
Appendix E – Pegasus Forensic Traces per Target Identified in the Aftermath of the Revelations of Pegasus Project

This document is an appendix to the research report “Forensic Methodology Report: How to catch NSO Group’s Pegasus”, published as part of the Pegasus Project. It contains forensic analysis conducted by Amnesty Tech’s Security Lab of the mobile devices of individuals targeted with NSO Group’s Pegasus spyware who were identified after the launch of the Pegasus Project on 18 July 2021.

The analysis in this appendix has been published with the informed consent of the individuals whose phones were targeted.

Forensic traces

Forensic traces for HUJRN3 – Brigitta Csikász, Hungarian journalist

Date (UTC)           Event
2019-04-05 11:06:39  File Library/Preferences/ created in RootDomain
2019-04-05 11:06:41  File Library/Preferences/ modified in RootDomain
2019-04-05 11:06:57  File Library/Preferences/roleaccountd.plist created in RootDomain
2019-04-05 11:07:01  File Library/Preferences/roleaccountd.plist modified in RootDomain
2019-04-05 17:57:29  Process: logseld
2019-04-07 06:32:00  Process: logseld (IN: 0.71 MB, OUT: 0.40 MB)
2019-04-07 14:31:02  Process: logseld
2019-06-18 14:04:18  Process: roleaccountd (IN: 0.03 MB, OUT: 0.01 MB)
2019-06-18 14:04:22  Process: stagingd (IN: 8.55 MB, OUT: 0.41 MB)
2019-06-18 14:04:46  Process: bundpwrd
2019-06-21 05:14:41  Process: bundpwrd (IN: 4.37 MB, OUT: 2.24 MB)
2019-06-21 14:21:19  Process: bundpwrd
2019-07-12 14:10:39  iMessage lookup for account e\x00\x00adavies8266[@] (emmadavies8266[@]
2019-07-12 14:13:11  Process: roleaccountd
2019-07-12 14:13:39  Process: boardframed
2019-07-12 14:14:25  Process: stagingd
2019-07-13 10:09:47  iMessage lookup for account emmadavies8266[@]
2019-07-31 13:33:30  Process: boardframed (IN: 21.00 MB, OUT: 13.58 MB)
2019-08-04 07:01:15  Process: boardframed
2019-11-18 08:16:31  Photostream lookup for account ameliehaggart[@]
2019-11-18 08:18:50  Process: bh (IN: 4.43 MB, OUT: 0.16 MB)
2019-11-18 08:19:01  Process: bh
2019-11-18 08:20:44  Process: rolexd (IN: 8.96 MB, OUT: 23.01 MB)
2019-11-19 15:24:55  Process: rolexd

Forensic traces for TRJRN1 – Ragip Soylu, Turkey Bureau Chief for Middle East Eye

Date (UTC)           Event
2021-02-09 07:26:27  Traces related to iMessage exploitation
2021-02-10 12:15:38  Process: tisppd
2021-02-12 07:25:17  Traces related to iMessage exploitation
2021-02-12 07:30:51  Process: CommsCenterRootHelper (IN: 1.74 MB, OUT: 0.23 MB)
2021-02-12 07:31:12  Process: CommsCenterRootHelper
2021-02-12 10:30:52  Process: launchrexd
2021-02-12 10:30:52  Process: boardframed
2021-02-19 05:26:06  Traces related to iMessage exploitation
2021-02-21 07:58:44  Traces related to iMessage exploitation
2021-03-22 05:39:06  Traces related to iMessage exploitation
2021-04-10 08:09:32  Traces related to iMessage exploitation
2021-04-13 20:39:16  Process: accountpfd
2021-04-14 04:41:05  Traces related to iMessage exploitation
2021-04-15 16:59:11  Process: xpccfd
2021-04-25 04:59:32  Traces related to iMessage exploitation
2021-04-26 23:52:27  Process: xpccfd
2021-05-02 07:12:23  Traces related to iMessage exploitation
2021-05-02 20:22:15  Process: faskeepd
2021-05-08 20:28:06  Traces related to iMessage exploitation
2021-05-09 12:51:05  Process: corecomnetd
2021-05-16 04:27:48  Traces related to iMessage exploitation
2021-05-19 11:04:07  Traces related to iMessage exploitation
2021-05-23 00:00:13  Process: roleaboutd
2021-07-05 12:41:48  Traces related to iMessage exploitation
2021-07-05 12:56:59  Process: ReminderIntentsUIExtension (IN: 1.89 MB, OUT: 0.22 MB)
2021-07-05 12:57:11  Process: ReminderIntentsUIExtension
2021-07-05 15:11:44  Process: neagentd
2021-07-05 15:11:44  Process: smmsgingd

Forensic traces for UKHRL1 – David Haigh, human rights lawyer

Date (UTC)           Event
2020-08-03 04:01:01  iMessage lookup for account arvidamelia1[@]
2020-08-03 07:37:49  Process: netservcomd (IN: 5.27 MB, OUT: 79.44 MB)
2020-08-04 15:27:47  Process: netservcomd

Forensic traces for UKPOI1 – Anas Altikriti, CEO and Founder of The Cordoba Foundation

Date (UTC)           Event
2020-07-24 11:45:09  Process: otpgrefd (IN: 1.15 MB, OUT: 3.96 MB)
2020-07-24 18:45:05  Process: otpgrefd
2021-02-10 12:15:38  Process: tisppd
2021-02-12 10:30:5   Process: launchrexd
2021-02-12 10:30:52  Process: boardframed
2021-04-13 20:39:16  Process: accountpfd
2021-04-15 16:59:11  Process: xpccfd
2021-04-26 23:52:27  Process: xpccfd
2021-05-02 20:22:15  Process: faskeepd
2021-05-09 12:51:05  Process: corecomnetd
2021-05-23 00:00:13  Process: roleaboutd
2021-07-05 15:11:44  Process: neagentd
2021-07-05 15:11:44  Process: smmsgingd

Updates of the document