Forensic Methodology Report: Pegasus Forensic Traces per Target Published: 2021-07-18 · Archived: 2026-04-05 16:39:06 UTC Updated on: 27 July 2021 This document is an appendix to the research report “Forensic Methodology Report: How to catch NSO Group’s Pegasus” published as part of the Pegasus Project. This document may be updated over time as additional individuals become public. Appendix D: Pegasus Forensic Traces per Target All individuals have been assigned a code name for safety and privacy reasons. Only individuals who have given consent will be named publicly. The occurrence of a known malicious iCloud account may be a result of actions made by a Pegasus customer against a potential target device. It does not by itself signify that an attack was attempted or succeeded. Forensic traces for AZJRN1 – Khadija Ismayilova Date (UTC) Event 2019- 03-28 07:44:14 Process: roleaccountd 2019- 03-28 07:44:14 Process: stagingd 2019- 03-28 07:44:15 File: Library/Preferences/roleaccountd.plist 2019- 04-02 09:17:55 Process record deleted from ZPROCESS https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 1 of 86 2019- 04-12 07:42:38 Process record deleted from ZPROCESS 2019- 05-01 10:48:06 Process record deleted from ZPROCESS 2019- 05-03 07:42:27 Process record deleted from ZPROCESS 2019- 05-18 11:03:21 Process record deleted from ZPROCESS 2019- 06-17 05:10:02 Process record deleted from ZPROCESS 2019- 06-18 05:25:41 Process record deleted from ZPROCESS 2019- 06-25 17:03:13 Process record deleted from ZPROCESS 2019- 07-08 05:39:13 Process record deleted from ZPROCESS 2019- 07-12 11:10:51 Process record deleted from ZPROCESS https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 2 of 86 2019- 07-18 13:40:01 Process record deleted from ZPROCESS 2019- 08-22 08:41:02 Process record deleted from ZPROCESS 2019- 08-26 05:04:19 Process record deleted from ZPROCESS 2019- 08-27 15:02:15 Process record deleted from ZPROCESS 2019- 09-06 05:52:30 Process record deleted from ZPROCESS 2019- 09-07 07:19:31 Process record deleted from ZPROCESS 2019- 09-15 06:11:31 Process record deleted from ZPROCESS 2019- 09-17 14:11:51 Process record deleted from ZPROCESS 2019- 09-28 12:25:15 Process: libtouchregd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 3 of 86 2019- 10-01 19:42:17 Process record deleted from ZPROCESS 2019- 10-14 05:11:06 Process record deleted from ZPROCESS 2019- 10-14 16:08:43 Process: libbmanaged 2019- 10-14 16:08:43 Process: mobileargd 2019- 10-14 16:08:43 Process: brstaged 2019- 10-14 16:08:43 Process: libtouchregd 2019- 10-14 16:08:43 Process: launchrexd 2019- 10-15 14:21:44 Process: faskeepd 2019- 10-16 22:17:17 Process: bundpwrd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 4 of 86 2019- 10-22 15:42:40 Process: seraccountd 2019- 10-22 15:42:40 Process: comnetd 2019- 11-25 09:06:49 Process: confinstalld 2019- 11-25 09:06:49 Process: msgacntd 2019- 11-25 09:06:49 Process: launchrexd 2019- 11-25 09:06:49 Process: accountpfd 2019- 11-25 09:06:49 Process: xpccfd 2019- 11-25 09:06:49 Process: setframed 2019- 11-25 09:06:49 Process: natgd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 5 of 86 2019- 11-25 09:06:49 Process: aggregatenotd 2019- 12-09 05:28:20 Process record deleted from ZPROCESS 2019- 12-22 16:10:27 Process record deleted from ZPROCESS 2019- 12-26 06:01:46 Process record deleted from ZPROCESS 2020- 01-09 05:43:20 Process record deleted from ZPROCESS 2020- 01-14 06:56:05 Process record deleted from ZPROCESS 2020- 01-27 05:44:27 Process record deleted from ZPROCESS 2020- 01-31 11:41:04 Process record deleted from ZPROCESS 2020- 02-07 05:00:03 Process record deleted from ZPROCESS https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 6 of 86 2020- 02-09 07:03:56 Process record deleted from ZPROCESS 2020- 02-13 05:00:59 iMessage lookup for account e\x00\x00aholm575[@]gmail.com (emmaholm575[@]gmail.com) 2020- 02-23 07:39:00 Process record deleted from ZPROCESS 2020- 02-26 04:57:01 Process record deleted from ZPROCESS 2020- 03-09 05:33:30 Process record deleted from ZPROCESS 2020- 03-13 06:45:19 Process record deleted from ZPROCESS 2020- 03-24 07:27:42 Process record deleted from ZPROCESS 2020- 03-30 06:08:44 Process record deleted from ZPROCESS 2020- 04-21 12:04:31 Process record deleted from ZPROCESS https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 7 of 86 2020- 04-23 06:26:56 iMessage lookup for account filip.bl82[@]gmail.\x00\x00m (filip.bl82[@]gmail.com) 2020- 04-23 07:24:11 Process record deleted from ZPROCESS 2020- 04-29 07:31:57 Process record deleted from ZPROCESS 2020- 04-30 07:58:32 Process record deleted from ZPROCESS 2020- 05-11 14:25:28 Process record deleted from ZPROCESS 2020- 05-15 11:31:09 Process record deleted from ZPROCESS 2020- 05-17 07:03:29 Process record deleted from ZPROCESS 2020- 05-20 21:10:16 Process: logseld 2020- 05-20 21:10:16 Process: brstaged https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 8 of 86 2020- 05-20 21:10:16 Process: pstid 2020- 05-20 21:10:16 Process: roleaboutd 2020- 05-20 21:10:16 Process: libtouchregd 2020- 05-20 21:10:16 Process: brstaged 2020- 05-29 07:11:37 Process record deleted from ZPROCESS 2020- 05-31 07:32:56 Process record deleted from ZPROCESS 2020- 05-31 15:28:11 Process: bfrgbd 2020- 05-31 15:28:11 Process: xpccfd 2020- 05-31 15:28:11 Process: nehelprd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 9 of 86 2020- 06-01 09:07:27 iMessage lookup for account kleinleon1987[@]gma\x00\x00.com (kleinleon1987[@]gmail.com) 2020- 06-05 13:07:16 Process record deleted from ZPROCESS 2020- 06-08 08:13:02 Process record deleted from ZPROCESS 2020- 06-08 18:22:45 Process: comnetd 2020- 06-08 18:22:45 Process: fservernetd 2020- 06-08 18:22:45 Process: rolexd 2020- 06-12 08:45:08 Process record deleted from ZPROCESS 2020- 06-22 05:29:22 Process: roleaccountd 2020- 06-22 05:29:23 Process: stagingd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 10 of 86 2020- 06-27 11:23:05 Process record deleted from ZPROCESS 2020- 06-27 11:23:09 Process record deleted from ZPROCESS 2020- 06-29 05:13:04 Process record deleted from ZPROCESS 2020- 06-29 05:13:04 Process record deleted from ZPROCESS 2020- 06-30 05:59:08 iMessage lookup for account k\x00\x00inleon1987[@]gmail.com (kleinleon1987[@]gmail.com) 2020- 07-01 13:04:43 Process: nehelprd 2020- 07-01 13:04:43 Process: aggregatenotd 2020- 07-01 13:04:43 Process: fservernetd 2020- 07-01 13:04:43 Process: msgacntd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 11 of 86 2020- 07-02 06:29:48 Process record deleted from ZPROCESS 2020- 07-02 06:29:48 Process record deleted from ZPROCESS 2020- 07-03 06:51:47 Process record deleted from ZPROCESS 2020- 07-03 06:51:53 Process record deleted from ZPROCESS 2020- 07-04 07:20:57 Process record deleted from ZPROCESS 2020- 07-04 07:20:58 Process record deleted from ZPROCESS 2020- 07-05 07:23:50 Process record deleted from ZPROCESS 2020- 07-06 05:22:21 iMessage lookup for account f\x00\x00ip.bl82[@]gmail.com (filip.bl82[@]gmail.com) 2020- 07-10 14:12:09 Cache file /private/var/mobile/Containers/Data/Application/D6A69566-55F7-4757-96DE-EBA612685272/Library/Caches/com.apple.Music/Cache.db recorded visit to  URL hxxps://x1znqjo0x8b8j.php78mp9v.opposedarrangement[.]net:37271/afAVt89Wq/stadium/pop2.html? key=501_4&n=7 https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 12 of 86 2020- 07-10 14:12:15 Cache file /private/var/mobile/Containers/Data/Application/D6A69566-55F7-4757-96DE-EBA612685272/Library/Caches/com.apple.Music/Cache.db recorded visit to  URL hxxps://x1znqjo0x8b8j.php78mp9v.opposedarrangement[.]net:37271/afAVt89Wq/stadium/pop2.html? key=501_4&n=1 2020- 07-10 14:12:21 Process: roleaccountd 2020- 07-10 14:12:26 Process: stagingd 2020- 07-11 19:34:04 Process: confinstalld 2020- 07-11 19:34:04 Process: roleaboutd 2020- 07-11 19:34:04 Process: lobbrogd 2020- 07-11 19:34:04 Process: fservernetd 2020- 07-11 19:34:04 Process: launchafd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 13 of 86 2020- 07-13 05:05:17 Cache file /private/var/mobile/Containers/Data/Application/D6A69566-55F7-4757-96DE-EBA612685272/Library/Caches/com.apple.Music/Cache.db recorded visit to  URL hxxps://4n3d9ca2st.php78mp9v.opposedarrangement[.]net:37891/w58Xp5Z/stadium/pop2.html? key=501_4&n=7 2020- 12-07 07:23:23 iMessage lookup for account kleinleon1987[@]gmail.com 2021- 04-20 17:53:51 iMessage lookup for account filip.bl82[@]gmail.com 2021- 05-06 08:34:43 iMessage lookup for account emmaholm575[@]gmail.com Forensic traces for AZJRN2 – Sevinc Vaqifqizi Date (UTC) Event 2019-04-17 10:53:04 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain 2019-04-17 10:53:45 Process: roleaccountd 2019-04-17 10:53:45 File created: Library/Preferences/roleaccountd.plist from RootDomain 2019-04-24 12:13:29 Process: roleaccountd 2019-04-24 12:13:31 Process: stagingd 2019-07-18 09:35:17 Process: rolexd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 14 of 86 2019-08-02 11:45:12 Process: actmanaged 2019-10-08 15:22:29 Process: libbmanaged 2019-10-12 08:17:28 Process: xpccfd 2019-10-14 05:05:09 Process: setframed 2019-10-18 06:16:16 Process: natgd 2019-10-21 05:23:50 Process: libtouchregd 2019-10-29 05:28:54 Process: frtipd 2019-11-08 07:01:25 Process: brstaged 2019-11-11 10:46:47 Process: boardframed 2019-11-17 07:15:36 Process: ckkeyrollfd 2019-11-19 11:50:37 Process: mptbd 2019-12-02 05:18:49 Process: mobileargd 2019-12-03 13:15:03 Process: nehelprd 2019-12-12 14:38:31 Process: corecomnetd 2020-02-10 05:15:54 Process: pstid https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 15 of 86 2020-02-12 10:10:30 Process: stagingd (IN: 63.17 MB, OUT: 2.76 MB) 2020-02-13 15:32:49 Process: roleaccountd (IN: 0.25 MB, OUT: 0.13 MB) 2020-03-02 08:57:41 Process: roleaccountd 2020-03-02 08:57:48 Process: stagingd 2020-03-02 08:58:07 Process: seraccountd 2020-12-15 10:55:58 Process: comsercvd 2020-12-24 08:45:03 Process: comsercvd (IN: 17.63 MB, OUT: 64.19 MB) 2020-12-24 16:47:45 Process: comsercvd 2021-02-09 09:42:00 Attack related push notifications over iMessage 2021-02-09 10:06:50 Process: ctrlfs 2021-02-09 10:06:50 Process: ctrlfs 2021-05-20 05:46:42 Process: com.apple.rapports.events Forensic traces for FRHRD1 – Claude Mangin    Phone 1 Date (UTC) Event 2020-10-08 08:40:42 File created: Library/Preferences/com.apple.softwareupdateservicesd.plist from HomeDomain https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 16 of 86 2020-10-08 10:25:29 Process record deleted from ZPROCESS (IN: 5.46 MB, OUT: 45.62 MB) 2020-10-09 16:17:22 Process record deleted from ZPROCESS (IN: 0.71 MB, OUT: 1.33 MB) 2020-10-10 16:17:24 Process record deleted from ZPROCESS (IN: 0.30 MB, OUT: 0.82 MB) 2020-10-11 16:17:32 Process record deleted from ZPROCESS (IN: 2.25 MB, OUT: 4.88 MB) 2020-10-12 16:51:34 Process record deleted from ZPROCESS (IN: 0.98 MB, OUT: 1.31 MB) 2020-10-13 17:55:23 Process record deleted from ZPROCESS (IN: 1.20 MB, OUT: 5.40 MB) 2020-10-15 17:30:29 Process record deleted from ZPROCESS (IN: 1.56 MB, OUT: 1.92 MB) 2020-10-17 17:08:00 Process record deleted from ZPROCESS (IN: 1.80 MB, OUT: 0.23 MB) 2020-11-18 13:32:24 Process record deleted from ZPROCESS (IN: 1.83 MB, OUT: 0.21 MB) 2020-12-14 15:29:59 Process record deleted from ZPROCESS (IN: 1.83 MB, OUT: 0.25 MB) 2020-12-14 15:31:13 Process record deleted from ZPROCESS (IN: 0.02 MB, OUT: 0.05 MB) https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 17 of 86 2020-12-15 14:36:59 Process record deleted from ZPROCESS (IN: 1.83 MB, OUT: 0.25 MB) 2021-01-12 14:33:11 Process record deleted from ZPROCESS (IN: 6.99 MB, OUT: 22.26 MB) 2021-01-15 13:39:12 Process record deleted from ZPROCESS (IN: 0.06 MB, OUT: 0.07 MB) 2021-01-16 13:43:10 Process record deleted from ZPROCESS (IN: 2.00 MB, OUT: 1.88 MB) 2021-01-17 15:48:01 Process record deleted from ZPROCESS (IN: 1.25 MB, OUT: 4.43 MB) 2021-01-19 13:58:33 Process record deleted from ZPROCESS (IN: 2.94 MB, OUT: 3.59 MB) 2021-01-21 08:40:52 Process record deleted from ZPROCESS (IN: 1.69 MB, OUT: 1.64 MB) 2021-01-22 08:41:08 Process record deleted from ZPROCESS (IN: 2.50 MB, OUT: 4.70 MB) 2021-03-16 12:33:20 Process record deleted from ZPROCESS (IN: 292.83 MB, OUT: 353.60 MB) 2021-03-17 12:40:45 Process record deleted from ZPROCESS (IN: 0.63 MB, OUT: 0.37 MB) 2021-03-19 10:55:06 Process record deleted from ZPROCESS (IN: 2.74 MB, OUT: 1.72 MB) https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 18 of 86 2021-03-20 10:57:33 Process record deleted from ZPROCESS (IN: 9.34 MB, OUT: 8.15 MB) 2021-03-21 10:59:08 Process record deleted from ZPROCESS (IN: 12.38 MB, OUT: 19.65 MB) 2021-03-22 11:02:54 Process record deleted from ZPROCESS (IN: 2.54 MB, OUT: 5.11 MB) 2021-03-23 11:34:43 Process record deleted from ZPROCESS (IN: 0.35 MB, OUT: 0.21 MB) 2021-03-24 11:51:11 Process record deleted from ZPROCESS (IN: 2.69 MB, OUT: 1.72 MB) 2021-03-25 12:44:15 Process record deleted from ZPROCESS (IN: 3.74 MB, OUT: 3.94 MB) 2021-03-27 14:43:42 Process record deleted from ZPROCESS (IN: 1.72 MB, OUT: 1.06 MB) 2021-03-27 22:52:14 Process: brstaged 2021-03-31 14:18:42 Process record deleted from ZPROCESS (IN: 0.02 MB, OUT: 0.01 MB) 2021-03-31 14:19:03 Process record deleted from ZPROCESS (IN: 1.87 MB, OUT: 0.28 MB) 2021-04-01 05:50:40 Process: accountpfd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 19 of 86 2021-04-30 12:25:15 Process record deleted from ZPROCESS (IN: 77.19 MB, OUT: 49.49 MB) 2021-05-01 16:35:25 Process record deleted from ZPROCESS (IN: 5.86 MB, OUT: 3.63 MB) 2021-05-03 07:27:01 Process record deleted from ZPROCESS (IN: 1.70 MB, OUT: 0.97 MB) 2021-05-04 07:59:24 Process record deleted from ZPROCESS (IN: 2.66 MB, OUT: 1.77 MB) 2021-05-05 09:09:40 Process record deleted from ZPROCESS (IN: 11.23 MB, OUT: 7.73 MB) 2021-05-07 13:13:51 Process record deleted from ZPROCESS (IN: 5.51 MB, OUT: 3.57 MB) 2021-05-08 13:15:26 Process record deleted from ZPROCESS (IN: 13.65 MB, OUT: 9.88 MB) 2021-05-09 13:18:40 Process record deleted from ZPROCESS (IN: 15.42 MB, OUT: 9.87 MB) 2021-05-10 13:20:46 Process record deleted from ZPROCESS (IN: 0.31 MB, OUT: 0.19 MB) 2021-05-12 09:25:23 Process record deleted from ZPROCESS (IN: 3.87 MB, OUT: 2.33 MB) 2021-05-13 09:26:19 Process record deleted from ZPROCESS (IN: 1.79 MB, OUT: 1.15 MB) https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 20 of 86 2021-05-14 00:32:59 Process: comsercvd 2021-05-15 12:51:46 Process: com.apple.Mappit.SnapshotService (IN: 0.03 MB, OUT: 0.01 MB) 2021-05-15 12:56:04 Process record deleted from ZPROCESS (IN: 1.87 MB, OUT: 0.28 MB) 2021-05-15 13:04:10 Process: roleaboutd 2021-05-15 13:04:10 Process: confinstalld 2021-05-15 13:04:10 Process: gssdp 2021-05-15 20:58:34 Process: roleaboutd 2021-05-15 20:58:34 Process: confinstalld 2021-05-15 20:58:34 Process: gssdp 2021-05-16 21:46:58 Process: roleaboutd 2021-05-16 21:46:58 Process: confinstalld https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 21 of 86 2021-05-16 21:46:58 Process: gssdp 2021-05-17 21:46:13 Process: roleaboutd 2021-05-17 21:46:13 Process: confinstalld 2021-05-17 21:46:13 Process: gssdp 2021-05-18 21:47:13 Process: roleaboutd 2021-05-18 21:47:13 Process: confinstalld 2021-05-18 21:47:13 Process: gssdp 2021-05-19 22:30:36 Process: roleaboutd 2021-05-19 22:30:36 Process: confinstalld 2021-05-19 22:30:36 Process: gssdp 2021-05-21 21:09:59 Process: roleaboutd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 22 of 86 2021-05-21 21:09:59 Process: confinstalld 2021-05-21 21:09:59 Process: gssdp 2021-05-22 21:12:51 Process: roleaboutd 2021-05-22 21:12:51 Process: confinstalld 2021-05-22 21:12:51 Process: gssdp 2021-05-23 21:13:37 Process: roleaboutd 2021-05-23 21:13:37 Process: confinstalld 2021-05-23 21:13:37 Process: gssdp 2021-05-23 21:14:55 Process: roleaboutd 2021-05-23 21:14:55 Process: confinstalld 2021-05-23 21:14:55 Process: gssdp https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 23 of 86 2021-05-25 10:51:16 Process: roleaboutd 2021-05-25 10:51:16 Process: confinstalld 2021-05-25 10:51:16 Process: gssdp 2021-05-26 19:31:58 Process: roleaboutd 2021-05-26 19:31:58 Process: confinstalld 2021-05-26 19:31:58 Process: gssdp 2021-05-27 19:35:21 Process: roleaboutd 2021-05-27 19:35:21 Process: confinstalld 2021-05-27 19:35:21 Process: gssdp 2021-05-28 19:50:06 Process: roleaboutd 2021-05-28 19:50:06 Process: confinstalld https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 24 of 86 2021-05-28 19:50:06 Process: gssdp 2021-05-29 19:51:18 Process: roleaboutd 2021-05-29 19:51:18 Process: confinstalld 2021-05-29 19:51:18 Process: gssdp 2021-05-31 04:52:47 Process: roleaboutd 2021-05-31 04:52:47 Process: confinstalld 2021-05-31 04:52:47 Process: gssdp 2021-05-31 04:53:49 Process: roleaboutd 2021-05-31 04:53:49 Process: confinstalld 2021-05-31 04:53:49 Process: gssdp 2021-06-01 05:13:25 Process: roleaboutd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 25 of 86 2021-06-01 05:13:25 Process: confinstalld 2021-06-01 05:13:25 Process: gssdp 2021-06-01 14:12:05 Process: PDPDialogs 2021-06-02 05:14:44 Process: roleaboutd 2021-06-02 05:14:44 Process: confinstalld 2021-06-02 05:14:44 Process: gssdp 2021-06-03 05:23:42 Process: roleaboutd 2021-06-03 05:23:42 Process: confinstalld 2021-06-03 05:23:42 Process: gssdp 2021-06-04 14:38:54 Process: roleaboutd 2021-06-04 14:38:54 Process: confinstalld https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 26 of 86 2021-06-04 14:38:54 Process: gssdp 2021-06-05 20:26:58 Process: confinstalld 2021-06-06 20:33:20 Process: confinstalld 2021-06-07 20:31:57 Process: confinstalld 2021-06-09 14:42:29 Process: confinstalld 2021-06-10 20:09:26 Process: confinstalld 2021-06-11 09:34:00 Attack related push notifications over iMessage 2021-06-11 09:35:00 Attack related push notifications over iMessage 2021-06-11 09:36:00 Attack related push notifications over iMessage 2021-06-11 09:37:00 Attack related push notifications over iMessage 2021-06-11 09:37:52 iMessage lookup for account linakeller2203[@]gmail.com https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 27 of 86 2021-06-11 09:38:00 Attack related push notifications over iMessage 2021-06-11 09:40:00 Attack related push notifications over iMessage 2021-06-11 09:41:00 Attack related push notifications over iMessage 2021-06-11 09:43:00 Attack related push notifications over iMessage 2021-06-11 09:48:37 Process: com.apple.Mappit.SnapshotService (IN: 0.02 MB, OUT: 0.01 MB) 2021-06-11 09:48:49 Process: com.apple.Mappit.SnapshotService 2021-06-11 09:51:28 Process: cfprefssd 2021-06-11 20:25:58 Process: confinstalld 2021-06-12 19:30:30 Process: confinstalld Phone 2 Date (UTC) Event 2021-07-06 12:39:42 iMessage lookup for account linakeller2203[@]gmail.com https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 28 of 86 2021-07-06 12:40:30 Traces from zero-click attack attempt over iMessage Forensic traces for FRHRD2 Date (UTC) Event 2019-01-03 11:32 Suspicious SMS with fake Facebook link: https://web-facebook[.]com/[REDACTED] Forensic traces for FRHRL1  – Joseph Breham Date (UTC) Event 2019-09-20 10:27:41 iMessage lookup for account bergers.o79[@]gmail.com 2019-09-20 10:29:47 iMessage lookup for account naomiwerff772[@]gmail.com 2019-10-29 09:04:58 Process: bh (IN: 2.86 MB, OUT: 0.21 MB) 2019-10-29 09:05:08 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain 2019-10-29 09:05:52 Process: mptbd (IN: 18.31 MB, OUT: 106.70 MB) 2019-11-01 12:09:05 Process: mptbd 2019-11-01 19:03:23 Process: mptbd 2019-11-04 09:35:34 Process: corecomnetd (IN: 62.45 MB, OUT: 157.21 MB) 2019-11-07 11:53:06 Process: corecomnetd 2019-11-07 19:41:45 Process: corecomnetd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 29 of 86 2019-11-08 15:27:30 Process: actmanaged (IN: 90.27 MB, OUT: 139.34 MB) 2019-11-13 19:09:16 Process: actmanaged 2019-11-15 17:07:06 Process: actmanaged 2019-11-20 11:15:13 Process: pstid (IN: 13.85 MB, WWAN OUT: 1.83 MB) 2019-11-20 11:17:40 Process: pstid 2019-11-22 09:17:27 Process: bh 2019-11-22 09:22:00 Process: logseld (IN: 0.01 MB, WWAN OUT: 0.01 MB) 2019-11-26 09:23:57 Process: ckeblld (IN: 0.02 MB, WWAN OUT: 0.01 MB) 2019-11-29 09:38:05 Process: libbmanaged (IN: 77.70 MB, OUT: 128.32 MB) 2019-12-05 10:45:44 Process: libbmanaged 2019-12-06 08:25:23 Process: libbmanaged 2019-12-06 12:02:25 Process: natgd 2019-12-09 10:44:59 Process: launchrexd (IN: 22.50 MB, OUT: 86.92 MB) 2019-12-15 17:17:59 Process: launchrexd 2019-12-16 01:37:31 Process: launchrexd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 30 of 86 2019-12-18 08:13:29 Process: bh 2019-12-18 08:14:05 Process: ckeblld 2019-12-18 11:50:15 Process: ckeblld 2019-12-22 15:13:04 Process: natgd (IN: 5.39 MB, OUT: 35.72 MB) 2019-12-25 08:57:28 iMessage lookup for account bogaardlisa803[@]gmail.com Forensic traces for FRHRL2 Date (UTC) Event 2019-06-13 14:03:23 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain 2019-06-13 14:03:42 File created: Library/Preferences/roleaccountd.plist from RootDomain 2019-06-13 14:04:00 Process: roleaccountd (IN: 0.01 MB, OUT: 0.00 MB) 2019-06-13 14:04:00 Process: stagingd (IN: 1.47 MB, OUT: 0.08 MB) 2019-06-13 14:04:30 Process: launchafd (IN: 0.01 MB, OUT: 0.01 MB) 2019-06-13 14:04:31 Process: launchafd 2019-06-13 16:03:43 Process: roleaccountd 2019-06-17 17:22:00 Process: corecomnetd 2019-06-24 08:58:25 Process: corecomnetd (IN: 0.51 MB, OUT: 0.88 MB) https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 31 of 86 2019-07-01 14:44:29 iMessage lookup for account b\x00\x00gers.o79[@]gmail.com (bergers.o79[@]gmail.com) 2019-07-04 09:01:19 Process: fdlibframed 2019-07-08 10:14:53 Process: fdlibframed (IN: 25.19 MB, OUT: 209.25 MB) 2019-07-10 08:44:54 Process: fdlibframed 2019-07-12 13:58:16 iMessage lookup for account bergers.o79[@]gmail\x00\x00om (bergers.o79[@]gmail.com) 2019-07-18 18:22:47 Process: corecomnetd (IN: 64.69 MB, OUT: 401.88 MB) 2019-07-18 19:53:44 Process: corecomnetd 2019-07-22 15:13:11 Process: roleaboutd 2019-07-25 18:29:47 Process: roleaboutd (IN: 4.62 MB, OUT: 10.40 MB) 2019-07-28 20:24:31 Process: roleaboutd (IN: 27.80 MB, OUT: 261.17 MB) 2019-07-29 04:02:57 Process: roleaboutd 2019-08-02 15:34:08 Process: roleaccountd (IN: 0.02 MB, OUT: 0.01 MB) 2019-08-02 15:34:11 Process: stagingd (IN: 2.95 MB, OUT: 0.12 MB) 2019-08-02 15:34:19 Process: stagingd 2019-08-02 15:34:36 Process: pstid (IN: 10.20 MB, OUT: 68.77 MB) https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 32 of 86 2019-08-03 13:58:01 Process: pstid 2019-08-07 10:40:04 iMessage lookup for account bergers.o79[@]gmail.com 2020-02-06 14:52:22 Photostream lookup for account bogaardlisa803[@]gmail.com 2021-02-08 10:42:40 iMessage lookup for account linakeller2203[@]gmail.com 2021-02-08 11:27:23 Process: gatekeeperd (IN: 0.01 MB, OUT: 0.00 MB) 2021-02-08 11:27:25 Process: bluetoothfs 2021-02-08 12:27:21 Process: gatekeeperd Forensic traces for FRJRN1 – Lenaig Bredoux Date (UTC) Event 2019-07-08 05:22:05 iMessage lookup for account bergers.o79[@]gmail.com 2019-10-10 12:39:17 File: Library/Preferences/com.apple.CrashReporter.plist from RootDomain 2020-03-12 15:06:23 Process: frtipd (IN: 0.05 MB, OUT: 0.43 MB) 2020-03-13 02:20:34 Process: frtipd 2020-03-16 10:46:55 Process: comnetd (IN: 0.58 MB, OUT: 4.92 MB) 2020-03-20 09:48:10 Process: comnetd 2020-03-21 20:09:49 Process: comnetd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 33 of 86 2020-03-23 13:57:42 Process: netservcomd (IN: 0.01 MB, OUT: 0.06 MB) 2020-03-23 21:10:16 Process: netservcomd 2020-04-19 12:25:41 Process: setframed (IN: 0.23 MB, OUT: 2.00 MB) 2020-04-20 21:32:18 Process: setframed 2020-04-22 16:43:22 Process: launchrexd (IN: 0.50 MB, OUT: 4.14 MB) 2020-04-27 20:01:46 Process: launchrexd 2020-05-01 14:18:15 Process: nehelprd (IN: 4.24 MB, OUT: 52.75 MB) 2020-05-03 00:57:11 Process: nehelprd 2020-05-04 11:39:47 Process: msgacntd (IN: 3.21 MB, OUT: 34.59 MB) 2020-05-06 12:52:13 Process: msgacntd 2020-05-06 20:29:07 Process: msgacntd 2020-07-07 15:04:34 Process: aggregatenotd (IN: 1.10 MB, OUT: 10.69 MB) 2020-05-08 17:56:58 Process: aggregatenotd 2020-05-09 10:21:18 Process: bundpwrd (IN: 1.37 MB, OUT: 9.63 MB) 2020-05-09 16:52:05 Process: bundpwrd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 34 of 86 2020-05-12 05:27:20 Process: seraccountd (IN: 0.06 MB, OUT: 0.42 MB) 2020-05-12 19:29:17 Process: seraccountd 2020-05-13 16:06:41 Process: otpgrefd (IN: 1.28 MB, OUT: 13.78 MB) 2020-05-13 17:19:07 Process: otpgrefd 2020-05-15 12:23:30 Process: eventstorpd (IN: 0.01 MB, OUT: 0.06 MB) 2020-05-16 18:00:50 Process: eventstorpd 2020-05-16 18:12:29 Process: eventstorpd 2020-05-17 14:42:23 Process: roleaboutd (IN: 6.54 MB, OUT: 69.61 MB) 2020-05-20 11:38:45 Process: roleaboutd 2020-05-20 21:01:24 Process: roleaboutd 2020-05-21 14:54:20 Process: mptbd (IN: 0.70 MB, OUT: 8.14 MB) 2020-05-23 16:05:30 Process: mptbd 2020-05-23 22:58:10 Process: bh (IN: 4.93 MB, OUT: 0.61 MB) 2020-05-24 15:44:39 Process: bh 2020-05-24 15:46:51 Process: fservernetd (IN: 0.00 MB, OUT: 0.04 MB) https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 35 of 86 2020-05-24 17:36:36 Process: fservernetd 2020-05-26 12:28:34 Process: brstaged (IN: 2.56 MB, OUT: 22.61 MB) 2020-05-27 04:33:50 Process: brstaged 2020-05-27 14:55:06 Process: ckkeyrollfd (IN: 0.01 MB, OUT: 0.09 MB) 2020-05-27 16:58:52 Process: bh 2020-05-27 18:00:50 Process: ckkeyrollfd 2020-07-10 11:12:35 iMessage account lookup: bogaardlisa803[@]gmail.com Forensic traces for FRJRN2 Date (UTC) Event 2019-08-16 12:08:44 iMessage lookup for account bergers.o79[@]gmail.com 2019-08-16 12:33:52 iMessage lookup for account bergers.o79[@]gmail\x00\x00om 2019-08-16 12:37:55 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain 2019-08-16 12:41:25 File created: Library/Preferences/roleaccountd.plist from RootDomain 2019-08-16 12:41:36 Process: roleaccountd (IN: 0.01 MB, OUT: 0.01 MB) 2019-08-16 12:41:52 Process: stagingd (IN: 1.46 MB, OUT: 0.09 MB) 2019-08-16 12:49:21 Process: aggregatenotd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 36 of 86 2019-08-20 13:35:23 Process: aggregatenotd (IN: 11.07 MB, OUT: 45.52 MB) 2019-08-21 14:10:48 Process: aggregatenotd Forensic traces for FRJRN3 – Edwy Plenel Date (UTC) Event 2019-07-05 11:23:29 File: Library/Preferences/com.apple.CrashReporter.plist from RootDomain 2019-07-05 11:23:45 File created: Library/Preferences/roleaccountd.plist from RootDomain 2019-07-05 11:23:51 Process: stagingd 2019-07-05 11:24:19 Process: eventfssd 2019-07-07 11:28:15 Process: eventfssd 2019-07-09 10:39:41 Process: fservernetd 2019-07-09 11:49:48 Process: fservernetd 2019-07-12 11:12:24 Process: nehelprd 2019-07-14 14:01:26 Process: nehelprd 2019-07-20 12:18:30 Process: libbmanaged 2019-08-11 14:03:11 Process: rlaccountd 2019-08-13 17:34:40 Process: rlaccountd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 37 of 86 2019-08-19 13:21:02 Process: libbmanaged 2019-08-19 14:48:42 Process: libbmanaged 2019-08-19 21:51:00 Process: libbmanaged 2019-08-28 09:12:33 Process: roleaccountd 2019-08-28 09:12:34 Process: stagingd 2019-08-28 09:12:49 Process: stagingd 2019-08-28 09:13:10 Process: boardframed 2019-08-29 09:15:05 Process: boardframed 2019-08-31 09:04:17 Process: boardframed 2019-08-31 09:49:33 Process: boardframed 2019-09-03 10:59:31 Process: launchafd 2019-09-05 11:02:43 Process: launchafd 2019-09-05 20:32:02 Process: launchafd Forensic traces for FRJRN4 – Bruno Delport Date (UTC) Event 2019-07-05 13:21:47 File created Library/Preferences/com.apple.CrashReporter.plist from RootDomain https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 38 of 86 2019-07-05 13:21:53 File modified Library/Preferences/com.apple.CrashReporter.plist from RootDomain Forensic traces for FRJRN5 2019-08-16 12:19:54 iMessage lookup for account b\x00\x00gers.o79[@]gmail.com 2019-08-19 09:20:01 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain 2019-08-19 09:20:30 File created: Library/Preferences/roleaccountd.plist from RootDomain 2019-08-19 09:20:45 Process: roleaccountd (IN: 0.01 MB, OUT: 0.00 MB) 2019-08-19 09:20:45 Process: stagingd (IN: 1.46 MB, OUT: 0.06 MB) 2019-08-19 09:20:50 Process: stagingd 2019-08-19 09:21:13 Process: bundpwrd (IN: 28.50 MB, OUT: 198.12 MB) 2019-08-21 05:36:00 Process: bundpwrd 2019-08-21 07:39:34 iMessage lookup for account bergers.o79[@]gmail.com Forensic traces for FRPOI1 Date (UTC) Event 2019-03-16 10:42:56 iMessage lookup for account bergers.o79[@]gmail.com 2020-08-02 20:03:19 iMessage lookup for account naomiwerff772[@]gmail.com Forensic traces for FRPOI2 – François de Rugy https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 39 of 86 Date (UTC) Event 2019-07-XX iMessage lookup for account bergers.o79[@]gmail.com Forensic traces for FRPOI3 – Philippe Bouyssou Date (UTC) Event 2021-07-06 12:20:01 iMessage lookup for account linakeller2203[@]gmail.com Forensic traces for FRPOI4 Date (UTC) Event 2021-XX-XX iMessage lookup for account linakeller2203[@]gmail.com Forensic traces for FRPOI5 – Oubi Buchraya Bachir Date (UTC) Event 2021-03-15 12:08:27 iMessage lookup for account linakeller2203[@]gmail.com 2021-03-15 12:12:49 Traces related to iMessage exploitation 2021-03-15 12:16:02c File modified: Library/Caches from RootDomain Forensic traces for HUJRN1 – András Szabó Date (UTC) Event 2019-06-13 11:15:40 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 40 of 86 2019-06-13 11:15:53 File created: Library/Preferences/roleaccountd.plist from RootDomain 2019-06-13 12:39:40 Process record deleted from ZPROCESS (IN: 3.69 MB, OUT: 27.39 MB) 2019-06-15 08:06:27 Process record deleted from ZPROCESS (IN: 0.32 MB, OUT: 0.56 MB) 2019-07-25 09:31:09 Process record deleted from ZPROCESS (IN: 7.80 MB, OUT: 6.43 MB) 2019-08-16 10:13:19 Process record deleted from ZPROCESS (IN: 18 MB, OUT: 29.81 MB) 2019-09-15 15:30:44 Process record deleted from ZPROCESS (IN: 1.27 MB, OUT: 3.34 MB) 2019-09-17 06:33:24 Process record deleted from ZPROCESS (IN: 2.00 MB, OUT: 5.57 MB) 2019-09-24 13:26:15 iMessage lookup for account jessicadavies1345[@]outlook.com 2019-09-24 13:26:51 iMessage lookup for account emmadavies8266[@]gmail.com 2019-09-24 13:32:10 Process: roleaccountd (IN: 0.02 MB, OUT: 0.003 MB) 2019-09-24 13:32:11 Process: roleaccountd 2019-09-24 13:32:13 Process: stagingd (IN: 4.03 MB, OUT: 0.19 MB) 2019-09-24 13:32:23 Process: stagingd 2019-09-26 14:32:25 Process record deleted from ZPROCESS (IN: 1.16 MB, OUT: 2.81 MB) 2019-10-24 05:40:33 Process record deleted from ZPROCESS (IN: 12.81 MB, OUT: 46 MB) Forensic traces for HUJRN2 – Szabolcs Panyi https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 41 of 86 Date (UTC) Event 2019-04-04 05:33:02 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain 2019-04-04 05:33:12 File created: Library/Preferences/roleaccountd.plist from RootDomain 2019-04-04 06:02:26 Process: libbmanaged (IN: 23.29 MB, OUT: 21.39 MB) 2019-04-06 21:47:45 Process: libbmanaged 2019-07-05 08:35:28 Process: ckeblld (IN: 45.44 MB, OUT: 118.06 MB) 2019-07-12 20:49:11 Process: ckeblld 2019-07-13 20:32:28 Process: ckeblld 2019-07-15 12:02:37 iMessage lookup for account e\x00\x00adavies8266[@]gmail.com (emmadavies8266[@]gmail.com) 2019-07-15 14:21:40 Process: accountpfd (IN: 0.88 MB, OUT: 1.77 MB) 2019-07-16 14:25:11 Process: accountpfd 2019-08-29 10:57:43 Process: roleaccountd (IN: 0.01 MB, OUT: 0.003 MB) https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 42 of 86 2019-08-29 10:57:44 Process: stagingd (IN: 4.05 MB, OUT: 0.20 MB) 2019-08-29 10:58:35 Process: launchrexd (IN: 0.03 MB, OUT: 0.01 MB) 2019-09-03 07:54:26 Process: roleaccountd 2019-09-03 07:54:28 Process: stagingd 2019-09-03 07:54:51 Process: seraccountd (IN: 20.94 MB, OUT: 7.52 MB) 2019-09-05 08:00:15 Process: seraccountd 2019-09-05 13:26:38 Process: seraccountd 2019-09-05 13:26:55 Process: misbrigd (IN: 10.12 MB, OUT: 8.13 MB) 2019-09-06 13:27:04 Process: misbrigd 2019-09-06 22:04:12 Process: misbrigd 2019-09-10 06:09:04 iMessage lookup for account emmadavies8266[@]gmail.com https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 43 of 86 2019-09-10 06:09:49 iMessage lookup for account jessicadavies1345[@]outlook.com 2019-10-30 14:09:51 Process: nehelprd (IN: 23.45 MB, OUT: 8.64 MB) 2019-11-04 14:27:48 Process: nehelprd 2019-11-07 01:58:52 Process: nehelprd Forensic traces for HUPOI1 Date (UTC) Event 2018-06-01 12:33:08 Process: stagingd 2018-06-01 12:33:08 Process: roleaccountd 2018-06-01 12:35:55 Process: fmld 2018-06-05 18:21:35 Process: stagingd (IN: 7.17 MB, OUT: 0.01 MB) 2018-06-08 14:42:05 Process: fmld (IN: 3.52 MB, OUT: 0.07 MB) 2018-06-21 07:02:55 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain 2018-06-21 07:03:19 Process: roleaccountd (IN: 0.05 MB, OUT: 0.00 MB) 2018-06-21 07:03:31 Process: stagingd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 44 of 86 2018-06-27 05:04:19 Thumper lookup for account k.williams.enny74[@]gmail.com 2018-06-27 08:09:04 Process: bh (IN: 4.42 MB, OUT: 0.29 MB) 2018-07-09 08:30:34 Process: bh 2018-07-10 08:31:19 Process: fmld (IN: 22.54 MB, OUT: 64.62 MB) 2018-07-10 09:40:37 Process: fmld Forensic traces for HUPOI2 – Adrien  Beauduin                                Date (UTC) Event 2018-12-19 09:13:48 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain 2018-12-19 09:15:57 File modified: Library/Caches from RootDomain 2018-12-20 11:06:49 Thumper lookup for account k.williams.enny74[@]gmail.com Forensic traces for HUPOI3 Date (UTC) Event 2018-06-01 10:12:49 IMessage lookup for k.williams.enny74[@]gmail.com Forensic traces for INHRD1 – SAR Geelani Date (UTC) Event https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 45 of 86 2017-07-05 15:01:28 Process: pcsd 2017-11-30 09:26:33 Process: pcsd (IN: 24.09 MB, OUT: 211.43 MB) 2017-12-19 06:48:00 Process: pcsd 2018-02-13 12:46:10 SMS from +447797801009: United Nations launches online portal for the independence of Kashmir. To cast your online vote click here https://bit[.]ly/2o487h1 (https://signpetition[.]co/vU1zwaqFh) 2018-02-15 12:06:01 SMS from +447797801009: BJP hatches conspiracy for a muslim free Jammu region through medical poisoning of muslims. https://bit[.]ly/2o95TNh (https://news-alert[.]org/TfteZB6wK) 2018-02-16 09:44:46 SMS from +447797801009: Another incident showing Indian army beating librandu Kashmiri youth mercilessly to chant Pakistan Murdabad. https://bit[.]ly/2ob9QkO (https://news-alert[.]org/K9pAkFk3R) 2018-04-12 14:10:57 SMS from +447797801009: Organization of Islamic countries(OIC) launches online portal for the independence of Kashmir from India. For the detailed article, click here https://bit[.]ly/2Hk1UJE (https://news-alert[.]org/WW7G1EW2) 2018-04-13 13:13:30 SMS from +447797801009: Global powers urge Indian leadership to concede the entire Jammu & Kashmir to Pakistan for regional peace and stability. For the detailed article, click here. https://news-alert[.]org/T1q4YjItT 2018-04-16 10:52:26 SMS from +447797801009: Hot & sexy male & female escorts available at 60% discount. To avail the service, please click on https://my-privacy[.]co/Ooboe7u 2018-04-17 12:39:36 SMS from +447797801009: European Union leads its unconditional support to India over the issue of Kashmir during the current visit of PM Modi. For more details, click https://my-privacy[.]co/j2xgK558 https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 46 of 86 2018-04-20 13:36:02 SMS from +447797801009: India & America strategically conspiring for the failure of China Pakistan Economic Corridor(CPEC). For the detailed article, click here. https://my-privacy[.]co/ZOubFbXW 2018-04-23 12:58:31 SMS from +447797801009: Syed Ali Shah Geelani comes out with 5 point proposal for India, Pak. https://bit[.]ly/2HkhW2L (https://news-alert[.]org/1M2VbKPeB) 2018-04-27 08:17:38 SMS from +447797801009: Pakistan always stood like a rock guarding Kashmir cause says Geelani. https://bit[.]ly/2Fl7Dtq (https://news-alert.org/xdwWVvCP) 2018-04-27 12:02:13 SMS from +447797801009: Yasin Malik to address press conference at UN.For detail news click at https://bit[.]ly/2FlNjIC (https://news-alert[.]org/CyCX97BO) 2018-05-01 11:57:38 SMS from +447797801009: Pakistan strategically preparing to put the issue of Kashmir in International Court of Justice. Read full storey here https://bit[.]ly/2Fwg2dH (https://news-alert[.]org/AXJ1n6e) 2018-05-02 12:36:16 SMS from +447797801009: Pakistan in all probability will become the next province of China through China Pakistan Economic Corridor (CPEC). For the detailed article, click here. https://news-alert[.]org/KYz4FG6 2018-05-18 04:37:42 Process: fmld 2018-05-24 04:18:31 Process: roleaccountd 2018-05-24 04:18:41 Process: stagingd 2018-07-20 14:05:14 Thumper lookup for account taylorjade0303[@]gmail.com 2018-10-24 08:48:04 Process: fmld (IN: 208.63 MB, OUT: 3591.56 MB) https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 47 of 86 2018-10-27 07:05:42 Process: roleaccountd (IN: 0.28 MB, OUT: 0.04 MB) 2018-10-27 07:05:50 Process: stagingd (IN: 53.02 MB, OUT: 0.15 MB) 2018-10-28 07:09:14 Process: fmld (IN: 1.84 MB, OUT: 110.30 MB) 2018-10-29 07:16:51 Process: fmld (IN: 1.70 MB, OUT: 69.41 MB) 2018-10-30 07:25:43 Process: fmld (IN: 1.25 MB, OUT: 4.15 MB) 2018-10-31 07:29:37 Process: fmld (IN: 0.63 MB, OUT: 19.51 MB) 2018-12-08 07:24:18 Process: fmld (IN: 9.88 MB, OUT: 150.38 MB) 2018-12-10 06:23:11 Process: fmld 2018-12-27 09:44:30 Process: otpgrefd (IN: 1.66 MB, OUT: 20.07 MB) 2018-12-28 09:08:32 Process: otpgrefd 2018-12-31 06:37:59 Process: bfrgbd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 48 of 86 2019-01-02 06:45:14 Process: bfrgbd (IN: 3.02 MB, OUT: 59.12 MB) 2019-01-02 15:34:37 Process: bfrgbd 2019-01-03 07:13:41 Process: stagingd (IN: 12.96 MB, OUT: 0.05 MB) 2019-01-03 07:20:50 Process: fservernetd (IN: 0.58 MB, OUT: 15.90 MB) 2019-01-03 08:35:44 Process: fservernetd 2019-01-05 05:28:58 Process: libtouchregd (IN: 1.04 MB, OUT: 41.43 MB) 2019-01-05 05:33:02 Process: libtouchregd (IN: 0.00 MB, OUT: 0.38 MB) 2019-01-07 06:06:22 Process: roleaccountd (IN: 0.05 MB, OUT: 0.01 MB) 2019-01-07 06:09:43 Process: stagingd 2019-01-07 06:11:34 Process: accountpfd (IN: 1.41 MB, OUT: 9.05 MB) 2019-01-07 18:13:34 Process: accountpfd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 49 of 86 2019-01-25 07:26:52 Thumper lookup for account lee.85.holland[@]gmail.com 2019-01-25 07:33:59 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain 2019-01-25 07:34:08 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain 2019-01-26 14:16:19 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain 2019-09-22 05:14:27 iMessage lookup for account bekkerfredi[@]gmail.com 2019-09-27 09:20:58 SMS from +9159039000: Trump to mediate between India and Pakistan on Kashmir https://bit[.]ly/ecICPjk 2019-09-27 09:32:59 Process: bh (IN: 1.47 MB, OUT: 0.09 MB) 2019-09-27 09:33:49 Process: natgd (IN: 19.95 MB, OUT: 171.65 MB) 2019-09-28 13:49:07 Process: natgd 2019-10-15 08:40:38 SMS from +9156161940: Get Rs 100 off on recharge of your Tata Sky Id 1093453759 https://todaysdeals4u[.]com/n7V7uA4X5 2019-10-18 10:34:49 SMS from +9156161940: Avail extra benefits on recharge of your Tata Sky Id 1093453759 https://todaysdeals4u[.]com/KjtvDBA https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 50 of 86 2019-10-23 17:07:15 Process: frtipd (IN: 2.24 MB, OUT: 2.87 MB) 2019-10-24 19:27:51 Process: frtipd Forensic traces for INJRN1 – Mangalam Kesavan Venu Date (UTC) Event 2021-02-16 18:40:27 Process: frtipd 2021-02-22 21:34:35 Process: otpgrefd 2021-03-25 08:11:28 Process: boardframed 2021-03-25 08:11:28 Process: comsercvd 2021-05-15 05:06:16 Process: llmdwatchd 2021-05-15 05:06:16 Process: aggregatenotd 2021-05-21 19:17:37 Process: setframed 2021-06-03 19:15:52 Process: seraccountd 2021-06-07 07:09:16 Upgrade from iOS 14.4.2 to 14.6 2021-06-11 14:02:14 Process: comsercvd 2021-06-11 14:02:14 Process: Diagnostics-2543 https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 51 of 86 2021-06-16 05:53:28 Process: actmanaged 2021-06-16 05:53:28 Process: nehelprd 2021-06-16 05:53:29 Process: cfprefssd 2021-06-16 05:58:43 Process: actmanaged 2021-06-16 06:18:04 Process: actmanaged 2021-06-16 07:01:03 Process: actmanaged 2021-06-16 07:16:45 Process: cfprefssd 2021-06-16 07:16:45 Process: nehelprd 2021-06-23 13:39:51 Process record deleted from ZPROCESS (IN: 0.20 MB, OUT: 2.04 MB) 2021-06-27 03:27:12 iMessage lookup for account herbruud2[@]gmail.com 2021-06-27 03:49:51 Process: corecomnetd (IN: 1.25 MB, OUT: 13.20 MB) 2021-06-28 11:11:36 Process: corecomnetd (IN: 0.03, OUT: 0.04 MB) 2021-06-29 07:26:55 Process: corecomnetd Forensic traces for INJRN2 – Sushant Singh Date (UTC) Event 2021-03-31 13:45:32 Process: CommsCenterRootHelper (IN: 0.01 MB, OUT: 4.41 KB) https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 52 of 86 2021-03-31 13:45:46 Process: CommsCenterRootHelper 2021-04-07 09:34:40 Process: eventfssd 2021-04-07 09:34:40 Process: locserviced 2021-04-13 08:52:18 Process: accountpfd 2021-04-13 08:52:18 Process: fservernetd 2021-04-19 15:49:38 Process: otpgrefd 2021-04-19 15:49:38 Process: ckeblld 2021-04-26 13:54:30 Process record deleted from ZPROCESS (IN: 4.24 MB, OUT: 2.19 MB) 2021-04-27 03:34:16 Process: comsercvd 2021-06-05 13:36:54 Process record deleted from ZPROCESS (IN: 0.11 MB, OUT: 2021-06-06 13:38:51 Process record deleted from ZPROCESS (IN: 0.10 MB, OUT: 0.11 MB) 2021-06-07 13:41:51 Process record deleted from ZPROCESS (IN: 0.16 MB, OUT: 0.17 MB) 2021-06-08 13:42:25 Process record deleted from ZPROCESS (IN: 0.11MB, OUT: 0.13 MB) 2021-06-10 13:42:35 Process record deleted from ZPROCESS (IN: 0.10 MB, OUT: 0.11 MB) 2021-06-12 19:09:37 Process: faskeepd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 53 of 86 2021-06-12 19:09:37 Process: logseld 2021-06-18 09:40:45 Process record deleted from ZPROCESS (IN: 0.20 MB, OUT: 0.23 MB) 2021-06-19 14:25:16 Process record deleted from ZPROCESS (IN: 0.04 MB, OUT: 2021-06-19 17:05:21 Process: xpccfd 2021-06-19 17:05:21 Process: pstid 2021-06-21 05:29:38 iMessage lookup for account herbruud2[@]gmail.com 2021-06-21 05:56:55 Process: bfrgbd 2021-06-21 05:56:55 Process: msgacntd 2021-06-21 05:56:55 Process: CommsCenterRootHelper 2021-06-21 06:29:13 Process: bfrgbd 2021-06-21 06:59:25 Process: bfrgbd 2021-06-21 08:22:27 Process: bfrgbd (IN: 1.02 MB, OUT: 2.25 MB) 2021-06-21 13:33:03 Process: bfrgbd 2021-06-21 13:33:03 Process: msgacntd 2021-06-21 13:33:03 Process: CommsCenterRootHelper https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 54 of 86 2021-06-21 13:34:01 Process: bfrgbd 2021-06-21 13:34:01 Process: msgacntd 2021-06-21 13:34:01 Process: CommsCenterRootHelper 2021-06-22 09:47:01 Process: bfrgbd (IN: 0.50 MB, OUT: 0.65 MB) 2021-06-22 14:06:24 Process: bfrgbd 2021-06-22 14:06:24 Process: msgacntd 2021-06-22 14:06:24 Process: CommsCenterRootHelper 2021-06-23 09:50:46 Process: bfrgbd (IN: 0.86 MB, OUT: 1.05 MB) 2021-06-23 15:02:35 Process: bfrgbd 2021-06-23 15:02:35 Process: msgacntd 2021-06-23 15:02:35 Process: CommsCenterRootHelper 2021-06-24 09:50:51 Process: bfrgbd (IN: 0.44 MB, OUT: 60.72 MB) 2021-06-24 15:02:23 Process: bfrgbd 2021-06-24 15:02:23 Process: msgacntd 2021-06-24 15:02:23 Process: CommsCenterRootHelper https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 55 of 86 2021-06-25 09:59:00 Process: bfrgbd (IN: 0.74 MN, OUT: 5.53 MB) 2021-06-25 15:03:09 Process: bfrgbd 2021-06-25 15:03:09 Process: msgacntd 2021-06-25 15:03:09 Process: CommsCenterRootHelper 2021-06-26 13:04:37 Process: bfrgbd (IN: 0.08 MB, OUT: 0.09 MB) 2021-06-26 16:18:41 Process: bfrgbd 2021-06-26 16:18:41 Process: msgacntd 2021-06-26 16:18:41 Process: CommsCenterRootHelper 2021-06-26 16:22:12 Process: bfrgbd 2021-06-26 16:22:12 Process: msgacntd 2021-06-26 16:22:12 Process: CommsCenterRootHelper 2021-06-27 13:34:07 Process: bfrgbd (IN: 0.91 MB, OUT: 1.29 MB) 2021-06-28 00:04:15 Process: bfrgbd 2021-06-28 00:04:15 Process: msgacntd 2021-06-28 00:04:15 Process: CommsCenterRootHelper https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 56 of 86 2021-06-28 13:37:38 Process: bfrgbd (IN: 0.43 MB, OUT: 0.60 MB) 2021-06-29 06:39:31 Process: bfrgbd 2021-06-29 06:39:31 Process: msgacntd 2021-06-29 06:39:31 Process: CommsCenterRootHelper 2021-06-29 06:40:42 Process: bfrgbd 2021-06-29 06:40:42 Process: msgacntd 2021-06-29 06:40:42 Process: CommsCenterRootHelper 2021-06-29 14:12:36 Process: bfrgbd (IN: 0.14 MB, OUT: 0.17 MB) 2021-06-30 07:15:33 Process: bfrgbd 2021-06-30 07:15:33 Process: msgacntd 2021-06-30 07:15:33 Process: CommsCenterRootHelper 2021-06-30 14:15:33 Process: bfrgbd (IN: 0.61 MB, OUT: 1.90 MB) 2021-07-01 14:19:26 Process: bfrgbd (IN: 0.30 MB, OUT: 0.46 MB) 2021-07-01 14:33:08 Process: bfrgbd 2021-07-01 14:33:08 Process: msgacntd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 57 of 86 2021-07-01 14:33:08 Process: CommsCenterRootHelper 2021-07-02 14:20:32 Process: bfrgbd (IN: 0.43 MB, OUT: 0.50 MB) 2021-07-03 04:14:29 Process: bfrgbd 2021-07-03 04:14:29 Process: msgacntd 2021-07-03 04:14:29 Process: CommsCenterRootHelper 2021-07-03 14:27:24 Process: bfrgbd (IN: 0.03 MB, OUT: 0.02 MB) 2021-07-04 05:34:57 Process: bfrgbd 2021-07-04 05:34:57 Process: msgacntd 2021-07-04 05:34:57 Process: CommsCenterRootHelper 2021-07-04 14:39:00 Process: bfrgbd (IN: 0.77 MB, OUT: 0.91 MB) 2021-07-05 09:40:02 Process: bfrgbd 2021-07-05 12:12:01 Process: bfrgbd 2021-07-05 12:12:01 Process: msgacntd 2021-07-05 12:12:01 Process: CommsCenterRootHelper 2021-07-05 12:13:31 Process: bfrgbd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 58 of 86 2021-07-05 12:13:31 Process: msgacntd 2021-07-05 12:13:31 Process: CommsCenterRootHelper 2021-07-05 12:50:32 Process: msgacntd 2021-07-05 12:50:32 Process: bfrgbd Forensic traces for INJRN3 – SNM Abdi Date (UTC) Event 2019-04-02 04:51:19 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain 2019-04-02 04:51:40 File created Library/Preferences/roleaccountd.plist from RootDomain 2019-04-02 04:51:45 Process: roleaccountd 2019-04-02 04:51:50 Process: stagingd 2019-04-26 03:27:40 Process: fdlibframed 2019-04-28 04:00:46 Process: fdlibframed (IN: 7.90 MB, OUT: 25.36 MB) 2019-04-29 12:56:34 Process: fdlibframed 2019-05-27 04:46:07 Process: xpccfd 2019-05-28 04:48:01 Process: xpccfd (IN: 5.24 MB, OUT: 15.32 MB) 2019-07-04 03:33:11 Process: ckeblld (IN: 7.91 MB, OUT: 33.05 MB) https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 59 of 86 2019-07-05 01:22:18 Process: ckeblld 2019-07-05 09:22:54 Process: lobbrogd (IN: 3.76 MB, OUT: 15.59 MB) 2019-07-06 03:20:03 Process: lobbrogd 2019-07-08 05:56:52 Process: xpccfd (IN: 5.69 MB, OUT: 16.14 MB) 2019-07-10 01:24:04 Process: xpccfd 2019-07-11 06:46:37 Process: pstid (IN: 3.59 MN, OUT: 12.08 MB) 2019-07-11 13:41:50 Process: pstid 2019-07-12 09:07:18 Process: roleaccountd (IN: 0.03 MB, OUT: 0.02 MB) 2019-07-12 09:08:07 Process: boardframed (IN: 6.24 MB, OUT: 32.14 MB) 2019-07-12 14:15:01 Process: boardframed 2019-07-15 06:07:28 Process: stagingd  (IN: 8.49 MB, OUT: 0.5 MB) 2019-07-15 18:08:57 Process: ckkeyrollfd 2019-10-19 04:32:33 Process: roleaccountd (IN: 0.04 MB, OUT: 0.02 MB) 2019-10-19 04:33:46 Process: launchafd (IN: 1.28 MB, OUT: 6.48 MB) 2019-10-19 06:10:04 Process: launchafd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 60 of 86 2019-10-21 07:07:16 Process: netservcomd (IN: 0.22 MB, OUT: 1.26 MB) 2019-10-21 07:31:16 Process: netservcomd 2019-10-23 03:48:40 Process: roleaccountd 2019-10-23 03:48:47 Process: stagingd (IN: 7.03 MB, OUT: 0.41 MB) 2019-10-23 03:49:02 Process: stagingd 2019-10-23 03:49:24 Process: misbrigd 2019-10-24 03:50:28 Process: misbrigd (IN: 15.79 MB, OUT: 99.28 MB) 2019-12-22 11:15:30 Process: netservcomd 2019-12-22 11:15:30 Process: launchafd 2019-12-22 11:15:30 Process: misbrigd Forensic traces for INJRN4 – Siddharth Varadarajan Date (UTC) Event 2018-04-06 08:17:14 Process: roleaccountd (IN: 0.03 MB, OUT: 0.01 MB) 2018-04-06 08:17:22 Process: stagingd 2018-04-06 08:18:47 Process: pcsd 2018-04-24 07:57:53 Process: stagingd (IN: 4.15 MB, OUT: 0.02 MB) https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 61 of 86 2018-04-24 07:57:56 Process: roleaccountd 2018-04-24 07:58:16 Process: stagingd 2018-04-26 05:35:12 Process: pcsd (IN: 16.30 MB, OUT: 329.17 MB) 2018-04-26 12:24:42 Process: pcsd 2018-04-27 04:41:37 File created Library/Preferences/com.apple.CrashReporter.plist in RootDomain Forensic traces for INJRN5 – Paranjoy Guha Thakurta Date (UTC) Event 2018-04-04 05:33:47 Process: roleaccountd 2018-04-04 05:33:49 Process: stagingd 2018-05-15 07:46:30 Process: pcsd 2018-05-22 04:17:46 Process: roleaccountd (IN: 0.04 MB, OUT: 0.01 MB) 2018-05-22 04:17:59 Process: stagingd (IN: 5.18 MB, OUT: 0.02 MB) 2018-05-22 04:18:08 Process: pcsd (IN: 3.25 MB, OUT: 20.54 MB) 2018-05-22 04:18:17 Process: pcsd 2018-05-22 04:18:48 Process: fmld 2018-06-20 10:44:14 Process: roleaccountd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 62 of 86 2018-06-20 10:44:31 Process: stagingd 2018-07-25 03:58:42 File created Library/Preferences/com.apple.CrashReporter.plist from RootDomain 2018-07-29 13:07:51 Process: fmld (IN: 55.21 MB, OUT: 417.58 MB) 2018-07-30 11:07:56 Process: fmld Forensic traces for INJRN6 – Smita Sharma Date (UTC) Event 2018-06-25 17:31:37 iMessage lookup for taylorjade0303[@]gmail.com 2018-07-20 11:11:49 iMessage lookup for lee.85.holland[@]gmail.com Forensic traces for INJRN7 Date (UTC) Event 2019-06-12 08:48:04 SMS “R&AW and IB chief to get three months extension. Read full story  https://globalnews247[.]net/3BMw9Zj” Forensic traces for INPOI1 – Prashant Kishor Date (UTC) Event 2018-06-21 13:23:30 Thumper lookup for account taylorjade0303[@]gmail.com 2018-09-06 09:11:49 Thumper lookup for account lee.85.holland[@]gmail.com https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 63 of 86 2021-04-28 03:31:39 Process: ReminderIntentsUIExtension (IN: 0.01 MB, OUT: 0.00 MB) 2021-04-28 03:31:39 Process: ReminderIntentsUIExtension 2021-04-28 03:31:45 Process: ReminderIntentsUIExtension 2021-06-11 12:45:48 Process record deleted from ZPROCESS (IN: 0.01 MB, OUT: 0.00 MB) 2021-06-11 12:46:22 Process record deleted from ZPROCESS (IN: 1.79 MB, OUT: 0.31 MB) 2021-06-11 12:46:47 Process record deleted from ZPROCESS (IN: 12.94 MB, OUT: 145.88 MB) 2021-06-14 06:17:10 Process record deleted from ZPROCESS (IN: 2.36 MB, OUT: 2.76 MB) 2021-06-15 06:21:28 Process record deleted from ZPROCESS (IN: 1.05 MB, OUT: 1.29 MB) 2021-06-16 13:47:51 Process record deleted from ZPROCESS (IN: 0.16 MB, OUT: 0.16 MB) 2021-06-18 13:52:14 Process record deleted from ZPROCESS (IN: 0.01 MB, OUT: 0.00 MB) 2021-06-18 13:53:37 Process record deleted from ZPROCESS (IN: 1.79 MB, OUT: 0.31 MB) 2021-06-18 13:58:41 Process record deleted from ZPROCESS (IN: 13.63 MB, OUT: 172.99 MB) 2021-06-19 14:16:20 Process record deleted from ZPROCESS (IN: 0.87 MB, OUT: 1.02 MB) 2021-06-21 05:44:29 Process record deleted from ZPROCESS (IN: 1.81 MB, OUT: 2.58 MB) 2021-06-22 05:45:29 Process record deleted from ZPROCESS (IN: 1.19 MB, OUT: 1.38 MB) https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 64 of 86 2021-06-23 05:49:37 Process record deleted from ZPROCESS (IN: 0.98 MB, OUT: 1.19 MB) 2021-06-24 05:57:02 Process record deleted from ZPROCESS (IN: 2.66 MB, OUT: 24.15 MB) 2021-06-25 05:57:03 Process record deleted from ZPROCESS (IN: 1.98 MB, OUT: 2.77 MB) 2021-06-26 06:01:26 Process record deleted from ZPROCESS (IN: 0.35 MB, OUT: 0.47 MB) 2021-06-27 06:06:59 Process record deleted from ZPROCESS (IN: 0.42 MB, OUT: 0.49 MB) 2021-06-28 13:19:57 Process record deleted from ZPROCESS (IN: 1.12 MB, OUT: 7.33 MB) 2021-06-30 04:50:04 Process record deleted from ZPROCESS (IN: 1.51 MB, OUT: 6.50 MB) 2021-07-01 04:50:49 Process record deleted from ZPROCESS (IN: 0.52 MB, OUT: 0.60 MB) 2021-07-02 05:08:42 Process record deleted from ZPROCESS (IN: 1.48 MB, OUT: 1.73 MB) 2021-07-03 05:33:23 Process record deleted from ZPROCESS (IN: 1.00 MB, OUT: 2.03 MB) 2021-07-05 11:44:29 Traces related to iMessage attack 2021-07-05 11:48:34 File created: Library/Caches from RootDomain 2021-07-05 11:48:35 Process record deleted from ZPROCESS (IN: 0.01 MB, OUT: 0.00 MB) 2021-07-05 11:49:27 Process: CommsCenterRootHelper (IN: 1.88 MB, OUT: 0.31 MB) 2021-07-05 11:49:27 Process: CommsCenterRootHelper https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 65 of 86 2021-07-05 11:50:19 Process record deleted from ZPROCESS (IN: 7.57 MB, OUT: 90.71 MB) 2021-07-07 04:11:55 Process record deleted from ZPROCESS (IN: 0.62 MB, OUT: 0.77 MB) 2021-07-08 12:21:05 iMessage lookup for account herbruud2[@]gmail.com 2021-07-08 12:27:04 Process record deleted from ZPROCESS (IN: 0.01 MB, OUT: 0.00 MB) 2021-07-08 12:27:18 Process record deleted from ZPROCESS (IN: 1.88 MB, OUT: 0.23 MB) 2021-07-08 12:28:14 Process: smmsgingd (IN: 6.94 MB, OUT: 82.77 MB) 2021-07-09 12:59:49 Process: smmsgingd (IN: 0.45 MB, OUT: 0.51 MB) 2021-07-12 08:45:26 Process: smmsgingd (IN: 2.69 MB, OUT: 7.99 MB) 2021-07-13 08:47:45 Process: smmsgingd (IN: 1.23 MB, OUT: 8.63 MB) 2021-07-14 09:26:50 Process: smmsgingd (IN: 0.77 MB, OUT: 2.28 MB) 2021-07-14 13:17:15 Process: smmsgingd Forensic traces for INPOI2 Date (UTC) Event 2019-10-18 03:59:01 iMessage lookup for bekkerfredi[@]gmail.com Forensic traces for KASH01 – Hatice Cengiz Date (UTC) Event https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 66 of 86 2018-10-06 00:33:28 File created: Library/Preferences/com.apple.CrashReporter.plist from RootDomain 2018-10-06 07:30:13 Process: fmld (IN: 33.27 MB, OUT: 324.72 MB) 2018-10-09 07:12:39 Process: bh (IN: 1.49 MB, OUT: 0.95 MB) 2018-10-09 07:13:07 Process: bh 2018-10-12 08:30:33 Process: fmld 2018-10-12 21:23:23 Process: fmld 2019-06-02 16:05:23 iMessage lookup for account vincent.dahl76[@]gmail.com Forensic traces for KASH02 – Rodney Dixon Date (UTC) Event 2019-04-29 10:50:44 iMessage lookup for account vincent.dahl76[@]gmail.com Forensic traces for KASH03 – Wadah Khanfar Phone 1: Date (UTC) Event 2019-11-02 17:19:22 Process record deleted from ZPROCESS 2019-11-02 17:19:29 File created Library/Preferences/com.apple.CrashReporter.plist by RootDomain 2019-11-02 17:20:23 Process record deleted from ZPROCESS https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 67 of 86 2021-04-11 08:35:25 Process: ReminderIntentsUIExtension (IN: 0.01 MB, OUT: 0.00 MB) 2021-04-11 08:35:33 Process: ReminderIntentsUIExtension 2021-06-30 08:58:04 iMessage lookup for account oskarschalcher[@]outlook.com 2021-06-30 09:34:34 Process: com.apple.Mappit.SnapshotService (IN: 0.02 MB, OUT: 0.01 MB) 2021-06-30 09:34:40 Process: com.apple.Mappit.SnapshotService Phone 2: Date (UTC) Event 2021-04-02 10:43:27 iMessage lookup for oskarschalcher[@]outlook.com Forensic traces for KASH04 – Hanan El Atr Date (UTC) Event 2017-11-08 10:22 Malicious SMS from VERIFY: WhatsApp Web for [REDACTED] is now active on CHROME in ABU DHABI. Not you? Click here: hxxps://noonstore[.]sale/tkYHFbE 2017-11-15 09:01 Malicious SMS from VERIFY: Emirates AIrline changing the game in first class travel: hxxp://bit[.]ly/2A00EI7 2017-11-19 Malicious SMS from VERIFY: Dear Hanan Elatr, Nada shared a photo with you on Photobucket! Click here to view it and download our app. hxxp://bit[.]ly/AbzvEMS 2018-11-26 17:16:48 Malicious link in browsing history: https://done[.]events/TajbxOGh5 https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 68 of 86 2017-11-27 08:48 Malicious SMS: Dear HANA you have a package from CAIRO via Aramex, enter PIN 3483 and choose delivery location on our map: https://bit[.]ly/2zxnwOF 2018-04-15 09:33 Malicious SMS from SMSINFO: MONA ELATR shared a photo with you on Photobucket! Click here to view it and download our app: https://myfiles[.]photo/sVIKHJE Forensic traces for MOJRN1 – Hicham Mansouri Date (UTC) Event 2021-02-04 10:31:36 Process: CommsCenterRootHelper (IN: 0.01 MB, OUT: 0.00 MB) 2021-02-11 13:45:07 Process: CommsCenterRootHelper 2021-04-02 10:15:38 iMessage lookup for account linakeller2203[@]gmail.com Forensic traces for MXJRN1 Date (UTC) Event 2016-08-03 21:52:00 SMS: Hola Alvaro unicamente paso a saludarte y enviarte esta nota de the guardian que parece importante retomar: https://bit[.]ly/2ayGnMm (https://smsmensaje[.]mx/5901888s/) Forensic traces for MXJRN2 – Carmen Aristegui These Pegasus attack messages were original discovered and published as part of collaborative investigation between Citizen Lab, R3D, SocialTic and Article 19.                                                                 Date (UTC) Event 2014-11-20 03:10:04 SMS from +525536438524: El siguiente mensaje esta marcado como urgente y no se recibio correctamente. https://smsmensaje[.]mx/5103285s/ https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 69 of 86 2014-12-17 19:32:13 SMS from +525511393977: El siguiente mensaje no ha sido enviado https://smscentro[.]com/7984947s/ 2015-01-06 18:29:53 SMS from +525512350872: El siguiente mensaje no ha sido enviado https://smscentro[.]com/4064303s/ 2015-01-09 19:45:57 SMS from +525512350872: El siguiente mensaje no ha sido enviado https://tinyurl[.]com/l8cwcc5 (https://smscentro[.]com/1097486s/) 2015-01-13 01:59:19 SMS from +525511393877: El siguiente mensaje no ha sido enviado https://bit[.]ly/1z2NQdh (https://smscentro[.]com/9480260s/) 2015-03-26 18:15:59 SMS from +525585292665: El numero 5535606234 le ha enviado un mensaje de texto que no se recibio. Entre a https://iusacell-movil[.]com[.]mx/6731340s/ para ver el sms 2015-04-12 22:41:24 SMS from +525525715066: Notificacion de compra con tarjeta **** monto $3,500.00 M.N, ver detalles en: https://smsmensaje[.]mx/1493024s/ 2015-05-08 19:49:23 SMS from +525525715066: Aviso de vencimiento de pago asociado a tu servicio con cargo a tu tarjeta ****, ver mas detalles: https://smsmensaje[.]mx/6445761s/ 2015-05-08 23:19:14 SMS from +525585292665: El siguiente mensaje esta marcado como urgente y no se recibio correctamente, recuperalo en .. https://smsmensaje[.]mx/3863925s/ 2015-05-09 01:24:29 SMS from +525525715066: Haz realizado un Retiro/Compra en tienda departamental **** monto $2,500.00 M.N, ver detalles https://smsmensaje[.]mx/9936510s/ 2015-05-09 02:42:26 SMS from +525585292665: Haz realizado un Retiro/Compra en tienda departamental **** monto $2,500.00 M.N, ver detalles https://smsmensaje[.]mx/1796758s/ 2015-05-10 00:09:55 SMS from +525585292665: UNOTV[.]com/ AUDI ENTRE LOS PRINCIPALES AUTOS CON PROBLEMAS EN LA TRANSMICION VERIFICA LA LISTA DE ELLOS: https://unonoticias[.]net/1291412s/ https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 70 of 86 2015-05-11 20:19:20 SMS from +525585292665: El siguiente mensaje esta marcado como urgente y no se recibio correctamente, recuperalo en .. https://smsmensaje[.]mx/6713776s/ 2015-05-12 02:05:06 SMS from +525585292665: El siguiente mensaje esta marcado como urgente y no se recibio correctamente, recuperalo en .. https://smsmensaje[.]mx/6318147s/ 2015-05-12 04:03:33 SMS from +525525715066: Estimado cliente informamos que presentas un problema de pago asociado a tu servicio, ver detalles.. https://smsmensaje[.]mx/8884678s/ 2015-05-12 22:42:53 SMS from +525585292665: Alcanzaste la tarifa premium de IUSACELL $0.30 Min a Celular y $0.10 Nacional, codigo 2207 y activalo ya… https://smsmensaje[.]mx/3432773s/ 2015-05-14 00:37:27 SMS from +525585292665: Alcanzaste la tarifa premium de IUSACELL $0.30 Min a Celular y $0.10 Nacional, codigo 2207 activalo ya… https://smsmensaje[.]mx/7534402s/ 2015-05-14 02:55:35 SMS from +525525715066: UNONOTICIAS. En encuesta revelan las 3 posiciones sexuales favoritas de las mujeres, ver nota en: https://unonoticias[.]net/6218095s/ 2015-05-14 03:24:41 SMS from +525585292665: Retiro/Compra en tienda departamental $4,000.00 M.N 13/05/2015 20:10 hrs ,ver detalles en: https://smsmensaje[.]mx/9550014s/ 2015-05-14 19:56:23 SMS from +525585292665: El numero +525541337879 le ha mandado un mensaje de texto que ser ecibio incompleto. Ver mensaje en: https://smsmensaje[.]mx/5670989s/ 2015-05-15 01:18:30 SMS from +525585292665: UNOTV. Detectan irregularidades en caso Aristegui, ver nota completa.. https://unonoticias[.]net/4347580s/ 2015-06-05 01:56:27 SMS from +525585292665: UNOTV. Que depara el futuro para MVS y cual es el camino de Carmen Aristegui? ver nota completa.. https://unonoticias[.]net/9275690s/ 2015-07-26 03:05:05 SMS from +525585292665: TELCEL[.]com/ RECIBISTE CORRECTAMENTE TU FACTURA ELECTRONICA VERIFICA DETALLES DE TU COMPRA: https://ideas-telcel.com[.]mx/9872742s/ https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 71 of 86 2015-07-26 12:34:59 SMS from +525525715066: has realizado un Retiro/Compra Tarjeta**** M.N monto $3,500.00 verifica detalles de operacion: https://smsmensaje[.]mx/6156234s/ 2015-07-26 15:23:35 SMS from +525525715066: UNOTV.com/ ANONYMUS ANUNCIA QUE ATACARA PAGINA DE ARISTEGUI VER DETALLES: https://unonoticias[.]net/9250302s/ 2015-08-20 19:20:46 SMS from +525525715066: IUSACELL/ Estimado cliente su factura esta lista, agradeceremos pago puntual por $17401.25 Detalles: https://iusacell-movil[.]com[.]mx/8595070s/ 2015-08-20 19:34:05 SMS from +525525715066: USEMBASSY.GOV/ DETECTAMOS UN PROBLEMA CON TU VISA POR FAVOR ACUDE PRONTAMENTE A LA EMBAJADA. VER DETALLES: https://bit[.]ly/1MAAWrO (https://smsmensaje[.]mx/9439115s/) 2015-08-23 04:58:47 SMS from +525525715066: IUSACELL.com/ EL SIGUIENTE MENSAJE ESTA MARCADO COMO URGENTE REVISALO DESDE NUESTRO PORTAL VER https://iusacell-movil[.]com[.]mx/7918310s/ 2015-08-24 03:03:48 SMS from +525585292665: UNOTV[.]com/ FAMILIA DE CHAPO SE REFUGIA EN GRANDES RESIDENCIAS EN DF ENTRE ELLAS SN JERONIMO VER DONDE: https://unonoticias[.]net/6353793s/ 2015-08-24 15:31:38 SMS from +525525715066: ALERTA AMBER DF/ COOPERACION PARA LOCALIZAR A NINO DE 9 ANOS, DESAPARECIDO EN LA COLONIA SAN JERONIMO. DETALLES: https://bit[.]ly/1EQYOkG (https://mymensaje-sms[.]com/6649365s/) 2015-08-24 15:31:59 SMS from +525585292665: ALERTA AMBER DF/ COOPERACION PARA LOCALIZAR A NINO DE 9 ANOS, DESAPARECIDO EN LA COLONIA SAN JERONIMO. DETALLES: https://bit[.]ly/1EQYSB1 (https://mymensaje-sms[.]com/5186565s/) 2015-09-02 18:43:23 SMS from +525585292665: Hola Carmen, solo para desearte una excelente tarde y compartirte la nota que publica proceso sobre el 3er informe: https://bit[.]ly/1JNTfox (https://twiitter[.]com.mx/8527373s/) https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 72 of 86 2015-09-05 15:39:41 SMS from +525585292665: IUSACELL[.]com / DESCUBRE LA NUEVA TELEFONIA Y CONOCE LAS APLICACIONES MAS SEGURAS PARA TU SMARTPHONE SEGUN EL PENTAGONO https://bit[.]ly/1IQhzFw (https://iusacell-movil[.]com.mx/5726967s/) 2015-09-25 18:47:50 SMS from +525585292665: Queridisima Carmen en la madrugada fallecio mi padre, estamos muy devastados. Mando datos del funeral ojala puedas ir: https://bit[.]ly/1KDGbSR (https://smsmensaje[.]mx/4966295s/) 2015-10-17 18:12:07 SMS from +525585292665: chatita como estas, espero que bien este mi numero nuevo checa esta noticia la subi a drive checala para borrarla urge https://tinyurl[.]com/pfwmr88 (https://googleplay-store[.]com/7863372s/) 2015-10-25 23:39:29 SMS from +525525715066: Hola te envio invitacion electronica con detalles por motivo de mi fiesta de disfraces espero contar contigo alonso: https://tinyurl[.]com/o2tq8rl (https://smsmensaje[.]mx/8623600s/) 2016-02-09 17:46:42 SMS from +525552899427: Carmen hace 5 dias que no aparece mi hija te agradecere mucho que compartas su foto, estamos desesperados: https://bit[.]ly/1KDekJ9 (https://smsmensaje[.]mx/5957475s/) 2016-02-10 23:10:59 SMS from +525552899427: Querida Carmen fallecio mi hermano en un accidente, estoy devastada, envio datos del velorio, espero asistas: https://bit[.]ly/1TTjm6D (https://smsmensaje[.]mx/6056487s) 2016-02-11 22:30:48 SMS from +525568850176: Hace 7 dias desaparecio mi hija de 8 a?os en ecatepec, por favor ayudame a compartir su foto, estamos desesperados: https://smsmensaje[.]mx/7430255t/ 2016-02-11 22:32:15 SMS from +525568850176: Hace 7 dias desaparecio mi hija de 8 a?os en ecatepec, por favor ayudame a compartir su foto, estamos desesperados: https://smsmensaje[.]mx/7430255t/ 2016-02-11 23:58:10 SMS from +525568850176: Perdon en el sms anterior no se veia la foto, la reenvio, por favor compartela queremos a nuestra ni?a de vuelta: https://smsmensaje[.]mx/7430255t/ 2016-02-15 04:02:23 SMS from +525547311580: Vinieron unas personas a extorsionarnos si no les dabamos 100mil pesos saben quienes somos tome fotos mira https://fb-accounts[.]com/1324052s/ https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 73 of 86 2016-02-24 15:45:04 SMS from +525552899427: UNOTV[.]com/ LANZA TELEVISA DESPLEGADOS EN TODOS SUS MEDIOS;CRITICA POSTURA DE ORGANIZACION ARTICULO 19. VER: https://bit[.]ly/1SU5N7q (https://unonoticias[.]net/6809853s/) 2016-02-25 15:27:59 SMS from +525552899427: has realizado un Retiro/Compra Tarjeta**** M.N monto $3,500.00 verifica detalles de operacion: https://bit[.]ly/21jxVFW (https://unonoticias[.]net/2250072s/) 2016-03-10 16:09:38 SMS from +529993190183: ARISTEGUI NOTICIAS ESTRENA SERVICIO DE SMS. SUSCRIBASE Y RECIBIRA RESUMEN DE LAS NOTICIAS MAS IMPORTANTES: https://bit[.]ly/225VXRR (https://smsmensaje[.]mx/8807734s/) 2016-03-11 16:19:14 SMS from +529993190183: ARISTEGUI NOTICIAS ESTRENA SERVICIO DE SMS. SUSCRIBASE Y RECIBIRA RESUMEN DE LAS NOTICIAS MAS IMPORTANTES: https://smsmensaje[.]mx/4701759s/ 2016-04-05 14:42:23 SMS from +528120754135: ARISTEGUINOTICIASONLINE[.]mx ESTRENA SERVICIO DE SMS. SUSCRIBASE Y RECIBIRA LAS NOTICIAS MAS IMPORTANTES: https://bit[.]ly/1q3n16a (https://smsmensaje[.]mx/7974159s/) 2016-04-07 20:54:12 SMS from +528120953203: ARISTEGUINOTICIASONLINE[.]mx ESTRENA SERVICIO DE SMS. SUSCRIBASE Y RECIBIRA LAS NOTICIAS MAS IMPORTANTES: https://smsmensaje[.]mx/1119786s/ 2016-04-12 21:42:40 SMS from +528120943682: ARISTEGUINOTICIASONLINE[.]mx ESTRENA SERVICIO DE SMS. SUSCRIBASE Y RECIBIRA LAS NOTICIAS MAS IMPORTANTES: https://smsmensaje[.]mx/2365691s/ 2016-05-11 18:30:07 SMS from +525585401284: UNOTV[.]com/ CONFIRMA PGR QUE HIJO MAYOR DE AMLO LLEVA 48 HRS DESAPARECIDO. DETALLES: https://bit[.]ly/1QYVKaM (https://unonoticias[.]net/5911276s/) 2016-05-13 15:19:47 SMS from +528120531318: Perdon x molestarte pero hace 3 dias que no aparece mi hija te agradecere que me ayudes a compartir su foto: https://bit[.]ly/1Oo7cSS (https://smsmensaje[.]mx/8984621s/) https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 74 of 86 2016-06-03 18:03:24 SMS from +525585401299: Carmen la pagina esta intermitente, esta apareciendo este error al intentar ingresar: https://bit[.]ly/1WzrZ8T (https://smsmensaje[.]mx/9371877s/) 2016-06-09 19:19:10 SMS from +528120990524: Eres mierda porque yo me ando cojiendo a tu pareja mientras tu pendejeas y de prueba te mando esta foto: https://bit[.]ly/1rfaNHR (https://smsmensaje[.]mx/9449190s/) 2016-06-13 17:38:35 SMS from +525585401299: Hace 3 dias que no aparece mi hija, estamos desesperados, te agradecere que me ayudes a compartir su foto: https://bit[.]ly/235giae (https://smsmensaje[.]mx/1239663s/) 2016-06-15 21:21:29 SMS from +528122090316: Buenas tardes Carmen, unicamente paso a saludarte y enviarte esta nota de Proceso que es importante retomar: https://bit[.]ly/1twXSDl (https://smsmensaje[.]mx/1911343s/) 2016-06-22 21:35:59 SMS from +529993190053: UNOTV[.]com/ REVELAN VIDEO DONDE CRISTIANO RONALDO SE ENFADA Y AVIENTA MICROFONO DE REPORTERO. VIDEO EN: https://unonoticias[.]net/2068822s/ 2016-06-28 21:32:09 SMS from +528120696998: UNOTV[.]com/ ATENTADO TERRORISTA EN ESTAMBUL DEJA 30 MUERTOS/SECUESTRAN REPORTERO DE TELEVISA/FALLECE CHACHITA https://bit[.]ly/295RNq7 (https://smsmensaje[.]mx/1656017s/) 2016-07-01 16:45:44 SMS from +528122090348: UNOTV[.]com/ CARMEN ARISTEGUI YA FIRMO CONTRATO PARA REGRESAR A LA RADIO. DETALLES: https://unonoticias[.]net/3423165s/ 2016-07-04 20:32:34 SMS from +528121050415: UNOTV[.]com/ AMARILLISMO DE ARISTEGUI VS REALIDAD/ VAN 30 DETENIDOS EN ATENTADO DE ESTAMBUL/ CHILE CAMPEON https://bit[.]ly/29eWzzv (https://unonoticias[.]net/9436744s/) 2016-07-05 18:42:59 SMS from +525536438524: https://fb-accounts[.]com/2102272t/ 2016-07-06 21:56:08 SMS from +528122090257: Hace 5 dias q no aparece mi hija te agradecere mucho q compartan su foto, estamos destrozados es un infierno: https://bit[.]ly/29rnk6c (https://smsmensaje[.]mx/7960742s/) https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 75 of 86 2016-07-12 21:20:25 SMS from +528120697015: UNOTV[.]com/ FILMAN A REPORTERO Y PERIODISTA CUANDO SON LEVANTADOS POR COMANDO ARMADO EN TAMAULIPAS. VIDEO: https://unonoticias[.]net/1887451s/ 2016-07-14 20:29:40 SMS from +528122090358: ESTIMADO USUARIO ha realizado un Retiro/Compra Tarjeta M.N de ****** el 14/07/16 10:52:00 AM. Ver DETALLES: https://banca-movil[.]com/4982255s/ 2016-07-15 23:56:16 SMS from +528122090286: Mi rey te mando mis fotos encueradita y abiertita asi como te gusta, las ves y las borras eh: https://bit[.]ly/29IQvyh (https://smsmensaje[.]mx/3376811s/) 2016-07-18 17:50:57 SMS from +523319983437: Hola oye abriste nuevo facebook? Me llego una solicitud de un face con tus fotos pero con otro nombre mira: https://fb-accounts[.]com/1607422s/ 2016-07-19 17:55:54 SMS from +528113788852: Hola buen martes. Oye que pedo con el puto Lopez Doriga? Mira lo que escribio sobre ti hoy, urge desmentirlo: https://bit[.]ly/29LfZfD (https://smsmensaje[.]mx/9093723s/) 2016-07-22 21:33:26 SMS from +525576169290: Estimado cliente Unefon te informa su saldo vencido al de la lInea 5539290869, es por $4,278. DETALLES: https://ideas-telcel[.]com[.]mx/4729605s/ 2016-07-23 17:51:28 SMS from +525576169290: Amigo,hay una pseudo cuenta de fb y twitter identica a la tuya checala para que la denuncies mira checala: https://fb-accounts[.]com/9543697s/ 2016-07-25 21:01:24 SMS from +528122090359: Bienvenido Club CHICAS CALIENTES, se ha aplicado un cargo de $875.85 a su linea, si desea cancelar ingrese a: https://bit[.]ly/2a0hZ2I (https://smsmensaje[.]mx/6881768s/) 2016-07-28 22:47:46 SMS from +528120990542: UNOTV[.]com/ VIRAL EL VIDEO DE FUERTE GOLPE QUE RECIBE EN LA CARA OSORIO CHONG PROPINADO POR MAESTRO. VIDEO: https://unonoticias[.]net/6328951s/ Forensic traces for MXJRN3 No timestamps are available as these SMS messages where found in previous screenshots. https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 76 of 86 Date (UTC) Event SMS from +523332078807: Buenas noches Sandra, unicamente paso a saludarte y enviarte esta nota de Proceso que es importante retomar: https://bit[.]ly/25JHLDm (https://smsmensaje[.]mx/5727775s/) SMS from +525546613611: Sandra amiga acaba de morir mi esposo, estamos devastadas, te envio los datos del velatorio espero asistas: https://bit[.]ly/28hMScw (https://smsmensaje[.]mx/6050864s/) SMS from +524446613611: Hace 3 dias quo no aparence mi hija, estamos desesperados, te agradecere que me ayudes a compartit su foto: https://bit[.]ly/235hzhv (https://smsmensaje[.]mx/4159043s/) SMS from +518122090332: Sandra, mi mama esta muy grave, tal vez no pase la noche te envio datos de donde esta internada ojala vengas: https://bit[.]ly/1PQsLvX (https://smsmensaje[.]mx/6395084s/) Forensic traces for MXJRN4 This Pegasus attack message was original discovered and published as part of collaborative investigation between Citizen Lab, R3D, SocialTic and Article 19.     Date (UTC) Event 2016-05-12 19:06:04  SMS from + 528112889362: Tengo pruebas clave y fidedignas en contra de servidores publicos, ayudame tiene que ver con este asunto https://bit[.]ly/1s2eguc (https://secure-access10[.]mx/2618844s/) Forensic traces for RWHRD1 – Carine Kanimba Date (UTC) Event 2020-11-24 13:26:03 Process record deleted from ZPROCESS (IN: 12.86 MB, OUT: 168.99 MB) 2021-01-28 22:42:56 Process: Diagnosticd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 77 of 86 2021-01-31 18:28:39 Process: dhcp4d 2021-01-31 23:59:02 Process: libtouchregd 2021-02-02 13:54:23 Process: MobileSMSd 2021-02-13 19:44:12 Process: vm_stats 2021-02-21 23:10:09 Process: launchrexd 2021-02-21 23:10:09 Process: mptbd 2021-02-22 15:39:00 Process: PDPDialogs 2021-03-16 13:33:22 Process: neagentd 2021-03-17 15:27:06 Process: CommsCenterRootHelper 2021-03-21 06:06:45 Process: roleaboutd 2021-03-23 17:37:31 Process: contextstoremgrd 2021-03-28 00:36:43 Process: otpgrefd 2021-03-31 13:57:01 Process: vm_stats 2021-04-06 21:29:56 Process: locserviced 2021-04-09 19:09:18 Process: bluetoothfs https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 78 of 86 2021-04-23 01:48:56 Process: eventfssd 2021-04-23 20:43:14 Process: com.apple.Mappit.SnapshotService 2021-04-23 23:01:44 Process: aggregatenotd 2021-04-24 22:01:47 Process: ReminderIntentsUIExtension 2021-04-24 22:01:54 Process: ReminderIntentsUIExtension 2021-04-28 13:34:53 Process: com.apple.rapports.events 2021-04-28 13:34:57 Process: com.apple.rapports.events (IN: 0.01 MB, OUT: 0.00 MB) 2021-04-28 13:34:57 Process: com.apple.rapports.events 2021-04-28 13:35:40 Process: com.apple.rapports.events 2021-04-28 16:08:40 Process: xpccfd 2021-05-03 08:07:38 Traces from zero-click attack attempt over iMessage 2021-05-08 07:28:40 Traces from zero-click attack attempt over iMessage 2021-05-16 12:30:10 Traces from zero-click attack attempt over iMessage 2021-05-17 13:39:16 iMessage lookup for account benjiburns8[@]gmail.com 2021-05-17 13:40:12 Traces from zero-click attack attempt over iMessage https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 79 of 86 2021-06-14 00:06:00 Attack related push notifications over iMessage 2021-06-14 00:09:33 Process crash detected 2021-06-14 00:12:57 Process: com.apple.rapports.events 2021-06-14 00:17:12 Process: faskeepd 2021-06-14 00:17:12 Process: lobbrogd 2021-06-14 00:17:12 Process: neagentd 2021-06-14 00:17:12 Process: com.apple.rapports.events 2021-06-14 17:38:44 Process: faskeepd 2021-06-14 17:38:44 Process: lobbrogd 2021-06-14 17:38:44 Process: neagentd 2021-06-14 17:39:59 Process: faskeepd 2021-06-14 17:39:59 Process: lobbrogd 2021-06-14 17:39:59 Process: neagentd 2021-06-15 18:26:22 Process: faskeepd 2021-06-15 18:26:22 Process: lobbrogd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 80 of 86 2021-06-15 18:26:22 Process: neagentd 2021-06-15 18:28:16 Process: faskeepd 2021-06-15 18:28:16 Process: lobbrogd 2021-06-15 18:28:16 Process: neagentd 2021-06-15 18:30:12 Process: faskeepd 2021-06-15 18:30:12 Process: lobbrogd 2021-06-15 18:30:12 Process: neagentd 2021-06-16 00:04:37 Process: faskeepd 2021-06-16 00:04:37 Process: lobbrogd 2021-06-16 00:04:37 Process: neagentd 2021-06-16 18:49:50 Process: faskeepd 2021-06-16 18:49:50 Process: lobbrogd 2021-06-16 18:49:50 Process: neagentd 2021-06-16 21:54:15 Process: faskeepd 2021-06-16 21:54:15 Process: lobbrogd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 81 of 86 2021-06-16 21:54:15 Process: neagentd 2021-06-18 08:13:35 Process: faskeepd 2021-06-18 15:21:00 Attack related push notifications over iMessage 2021-06-18 15:26:04 Process crash detected 2021-06-18 15:26:08 Process: com.apple.Mappit.SnapshotService 2021-06-18 15:26:16 Process: com.apple.Mappit.SnapshotService 2021-06-18 15:31:12 Process: launchrexd 2021-06-18 15:31:12 Process: frtipd 2021-06-18 15:31:12 Process: ReminderIntentsUIExtension 2021-06-19 16:00:16 Process: launchrexd 2021-06-19 16:00:16 Process: frtipd 2021-06-19 16:00:16 Process: ReminderIntentsUIExtension 2021-06-20 00:06:25 Process: launchrexd 2021-06-20 00:06:25 Process: frtipd 2021-06-20 00:06:25 Process: ReminderIntentsUIExtension https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 82 of 86 2021-06-20 19:52:25 Process: launchrexd 2021-06-20 19:52:25 Process: frtipd 2021-06-20 19:52:26 Process: ReminderIntentsUIExtension 2021-06-20 19:53:58 Process: launchrexd 2021-06-20 19:53:58 Process: frtipd 2021-06-20 19:53:58 Process: ReminderIntentsUIExtension 2021-06-22 03:57:10 Process: launchrexd 2021-06-22 03:57:10 Process: frtipd 2021-06-22 03:57:10 Process: ReminderIntentsUIExtension 2021-06-22 04:06:51 Process: launchrexd 2021-06-22 04:06:51 Process: frtipd 2021-06-22 04:06:51 Process: ReminderIntentsUIExtension 2021-06-23 00:01:02 Process: launchrexd 2021-06-23 00:01:02 Process: frtipd 2021-06-23 00:01:02 Process: ReminderIntentsUIExtension https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 83 of 86 2021-06-23 14:31:39 Process: launchrexd 2021-06-23 20:46:00 Attack related push notifications over iMessage 2021-06-23 20:48:56 Process crash detected 2021-06-23 20:54:16 Process crash detected 2021-06-23 20:55:10 Process: otpgrefd 2021-06-23 20:59:35 Process: otpgrefd 2021-06-23 20:59:35 Process: launchafd 2021-06-23 20:59:35 Process: vm_stats 2021-06-23 22:21:13 Attack artifact on disk: /private/var/tmp/vditcfwheovjf/cc/otpgrefd/ 2021-06-24 12:16:22 Process: otpgrefd 2021-06-24 12:16:22 Process: launchafd 2021-06-24 12:16:22 Process: vm_stats 2021-06-24 12:24:29 Process: otpgrefd 2021-06-26 21:56:00 Attack related push notifications over iMessage 2021-06-26 23:25:32 Process: smmsgingd https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 84 of 86 2021-06-29 22:26:00 Attack related push notifications over iMessage 2021-06-29 22:30:46 Process crash detected 2021-06-29 22:36:01 Process: launchafd 2021-06-29 22:36:01 Process: otpgrefd 2021-06-29 22:36:01 Process: dhcp4d 2021-06-29 22:36:01 Process: ctrlfs 2021-06-30 00:09:19 Process: launchafd 2021-06-30 00:09:19 Process: otpgrefd 2021-06-30 00:09:19 Process: dhcp4d 2021-07-01 00:09:32 Process: launchafd 2021-07-01 00:09:32 Process: otpgrefd 2021-07-01 00:09:32 Process: dhcp4d 2021-07-01 12:16:43 Process: launchafd 2021-07-01 12:16:43 Process: otpgrefd 2021-07-01 12:16:43 Process: dhcp4d https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 85 of 86 2021-07-01 21:42:19 Process: launchafd 2021-07-03 06:06:37 iMessage lookup for account benjiburns8[@]gmail.com 2021-07-03 06:07:00 Attack related push notifications over iMessage 2021-07-03 06:22:16 Process crash detected 2021-07-03 06:32:56 Process: actmanaged 2021-07-03 06:32:56 Process: misbrigd 2021-07-03 06:32:56 Process: Diagnostics-2543 2021-07-03 06:32:56 Process: gssdp 2021-07-03 15:23:18 Process: actmanaged Source: https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ Page 86 of 86 https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ 2021-04-28 03:31:39 Process: ReminderIntentsUIExtension (IN: 0.01 MB, OUT: 0.00 MB) 2021-04-28 03:31:39 Process: ReminderIntentsUIExtension 2021-04-28 03:31:45 Process: ReminderIntentsUIExtension 2021-06-11 12:45:48 Process record deleted from ZPROCESS (IN: 0.01 MB, OUT: 0.00 MB) 2021-06-11 12:46:22 Process record deleted from ZPROCESS (IN: 1.79 MB, OUT: 0.31 MB) 2021-06-11 12:46:47 Process record deleted from ZPROCESS (IN: 12.94 MB, OUT: 145.88 MB) 2021-06-14 06:17:10 Process record deleted from ZPROCESS (IN: 2.36 MB, OUT: 2.76 MB) 2021-06-15 06:21:28 Process record deleted from ZPROCESS (IN: 1.05 MB, OUT: 1.29 MB) 2021-06-16 13:47:51 Process record deleted from ZPROCESS (IN: 0.16 MB, OUT: 0.16 MB) 2021-06-18 13:52:14 Process record deleted from ZPROCESS (IN: 0.01 MB, OUT: 0.00 MB) 2021-06-18 13:53:37 Process record deleted from ZPROCESS (IN: 1.79 MB, OUT: 0.31 MB) 2021-06-18 13:58:41 Process record deleted from ZPROCESS (IN: 13.63 MB, OUT: 172.99 MB) 2021-06-19 14:16:20 Process record deleted from ZPROCESS (IN: 0.87 MB, OUT: 1.02 MB) 2021-06-21 05:44:29 Process record deleted from ZPROCESS (IN: 1.81 MB, OUT: 2.58 MB) 2021-06-22 05:45:29 Process record deleted from ZPROCESS (IN: 1.19 MB, OUT: 1.38 MB) Page 64 of 86