Fedifriends, here's a sneak preview of a project I've been working on lately. Just don't tell anyone yet.
It's a website that tries to collect, document and debunk misinformation related to malware and malware forensics.
I'm not sure that your first claim is entirely correct.
You said "While indeed a complete examination of the physical phone can lead to the detection of malware, it is not the only way to perform forensic analysis of the phone."
Can you elaborate on what other methods allow you to obtain keystores or even the backup if you don't have access to the iCloud profile in question?
From what I'm aware, you'd need to be using some chain of exploits similar to how (GrayKey / Elcomsoft iOS Forensic Toolkit / Passware Kit etc.) do to bypass certain restrictions that you can only get at from physical access to the device. Otherwise you'd need an RCE and priv esc to get back the data in question.
You should change it to:
"A complete physical examination of an iOS device is the only way to identify and lead to the detection of the Pegasus malware."
Logically, if you are only ever performing static analysis on samples you're likely just looking at downloaders anyway; with such an expensive and sophisticated malware you're going to have to look at kernel changes, memory artifacts, bootloader modifications, any cached logs if they still exist, etc. It's hardly just run one tool and look for previously known artifacts; if that worked then everyone writing new detection rules could just give up and go home.
@maldr0id It's just a more correct statement. It's not that your argument is incorrect but it could be improved upon in its accuracy of the comments made in the process of discovery for Pegasus.
You did not disclose the process which I mentioned because it's not a process that actually happens. Even when the FBI wanted to use Pegasus and the NSO Group's exploit framework on the last person here they were tracking from the Boston Bombings, Apple made it clear that they would fight backdooring their software and anyone attempting to in court. That being said, I doubt they're any different about letting up on the protected data of their customers, for those same reasons as suggested above, in the process for discovery of said iCloud backups. It's a logical move but it just never happens and hasn't so far. So until then the previously mentioned processes are all that researchers have and are limited to. That's why I have suggested that you change the statement.
I must run for now but this is a good discussion to have.