{
	"id": "3f95e19b-2a63-4da6-a7d1-bc38ac45ff5f",
	"created_at": "2026-04-06T00:18:00.180172Z",
	"updated_at": "2026-04-10T13:11:32.426384Z",
	"deleted_at": null,
	"sha1_hash": "daac0e91f26dacc40c4c6ff6704d757b5c13b5c0",
	"title": "Independent Peer Review of Amnesty International's Forensic Methods for Identifying Pegasus Spyware - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44935,
	"plain_text": "Independent Peer Review of Amnesty International's Forensic\r\nMethods for Identifying Pegasus Spyware - The Citizen Lab\r\nBy Bill Marczak\r\nPublished: 2021-07-18 · Archived: 2026-04-05 19:11:56 UTC\r\nOn July 18, non-profit journalism organization Forbidden Stories released a major new investigation into NSO\r\nGroup. The investigation exposes widespread global targeting with Pegasus spyware. The investigation also\r\nincludes results from the forensic examination of a number of devices that their technical partner, Amnesty\r\nInternational, assessed to be infected.\r\nForbidden Stories and Amnesty International requested that the Citizen Lab undertake an independent peer review\r\nof a sample of their forensic evidence and their general forensic methodology. We were provided with iTunes\r\nbackups of several devices and a separate methodology brief. No additional context or information about the\r\ndevices or the investigation was provided to us.\r\nWe independently validated that Amnesty International’s forensic methodology correctly identified infections with\r\nNSO’s Pegasus spyware within four iTunes backups. We also determined that their overall methodology is sound.\r\nIn addition, the Citizen Lab’s own research has independently arrived at a number of the same key findings as\r\nAmnesty International’s analysis.\r\nMethodological Assessment: Sound\r\nThe Citizen Lab provides the following assessment of Amnesty’s methodology:\r\nAmnesty’s described methodology for identifying Pegasus Process Names (and email addresses linked\r\nto the NSO Pegasus killchain) is sound. 
Their method is based on temporal correlation between the\r\nitems’ first appearance in logs and phones’ communication with known Pegasus Installation servers, or\r\nother Pegasus Process Names.\r\nAmnesty’s described methodology for identifying times during which phones were compromised is\r\nsound. Their method involves observing Pegasus Process Names in a DataUsage.sqlite file obtained from\r\nan iTunes backup, or a netusage.sqlite file obtained from a full filesystem extraction, or other log files on\r\nthe phone that record process names.\r\nAmnesty’s described methodology for linking the zero-click compromise they observed on iOS 14.6 to\r\nNSO Group is sound. Their method is the same as above.\r\nAmnesty’s described methodology for linking the activity they observed involving Amazon CloudFront\r\nservers to the NSO Pegasus killchain is sound. Their method is the same as above.\r\nAmnesty did in fact detect Version 4 Pegasus servers. Citizen Lab and Amnesty Tech conducted mutual\r\nsharing of Version 4 domain names we each detected as of July 2020. At that point, it became clear to both\r\ngroups that we had independently developed substantially similar methods to detect NSO Group’s\r\ninfrastructure.\r\nAdditional Independent Support for Amnesty’s Findings\r\nThe Citizen Lab’s own research has independently arrived at several of Amnesty’s key findings:\r\nCitizen Lab independently employed a similar methodology to Amnesty International in our analysis\r\nof potential Pegasus compromise (i.e., identifying process names proximate to communication with\r\nPegasus servers), and have devised our own list of process names. Amnesty appears to have mentioned 45\r\nprocess names in their draft report. We computed the intersection of this list with our list, and identified 28\r\nprocess names in common. 
We can also confirm that we have not observed Amnesty’s list of 45 process\r\nnames used in association with any benign or legitimate apps.\r\nCitizen Lab independently documented NSO Pegasus spyware installed via successful zero-day zero-click iMessage compromises of an iPhone 12 Pro Max device running iOS 14.6, as well as zero-day\r\nzero-click iMessage attacks that successfully installed Pegasus on an iPhone SE2 device running iOS\r\nversion 14.4, and a zero-click (non-zero-day) iMessage attack on an iPhone SE2 device running iOS\r\n14.0.1. The mechanics of the zero-click exploit for iOS 14.x appear to be substantially different than the\r\nKISMET exploit for iOS 13.5.1 and iOS 13.7, suggesting that it is in fact a different zero-click iMessage\r\nexploit.\r\nCitizen Lab independently observed NSO Group’s new design for their hidden infrastructure which\r\nappears to have been launched starting on September 2, 2018, about one month after Amnesty Tech and\r\nCitizen Lab published reports on NSO Group in August 2018. The new design is as Amnesty Tech\r\ndescribes in their draft report: “URL Shortener Servers” are separated from “Pegasus Installation Servers,”\r\nand “Installation DNS Servers” are introduced.\r\nCitizen Lab independently conducted similar scanning for Pegasus Infection Server domain names, as\r\nwell as Command and Control (C\u0026C) server domain names. Citizen Lab and Amnesty International\r\nconducted mutual sharing of these Version 4 domain names we detected in July 2020.\r\nCitizen Lab independently observed NSO Group begin to make extensive use of Amazon services\r\nincluding CloudFront in 2021.\r\nCitizen Lab observed that NSO Group’s spyware was modified in late 2019 or early 2020 to\r\n(incompletely) delete information from the DataUsage.sqlite file. 
We have never observed this anomaly\r\noutside of Pegasus infection, and in each case where we have observed this anomaly, we are able to\r\ncorrelate it with other indicators of Pegasus infection.\r\nConclusion\r\nAmnesty International’s core forensic methods for analyzing devices to determine that they have been infected\r\nwith NSO Group spyware are sound.\r\nFurther information about the Citizen Lab’s own investigations into NSO Group can be found here.\r\nSource: https://citizenlab.ca/2021/07/amnesty-peer-review/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://citizenlab.ca/2021/07/amnesty-peer-review/"
	],
	"report_names": [
		"amnesty-peer-review"
	],
	"threat_actors": [],
	"ts_created_at": 1775434680,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/daac0e91f26dacc40c4c6ff6704d757b5c13b5c0.pdf",
		"text": "https://archive.orkl.eu/daac0e91f26dacc40c4c6ff6704d757b5c13b5c0.txt",
		"img": "https://archive.orkl.eu/daac0e91f26dacc40c4c6ff6704d757b5c13b5c0.jpg"
	}
}