
Forensic Methodology

Last updated: May 14, 2026

1. Why we publish this page

Inviolable analyzes mobile devices for signs of state-grade and commercial surveillance. We are accountable to the people who trust us with the most sensitive snapshot of their digital lives — journalists, human-rights defenders, activists, and lawyers. This page documents exactly how the analysis works, what runs on your computer, what leaves it, and the limits of what we can detect. We publish this so independent researchers, the security community, and our customers can verify our claims rather than take them on faith.

2. Forensic engine

The detection engine combines two open-source toolchains maintained by recognized institutions:

• Mobile Verification Toolkit (MVT) — created and maintained by Amnesty International's Security Lab. MVT is the same engine used by the Pegasus Project and Citizen Lab investigations to confirm mercenary spyware on devices belonging to journalists and activists. We do not run a fork: we use upstream MVT against your local backup, on your computer, with the official indicator sets.
• Stalkerware Indicators of Compromise (IOC) — a community-maintained database of consumer-grade surveillance applications ("stalkerware") and their persistence artifacts. We match against the upstream feed.

On top of these engines we maintain a baseline IOC set (currently v2026.04) that aggregates publicly documented Pegasus, Predator, FinSpy/FinFisher, Hermit and other mercenary-spyware indicators reported by Citizen Lab, Amnesty's Security Lab, the Stanford Internet Observatory, and TAG (Google's Threat Analysis Group).

3. What runs on your computer (and only there)

When you start an analysis, the agent does the following on your machine:

1. Reads the local backup of your iPhone/Android (via Apple's official libimobiledevice for iOS, or via ADB for Android). The backup is created on your computer; it never leaves your control.
2. Runs MVT and the stalkerware-indicators matchers against the backup. All matching is local.
3. Generates a findings document: a JSON list of matches (which indicator triggered, which artifact, timestamp).
4. Submits ONLY the findings document to inviolable.io. The backup itself is not uploaded.
5. Deletes the backup and all working files from your computer when the analysis ends.

The agent's source for macOS is open to inspection: the code path is straightforward, every command executed against your device is logged on screen before it runs, and you can re-run any step manually with the same upstream tools.

4. What leaves your device

Only the findings document. It is a JSON file with the following kinds of entries:

• Indicator hits: "process X matched stalkerware-indicator Y at timestamp Z."
• Device fingerprint: SHA-256 hash of IMEI + MAC + serial + model, used to bind the analysis to your account.
• Diagnostic metadata: backup size, iOS/Android version, MVT version, indicator-set version.

We do NOT upload:

• Your contacts, messages, photos, files, browser history, or any other personal content.
• The backup archive itself.
• Anything that allows reconstruction of the device's content.

Network traffic is HTTPS-only and goes exclusively to https://inviolable.io. The agent's binary contains no other endpoints.
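One way an auditor could check a captured findings document against the three kinds of entries listed above, as an added example that is not Inviolable's code. The key names, the NUL separator in the fingerprint, and both sample documents are assumptions constructed for illustration; the page does not publish the schema or how the identifiers are joined.

```python
import hashlib

# Hypothetical schema: the page names three kinds of entries, not their keys.
HIT_KEYS = {"artifact", "indicator", "timestamp"}
DIAG_KEYS = {"backup_size", "os_version", "mvt_version", "indicator_set"}
TOP_KEYS = {"indicator_hits", "device_fingerprint", "diagnostics"}

def fingerprint(imei, mac, serial, model):
    """SHA-256 over the four identifiers. The NUL separator is an assumption;
    it keeps ("a", "bc") and ("ab", "c") from hashing to the same value."""
    return hashlib.sha256("\x00".join([imei, mac, serial, model]).encode()).hexdigest()

def audit_findings(doc):
    """Return a list of violations; an empty list means only allow-listed fields."""
    problems = [f"unexpected top-level key: {k}" for k in sorted(set(doc) - TOP_KEYS)]
    fp = doc.get("device_fingerprint")
    if not (isinstance(fp, str) and len(fp) == 64 and set(fp) <= set("0123456789abcdef")):
        problems.append("device_fingerprint is not a SHA-256 hex digest")
    for i, hit in enumerate(doc.get("indicator_hits", [])):
        extra = sorted(set(hit) - HIT_KEYS)
        if extra:
            problems.append(f"indicator_hits[{i}] carries extra fields: {extra}")
    extra = sorted(set(doc.get("diagnostics", {})) - DIAG_KEYS)
    if extra:
        problems.append(f"diagnostics carries extra fields: {extra}")
    return problems

# Constructed sample documents (not real agent output).
CLEAN = {
    "indicator_hits": [{"artifact": "process X", "indicator": "stalkerware-indicator Y",
                        "timestamp": "2026-05-01T10:00:00Z"}],
    "device_fingerprint": fingerprint("000000000000000", "AA:BB:CC:DD:EE:FF",
                                      "SERIAL-PLACEHOLDER", "MODEL-PLACEHOLDER"),
    "diagnostics": {"backup_size": 123456, "os_version": "PLACEHOLDER",
                    "mvt_version": "PLACEHOLDER", "indicator_set": "v2026.04"},
}
# Same document with personal content smuggled in at two levels.
LEAKY = dict(CLEAN, contacts=["constructed entry"],
             indicator_hits=[dict(CLEAN["indicator_hits"][0], message_body="constructed")])

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN), ("leaky", LEAKY)):
        print(name, audit_findings(doc) or "OK")
```

Run it against the JSON body the agent actually submits (captured on your own machine) after adjusting the key sets to the real schema.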

5. What we do NOT do

• We do not run a closed, proprietary detection engine that you cannot audit.
• We do not claim a "100% Pegasus detection" rate; no honest forensic tool can.
• We do not modify your device's settings, DNS, certificates, or system configuration.
• We do not install anything persistent. The agent is a single signed binary you can delete after use.
• We do not retain the backup after the analysis. We do not have a copy of your device's content. We cannot produce one even under subpoena because it does not exist on our infrastructure.
• We do not sell your data, ever, to anyone.

6. Limitations — what we can and cannot detect

What we can detect with high confidence:

• Indicators of mercenary spyware (Pegasus, Predator, FinSpy, Hermit, etc.) that have been publicly documented and whose IOCs have been published by reputable researchers.
• Persistence artifacts of commercial stalkerware sold openly on the internet.
• Suspicious patterns matched by MVT's heuristics: unexplained crashes around known exploit times, references to known C2 domains, etc.

What we cannot detect:

• Zero-day spyware that has not been publicly reverse-engineered yet. By definition, indicators exist only after researchers have analyzed a sample.
• Implants that wipe themselves on reboot and leave no persistent artifact on disk.
• Active surveillance of network traffic occurring outside the device (e.g., upstream of your carrier).
• Targeted attacks via SIM-swap or social engineering — those don't leave forensic traces on the phone.

When in doubt, our clean report does not mean "you are safe forever." It means "we did not find indicators in this snapshot." For high-risk users we always recommend a follow-up with a digital security helpline (Access Now, Citizen Lab, Amnesty's Security Lab) listed in your report.

7. Sources, references, and how to verify

You can verify our claims against the public record:

• Mobile Verification Toolkit: https://docs.mvt.re/ — Amnesty Security Lab's open-source forensic toolkit.
• Stalkerware Indicators of Compromise: https://github.com/AssoEchap/stalkerware-indicators — community-maintained.
• Citizen Lab (University of Toronto): https://citizenlab.ca/category/research/ — original Pegasus and Predator forensic reports.
• Amnesty International Security Lab: https://securitylab.amnesty.org/ — methodology behind the Pegasus Project.

Our indicator-set version is printed in every report ("Indicator set: v2026.04"). If a researcher disputes a specific match, we will provide the exact rule and the artifact path so it can be independently re-run with upstream MVT.

For any question about methodology: methodology@inviolable.io.

Methodology questions?

Independent researchers and customers — write to us. We publish so we can be audited.
