File000149
Presentation Transcript

  • Module XXXVI – BlackBerry Forensics
  • EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
  • News: Police Join AG BlackBerry Investigation (Source: http://www.10tv.com/)
  • News: BlackBerry Wins Versus Windows Mobile For Google Apps Mail (Source: http://www.informationweek.com/)
  • Module Objective
    This module will familiarize you with:
    • BlackBerry
    • BlackBerry Operating System
    • How BlackBerry Works
    • BlackBerry Serial Protocol
    • Blackjacking Attack
    • BlackBerry Security
    • BlackBerry Forensics
    • Best Practices
    • Forensics Tools
  • Module Flow (diagram) covering:
    • BlackBerry Operating System
    • How BlackBerry Works
    • BlackBerry Serial Protocol
    • Blackjacking Attack
    • BlackBerry Security
    • BlackBerry Forensics
    • BlackBerry Forensics Tools
    • Best Practices
  • BlackBerry
    A BlackBerry is a personal wireless handheld device that supports e-mail, mobile phone capabilities, text messaging, web browsing, and other wireless information services.
    BlackBerries can be used:
    • To compose, send, and receive messages
    • As a phone
    • To access the wireless Internet
    • As a tethered modem
    • As an organizer
    • For sending SMS
    • For instant messaging
    • For corporate data access
    • As a paging service
  • BlackBerry Operating System
    BlackBerry OS 4.6 is the new version of the BlackBerry OS. Features of BlackBerry OS 4.6:
    • Supports web standards such as AJAX and CSS
    • Music Sync: a synchronization application for selecting and transferring music from a computer to a BlackBerry smartphone
    • Clock application: the evolution of the alarm application
    • Supports continuous spell checking
    • Numerous enhancements to existing BlackBerry smartphone applications
    • Eliminates the need to browse the address book when composing an SMS
    • Provides a method to add SMS recipients similar to the e-mail To: field
    • Built-in light-sensing technology automatically adjusts screen and keyboard brightness for indoors or outdoors
  • How BlackBerry Works (diagram)
    Diagram labels: BlackBerry Device (Proprietary); Third Party Message Center; Generic Internet; Desktop E-mail System (Microsoft Outlook, BlackBerry Desktop Redirector, SMTP/POP via Internet); RIM PDA; RIM Modem; BlackBerry Message Center (RIM's wireless protocol); BlackBerry Enterprise Server (Microsoft Exchange, Corporate message center, Mailbox Interface, Mailbox Synchronization); Generic Internet / Corporate Internet; ISP Message Center.
  • BlackBerry Serial Protocol
    The BlackBerry Serial Protocol is used to back up, restore, and synchronize data between the BlackBerry handheld unit and the desktop software. It comprises simple packets and single-byte return codes. All packets have the same basic structure.
  • BlackBerry Serial Protocol: Packet Structure
    Bytes     Description
    3         Packet header. Always D9 AE FB.
    1         Command type. Each command type has a unique value, which limits the set of commands available:
              40 = Normal command
              60 = Extended packet
              41 = ACK
              CF = Handshake challenge
              CE = Handshake reply
    1         Command.
              For "Command Type" 41
              For "Command Type" 40, the value 00 specifies initialization-related commands. Any other value represents a command listed in the Command Table.
              For "Command Type" 60, the only observed value has been 02.
    Variable  Command-dependent packet data
    1         Footer. Always BF EA 9D.
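A small parser for the packet layout in this table, added here as an example; it is not part of the EC-Council module or of any RIM software. Because the slide gives no length field, the parser assumes that the first footer sequence after the command byte ends a packet and that any bytes between packets are the protocol's single-byte return codes; the sample stream is constructed, not a real capture.

```python
from dataclasses import dataclass
from typing import List, Union

# Field constants taken from the slide's packet-structure table.
HEADER = bytes.fromhex("D9AEFB")   # 3-byte packet header, always D9 AE FB
FOOTER = bytes.fromhex("BFEA9D")   # footer, always BF EA 9D
COMMAND_TYPES = {
    0x40: "Normal command",
    0x60: "Extended packet",
    0x41: "ACK",
    0xCF: "Handshake challenge",
    0xCE: "Handshake reply",
}


@dataclass
class Packet:
    command_type: int
    command: int
    data: bytes

    def describe(self) -> str:
        """Label the packet using the slide's command-type and command rules."""
        kind = COMMAND_TYPES.get(self.command_type, "Unknown type 0x%02X" % self.command_type)
        if self.command_type == 0x40:
            detail = "initialization-related" if self.command == 0x00 else "command table entry 0x%02X" % self.command
        elif self.command_type == 0x60:
            detail = "observed value 02" if self.command == 0x02 else "unobserved value 0x%02X" % self.command
        else:
            detail = "command 0x%02X" % self.command
        return f"{kind} ({detail}), {len(self.data)} data byte(s)"


def parse_stream(stream: bytes) -> List[Union[Packet, int]]:
    """Split a captured byte stream into Packet objects and bare return codes.

    Assumption (the slide has no length field): a packet ends at the first footer
    after the command byte. A header without a complete packet raises ValueError.
    """
    out: List[Union[Packet, int]] = []
    pos = 0
    while pos < len(stream):
        if stream.startswith(HEADER, pos):
            body = pos + len(HEADER)          # offset of the command-type byte
            if body + 2 > len(stream):
                raise ValueError(f"truncated packet at offset {pos}")
            end = stream.find(FOOTER, body + 2)
            if end < 0:
                raise ValueError(f"missing footer for packet at offset {pos}")
            out.append(Packet(stream[body], stream[body + 1], stream[body + 2:end]))
            pos = end + len(FOOTER)
        else:
            out.append(stream[pos])           # single-byte return code between packets
            pos += 1
    return out


# Constructed sample (not a real capture): handshake challenge, 0x40/0x00 init command
# with two data bytes, one single-byte return code, then an ACK.
SAMPLE = (HEADER + bytes([0xCF, 0x00]) + FOOTER
          + HEADER + bytes([0x40, 0x00, 0x12, 0x34]) + FOOTER
          + b"\x01"
          + HEADER + bytes([0x41, 0x00]) + FOOTER)
```

Calling `parse_stream(SAMPLE)` yields three `Packet` objects and the integer return code `1`; `describe()` on each packet gives the type and command interpretation from the table.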
  • Blackjacking Attack
    Blackjacking is the process of using the BlackBerry environment to circumvent perimeter defenses and directly attack hosts on an enterprise's networks. The attacker installs BBProxy on the user's BlackBerry or sends it as an e-mail attachment to the targets. Once this tool is activated, it opens a covert channel between attackers and compromised hosts on improperly secured enterprise networks.
  • BlackBerry Attack Toolkit
    The "BlackBerry Attack Toolkit" contains BBProxy, BBScan, and relevant Metasploit patches to exploit the vulnerability of any website.
    • The BBProxy tool runs on BlackBerry devices and allows the device to be used as a proxy between the Internet and the internal network
    • BBScan is the BlackBerry port scanner
  • BlackBerry Attachment Service Vulnerability
    The BlackBerry Attachment Service in BlackBerry Enterprise Server uses the Graphics Device Interface (GDI) component to convert images to a viewable format on the BlackBerry smartphone. There exists a vulnerability in the GDI component of Windows while processing Windows Metafile (WMF) and Enhanced Metafile (EMF) images. This vulnerability causes the BlackBerry Attachment Service to allow a malicious user to run arbitrary code on the computer on which the BlackBerry Attachment Service is running. If a BlackBerry smartphone user is on a BlackBerry Enterprise Server with that BlackBerry Attachment Service running, and tries to use the BlackBerry smartphone to open and view a WMF or EMF image attachment in a received e-mail message sent by a user with malicious intent, the computer on which the BlackBerry Attachment Service is running could be compromised.
  • TeamOn Import Object ActiveX Control Vulnerability
    BlackBerry Internet Service works with T-Mobile My E-mail to provide BlackBerry users secure and direct access to any combination of registered enterprise, proprietary, Post Office Protocol 3 (POP3), or Internet Message Access Protocol 4 (IMAP4) e-mail accounts. The BlackBerry Internet Service and T-Mobile My E-mail websites use the TeamOn Import Object Microsoft ActiveX control, which is vulnerable to a buffer overflow. This buffer overflow occurs when a user uses Internet Explorer to view the BlackBerry Internet Service or T-Mobile My E-mail websites and tries to install and run the ActiveX control.
  • Denial of Service in BlackBerry Browser
    A malicious user can create a website with an HTML or WML web page which contains a long string value within a link. When a BlackBerry user accesses such a link using the BlackBerry Browser, a temporary denial of service may occur which stops the device from responding.
  • BlackBerry Security
    BlackBerry uses a strong encryption scheme to safeguard:
    • Integrity
    • Confidentiality
    • Authenticity of the data
    The BlackBerry Enterprise Solution offers two transport encryption options, Advanced Encryption Standard (AES) and Triple Data Encryption Standard (Triple DES), for all data transmitted between BlackBerry® Enterprise Server and BlackBerry smartphones.
  • BlackBerry Wireless Security
    • Transport encryption options: choose either Triple DES (Triple Data Encryption Standard) or AES (Advanced Encryption Standard) to encrypt messages and data
    • Content protection: enforce local encryption of all data (messages, address book entries, calendar entries, memos, and tasks) via IT policy
    • Password Keeper: securely stores password entries on the device (e.g. banking passwords, PINs, etc.) using AES encryption technology
    • Wireless encryption key regeneration: users regenerate encryption keys directly from their device
  • BlackBerry Security for Wireless Data (diagram)
  • BlackBerry Security for Wireless Data (cont'd) (diagram)
  • Prerequisites for BlackBerry Forensics
    Hardware Tools:
    • Faraday cage
    • RIM BlackBerry Physical Plug-in
    • StrongHold tent
    Software Tools:
    • Program Loader
    • Hex editor
    • Simulator
    • BlackBerry Signing Authority Tool
  • Steps for BlackBerry Forensics
    • Collect the evidence
    • Document the scene and preserve the evidence
    • Imaging and profiling
    • Acquire the information
    • Review the information
  • Collect the Evidence
    • Seize the BlackBerry and computer evidence at the scene
    • Seize the BlackBerry memory cards, such as SD and MMC
    • Collect non-electronic evidence such as written passwords, handwritten notes, and computer printouts
    • Prevent unauthorized persons from entering the scene and touching the evidence
  • Document the Scene and Preserve the Evidence
    • All devices connected to the BlackBerry must be documented
    • Take photographs of all evidence at the scene
    • Document the state of the device during seizure
    • Preserve all the documents in a secure location
    • Secure the BlackBerry device and other evidence while transporting and storing
    • Secure the devices from mechanical or electrical shock
    • Maintain the chain of custody of documents, photographs, and evidence
  • Radio Control
    There are two different ways to control the wireless signal of the device in order to preserve evidence:
    • Turn off the wireless signal through the main menu
    • If interaction with the device is not desired, put the device in a Faraday cage
    A Faraday cage prevents the device from receiving any wireless data.
  • Imaging and Profiling in BlackBerry
    Imaging is the process of creating an exact copy of the contents of a digital device in order to protect the original from changes. Use the SDK utility, which dumps the contents of the Flash RAM into a file. An investigator can extract the logs from the image or perform the investigation on the image. Use Program Loader for imaging and other inspection.
  • Acquire the Information
    Leave the RIM in an "off" state when:
    • Power is removed for an extended period of time or the unit is placed in data storage mode
    • The unit is turned back "on" from an "off" or true powered-down state
    Turn off the radio if the RIM is in the "on" state:
    • Take the RIM to a secured location to turn it "on", and immediately shut down the radio before examination
    Get the password if the RIM is password protected:
    • To get the password: the SHA-1 hash is stored on the RIM
    • A direct-to-hardware solution is taken if the password is not available
    • Do not attempt passwords, as the number of failed password attempts is limited; exceeding that limit may lead to wiping of the memory
  • Hidden Data in BlackBerry
    Data can be hidden on a RIM device in different ways, such as:
    • Hidden databases
    • Partition gaps
    • Obfuscated data
    Data can be hidden in the gap between the OS/Application and Files partitions. Use tools such as the RIM Walker database reader to read the hidden databases. This hidden data can also be viewed by using the SAVEFS Programmer command.
  • Acquire Logs Information from BlackBerry
    Log collection is the first step in the forensics investigation. Collect the logs available on the BlackBerry device; the logs are not accessible using the standard user interface. The following are some of the hidden control functions used to review the logs:
    Mobitex2 Radio Status
    • Provides information on Radio Status, Roam & Radio, Transmit or Receive, and Profile String
    • BlackBerry: Func + Cap + R
    • Simulator: Ctrl + Shift + R
  • Acquire Logs Information from BlackBerry (cont'd)
    Device Status
    • Provides information on memory allocation, port status, file system allocation, and CPU WatchPuppy
    • Select a line in the Device Status using the RIM's thumbwheel to see detailed information and to access logs
    • BlackBerry: Func + Cap + B (or V)
    • Simulator: Ctrl + Shift + B (or V)
  • Acquire Logs Information from BlackBerry (cont'd)
    Battery Status
    • Provides information on battery type, load, status, and temperature
  • Acquire Logs Information from BlackBerry (cont'd)
    Free Mem
    • Provides information on memory allocation, Common port, File system, WatchPuppy, OTA status, Halt, and Reset
  • Program Loader
    Program Loader is an imaging and analysis command-line tool. Use the following commands with Program Loader:
    • SAVEFS: writes a hex dump of the RIM's Flash RAM to FILESYS.DMP, in the same directory as programmer.exe
    • DIR: lists applications residing on the handheld by memory location
    • MAP: displays detailed Flash and SRAM maps
    • ALLOC: displays a "partition table"
    • Wpassword: switch on the BATCH command line or on the first line of the batch file if a password is required
  • Review of Information
    Information from the evidence is reviewed by:
    Hex editor:
    • The hex editor provides access to the entire file system, including deleted or "dirty" records indicated by byte 3 of the file header
    • Information is available regarding the bitwise file storage method used by the RIM OS
    Simulator:
    • Acquires or reads the data from the image file; load that dump file into the BlackBerry SDK Simulator
    • For this, rename the FILESYS.DMP file according to the following rules:
      • "FS"
      • "HH" if an 857/957, "Pgr" if an 850/950
      • "Mb" if Mobitex or "Dt" if DataTAC
      • ".DMP"
    • The Simulator must be set to match the Flash memory size to the size of the DMP file
  • Simulator: Screenshot
  • Best Practices for Protecting Stored Data
    • To secure information stored on BlackBerry devices, make password authentication mandatory through the customizable IT policies of the BlackBerry Enterprise Server
    • To increase protection from unauthorized parties, there is no staging area between the server and the BlackBerry device where data is decrypted
    • Clean the BlackBerry device memory
    • Protect stored messages on the messaging server
    • Encrypt application passwords and storage on the BlackBerry device
    • Protect storage of the user's data on a locked BlackBerry device
    • Limit password authentication to ten attempts
    • Use AES (Advanced Encryption Standard) technology to secure the storage of Password Keeper and password entries on the BlackBerry device (e.g. banking passwords and PINs)
  • BlackBerry Signing Authority Tool
    The BlackBerry Signing Authority Tool helps developers by protecting their data and intellectual property. It enables developers to control access to their sensitive APIs (Application Program Interfaces) and data by using public and private signature keys. It uses asymmetric private/public key cryptography to validate the authenticity of a signature request. It allows external developers to request, receive, and verify the signatures needed to access specified APIs and data in a secure environment.
  • Forensics Tool: RIM BlackBerry Physical Plug-in
    http://www.paraben-forensics.com/
    The RIM BlackBerry device physical plug-in performs physical acquisition of data from most types of RIM BlackBerry devices. It can acquire:
    • Address Book
    • Auto Text
    • Calendar
    • Categories
    • File System (from the Content Store database)
    • Handheld Agent
    • Hotlist
    • Memo
    • Messages
    • PhoneCall
    • Profiles
    • QuickContacts
    • Service Book
    • SMS
    • Task
  • ABC Amber BlackBerry Converter
    http://www.processtext.com/
    This tool is used to convert messages and contacts from IPD files into any document format.
  • Pocket PC
    http://www.datadoctor.in/
    Pocket PC is a Windows-based tool that can be used for filtering and searching BlackBerry files.
  • ABC Amber vCard Converter
    http://www.processtext.com/
    ABC Amber vCard Converter can be used to convert contacts from VCF (vCard) files to any document format.
  • BlackBerry Database Viewer Plus
    http://www.cellica.com/
    BlackBerry Database Viewer Plus is database software for the BlackBerry handheld. Features:
    • Supported databases: MS Access, MS Excel, Oracle, SQL Server, FoxPro, dBase, and any ODBC-compliant database
    • View and sync any database with the BlackBerry
    • Modify database contents on the BlackBerry and reflect them to the database
    • Apply filters and sort the fields
    • Apply any SQL SELECT query on the database to purify records
    • Easy navigation through the database in both Record and Grid view using shortcut keys
    • Create databases on the BlackBerry and import them on the desktop in .csv format
    • Import record or field data to the Memo pad
    • Manage databases in different categories
  • Summary
    • BlackBerry is a personal wireless handheld device that supports e-mail, mobile phone capabilities, text messaging, web browsing, and other wireless information services
    • BlackBerry safeguards integrity, confidentiality, and authenticity of data using a strong encryption scheme
    • The BlackBerry Serial Protocol is used to back up, restore, and synchronize data between the BlackBerry handheld unit and the desktop software
    • RIM's push technology adds a new dimension to the forensics investigation of a PDA
    • To secure information stored on BlackBerry devices, make password authentication mandatory through the customizable IT policies of the BlackBerry Enterprise Server