{ "id": "9dfbe33d-03d7-4537-a5ac-252e053c11c5", "created_at": "2026-04-06T00:11:29.145048Z", "updated_at": "2026-04-10T03:21:58.998434Z", "deleted_at": null, "sha1_hash": "0215d284fcfabb04baa2e7c5c6d08ad8caed1bb4", "title": "Forensic Methodology Report: Pegasus Forensic Traces per Target", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 222506, "plain_text": "Forensic Methodology Report: Pegasus Forensic Traces per Target\r\nPublished: 2021-07-18 · Archived: 2026-04-05 16:39:06 UTC\r\nUpdated on: 27 July 2021\r\nThis document is an appendix to the research report “Forensic Methodology Report: How to catch NSO Group’s\r\nPegasus” published as part of the Pegasus Project.\r\nThis document may be updated over time as additional individuals become public.\r\nAppendix D: Pegasus Forensic Traces per Target\r\nAll individuals have been assigned a code name for safety and privacy reasons. Only individuals who have given consent\r\nwill be named publicly.\r\nThe occurrence of a known malicious iCloud account may be a result of actions made by a Pegasus customer against a\r\npotential target device. It does not by itself signify that an attack was attempted or succeeded.\r\nForensic traces for AZJRN1 – Khadija Ismayilova\r\nDate\r\n(UTC)\r\nEvent\r\n2019-\r\n03-28\r\n07:44:14\r\nProcess: roleaccountd\r\n2019-\r\n03-28\r\n07:44:14\r\nProcess: stagingd\r\n2019-\r\n03-28\r\n07:44:15\r\nFile: Library/Preferences/roleaccountd.plist\r\n2019-\r\n04-02\r\n09:17:55\r\nProcess record deleted from ZPROCESS\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 1 of 86\n\n2019-\r\n04-12\r\n07:42:38\r\nProcess record deleted from ZPROCESS\r\n2019-\r\n05-01\r\n10:48:06\r\nProcess record deleted from ZPROCESS\r\n2019-\r\n05-03\r\n07:42:27\r\nProcess record deleted from ZPROCESS\r\n2019-\r\n05-18\r\n11:03:21\r\nProcess record deleted from ZPROCESS\r\n2019-\r\n06-17\r\n05:10:02\r\nProcess record deleted from ZPROCESS\r\n2019-\r\n06-18\r\n05:25:41\r\nProcess record deleted from ZPROCESS\r\n2019-\r\n06-25\r\n17:03:13\r\nProcess record deleted from ZPROCESS\r\n2019-\r\n07-08\r\n05:39:13\r\nProcess record deleted from ZPROCESS\r\n2019-\r\n07-12\r\n11:10:51\r\nProcess record deleted from ZPROCESS\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 2 of 86\n\n2019-\r\n07-18\r\n13:40:01\r\nProcess record deleted from ZPROCESS\r\n2019-\r\n08-22\r\n08:41:02\r\nProcess record deleted from ZPROCESS\r\n2019-\r\n08-26\r\n05:04:19\r\nProcess record deleted from ZPROCESS\r\n2019-\r\n08-27\r\n15:02:15\r\nProcess record deleted from ZPROCESS\r\n2019-\r\n09-06\r\n05:52:30\r\nProcess record deleted from ZPROCESS\r\n2019-\r\n09-07\r\n07:19:31\r\nProcess record deleted from ZPROCESS\r\n2019-\r\n09-15\r\n06:11:31\r\nProcess record deleted from ZPROCESS\r\n2019-\r\n09-17\r\n14:11:51\r\nProcess record deleted from ZPROCESS\r\n2019-\r\n09-28\r\n12:25:15\r\nProcess: libtouchregd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 3 of 86\n\n2019-\r\n10-01\r\n19:42:17\r\nProcess record deleted from ZPROCESS\r\n2019-\r\n10-14\r\n05:11:06\r\nProcess record deleted from ZPROCESS\r\n2019-\r\n10-14\r\n16:08:43\r\nProcess: libbmanaged\r\n2019-\r\n10-14\r\n16:08:43\r\nProcess: mobileargd\r\n2019-\r\n10-14\r\n16:08:43\r\nProcess: brstaged\r\n2019-\r\n10-14\r\n16:08:43\r\nProcess: libtouchregd\r\n2019-\r\n10-14\r\n16:08:43\r\nProcess: launchrexd\r\n2019-\r\n10-15\r\n14:21:44\r\nProcess: faskeepd\r\n2019-\r\n10-16\r\n22:17:17\r\nProcess: bundpwrd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 4 of 86\n\n2019-\r\n10-22\r\n15:42:40\r\nProcess: seraccountd\r\n2019-\r\n10-22\r\n15:42:40\r\nProcess: comnetd\r\n2019-\r\n11-25\r\n09:06:49\r\nProcess: confinstalld\r\n2019-\r\n11-25\r\n09:06:49\r\nProcess: msgacntd\r\n2019-\r\n11-25\r\n09:06:49\r\nProcess: launchrexd\r\n2019-\r\n11-25\r\n09:06:49\r\nProcess: accountpfd\r\n2019-\r\n11-25\r\n09:06:49\r\nProcess: xpccfd\r\n2019-\r\n11-25\r\n09:06:49\r\nProcess: setframed\r\n2019-\r\n11-25\r\n09:06:49\r\nProcess: natgd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 5 of 86\n\n2019-\r\n11-25\r\n09:06:49\r\nProcess: aggregatenotd\r\n2019-\r\n12-09\r\n05:28:20\r\nProcess record deleted from ZPROCESS\r\n2019-\r\n12-22\r\n16:10:27\r\nProcess record deleted from ZPROCESS\r\n2019-\r\n12-26\r\n06:01:46\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n01-09\r\n05:43:20\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n01-14\r\n06:56:05\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n01-27\r\n05:44:27\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n01-31\r\n11:41:04\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n02-07\r\n05:00:03\r\nProcess record deleted from ZPROCESS\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 6 of 86\n\n2020-\r\n02-09\r\n07:03:56\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n02-13\r\n05:00:59\r\niMessage lookup for account e\\x00\\x00aholm575[@]gmail.com (emmaholm575[@]gmail.com)\r\n2020-\r\n02-23\r\n07:39:00\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n02-26\r\n04:57:01\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n03-09\r\n05:33:30\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n03-13\r\n06:45:19\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n03-24\r\n07:27:42\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n03-30\r\n06:08:44\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n04-21\r\n12:04:31\r\nProcess record deleted from ZPROCESS\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 7 of 86\n\n2020-\r\n04-23\r\n06:26:56\r\niMessage lookup for account filip.bl82[@]gmail.\\x00\\x00m (filip.bl82[@]gmail.com)\r\n2020-\r\n04-23\r\n07:24:11\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n04-29\r\n07:31:57\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n04-30\r\n07:58:32\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n05-11\r\n14:25:28\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n05-15\r\n11:31:09\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n05-17\r\n07:03:29\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n05-20\r\n21:10:16\r\nProcess: logseld\r\n2020-\r\n05-20\r\n21:10:16\r\nProcess: brstaged\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 8 of 86\n\n2020-\r\n05-20\r\n21:10:16\r\nProcess: pstid\r\n2020-\r\n05-20\r\n21:10:16\r\nProcess: roleaboutd\r\n2020-\r\n05-20\r\n21:10:16\r\nProcess: libtouchregd\r\n2020-\r\n05-20\r\n21:10:16\r\nProcess: brstaged\r\n2020-\r\n05-29\r\n07:11:37\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n05-31\r\n07:32:56\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n05-31\r\n15:28:11\r\nProcess: bfrgbd\r\n2020-\r\n05-31\r\n15:28:11\r\nProcess: xpccfd\r\n2020-\r\n05-31\r\n15:28:11\r\nProcess: nehelprd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 9 of 86\n\n2020-\r\n06-01\r\n09:07:27\r\niMessage lookup for account kleinleon1987[@]gma\\x00\\x00.com (kleinleon1987[@]gmail.com)\r\n2020-\r\n06-05\r\n13:07:16\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n06-08\r\n08:13:02\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n06-08\r\n18:22:45\r\nProcess: comnetd\r\n2020-\r\n06-08\r\n18:22:45\r\nProcess: fservernetd\r\n2020-\r\n06-08\r\n18:22:45\r\nProcess: rolexd\r\n2020-\r\n06-12\r\n08:45:08\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n06-22\r\n05:29:22\r\nProcess: roleaccountd\r\n2020-\r\n06-22\r\n05:29:23\r\nProcess: stagingd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 10 of 86\n\n2020-\r\n06-27\r\n11:23:05\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n06-27\r\n11:23:09\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n06-29\r\n05:13:04\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n06-29\r\n05:13:04\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n06-30\r\n05:59:08\r\niMessage lookup for account k\\x00\\x00inleon1987[@]gmail.com (kleinleon1987[@]gmail.com)\r\n2020-\r\n07-01\r\n13:04:43\r\nProcess: nehelprd\r\n2020-\r\n07-01\r\n13:04:43\r\nProcess: aggregatenotd\r\n2020-\r\n07-01\r\n13:04:43\r\nProcess: fservernetd\r\n2020-\r\n07-01\r\n13:04:43\r\nProcess: msgacntd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 11 of 86\n\n2020-\r\n07-02\r\n06:29:48\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n07-02\r\n06:29:48\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n07-03\r\n06:51:47\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n07-03\r\n06:51:53\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n07-04\r\n07:20:57\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n07-04\r\n07:20:58\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n07-05\r\n07:23:50\r\nProcess record deleted from ZPROCESS\r\n2020-\r\n07-06\r\n05:22:21\r\niMessage lookup for account f\\x00\\x00ip.bl82[@]gmail.com (filip.bl82[@]gmail.com)\r\n2020-\r\n07-10\r\n14:12:09\r\nCache file /private/var/mobile/Containers/Data/Application/D6A69566-55F7-4757-96DE-EBA612685272/Library/Caches/com.apple.Music/Cache.db recorded visit to  URL\r\nhxxps://x1znqjo0x8b8j.php78mp9v.opposedarrangement[.]net:37271/afAVt89Wq/stadium/pop2.html?\r\nkey=501_4\u0026n=7\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 12 of 86\n\n2020-\r\n07-10\r\n14:12:15\r\nCache file /private/var/mobile/Containers/Data/Application/D6A69566-55F7-4757-96DE-EBA612685272/Library/Caches/com.apple.Music/Cache.db recorded visit to  URL\r\nhxxps://x1znqjo0x8b8j.php78mp9v.opposedarrangement[.]net:37271/afAVt89Wq/stadium/pop2.html?\r\nkey=501_4\u0026n=1\r\n2020-\r\n07-10\r\n14:12:21\r\nProcess: roleaccountd\r\n2020-\r\n07-10\r\n14:12:26\r\nProcess: stagingd\r\n2020-\r\n07-11\r\n19:34:04\r\nProcess: confinstalld\r\n2020-\r\n07-11\r\n19:34:04\r\nProcess: roleaboutd\r\n2020-\r\n07-11\r\n19:34:04\r\nProcess: lobbrogd\r\n2020-\r\n07-11\r\n19:34:04\r\nProcess: fservernetd\r\n2020-\r\n07-11\r\n19:34:04\r\nProcess: launchafd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 13 of 86\n\n2020-\r\n07-13\r\n05:05:17\r\nCache file /private/var/mobile/Containers/Data/Application/D6A69566-55F7-4757-96DE-EBA612685272/Library/Caches/com.apple.Music/Cache.db recorded visit to  URL\r\nhxxps://4n3d9ca2st.php78mp9v.opposedarrangement[.]net:37891/w58Xp5Z/stadium/pop2.html?\r\nkey=501_4\u0026n=7\r\n2020-\r\n12-07\r\n07:23:23\r\niMessage lookup for account kleinleon1987[@]gmail.com\r\n2021-\r\n04-20\r\n17:53:51\r\niMessage lookup for account filip.bl82[@]gmail.com\r\n2021-\r\n05-06\r\n08:34:43\r\niMessage lookup for account emmaholm575[@]gmail.com\r\nForensic traces for AZJRN2 – Sevinc Vaqifqizi\r\nDate (UTC) Event\r\n2019-04-17 10:53:04 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain\r\n2019-04-17 10:53:45 Process: roleaccountd\r\n2019-04-17 10:53:45 File created: Library/Preferences/roleaccountd.plist from RootDomain\r\n2019-04-24 12:13:29 Process: roleaccountd\r\n2019-04-24 12:13:31 Process: stagingd\r\n2019-07-18 09:35:17 Process: rolexd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 14 of 86\n\n2019-08-02 11:45:12 Process: actmanaged\r\n2019-10-08 15:22:29 Process: libbmanaged\r\n2019-10-12 08:17:28 Process: xpccfd\r\n2019-10-14 05:05:09 Process: setframed\r\n2019-10-18 06:16:16 Process: natgd\r\n2019-10-21 05:23:50 Process: libtouchregd\r\n2019-10-29 05:28:54 Process: frtipd\r\n2019-11-08 07:01:25 Process: brstaged\r\n2019-11-11 10:46:47 Process: boardframed\r\n2019-11-17 07:15:36 Process: ckkeyrollfd\r\n2019-11-19 11:50:37 Process: mptbd\r\n2019-12-02 05:18:49 Process: mobileargd\r\n2019-12-03 13:15:03 Process: nehelprd\r\n2019-12-12 14:38:31 Process: corecomnetd\r\n2020-02-10 05:15:54 Process: pstid\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 15 of 86\n\n2020-02-12 10:10:30 Process: stagingd (IN: 63.17 MB, OUT: 2.76 MB)\r\n2020-02-13 15:32:49 Process: roleaccountd (IN: 0.25 MB, OUT: 0.13 MB)\r\n2020-03-02 08:57:41 Process: roleaccountd\r\n2020-03-02 08:57:48 Process: stagingd\r\n2020-03-02 08:58:07 Process: seraccountd\r\n2020-12-15 10:55:58 Process: comsercvd\r\n2020-12-24 08:45:03 Process: comsercvd (IN: 17.63 MB, OUT: 64.19 MB)\r\n2020-12-24 16:47:45 Process: comsercvd\r\n2021-02-09 09:42:00 Attack related push notifications over iMessage\r\n2021-02-09 10:06:50 Process: ctrlfs\r\n2021-02-09 10:06:50 Process: ctrlfs\r\n2021-05-20 05:46:42 Process: com.apple.rapports.events\r\nForensic traces for FRHRD1 – Claude Mangin   \r\nPhone 1\r\nDate (UTC) Event\r\n2020-10-08\r\n08:40:42\r\nFile created: Library/Preferences/com.apple.softwareupdateservicesd.plist from\r\nHomeDomain\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 16 of 86\n\n2020-10-08\r\n10:25:29\r\nProcess record deleted from ZPROCESS (IN: 5.46 MB, OUT: 45.62 MB)\r\n2020-10-09\r\n16:17:22\r\nProcess record deleted from ZPROCESS (IN: 0.71 MB, OUT: 1.33 MB)\r\n2020-10-10\r\n16:17:24\r\nProcess record deleted from ZPROCESS (IN: 0.30 MB, OUT: 0.82 MB)\r\n2020-10-11\r\n16:17:32\r\nProcess record deleted from ZPROCESS (IN: 2.25 MB, OUT: 4.88 MB)\r\n2020-10-12\r\n16:51:34\r\nProcess record deleted from ZPROCESS (IN: 0.98 MB, OUT: 1.31 MB)\r\n2020-10-13\r\n17:55:23\r\nProcess record deleted from ZPROCESS (IN: 1.20 MB, OUT: 5.40 MB)\r\n2020-10-15\r\n17:30:29\r\nProcess record deleted from ZPROCESS (IN: 1.56 MB, OUT: 1.92 MB)\r\n2020-10-17\r\n17:08:00\r\nProcess record deleted from ZPROCESS (IN: 1.80 MB, OUT: 0.23 MB)\r\n2020-11-18\r\n13:32:24\r\nProcess record deleted from ZPROCESS (IN: 1.83 MB, OUT: 0.21 MB)\r\n2020-12-14\r\n15:29:59\r\nProcess record deleted from ZPROCESS (IN: 1.83 MB, OUT: 0.25 MB)\r\n2020-12-14\r\n15:31:13\r\nProcess record deleted from ZPROCESS (IN: 0.02 MB, OUT: 0.05 MB)\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 17 of 86\n\n2020-12-15\r\n14:36:59\r\nProcess record deleted from ZPROCESS (IN: 1.83 MB, OUT: 0.25 MB)\r\n2021-01-12\r\n14:33:11\r\nProcess record deleted from ZPROCESS (IN: 6.99 MB, OUT: 22.26 MB)\r\n2021-01-15\r\n13:39:12\r\nProcess record deleted from ZPROCESS (IN: 0.06 MB, OUT: 0.07 MB)\r\n2021-01-16\r\n13:43:10\r\nProcess record deleted from ZPROCESS (IN: 2.00 MB, OUT: 1.88 MB)\r\n2021-01-17\r\n15:48:01\r\nProcess record deleted from ZPROCESS (IN: 1.25 MB, OUT: 4.43 MB)\r\n2021-01-19\r\n13:58:33\r\nProcess record deleted from ZPROCESS (IN: 2.94 MB, OUT: 3.59 MB)\r\n2021-01-21\r\n08:40:52\r\nProcess record deleted from ZPROCESS (IN: 1.69 MB, OUT: 1.64 MB)\r\n2021-01-22\r\n08:41:08\r\nProcess record deleted from ZPROCESS (IN: 2.50 MB, OUT: 4.70 MB)\r\n2021-03-16\r\n12:33:20\r\nProcess record deleted from ZPROCESS (IN: 292.83 MB, OUT: 353.60 MB)\r\n2021-03-17\r\n12:40:45\r\nProcess record deleted from ZPROCESS (IN: 0.63 MB, OUT: 0.37 MB)\r\n2021-03-19\r\n10:55:06\r\nProcess record deleted from ZPROCESS (IN: 2.74 MB, OUT: 1.72 MB)\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 18 of 86\n\n2021-03-20\r\n10:57:33\r\nProcess record deleted from ZPROCESS (IN: 9.34 MB, OUT: 8.15 MB)\r\n2021-03-21\r\n10:59:08\r\nProcess record deleted from ZPROCESS (IN: 12.38 MB, OUT: 19.65 MB)\r\n2021-03-22\r\n11:02:54\r\nProcess record deleted from ZPROCESS (IN: 2.54 MB, OUT: 5.11 MB)\r\n2021-03-23\r\n11:34:43\r\nProcess record deleted from ZPROCESS (IN: 0.35 MB, OUT: 0.21 MB)\r\n2021-03-24\r\n11:51:11\r\nProcess record deleted from ZPROCESS (IN: 2.69 MB, OUT: 1.72 MB)\r\n2021-03-25\r\n12:44:15\r\nProcess record deleted from ZPROCESS (IN: 3.74 MB, OUT: 3.94 MB)\r\n2021-03-27\r\n14:43:42\r\nProcess record deleted from ZPROCESS (IN: 1.72 MB, OUT: 1.06 MB)\r\n2021-03-27\r\n22:52:14\r\nProcess: brstaged\r\n2021-03-31\r\n14:18:42\r\nProcess record deleted from ZPROCESS (IN: 0.02 MB, OUT: 0.01 MB)\r\n2021-03-31\r\n14:19:03\r\nProcess record deleted from ZPROCESS (IN: 1.87 MB, OUT: 0.28 MB)\r\n2021-04-01\r\n05:50:40\r\nProcess: accountpfd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 19 of 86\n\n2021-04-30\r\n12:25:15\r\nProcess record deleted from ZPROCESS (IN: 77.19 MB, OUT: 49.49 MB)\r\n2021-05-01\r\n16:35:25\r\nProcess record deleted from ZPROCESS (IN: 5.86 MB, OUT: 3.63 MB)\r\n2021-05-03\r\n07:27:01\r\nProcess record deleted from ZPROCESS (IN: 1.70 MB, OUT: 0.97 MB)\r\n2021-05-04\r\n07:59:24\r\nProcess record deleted from ZPROCESS (IN: 2.66 MB, OUT: 1.77 MB)\r\n2021-05-05\r\n09:09:40\r\nProcess record deleted from ZPROCESS (IN: 11.23 MB, OUT: 7.73 MB)\r\n2021-05-07\r\n13:13:51\r\nProcess record deleted from ZPROCESS (IN: 5.51 MB, OUT: 3.57 MB)\r\n2021-05-08\r\n13:15:26\r\nProcess record deleted from ZPROCESS (IN: 13.65 MB, OUT: 9.88 MB)\r\n2021-05-09\r\n13:18:40\r\nProcess record deleted from ZPROCESS (IN: 15.42 MB, OUT: 9.87 MB)\r\n2021-05-10\r\n13:20:46\r\nProcess record deleted from ZPROCESS (IN: 0.31 MB, OUT: 0.19 MB)\r\n2021-05-12\r\n09:25:23\r\nProcess record deleted from ZPROCESS (IN: 3.87 MB, OUT: 2.33 MB)\r\n2021-05-13\r\n09:26:19\r\nProcess record deleted from ZPROCESS (IN: 1.79 MB, OUT: 1.15 MB)\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 20 of 86\n\n2021-05-14\r\n00:32:59\r\nProcess: comsercvd\r\n2021-05-15\r\n12:51:46\r\nProcess: com.apple.Mappit.SnapshotService (IN: 0.03 MB, OUT: 0.01 MB)\r\n2021-05-15\r\n12:56:04\r\nProcess record deleted from ZPROCESS (IN: 1.87 MB, OUT: 0.28 MB)\r\n2021-05-15\r\n13:04:10\r\nProcess: roleaboutd\r\n2021-05-15\r\n13:04:10\r\nProcess: confinstalld\r\n2021-05-15\r\n13:04:10\r\nProcess: gssdp\r\n2021-05-15\r\n20:58:34\r\nProcess: roleaboutd\r\n2021-05-15\r\n20:58:34\r\nProcess: confinstalld\r\n2021-05-15\r\n20:58:34\r\nProcess: gssdp\r\n2021-05-16\r\n21:46:58\r\nProcess: roleaboutd\r\n2021-05-16\r\n21:46:58\r\nProcess: confinstalld\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 21 of 86\n\n2021-05-16\r\n21:46:58\r\nProcess: gssdp\r\n2021-05-17\r\n21:46:13\r\nProcess: roleaboutd\r\n2021-05-17\r\n21:46:13\r\nProcess: confinstalld\r\n2021-05-17\r\n21:46:13\r\nProcess: gssdp\r\n2021-05-18\r\n21:47:13\r\nProcess: roleaboutd\r\n2021-05-18\r\n21:47:13\r\nProcess: confinstalld\r\n2021-05-18\r\n21:47:13\r\nProcess: gssdp\r\n2021-05-19\r\n22:30:36\r\nProcess: roleaboutd\r\n2021-05-19\r\n22:30:36\r\nProcess: confinstalld\r\n2021-05-19\r\n22:30:36\r\nProcess: gssdp\r\n2021-05-21\r\n21:09:59\r\nProcess: roleaboutd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 22 of 86\n\n2021-05-21\r\n21:09:59\r\nProcess: confinstalld\r\n2021-05-21\r\n21:09:59\r\nProcess: gssdp\r\n2021-05-22\r\n21:12:51\r\nProcess: roleaboutd\r\n2021-05-22\r\n21:12:51\r\nProcess: confinstalld\r\n2021-05-22\r\n21:12:51\r\nProcess: gssdp\r\n2021-05-23\r\n21:13:37\r\nProcess: roleaboutd\r\n2021-05-23\r\n21:13:37\r\nProcess: confinstalld\r\n2021-05-23\r\n21:13:37\r\nProcess: gssdp\r\n2021-05-23\r\n21:14:55\r\nProcess: roleaboutd\r\n2021-05-23\r\n21:14:55\r\nProcess: confinstalld\r\n2021-05-23\r\n21:14:55\r\nProcess: gssdp\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 23 of 86\n\n2021-05-25\r\n10:51:16\r\nProcess: roleaboutd\r\n2021-05-25\r\n10:51:16\r\nProcess: confinstalld\r\n2021-05-25\r\n10:51:16\r\nProcess: gssdp\r\n2021-05-26\r\n19:31:58\r\nProcess: roleaboutd\r\n2021-05-26\r\n19:31:58\r\nProcess: confinstalld\r\n2021-05-26\r\n19:31:58\r\nProcess: gssdp\r\n2021-05-27\r\n19:35:21\r\nProcess: roleaboutd\r\n2021-05-27\r\n19:35:21\r\nProcess: confinstalld\r\n2021-05-27\r\n19:35:21\r\nProcess: gssdp\r\n2021-05-28\r\n19:50:06\r\nProcess: roleaboutd\r\n2021-05-28\r\n19:50:06\r\nProcess: confinstalld\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 24 of 86\n\n2021-05-28\r\n19:50:06\r\nProcess: gssdp\r\n2021-05-29\r\n19:51:18\r\nProcess: roleaboutd\r\n2021-05-29\r\n19:51:18\r\nProcess: confinstalld\r\n2021-05-29\r\n19:51:18\r\nProcess: gssdp\r\n2021-05-31\r\n04:52:47\r\nProcess: roleaboutd\r\n2021-05-31\r\n04:52:47\r\nProcess: confinstalld\r\n2021-05-31\r\n04:52:47\r\nProcess: gssdp\r\n2021-05-31\r\n04:53:49\r\nProcess: roleaboutd\r\n2021-05-31\r\n04:53:49\r\nProcess: confinstalld\r\n2021-05-31\r\n04:53:49\r\nProcess: gssdp\r\n2021-06-01\r\n05:13:25\r\nProcess: roleaboutd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 25 of 86\n\n2021-06-01\r\n05:13:25\r\nProcess: confinstalld\r\n2021-06-01\r\n05:13:25\r\nProcess: gssdp\r\n2021-06-01\r\n14:12:05\r\nProcess: PDPDialogs\r\n2021-06-02\r\n05:14:44\r\nProcess: roleaboutd\r\n2021-06-02\r\n05:14:44\r\nProcess: confinstalld\r\n2021-06-02\r\n05:14:44\r\nProcess: gssdp\r\n2021-06-03\r\n05:23:42\r\nProcess: roleaboutd\r\n2021-06-03\r\n05:23:42\r\nProcess: confinstalld\r\n2021-06-03\r\n05:23:42\r\nProcess: gssdp\r\n2021-06-04\r\n14:38:54\r\nProcess: roleaboutd\r\n2021-06-04\r\n14:38:54\r\nProcess: confinstalld\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 26 of 86\n\n2021-06-04\r\n14:38:54\r\nProcess: gssdp\r\n2021-06-05\r\n20:26:58\r\nProcess: confinstalld\r\n2021-06-06\r\n20:33:20\r\nProcess: confinstalld\r\n2021-06-07\r\n20:31:57\r\nProcess: confinstalld\r\n2021-06-09\r\n14:42:29\r\nProcess: confinstalld\r\n2021-06-10\r\n20:09:26\r\nProcess: confinstalld\r\n2021-06-11\r\n09:34:00\r\nAttack related push notifications over iMessage\r\n2021-06-11\r\n09:35:00\r\nAttack related push notifications over iMessage\r\n2021-06-11\r\n09:36:00\r\nAttack related push notifications over iMessage\r\n2021-06-11\r\n09:37:00\r\nAttack related push notifications over iMessage\r\n2021-06-11\r\n09:37:52\r\niMessage lookup for account linakeller2203[@]gmail.com\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 27 of 86\n\n2021-06-11\r\n09:38:00\r\nAttack related push notifications over iMessage\r\n2021-06-11\r\n09:40:00\r\nAttack related push notifications over iMessage\r\n2021-06-11\r\n09:41:00\r\nAttack related push notifications over iMessage\r\n2021-06-11\r\n09:43:00\r\nAttack related push notifications over iMessage\r\n2021-06-11\r\n09:48:37\r\nProcess: com.apple.Mappit.SnapshotService (IN: 0.02 MB, OUT: 0.01 MB)\r\n2021-06-11\r\n09:48:49\r\nProcess: com.apple.Mappit.SnapshotService\r\n2021-06-11\r\n09:51:28\r\nProcess: cfprefssd\r\n2021-06-11\r\n20:25:58\r\nProcess: confinstalld\r\n2021-06-12\r\n19:30:30\r\nProcess: confinstalld\r\nPhone 2\r\nDate (UTC) Event\r\n2021-07-06 12:39:42 iMessage lookup for account linakeller2203[@]gmail.com\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 28 of 86\n\n2021-07-06 12:40:30 Traces from zero-click attack attempt over iMessage\r\nForensic traces for FRHRD2\r\nDate (UTC) Event\r\n2019-01-03 11:32 Suspicious SMS with fake Facebook link: https://web-facebook[.]com/[REDACTED]\r\nForensic traces for FRHRL1  – Joseph Breham\r\nDate (UTC) Event\r\n2019-09-20 10:27:41 iMessage lookup for account bergers.o79[@]gmail.com\r\n2019-09-20 10:29:47 iMessage lookup for account naomiwerff772[@]gmail.com\r\n2019-10-29 09:04:58 Process: bh (IN: 2.86 MB, OUT: 0.21 MB)\r\n2019-10-29 09:05:08 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain\r\n2019-10-29 09:05:52 Process: mptbd (IN: 18.31 MB, OUT: 106.70 MB)\r\n2019-11-01 12:09:05 Process: mptbd\r\n2019-11-01 19:03:23 Process: mptbd\r\n2019-11-04 09:35:34 Process: corecomnetd (IN: 62.45 MB, OUT: 157.21 MB)\r\n2019-11-07 11:53:06 Process: corecomnetd\r\n2019-11-07 19:41:45 Process: corecomnetd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 29 of 86\n\n2019-11-08 15:27:30 Process: actmanaged (IN: 90.27 MB, OUT: 139.34 MB)\r\n2019-11-13 19:09:16 Process: actmanaged\r\n2019-11-15 17:07:06 Process: actmanaged\r\n2019-11-20 11:15:13 Process: pstid (IN: 13.85 MB, WWAN OUT: 1.83 MB)\r\n2019-11-20 11:17:40 Process: pstid\r\n2019-11-22 09:17:27 Process: bh\r\n2019-11-22 09:22:00 Process: logseld (IN: 0.01 MB, WWAN OUT: 0.01 MB)\r\n2019-11-26 09:23:57 Process: ckeblld (IN: 0.02 MB, WWAN OUT: 0.01 MB)\r\n2019-11-29 09:38:05 Process: libbmanaged (IN: 77.70 MB, OUT: 128.32 MB)\r\n2019-12-05 10:45:44 Process: libbmanaged\r\n2019-12-06 08:25:23 Process: libbmanaged\r\n2019-12-06 12:02:25 Process: natgd\r\n2019-12-09 10:44:59 Process: launchrexd (IN: 22.50 MB, OUT: 86.92 MB)\r\n2019-12-15 17:17:59 Process: launchrexd\r\n2019-12-16 01:37:31 Process: launchrexd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 30 of 86\n\n2019-12-18 08:13:29 Process: bh\r\n2019-12-18 08:14:05 Process: ckeblld\r\n2019-12-18 11:50:15 Process: ckeblld\r\n2019-12-22 15:13:04 Process: natgd (IN: 5.39 MB, OUT: 35.72 MB)\r\n2019-12-25 08:57:28 iMessage lookup for account bogaardlisa803[@]gmail.com\r\nForensic traces for FRHRL2\r\nDate (UTC) Event\r\n2019-06-13 14:03:23 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain\r\n2019-06-13 14:03:42 File created: Library/Preferences/roleaccountd.plist from RootDomain\r\n2019-06-13 14:04:00 Process: roleaccountd (IN: 0.01 MB, OUT: 0.00 MB)\r\n2019-06-13 14:04:00 Process: stagingd (IN: 1.47 MB, OUT: 0.08 MB)\r\n2019-06-13 14:04:30 Process: launchafd (IN: 0.01 MB, OUT: 0.01 MB)\r\n2019-06-13 14:04:31 Process: launchafd\r\n2019-06-13 16:03:43 Process: roleaccountd\r\n2019-06-17 17:22:00 Process: corecomnetd\r\n2019-06-24 08:58:25 Process: corecomnetd (IN: 0.51 MB, OUT: 0.88 MB)\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 31 of 86\n\n2019-07-01 14:44:29 iMessage lookup for account b\\x00\\x00gers.o79[@]gmail.com (bergers.o79[@]gmail.com)\r\n2019-07-04 09:01:19 Process: fdlibframed\r\n2019-07-08 10:14:53 Process: fdlibframed (IN: 25.19 MB, OUT: 209.25 MB)\r\n2019-07-10 08:44:54 Process: fdlibframed\r\n2019-07-12 13:58:16 iMessage lookup for account bergers.o79[@]gmail\\x00\\x00om (bergers.o79[@]gmail.com)\r\n2019-07-18 18:22:47 Process: corecomnetd (IN: 64.69 MB, OUT: 401.88 MB)\r\n2019-07-18 19:53:44 Process: corecomnetd\r\n2019-07-22 15:13:11 Process: roleaboutd\r\n2019-07-25 18:29:47 Process: roleaboutd (IN: 4.62 MB, OUT: 10.40 MB)\r\n2019-07-28 20:24:31 Process: roleaboutd (IN: 27.80 MB, OUT: 261.17 MB)\r\n2019-07-29 04:02:57 Process: roleaboutd\r\n2019-08-02 15:34:08 Process: roleaccountd (IN: 0.02 MB, OUT: 0.01 MB)\r\n2019-08-02 15:34:11 Process: stagingd (IN: 2.95 MB, OUT: 0.12 MB)\r\n2019-08-02 15:34:19 Process: stagingd\r\n2019-08-02 15:34:36 Process: pstid (IN: 10.20 MB, OUT: 68.77 MB)\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 32 of 86\n\n2019-08-03 13:58:01 Process: pstid\r\n2019-08-07 10:40:04 iMessage lookup for account bergers.o79[@]gmail.com\r\n2020-02-06 14:52:22 Photostream lookup for account bogaardlisa803[@]gmail.com\r\n2021-02-08 10:42:40 iMessage lookup for account linakeller2203[@]gmail.com\r\n2021-02-08 11:27:23 Process: gatekeeperd (IN: 0.01 MB, OUT: 0.00 MB)\r\n2021-02-08 11:27:25 Process: bluetoothfs\r\n2021-02-08 12:27:21 Process: gatekeeperd\r\nForensic traces for FRJRN1 – Lenaig Bredoux\r\nDate (UTC) Event\r\n2019-07-08 05:22:05 iMessage lookup for account bergers.o79[@]gmail.com\r\n2019-10-10 12:39:17 File: Library/Preferences/com.apple.CrashReporter.plist from RootDomain\r\n2020-03-12 15:06:23 Process: frtipd (IN: 0.05 MB, OUT: 0.43 MB)\r\n2020-03-13 02:20:34 Process: frtipd\r\n2020-03-16 10:46:55 Process: comnetd (IN: 0.58 MB, OUT: 4.92 MB)\r\n2020-03-20 09:48:10 Process: comnetd\r\n2020-03-21 20:09:49 Process: comnetd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 33 of 86\n\n2020-03-23 13:57:42 Process: netservcomd (IN: 0.01 MB, OUT: 0.06 MB)\r\n2020-03-23 21:10:16 Process: netservcomd\r\n2020-04-19 12:25:41 Process: setframed (IN: 0.23 MB, OUT: 2.00 MB)\r\n2020-04-20 21:32:18 Process: setframed\r\n2020-04-22 16:43:22 Process: launchrexd (IN: 0.50 MB, OUT: 4.14 MB)\r\n2020-04-27 20:01:46 Process: launchrexd\r\n2020-05-01 14:18:15 Process: nehelprd (IN: 4.24 MB, OUT: 52.75 MB)\r\n2020-05-03 00:57:11 Process: nehelprd\r\n2020-05-04 11:39:47 Process: msgacntd (IN: 3.21 MB, OUT: 34.59 MB)\r\n2020-05-06 12:52:13 Process: msgacntd\r\n2020-05-06 20:29:07 Process: msgacntd\r\n2020-07-07 15:04:34 Process: aggregatenotd (IN: 1.10 MB, OUT: 10.69 MB)\r\n2020-05-08 17:56:58 Process: aggregatenotd\r\n2020-05-09 10:21:18 Process: bundpwrd (IN: 1.37 MB, OUT: 9.63 MB)\r\n2020-05-09 16:52:05 Process: bundpwrd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 34 of 86\n\n2020-05-12 05:27:20 Process: seraccountd (IN: 0.06 MB, OUT: 0.42 MB)\r\n2020-05-12 19:29:17 Process: seraccountd\r\n2020-05-13 16:06:41 Process: otpgrefd (IN: 1.28 MB, OUT: 13.78 MB)\r\n2020-05-13 17:19:07 Process: otpgrefd\r\n2020-05-15 12:23:30 Process: eventstorpd (IN: 0.01 MB, OUT: 0.06 MB)\r\n2020-05-16 18:00:50 Process: eventstorpd\r\n2020-05-16 18:12:29 Process: eventstorpd\r\n2020-05-17 14:42:23 Process: roleaboutd (IN: 6.54 MB, OUT: 69.61 MB)\r\n2020-05-20 11:38:45 Process: roleaboutd\r\n2020-05-20 21:01:24 Process: roleaboutd\r\n2020-05-21 14:54:20 Process: mptbd (IN: 0.70 MB, OUT: 8.14 MB)\r\n2020-05-23 16:05:30 Process: mptbd\r\n2020-05-23 22:58:10 Process: bh (IN: 4.93 MB, OUT: 0.61 MB)\r\n2020-05-24 15:44:39 Process: bh\r\n2020-05-24 15:46:51 Process: fservernetd (IN: 0.00 MB, OUT: 0.04 MB)\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 35 of 86\n\n2020-05-24 17:36:36 Process: fservernetd\r\n2020-05-26 12:28:34 Process: brstaged (IN: 2.56 MB, OUT: 22.61 MB)\r\n2020-05-27 04:33:50 Process: brstaged\r\n2020-05-27 14:55:06 Process: ckkeyrollfd (IN: 0.01 MB, OUT: 0.09 MB)\r\n2020-05-27 16:58:52 Process: bh\r\n2020-05-27 18:00:50 Process: ckkeyrollfd\r\n2020-07-10 11:12:35 iMessage account lookup: bogaardlisa803[@]gmail.com\r\nForensic traces for FRJRN2\r\nDate (UTC) Event\r\n2019-08-16 12:08:44 iMessage lookup for account bergers.o79[@]gmail.com\r\n2019-08-16 12:33:52 iMessage lookup for account bergers.o79[@]gmail\\x00\\x00om\r\n2019-08-16 12:37:55 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain\r\n2019-08-16 12:41:25 File created: Library/Preferences/roleaccountd.plist from RootDomain\r\n2019-08-16 12:41:36 Process: roleaccountd (IN: 0.01 MB, OUT: 0.01 MB)\r\n2019-08-16 12:41:52 Process: stagingd (IN: 1.46 MB, OUT: 0.09 MB)\r\n2019-08-16 12:49:21 Process: aggregatenotd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 36 of 86\n\n2019-08-20 13:35:23 Process: aggregatenotd (IN: 11.07 MB, OUT: 45.52 MB)\r\n2019-08-21 14:10:48 Process: aggregatenotd\r\nForensic traces for FRJRN3 – Edwy Plenel\r\nDate (UTC) Event\r\n2019-07-05 11:23:29 File: Library/Preferences/com.apple.CrashReporter.plist from RootDomain\r\n2019-07-05 11:23:45 File created: Library/Preferences/roleaccountd.plist from RootDomain\r\n2019-07-05 11:23:51 Process: stagingd\r\n2019-07-05 11:24:19 Process: eventfssd\r\n2019-07-07 11:28:15 Process: eventfssd\r\n2019-07-09 10:39:41 Process: fservernetd\r\n2019-07-09 11:49:48 Process: fservernetd\r\n2019-07-12 11:12:24 Process: nehelprd\r\n2019-07-14 14:01:26 Process: nehelprd\r\n2019-07-20 12:18:30 Process: libbmanaged\r\n2019-08-11 14:03:11 Process: rlaccountd\r\n2019-08-13 17:34:40 Process: rlaccountd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 37 of 86\n\n2019-08-19 13:21:02 Process: libbmanaged\r\n2019-08-19 14:48:42 Process: libbmanaged\r\n2019-08-19 21:51:00 Process: libbmanaged\r\n2019-08-28 09:12:33 Process: roleaccountd\r\n2019-08-28 09:12:34 Process: stagingd\r\n2019-08-28 09:12:49 Process: stagingd\r\n2019-08-28 09:13:10 Process: boardframed\r\n2019-08-29 09:15:05 Process: boardframed\r\n2019-08-31 09:04:17 Process: boardframed\r\n2019-08-31 09:49:33 Process: boardframed\r\n2019-09-03 10:59:31 Process: launchafd\r\n2019-09-05 11:02:43 Process: launchafd\r\n2019-09-05 20:32:02 Process: launchafd\r\nForensic traces for FRJRN4 – Bruno Delport\r\nDate (UTC) Event\r\n2019-07-05 13:21:47 File created Library/Preferences/com.apple.CrashReporter.plist from RootDomain\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 38 of 86\n\n2019-07-05 13:21:53 File modified Library/Preferences/com.apple.CrashReporter.plist from RootDomain\r\nForensic traces for FRJRN5\r\n2019-08-16 12:19:54 iMessage lookup for account b\\x00\\x00gers.o79[@]gmail.com\r\n2019-08-19 09:20:01 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain\r\n2019-08-19 09:20:30 File created: Library/Preferences/roleaccountd.plist from RootDomain\r\n2019-08-19 09:20:45 Process: roleaccountd (IN: 0.01 MB, OUT: 0.00 MB)\r\n2019-08-19 09:20:45 Process: stagingd (IN: 1.46 MB, OUT: 0.06 MB)\r\n2019-08-19 09:20:50 Process: stagingd\r\n2019-08-19 09:21:13 Process: bundpwrd (IN: 28.50 MB, OUT: 198.12 MB)\r\n2019-08-21 05:36:00 Process: bundpwrd\r\n2019-08-21 07:39:34 iMessage lookup for account bergers.o79[@]gmail.com\r\nForensic traces for FRPOI1\r\nDate (UTC) Event\r\n2019-03-16 10:42:56 iMessage lookup for account bergers.o79[@]gmail.com\r\n2020-08-02 20:03:19 iMessage lookup for account naomiwerff772[@]gmail.com\r\nForensic traces for FRPOI2 – François de Rugy\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 39 of 86\n\nDate (UTC) Event\r\n2019-07-XX iMessage lookup for account bergers.o79[@]gmail.com\r\nForensic traces for FRPOI3 – Philippe Bouyssou\r\nDate (UTC) Event\r\n2021-07-06 12:20:01 iMessage lookup for account linakeller2203[@]gmail.com\r\nForensic traces for FRPOI4\r\nDate (UTC) Event\r\n2021-XX-XX iMessage lookup for account linakeller2203[@]gmail.com\r\nForensic traces for FRPOI5 – Oubi Buchraya Bachir\r\nDate (UTC) Event\r\n2021-03-15 12:08:27 iMessage lookup for account linakeller2203[@]gmail.com\r\n2021-03-15 12:12:49 Traces related to iMessage exploitation\r\n2021-03-15 12:16:02c File modified: Library/Caches from RootDomain\r\nForensic traces for HUJRN1 – András Szabó\r\nDate (UTC) Event\r\n2019-06-13 11:15:40 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 40 of 86\n\n2019-06-13 11:15:53 File created: Library/Preferences/roleaccountd.plist from RootDomain\r\n2019-06-13 12:39:40 Process record deleted from ZPROCESS (IN: 3.69 MB, OUT: 27.39 MB)\r\n2019-06-15 08:06:27 Process record deleted from ZPROCESS (IN: 0.32 MB, OUT: 0.56 MB)\r\n2019-07-25 09:31:09 Process record deleted from ZPROCESS (IN: 7.80 MB, OUT: 6.43 MB)\r\n2019-08-16 10:13:19 Process record deleted from ZPROCESS (IN: 18 MB, OUT: 29.81 MB)\r\n2019-09-15 15:30:44 Process record deleted from ZPROCESS (IN: 1.27 MB, OUT: 3.34 MB)\r\n2019-09-17 06:33:24 Process record deleted from ZPROCESS (IN: 2.00 MB, OUT: 5.57 MB)\r\n2019-09-24 13:26:15 iMessage lookup for account jessicadavies1345[@]outlook.com\r\n2019-09-24 13:26:51 iMessage lookup for account emmadavies8266[@]gmail.com\r\n2019-09-24 13:32:10 Process: roleaccountd (IN: 0.02 MB, OUT: 0.003 MB)\r\n2019-09-24 13:32:11 Process: roleaccountd\r\n2019-09-24 13:32:13 Process: stagingd (IN: 4.03 MB, OUT: 0.19 MB)\r\n2019-09-24 13:32:23 Process: stagingd\r\n2019-09-26 14:32:25 Process record deleted from ZPROCESS (IN: 1.16 MB, OUT: 2.81 MB)\r\n2019-10-24 05:40:33 Process record deleted from ZPROCESS (IN: 12.81 MB, OUT: 46 MB)\r\nForensic traces for HUJRN2 – Szabolcs Panyi\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 41 of 86\n\nDate (UTC) Event\r\n2019-04-04\r\n05:33:02\r\nFile created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain\r\n2019-04-04\r\n05:33:12\r\nFile created: Library/Preferences/roleaccountd.plist from RootDomain\r\n2019-04-04\r\n06:02:26\r\nProcess: libbmanaged (IN: 23.29 MB, OUT: 21.39 MB)\r\n2019-04-06\r\n21:47:45\r\nProcess: libbmanaged\r\n2019-07-05\r\n08:35:28\r\nProcess: ckeblld (IN: 45.44 MB, OUT: 118.06 MB)\r\n2019-07-12\r\n20:49:11\r\nProcess: ckeblld\r\n2019-07-13\r\n20:32:28\r\nProcess: ckeblld\r\n2019-07-15\r\n12:02:37\r\niMessage lookup for account e\\x00\\x00adavies8266[@]gmail.com\r\n(emmadavies8266[@]gmail.com)\r\n2019-07-15\r\n14:21:40\r\nProcess: accountpfd (IN: 0.88 MB, OUT: 1.77 MB)\r\n2019-07-16\r\n14:25:11\r\nProcess: accountpfd\r\n2019-08-29\r\n10:57:43\r\nProcess: roleaccountd (IN: 0.01 MB, OUT: 0.003 MB)\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 42 of 86\n\n2019-08-29\r\n10:57:44\r\nProcess: stagingd (IN: 4.05 MB, OUT: 0.20 MB)\r\n2019-08-29\r\n10:58:35\r\nProcess: launchrexd (IN: 0.03 MB, OUT: 0.01 MB)\r\n2019-09-03\r\n07:54:26\r\nProcess: roleaccountd\r\n2019-09-03\r\n07:54:28\r\nProcess: stagingd\r\n2019-09-03\r\n07:54:51\r\nProcess: seraccountd (IN: 20.94 MB, OUT: 7.52 MB)\r\n2019-09-05\r\n08:00:15\r\nProcess: seraccountd\r\n2019-09-05\r\n13:26:38\r\nProcess: seraccountd\r\n2019-09-05\r\n13:26:55\r\nProcess: misbrigd (IN: 10.12 MB, OUT: 8.13 MB)\r\n2019-09-06\r\n13:27:04\r\nProcess: misbrigd\r\n2019-09-06\r\n22:04:12\r\nProcess: misbrigd\r\n2019-09-10\r\n06:09:04\r\niMessage lookup for account emmadavies8266[@]gmail.com\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 43 of 86\n\n2019-09-10\r\n06:09:49\r\niMessage lookup for account jessicadavies1345[@]outlook.com\r\n2019-10-30\r\n14:09:51\r\nProcess: nehelprd (IN: 23.45 MB, OUT: 8.64 MB)\r\n2019-11-04\r\n14:27:48\r\nProcess: nehelprd\r\n2019-11-07\r\n01:58:52\r\nProcess: nehelprd\r\nForensic traces for HUPOI1\r\nDate (UTC) Event\r\n2018-06-01 12:33:08 Process: stagingd\r\n2018-06-01 12:33:08 Process: roleaccountd\r\n2018-06-01 12:35:55 Process: fmld\r\n2018-06-05 18:21:35 Process: stagingd (IN: 7.17 MB, OUT: 0.01 MB)\r\n2018-06-08 14:42:05 Process: fmld (IN: 3.52 MB, OUT: 0.07 MB)\r\n2018-06-21 07:02:55 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain\r\n2018-06-21 07:03:19 Process: roleaccountd (IN: 0.05 MB, OUT: 0.00 MB)\r\n2018-06-21 07:03:31 Process: stagingd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 44 of 86\n\n2018-06-27 05:04:19 Thumper lookup for account k.williams.enny74[@]gmail.com\r\n2018-06-27 08:09:04 Process: bh (IN: 4.42 MB, OUT: 0.29 MB)\r\n2018-07-09 08:30:34 Process: bh\r\n2018-07-10 08:31:19 Process: fmld (IN: 22.54 MB, OUT: 64.62 MB)\r\n2018-07-10 09:40:37 Process: fmld\r\nForensic traces for HUPOI2 – Adrien  Beauduin                               \r\nDate (UTC) Event\r\n2018-12-19 09:13:48 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain\r\n2018-12-19 09:15:57 File modified: Library/Caches from RootDomain\r\n2018-12-20 11:06:49 Thumper lookup for account k.williams.enny74[@]gmail.com\r\nForensic traces for HUPOI3\r\nDate (UTC) Event\r\n2018-06-01 10:12:49 IMessage lookup for k.williams.enny74[@]gmail.com\r\nForensic traces for INHRD1 – SAR Geelani\r\nDate\r\n(UTC)\r\nEvent\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 45 of 86\n\n2017-07-05\r\n15:01:28\r\nProcess: pcsd\r\n2017-11-30\r\n09:26:33\r\nProcess: pcsd (IN: 24.09 MB, OUT: 211.43 MB)\r\n2017-12-19\r\n06:48:00\r\nProcess: pcsd\r\n2018-02-13\r\n12:46:10\r\nSMS from +447797801009: United Nations launches online portal for the independence of Kashmir.\r\nTo cast your online vote click here https://bit[.]ly/2o487h1 (https://signpetition[.]co/vU1zwaqFh)\r\n2018-02-15\r\n12:06:01\r\nSMS from +447797801009: BJP hatches conspiracy for a muslim free Jammu region through\r\nmedical poisoning of muslims. https://bit[.]ly/2o95TNh (https://news-alert[.]org/TfteZB6wK)\r\n2018-02-16\r\n09:44:46\r\nSMS from +447797801009: Another incident showing Indian army beating librandu Kashmiri youth\r\nmercilessly to chant Pakistan Murdabad. https://bit[.]ly/2ob9QkO (https://news-alert[.]org/K9pAkFk3R)\r\n2018-04-12\r\n14:10:57\r\nSMS from +447797801009: Organization of Islamic countries(OIC) launches online portal for the\r\nindependence of Kashmir from India. For the detailed article, click here https://bit[.]ly/2Hk1UJE\r\n(https://news-alert[.]org/WW7G1EW2)\r\n2018-04-13\r\n13:13:30\r\nSMS from +447797801009: Global powers urge Indian leadership to concede the entire Jammu \u0026\r\nKashmir to Pakistan for regional peace and stability. For the detailed article, click here. https://news-alert[.]org/T1q4YjItT\r\n2018-04-16\r\n10:52:26\r\nSMS from +447797801009: Hot \u0026 sexy male \u0026 female escorts available at 60% discount. To avail\r\nthe service, please click on https://my-privacy[.]co/Ooboe7u\r\n2018-04-17\r\n12:39:36\r\nSMS from +447797801009: European Union leads its unconditional support to India over the issue\r\nof Kashmir during the current visit of PM Modi. For more details, click https://my-privacy[.]co/j2xgK558\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 46 of 86\n\n2018-04-20\r\n13:36:02\r\nSMS from +447797801009: India \u0026 America strategically conspiring for the failure of China\r\nPakistan Economic Corridor(CPEC). For the detailed article, click here. https://my-privacy[.]co/ZOubFbXW\r\n2018-04-23\r\n12:58:31\r\nSMS from +447797801009: Syed Ali Shah Geelani comes out with 5 point proposal for India, Pak.\r\nhttps://bit[.]ly/2HkhW2L (https://news-alert[.]org/1M2VbKPeB)\r\n2018-04-27\r\n08:17:38\r\nSMS from +447797801009: Pakistan always stood like a rock guarding Kashmir cause says Geelani.\r\nhttps://bit[.]ly/2Fl7Dtq (https://news-alert.org/xdwWVvCP)\r\n2018-04-27\r\n12:02:13\r\nSMS from +447797801009: Yasin Malik to address press conference at UN.For detail news click at\r\nhttps://bit[.]ly/2FlNjIC (https://news-alert[.]org/CyCX97BO)\r\n2018-05-01\r\n11:57:38\r\nSMS from +447797801009: Pakistan strategically preparing to put the issue of Kashmir in\r\nInternational Court of Justice. Read full storey here https://bit[.]ly/2Fwg2dH (https://news-alert[.]org/AXJ1n6e)\r\n2018-05-02\r\n12:36:16\r\nSMS from +447797801009: Pakistan in all probability will become the next province of China\r\nthrough China Pakistan Economic Corridor (CPEC). For the detailed article, click here. https://news-alert[.]org/KYz4FG6\r\n2018-05-18\r\n04:37:42\r\nProcess: fmld\r\n2018-05-24\r\n04:18:31\r\nProcess: roleaccountd\r\n2018-05-24\r\n04:18:41\r\nProcess: stagingd\r\n2018-07-20\r\n14:05:14\r\nThumper lookup for account taylorjade0303[@]gmail.com\r\n2018-10-24\r\n08:48:04\r\nProcess: fmld (IN: 208.63 MB, OUT: 3591.56 MB)\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 47 of 86\n\n2018-10-27\r\n07:05:42\r\nProcess: roleaccountd (IN: 0.28 MB, OUT: 0.04 MB)\r\n2018-10-27\r\n07:05:50\r\nProcess: stagingd (IN: 53.02 MB, OUT: 0.15 MB)\r\n2018-10-28\r\n07:09:14\r\nProcess: fmld (IN: 1.84 MB, OUT: 110.30 MB)\r\n2018-10-29\r\n07:16:51\r\nProcess: fmld (IN: 1.70 MB, OUT: 69.41 MB)\r\n2018-10-30\r\n07:25:43\r\nProcess: fmld (IN: 1.25 MB, OUT: 4.15 MB)\r\n2018-10-31\r\n07:29:37\r\nProcess: fmld (IN: 0.63 MB, OUT: 19.51 MB)\r\n2018-12-08\r\n07:24:18\r\nProcess: fmld (IN: 9.88 MB, OUT: 150.38 MB)\r\n2018-12-10\r\n06:23:11\r\nProcess: fmld\r\n2018-12-27\r\n09:44:30\r\nProcess: otpgrefd (IN: 1.66 MB, OUT: 20.07 MB)\r\n2018-12-28\r\n09:08:32\r\nProcess: otpgrefd\r\n2018-12-31\r\n06:37:59\r\nProcess: bfrgbd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 48 of 86\n\n2019-01-02\r\n06:45:14\r\nProcess: bfrgbd (IN: 3.02 MB, OUT: 59.12 MB)\r\n2019-01-02\r\n15:34:37\r\nProcess: bfrgbd\r\n2019-01-03\r\n07:13:41\r\nProcess: stagingd (IN: 12.96 MB, OUT: 0.05 MB)\r\n2019-01-03\r\n07:20:50\r\nProcess: fservernetd (IN: 0.58 MB, OUT: 15.90 MB)\r\n2019-01-03\r\n08:35:44\r\nProcess: fservernetd\r\n2019-01-05\r\n05:28:58\r\nProcess: libtouchregd (IN: 1.04 MB, OUT: 41.43 MB)\r\n2019-01-05\r\n05:33:02\r\nProcess: libtouchregd (IN: 0.00 MB, OUT: 0.38 MB)\r\n2019-01-07\r\n06:06:22\r\nProcess: roleaccountd (IN: 0.05 MB, OUT: 0.01 MB)\r\n2019-01-07\r\n06:09:43\r\nProcess: stagingd\r\n2019-01-07\r\n06:11:34\r\nProcess: accountpfd (IN: 1.41 MB, OUT: 9.05 MB)\r\n2019-01-07\r\n18:13:34\r\nProcess: accountpfd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 49 of 86\n\n2019-01-25\r\n07:26:52\r\nThumper lookup for account lee.85.holland[@]gmail.com\r\n2019-01-25\r\n07:33:59\r\nFile created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain\r\n2019-01-25\r\n07:34:08\r\nFile created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain\r\n2019-01-26\r\n14:16:19\r\nFile created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain\r\n2019-09-22\r\n05:14:27\r\niMessage lookup for account bekkerfredi[@]gmail.com\r\n2019-09-27\r\n09:20:58\r\nSMS from +9159039000: Trump to mediate between India and Pakistan on Kashmir\r\nhttps://bit[.]ly/ecICPjk\r\n2019-09-27\r\n09:32:59\r\nProcess: bh (IN: 1.47 MB, OUT: 0.09 MB)\r\n2019-09-27\r\n09:33:49\r\nProcess: natgd (IN: 19.95 MB, OUT: 171.65 MB)\r\n2019-09-28\r\n13:49:07\r\nProcess: natgd\r\n2019-10-15\r\n08:40:38\r\nSMS from +9156161940: Get Rs 100 off on recharge of your Tata Sky Id 1093453759\r\nhttps://todaysdeals4u[.]com/n7V7uA4X5\r\n2019-10-18\r\n10:34:49\r\nSMS from +9156161940: Avail extra benefits on recharge of your Tata Sky Id 1093453759\r\nhttps://todaysdeals4u[.]com/KjtvDBA\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 50 of 86\n\n2019-10-23\r\n17:07:15\r\nProcess: frtipd (IN: 2.24 MB, OUT: 2.87 MB)\r\n2019-10-24\r\n19:27:51\r\nProcess: frtipd\r\nForensic traces for INJRN1 – Mangalam Kesavan Venu\r\nDate (UTC) Event\r\n2021-02-16 18:40:27 Process: frtipd\r\n2021-02-22 21:34:35 Process: otpgrefd\r\n2021-03-25 08:11:28 Process: boardframed\r\n2021-03-25 08:11:28 Process: comsercvd\r\n2021-05-15 05:06:16 Process: llmdwatchd\r\n2021-05-15 05:06:16 Process: aggregatenotd\r\n2021-05-21 19:17:37 Process: setframed\r\n2021-06-03 19:15:52 Process: seraccountd\r\n2021-06-07 07:09:16 Upgrade from iOS 14.4.2 to 14.6\r\n2021-06-11 14:02:14 Process: comsercvd\r\n2021-06-11 14:02:14 Process: Diagnostics-2543\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 51 of 86\n\n2021-06-16 05:53:28 Process: actmanaged\r\n2021-06-16 05:53:28 Process: nehelprd\r\n2021-06-16 05:53:29 Process: cfprefssd\r\n2021-06-16 05:58:43 Process: actmanaged\r\n2021-06-16 06:18:04 Process: actmanaged\r\n2021-06-16 07:01:03 Process: actmanaged\r\n2021-06-16 07:16:45 Process: cfprefssd\r\n2021-06-16 07:16:45 Process: nehelprd\r\n2021-06-23 13:39:51 Process record deleted from ZPROCESS (IN: 0.20 MB, OUT: 2.04 MB)\r\n2021-06-27 03:27:12 iMessage lookup for account herbruud2[@]gmail.com\r\n2021-06-27 03:49:51 Process: corecomnetd (IN: 1.25 MB, OUT: 13.20 MB)\r\n2021-06-28 11:11:36 Process: corecomnetd (IN: 0.03, OUT: 0.04 MB)\r\n2021-06-29 07:26:55 Process: corecomnetd\r\nForensic traces for INJRN2 – Sushant Singh\r\nDate (UTC) Event\r\n2021-03-31 13:45:32 Process: CommsCenterRootHelper (IN: 0.01 MB, OUT: 4.41 KB)\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 52 of 86\n\n2021-03-31 13:45:46 Process: CommsCenterRootHelper\r\n2021-04-07 09:34:40 Process: eventfssd\r\n2021-04-07 09:34:40 Process: locserviced\r\n2021-04-13 08:52:18 Process: accountpfd\r\n2021-04-13 08:52:18 Process: fservernetd\r\n2021-04-19 15:49:38 Process: otpgrefd\r\n2021-04-19 15:49:38 Process: ckeblld\r\n2021-04-26 13:54:30 Process record deleted from ZPROCESS (IN: 4.24 MB, OUT: 2.19 MB)\r\n2021-04-27 03:34:16 Process: comsercvd\r\n2021-06-05 13:36:54 Process record deleted from ZPROCESS (IN: 0.11 MB, OUT:\r\n2021-06-06 13:38:51 Process record deleted from ZPROCESS (IN: 0.10 MB, OUT: 0.11 MB)\r\n2021-06-07 13:41:51 Process record deleted from ZPROCESS (IN: 0.16 MB, OUT: 0.17 MB)\r\n2021-06-08 13:42:25 Process record deleted from ZPROCESS (IN: 0.11MB, OUT: 0.13 MB)\r\n2021-06-10 13:42:35 Process record deleted from ZPROCESS (IN: 0.10 MB, OUT: 0.11 MB)\r\n2021-06-12 19:09:37 Process: faskeepd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 53 of 86\n\n2021-06-12 19:09:37 Process: logseld\r\n2021-06-18 09:40:45 Process record deleted from ZPROCESS (IN: 0.20 MB, OUT: 0.23 MB)\r\n2021-06-19 14:25:16 Process record deleted from ZPROCESS (IN: 0.04 MB, OUT:\r\n2021-06-19 17:05:21 Process: xpccfd\r\n2021-06-19 17:05:21 Process: pstid\r\n2021-06-21 05:29:38 iMessage lookup for account herbruud2[@]gmail.com\r\n2021-06-21 05:56:55 Process: bfrgbd\r\n2021-06-21 05:56:55 Process: msgacntd\r\n2021-06-21 05:56:55 Process: CommsCenterRootHelper\r\n2021-06-21 06:29:13 Process: bfrgbd\r\n2021-06-21 06:59:25 Process: bfrgbd\r\n2021-06-21 08:22:27 Process: bfrgbd (IN: 1.02 MB, OUT: 2.25 MB)\r\n2021-06-21 13:33:03 Process: bfrgbd\r\n2021-06-21 13:33:03 Process: msgacntd\r\n2021-06-21 13:33:03 Process: CommsCenterRootHelper\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 54 of 86\n\n2021-06-21 13:34:01 Process: bfrgbd\r\n2021-06-21 13:34:01 Process: msgacntd\r\n2021-06-21 13:34:01 Process: CommsCenterRootHelper\r\n2021-06-22 09:47:01 Process: bfrgbd (IN: 0.50 MB, OUT: 0.65 MB)\r\n2021-06-22 14:06:24 Process: bfrgbd\r\n2021-06-22 14:06:24 Process: msgacntd\r\n2021-06-22 14:06:24 Process: CommsCenterRootHelper\r\n2021-06-23 09:50:46 Process: bfrgbd (IN: 0.86 MB, OUT: 1.05 MB)\r\n2021-06-23 15:02:35 Process: bfrgbd\r\n2021-06-23 15:02:35 Process: msgacntd\r\n2021-06-23 15:02:35 Process: CommsCenterRootHelper\r\n2021-06-24 09:50:51 Process: bfrgbd (IN: 0.44 MB, OUT: 60.72 MB)\r\n2021-06-24 15:02:23 Process: bfrgbd\r\n2021-06-24 15:02:23 Process: msgacntd\r\n2021-06-24 15:02:23 Process: CommsCenterRootHelper\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 55 of 86\n\n2021-06-25 09:59:00 Process: bfrgbd (IN: 0.74 MN, OUT: 5.53 MB)\r\n2021-06-25 15:03:09 Process: bfrgbd\r\n2021-06-25 15:03:09 Process: msgacntd\r\n2021-06-25 15:03:09 Process: CommsCenterRootHelper\r\n2021-06-26 13:04:37 Process: bfrgbd (IN: 0.08 MB, OUT: 0.09 MB)\r\n2021-06-26 16:18:41 Process: bfrgbd\r\n2021-06-26 16:18:41 Process: msgacntd\r\n2021-06-26 16:18:41 Process: CommsCenterRootHelper\r\n2021-06-26 16:22:12 Process: bfrgbd\r\n2021-06-26 16:22:12 Process: msgacntd\r\n2021-06-26 16:22:12 Process: CommsCenterRootHelper\r\n2021-06-27 13:34:07 Process: bfrgbd (IN: 0.91 MB, OUT: 1.29 MB)\r\n2021-06-28 00:04:15 Process: bfrgbd\r\n2021-06-28 00:04:15 Process: msgacntd\r\n2021-06-28 00:04:15 Process: CommsCenterRootHelper\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 56 of 86\n\n2021-06-28 13:37:38 Process: bfrgbd (IN: 0.43 MB, OUT: 0.60 MB)\r\n2021-06-29 06:39:31 Process: bfrgbd\r\n2021-06-29 06:39:31 Process: msgacntd\r\n2021-06-29 06:39:31 Process: CommsCenterRootHelper\r\n2021-06-29 06:40:42 Process: bfrgbd\r\n2021-06-29 06:40:42 Process: msgacntd\r\n2021-06-29 06:40:42 Process: CommsCenterRootHelper\r\n2021-06-29 14:12:36 Process: bfrgbd (IN: 0.14 MB, OUT: 0.17 MB)\r\n2021-06-30 07:15:33 Process: bfrgbd\r\n2021-06-30 07:15:33 Process: msgacntd\r\n2021-06-30 07:15:33 Process: CommsCenterRootHelper\r\n2021-06-30 14:15:33 Process: bfrgbd (IN: 0.61 MB, OUT: 1.90 MB)\r\n2021-07-01 14:19:26 Process: bfrgbd (IN: 0.30 MB, OUT: 0.46 MB)\r\n2021-07-01 14:33:08 Process: bfrgbd\r\n2021-07-01 14:33:08 Process: msgacntd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 57 of 86\n\n2021-07-01 14:33:08 Process: CommsCenterRootHelper\r\n2021-07-02 14:20:32 Process: bfrgbd (IN: 0.43 MB, OUT: 0.50 MB)\r\n2021-07-03 04:14:29 Process: bfrgbd\r\n2021-07-03 04:14:29 Process: msgacntd\r\n2021-07-03 04:14:29 Process: CommsCenterRootHelper\r\n2021-07-03 14:27:24 Process: bfrgbd (IN: 0.03 MB, OUT: 0.02 MB)\r\n2021-07-04 05:34:57 Process: bfrgbd\r\n2021-07-04 05:34:57 Process: msgacntd\r\n2021-07-04 05:34:57 Process: CommsCenterRootHelper\r\n2021-07-04 14:39:00 Process: bfrgbd (IN: 0.77 MB, OUT: 0.91 MB)\r\n2021-07-05 09:40:02 Process: bfrgbd\r\n2021-07-05 12:12:01 Process: bfrgbd\r\n2021-07-05 12:12:01 Process: msgacntd\r\n2021-07-05 12:12:01 Process: CommsCenterRootHelper\r\n2021-07-05 12:13:31 Process: bfrgbd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 58 of 86\n\n2021-07-05 12:13:31 Process: msgacntd\r\n2021-07-05 12:13:31 Process: CommsCenterRootHelper\r\n2021-07-05 12:50:32 Process: msgacntd\r\n2021-07-05 12:50:32 Process: bfrgbd\r\nForensic traces for INJRN3 – SNM Abdi\r\nDate (UTC) Event\r\n2019-04-02 04:51:19 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain\r\n2019-04-02 04:51:40 File created Library/Preferences/roleaccountd.plist from RootDomain\r\n2019-04-02 04:51:45 Process: roleaccountd\r\n2019-04-02 04:51:50 Process: stagingd\r\n2019-04-26 03:27:40 Process: fdlibframed\r\n2019-04-28 04:00:46 Process: fdlibframed (IN: 7.90 MB, OUT: 25.36 MB)\r\n2019-04-29 12:56:34 Process: fdlibframed\r\n2019-05-27 04:46:07 Process: xpccfd\r\n2019-05-28 04:48:01 Process: xpccfd (IN: 5.24 MB, OUT: 15.32 MB)\r\n2019-07-04 03:33:11 Process: ckeblld (IN: 7.91 MB, OUT: 33.05 MB)\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 59 of 86\n\n2019-07-05 01:22:18 Process: ckeblld\r\n2019-07-05 09:22:54 Process: lobbrogd (IN: 3.76 MB, OUT: 15.59 MB)\r\n2019-07-06 03:20:03 Process: lobbrogd\r\n2019-07-08 05:56:52 Process: xpccfd (IN: 5.69 MB, OUT: 16.14 MB)\r\n2019-07-10 01:24:04 Process: xpccfd\r\n2019-07-11 06:46:37 Process: pstid (IN: 3.59 MN, OUT: 12.08 MB)\r\n2019-07-11 13:41:50 Process: pstid\r\n2019-07-12 09:07:18 Process: roleaccountd (IN: 0.03 MB, OUT: 0.02 MB)\r\n2019-07-12 09:08:07 Process: boardframed (IN: 6.24 MB, OUT: 32.14 MB)\r\n2019-07-12 14:15:01 Process: boardframed\r\n2019-07-15 06:07:28 Process: stagingd  (IN: 8.49 MB, OUT: 0.5 MB)\r\n2019-07-15 18:08:57 Process: ckkeyrollfd\r\n2019-10-19 04:32:33 Process: roleaccountd (IN: 0.04 MB, OUT: 0.02 MB)\r\n2019-10-19 04:33:46 Process: launchafd (IN: 1.28 MB, OUT: 6.48 MB)\r\n2019-10-19 06:10:04 Process: launchafd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 60 of 86\n\n2019-10-21 07:07:16 Process: netservcomd (IN: 0.22 MB, OUT: 1.26 MB)\r\n2019-10-21 07:31:16 Process: netservcomd\r\n2019-10-23 03:48:40 Process: roleaccountd\r\n2019-10-23 03:48:47 Process: stagingd (IN: 7.03 MB, OUT: 0.41 MB)\r\n2019-10-23 03:49:02 Process: stagingd\r\n2019-10-23 03:49:24 Process: misbrigd\r\n2019-10-24 03:50:28 Process: misbrigd (IN: 15.79 MB, OUT: 99.28 MB)\r\n2019-12-22 11:15:30 Process: netservcomd\r\n2019-12-22 11:15:30 Process: launchafd\r\n2019-12-22 11:15:30 Process: misbrigd\r\nForensic traces for INJRN4 – Siddharth Varadarajan\r\nDate (UTC) Event\r\n2018-04-06 08:17:14 Process: roleaccountd (IN: 0.03 MB, OUT: 0.01 MB)\r\n2018-04-06 08:17:22 Process: stagingd\r\n2018-04-06 08:18:47 Process: pcsd\r\n2018-04-24 07:57:53 Process: stagingd (IN: 4.15 MB, OUT: 0.02 MB)\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 61 of 86\n\n2018-04-24 07:57:56 Process: roleaccountd\r\n2018-04-24 07:58:16 Process: stagingd\r\n2018-04-26 05:35:12 Process: pcsd (IN: 16.30 MB, OUT: 329.17 MB)\r\n2018-04-26 12:24:42 Process: pcsd\r\n2018-04-27 04:41:37 File created Library/Preferences/com.apple.CrashReporter.plist in RootDomain\r\nForensic traces for INJRN5 – Paranjoy Guha Thakurta\r\nDate (UTC) Event\r\n2018-04-04 05:33:47 Process: roleaccountd\r\n2018-04-04 05:33:49 Process: stagingd\r\n2018-05-15 07:46:30 Process: pcsd\r\n2018-05-22 04:17:46 Process: roleaccountd (IN: 0.04 MB, OUT: 0.01 MB)\r\n2018-05-22 04:17:59 Process: stagingd (IN: 5.18 MB, OUT: 0.02 MB)\r\n2018-05-22 04:18:08 Process: pcsd (IN: 3.25 MB, OUT: 20.54 MB)\r\n2018-05-22 04:18:17 Process: pcsd\r\n2018-05-22 04:18:48 Process: fmld\r\n2018-06-20 10:44:14 Process: roleaccountd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 62 of 86\n\n2018-06-20 10:44:31 Process: stagingd\r\n2018-07-25 03:58:42 File created Library/Preferences/com.apple.CrashReporter.plist from RootDomain\r\n2018-07-29 13:07:51 Process: fmld (IN: 55.21 MB, OUT: 417.58 MB)\r\n2018-07-30 11:07:56 Process: fmld\r\nForensic traces for INJRN6 – Smita Sharma\r\nDate (UTC) Event\r\n2018-06-25 17:31:37 iMessage lookup for taylorjade0303[@]gmail.com\r\n2018-07-20 11:11:49 iMessage lookup for lee.85.holland[@]gmail.com\r\nForensic traces for INJRN7\r\nDate (UTC) Event\r\n2019-06-12\r\n08:48:04\r\nSMS “R\u0026AW and IB chief to get three months extension. Read full story \r\nhttps://globalnews247[.]net/3BMw9Zj”\r\nForensic traces for INPOI1 – Prashant Kishor\r\nDate (UTC) Event\r\n2018-06-21 13:23:30 Thumper lookup for account taylorjade0303[@]gmail.com\r\n2018-09-06 09:11:49 Thumper lookup for account lee.85.holland[@]gmail.com\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 63 of 86\n\n2021-04-28 03:31:39 Process: ReminderIntentsUIExtension (IN: 0.01 MB, OUT: 0.00 MB)\r\n2021-04-28 03:31:39 Process: ReminderIntentsUIExtension\r\n2021-04-28 03:31:45 Process: ReminderIntentsUIExtension\r\n2021-06-11 12:45:48 Process record deleted from ZPROCESS (IN: 0.01 MB, OUT: 0.00 MB)\r\n2021-06-11 12:46:22 Process record deleted from ZPROCESS (IN: 1.79 MB, OUT: 0.31 MB)\r\n2021-06-11 12:46:47 Process record deleted from ZPROCESS (IN: 12.94 MB, OUT: 145.88 MB)\r\n2021-06-14 06:17:10 Process record deleted from ZPROCESS (IN: 2.36 MB, OUT: 2.76 MB)\r\n2021-06-15 06:21:28 Process record deleted from ZPROCESS (IN: 1.05 MB, OUT: 1.29 MB)\r\n2021-06-16 13:47:51 Process record deleted from ZPROCESS (IN: 0.16 MB, OUT: 0.16 MB)\r\n2021-06-18 13:52:14 Process record deleted from ZPROCESS (IN: 0.01 MB, OUT: 0.00 MB)\r\n2021-06-18 13:53:37 Process record deleted from ZPROCESS (IN: 1.79 MB, OUT: 0.31 MB)\r\n2021-06-18 13:58:41 Process record deleted from ZPROCESS (IN: 13.63 MB, OUT: 172.99 MB)\r\n2021-06-19 14:16:20 Process record deleted from ZPROCESS (IN: 0.87 MB, OUT: 1.02 MB)\r\n2021-06-21 05:44:29 Process record deleted from ZPROCESS (IN: 1.81 MB, OUT: 2.58 MB)\r\n2021-06-22 05:45:29 Process record deleted from ZPROCESS (IN: 1.19 MB, OUT: 1.38 MB)\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 64 of 86\n\n2021-06-23 05:49:37 Process record deleted from ZPROCESS (IN: 0.98 MB, OUT: 1.19 MB)\r\n2021-06-24 05:57:02 Process record deleted from ZPROCESS (IN: 2.66 MB, OUT: 24.15 MB)\r\n2021-06-25 05:57:03 Process record deleted from ZPROCESS (IN: 1.98 MB, OUT: 2.77 MB)\r\n2021-06-26 06:01:26 Process record deleted from ZPROCESS (IN: 0.35 MB, OUT: 0.47 MB)\r\n2021-06-27 06:06:59 Process record deleted from ZPROCESS (IN: 0.42 MB, OUT: 0.49 MB)\r\n2021-06-28 13:19:57 Process record deleted from ZPROCESS (IN: 1.12 MB, OUT: 7.33 MB)\r\n2021-06-30 04:50:04 Process record deleted from ZPROCESS (IN: 1.51 MB, OUT: 6.50 MB)\r\n2021-07-01 04:50:49 Process record deleted from ZPROCESS (IN: 0.52 MB, OUT: 0.60 MB)\r\n2021-07-02 05:08:42 Process record deleted from ZPROCESS (IN: 1.48 MB, OUT: 1.73 MB)\r\n2021-07-03 05:33:23 Process record deleted from ZPROCESS (IN: 1.00 MB, OUT: 2.03 MB)\r\n2021-07-05 11:44:29 Traces related to iMessage attack\r\n2021-07-05 11:48:34 File created: Library/Caches from RootDomain\r\n2021-07-05 11:48:35 Process record deleted from ZPROCESS (IN: 0.01 MB, OUT: 0.00 MB)\r\n2021-07-05 11:49:27 Process: CommsCenterRootHelper (IN: 1.88 MB, OUT: 0.31 MB)\r\n2021-07-05 11:49:27 Process: CommsCenterRootHelper\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 65 of 86\n\n2021-07-05 11:50:19 Process record deleted from ZPROCESS (IN: 7.57 MB, OUT: 90.71 MB)\r\n2021-07-07 04:11:55 Process record deleted from ZPROCESS (IN: 0.62 MB, OUT: 0.77 MB)\r\n2021-07-08 12:21:05 iMessage lookup for account herbruud2[@]gmail.com\r\n2021-07-08 12:27:04 Process record deleted from ZPROCESS (IN: 0.01 MB, OUT: 0.00 MB)\r\n2021-07-08 12:27:18 Process record deleted from ZPROCESS (IN: 1.88 MB, OUT: 0.23 MB)\r\n2021-07-08 12:28:14 Process: smmsgingd (IN: 6.94 MB, OUT: 82.77 MB)\r\n2021-07-09 12:59:49 Process: smmsgingd (IN: 0.45 MB, OUT: 0.51 MB)\r\n2021-07-12 08:45:26 Process: smmsgingd (IN: 2.69 MB, OUT: 7.99 MB)\r\n2021-07-13 08:47:45 Process: smmsgingd (IN: 1.23 MB, OUT: 8.63 MB)\r\n2021-07-14 09:26:50 Process: smmsgingd (IN: 0.77 MB, OUT: 2.28 MB)\r\n2021-07-14 13:17:15 Process: smmsgingd\r\nForensic traces for INPOI2\r\nDate (UTC) Event\r\n2019-10-18 03:59:01 iMessage lookup for bekkerfredi[@]gmail.com\r\nForensic traces for KASH01 – Hatice Cengiz\r\nDate (UTC) Event\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 66 of 86\n\n2018-10-06 00:33:28 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain\r\n2018-10-06 07:30:13 Process: fmld (IN: 33.27 MB, OUT: 324.72 MB)\r\n2018-10-09 07:12:39 Process: bh (IN: 1.49 MB, OUT: 0.95 MB)\r\n2018-10-09 07:13:07 Process: bh\r\n2018-10-12 08:30:33 Process: fmld\r\n2018-10-12 21:23:23 Process: fmld\r\n2019-06-02 16:05:23 iMessage lookup for account vincent.dahl76[@]gmail.com\r\nForensic traces for KASH02 – Rodney Dixon\r\nDate (UTC) Event\r\n2019-04-29 10:50:44 iMessage lookup for account vincent.dahl76[@]gmail.com\r\nForensic traces for KASH03 – Wadah Khanfar\r\nPhone 1:\r\nDate (UTC) Event\r\n2019-11-02 17:19:22 Process record deleted from ZPROCESS\r\n2019-11-02 17:19:29 File created Library/Preferences/com.apple.CrashReporter.plist by RootDomain\r\n2019-11-02 17:20:23 Process record deleted from ZPROCESS\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 67 of 86\n\n2021-04-11 08:35:25 Process: ReminderIntentsUIExtension (IN: 0.01 MB, OUT: 0.00 MB)\r\n2021-04-11 08:35:33 Process: ReminderIntentsUIExtension\r\n2021-06-30 08:58:04 iMessage lookup for account oskarschalcher[@]outlook.com\r\n2021-06-30 09:34:34 Process: com.apple.Mappit.SnapshotService (IN: 0.02 MB, OUT: 0.01 MB)\r\n2021-06-30 09:34:40 Process: com.apple.Mappit.SnapshotService\r\nPhone 2:\r\nDate (UTC) Event\r\n2021-04-02 10:43:27 iMessage lookup for oskarschalcher[@]outlook.com\r\nForensic traces for KASH04 – Hanan El Atr\r\nDate (UTC) Event\r\n2017-11-08\r\n10:22\r\nMalicious SMS from VERIFY: WhatsApp Web for [REDACTED] is now active on CHROME in\r\nABU DHABI. Not you? Click here: hxxps://noonstore[.]sale/tkYHFbE\r\n2017-11-15\r\n09:01\r\nMalicious SMS from VERIFY: Emirates AIrline changing the game in first class travel:\r\nhxxp://bit[.]ly/2A00EI7\r\n2017-11-19\r\nMalicious SMS from VERIFY: Dear Hanan Elatr, Nada shared a photo with you on Photobucket!\r\nClick here to view it and download our app. hxxp://bit[.]ly/AbzvEMS\r\n2018-11-26\r\n17:16:48\r\nMalicious link in browsing history: https://done[.]events/TajbxOGh5\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 68 of 86\n\n2017-11-27\r\n08:48\r\nMalicious SMS: Dear HANA you have a package from CAIRO via Aramex, enter PIN 3483 and\r\nchoose delivery location on our map: https://bit[.]ly/2zxnwOF\r\n2018-04-15\r\n09:33\r\nMalicious SMS from SMSINFO: MONA ELATR shared a photo with you on Photobucket! Click\r\nhere to view it and download our app: https://myfiles[.]photo/sVIKHJE\r\nForensic traces for MOJRN1 – Hicham Mansouri\r\nDate (UTC) Event\r\n2021-02-04 10:31:36 Process: CommsCenterRootHelper (IN: 0.01 MB, OUT: 0.00 MB)\r\n2021-02-11 13:45:07 Process: CommsCenterRootHelper\r\n2021-04-02 10:15:38 iMessage lookup for account linakeller2203[@]gmail.com\r\nForensic traces for MXJRN1\r\nDate (UTC) Event\r\n2016-08-03\r\n21:52:00\r\nSMS: Hola Alvaro unicamente paso a saludarte y enviarte esta nota de the guardian que parece\r\nimportante retomar: https://bit[.]ly/2ayGnMm (https://smsmensaje[.]mx/5901888s/)\r\nForensic traces for MXJRN2 – Carmen Aristegui\r\nThese Pegasus attack messages were original discovered and published as part of collaborative investigation between\r\nCitizen Lab, R3D, SocialTic and Article 19.                                                                \r\nDate\r\n(UTC)\r\nEvent\r\n2014-11-20\r\n03:10:04\r\nSMS from +525536438524: El siguiente mensaje esta marcado como urgente y no se recibio\r\ncorrectamente. https://smsmensaje[.]mx/5103285s/\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 69 of 86\n\n2014-12-17\r\n19:32:13\r\nSMS from +525511393977: El siguiente mensaje no ha sido enviado\r\nhttps://smscentro[.]com/7984947s/\r\n2015-01-06\r\n18:29:53\r\nSMS from +525512350872: El siguiente mensaje no ha sido enviado\r\nhttps://smscentro[.]com/4064303s/\r\n2015-01-09\r\n19:45:57\r\nSMS from +525512350872: El siguiente mensaje no ha sido enviado https://tinyurl[.]com/l8cwcc5\r\n(https://smscentro[.]com/1097486s/)\r\n2015-01-13\r\n01:59:19\r\nSMS from +525511393877: El siguiente mensaje no ha sido enviado https://bit[.]ly/1z2NQdh\r\n(https://smscentro[.]com/9480260s/)\r\n2015-03-26\r\n18:15:59\r\nSMS from +525585292665: El numero 5535606234 le ha enviado un mensaje de texto que no se\r\nrecibio. Entre a https://iusacell-movil[.]com[.]mx/6731340s/ para ver el sms\r\n2015-04-12\r\n22:41:24\r\nSMS from +525525715066: Notificacion de compra con tarjeta **** monto $3,500.00 M.N, ver\r\ndetalles en: https://smsmensaje[.]mx/1493024s/\r\n2015-05-08\r\n19:49:23\r\nSMS from +525525715066: Aviso de vencimiento de pago asociado a tu servicio con cargo a tu\r\ntarjeta ****, ver mas detalles: https://smsmensaje[.]mx/6445761s/\r\n2015-05-08\r\n23:19:14\r\nSMS from +525585292665: El siguiente mensaje esta marcado como urgente y no se recibio\r\ncorrectamente, recuperalo en .. https://smsmensaje[.]mx/3863925s/\r\n2015-05-09\r\n01:24:29\r\nSMS from +525525715066: Haz realizado un Retiro/Compra en tienda departamental **** monto\r\n$2,500.00 M.N, ver detalles https://smsmensaje[.]mx/9936510s/\r\n2015-05-09\r\n02:42:26\r\nSMS from +525585292665: Haz realizado un Retiro/Compra en tienda departamental **** monto\r\n$2,500.00 M.N, ver detalles https://smsmensaje[.]mx/1796758s/\r\n2015-05-10\r\n00:09:55\r\nSMS from +525585292665: UNOTV[.]com/ AUDI ENTRE LOS PRINCIPALES AUTOS CON\r\nPROBLEMAS EN LA TRANSMICION VERIFICA LA LISTA DE ELLOS:\r\nhttps://unonoticias[.]net/1291412s/\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 70 of 86\n\n2015-05-11\r\n20:19:20\r\nSMS from +525585292665: El siguiente mensaje esta marcado como urgente y no se recibio\r\ncorrectamente, recuperalo en .. https://smsmensaje[.]mx/6713776s/\r\n2015-05-12\r\n02:05:06\r\nSMS from +525585292665: El siguiente mensaje esta marcado como urgente y no se recibio\r\ncorrectamente, recuperalo en .. https://smsmensaje[.]mx/6318147s/\r\n2015-05-12\r\n04:03:33\r\nSMS from +525525715066: Estimado cliente informamos que presentas un problema de pago\r\nasociado a tu servicio, ver detalles.. https://smsmensaje[.]mx/8884678s/\r\n2015-05-12\r\n22:42:53\r\nSMS from +525585292665: Alcanzaste la tarifa premium de IUSACELL $0.30 Min a Celular y\r\n$0.10 Nacional, codigo 2207 y activalo ya… https://smsmensaje[.]mx/3432773s/\r\n2015-05-14\r\n00:37:27\r\nSMS from +525585292665: Alcanzaste la tarifa premium de IUSACELL $0.30 Min a Celular y\r\n$0.10 Nacional, codigo 2207 activalo ya… https://smsmensaje[.]mx/7534402s/\r\n2015-05-14\r\n02:55:35\r\nSMS from +525525715066: UNONOTICIAS. En encuesta revelan las 3 posiciones sexuales\r\nfavoritas de las mujeres, ver nota en: https://unonoticias[.]net/6218095s/\r\n2015-05-14\r\n03:24:41\r\nSMS from +525585292665: Retiro/Compra en tienda departamental $4,000.00 M.N 13/05/2015\r\n20:10 hrs ,ver detalles en: https://smsmensaje[.]mx/9550014s/\r\n2015-05-14\r\n19:56:23\r\nSMS from +525585292665: El numero +525541337879 le ha mandado un mensaje de texto que ser\r\necibio incompleto. Ver mensaje en: https://smsmensaje[.]mx/5670989s/\r\n2015-05-15\r\n01:18:30\r\nSMS from +525585292665: UNOTV. Detectan irregularidades en caso Aristegui, ver nota completa..\r\nhttps://unonoticias[.]net/4347580s/\r\n2015-06-05\r\n01:56:27\r\nSMS from +525585292665: UNOTV. Que depara el futuro para MVS y cual es el camino de Carmen\r\nAristegui? ver nota completa.. https://unonoticias[.]net/9275690s/\r\n2015-07-26\r\n03:05:05\r\nSMS from +525585292665: TELCEL[.]com/ RECIBISTE CORRECTAMENTE TU FACTURA\r\nELECTRONICA VERIFICA DETALLES DE TU COMPRA: https://ideas-telcel.com[.]mx/9872742s/\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 71 of 86\n\n2015-07-26\r\n12:34:59\r\nSMS from +525525715066: has realizado un Retiro/Compra Tarjeta**** M.N monto $3,500.00\r\nverifica detalles de operacion: https://smsmensaje[.]mx/6156234s/\r\n2015-07-26\r\n15:23:35\r\nSMS from +525525715066: UNOTV.com/ ANONYMUS ANUNCIA QUE ATACARA PAGINA DE\r\nARISTEGUI VER DETALLES: https://unonoticias[.]net/9250302s/\r\n2015-08-20\r\n19:20:46\r\nSMS from +525525715066: IUSACELL/ Estimado cliente su factura esta lista, agradeceremos pago\r\npuntual por $17401.25 Detalles: https://iusacell-movil[.]com[.]mx/8595070s/\r\n2015-08-20\r\n19:34:05\r\nSMS from +525525715066: USEMBASSY.GOV/ DETECTAMOS UN PROBLEMA CON TU VISA\r\nPOR FAVOR ACUDE PRONTAMENTE A LA EMBAJADA. VER DETALLES:\r\nhttps://bit[.]ly/1MAAWrO (https://smsmensaje[.]mx/9439115s/)\r\n2015-08-23\r\n04:58:47\r\nSMS from +525525715066: IUSACELL.com/ EL SIGUIENTE MENSAJE ESTA MARCADO\r\nCOMO URGENTE REVISALO DESDE NUESTRO PORTAL VER https://iusacell-movil[.]com[.]mx/7918310s/\r\n2015-08-24\r\n03:03:48\r\nSMS from +525585292665: UNOTV[.]com/ FAMILIA DE CHAPO SE REFUGIA EN GRANDES\r\nRESIDENCIAS EN DF ENTRE ELLAS SN JERONIMO VER DONDE:\r\nhttps://unonoticias[.]net/6353793s/\r\n2015-08-24\r\n15:31:38\r\nSMS from +525525715066: ALERTA AMBER DF/ COOPERACION PARA LOCALIZAR A NINO\r\nDE 9 ANOS, DESAPARECIDO EN LA COLONIA SAN JERONIMO. DETALLES:\r\nhttps://bit[.]ly/1EQYOkG (https://mymensaje-sms[.]com/6649365s/)\r\n2015-08-24\r\n15:31:59\r\nSMS from +525585292665: ALERTA AMBER DF/ COOPERACION PARA LOCALIZAR A NINO\r\nDE 9 ANOS, DESAPARECIDO EN LA COLONIA SAN JERONIMO. DETALLES:\r\nhttps://bit[.]ly/1EQYSB1 (https://mymensaje-sms[.]com/5186565s/)\r\n2015-09-02\r\n18:43:23\r\nSMS from +525585292665: Hola Carmen, solo para desearte una excelente tarde y compartirte la\r\nnota que publica proceso sobre el 3er informe: https://bit[.]ly/1JNTfox\r\n(https://twiitter[.]com.mx/8527373s/)\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 72 of 86\n\n2015-09-05\r\n15:39:41\r\nSMS from +525585292665: IUSACELL[.]com / DESCUBRE LA NUEVA TELEFONIA Y\r\nCONOCE LAS APLICACIONES MAS SEGURAS PARA TU SMARTPHONE SEGUN EL\r\nPENTAGONO https://bit[.]ly/1IQhzFw (https://iusacell-movil[.]com.mx/5726967s/)\r\n2015-09-25\r\n18:47:50\r\nSMS from +525585292665: Queridisima Carmen en la madrugada fallecio mi padre, estamos muy\r\ndevastados. Mando datos del funeral ojala puedas ir: https://bit[.]ly/1KDGbSR\r\n(https://smsmensaje[.]mx/4966295s/)\r\n2015-10-17\r\n18:12:07\r\nSMS from +525585292665: chatita como estas, espero que bien este mi numero nuevo checa esta\r\nnoticia la subi a drive checala para borrarla urge https://tinyurl[.]com/pfwmr88\r\n(https://googleplay-store[.]com/7863372s/)\r\n2015-10-25\r\n23:39:29\r\nSMS from +525525715066: Hola te envio invitacion electronica con detalles por motivo de mi fiesta\r\nde disfraces espero contar contigo alonso: https://tinyurl[.]com/o2tq8rl\r\n(https://smsmensaje[.]mx/8623600s/)\r\n2016-02-09\r\n17:46:42\r\nSMS from +525552899427: Carmen hace 5 dias que no aparece mi hija te agradecere mucho que\r\ncompartas su foto, estamos desesperados: https://bit[.]ly/1KDekJ9\r\n(https://smsmensaje[.]mx/5957475s/)\r\n2016-02-10\r\n23:10:59\r\nSMS from +525552899427: Querida Carmen fallecio mi hermano en un accidente, estoy devastada,\r\nenvio datos del velorio, espero asistas: https://bit[.]ly/1TTjm6D\r\n(https://smsmensaje[.]mx/6056487s)\r\n2016-02-11\r\n22:30:48\r\nSMS from +525568850176: Hace 7 dias desaparecio mi hija de 8 a?os en ecatepec, por favor\r\nayudame a compartir su foto, estamos desesperados: https://smsmensaje[.]mx/7430255t/\r\n2016-02-11\r\n22:32:15\r\nSMS from +525568850176: Hace 7 dias desaparecio mi hija de 8 a?os en ecatepec, por favor\r\nayudame a compartir su foto, estamos desesperados: https://smsmensaje[.]mx/7430255t/\r\n2016-02-11\r\n23:58:10\r\nSMS from +525568850176: Perdon en el sms anterior no se veia la foto, la reenvio, por favor\r\ncompartela queremos a nuestra ni?a de vuelta: https://smsmensaje[.]mx/7430255t/\r\n2016-02-15\r\n04:02:23\r\nSMS from +525547311580: Vinieron unas personas a extorsionarnos si no les dabamos 100mil pesos\r\nsaben quienes somos tome fotos mira https://fb-accounts[.]com/1324052s/\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 73 of 86\n\n2016-02-24\r\n15:45:04\r\nSMS from +525552899427: UNOTV[.]com/ LANZA TELEVISA DESPLEGADOS EN TODOS\r\nSUS MEDIOS;CRITICA POSTURA DE ORGANIZACION ARTICULO 19. VER:\r\nhttps://bit[.]ly/1SU5N7q (https://unonoticias[.]net/6809853s/)\r\n2016-02-25\r\n15:27:59\r\nSMS from +525552899427: has realizado un Retiro/Compra Tarjeta**** M.N monto $3,500.00\r\nverifica detalles de operacion: https://bit[.]ly/21jxVFW (https://unonoticias[.]net/2250072s/)\r\n2016-03-10\r\n16:09:38\r\nSMS from +529993190183: ARISTEGUI NOTICIAS ESTRENA SERVICIO DE SMS.\r\nSUSCRIBASE Y RECIBIRA RESUMEN DE LAS NOTICIAS MAS IMPORTANTES:\r\nhttps://bit[.]ly/225VXRR (https://smsmensaje[.]mx/8807734s/)\r\n2016-03-11\r\n16:19:14\r\nSMS from +529993190183: ARISTEGUI NOTICIAS ESTRENA SERVICIO DE SMS.\r\nSUSCRIBASE Y RECIBIRA RESUMEN DE LAS NOTICIAS MAS IMPORTANTES:\r\nhttps://smsmensaje[.]mx/4701759s/\r\n2016-04-05\r\n14:42:23\r\nSMS from +528120754135: ARISTEGUINOTICIASONLINE[.]mx ESTRENA SERVICIO DE\r\nSMS. SUSCRIBASE Y RECIBIRA LAS NOTICIAS MAS IMPORTANTES:\r\nhttps://bit[.]ly/1q3n16a (https://smsmensaje[.]mx/7974159s/)\r\n2016-04-07\r\n20:54:12\r\nSMS from +528120953203: ARISTEGUINOTICIASONLINE[.]mx ESTRENA SERVICIO DE\r\nSMS. SUSCRIBASE Y RECIBIRA LAS NOTICIAS MAS IMPORTANTES:\r\nhttps://smsmensaje[.]mx/1119786s/\r\n2016-04-12\r\n21:42:40\r\nSMS from +528120943682: ARISTEGUINOTICIASONLINE[.]mx ESTRENA SERVICIO DE\r\nSMS. SUSCRIBASE Y RECIBIRA LAS NOTICIAS MAS IMPORTANTES:\r\nhttps://smsmensaje[.]mx/2365691s/\r\n2016-05-11\r\n18:30:07\r\nSMS from +525585401284: UNOTV[.]com/ CONFIRMA PGR QUE HIJO MAYOR DE AMLO\r\nLLEVA 48 HRS DESAPARECIDO. DETALLES: https://bit[.]ly/1QYVKaM\r\n(https://unonoticias[.]net/5911276s/)\r\n2016-05-13\r\n15:19:47\r\nSMS from +528120531318: Perdon x molestarte pero hace 3 dias que no aparece mi hija te\r\nagradecere que me ayudes a compartir su foto: https://bit[.]ly/1Oo7cSS\r\n(https://smsmensaje[.]mx/8984621s/)\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 74 of 86\n\n2016-06-03\r\n18:03:24\r\nSMS from +525585401299: Carmen la pagina esta intermitente, esta apareciendo este error al\r\nintentar ingresar: https://bit[.]ly/1WzrZ8T (https://smsmensaje[.]mx/9371877s/)\r\n2016-06-09\r\n19:19:10\r\nSMS from +528120990524: Eres mierda porque yo me ando cojiendo a tu pareja mientras tu\r\npendejeas y de prueba te mando esta foto: https://bit[.]ly/1rfaNHR\r\n(https://smsmensaje[.]mx/9449190s/)\r\n2016-06-13\r\n17:38:35\r\nSMS from +525585401299: Hace 3 dias que no aparece mi hija, estamos desesperados, te agradecere\r\nque me ayudes a compartir su foto: https://bit[.]ly/235giae (https://smsmensaje[.]mx/1239663s/)\r\n2016-06-15\r\n21:21:29\r\nSMS from +528122090316: Buenas tardes Carmen, unicamente paso a saludarte y enviarte esta nota\r\nde Proceso que es importante retomar: https://bit[.]ly/1twXSDl\r\n(https://smsmensaje[.]mx/1911343s/)\r\n2016-06-22\r\n21:35:59\r\nSMS from +529993190053: UNOTV[.]com/ REVELAN VIDEO DONDE CRISTIANO RONALDO\r\nSE ENFADA Y AVIENTA MICROFONO DE REPORTERO. VIDEO EN:\r\nhttps://unonoticias[.]net/2068822s/\r\n2016-06-28\r\n21:32:09\r\nSMS from +528120696998: UNOTV[.]com/ ATENTADO TERRORISTA EN ESTAMBUL DEJA 30\r\nMUERTOS/SECUESTRAN REPORTERO DE TELEVISA/FALLECE CHACHITA\r\nhttps://bit[.]ly/295RNq7 (https://smsmensaje[.]mx/1656017s/)\r\n2016-07-01\r\n16:45:44\r\nSMS from +528122090348: UNOTV[.]com/ CARMEN ARISTEGUI YA FIRMO CONTRATO\r\nPARA REGRESAR A LA RADIO. DETALLES: https://unonoticias[.]net/3423165s/\r\n2016-07-04\r\n20:32:34\r\nSMS from +528121050415: UNOTV[.]com/ AMARILLISMO DE ARISTEGUI VS REALIDAD/\r\nVAN 30 DETENIDOS EN ATENTADO DE ESTAMBUL/ CHILE CAMPEON\r\nhttps://bit[.]ly/29eWzzv (https://unonoticias[.]net/9436744s/)\r\n2016-07-05\r\n18:42:59\r\nSMS from +525536438524: https://fb-accounts[.]com/2102272t/\r\n2016-07-06\r\n21:56:08\r\nSMS from +528122090257: Hace 5 dias q no aparece mi hija te agradecere mucho q compartan su\r\nfoto, estamos destrozados es un infierno: https://bit[.]ly/29rnk6c\r\n(https://smsmensaje[.]mx/7960742s/)\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 75 of 86\n\n2016-07-12\r\n21:20:25\r\nSMS from +528120697015: UNOTV[.]com/ FILMAN A REPORTERO Y PERIODISTA CUANDO\r\nSON LEVANTADOS POR COMANDO ARMADO EN TAMAULIPAS. VIDEO:\r\nhttps://unonoticias[.]net/1887451s/\r\n2016-07-14\r\n20:29:40\r\nSMS from +528122090358: ESTIMADO USUARIO ha realizado un Retiro/Compra Tarjeta M.N de\r\n****** el 14/07/16 10:52:00 AM. Ver DETALLES: https://banca-movil[.]com/4982255s/\r\n2016-07-15\r\n23:56:16\r\nSMS from +528122090286: Mi rey te mando mis fotos encueradita y abiertita asi como te gusta, las\r\nves y las borras eh: https://bit[.]ly/29IQvyh (https://smsmensaje[.]mx/3376811s/)\r\n2016-07-18\r\n17:50:57\r\nSMS from +523319983437: Hola oye abriste nuevo facebook? Me llego una solicitud de un face con\r\ntus fotos pero con otro nombre mira: https://fb-accounts[.]com/1607422s/\r\n2016-07-19\r\n17:55:54\r\nSMS from +528113788852: Hola buen martes. Oye que pedo con el puto Lopez Doriga? Mira lo que\r\nescribio sobre ti hoy, urge desmentirlo: https://bit[.]ly/29LfZfD\r\n(https://smsmensaje[.]mx/9093723s/)\r\n2016-07-22\r\n21:33:26\r\nSMS from +525576169290: Estimado cliente Unefon te informa su saldo vencido al de la lInea\r\n5539290869, es por $4,278. DETALLES: https://ideas-telcel[.]com[.]mx/4729605s/\r\n2016-07-23\r\n17:51:28\r\nSMS from +525576169290: Amigo,hay una pseudo cuenta de fb y twitter identica a la tuya checala\r\npara que la denuncies mira checala: https://fb-accounts[.]com/9543697s/\r\n2016-07-25\r\n21:01:24\r\nSMS from +528122090359: Bienvenido Club CHICAS CALIENTES, se ha aplicado un cargo de\r\n$875.85 a su linea, si desea cancelar ingrese a: https://bit[.]ly/2a0hZ2I\r\n(https://smsmensaje[.]mx/6881768s/)\r\n2016-07-28\r\n22:47:46\r\nSMS from +528120990542: UNOTV[.]com/ VIRAL EL VIDEO DE FUERTE GOLPE QUE\r\nRECIBE EN LA CARA OSORIO CHONG PROPINADO POR MAESTRO. VIDEO:\r\nhttps://unonoticias[.]net/6328951s/\r\nForensic traces for MXJRN3\r\nNo timestamps are available as these SMS messages where found in previous screenshots.\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 76 of 86\n\nDate\r\n(UTC)\r\nEvent\r\nSMS from +523332078807: Buenas noches Sandra, unicamente paso a saludarte y enviarte esta nota de\r\nProceso que es importante retomar: https://bit[.]ly/25JHLDm (https://smsmensaje[.]mx/5727775s/)\r\nSMS from +525546613611: Sandra amiga acaba de morir mi esposo, estamos devastadas, te envio los\r\ndatos del velatorio espero asistas: https://bit[.]ly/28hMScw (https://smsmensaje[.]mx/6050864s/)\r\nSMS from +524446613611: Hace 3 dias quo no aparence mi hija, estamos desesperados, te agradecere\r\nque me ayudes a compartit su foto: https://bit[.]ly/235hzhv (https://smsmensaje[.]mx/4159043s/)\r\nSMS from +518122090332: Sandra, mi mama esta muy grave, tal vez no pase la noche te envio datos de\r\ndonde esta internada ojala vengas: https://bit[.]ly/1PQsLvX (https://smsmensaje[.]mx/6395084s/)\r\nForensic traces for MXJRN4\r\nThis Pegasus attack message was original discovered and published as part of collaborative investigation between Citizen\r\nLab, R3D, SocialTic and Article 19.    \r\nDate (UTC) Event\r\n2016-05-12\r\n19:06:04\r\n SMS from + 528112889362: Tengo pruebas clave y fidedignas en contra de servidores publicos,\r\nayudame tiene que ver con este asunto https://bit[.]ly/1s2eguc (https://secure-access10[.]mx/2618844s/)\r\nForensic traces for RWHRD1 – Carine Kanimba\r\nDate (UTC) Event\r\n2020-11-24 13:26:03 Process record deleted from ZPROCESS (IN: 12.86 MB, OUT: 168.99 MB)\r\n2021-01-28 22:42:56 Process: Diagnosticd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 77 of 86\n\n2021-01-31 18:28:39 Process: dhcp4d\r\n2021-01-31 23:59:02 Process: libtouchregd\r\n2021-02-02 13:54:23 Process: MobileSMSd\r\n2021-02-13 19:44:12 Process: vm_stats\r\n2021-02-21 23:10:09 Process: launchrexd\r\n2021-02-21 23:10:09 Process: mptbd\r\n2021-02-22 15:39:00 Process: PDPDialogs\r\n2021-03-16 13:33:22 Process: neagentd\r\n2021-03-17 15:27:06 Process: CommsCenterRootHelper\r\n2021-03-21 06:06:45 Process: roleaboutd\r\n2021-03-23 17:37:31 Process: contextstoremgrd\r\n2021-03-28 00:36:43 Process: otpgrefd\r\n2021-03-31 13:57:01 Process: vm_stats\r\n2021-04-06 21:29:56 Process: locserviced\r\n2021-04-09 19:09:18 Process: bluetoothfs\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 78 of 86\n\n2021-04-23 01:48:56 Process: eventfssd\r\n2021-04-23 20:43:14 Process: com.apple.Mappit.SnapshotService\r\n2021-04-23 23:01:44 Process: aggregatenotd\r\n2021-04-24 22:01:47 Process: ReminderIntentsUIExtension\r\n2021-04-24 22:01:54 Process: ReminderIntentsUIExtension\r\n2021-04-28 13:34:53 Process: com.apple.rapports.events\r\n2021-04-28 13:34:57 Process: com.apple.rapports.events (IN: 0.01 MB, OUT: 0.00 MB)\r\n2021-04-28 13:34:57 Process: com.apple.rapports.events\r\n2021-04-28 13:35:40 Process: com.apple.rapports.events\r\n2021-04-28 16:08:40 Process: xpccfd\r\n2021-05-03 08:07:38 Traces from zero-click attack attempt over iMessage\r\n2021-05-08 07:28:40 Traces from zero-click attack attempt over iMessage\r\n2021-05-16 12:30:10 Traces from zero-click attack attempt over iMessage\r\n2021-05-17 13:39:16 iMessage lookup for account benjiburns8[@]gmail.com\r\n2021-05-17 13:40:12 Traces from zero-click attack attempt over iMessage\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 79 of 86\n\n2021-06-14 00:06:00 Attack related push notifications over iMessage\r\n2021-06-14 00:09:33 Process crash detected\r\n2021-06-14 00:12:57 Process: com.apple.rapports.events\r\n2021-06-14 00:17:12 Process: faskeepd\r\n2021-06-14 00:17:12 Process: lobbrogd\r\n2021-06-14 00:17:12 Process: neagentd\r\n2021-06-14 00:17:12 Process: com.apple.rapports.events\r\n2021-06-14 17:38:44 Process: faskeepd\r\n2021-06-14 17:38:44 Process: lobbrogd\r\n2021-06-14 17:38:44 Process: neagentd\r\n2021-06-14 17:39:59 Process: faskeepd\r\n2021-06-14 17:39:59 Process: lobbrogd\r\n2021-06-14 17:39:59 Process: neagentd\r\n2021-06-15 18:26:22 Process: faskeepd\r\n2021-06-15 18:26:22 Process: lobbrogd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 80 of 86\n\n2021-06-15 18:26:22 Process: neagentd\r\n2021-06-15 18:28:16 Process: faskeepd\r\n2021-06-15 18:28:16 Process: lobbrogd\r\n2021-06-15 18:28:16 Process: neagentd\r\n2021-06-15 18:30:12 Process: faskeepd\r\n2021-06-15 18:30:12 Process: lobbrogd\r\n2021-06-15 18:30:12 Process: neagentd\r\n2021-06-16 00:04:37 Process: faskeepd\r\n2021-06-16 00:04:37 Process: lobbrogd\r\n2021-06-16 00:04:37 Process: neagentd\r\n2021-06-16 18:49:50 Process: faskeepd\r\n2021-06-16 18:49:50 Process: lobbrogd\r\n2021-06-16 18:49:50 Process: neagentd\r\n2021-06-16 21:54:15 Process: faskeepd\r\n2021-06-16 21:54:15 Process: lobbrogd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 81 of 86\n\n2021-06-16 21:54:15 Process: neagentd\r\n2021-06-18 08:13:35 Process: faskeepd\r\n2021-06-18 15:21:00 Attack related push notifications over iMessage\r\n2021-06-18 15:26:04 Process crash detected\r\n2021-06-18 15:26:08 Process: com.apple.Mappit.SnapshotService\r\n2021-06-18 15:26:16 Process: com.apple.Mappit.SnapshotService\r\n2021-06-18 15:31:12 Process: launchrexd\r\n2021-06-18 15:31:12 Process: frtipd\r\n2021-06-18 15:31:12 Process: ReminderIntentsUIExtension\r\n2021-06-19 16:00:16 Process: launchrexd\r\n2021-06-19 16:00:16 Process: frtipd\r\n2021-06-19 16:00:16 Process: ReminderIntentsUIExtension\r\n2021-06-20 00:06:25 Process: launchrexd\r\n2021-06-20 00:06:25 Process: frtipd\r\n2021-06-20 00:06:25 Process: ReminderIntentsUIExtension\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 82 of 86\n\n2021-06-20 19:52:25 Process: launchrexd\r\n2021-06-20 19:52:25 Process: frtipd\r\n2021-06-20 19:52:26 Process: ReminderIntentsUIExtension\r\n2021-06-20 19:53:58 Process: launchrexd\r\n2021-06-20 19:53:58 Process: frtipd\r\n2021-06-20 19:53:58 Process: ReminderIntentsUIExtension\r\n2021-06-22 03:57:10 Process: launchrexd\r\n2021-06-22 03:57:10 Process: frtipd\r\n2021-06-22 03:57:10 Process: ReminderIntentsUIExtension\r\n2021-06-22 04:06:51 Process: launchrexd\r\n2021-06-22 04:06:51 Process: frtipd\r\n2021-06-22 04:06:51 Process: ReminderIntentsUIExtension\r\n2021-06-23 00:01:02 Process: launchrexd\r\n2021-06-23 00:01:02 Process: frtipd\r\n2021-06-23 00:01:02 Process: ReminderIntentsUIExtension\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 83 of 86\n\n2021-06-23 14:31:39 Process: launchrexd\r\n2021-06-23 20:46:00 Attack related push notifications over iMessage\r\n2021-06-23 20:48:56 Process crash detected\r\n2021-06-23 20:54:16 Process crash detected\r\n2021-06-23 20:55:10 Process: otpgrefd\r\n2021-06-23 20:59:35 Process: otpgrefd\r\n2021-06-23 20:59:35 Process: launchafd\r\n2021-06-23 20:59:35 Process: vm_stats\r\n2021-06-23 22:21:13 Attack artifact on disk: /private/var/tmp/vditcfwheovjf/cc/otpgrefd/\r\n2021-06-24 12:16:22 Process: otpgrefd\r\n2021-06-24 12:16:22 Process: launchafd\r\n2021-06-24 12:16:22 Process: vm_stats\r\n2021-06-24 12:24:29 Process: otpgrefd\r\n2021-06-26 21:56:00 Attack related push notifications over iMessage\r\n2021-06-26 23:25:32 Process: smmsgingd\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 84 of 86\n\n2021-06-29 22:26:00 Attack related push notifications over iMessage\r\n2021-06-29 22:30:46 Process crash detected\r\n2021-06-29 22:36:01 Process: launchafd\r\n2021-06-29 22:36:01 Process: otpgrefd\r\n2021-06-29 22:36:01 Process: dhcp4d\r\n2021-06-29 22:36:01 Process: ctrlfs\r\n2021-06-30 00:09:19 Process: launchafd\r\n2021-06-30 00:09:19 Process: otpgrefd\r\n2021-06-30 00:09:19 Process: dhcp4d\r\n2021-07-01 00:09:32 Process: launchafd\r\n2021-07-01 00:09:32 Process: otpgrefd\r\n2021-07-01 00:09:32 Process: dhcp4d\r\n2021-07-01 12:16:43 Process: launchafd\r\n2021-07-01 12:16:43 Process: otpgrefd\r\n2021-07-01 12:16:43 Process: dhcp4d\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 85 of 86\n\n2021-07-01 21:42:19 Process: launchafd\r\n2021-07-03 06:06:37 iMessage lookup for account benjiburns8[@]gmail.com\r\n2021-07-03 06:07:00 Attack related push notifications over iMessage\r\n2021-07-03 06:22:16 Process crash detected\r\n2021-07-03 06:32:56 Process: actmanaged\r\n2021-07-03 06:32:56 Process: misbrigd\r\n2021-07-03 06:32:56 Process: Diagnostics-2543\r\n2021-07-03 06:32:56 Process: gssdp\r\n2021-07-03 15:23:18 Process: actmanaged\r\nSource: https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/\r\nPage 86 of 86\n\n https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ \n2021-04-28 03:31:39 Process: ReminderIntentsUIExtension (IN: 0.01 MB, OUT: 0.00 MB)\n2021-04-28 03:31:39 Process: ReminderIntentsUIExtension \n2021-04-28 03:31:45 Process: ReminderIntentsUIExtension \n2021-06-11 12:45:48 Process record deleted from ZPROCESS (IN: 0.01 MB, OUT: 0.00 MB)\n2021-06-11 12:46:22 Process record deleted from ZPROCESS (IN: 1.79 MB, OUT: 0.31 MB)\n2021-06-11 12:46:47 Process record deleted from ZPROCESS (IN: 12.94 MB, OUT: 145.88 MB)\n2021-06-14 06:17:10 Process record deleted from ZPROCESS (IN: 2.36 MB, OUT: 2.76 MB)\n2021-06-15 06:21:28 Process record deleted from ZPROCESS (IN: 1.05 MB, OUT: 1.29 MB)\n2021-06-16 13:47:51 Process record deleted from ZPROCESS (IN: 0.16 MB, OUT: 0.16 MB)\n2021-06-18 13:52:14 Process record deleted from ZPROCESS (IN: 0.01 MB, OUT: 0.00 MB)\n2021-06-18 13:53:37 Process record deleted from ZPROCESS (IN: 1.79 MB, OUT: 0.31 MB)\n2021-06-18 13:58:41 Process record deleted from ZPROCESS (IN: 13.63 MB, OUT: 172.99 MB)\n2021-06-19 14:16:20 Process record deleted from ZPROCESS (IN: 0.87 MB, OUT: 1.02 MB)\n2021-06-21 05:44:29 Process record deleted from ZPROCESS (IN: 1.81 MB, OUT: 2.58 MB)\n2021-06-22 05:45:29 Process record deleted from ZPROCESS (IN: 1.19 MB, OUT: 1.38 MB)\n Page 64 of 86", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/" ], "report_names": [ "forensic-methodology-report-appendix-d" ], "threat_actors": [], "ts_created_at": 1775434289, "ts_updated_at": 1775791318, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0215d284fcfabb04baa2e7c5c6d08ad8caed1bb4.pdf", "text": "https://archive.orkl.eu/0215d284fcfabb04baa2e7c5c6d08ad8caed1bb4.txt", "img": "https://archive.orkl.eu/0215d284fcfabb04baa2e7c5c6d08ad8caed1bb4.jpg" } }