Device Forensics

Pegasus Detection & Spyware Forensics

Professional-grade forensic scanning that detects Pegasus, Predator, Hermit, QuaDream, FinFisher, and commercial stalkerware. Built on research by Citizen Lab and Amnesty International's Mobile Verification Toolkit.

Threat Database

Surveillance Tools We Detect

Our database includes indicators for the major government and commercial spyware families documented by public research.

Pegasus

NSO Group

Critical

The most sophisticated commercial spyware. Licensing costs reported in the millions of dollars. Found on devices of journalists and heads of state.

Zero-click exploits, full device access, camera/mic activation, message interception, location tracking, self-destruction

Predator

Cytrox / Intellexa

Critical

Linked to surveillance campaigns against journalists and politicians in multiple countries.

Zero-click exploits, data exfiltration, credential theft, browser exploitation

Hermit

RCS Lab

High

Used by government agencies. Deployed via modified carrier apps and fake messaging applications.

Audio recording, photo capture, SMS/call logs, GPS tracking

FinFisher

FinFisher GmbH

High

Marketed to law enforcement but documented in use against dissidents and journalists.

Keylogging, screen capture, file access, email monitoring

QuaDream

QuaDream Ltd.

Critical

Rival to NSO Group. Citizen Lab documented its ENDOFDAYS zero-click exploit, which targeted iOS 14 devices via invisible iCloud calendar invitations.

Zero-click exploits, calendar event weaponization, full data extraction

Stalkerware

Various (mSpy, FlexiSPY, Cocospy, Spyic, Cerberus)

High

Consumer-grade surveillance apps often used for domestic abuse. Installed by someone with physical device access.

Real-time location, call recording, social media monitoring, keylogging, ambient recording

Scan Options

Choose Your Scan Depth

From a quick 60-second check to a full forensic backup analysis.

01

Quick Scan

~1 minute

Basic IOC check against known spyware indicators. Checks running processes and installed packages.

02

Standard Scan

~5 minutes

Includes Quick Scan plus iOS shutdown.log analysis, network connection audit, and certificate chain validation.

03

Deep Scan (Recommended)

~30 minutes

Full forensic analysis: YARA rules, behavioral anomaly detection, file system inspection, persistence mechanism checks.

04

Backup Analysis

~1 hour

Complete iOS backup parsing. Examines sysdiagnose archives, DataUsage.sqlite (per-process network usage history), configuration profiles, and all other system artifacts.
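As an added illustration of what a backup-analysis pass over DataUsage.sqlite does, the following example joins the per-process network counters to process names, converts Apple's absolute timestamps, and flags process names that match a known indicator. This is example code written for this page, not OrbGuard's or MVT's own implementation. It assumes the public ZPROCESS/ZLIVEUSAGE column layout of DataUsage.sqlite; the rows it inserts are constructed test data, and the indicator set is just the process names listed on this page.

```python
"""Backup analysis of DataUsage.sqlite: per-process network usage vs. process-name IOCs.

Added example for this page (not OrbGuard/MVT code). Column names follow the public
DataUsage.sqlite layout; all rows below are constructed, not a real extraction.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Apple "absolute time": seconds since 2001-01-01 00:00:00 UTC.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Process-name indicators: the Pegasus process names this page lists.
PROCESS_IOCS = {"bh", "roleaccountd", "laaboratoryd"}

USAGE_QUERY = """
SELECT p.ZPROCNAME, p.ZBUNDLENAME, p.ZFIRSTTIMESTAMP, p.ZTIMESTAMP,
       u.ZTIMESTAMP, u.ZWIFIIN, u.ZWIFIOUT, u.ZWWANIN, u.ZWWANOUT
FROM ZLIVEUSAGE u LEFT JOIN ZPROCESS p ON u.ZHASPROCESS = p.Z_PK
ORDER BY u.ZTIMESTAMP
"""


def apple_ts(value):
    """Convert Apple absolute time (seconds since 2001-01-01 UTC) to an aware datetime."""
    if value is None:
        return None
    return APPLE_EPOCH + timedelta(seconds=value)


def build_sample_db():
    """Constructed DataUsage.sqlite-shaped database (in memory) with four processes."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZFIRSTTIMESTAMP FLOAT,
            ZTIMESTAMP FLOAT, ZPROCNAME TEXT, ZBUNDLENAME TEXT);
        CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER,
            ZTIMESTAMP FLOAT, ZWIFIIN FLOAT, ZWIFIOUT FLOAT, ZWWANIN FLOAT, ZWWANOUT FLOAT);
    """)
    # t0 = 2021-07-01 00:00:00 UTC expressed as Apple absolute time.
    t0 = (datetime(2021, 7, 1, tzinfo=timezone.utc) - APPLE_EPOCH).total_seconds()
    con.executemany("INSERT INTO ZPROCESS VALUES (?,?,?,?,?)", [
        (1, t0, t0 + 86400, "mobilemail", "com.apple.mobilemail"),
        (2, t0 + 3600, t0 + 7200, "bh", None),                 # IOC hit, no bundle id
        (3, t0, t0 + 86400, "MobileSafari", "com.apple.mobilesafari"),
        (4, t0 + 500, t0 + 600, "unsignedhelper", None),       # constructed: unknown, no bundle id
    ])
    con.executemany("INSERT INTO ZLIVEUSAGE VALUES (?,?,?,?,?,?,?)", [
        (10, 1, t0 + 100, 5000, 2000, 0, 0),
        (11, 2, t0 + 3700, 0, 0, 120000, 9000000),            # large cellular upload
        (12, 3, t0 + 200, 900000, 40000, 0, 0),
        (13, 4, t0 + 550, 0, 0, 4096, 2048),
    ])
    return con


def extract_usage(con):
    """Run the join and normalise each usage record into a plain dict."""
    rows = []
    for (name, bundle, first, last, ts, wifi_in, wifi_out, wwan_in, wwan_out) in con.execute(USAGE_QUERY):
        rows.append({
            "process": name, "bundle": bundle,
            "first_seen": apple_ts(first), "last_seen": apple_ts(last),
            "timestamp": apple_ts(ts),
            "bytes_in": (wifi_in or 0) + (wwan_in or 0),
            "bytes_out": (wifi_out or 0) + (wwan_out or 0),
        })
    return rows


def find_hits(rows, iocs=PROCESS_IOCS):
    """Exact IOC match on process name. Separately surface processes that carry no
    bundle identifier yet moved traffic: worth an analyst's look, but a heuristic,
    not an indicator, since some legitimate daemons also lack a bundle id."""
    hits, review = [], []
    for r in rows:
        if r["process"] in iocs:
            hits.append(r)
        elif r["bundle"] is None and (r["bytes_in"] + r["bytes_out"]) > 0:
            review.append(r)
    return hits, review


def scan():
    """Full pass over the constructed database: returns (ioc_hits, needs_review)."""
    return find_hits(extract_usage(build_sample_db()))


if __name__ == "__main__":
    hits, review = scan()
    for r in hits:
        print(f"IOC HIT  {r['process']!r} last seen {r['last_seen'].isoformat()} "
              f"out={r['bytes_out']} in={r['bytes_in']}")
    for r in review:
        print(f"REVIEW   {r['process']!r} (no bundle id) out={r['bytes_out']} in={r['bytes_in']}")
```

The join is the interesting part: ZLIVEUSAGE only carries a foreign key to ZPROCESS, so a process that has since been deleted from ZPROCESS still leaves usage rows behind, which is why the query is a LEFT JOIN rather than an inner join. The timestamp conversion matters for the infection-timeline estimate: ZFIRSTTIMESTAMP is the first time the process was seen moving traffic.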

Detection Methodology

How OrbGuard Detects Pegasus

A 6-stage forensic pipeline combining indicator matching, behavioral analysis, and real-time threat intelligence.

1

IOC Matching

Compare device artifacts against 20,000+ known indicators of compromise from Citizen Lab, Amnesty MVT, and OrbGuard Lab.

2

Behavioral Analysis

ML-powered anomaly detection monitors battery drain, CPU spikes, network traffic, and background process activity.

3

Shutdown.log Forensics

iOS-specific analysis of shutdown.log, which records processes that were still running when the device shut down, for known Pegasus process and path indicators (roleaccountd, bh, laaboratoryd).

4

YARA Rule Scanning

Custom YARA rules scan the file system for malware signatures, suspicious binaries, and persistence mechanisms.

5

Certificate Analysis

Detect MITM proxy certificates and unauthorized root CAs that surveillance tools install to intercept TLS traffic.

6

Cloud Intelligence

Cross-reference findings against a locally cached threat-intelligence database aggregated from 20+ feeds and refreshed hourly.

On-Device Processing

Every stage of this pipeline runs locally on your device. Threat-intelligence feeds are pulled into a local cache on a periodic schedule, and the cross-referencing in stage 6 runs against that cache. Your forensic data never leaves your device.

Remediation Guide

What Happens If Spyware Is Found?

Don't panic. Follow these steps to isolate, document, and recover safely.

1

Isolate the Device

Enable airplane mode immediately. Do not factory reset yet — forensic evidence may be needed for legal proceedings or investigations.

2

Document Everything

Export the OrbGuard forensic report. Take screenshots and note the infection timeline. Preserve the raw artifacts as well: an encrypted local backup and a sysdiagnose archive can be re-analyzed later with independent tools such as MVT. This evidence may be critical for legal action.

3

Secure Wipe & Recovery

Perform a full factory reset from recovery mode (not Settings). Set up as a new device; do not restore from a backup taken while the device was compromised, as it may reintroduce malicious configuration profiles or stalkerware apps.

4

Harden Your Device

Enable Lockdown Mode (iOS). Update to the latest OS version. Change account passwords from a known-clean device, since credentials may have been captured. Install OrbGuard for continuous monitoring. Avoid clicking links from unknown sources.

Frequently Asked Questions

Can OrbGuard detect Pegasus?
Yes. OrbGuard uses detection methodology based on research by Citizen Lab and Amnesty International's Mobile Verification Toolkit (MVT). We analyze iOS shutdown.log artifacts, known process indicators, network connections to NSO infrastructure, and behavioral anomalies consistent with Pegasus infection. While no tool can guarantee 100% detection against a well-funded adversary, OrbGuard provides the most comprehensive mobile forensics available outside of dedicated incident response teams.
How does the shutdown.log analysis work?
When iOS shuts down, processes that are still running when the shutdown sequence tries to stop them are recorded in shutdown.log (on device at /private/var/db/diagnostics/shutdown.log, and included in sysdiagnose archives) with their pid and binary path. Pegasus and similar spyware must run as background processes, so their binaries and the directories they ran from can appear in this log, often across several reboots. OrbGuard matches those paths and process names (such as "roleaccountd", "bh", "laaboratoryd") against known Pegasus indicators. This technique was published by Kaspersky researchers in 2024 and has since been incorporated into Amnesty's MVT. Because the log is only written on an actual shutdown, an empty result on a device that is rarely restarted is absence of evidence, not proof that the device is clean.
Is my data sent to your servers during scanning?
No. All forensic scanning happens entirely on your device. Zero data leaves your device during analysis. The threat intelligence database is downloaded periodically and cached locally. Even the ML models run on-device.
What happens if spyware is found?
You receive a detailed forensic report with: the specific threat identified, severity level, infection timeline estimate, affected data categories, and step-by-step remediation guidance. For critical findings like Pegasus, we recommend immediate device isolation and contacting a security professional.
Can OrbGuard detect unknown/zero-day spyware?
OrbGuard uses behavioral anomaly detection powered by machine learning to identify suspicious patterns even for unknown threats. Unusual battery drain, abnormal network traffic, unexpected background processes, and excessive CPU usage are all indicators that OrbGuard monitors continuously. These behavioral signals are heuristic and can also be triggered by legitimate apps, so a behavioral alert is a prompt to run a Deep Scan or Backup Analysis, not a confirmed infection.
How often is the threat database updated?
OrbGuard Lab aggregates intelligence from 20+ feeds including Citizen Lab, Amnesty MVT, Abuse.ch, VirusTotal, AlienVault OTX, and more. The threat database is updated hourly with new indicators of compromise.
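The two pieces of the pipeline described above, IOC matching and shutdown.log forensics, fit together in a few dozen lines. The example below is written for this page and is not OrbGuard's or MVT's own code. It loads single-comparison indicator patterns from a STIX 2 bundle (the shape Amnesty's MVT indicators use), parses "remaining client pid" entries out of a shutdown.log, and reports which binaries matched and how many reboots they showed up in. The STIX bundle and the log text are both constructed: the process names are the ones listed on this page, the staging-directory path is the one Kaspersky's shutdown.log research reported, and the domain indicators are placeholders included only to show that non-process indicator types are grouped and ignored here.

```python
"""STIX 2 indicator loading + shutdown.log matching.

Added example for this page (not OrbGuard/MVT code). SAMPLE_STIX and
SAMPLE_SHUTDOWN_LOG are constructed test data.
"""
import collections
import json
import re
from pathlib import PurePosixPath

# Single-comparison STIX pattern, e.g. "[process:name = 'bh']". Compound patterns
# (AND/OR) are skipped, as a minimal matcher should do rather than guess.
STIX_PATTERN = re.compile(r"^\[([\w-]+):([\w.]+)\s*=\s*'([^']*)'\]$")
# shutdown.log entry for a process that had not exited when shutdown ran.
CLIENT_LINE = re.compile(r"remaining client pid:\s*(\d+)\s*\((.+)\)")

SAMPLE_STIX = {
    "type": "bundle", "id": "bundle--constructed-example",
    "objects": [
        {"type": "malware", "id": "malware--constructed", "name": "Pegasus"},
        {"type": "indicator", "id": "indicator--1", "pattern_type": "stix",
         "pattern": "[process:name = 'bh']"},
        {"type": "indicator", "id": "indicator--2", "pattern_type": "stix",
         "pattern": "[process:name = 'roleaccountd']"},
        {"type": "indicator", "id": "indicator--3", "pattern_type": "stix",
         "pattern": "[process:name = 'laaboratoryd']"},
        {"type": "indicator", "id": "indicator--4", "pattern_type": "stix",
         "pattern": "[file:path = '/private/var/db/com.apple.xpc.roleaccountd.staging/']"},
        {"type": "indicator", "id": "indicator--5", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'ioc.example.com']"},
        # Compound pattern: deliberately unsupported, counted as skipped.
        {"type": "indicator", "id": "indicator--6", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'a.example.com' OR domain-name:value = 'b.example.com']"},
    ],
}

# Constructed log covering two reboots. backboardd is a legitimate daemon that can
# lag a shutdown; it must not be flagged merely for appearing here.
SAMPLE_SHUTDOWN_LOG = """\
SIGTERM: [0x1f3b] shutdown requested
after 3s
\tremaining client pid: 88 (/usr/libexec/backboardd)
after 8s
\tremaining client pid: 1337 (/private/var/db/com.apple.xpc.roleaccountd.staging/rolexd)
SIGTERM: [0x1f3c] shutdown requested
after 3s
\tremaining client pid: 1402 (/private/var/db/com.apple.xpc.roleaccountd.staging/rolexd)
\tremaining client pid: 1410 (/usr/libexec/bh)
"""


def load_indicators(bundle):
    """Group indicator values by 'type:property'. Returns (iocs, skipped_count)."""
    iocs = collections.defaultdict(set)
    skipped = 0
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = STIX_PATTERN.match(obj.get("pattern", "").strip())
        if not m:
            skipped += 1
            continue
        obj_type, prop, value = m.groups()
        iocs[f"{obj_type}:{prop}"].add(value)
    return dict(iocs), skipped


def parse_shutdown_log(text):
    """Return [(pid, path), ...] for every process still running at a shutdown."""
    return [(int(m.group(1)), m.group(2).strip())
            for line in text.splitlines() if (m := CLIENT_LINE.search(line))]


def match_entries(entries, iocs):
    """Match each distinct path against process:name (basename) and file:path
    (exact, or prefix when the indicator is a directory) indicators."""
    names = iocs.get("process:name", set())
    paths = iocs.get("file:path", set())
    seen = collections.Counter(path for _, path in entries)
    findings = []
    for path, count in seen.items():
        reasons = []
        if PurePosixPath(path).name in names:
            reasons.append(f"process:name={PurePosixPath(path).name}")
        for p in paths:
            if path == p or (p.endswith("/") and path.startswith(p)):
                reasons.append(f"file:path={p}")
        if reasons:
            findings.append({"path": path, "occurrences": count, "reasons": sorted(reasons)})
    return sorted(findings, key=lambda f: f["path"])


def scan_shutdown_log(log_text, bundle):
    """Entry count is reported alongside findings: zero entries means the device
    produced no shutdown evidence at all, which is not the same as a clean result."""
    iocs, _ = load_indicators(bundle)
    entries = parse_shutdown_log(log_text)
    return {"entries": len(entries), "findings": match_entries(entries, iocs)}


if __name__ == "__main__":
    print(json.dumps(scan_shutdown_log(SAMPLE_SHUTDOWN_LOG, SAMPLE_STIX), indent=2))
```

Two details are worth noting. Matching is done on the binary path's basename against process:name indicators and on the full path against file:path indicators, so a known binary dropped into an unexpected directory is still caught by the name, and an unknown binary run from a known staging directory is caught by the path. The occurrence count per path is kept because the same binary lingering across multiple reboots is exactly the pattern the original research relied on.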

Is Your Device Clean?

Run your first forensic scan in under 60 seconds. Pegasus detection included with OrbGuard Pro.