Your SlideShare is downloading. ×
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
File000091
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

File000091

187

Published on

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
187
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
4
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3323  Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.   Computer Hacking Forensic Investigator (CHFI) Module XXXVI: BlackBerry Forensics Exam 312-49  
  • 2. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3324  Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    News: Police Join AG BlackBerry Investigation Source: http://www.10tv.com/ Police joined the search for a BlackBerry as they suspected that it may hold evidence related to a general investigation. Paul Aker reported that detectives were dusting Jen Urban’s (an attorney in the attorney general’s office) apartment for fingerprints as she said that her BlackBerry and other items were stolen from the apartment. “It’s unfortunate,” Urban told 10 investigators. “A lot of my personal belongings were taken. I do not know the motivation behind it.” Aker reported that:  State investigators said they were "very curious" about the timing  The burglary took place just hours after an unannounced sweep of Attorney General Marc Dann's office by the Inspector General  Inspector General Thomas Charles locked all the computers with the one belonging to Urban  Charles said that his office wants to find Urban’s missing BlackBerry According to investigators in their final report, the device could consist of important information as they doubt that Urban was romantically linked to Leo Jennings III, who served as Dann's communications director. Urban stated that someone walked inside the apartment at about 5 a.m. and took her television, along with her purse and BlackBerry. Continuing with this, she told police that the crime happened while she was on the back patio where Jessica Utovich, Dann’s former scheduler, was on her couch. Later, she changed her statement by saying that Utovich was out during the burglary. To support the later statement she said that, “It is discerned at this time that the items were taken before she rested on the couch.” Aker further reported that, 10 investigators got to know that the Inspector General seized a BlackBerry belonging to Tom Winters, who took over as acting Attorney General when Dann resigned. The women who were sexually harassed inside Dann’s office claimed that Winters knew about some of the problems in January but failed to act, where Winters denied to comment about it.
  • 3. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3326  Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.   Module Objective This module will familiarize you with:  BlackBerry  BlackBerry Operating System  How BlackBerry Works  BlackBerry Serial Protocol  Blackjacking Attack  BlackBerry Security  BlackBerry Forensics  Best Practices  Forensics Tools  
  • 4. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3327  Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.   Module Flow  
  • 5. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3328  Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    BlackBerry In 1999, Research In Motion (RIM) manufactured the BlackBerry wireless handheld device. It provides a number of applications such as email, mobile telephone, text messaging, Internet faxing, web browsing, and other wireless information services. Initially, it focused on email facility. BlackBerry transports data over the wireless data networks of mobile phone service companies.   BlackBerry has a small built-in QWERTY keyboard, wtih an “Alt” key for entering special numbers and characters. It has a self-configurable "AutoText" feature that provides a list of frequently used words or special characters. You can navigate through the system using the “trackwheel” that allows you to select an option with a click function on the right side of the device. Certain BlackBerry models incorporate a two-way-radio.  Modern BlackBerry devices have ARM 7 or 9’s processor. While the old BlackBerry 950 and 957 devices consist of Intel 80386 processors, the latest GSM BlackBerry models (8100 and 8700 series) consist of an Intel PXA901 312 MHz processor, 64 MB flash memory, and 16 MB SDRAM. BlackBerry provides solutions to meet the needs of:  Individuals: Everyone can stay in contact with work and home  Enterprise and government customers: With the help of BlackBerry, professionals can keep in contact with their existing email and other enterprise systems  Small/medium business: The “Explore” option of a BlackBerry has the ability to address several wireless requirements of your business A BlackBerry can be used:  As a address book, calendar, and to create to-do lists  To compose, send, and receive messages  As a phone  To access wireless Internet  As a tethered modem  As an organizer  For corporate data access  As a paging service 
  • 6. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3329  Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    BlackBerry Operating System The BlackBerry’s operating system runs on its Intel 80386 microprocessor. The devices that connect to BlackBerry require a built-in RIM wireless modem. The operating system is event-driven, and it supports multitasking and multithreading applications. This operating system makes use of input devices such as the thumbwheel. If a message needs access to the operating system, it is done using the “RimGetMessage ()” Application Programming Interface (API). When the operating system has no applications to process, the processor switches to standby mode. With the help of proprietary BlackBerry APIs, third-party developers can write software, but the applications that have some limited functionality must be digitally signed so that it gives authorship of an application to particular developers. Earlier, BlackBerry software development was based on C++, but the latest models support MDS and Java. Java supports the RIM devices that come with the J2ME MIDP platform. RIM provides a Java Developers Kit that supports a custom application model that is different from the J2ME MIDP specification. JDK consists of the javax.microedition and RIM’s own net.rim.device.api package that supports a host of operating system-specific classes like Bitmap, Application Registry, Keypad, Radio, and Persistent Object. BlackBerry OS 4.6 is the new version of BlackBerry. It has the following features:  Supports of web standards, like AJAX and CSS  1 GB onboard memory and 128 MB flash memory  High capacity, slim 1500 mAhr battery  Tri-band UMTS: 2100/1900/850  3.6 Mbps HSDPA  Supports Wi-Fi technology (802.11a/b/g)  Supports GPS features  Quad-band GSM/GPRS/EDGE  Music synchronization  Clock application – the evolution of the alarm application
  • 7. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3330  Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    How BlackBerry Works The BlackBerry wireless email solution is simple. It works as follows:  Step 1: The BlackBerry enterprise server constantly monitors BlackBerry users’ mailboxes. When a new message arrives in a user's Exchange mailbox, BES picks up that message.  Step 2: After retrieving the message, it gets compressed, encrypted, and sent over the Internet via a wireless network to the BlackBerry server.  Step 3: Now the message is not a readable text message; it gets decrypted only on the destination user's BlackBerry handheld.  Step 4: The server decrypts, decompresses, and then places the email into the Outbox. During this procedure, a copy of the message is placed in the Sent Items folder. The BlackBerry Enterprise Server (BES) uses MAPI for communication with the user's Inbox. Due to MAPI, BES immediately knows about the incoming message. BES supports triple DES security, which helps with secure transmission of the data.
  • 8. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3331  Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited. Figure 36-01: Working of BlackBerry (Source: http://www.freeprotocols.org/)
  • 9. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3332  Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    BlackBerry Serial Protocol BlackBerry Serial Protocol backs up, restores, and synchronizes the data between the BlackBerry device and desktop system. It is comprised of simple packets and single byte return codes. The packets have a similar structure and consist of the following fields:  Packet header (3 bytes)  Command type (1 byte)  Command (1 byte)  Command-dependent packet data (Variable)  Footer (3 bytes) The various packets include:  Normal command packets  Extended packets  ACK packets    
  • 10. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3333  Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited. BlackBerry Serial Protocol: Packet Structure Table 36-01: BlackBerry serial protocol packet structure
  • 11. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3334  Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    Blackjacking Attack Blackjacking means hijacking a BlackBerry connection. Attackers make use of the BlackBerry environment to prevent the security perimeters and directly attack the host of the network. The attacker uses the BBProxy tool to conduct the Blackjacking. It is a security assessment tool which allows the attacker to use BlackBerry devices as a proxy between the Internet and an internal network. The attacker installs BBProxy on the user’s BlackBerry or sends it in email attachment to the target device. On being activated, it establishes a covert channel between attackers and compromised hosts on improperly secured enterprise networks.
  • 12. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3335  Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    BlackBerry Attack Toolkit "BlackBerry Attack Toolkit” contains the BBProxy, BBScan, and relevant MetaSploit patches to exploit the vulnerability of any website. The attacker can hide the malicious software in the handheld that in turn invades the entire network it is connected to.  BBProxy is the tool generally used to attack the BlackBerry device. When this tool gets installed into the device, it allows the device to be used as a proxy between the Internet and the internal network.  BBScan is the BlackBerry port scanner    
  • 13. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3336  Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    BlackBerry Attachment Service Vulnerability Source: ‘http://www.BlackBerry.com/ BlackBerry Attachment Service in BlackBerry Enterprise Server uses a Graphics Device Interface (GDI) component to convert images to a viewable format on the BlackBerry smartphones. Vulnerability is prevalent in the GDI component of Windows while processing Windows Metafile (WMF) and Enhanced Metafile (EMF) images. This vulnerability in the GDI component exposes the BlackBerry Attachment Service to attacks that could allow a malicious user to cause arbitrary code to run on the computer on which the BlackBerry Attachment Service is running. If a BlackBerry smartphone user is on the BlackBerry Enterprise Server with the BlackBerry Attachment Service running, and the BlackBerry smartphone user tries to use the BlackBerry smartphone to open and view a WMF or EMF image attachment in a received email message sent by a user with malicious intent, the computer on which the BlackBerry Attachment Service is running could be compromised.        
  • 14. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3337  Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    TeamOn Import Object ActiveX Control Vulnerability Source: http://www.BlackBerry.com/ The BlackBerry Internet Solution is designed to work with T-Mobile My E-mail to give BlackBerry device users secure and direct access to any combination of registered enterprise, proprietary, Post Office Protocol 3 (POP3), or Internet Message Access Protocol 4 (IMAP4) email accounts on their BlackBerry devices using a single user login account. Vulnerability exists in the TeamOn Import Object Microsoft ActiveX® control used by BlackBerry Internet Service 2.0 on the BlackBerry Internet Service and the T- Mobile My E-mail websites. This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 8.0 (Critical). While using Internet Explorer to view the BlackBerry Internet Service or T-Mobile My E-mail websites that use the TeamOn Import Object ActiveX control, and when trying to install and run the ActiveX control, the ActiveX control introduces the vulnerability to the system. An exploitable buffer overflow exists in the TeamOn Import Object ActiveX control used by the BlackBerry Internet Service and T-Mobile My E-mail websites.
  • 15. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3338  Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    Denial of Service in BlackBerry Browser Source: http://www.BlackBerry.com/ A website creator with malicious intent may use a Hypertext Markup Language (HTML) or Wireless Markup Language (WML) web page that contains a long string value within the link. If the BlackBerry device user accesses the link using the BlackBerry Browser, a temporary denial of service may occur and the BlackBerry device may stop responding. A temporary denial of service vulnerability exists in the BlackBerry Browser. The BlackBerry Browser may stop responding when parsing a long web page address. While in the process of parsing a long web page address, the BlackBerry Browser uses the BlackBerry device’s processing capability. This may cause the BlackBerry device to stop or become slow in responding.  
  • 16. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3339  Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    BlackBerry Security BlackBerry uses a strong encryption scheme to safeguard:  Integrity: Data integrity depends on the security of the encryption protocol used to encrypt the data. Data integrity is generally maintained by using a Message Authentication Code (MAC) producing a unique “digital fingerprint” of a document known as a hash.  Confidentiality: Confidentiality is achieved using various encryption mechanisms  Authenticity: Authenticity is achieved using digital signatures BlackBerry Enterprise Solution provides two types of encryption techniques for all data transmitted between BlackBerry Enterprise Server and BlackBerry smartphones.  Advanced Encryption Standard (AES)  Triple Data Encryption Standard (Triple DES)    
  • 17. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3340  Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    BlackBerry Wireless Security The BlackBerry encryption security mechanism meets United States Military standards. The U.S. government gave the designation 140/2 to BlackBerry, which permits its use by government agencies and the armed forces. During transit between the BES and BlackBerry, BES ensures that your confidential data is secured by using encryption methods such as the Advanced Encryption Standard (AES) and Triple Data Encryption Standard (Triple DES). BES keeps the data encrypted during transit and ensures the data between the BES and the handheld is not decrypted anywhere outside of the corporate firewall. The private encrypted keys are generated in a secure, two-way authenticated environment. The private keys that are used to access BlackBerry devices remotely are stored in the BlackBerry user’s secure mailbox (Microsoft Exchange, IBM, Lotus, Domino, or Novell GroupWise mailbox). Using the private key (which is available from the user’s mailbox), any data that is sent to a BlackBerry device can be encrypted and sent to the device, where it can be decrypted using the key available on that device. The MDS (Mobile Data System) service acts as a secure gateway between the wireless networks, corporate intranets, and the Internet.
  • 18. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3341  Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.     Figure 36-02: BlackBerry Security for Wireless Data (Source: http://www.BlackBerry.com/)
  • 19. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3342  Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    Prerequisites for BlackBerry Forensics The following are the hardware tools:  Faraday cage  RIM BlackBerry Physical Plug-in  StrongHold tent The following are the software tools:  Program Loader  Hex editor  Simulator  BlackBerry Signing Authority Tool
  • 20. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3343                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    Steps for BlackBerry Forensics  Collect the evidence  Document the scene and preserve the evidence  Imaging and profiling  Acquire the information  Review the information  
  • 21. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3344                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    Collect the Evidence Seize BlackBerry handheld devices and computer devices present at the evidence site. Seize the memory devices such as SD and MMC. Collect non-electronic evidence such as written passwords, handwritten notes, computer printouts, etc. While collecting the device, take the following precautions:  While collecting the devices, take precautions to maintain the evidence such as fingerprint on the devices  Evidence should not be damaged  Collect and keep the devices in bags  Stop the unauthorized user from entering the scene and touching the evidence          
  • 22. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3345                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    Document the Scene and Preserve the Evidence Prepare documentation about the scene, which must include the state of all the evidence at the scene. Other than documents, photographs of the evidence are also necessary in the investigation. Take photographs of the scene and all the evidence present there. Evidence and documents must be kept in a secure place to protect them from damage. The main aim to preserve the evidence is to maintain the integrity of the evidence. Keep all evidence in such a way that it should be easily identifiable. If possible, label each piece of evidence with where, when, and how it was found. Secure the BlackBerry device and other evidence while transporting and storing. Secure the devices from mechanical or electrical shock. Maintain a chain of custody of documents, photographs, and evidence.
  • 23. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3346                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.  Radio Control Radio waves can be used to control a device through radio signals. A switched-on BlackBerry device always emits radio waves to accept incoming connections. If a new connection is established using these radio waves, the evidence in the BlackBerry may get tampered or completely spoiled. This makes it necessary to control these radio waves to preserve evidence integrity. There are two different ways to control the wireless signals and maintain the evidentiary value of the device:  Turn off the wireless signals through the main menu  Place the device in a faraday cage when there is no need to interact with the device. The faraday cage will prevent the device from receiving any wireless data that can damage the evidence.
  • 24. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3347                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    Imaging and Profiling in BlackBerry Source: http://www.rh-law.com/ Imaging is the process of creating an exact copy of the contents of a digital device to protect the original one from changes. An image should be taken of the file system as the first step as long the logs are not required or a method of extracting the logs from the image is developed. An image or bit-by-bit backup is acquired using an SDK utility that dumps the contents of the Flash RAM into a file easily examined with a hex editor. The Program Loader, which is used to perform most of the inspection in addition to taking the image, will cause a reset each time it is run. Recalling a reset can mean a file system cleanup. This means that to get a partition table, you risk changing the file system and spoiling the data. One way to work around this is to use the BATCH command. The BATCH command will group all the command switches into one access, so multiple resets can be avoided. The Program Loader is run from the command line: PROGRAMMER [ [-Pport] [-Sspeed] [-Wpassword command    
  • 25. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3348                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    Acquire the Information Source: ‘http://www.rh-law.com/ The radio in the “on” state allows data to be pushed onto the unit, overwriting the previous data, which makes it difficult to retrieve the lost data. Thus, a forensic investigator’s attempt to obtain an unaltered file system becomes more difficult. In order to preserve the unit, turn off the radio immediately. Turn “off” the radio and not the entire unit (including the BlackBerry device) for three specific reasons: 1. The BlackBerry is not really “off” unless power is removed for an extended period of time or the unit is placed in data storage mode. Only the display, keyboard, and radio are shut down when using the GUI to turn off the unit. 2. When the unit is turned on from an “off” mode or a true powered down state, queued items may be pushed to the unit before there is a chance to turn off the radio. 3. A program might be installed on the unit that can accept remote commands via email, by which the owner of the BlackBerry can delete or alter information to mislead the investigator.  If the RIM is off, leave it off  If the RIM is on, turn off the radio  If the RIM is password protected, get the password Turn “off” the radio if the RIM is in the “on” state. If the unit is off at the time of acquisition, take the RIM to a secured location to turn it on and immediately shut down the radio before examination.  
  • 26. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3349                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    Hidden Data in BlackBerry The various methods to perform data hiding on RIM devices are through hidden databases, partition gaps, and obfuscated data. Certain databases that are custom written do not display their icon in the ribbon graphical user interface (GUI). This enables hidden data transport. Rim Walker is a tool that can identify such a database on the subject unit by installing it on that unit. Such a database can be viewed by the SAVEFS Programmer command if it is in unencrypted form. Unused space in the file system can be utilized using the SDK tools. Data stored at the “end” of the available file system space is retained after the device is reset and can be tested with the SAVEFS Programmer command. The data can only be viewed but is not accessible. The gap between the OS/application and files partitions can be used to store information. You can view the partition table using the ALLOC Programmer command. The space between partitions can be used with SAVEFS and LOADFS commands that can load data to such spaces. Attackers may program to directly access the memory and write to the space between the partitions.    
  • 27. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3350                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.      
  • 28. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3351                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    Acquire Logs Information from BlackBerry Source: ‘http://www.rh-law.com/ The initial step for collecting evidence from a BlackBerry is to gather logs. This procedure is in violation of forensic methods because it requires an image to be taken and afterwards wiped from the record of logs on the handheld. Prior to applying the SDK tool, you must access the logs present on the original device and not through the standard user interface. The hidden controls to review logs are Mobitex2 Radio Status, Device Status, Battery Status, and Free Mem. Logs are reviewed by unit control functions:  Mobitex2 Radio Status Provides access to the following four logs: 1. Radio Status: Enumerate the state of radio functions 2. Roam & Radio: Records Base/Area (tower) and Roam (channel) information are recorded with a duration of up to 99 hours per Base/Area/Channel. This log wraps at 16 entries and will not survive a reset. A blank entry represents a radio-off state 3. Transmit/Receive: Records TxRx, gateway MAN addresses, type and size of the data transmitted, and both network and handheld date stamps per transmission 4. Profile String: This is a recorded negotiation with the last utilized radio tower Radio Status:  BlackBerry: Func + Cap + R  Simulator: Ctrl + Shift + R
  • 29. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3352                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited. Figure 36-03: Radio Status  Device Status This function reviewed the logs that give detailed information about memory allocation, port status, file system allocation, and CPU WatchPuppy. Select a line in the Device Status using the rim’s thumbwheel to see detailed information and to access logs. BlackBerry: Func + Cap + B (or V) Simulator: Ctrl + Shift + B (or V) Figure 36-04: Device Status  Battery Status Battery Status provides information on battery type, load, status, and even temperature. Figure 36-05: Battery Status
  • 30. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3353                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.  Free Mem This provides information on memory allocation, common port, file system, WatchPuppy, OTA status, halt, and reset. This value can prove that the unit cleans up the file system when reset. Figure 36-06: Free Mem  Comm Port This indicates the port’s state. The security thread is not unique. Figure 36-07: Comm Port  File System This indicates the basic values for free space and handles. The numbers of handles, which can be found in the SDK guides, are limited. Figure 36-08: File System  WatchPuppy The CPU WatchPuppy logs an entry when an application uses the CPU past a predetermined threshold. It kills processes that do not release the CPU. Figure 36-09: WatchPuppy  Change to You can find the Over the Air (OTA) calendar log in the Change To menu: the OTA logs the last items synchronized via wireless calendaring on 32 lines and provides access to the debugging information.
  • 31. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3354                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited. Figure 36-10: Change to  Halt & Reset Reset causes the unit to re-read the file-system and can trigger a file system cleanup. The items, which are marked as ”deleted” during cleanup will be deleted permanently. At cleanup, the memory is freed for future use, which has to be avoided for a successful forensic investigation. Figure 36-11: Halt & Reset
  • 32. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3355                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    Program Loader Source: http://www.rh-law.com/ Program Loader is an imaging and analysis command line tool. Use the following commands with Program Loader:  SAVEFS: The SAVEFS command writes a hex dump of the RIM’s Flash RAM to FILESYS.DMP, in the same directory as programmer.exe. The file will be exactly equal to the amount of Flash RAM available in the device (i.e. 950 = 4 MB, 957 = 5 MB). View this file with any hex editor. See Appendix A for more hex dump information. Immediately rename and write protect the file. The next time the Program Loader is run with SAVEFS it will overwrite FILESYS.DMP without warning. This is also a good opportunity to hash the file to prove integrity later in the investigation.  DIR: The DIR command lists applications residing on the handheld by memory location. This will be useful later when attempting to emulate the original handheld on a PC. Take note of any non- standard or missing applications. Figure 36-12: List of DIR commands
  • 33. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3356                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.  VER: The VER command lists applications residing on the handheld and corresponding version numbers. This will be useful later when attempting to emulate the original handheld on a PC. Take note of any non-standard or missing applications. Figure 36-13: List of VER commands  MAP: The MAP command displays detailed Flash and SRAM maps.
  • 34. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3357                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited. Figure 36-14: List of MAP commands  ALLOC: The ALLOC command displays a “partition table” that lists the breakpoints between application memory and file system memory. Take note of any unused sectors and any difference between the end of the files area and the start of the OS and application area. These do not have to be the same and is an excellent example of how data hiding can occur on a RIM device.
  • 35. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3358                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited. Figure 36-15: List of ALLOC commands  BATCH filename: The BATCH command groups the previous commands into a single communication session with the RIM device. This author’s testing has shown that all of the commands are compatible within the same batch, with the exception of the SAVEFS or LOADFS options. These must be performed separately, which is why the SAVEFS image should come before all of the others. The amount of free space can possibly change during an initialization. Since a cleanup may erase previously retrievable data, it makes sense to perform the image first.  Wpassword: Switch on the BATCH command line or on the first line of the batch file if a password is required.
  • 36. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3359                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    Review of Information Source: http://www.rh-law.com/ Using hexdump, there are two options to review the information: 1. Manual review of the hex files using a hex editor enables access to the file system including the deleted records (indicated by byte 3 of the file header). 2. Load the hex file into the BlackBerry SDK Simulator for review. The SDK enables to decode dates on the expired records.  Hex Editor Figure 36-16: Extract from file dump created using PROGRAMMER SAVEFS  Simulator The Simulator operates in exactly the same manner as a handheld BlackBerry with the additional convenience of PC keyboard manipulation. You can load the dump file into the BlackBerry SDK Simulator using hex dump without handling the original unit. Procedure to simulate BlackBerry: 1. Rename the FILESYS.DMP file as following build rules: “FS” “HH” if an 857/957 “Pgr” if an 850/950 “Mb” if Mobitex or “Dt” if Datatac “.DMP” 2. Now the Mobitex pager style BlackBerry has a load file “FSPgrMb.DMP.”
  • 37. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3360                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited. 3. During the loading, if you place the DMP file in the same directory as the Simulator and all ancillary Simulator options are set to match, the file (do not mark it read-only) will be substituted for the default blank file system. The file will be overwritten to match the last state of the simulator while exiting the Simulator. 4. Set the Simulator to exactly match its Flash memory size to that of the DMP file. However, you can use a file that is smaller than the available Flash; FFh will be appended to the image file to make it match the size set in the simulator. Figure 36-17: Screenshot for Simulator options 5. Set the Simulator to match the network and model of the investigated unit. Figure 36-18: Screenshot for Simulator settings 6. Load the applications from those available in the SDK. In this stage, the DIR listing acquired in the earlier evidence acquisition will become useful. Figure 36-19: Screenshot for application loading For example, in the following figure, you can identify that the default applications of a Mobitex BlackBerry are loaded. The default applications are the same to all the models with other applications being added with respect to that model.
  • 38. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3361                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited. Figure 36-20: Screenshot of loaded Mobitex BlackBerry applications 7. Select the “control”, “start simulation” to “Run” the simulator. Figure 36-21: Screenshot to run the Simulator 8. To connect the Simulator to a serial port on a PC, run the following command: OSLoader.exe OsPgrMb.dll /s1
  • 39. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3362                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    Best Practices for Protecting Stored Data The following are some of the best practices for protecting the stored data:  Make password authentication mandatory through the customizable IT policies of the BlackBerry enterprise server  To increase protection from unauthorized parties, there is no staging area between the server and the BlackBerry device where the data is decrypted  Clean the BlackBerry device’s memory  Protect the stored messages on the messaging server  Encrypt the application password and storage on the BlackBerry device  Protect storage of the user’s data on a locked BlackBerry device  Limit the password authentication to 10 attempts  Use Advanced Encryption Standard (AES) technology to secure the storage of the password keeper and the password entries on the BlackBerry device (e.g. banking passwords and PINs)    
  • 40. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3363                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    BlackBerry Signing Authority Tool Source: http://www.BlackBerry.com/ The BlackBerry Signing Authority Tool enables developers to protect the data and intellectual property of their applications. Developers can manage access to sensitive APIs and data using public and private signature keys. Administrators can select and access specific APIs and data stores. The tool validates the authenticity of a signature request using private/public key cryptography. The administrator can configure the tool to either restrict internal developers or allow external developers to request and receive signature access to specific APIs and data stores. Signature requests can be tracked and accepted or rejected based on administrator control. The BlackBerry Signing Authority Tool supports all versions of the BlackBerry Java Development Environment (JDE) and applications created for Java- based BlackBerry devices.    
  • 41. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3364                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    Forensics Tool: RIM BlackBerry Physical Plug-in Source: http://www.paraben-forensics.com/ The RIM BlackBerry device physical plug-in allows you to perform a physical acquisition from most types of RIM BlackBerry devices. The BlackBerry plug-in allows you to acquire the following data from the devices:  Address book  Auto text  Calendar  Categories  File system (from content store database)  Handheld agent  Hotlist  Memo  Messages  Phone call  Profiles  Quick contacts  Service book  SMS  Task        
  • 42. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3365                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    ABC Amber BlackBerry Converter Source: http://www.processtext.com/ ABC Amber BlackBerry Converter is a very useful tool that converts emails, contacts, SMS messages, PIN messages, autotext entries, calendar events, phone hotlist entries, memos, phone call logs, tasks, etc. from IPD (BlackBerry backup) files to any format (PDF, HTML, CHM, RTF, HLP, TXT, DOC, MDB, XLS, CSV, etc.) easily and quickly.  Reads IPD (BlackBerry backup) files and exports selected messages, contacts, SMS messages, PIN messages, autotext entries, calendar events, memos, phone call logs, phone hotlist entries, and tasks to a single file of any document format: PDF format (Adobe Acrobat doesn't need to be installed), RTF format (also doesn't require MS Word to be installed), hypertext HTML format, text format, MS DOC format, popular CHM format, old good HLP format, and many more (Access, Excel, DBF, etc.)  Generates contents with bookmarks (in RTF, DOC, PDF and HTML) and hyperlinks in the output file  Supports column sorting  Displays selected message (or contact)  Supports advanced PDF export options (document information, 40/128 bits PDF encryption, PDF security options, page size, page orientation and page margins, resolution mode, compression mode, viewer options)  Supports multiple CHM and HLP export options  Exports messages to TIFF and DCX (multipage)  Converts messages to EML in bulk. You can then drag those *.eml files and drop them into an MS Outlook Express folder.  Website Creator for BlackBerry, Advanced CHM Maker  Converts BlackBerry items to LIT (MS Reader), RB (Rocket eBook), FB2 (FictionBook), and PDB (Palm)  Extracts text of MMS messages  Exports browser URLs and browser bookmarks  Supports Extended MAPI
  • 43. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3366                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.  Converts contacts to VCF (vCard), emails to MSG (Outlook), calendar events to VCS (vCalendar)  Allows to transfer emails to Novell GroupWise (since 6.44)  Command line support, multiple language support, skin support and more    Figure 36-22: Screenshot of ABC Amber BlackBerry Converter 
  • 44. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3367                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    Pocket PC Source: http://www.datadoctor.in/ Pocket PC is the Windows-based tool that can be used to extract all detailed information of Windows- based mobile devices for evidence usage. The handheld PC forensic utility is used to collect data from all PDAs or equivalent digital devices for forensic analysis and scientific investigation. The smartphone investigator utility is fully capable to capture detailed information from mobile phones, such as Windows registry records, database records, mobile processor architecture, and other related information of cell phone devices. The Windows powered cell phone examiner tool is helpful to examine the other relevant information of a cellular phone, including SMS (sent or received messages), call history (call duration and call log), last dialed and received number, and saved files/folders (music, pictures, images, text documents etc) history. The Pocket PC data extraction application provides mobile phone information including model number with manufacturer name, SIM IMSI number, mobile IMEI number, battery status, and signal quality. Easy to use multimedia mobile phone forensic software is used in the field of forensic investigation to identify any data theft. The following are the features of the Pocket PC:  Extract all detailed information of Windows-based pocket PC or PDA mobile phone devices such as OS registry records, database records, all saved files, and folder information  Examine the information about saved text messages, call history, mobile model number with manufacturer name, IMEI number, sim IMSI number, battery status, and signal quality  Generate text reports of extracted cell phone information for further use  Support all major brands and companies of multimedia cell phone devices  Useful for scientific investigation and forensic use  User friendly software utility is easily understandable by layman users  Easy to use software facilitates with systematic help menu for user’s assistance
  • 45. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3368                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.   Figure 36-23: Screenshot of Pocket PC   
  • 46. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3369                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    ABC Amber vCard Converter Source: http://www.processtext.com/ ABC Amber vCard Converter is a useful tool that converts contacts from your VCF (vCard) files to many document formats (PDF, MS Word, HTML, RTF, TXT and others). The following are the features of the ABC Amber vCard Converter:  Reads VCF (vCard) files  Exports selected contacts to a single file of any document format: PDF format (Adobe Acrobat doesn't need to be installed), RTF format (also doesn't require MS Word to be installed), hypertext HTML format, text format, MS DOC format, popular CHM format, old good HLP format, and many more  Generates contents with bookmarks and hyperlinks in the output file  Command line support  Supports column sorting in ascending and descending order  Supports multiple PDF export options (document information, 40/128 bits PDF encryption, advanced PDF security options, page size, page orientation and page margins, resolution mode, compression mode, viewer options)  Supports multiple CHM and HLP export options  Displays selected contact, saves it to disk and prints it to printer  Multiple language support  Exports contacts to TIFF and DCX (multipage)  Converts contacts to IPD (BlackBerry)  Converts contacts to MS Outlook directly
  • 47. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3370                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    Figure 36-24: Screenshot of ABC Amber vCard Converter
  • 48. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3371                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.    BlackBerry Database Viewer Plus Source: http://www.cellica.com/ Wireless Database Viewer Plus allows you to be more productive by allowing you to view and update database contents on your BlackBerry. Wireless Database Viewer Plus allows you to sync with Microsoft Access, Microsoft Excel, and any ODBC-compliant database like Oracle, SQL Server, etc. The following are the features of the BlackBerry Database Viewer Plus:  Get any desktop data wirelessly on your BlackBerry device   Push only updated desktop data to the BlackBerry automatically   Apply SQL select queries, filters, sort the fields and push data according to it   Supported databases: MS Access, MS Excel, Oracle, SQL Server, FoxPro, dBase and any ODBC- compliant database   Make a phone call for the selected field's numeric contents, which will be treated as a phone number   Find and find again option to search a record   Easy navigation in both record and grid view using shortcut keys    Data is secured as 128 bit AES used for encryption   Supports unicode language database such as Japanese, Chinese, Korean, Russian, etc.      Figure 36-25: Screenshot of BlackBerry Database Viewer Plus
  • 49. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3372                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited.   Summary  BlackBerry is a personal wireless handheld device that supports email, mobile phone capabilities, text messaging, web browsing, and other wireless information services  BlackBerry OS 4.6 is the new version of BlackBerry  It uses encryption to protect integrity, confidentiality, and authenticity of the data  BlackBerry Serial Protocol backs up, restores, and synchronizes the data between the BlackBerry handheld unit and the desktop software  Make password authentication mandatory through the customizable IT policies of the BlackBerry enterprise server  Blackjacking is the process of using the BlackBerry environment to circumvent perimeter defenses and directly attacking hosts on a enterprise networks  "BlackBerry Attack Toolkit” contains the BBProxy, BBScan, and relevant MetaSploit patches to exploit the vulnerability of any website  Imaging is the process of creating an exact copy of contents of a digital device to protect the original one from changes  The radio in the “on” state allows data to be pushed onto the unit, overwriting the previous data, which makes it difficult to retrieve the lost data  Program Loader is an imaging and analysis command line tool  Use AES technology to secure the storage of the password keeper and the password entries on the BlackBerry device (e.g. banking passwords and PINs)  The RIM BlackBerry device physical plug-in allows you to perform a physical acquisition from most types of RIM BlackBerry devices 
  • 50. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3373                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited. Exercise: 1. How does a BlackBerry work? 2. Write a summary about the BlackBerry Serial Protocol. 3. Explain the different BlackBerry attacks. 4. List the different vulnerabilities in a BlackBerry.
  • 51. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3374                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited. 5. Describe the process for BlackBerry forensics. 6. How do you acquire log information from a BlackBerry? 7. Give a brief description of BlackBerry wireless security. 8. List some of the BlackBerry forensic tools. 9. Why is radio control necessary to preserve evidence in a BlackBerry?
  • 52. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3375                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited. 10. What are the best practices for protecting stored data?
  • 53. Computer Hacking Forensic Investigator Exam 312-49 BlackBerry Forensics Module XXXVI Page | 3376                                                      Computer Hacking Forensic Investigator Copyright © by EC-Council                                                                                                                                                      All Rights Reserved. Reproduction is Strictly Prohibited. Hands-On 1. Connect the BlackBerry to the forensic computer via a USB cable and examine the contents of the BlackBerry device. 2. See the contents such as hidden files, email content, phone call data, security event log, and system settings in the BlackBerry. 3. What is the version and make of the operating system running your BlackBerry?  

×