Computer Hacking Forensic Investigator Exam 312-49
BlackBerry Forensics
Module XXXVI Page | 3323 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Computer Hacking Forensic Investigator (CHFI)
Module XXXVI: BlackBerry Forensics
Exam 312-49
News: Police Join AG BlackBerry Investigation
Source: http://www.10tv.com/
Police joined the search for a BlackBerry as they suspected that it may hold evidence related to a general
investigation.
Paul Aker reported that detectives were dusting Jen Urban’s (an attorney in the attorney general’s office)
apartment for fingerprints as she said that her BlackBerry and other items were stolen from the
apartment.
“It’s unfortunate,” Urban told 10 investigators. “A lot of my personal belongings were taken. I do not know
the motivation behind it.”
Aker reported that:
State investigators said they were "very curious" about the timing
The burglary took place just hours after an unannounced sweep of Attorney General Marc Dann's
office by the Inspector General
Inspector General Thomas Charles locked down all the computers, including the one belonging to Urban
Charles said that his office wants to find Urban’s missing BlackBerry
According to investigators in their final report, the device could contain important information, since they
suspect that Urban was romantically linked to Leo Jennings III, who served as Dann's communications
director.
Urban stated that someone walked inside the apartment at about 5 a.m. and took her television, along
with her purse and BlackBerry. Continuing with this, she told police that the crime happened while she
was on the back patio where Jessica Utovich, Dann’s former scheduler, was on her couch.
Later, she changed her statement by saying that Utovich was out during the burglary.
To support the later statement she said that, “It is discerned at this time that the items were taken before
she rested on the couch.”
Aker further reported that 10 investigators learned that the Inspector General had seized a BlackBerry
belonging to Tom Winters, who took over as acting Attorney General when Dann resigned.
The women who were sexually harassed inside Dann's office claimed that Winters knew about some of the
problems in January but failed to act; Winters declined to comment.
Module Objective
This module will familiarize you with:
BlackBerry
BlackBerry Operating System
How BlackBerry Works
BlackBerry Serial Protocol
Blackjacking Attack
BlackBerry Security
BlackBerry Forensics
Best Practices
Forensics Tools
Module Flow
BlackBerry
In 1999, Research In Motion (RIM) introduced the BlackBerry wireless handheld device. It provides a
number of applications such as email, mobile telephony, text messaging, Internet faxing, web browsing,
and other wireless information services. Initially, it focused on email. BlackBerry transports data
over the wireless data networks of mobile phone service companies.
BlackBerry has a small built-in QWERTY keyboard, with an "Alt" key for entering numbers and special
characters. It has a configurable "AutoText" feature that expands a list of frequently used words or
special characters. You navigate the system with the "trackwheel" on the right side of the device, which
selects an option when clicked. Certain BlackBerry models incorporate a two-way radio.
Modern BlackBerry devices use ARM7 or ARM9 processors. The old BlackBerry 950 and 957 devices used
Intel 80386 processors, while the later GSM models (the 8100 and 8700 series) use an Intel PXA901
312 MHz processor, 64 MB of flash memory, and 16 MB of SDRAM.
BlackBerry provides solutions to meet the needs of:
Individuals: Everyone can stay in contact with work and home
Enterprise and government customers: With the help of BlackBerry, professionals can keep in
contact with their existing email and other enterprise systems
Small/medium business: The “Explore” option of a BlackBerry has the ability to address several
wireless requirements of your business
A BlackBerry can be used:
As an address book, calendar, and to create to-do lists
To compose, send, and receive messages
As a phone
To access wireless Internet
As a tethered modem
As an organizer
For corporate data access
As a paging service
BlackBerry Operating System
On the early 950 and 957 devices, the BlackBerry operating system runs on an Intel 80386 microprocessor;
each device also carries a built-in RIM wireless modem. The operating system is event-driven, and it
supports multitasking and multithreaded applications. It takes input from devices such as the
thumbwheel. An application retrieves events from the operating system through the "RimGetMessage()"
Application Programming Interface (API). When no application has work to do, the processor switches to
standby mode.
Third-party developers can write software against the proprietary BlackBerry APIs, but applications that
use certain restricted functionality must be digitally signed, which ties the application to a particular
developer.
Earlier, BlackBerry software development was based on C++, but later models support MDS and Java.
These RIM devices run Java on the J2ME MIDP platform. RIM provides a Java Development Kit that
supports a custom application model different from the J2ME MIDP specification. The JDK consists of the
javax.microedition packages and RIM's own net.rim.device.api package, which supplies operating
system-specific classes such as Bitmap, Application Registry, Keypad, Radio, and Persistent Object.
BlackBerry OS 4.6 is the current version at the time of writing. The OS, and the hardware it ships on,
offer the following features:
Supports of web standards, like AJAX and CSS
1 GB onboard memory and 128 MB flash memory
High capacity, slim 1500 mAhr battery
Tri-band UMTS: 2100/1900/850
3.6 Mbps HSDPA
Supports Wi-Fi technology (802.11a/b/g)
Supports GPS features
Quad-band GSM/GPRS/EDGE
Music synchronization
Clock application – the evolution of the alarm application
How BlackBerry Works
The BlackBerry wireless email solution is simple. It works as follows:
Step 1: The BlackBerry Enterprise Server (BES) constantly monitors BlackBerry users' mailboxes. When
a new message arrives in a user's Exchange mailbox, BES picks up that message.
Step 2: BES compresses and encrypts the message and sends it over the Internet and the wireless
network to the user's BlackBerry handheld.
Step 3: In transit the message is not readable text; it is decrypted only on the destination user's
BlackBerry handheld.
Step 4: In the reverse direction, a message composed on the handheld travels encrypted to BES, which
decrypts and decompresses it and places the email into the user's Outbox. During this procedure, a copy
of the message is placed in the Sent Items folder.
BES uses MAPI to communicate with the user's Inbox, so BES learns of an incoming message immediately.
BES encrypts the traffic with Triple DES (AES on later versions), which secures the data in transmission.
Figure 36-01: Working of BlackBerry (Source: http://www.freeprotocols.org/)
BlackBerry Serial Protocol
The BlackBerry Serial Protocol backs up, restores, and synchronizes data between the BlackBerry device
and the desktop system. It consists of simple packets and single-byte return codes.
The packets have a similar structure and consist of the following fields:
Packet header (3 bytes)
Command type (1 byte)
Command (1 byte)
Command-dependent packet data (Variable)
Footer (3 bytes)
The various packets include:
Normal command packets
Extended packets
ACK packets
BlackBerry Serial Protocol: Packet Structure
Table 36-01: BlackBerry serial protocol packet structure
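The framing described above, as an added example written for this module rather than code from RIM: a small builder and parser for packets laid out as header, command type, command, data, and footer, together with the single-byte return codes the protocol also uses. The field widths come from the page; the actual header and footer byte values, the command-type codes, and the return-code value are not given on the page and are constructed placeholders here, and because no length field is listed, the parser delimits a packet by its footer and assumes the footer sequence does not occur inside packet data.

```python
"""Framing helper for the BlackBerry serial protocol layout described above.

Added example, not RIM's code. Field widths (3-byte header, 1-byte command
type, 1-byte command, variable-length data, 3-byte footer) and the existence
of single-byte return codes come from the page. The byte values of HEADER,
FOOTER, the three command-type codes and RC_ACK are constructed placeholders,
and since the page lists no length field, packets are delimited by the footer.
"""

HEADER = bytes.fromhex("aa5501")                       # assumed framing bytes
FOOTER = bytes.fromhex("0255aa")                       # assumed framing bytes
CMD_NORMAL, CMD_EXTENDED, CMD_ACK = 0x01, 0x02, 0x03   # assumed type codes
RC_ACK = 0x06                                          # assumed single-byte return code
MIN_LEN = len(HEADER) + 2 + len(FOOTER)                # smallest legal packet: no data


class FramingError(ValueError):
    pass


def build_packet(cmd_type: int, command: int, data: bytes = b"") -> bytes:
    """Lay out header | command type | command | data | footer."""
    for name, value in (("cmd_type", cmd_type), ("command", command)):
        if not 0 <= value <= 0xFF:
            raise ValueError(f"{name} must fit in one byte, got {value!r}")
    if FOOTER in data:
        # With no length field the receiver could not tell where this packet ends.
        raise FramingError("data contains the footer sequence; packet would be ambiguous")
    return HEADER + bytes((cmd_type, command)) + data + FOOTER


def parse_stream(buf: bytes) -> list:
    """Split a captured host<->handheld byte stream into packets and return codes.

    Returns ("packet", cmd_type, command, data) for each framed packet and
    ("rc", code) for each byte that does not begin a header, which is how the
    single-byte return codes appear on the wire.
    """
    items = []
    i = 0
    while i < len(buf):
        if not buf.startswith(HEADER, i):
            items.append(("rc", buf[i]))
            i += 1
            continue
        if len(buf) - i < MIN_LEN:
            raise FramingError(f"truncated packet at offset {i}")
        body_start = i + len(HEADER) + 2            # skip header, type, command
        end = buf.find(FOOTER, body_start)
        if end < 0:
            raise FramingError(f"unterminated packet at offset {i}")
        cmd_type, command = buf[i + len(HEADER)], buf[i + len(HEADER) + 1]
        items.append(("packet", cmd_type, command, bytes(buf[body_start:end])))
        i = end + len(FOOTER)
    return items


def describe(item) -> str:
    """One-line rendering of a parsed item for a log or report."""
    if item[0] == "rc":
        return f"return code 0x{item[1]:02x}"
    _, cmd_type, command, data = item
    kind = {CMD_NORMAL: "normal", CMD_EXTENDED: "extended", CMD_ACK: "ack"}.get(
        cmd_type, f"type 0x{cmd_type:02x}")
    return f"{kind} packet, command 0x{command:02x}, {len(data)} data byte(s): {data.hex()}"


if __name__ == "__main__":
    # Constructed exchange: host sends a normal command with 2 data bytes; the
    # handheld answers with a single-byte return code followed by an ACK packet.
    wire = (build_packet(CMD_NORMAL, 0x10, b"\x01\x02")
            + bytes([RC_ACK])
            + build_packet(CMD_ACK, 0x10))
    for item in parse_stream(wire):
        print(describe(item))
```

When capturing a real session, run the captured bytes through `parse_stream` and check that every packet is accounted for; a `FramingError` usually means the capture was cut mid-packet or the assumed framing constants do not match the device.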
Blackjacking Attack
Blackjacking means hijacking a BlackBerry connection. The attacker uses the BlackBerry environment to
bypass the security perimeter and attack hosts on the internal network directly. The tool used to conduct
Blackjacking is BBProxy, a security assessment tool that lets the attacker use a BlackBerry device as a
proxy between the Internet and an internal network. The attacker installs BBProxy on the user's
BlackBerry or sends it to the target device as an email attachment. Once activated, it establishes a covert
channel between the attacker and hosts on an improperly secured enterprise network.
BlackBerry Attack Toolkit
The "BlackBerry Attack Toolkit" contains BBProxy, BBScan, and related Metasploit patches. An attacker
can hide the malicious software on the handheld, which is then used to reach into the network the
handheld is connected to.
BBProxy is the tool generally used to attack through the BlackBerry device. Once installed on the
device, it allows the device to be used as a proxy between the Internet and the internal network.
BBScan is a BlackBerry port scanner.
BlackBerry Attachment Service Vulnerability
Source: ‘http://www.BlackBerry.com/
BlackBerry Attachment Service in BlackBerry Enterprise Server uses a Graphics Device Interface (GDI)
component to convert images to a viewable format on BlackBerry smartphones. The vulnerability lies in
the GDI component of Windows, in its processing of Windows Metafile (WMF) and Enhanced Metafile
(EMF) images. It exposes the BlackBerry Attachment Service to attacks that could allow a malicious user
to run arbitrary code on the computer on which the BlackBerry Attachment Service is running. If a
BlackBerry smartphone user is on a BlackBerry Enterprise Server with the BlackBerry Attachment Service
running, and the user tries to open and view a WMF or EMF image attachment in an email message sent
by a malicious user, the computer on which the BlackBerry Attachment Service is running could be
compromised.
TeamOn Import Object ActiveX Control Vulnerability
Source: http://www.BlackBerry.com/
The BlackBerry Internet Solution is designed to work with T-Mobile My E-mail to give BlackBerry device
users secure and direct access to any combination of registered enterprise, proprietary, Post Office
Protocol 3 (POP3), or Internet Message Access Protocol 4 (IMAP4) email accounts on their BlackBerry
devices using a single user login account. A vulnerability exists in the TeamOn Import Object Microsoft
ActiveX control used by BlackBerry Internet Service 2.0 on the BlackBerry Internet Service and T-Mobile
My E-mail websites.
This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 8.0 (Critical). While using
Internet Explorer to view the BlackBerry Internet Service or T-Mobile My E-mail websites that use the
TeamOn Import Object ActiveX control, and when trying to install and run the ActiveX control, the
ActiveX control introduces the vulnerability to the system. An exploitable buffer overflow exists in the
TeamOn Import Object ActiveX control used by the BlackBerry Internet Service and T-Mobile My E-mail
websites.
Denial of Service in BlackBerry Browser
Source: http://www.BlackBerry.com/
A website creator with malicious intent may build a Hypertext Markup Language (HTML) or Wireless
Markup Language (WML) web page containing a link with a very long string value. If the BlackBerry
device user follows the link in the BlackBerry Browser, a temporary denial of service may occur and the
BlackBerry device may stop responding.
A temporary denial of service vulnerability exists in the BlackBerry Browser: it may stop responding
when parsing a long web page address. While parsing the long address, the BlackBerry Browser consumes
the device's processing capacity, which may cause the device to stop or become slow in responding.
BlackBerry Security
BlackBerry uses strong cryptography to safeguard:
Integrity: A Message Authentication Code (MAC) computed over the data with a secret key produces a
"digital fingerprint" that an attacker cannot recompute after altering the data. A plain hash alone does
not give this protection, since anyone can recompute it; data integrity therefore depends on the MAC
key staying secret, just as confidentiality depends on the encryption key.
Confidentiality: Confidentiality is achieved using encryption
Authenticity: Authenticity is achieved using digital signatures
BlackBerry Enterprise Solution provides two types of encryption techniques for all data transmitted
between BlackBerry Enterprise Server and BlackBerry smartphones.
Advanced Encryption Standard (AES)
Triple Data Encryption Standard (Triple DES)
BlackBerry Wireless Security
The BlackBerry encryption mechanism meets United States military standards. Its cryptographic module
is validated under FIPS 140-2, which permits its use by U.S. government agencies and the armed forces.
During transit between the BES and BlackBerry, BES ensures that your confidential data is secured by
using encryption methods such as the Advanced Encryption Standard (AES) and Triple Data Encryption
Standard (Triple DES).
BES keeps the data encrypted during transit and ensures the data between the BES and the handheld is
not decrypted anywhere outside of the corporate firewall.
The per-device encryption keys are generated in a secure, two-way authenticated environment. The keys
used to communicate with BlackBerry devices remotely are stored in the BlackBerry user's secure
mailbox (Microsoft Exchange, IBM Lotus Domino, or Novell GroupWise) and on the handheld.
Using the key from the user's mailbox, BES encrypts any data sent to a BlackBerry device, and the device
decrypts it with its own copy of the key.
The MDS (Mobile Data System) service acts as a secure gateway between the wireless networks, corporate
intranets, and the Internet.
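The message path from "How BlackBerry Works" and the integrity, confidentiality, and key-handling points of the two security sections above, as one added example written for this module (not RIM's code). BES compresses and encrypts with the per-device key, the carrier and relay see only ciphertext, and the handheld verifies a keyed MAC before decrypting; the same check rejects a bit flipped in transit, and a final pair of functions shows why an unkeyed hash is not a MAC. AES/Triple DES is stood in for by an HMAC-SHA256 counter-mode keystream so that the example needs only the standard library; that substitution, the key derivation, and the envelope layout are assumptions of this example, not the product's design.

```python
"""BES-to-handheld message path, as an added example that is not RIM's code.

Per the page: BES compresses and encrypts with a per-device key that exists
only in the user's mailbox and on the handheld, intermediaries forward
ciphertext they cannot read, and the handheld decrypts. Integrity comes from a
keyed MAC, confidentiality from encryption. Assumptions of this example:
AES/Triple DES is replaced by an HMAC-SHA256 counter-mode keystream, and the
envelope is 16-byte nonce | ciphertext | 32-byte tag (encrypt-then-MAC).
"""
import hashlib
import hmac
import os
import zlib

NONCE_LEN, TAG_LEN, BLOCK = 16, 32, 32


def derive_keys(device_key: bytes):
    """Split the activation key into independent encryption and MAC keys (assumed)."""
    enc = hmac.new(device_key, b"bes-enc", hashlib.sha256).digest()
    mac = hmac.new(device_key, b"bes-mac", hashlib.sha256).digest()
    return enc, mac


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), BLOCK)):
        ks = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + BLOCK], ks))
    return bytes(out)


def bes_push(device_key: bytes, message: bytes) -> bytes:
    """BES side: compress, encrypt, then tag. Only the envelope leaves the firewall."""
    enc_key, mac_key = derive_keys(device_key)
    nonce = os.urandom(NONCE_LEN)
    body = keystream_xor(enc_key, nonce, zlib.compress(message))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def handheld_receive(device_key: bytes, envelope: bytes) -> bytes:
    """Handheld side: check the MAC before decrypting; reject on any mismatch."""
    if len(envelope) < NONCE_LEN + TAG_LEN:
        raise ValueError("envelope too short")
    enc_key, mac_key = derive_keys(device_key)
    nonce, body, tag = envelope[:NONCE_LEN], envelope[NONCE_LEN:-TAG_LEN], envelope[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):        # constant-time comparison
        raise ValueError("MAC check failed: message altered in transit or wrong device key")
    return zlib.decompress(keystream_xor(enc_key, nonce, body))


def tamper(envelope: bytes, offset: int) -> bytes:
    """What a relay or carrier could do to a passing envelope: flip one bit."""
    altered = bytearray(envelope)
    altered[offset] ^= 0x01
    return bytes(altered)


# Why the MAC must be keyed: an unkeyed hash appended to the data can be
# recomputed by anyone who alters the data, so it catches accidents, not attackers.
def hash_only_seal(body: bytes) -> bytes:
    return body + hashlib.sha256(body).digest()


def hash_only_verify(sealed: bytes) -> bool:
    return hashlib.sha256(sealed[:-TAG_LEN]).digest() == sealed[-TAG_LEN:]


if __name__ == "__main__":
    key = os.urandom(32)                                   # per-device key from activation
    msg = b"Board meeting moved to 15:00, room 4B."        # constructed message
    env = bes_push(key, msg)
    print("relay sees plaintext:", b"Board meeting" in env)
    print("handheld reads:", handheld_receive(key, env))
    try:
        handheld_receive(key, tamper(env, NONCE_LEN))
    except ValueError as e:
        print("tampered envelope rejected:", e)
    forged = hash_only_seal(b"Board meeting cancelled.")
    print("unkeyed hash accepts attacker's rewrite:", hash_only_verify(forged))
```

The order matters: the handheld compares the tag before it touches the ciphertext, so a corrupted or forged envelope never reaches the decompressor, and the tag covers the nonce so an intermediary cannot swap nonces between envelopes.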
Figure 36-02: BlackBerry Security for Wireless Data (Source: http://www.BlackBerry.com/)
Prerequisites for BlackBerry Forensics
The following are the hardware tools:
Faraday cage
RIM BlackBerry Physical Plug-in
StrongHold tent
The following are the software tools:
Program Loader
Hex editor
Simulator
BlackBerry Signing Authority Tool
Steps for BlackBerry Forensics
Collect the evidence
Document the scene and preserve the evidence
Imaging and profiling
Acquire the information
Review the information
Collect the Evidence
Seize the BlackBerry handheld devices and computer devices present at the evidence site. Seize memory
devices such as SD and MMC cards. Collect non-electronic evidence such as written passwords, handwritten
notes, computer printouts, etc.
While collecting the devices, take the following precautions:
Take care to preserve evidence such as fingerprints on the devices
Evidence should not be damaged
Collect and keep the devices in evidence bags
Stop unauthorized persons from entering the scene and touching the evidence
Document the Scene and Preserve the Evidence
Prepare documentation about the scene, which must include the state of all the evidence at the scene.
Other than documents, photographs of the evidence are also necessary in the investigation. Take
photographs of the scene and all the evidence present there.
Evidence and documents must be kept in a secure place to protect them from damage. The main aim to
preserve the evidence is to maintain the integrity of the evidence. Keep all evidence in such a way that it
should be easily identifiable. If possible, label each piece of evidence with where, when, and how it was
found. Secure the BlackBerry device and other evidence while transporting and storing. Secure the devices
from mechanical or electrical shock. Maintain a chain of custody of documents, photographs, and
evidence.
Radio Control
A switched-on BlackBerry keeps its radio active so that it can accept incoming connections. If a new
connection is established over the radio, data pushed to the device may alter or destroy evidence. It is
therefore necessary to control the radio to preserve evidence integrity. There are two ways to control the
wireless signals and maintain the evidentiary value of the device:
Turn off the wireless signals through the main menu
Place the device in a Faraday cage whenever there is no need to interact with it. The Faraday cage
prevents the device from receiving any wireless data that could damage the evidence.
Imaging and Profiling in BlackBerry
Source: http://www.rh-law.com/
Imaging is the process of creating an exact copy of the contents of a digital device so that the original is
protected from changes. An image of the file system should be taken as the first step, as long as the logs
are not required or a method of extracting the logs from the image has been developed. An image, or
bit-by-bit backup, is acquired using an SDK utility that dumps the contents of the flash RAM into a file
that can be examined with a hex editor. The Program Loader, which is used to take the image and to
perform most of the inspection, causes a reset each time it is run. Recall that a reset can trigger a file
system cleanup. This means that merely obtaining a partition table risks changing the file system and
spoiling the data. One way to work around this is the BATCH command, which groups all the command
switches into one access so that multiple resets are avoided. The Program Loader is run from the
command line:
PROGRAMMER [-Pport] [-Sspeed] [-Wpassword] command
Acquire the Information
Source: ‘http://www.rh-law.com/
With the radio in the "on" state, data can be pushed onto the unit, overwriting previous data and making
lost data harder to retrieve. A forensic investigator's attempt to obtain an unaltered file system therefore
becomes more difficult. To preserve the unit, turn off the radio immediately. Turn off the radio rather
than the entire unit, for three specific reasons:
1. The BlackBerry is not really "off" unless power is removed for an extended period of time or the
unit is placed in data storage mode. Only the display, keyboard, and radio are shut down when the
GUI is used to turn off the unit.
2. When the unit is turned on from an "off" mode or a true powered-down state, queued items may
be pushed to the unit before there is a chance to turn off the radio.
3. A program might be installed on the unit that accepts remote commands via email, by which the
owner of the BlackBerry can delete or alter information to mislead the investigator.
If the RIM is off, leave it off
If the RIM is on, turn off the radio
If the RIM is password protected, get the password
If the unit is off at the time of acquisition, take the RIM to a secured location, turn it on, and immediately
shut down the radio before examination.
Hidden Data in BlackBerry
Data can be hidden on RIM devices through hidden databases, partition gaps, and obfuscated data. A
custom-written database can omit its icon from the ribbon graphical user interface (GUI), which allows
hidden data transport. Rim Walker is a tool that, when installed on the subject unit, can identify such a
database. The database can be viewed in the dump produced by the SAVEFS Programmer command if it is
unencrypted. Unused space in the file system can be used through the SDK tools.
Data stored at the "end" of the available file system space is retained after the device is reset; it can be
examined in a SAVEFS dump, where it is visible but not accessible through the normal interface.
The gap between the OS/application partition and the files partition can also be used to store
information. View the partition table with the ALLOC Programmer command. The space between
partitions can be written and read with the LOADFS and SAVEFS commands, and an attacker may write a
program that accesses memory directly to write into the space between the partitions.
Acquire Logs Information from BlackBerry
Source: ‘http://www.rh-law.com/
The first step in collecting evidence from a BlackBerry is to gather the logs. This departs from standard
forensic practice, which would image first, because taking the image resets the handheld and wipes the
logs from it. So before applying the SDK tools, review the logs on the original device, through the hidden
control screens rather than the standard user interface. The hidden controls for reviewing logs are
Mobitex2 Radio Status, Device Status, Battery Status, and Free Mem.
Logs are reviewed by unit control functions:
Mobitex2 Radio Status
Provides access to the following four logs:
1. Radio Status: Enumerate the state of radio functions
2. Roam & Radio: Records Base/Area (tower) and Roam (channel) information, with a duration of
up to 99 hours per Base/Area/Channel. This log wraps at 16 entries and will not survive a
reset. A blank entry represents a radio-off state
3. Transmit/Receive: Records TxRx, gateway MAN addresses, type and size of the data
transmitted, and both network and handheld date stamps per transmission
4. Profile String: This is a recorded negotiation with the last utilized radio tower
Radio Status:
BlackBerry: Func + Cap + R
Simulator: Ctrl + Shift + R
Figure 36-03: Radio Status
Device Status
This screen gives access to logs with detailed information about memory allocation, port status,
file system allocation, and the CPU WatchPuppy.
Select a line in the Device Status screen with the device's thumbwheel to see detailed information and
to access the logs.
BlackBerry: Func + Cap + B (or V)
Simulator: Ctrl + Shift + B (or V)
Figure 36-04: Device Status
Battery Status
Battery Status provides information on battery type, load, status, and even temperature.
Figure 36-05: Battery Status
Free Mem
This provides information on memory allocation, common port, file system, WatchPuppy, OTA
status, halt, and reset. This value can prove that the unit cleans up the file system when reset.
Figure 36-06: Free Mem
Comm Port
This indicates the port’s state. The security thread is not unique.
Figure 36-07: Comm Port
File System
This indicates the basic values for free space and handles. Handles are limited; the limits can be
found in the SDK guides.
Figure 36-08: File System
WatchPuppy
The CPU WatchPuppy logs an entry when an application uses the CPU past a predetermined
threshold. It kills processes that do not release the CPU.
Figure 36-09: WatchPuppy
Change to
You can find the Over the Air (OTA) calendar log in the Change To menu: the OTA logs the last
items synchronized via wireless calendaring on 32 lines and provides access to the debugging
information.
Figure 36-10: Change to
Halt & Reset
Reset causes the unit to re-read the file system and can trigger a file system cleanup. Items marked
as "deleted" are permanently erased during cleanup, and the memory is freed for future use. This
must be avoided for a successful forensic investigation.
Figure 36-11: Halt & Reset
Program Loader
Source: http://www.rh-law.com/
Program Loader is an imaging and analysis command line tool. Use the following commands with
Program Loader:
SAVEFS:
The SAVEFS command writes a hex dump of the RIM’s Flash RAM to FILESYS.DMP, in the same
directory as programmer.exe. The file will be exactly equal to the amount of Flash RAM available
in the device (i.e. 950 = 4 MB, 957 = 5 MB). View this file with any hex editor. See Appendix A for
more hex dump information.
Immediately rename and write protect the file. The next time the Program Loader is run with
SAVEFS it will overwrite FILESYS.DMP without warning. This is also a good opportunity to hash
the file to prove integrity later in the investigation.
DIR:
The DIR command lists applications residing on the handheld by memory location. This will be
useful later when attempting to emulate the original handheld on a PC. Take note of any non-
standard or missing applications.
Figure 36-12: List of DIR commands
VER:
The VER command lists applications residing on the handheld and corresponding version
numbers. This will be useful later when attempting to emulate the original handheld on a PC.
Take note of any non-standard or missing applications.
Figure 36-13: List of VER commands
MAP:
The MAP command displays detailed Flash and SRAM maps.
Figure 36-14: List of MAP commands
ALLOC:
The ALLOC command displays a “partition table” that lists the breakpoints between application
memory and file system memory. Take note of any unused sectors and of any gap between the end of
the files area and the start of the OS and application area. These two boundaries need not
coincide, and the space between them is an excellent example of where data hiding can occur on a
RIM device.
Figure 36-15: List of ALLOC commands
BATCH filename:
The BATCH command groups the previous commands into a single communication session with
the RIM device. This author’s testing has shown that all of the commands are compatible within
the same batch, with the exception of the SAVEFS or LOADFS options. These must be performed
separately, which is why the SAVEFS image should come before all of the others. The amount of
free space can possibly change during an initialization. Since a cleanup may erase previously
retrievable data, it makes sense to perform the image first.
Wpassword:
A switch placed on the BATCH command line, or on the first line of the batch file, when the device
requires a password.
Review of Information
Source: http://www.rh-law.com/
There are two options for reviewing the information in the hex dump:
1. Manual review of the hex file in a hex editor gives access to the file system, including deleted
records (indicated by byte 3 of the file header).
2. Loading the hex file into the BlackBerry SDK Simulator for review. The SDK can decode the dates
on expired records.
Hex Editor
Figure 36-16: Extract from file dump created using PROGRAMMER SAVEFS
Simulator
The Simulator operates in exactly the same manner as a handheld BlackBerry, with the added
convenience of PC keyboard input. You can load the hex dump file into the BlackBerry SDK Simulator
and review it without handling the original unit.
Procedure to simulate a BlackBerry:
1. Rename the FILESYS.DMP file according to the following build rules, concatenated in order:
“FS”
“HH” if an 857/957, or “Pgr” if an 850/950
“Mb” if Mobitex, or “Dt” if DataTac
“.DMP”
2. A Mobitex pager-style BlackBerry therefore has the load file “FSPgrMb.DMP.”
3. If you place the DMP file in the same directory as the Simulator and all ancillary Simulator
options are set to match, the file (do not mark it read-only) will be substituted for the default
blank file system at load time. When you exit the Simulator, the file is overwritten to match the
Simulator’s last state, so load a working copy rather than the hashed, write-protected original.
4. Set the Simulator’s Flash memory size to exactly match that of the DMP file. A file that is
smaller than the available Flash can still be used; FFh will be appended to the image file to make
it match the size set in the Simulator.
Figure 36-17: Screenshot for Simulator options
5. Set the Simulator to match the network and model of the investigated unit.
Figure 36-18: Screenshot for Simulator settings
6. Load the applications from those available in the SDK. In this stage, the DIR listing acquired in
the earlier evidence acquisition will become useful.
Figure 36-19: Screenshot for application loading
For example, in the following figure the default applications of a Mobitex BlackBerry are loaded.
The default applications are the same for all models; other applications are added according to
the model.
Figure 36-20: Screenshot of loaded Mobitex BlackBerry applications
7. Select “Control”, then “Start Simulation”, to run the Simulator.
Figure 36-21: Screenshot to run the Simulator
8. To connect the Simulator to a serial port on a PC, run the following command:
OSLoader.exe OsPgrMb.dll /s1
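Steps 1 and 4 of the procedure above, as an added example (not code from the module or from the BlackBerry SDK): `simulator_filename()` applies the “FS” + model tag + network tag + “.DMP” build rule, `pad_image()` extends a smaller image with FFh to the Flash size configured in the Simulator (and refuses to truncate a larger one, since that would discard evidence), and `stage_working_copy()` writes the result, deliberately left writable, into the Simulator directory. The Simulator directory, the 64-byte Flash size and the 16-byte image in `demo()` are constructed placeholders; a real 950 image is 4 MB.

```python
"""Prepare a preserved SAVEFS image for the BlackBerry SDK Simulator.

Added example; not code from the CHFI module or the BlackBerry SDK.
Implements step 1 (load-file name from the build rules) and the size rule of
step 4 (a smaller image is extended with FFh to the Simulator's Flash size).
"""
import os
import tempfile

# Build rules from step 1: "FS" + model tag + network tag + ".DMP".
MODEL_TAG = {"850": "Pgr", "950": "Pgr", "857": "HH", "957": "HH"}
NETWORK_TAG = {"mobitex": "Mb", "datatac": "Dt"}


def simulator_filename(model, network):
    """Return the load-file name the Simulator expects, e.g. FSPgrMb.DMP for a 950 on Mobitex."""
    if model not in MODEL_TAG:
        raise ValueError(f"unknown handheld model: {model}")
    net = network.lower()
    if net not in NETWORK_TAG:
        raise ValueError(f"unknown network: {network}")
    return f"FS{MODEL_TAG[model]}{NETWORK_TAG[net]}.DMP"


def pad_image(image, flash_size):
    """Extend the image with 0xFF up to flash_size; never truncate an image that is too large."""
    if len(image) > flash_size:
        raise ValueError(
            f"image is {len(image)} bytes but the Simulator Flash size is {flash_size}; "
            "raise the Simulator's Flash setting instead of truncating evidence"
        )
    # Erased flash reads 0xFF, which is why the Simulator pads with FFh as well.
    return image + b"\xff" * (flash_size - len(image))


def stage_working_copy(image, model, network, simulator_flash_size, simulator_dir):
    """Write the padded image under the build-rule name into the Simulator directory.

    The file is left writable on purpose: step 3 says the Simulator overwrites it
    on exit, so this must be a working copy, never the hashed original.
    """
    path = os.path.join(simulator_dir, simulator_filename(model, network))
    padded = pad_image(image, simulator_flash_size)
    with open(path, "wb") as fh:
        fh.write(padded)
    return {
        "path": path,
        "name": os.path.basename(path),
        "size": len(padded),
        "padding_added": len(padded) - len(image),
    }


def demo():
    """Stage a constructed 16-byte 'image' for a 950 on Mobitex into a temporary Simulator directory."""
    constructed_image = bytes(range(16))          # stand-in for a real SAVEFS dump
    sim_dir = tempfile.mkdtemp(prefix="bb_sim_")  # stand-in for the real Simulator directory
    return stage_working_copy(constructed_image, "950", "Mobitex", 64, sim_dir)


if __name__ == "__main__":
    print(demo())
```

Keep the `padding_added` value with the case notes: it documents that the bytes beyond the original dump length are filler the examiner introduced, not content recovered from the handheld.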
Best Practices for Protecting Stored Data
The following are some of the best practices for protecting the stored data:
Make password authentication mandatory through the customizable IT policies of the BlackBerry
enterprise server
Keep data encrypted end to end: there is no staging area between the server and the BlackBerry
device where the data is decrypted, which increases protection from unauthorized parties
Clean the BlackBerry device’s memory
Protect the stored messages on the messaging server
Encrypt the application password and storage on the BlackBerry device
Protect storage of the user’s data on a locked BlackBerry device
Limit the password authentication to 10 attempts
Use Advanced Encryption Standard (AES) technology to secure the storage of the password
keeper and the password entries on the BlackBerry device (e.g. banking passwords and PINs)
BlackBerry Signing Authority Tool
Source: http://www.BlackBerry.com/
The BlackBerry Signing Authority Tool enables developers to protect the data and intellectual property of
their applications. Developers can manage access to sensitive APIs and data using public and private
signature keys. Administrators can select and access specific APIs and data stores. The tool validates the
authenticity of a signature request using private/public key cryptography.
The administrator can configure the tool to either restrict internal developers or allow external developers
to request and receive signature access to specific APIs and data stores. Signature requests can be tracked
and accepted or rejected based on administrator control. The BlackBerry Signing Authority Tool supports
all versions of the BlackBerry Java Development Environment (JDE) and applications created for Java-
based BlackBerry devices.
Forensics Tool: RIM BlackBerry Physical Plug-in
Source: http://www.paraben-forensics.com/
The RIM BlackBerry device physical plug-in allows you to perform a physical acquisition from most types
of RIM BlackBerry devices.
The BlackBerry plug-in allows you to acquire the following data from the devices:
Address book
Auto text
Calendar
Categories
File system (from content store database)
Handheld agent
Hotlist
Memo
Messages
Phone call
Profiles
Quick contacts
Service book
SMS
Task
ABC Amber BlackBerry Converter
Source: http://www.processtext.com/
ABC Amber BlackBerry Converter is a very useful tool that converts emails, contacts, SMS messages, PIN
messages, autotext entries, calendar events, phone hotlist entries, memos, phone call logs, tasks, etc. from
IPD (BlackBerry backup) files to any format (PDF, HTML, CHM, RTF, HLP, TXT, DOC, MDB, XLS, CSV,
etc.) easily and quickly.
Reads IPD (BlackBerry backup) files and exports selected messages, contacts, SMS messages, PIN
messages, autotext entries, calendar events, memos, phone call logs, phone hotlist entries, and
tasks to a single file in any of these document formats: PDF (Adobe Acrobat need not be
installed), RTF (MS Word need not be installed), hypertext HTML, plain text, MS DOC, the popular
CHM format, the old HLP format, and many more (Access, Excel, DBF, etc.)
Generates a table of contents with bookmarks (in RTF, DOC, PDF and HTML) and hyperlinks in the
output file
Supports column sorting
Displays selected message (or contact)
Supports advanced PDF export options (document information, 40/128 bits PDF encryption, PDF
security options, page size, page orientation and page margins, resolution mode, compression
mode, viewer options)
Supports multiple CHM and HLP export options
Exports messages to TIFF and DCX (multipage)
Converts messages to EML in bulk. You can then drag those *.eml files and drop them into an MS
Outlook Express folder.
Website Creator for BlackBerry, Advanced CHM Maker
Converts BlackBerry items to LIT (MS Reader), RB (Rocket eBook), FB2 (FictionBook), and PDB
(Palm)
Extracts text of MMS messages
Exports browser URLs and browser bookmarks
Supports Extended MAPI
Converts contacts to VCF (vCard), emails to MSG (Outlook), calendar events to VCS (vCalendar)
Allows transferring emails to Novell GroupWise (since version 6.44)
Command line support, multiple language support, skin support and more
Figure 36-22: Screenshot of ABC Amber BlackBerry Converter
Pocket PC
Source: http://www.datadoctor.in/
Pocket PC is a Windows-based tool that extracts detailed information from Windows-based mobile
devices for use as evidence. The handheld PC forensic utility collects data from PDAs and
equivalent digital devices for forensic analysis and scientific investigation. The smartphone
investigator utility can capture detailed information from mobile phones, such as Windows registry
records, database records, mobile processor architecture, and other related information about the
cell phone device.
The Windows-powered cell phone examiner tool helps examine other relevant information on a cellular
phone, including SMS (sent or received messages), call history (call duration and call log), last
dialed and received numbers, and saved files and folders (music, pictures, images, text documents,
etc.). The Pocket PC data extraction application provides mobile phone information including the
model number with manufacturer name, SIM IMSI number, mobile IMEI number, battery status, and
signal quality.
The easy-to-use multimedia mobile phone forensic software is used in forensic investigation to
identify data theft.
The following are the features of the Pocket PC:
Extract all detailed information of Windows-based pocket PC or PDA mobile phone devices such
as OS registry records, database records, all saved files, and folder information
Examine the information about saved text messages, call history, mobile model number with
manufacturer name, IMEI number, sim IMSI number, battery status, and signal quality
Generate text reports of extracted cell phone information for further use
Support all major brands and companies of multimedia cell phone devices
Useful for scientific investigation and forensic use
User-friendly software utility that lay users can understand easily
Easy-to-use software with a systematic help menu for user assistance
Figure 36-23: Screenshot of Pocket PC
ABC Amber vCard Converter
Source: http://www.processtext.com/
ABC Amber vCard Converter is a useful tool that converts contacts from your VCF (vCard) files to many
document formats (PDF, MS Word, HTML, RTF, TXT and others).
The following are the features of the ABC Amber vCard Converter:
Reads VCF (vCard) files
Exports selected contacts to a single file in any of these document formats: PDF (Adobe Acrobat
need not be installed), RTF (MS Word need not be installed), hypertext HTML, plain text, MS DOC,
the popular CHM format, the old HLP format, and many more
Generates a table of contents with bookmarks and hyperlinks in the output file
Command line support
Supports column sorting in ascending and descending order
Supports multiple PDF export options (document information, 40/128 bits PDF encryption,
advanced PDF security options, page size, page orientation and page margins, resolution mode,
compression mode, viewer options)
Supports multiple CHM and HLP export options
Displays the selected contact, saves it to disk and prints it
Multiple language support
Exports contacts to TIFF and DCX (multipage)
Converts contacts to IPD (BlackBerry)
Converts contacts to MS Outlook directly
Figure 36-24: Screenshot of ABC Amber vCard Converter
BlackBerry Database Viewer Plus
Source: http://www.cellica.com/
Wireless Database Viewer Plus makes you more productive by letting you view and update database
contents on your BlackBerry. It can sync with Microsoft Access, Microsoft Excel, and any
ODBC-compliant database such as Oracle, SQL Server, etc.
The following are the features of the BlackBerry Database Viewer Plus:
Get any desktop data wirelessly on your BlackBerry device
Push only updated desktop data to the BlackBerry automatically
Apply SQL select queries, filters, sort the fields and push data according to it
Supported databases: MS Access, MS Excel, Oracle, SQL Server, FoxPro, dBase and any ODBC-
compliant database
Place a phone call to the numeric contents of the selected field, which are treated as a phone
number
Find and find again option to search a record
Easy navigation in both record and grid view using shortcut keys
Data is secured with 128-bit AES encryption
Supports Unicode-language databases such as Japanese, Chinese, Korean, Russian, etc.
Figure 36-25: Screenshot of BlackBerry Database Viewer Plus
Summary
BlackBerry is a personal wireless handheld device that supports email, mobile phone capabilities,
text messaging, web browsing, and other wireless information services
BlackBerry OS 4.6 is the new version of BlackBerry
It uses encryption to protect integrity, confidentiality, and authenticity of the data
BlackBerry Serial Protocol backs up, restores, and synchronizes the data between the BlackBerry
handheld unit and the desktop software
Make password authentication mandatory through the customizable IT policies of the BlackBerry
enterprise server
Blackjacking is the process of using the BlackBerry environment to circumvent perimeter
defenses and directly attack hosts on an enterprise network
"BlackBerry Attack Toolkit” contains the BBProxy, BBScan, and relevant MetaSploit patches to
exploit the vulnerability of any website
Imaging is the process of creating an exact copy of contents of a digital device to protect the
original one from changes
The radio in the “on” state allows data to be pushed onto the unit, overwriting the previous data,
which makes it difficult to retrieve the lost data
Program Loader is an imaging and analysis command line tool
Use AES technology to secure the storage of the password keeper and the password entries on the
BlackBerry device (e.g. banking passwords and PINs)
The RIM BlackBerry device physical plug-in allows you to perform a physical acquisition from
most types of RIM BlackBerry devices
Exercise:
1. How does a BlackBerry work?
2. Write a summary about the BlackBerry Serial Protocol.
3. Explain the different BlackBerry attacks.
4. List the different vulnerabilities in a BlackBerry.
5. Describe the process for BlackBerry forensics.
6. How do you acquire log information from a BlackBerry?
7. Give a brief description of BlackBerry wireless security.
8. List some of the BlackBerry forensic tools.
9. Why is radio control necessary to preserve evidence in a BlackBerry?
10. What are the best practices for protecting stored data?
Hands-On
1. Connect the BlackBerry to the forensic computer via a USB cable and examine the contents of the
BlackBerry device.
2. View contents such as hidden files, email content, phone call data, the security event log, and
system settings on the BlackBerry.
3. What is the version and make of the operating system running your BlackBerry?