article9 about the alleged Moroccan government hacking and the alleged hacking of Ahmed Mansoor by the UAE. This article echoes The Citizen Lab by saying the malware found in the Mamfakinch hack is within the same class as the Ahmed Mansoor hack. |
| October, 2012 | Hacking Team speaks internally about the second article written by Ryan Gallagher10: "I think he's referring to the fact that the sample was an exploit that downloaded the second stage from our old demo server... the doubt that comes to me from this is the 'it was also linked' which I cannot understand if they mean that citizen also found this or if this too has come to him…" |

According to the email communications that have been made public, Citizen Lab researcher Morgan Marquis-Boire stumbled upon an outdated demo server that was once used by Hacking Team to demonstrate its software capabilities. Four sectors of the Canadian RCMP also requested demonstrations from Hacking Team11. Additionally, the software was configured during a demo and trial period in a way that would prevent it from being used in the field12, limiting it solely to internal use, which means it would not have been possible for anyone from the Moroccan government to have even attempted to attack Mamfakinch. The Citizen Lab report lacks any endpoint communications captured and analyzed between the allegedly infected Mamfakinch machine and the C2 (Command and Control) server, yet this is never questioned by information security researchers.

8 https://wikileaks.org/hackingteam/emails/emailid/449677
9 https://slate.com/technology/2012/10/ahmed-mansoor-uae-activst-allegedly-tricked-by-phoney-wikileaks-into-downloading-hacking-team-spyware.html
10 https://wikileaks.org/hackingteam/emails/emailid/449796
11 https://wikileaks.org/hackingteam/emails/emailid/600803
12 https://wikileaks.org/hackingteam/emails/emailid/567378

Table 2 List of publications by The Citizen Lab accusing Morocco of espionage

| Publication Title | Date | Surveillance Firm | Software Name |
|---|---|---|---|
| Backdoors are Forever: Hacking Team and the Targeting of Dissent? | October 10, 2012 | Hacking Team | RCS |
| Open letter to Hacking Team | August 8, 2014 | Hacking Team | RCS |
| Mapping Hacking Team's "Untraceable" Spyware | February 17, 2014 | Hacking Team | RCS |
| Hacking Team's Government Surveillance Malware | June 24, 2014 | Hacking Team | RCS |
| The Million Dollar Dissident: NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender | | | |
| Hacking Team's US Nexus | February 28, 2014 | Hacking Team | RCS |
| Hacking Team's US Nexus: Appendix A | February 28, 2014 | Hacking Team | RCS |
| US-based Servers Part of Hacking Team's Surveillance Infrastructure | February 28, 2014 | Hacking Team | RCS |
| Mapping Hacking Team's Covert Surveillance Networks | February 17, 2014 | Hacking Team | RCS |
| Canadian Cyberbullying Legislation Threatens to Further Legitimize Malware Sales | June 5th, 2014 | Hacking Team & Gamma Group | RCS & FinFisher |
| Schrodinger's Cat Video and the Death of Clear-Text | August 15, 2014 | Hacking Team | RCS |
| Pay No Attention to the Server Behind the Proxy: Mapping FinFisher's Continuing Proliferation | October 15, 2015 | Gamma | FinFisher |

On October 15th, 2015, Citizen Lab accused Morocco of deploying Gamma Group's FinFisher surveillance tools13, despite being aware of WikiLeaks' disclosures and acknowledging that there was no evidence linking Morocco to Gamma Group and its FinFisher technology. In their report, Citizen Lab claimed to have found evidence that the Moroccan government had deployed FinFisher, but stated that they were unable to provide all the data to corroborate their claims due to possible ongoing criminal investigations that involved the usage of FinFisher. It should be noted that FinFisher was originally designed to be used for lawful interception purposes, which indicates that Citizen Lab was not primarily seeking to identify any unlawful activities when analyzing the use of these surveillance tools. Rather, their focus was on locating the presence of such tools and then making attributions to a government.

Citizen Lab's claim to have discovered a FinFisher server in a range of IP addresses registered to a Moroccan user named "Conseil Superieur De La Defense Nationale", offered as evidence of Moroccan government deployment of Gamma Group's tools, is again primarily based on an IP address. While Citizen Lab believes the agency to be the same as CSDN14, they acknowledged limited open-source information about the agency, adding more to their assumptive claims. Furthermore, Citizen Lab cited their 2012 article about Morocco's alleged hacking of Mamfakinch to support this new allegation, which is merely a circular self-citation not supported by any factual evidence. Although Citizen Lab asserts that their reporting is crucial in holding governments accountable, they have failed to provide any evidence that is reproducible or verifiable beyond assumptions.

Following researcher Morgan Marquis-Boire's removal from the Citizen Lab advisory board on account of alleged sexual assault during a Citizen Lab event15, several individuals whom he had enlisted to work at the Citizen Lab persisted in actively seeking out targets of spyware. Notably, Claudio Guarnieri opted to leave Citizen Lab and accept the position of head of security research at Amnesty International's security lab16.

The Budapest Convention

In 2021, the Pegasus Project17 was launched by a French non-profit organization called Forbidden Stories. This project is a collaboration between journalists, media outlets, and Amnesty International's Security Lab, aimed at identifying individuals from civil society who have been targeted by Pegasus, a surveillance tool developed by the Israeli company NSO Group. To detect Pegasus infections, Claudio Guarnieri and his team at Amnesty Tech created a forensics methodology18 and a software program called MVT-Tool. However, the details of the software's logic and reasoning have not been publicly disclosed, yet they are widely accepted by the information security community.

Furthermore, I would like to emphasize that fundamental and essential components have been missing from every forensics investigation undertaken by The Citizen Lab and Amnesty International. This reality is highly concerning, as the integrity of every alleged case of espionage has been rendered completely unreliable and invalid. Immediate and thorough attention must be given to these core missing components, as their absence undermines the criminal justice system of Morocco and of every country accused of digital espionage.

13 https://citizenlab.ca/2015/10/mapping-finfishers-continuing-proliferation/
14 Government body responsible for advising the Moroccan King on defense and national security matters
15 https://arstechnica.com/tech-policy/2017/11/report-infosec-researcher-accused-of-numerous-instances-of-sexual-assault/
16 https://www.speakers.co.uk/speakers/claudio-guarnieri/
17 https://forbiddenstories.org/about-the-pegasus-project/
18 https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/

Figure 1 Amnesty Forensics Missing Components

Amnesty International, The Citizen Lab, and Forbidden Stories are exerting undue pressure on Morocco to contravene its commitment to the Budapest Convention on Cybercrime, which it acceded to in 201819. Morocco has repeatedly demanded that Amnesty provide substantiated evidence of its allegations related to Pegasus, yet these demands have gone unmet20. The Budapest Convention (ETS No. 18521) lays down globally accepted procedures designed to facilitate the collection of digital evidence in the course of criminal investigations22. Furthermore, the Budapest Convention provides that "The Parties shall afford one another mutual assistance to the widest extent possible for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence23." The EU Parliament disregarded its obligation to honor the legally binding treaty ratified by its member states and proceeded to penalize Morocco24 based on unsubstantiated claims of digital espionage concerning Omar Radi, brought forth by Amnesty International, The Citizen Lab, and Forbidden Stories. This glaring oversight cannot be overlooked, especially considering that 65 nations have pledged to uphold this treaty, which is being treated with disdain and disrespect by non-governmental organizations and special interest groups.

Table 3 All countries that have signed Treaty No. 185, the Budapest Convention on Cybercrime

19 https://www.coe.int/en/web/cybercrime/t-cy-news/-/asset_publisher/GxUcENEFhivB/content/morocco-joins-the-budapest-convention-on-cybercrime-an-becomes-it-s-60th-member-?inheritRedirect=false
20 https://www.moroccoworldnews.com/2022/03/347777/morocco-demands-amnesty-international-for-proof-over-pegasus-allegations
21 https://www.coe.int/en/web/conventions/full-list?module=treaty-detail&treatynum=185
22 https://rm.coe.int/1680081561 [pg 12. Chapter III Section 1 Article 23]
23 https://rm.coe.int/1680081561 [pg 13. Chapter III Section 1 Article 25]
24 https://www.europarl.europa.eu/doceo/document/RC-9-2023-0057_EN.html

The Reports

Referring to Amnesty International's and The Citizen Lab's unverified documents as forensic evidence or forensic reports not only weakens the integrity of forensic science but also damages the credibility of computer science as a field of study. In the case of Omar Radi, a convicted rapist presently serving a prison sentence for his offense, Amnesty and The Citizen Lab have resorted to a defense strategy I call SaaD (Spyware as a Defense) to have him released from prison. I first introduced the term SaaD in response to the case of Carine Kanimba, an American who alleged being spied on by the Rwandan government. Kanimba also included her father, Paul Rusesabagina, a convicted terrorist and the character depicted in the movie Hotel Rwanda, as a victim of Pegasus. Supported by Amnesty and The Citizen Lab, SaaD was deployed to secure Paul Rusesabagina's release from prison in Kigali, but Rwanda is aware of this strategy, and President Paul Kagame suggested that "only an invasion of his country could force him to release Paul Rusesabagina25."

The terminology used by Amnesty, such as forensics analysis, forensics traces, and forensics reports, cannot accurately be applied to this work, since it lacks the necessary components previously mentioned. Additionally, often there is no mobile device used for conducting the forensic analysis. Instead, both Amnesty and the Citizen Lab rely solely on iCloud backups of an iPhone to conduct their analysis. When asked by an El País reporter why they don't possess the physical devices to perform the forensics, the Director of The Citizen Lab responded, "We don't need it. Receiving the mobile might not be that useful for us26." Citizen Lab acknowledges that they do not require the device to carry out a mobile forensics examination and rely solely on a backup. Furthermore, in 2021, Citizen Lab "independently" validated Amnesty's forensics methodology. However, the only information provided to Citizen Lab by Amnesty to authenticate their forensics was a set of device backups, as Citizen Lab itself states: "Forbidden Stories and Amnesty International requested that the Citizen Lab undertake an independent peer review of a sample of their forensic evidence and their general forensic methodology. We were provided with iTunes backups of several devices and a separate methodology brief. No additional context or information about the devices or the investigation was provided to us27." Citizen Lab continues by calling Amnesty's methodologies "sound."

To complete the circular independent validation loop, The Citizen Lab says, "We shared a selection of Pegasus cases with Amnesty International's Tech Lab, which independently validated our forensic methodology28." In addition to their questionable validation methods, the conflict of interest resulting from the funding these organizations receive from the same institutions they are tasked with investigating raises serious concerns about the integrity of their findings. This includes financial support from institutions such as the Ford Foundation and the MacArthur Foundation, which have both funded The Citizen Lab and Amnesty International in their efforts to uncover Pegasus victims. This conflict of interest calls into question the impartiality of their investigations and undermines the credibility of their research. On November 24, 2021 the Ford Foundation tweeted, "Important step to defend civic space against surveillance, and welcomed recognition of the work of grantees @citizenlab & @AmnestyTech whose research uncovered the organized and deliberate use of spyware targeting global activists and journalists29." We can also see financials from the MacArthur Foundation funding The Citizen Lab ($500,000 USD) and Amnesty International ($120,000 USD)30.

Further adding to the conflict of interest is The University of Toronto's funding31 and collaboration32 with US-blacklisted Chinese AI spyware firm iFLYTEK, and The Citizen Lab's funding33, multiple34 collaborations35, and endorsement of American spyware firm Palantir. Palantir was named the #4 evil spyware firm36 by Slate.com, the same media outlet that accused Morocco of espionage.

Although several critical concerns, such as conflicts of interest, the reliance on an IP address as a conclusive indicator of compromise, and insufficient execution of forensic analyses, have been brought to attention, the most detrimental factor to Morocco is Amnesty's acknowledgement of presenting false data regarding Pegasus.

Stopping a Coup d'état

In the interest of maintaining the highest standards of accuracy and reliability, I submitted a comprehensive and detailed GitHub issue37 challenging the forensics methodology employed by the MVT-Tool. My findings have revealed significant flaws that have the potential to facilitate forgery and false identification. Furthermore, I identified several known false positives that have gravely compromised the credibility and reliability of the reports and methodologies jointly confirmed by Amnesty and Citizen Lab regarding alleged victims of Pegasus.

One particularly concerning aspect of the Forensic Methodology Report is a single line that reads: "Amnesty International verified that no legitimate binaries of the same names were distributed in recent versions of iOS38." On July 19th, 2021, Amnesty International recognized that an indicator of compromise that they alleged to be Pegasus was not Pegasus, but a normal iOS process inside the iPhone. Amnesty quietly removed the process name com.apple.softwareupdateservicesd.plist from their Pegasus indicator list39.

Figure 2 Amnesty acknowledges a false positive and quietly removes it from their list of Pegasus indicators

25 https://www.nytimes.com/2022/12/14/us/politics/rwanda-president-kagame-rusesabagina.html
26 https://elpais.com/espana/2022-05-15/ronald-deibert-fundador-de-citizen-lab-los-gobiernos-usan-pegasus-porque-tienen-apetito-de-espiar.html
27 https://citizenlab.ca/2021/07/amnesty-peer-review/
28 https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/
29 https://twitter.com/FordFoundation/status/1463568098489946120
30 https://www.macfound.org/media/files/macarthur-foundation-2020-form-990-pf-(final).pdf
31 https://web.archive.org/web/20211028035847/https://www.urap.ca/all-canadian-universities-must-critically-reassess-their-collaborations-with-china/
32 https://aclanthology.org/W18-3707.pdf
33 "The Information Warfare Monitor is a public-private venture between two Canadian institutions: the Citizen Lab at the Munk School of Global Affairs, University of Toronto and the SecDev Group, an operational think tank based in Ottawa (Canada). The Information Warfare Monitor is an advanced research activity tracking the emergence of cyberspace as a strategic domain. We are an independent research effort. Our mission is to build and broaden the evidence base available to scholars, policy makers, and others. We aim to educate and inform. The research of the Citizen Lab and the Information Warfare Monitor is supported by the Canada Centre for Global Security Studies (University of Toronto), a generous grant from the John D. and Catherine T. MacArthur Foundation, in-kind and staff contributions from the SecDev Group, and a generous donation of software from Palantir Technologies Inc." https://citizenlab.ca/2010/11/koobface-inside-a-crimeware-network/
34 https://twitter.com/citizenlab/status/3888203174?s=20
35 https://twitter.com/citizenlab/status/3888711632?s=20
36 https://slate.com/technology/2020/01/evil-list-tech-companies-dangerous-amazon-facebook-google-palantir.html
37 https://github.com/mvt-project/mvt/issues/321
38 https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/
39 https://github.com/AmnestyTech/investigations/commit/1c694217c3efb4e40f34822b6ef99a7b5bd8a064

This issue is particularly significant, as it impacted the investigations into the alleged cases of Pegasus infection for both Omar Radi and Claude Mangin. The now-discredited indicator of compromise, [com.apple.softwareupdateservicesd.plist], was central to the investigation of both cases. In a formal mobile forensics trace, it is critical that the events are reproducible and serve as the basis for the methodology employed.

The methodology presented by Amnesty and The Citizen Lab has been deemed impractical to follow as the initial event in Claude Mangin's trace has been invalidated, rendering the entire trace and its outcome invalid. A similar issue has occurred with Omar Radi's events due to the acknowledged false positive result. The problem with their forensic traces is rooted in the iCloud backup methodology, which does not contain memory that can be scanned or rebuilt. A physical data extraction of the mobile device, live network monitoring, chipset extraction and analysis, among other controlled lab environment procedures, would produce a more comprehensive, accurate, and precise result that can be replicated by any forensic and computer scientist globally. The 2017 IEEE International Conference on Big Data Proceedings features a qualified and peer-reviewed forensic analysis that explores the Wi-Fi communication traces present on mobile devices. This analysis provides valuable insights into what these traces are expected to look like when conducting a forensic analysis on a mobile device40.
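The point above is that an indicator which names a stock iOS process matches every device, infected or not, so a trace that begins with it cannot be reproduced as evidence of anything. As an added example, written for this page and not code from the report or from the MVT project, the following Python checks an indicator list against a control set of known-clean devices before any matching is done. Every name except com.apple.softwareupdateservicesd.plist, every baseline device, and all function names are constructed placeholders.

```python
"""Control-set validation of process-name indicators.

Added example, not code from the report or from the MVT project. It checks an
indicator list against a "control": names collected from known-clean devices.
An indicator that also occurs on every clean device cannot, on its own,
distinguish an infected device from a normal one, which is the failure mode
described for a stock iOS plist name.
"""
from dataclasses import dataclass


@dataclass
class IndicatorReport:
    """Indicators that survived the control check, and those that collided."""
    validated: set    # names seen on no clean device
    collisions: dict  # name -> sorted list of clean devices carrying it


def validate_indicators(indicators, clean_baselines):
    """Partition `indicators` by whether they appear in any clean baseline.

    clean_baselines maps a device label to the set of process/plist names
    observed on that device while it is known to be uninfected.
    """
    collisions = {}
    for name in sorted(indicators):
        carriers = sorted(dev for dev, names in clean_baselines.items() if name in names)
        if carriers:
            collisions[name] = carriers
    validated = set(indicators) - set(collisions)
    return IndicatorReport(validated=validated, collisions=collisions)


def scan_device(device_names, report):
    """Match one device's names only against indicators that passed the control.

    Collided indicators are reported separately so an analyst sees them as
    expected background rather than as evidence.
    """
    names = set(device_names)
    return {
        "matches": sorted(names & report.validated),
        "benign_collisions": sorted(names & set(report.collisions)),
    }


# --- constructed sample data (not taken from any real indicator feed) ---

# The first name is the one the report says Amnesty withdrew; the other two are
# hypothetical placeholders for indicators that do not occur on stock devices.
SAMPLE_INDICATORS = {
    "com.apple.softwareupdateservicesd.plist",
    "hypothetical.nonstock.agent.plist",
    "hypothetical.nonstock.helper.plist",
}

# Sample names observed on three constructed known-clean devices (the control).
SAMPLE_CLEAN_BASELINES = {
    "clean-device-A": {
        "com.apple.softwareupdateservicesd.plist",
        "com.apple.mobile.installd.plist",
    },
    "clean-device-B": {
        "com.apple.softwareupdateservicesd.plist",
        "com.apple.locationd.plist",
    },
    "clean-device-C": {
        "com.apple.softwareupdateservicesd.plist",
    },
}


def demo():
    """Run the check on the constructed data and return all three results."""
    report = validate_indicators(SAMPLE_INDICATORS, SAMPLE_CLEAN_BASELINES)
    # A device carrying only stock names: no validated indicator matches.
    stock_only = scan_device({"com.apple.softwareupdateservicesd.plist",
                              "com.apple.locationd.plist"}, report)
    # A device carrying a non-stock name: exactly one validated indicator matches.
    with_nonstock = scan_device({"com.apple.softwareupdateservicesd.plist",
                                 "hypothetical.nonstock.agent.plist"}, report)
    return report, stock_only, with_nonstock


if __name__ == "__main__":
    report, stock_only, with_nonstock = demo()
    for name, carriers in report.collisions.items():
        print(f"collides with control: {name} (seen on {', '.join(carriers)})")
    print("validated indicators:", sorted(report.validated))
    print("stock-only device:", stock_only)
    print("device with non-stock name:", with_nonstock)
```

Running the script shows the stock plist name colliding with all three clean devices and therefore excluded from matching; the stock-only device yields no match, while the device carrying a non-stock name matches only the validated indicator. The same baseline and indicator list give the same partition on any analyst's machine, which is what makes the resulting trace reproducible.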

Figure 3 Claude Mangin’s 1st step in her phone trace is a discredited indicator of compromise

40 https://researchonline.gcu.ac.uk/ws/portalfiles/portal/25640096/PID5133269.pdf

Figure 4 Omar Radi's forensics traces showing the false positive result

Raising Issues

I have raised 4 GitHub issues with Amnesty International, in 3 of which I demonstrate how easily false positive results can be derived and forged. All 3 issues were closed as "not planned." Not planned means that the project maintainers have considered the issue and decided not to address it. This could be because the issue is not considered a priority, it does not fit within the project's scope or vision, or it is not technically feasible or desirable to implement41.

41 https://github.blog/changelog/2022-03-10-the-new-github-issues-march-10th-update/#:~:text=When%20closing%20an%20issue%2C%20you,reason%3A%22not%20planned%22%20.

GitHub Issue 321 42

iOS Pegasus spyware sample request - MVT methods lack a control

42 https://github.com/mvt-project/mvt/issues/321

GitHub Issue 320 43

Legitimate Apple Apps can be seen as malicious with MVT

Figure 5 MVT-Tool Issue Legitimate Apple Apps can be seen as malicious with MVT

43 https://github.com/mvt-project/mvt/issues/320

GitHub Issue 319 44

Domain False Positive Results When Wi-Fi On or Off

44 https://github.com/mvt-project/mvt/issues/319

GitHub Issue 318 45

SQL Data Injection – Leads to False Positive Results

45 https://github.com/mvt-project/mvt/issues/318

Conclusion
The disregard for legal systems designed to prosecute illicit actions has allowed certain organizations to become their own global judicial system, exempt from the rules of criminal procedure and not required to provide verifiable evidence for their claims. Such a departure from the foundations of our collective justice systems poses a grave threat to science and geo-politics. To combat the spread of fear, uncertainty, and doubt, a collaborative effort is required between scientists, geo-political analysts, and legal professionals to equip government organizations with the necessary tools and expertise to respond effectively to false accusations and sensationalism.

The allegations against the Moroccan government engaging in unlawful surveillance against civil society members are of utmost concern and demand immediate attention because the evidentiary basis for the allegations lacks scientific verifiability and reproducibility. Despite the admission of falsification by the accusers, a significant number of individuals, including information security professionals, politicians, and members of the public, continue to propagate the allegations of illicit spyware use by Morocco.

The accusations of committing a crime against humanity by the Moroccan government have the potential to jeopardize international relations with other countries and have significant consequences for the Kingdom. The allegations of malicious software installed on the mobile devices of political opponents have been shown to be nothing more than normal iPhone processes that exist in every device. The perpetuation of such false claims by NGOs, non-profits, and other special interest groups undermines computer and forensics science as a whole.

References

Amnesty Tech. (2021, July 18). Forensic methodology report: How to catch NSO Group's Pegasus. Amnesty International. Retrieved February 17, 2023, from https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/

AmnestyTech. (2021, July 19). Removing false positive · AmnestyTech/investigations@1c69421. GitHub. Retrieved February 17, 2023, from https://github.com/AmnestyTech/investigations/commit/1c694217c3efb4e40f34822b6ef99a7b5bd8a064

Amundsen, A., & Ovens, K. (2017). Forensics analysis of Wi-Fi communication traces in mobile devices ... Retrieved February 18, 2023, from https://researchonline.gcu.ac.uk/ws/portalfiles/portal/25640096/PID5133269.pdf

Citizen Lab. (2009, September 10). http://bit.ly/226Wws Palantir brainstorming session at Psiphon office. Twitter. Retrieved February 17, 2023, from https://twitter.com/citizenlab/status/3888711632?s=20

Citizen Lab. (2009, September 10). Palantir visit to the PSIPHON and Citizen Lab offices today for brainstorming session on cyber investigations. Twitter. Retrieved February 17, 2023, from https://twitter.com/citizenlab/status/3888203174?s=20

Citizen Lab. (2017, July 8). Koobface: Inside a crimeware network. The Citizen Lab. Retrieved February 17, 2023, from https://citizenlab.ca/2010/11/koobface-inside-a-crimeware-network/

Council of Europe. (2001). Convention on cybercrime. Council of Europe Treaty Office. Retrieved February 18, 2023, from https://rm.coe.int/1680081561

Council of Europe. (2018, August 30). Morocco joins the Budapest Convention on Cybercrime and its protocol on xenophobia and racism. Cybercrime. Retrieved February 17, 2023, from https://www.coe.int/en/web/cybercrime/t-cy-news/-/asset_publisher/GxUcENEFhivB/content/morocco-joins-the-budapest-convention-on-cybercrime-an-becomes-it-s-60th-member-?inheritRedirect=false

Crowley, M. (2022, December 14). Rwanda's president says the United States can't 'bully' him into releasing a political opponent. The New York Times. Retrieved February 17, 2023, from https://www.nytimes.com/2022/12/14/us/politics/rwanda-president-kagame-rusesabagina.html

CSA. (n.d.). Claudio Guarnieri. CSA Celebrity Speakers. Retrieved February 17, 2023, from https://www.speakers.co.uk/speakers/claudio-guarnieri/

European Council. (2004, January 7). Budapest Convention. ETS No. 185. Retrieved February 17, 2023, from https://www.coe.int/en/web/conventions/full-list?module=treaty-detail&treatynum=185

Farivar, C. (2017, November 19). Infosec star accused of sexual assault booted from professional affiliations. Ars Technica. Retrieved February 13, 2023, from https://arstechnica.com/tech-policy/2017/11/report-infosec-researcher-accused-of-numerous-instances-of-sexual-assault/

Forbidden Stories. (2021). About the Pegasus Project. Forbidden Stories. Retrieved February 17, 2023, from https://forbiddenstories.org/about-the-pegasus-project/

Ford Foundation. (2021, November 24). Important step to defend civic space against surveillance, and welcomed recognition of the work of grantees @citizenlab & @amnestytech whose research uncovered the organized and deliberate use of spyware targeting global activists and journalists. https://t.co/nmljyjqdcd. Twitter. Retrieved February 17, 2023, from https://twitter.com/FordFoundation/status/1463568098489946120

Gallagher, R. (2012, August 20). How government-grade spy tech used a fake scandal to dupe journalists. Slate Magazine. Retrieved February 12, 2023, from https://slate.com/technology/2012/08/moroccan-website-mamfakinch-targeted-by-government-grade-spyware-from-hacking-team.html

Gallagher, R. (2012, October 10). Phony WikiLeaks tricks activist into downloading government-grade spyware. Slate Magazine. Retrieved February 17, 2023, from https://slate.com/technology/2012/10/ahmed-mansoor-uae-activst-allegedly-tricked-by-phoney-wikileaks-into-downloading-hacking-team-spyware.html

GitHub. (2022, March 11). The new GitHub issues - March 10th update. The GitHub Blog. Retrieved February 18, 2023, from https://github.blog/changelog/2022-03-10-the-new-github-issues-march-10th-update/#:~:text=When%20closing%20an%20issue%2C%20you,reason%3A%22not%20planned%22%20.

Hacking Team. (2011, July 24). Hacking Team Emails. WikiLeaks. Retrieved February 17, 2023, from https://wikileaks.org/hackingteam/emails/emailid/600803

Hacking Team. (2012, May 4). Hacking Team Emails. WikiLeaks. Retrieved February 17, 2023, from https://wikileaks.org/hackingteam/emails/emailid/571259

Hacking Team. (2012, August 21). Hacking Team Emails. WikiLeaks. Retrieved February 17, 2023, from https://wikileaks.org/hackingteam/emails/emailid/449677

Hacking Team. (2012, October 10). Hacking Team Emails. WikiLeaks. Retrieved February 17, 2023, from https://wikileaks.org/hackingteam/emails/emailid/449796

Hajjaji, D. (2019, July 1). Moroccan independent journalists describe climate of pervasive surveillance, harassment. Committee to Protect Journalists. Retrieved February 12, 2023, from https://cpj.org/2019/07/moroccan-independent-journalists-describe-climate/

Jonathan Scott. (2022, November 30). Domain history - false positive results · Issue #319 · mvt-project/mvt. GitHub. Retrieved February 18, 2023, from https://github.com/mvt-project/mvt/issues/319

Jonathan Scott. (2022, November 30). Legitimate Apple apps can be seen as malicious - false positive results · Issue #320 · mvt-project/mvt. GitHub. Retrieved February 18, 2023, from https://github.com/mvt-project/mvt/issues/320

Jonathan Scott. (2022, November 30). SQL injection - leads to false positive results · Issue #318 · mvt-project/mvt. GitHub. Retrieved February 18, 2023, from https://github.com/mvt-project/mvt/issues/318

MacArthur Foundation. (2020). MacArthur Foundation 2020 Form 990-PF. Retrieved February 18, 2023, from https://www.macfound.org/media/files/macarthur-foundation-2020-form-990-pf-(final).pdf

Marczak, B., Scott-Railton, J., Anstis, S., & Deibert, R. (2021, July 19). Independent peer review of Amnesty International's forensic methods for identifying Pegasus spyware. The Citizen Lab. Retrieved February 17, 2023, from https://citizenlab.ca/2021/07/amnesty-peer-review/

Marquis-Boire, M. (2012, October 10). Backdoors are forever: Hacking Team and the targeting of dissent. The Citizen Lab. Retrieved February 13, 2023, from https://citizenlab.ca/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/

McCuaig-Johnston, M. (2021, June 18). All Canadian universities must critically reassess their collaborations with China. URAP.ca. Retrieved February 17, 2023, from https://web.archive.org/web/20211028035847/https://www.urap.ca/all-canadian-universities-must-critically-reassess-their-collaborations-with-china/

Quino Petit, M. G. (2022, May 15). Ronald Deibert, fundador de Citizen Lab: "Los gobiernos usan Pegasus porque tienen apetito de espiar" [Ronald Deibert, founder of Citizen Lab: "Governments use Pegasus because they have an appetite for spying"]. El País. Retrieved February 17, 2023, from https://elpais.com/espana/2022-05-15/ronald-deibert-fundador-de-citizen-lab-los-gobiernos-usan-pegasus-porque-tienen-apetito-de-espiar.html

Rahhou, J. (2022, March 19). Morocco demands Amnesty International for proof over Pegasus allegations. Morocco World News. Retrieved February 17, 2023, from https://www.moroccoworldnews.com/2022/03/347777/morocco-demands-amnesty-international-for-proof-over-pegasus-allegations

Scott-Railton, J., Campo, E., Marczak, B., Razzak, B. A., Anstis, S., Böcü, G., Solimano, S., & Deibert, R. (2022, December 23). CatalanGate: Extensive mercenary spyware operation against Catalans using Pegasus and Candiru. The Citizen Lab. Retrieved February 17, 2023, from https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/

Scott-Railton, J., Senft, A., Poetranto, I., & McKune, S. (2015, October 15). Mapping FinFisher's continuing proliferation. The Citizen Lab. Retrieved February 17, 2023, from https://citizenlab.ca/2015/10/mapping-finfishers-continuing-proliferation/

Slate. (2020, January 15). Which tech company is really the most evil? Slate Magazine. Retrieved February 17, 2023, from https://slate.com/technology/2020/01/evil-list-tech-companies-dangerous-amazon-facebook-google-palantir.html

Various. (2018). Chinese grammatical error diagnosis using statistical and prior knowledge driven features with probabilistic ensemble enhancement. ACL Anthology. Retrieved February 18, 2023, from https://aclanthology.org/W18-3707.pdf
