FORENSICS


To Get Round To The Heart Of Fortress

Cybercrime is becoming a growing threat to society. Thefts of information, crashing a website or manipulating online payment traffic are also increasing. Many organizations offer various services in the battle against digital crime, such as network or data monitors and extraction tools. These are of interest mainly to authorities and financial institutions, but they are accessible to every organization.

What you will learn…
• General forensic classification
• Classic and non-classic mobile forensics

What you should know…
• Basic knowledge about forensics




The current century is characterized by the application of digital technology that enhances traditional methodologies. The incorporation of computer systems into private, commercial, educational, governmental and other areas of life has improved the efficiency of these entities. On the other hand, computers as a criminal tool have enhanced criminals' own activity. In particular, the surge of technical adeptness in the general population, coupled with anonymity, seems to encourage crimes using computer systems, since there is a small chance of being prosecuted, let alone caught. These crimes are essentially classic crimes. To catch criminals involved in digital crime, investigators must employ consistent and well-defined forensic procedures wherever possible.

Those who write off the insider threat as a low risk ought to realize the seriousness of the problem. Threats of this kind range from the malicious employee, who has or must acquire the technical expertise to implant malware (a logic bomb, …) in a critical system, to the careless user. A malicious insider is an employee (current or former), contractor, or business partner who had, has, or is going to have authorized access to an organization's network, system, or data, and who uses it in a manner that negatively affects confidentiality, integrity, or availability. Employees also represent another significant insider threat vector through inadvertent actions. These inadvertent actions can occur because individuals have accumulated more privileges than they need for their current job functions or because individuals may simply be careless about the usage and distribution of sensitive data. The result is that organizations need to defend against the malicious insider as well as the careless user. The common security vulnerability that increases the risk of insider threats is inadequate auditing and analytics:

• Sheer volume of audit and log data impedes forensic investigation and detection. Logging all IT activity is an important first step in combating insider attacks, but today's highly distributed and complex IT environments generate massive volumes of logging data, and that sheer volume is very difficult to manage.
• Most current approaches to addressing insider threats are reactive, not predictive. This helps immensely in forensic investigations, but the problem is that the attack or theft has already occurred. Therefore, organizations should be looking for solutions that provide more analytic and predictive capabilities: solutions that, even if not able to prevent insider attacks, may still identify at-risk insiders and then implement more detailed logging on those individuals in response.
• Delicate balance of risk versus productivity. IT managers need to balance the risk of employees' need for additional access against the lost productivity that would result if access were not granted to certain users. Many organizations also



20                                                                                                         www.hakin9.org/en
lack the necessary reporting tools to examine an individual's expanding entitlements over time, which further compounds the problem. The result is that IT often struggles to answer the critical question, "Who has access to what?", confidently and accurately.

What is digital forensics?
Digital forensics suggests a high-tech process reserved only for cases centered on proprietary technology. Now that digital data is omnipresent, however, digital forensics has quickly become a legal necessity. Searching through digital evidence could recover a hidden document or deleted e-mail message, which may accelerate the exposure of a case or win it.

In the typical case, a hard-copy document is analyzed, and the lawyer can only engage in direct or cross-examination based on the information printed on the page. It is difficult to determine the document's authenticity, original author, etc. However, documents created in Microsoft Word or other leading word processing systems are likely to contain a surplus of information that is not displayed or printed. A forensic examiner's task is to discover this additional information, called metadata. Metadata is a description or definition of electronic data, or data about data. Metadata can include descriptive tags and information about who created the data or what changes have been made.

Internet logs may also provide valuable evidence. The main rule is that if information was displayed at some time on a computer screen, it can be recovered from that computer; for example, an account balance checked online. This is applicable to data of all types. The failure to analyze digital data is at best inexcusable and at worst ineffective assistance amounting to malpractice. With the vast majority of documents now created digitally, and with so many communications, there is now the luxury of easily validating a controversy, and the responsibility to do so. Data forensics was all but unknown just a few years ago. Nowadays, of course, it is considered a standard and routine practice in legal matters.

Several branches of digital forensics
Digital forensics is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term was originally used as a synonym for computer forensics; however, it has expanded to cover the investigation of all devices capable of storing digital data. As a result, it is now preferred either to use more specialised terms such as mobile device forensics or mobile phone forensics, or to use the term digital forensics to include all digital devices. Digital forensics includes several sub-branches relating to the investigation of various types of devices, media or artefacts.

Computer Forensics
Computer forensics relates to legal evidence found in computers and digital storage media, e.g. examining digital media by identifying, preserving, recovering, analyzing, and reporting. Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery. Computer forensic investigations usually follow the standard digital forensic process. Investigations are performed on static data/images rather than live systems.

There are several techniques pertaining to computer forensics:

• Cross-drive analysis correlates information found on multiple hard drives. This process can be used for identifying social networks and for performing anomaly detection.
• Live analysis examines the operating system using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when the logical hard drive volume must be imaged while the system is running (known as a live acquisition), before the computer is shut down.
• Recovering deleted files is a common technique used in computer forensics, since data can often be reconstructed from the physical disk sectors. It involves searching for the signatures of known file headers in order to reconstruct the files.
• Volatile data dumping is recovering any information stored in RAM, because after powering down it may be lost.

Mobile Device Forensics
Mobile device forensics relates to the recovery of digital evidence or data from a mobile device. The memory type, custom interface and proprietary nature of mobile devices require a different forensic process compared to computer forensics. Each device often has to have custom extraction techniques used on it. The forensic process for mobile devices broadly matches other branches of digital forensics; however, some particular concerns apply. One of the main ongoing considerations for analysts is preventing the device from making a network/cellular connection, because it may bring in new data, overwriting evidence. To prevent a connection, mobile devices will often be transported and examined from within a Faraday cage. Mobiles will often be recovered switched on to avoid a shutdown changing files. However, with more advanced smartphones using advanced memory management, connecting the device to a charger and putting it into a Faraday cage may not be good practice.
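The header-signature search described under Recovering deleted files above, as an added example that is not part of the original article: it scans a raw image for JPEG, PNG and PDF headers and carves each hit out to its footer, falling back to a size limit when the footer has been overwritten. The magic bytes are the real signatures; the disk image is constructed here.

```python
"""Header-signature file carving over a raw image (added example, not the
article's code). Scans a byte buffer for known file headers and cuts each
candidate out up to its footer (or a size limit), the way 'recovering
deleted files' from physical disk sectors works when the file system no
longer references the data. The image below is constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass

# Header/footer magic bytes for a few common formats. Footers may be absent
# (truncated or overwritten file), so a maximum carve size is the fallback.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 4096  # upper bound (bytes) when no footer is found


@dataclass
class Carved:
    kind: str
    offset: int
    data: bytes
    complete: bool  # True if the footer was found, False if cut at MAX_CARVE


def carve(image: bytes) -> list[Carved]:
    """Return every header hit with its carved payload, in offset order."""
    hits = []
    for kind, (head, foot) in SIGNATURES.items():
        start = image.find(head)
        while start != -1:
            end = image.find(foot, start + len(head))
            if end != -1 and end - start <= MAX_CARVE:
                payload, complete = image[start:end + len(foot)], True
            else:
                # Footer lost: the carved region is a guess and may swallow
                # unrelated sectors; the caller must treat it as truncated.
                payload, complete = image[start:start + MAX_CARVE], False
            hits.append(Carved(kind, start, payload, complete))
            # Step past this header, not past the payload, so a bad guess
            # above cannot hide a later header.
            start = image.find(head, start + len(head))
    return sorted(hits, key=lambda c: c.offset)


def build_sample_image() -> bytes:
    """Constructed 'disk image': zeroed sector padding, a small PNG, a JPEG
    whose tail was overwritten, and a PDF whose directory entry is gone."""
    sector = b"\x00" * 512
    png = (SIGNATURES["png"][0] + b"\x00\x00\x00\rIHDR" + b"A" * 13
           + b"\x00" * 4 + SIGNATURES["png"][1])
    jpeg_no_footer = SIGNATURES["jpg"][0] + b"\xe0JFIF" + b"B" * 40  # footer lost
    pdf = (SIGNATURES["pdf"][0] + b"1.4\n%comment\n1 0 obj<<>>endobj\n"
           + SIGNATURES["pdf"][1])
    return sector + png + sector + jpeg_no_footer + sector + pdf + sector


if __name__ == "__main__":
    for c in carve(build_sample_image()):
        state = "complete" if c.complete else "truncated"
        print(f"{c.kind} at offset {c.offset}: {len(c.data)} bytes ({state})")
```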



The mobile device would recognize the network disconnection and therefore change its status information, which can trigger the memory manager to write data. By the way, there are two flash memory types: NOR as internal and NAND as external (like SD cards). NAND memory can be examined with a PC forensic tool for the FAT file system.

There are several techniques pertaining to mobile forensics:

• Physical acquisition is a bit-by-bit copy of an entire physical store. It has the advantage of allowing deleted files and data remnants to be examined. Physical extraction acquires information from the device by direct access to the flash memories. Generally this is harder to achieve, because device vendors need to secure against arbitrary reading of memory so that a device may be locked to a certain operator.
• Logical acquisition is a bit-by-bit copy of logical storage objects (e.g., directories and files) that reside on a logical store (e.g., a file system partition). Logical acquisition has the advantage that system data structures are easier for a tool to extract and organize. It usually does not produce any deleted information, since that is normally removed from the file system of the phone. However, in some cases the phone may keep a database file in which information is not overwritten but simply marked as deleted and available for later overwriting.
• Manual acquisition utilizes the user interface to investigate the content of the memory. The device is used as normal and pictures are taken of the screen. The disadvantage is that only data visible to the operating system can be recovered and that all data are only available in the form of pictures.
• External memory acquisition is acquisition from devices such as SIM cards, SD cards, MMC cards, CF cards, and the Memory Stick. For external memory and USB flash drives it is possible to make a bit-level copy. Furthermore, USB drives and memory cards may have a write-lock switch that can be used to prevent data changes while making a copy (SD cards have it, but microSD cards don't).

Network Forensics
Network forensics relates to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information: traffic is transmitted and then lost, so network forensics is often somewhat proactive. This branch has two uses.

• Security: analysis involves monitoring a network for anomalous traffic and identifying intrusions. Network evidence matters here because, for example, an attacker might be able to erase all log files on a compromised host.
• Law Enforcement: analysis of captured network traffic can include tasks such as reassembling transferred files, searching for keywords and parsing human communication such as emails or chat sessions.

Network forensics is a comparatively new field of forensic science. The growing popularity of the Internet in homes means that computing has become social-centric. There are several types of traffic to capture.

• Ethernet – eavesdropping on bit streams with tools called sniffers. A sniffer collects all data on this layer and allows the data that has been transmitted over the network to be reconstructed.
• TCP/IP – at the network layer, the Internet Protocol (IP) is responsible for directing the packets generated by TCP through the network (e.g., the Internet) by adding source and destination information that is interpreted by routers all over the network. Cellular digital packet networks, like GPRS, use protocols similar to IP, so the IP forensic methods apply as well.
• Internet – the Internet can be a rich source of digital evidence including web browsing, email, newsgroup, synchronous chat and peer-to-peer traffic. For example, web server logs can be used to show when (or if) a suspect accessed information related to criminal activity. Email accounts can often contain useful evidence, but email headers are easily faked, so network forensics may be used to prove the exact origin of incriminating material. Network forensics can also be used to find out who is using a particular computer by extracting user account information from the network traffic.
• Wireless – the main goal of wireless forensics is to provide the methodology and tools required to collect and analyze (wireless) network traffic that can be presented as valid digital evidence in a court of law. The evidence collected can correspond to plain data or, with the broad usage of Voice-over-IP (VoIP) technologies, especially over wireless, can include voice conversations.

Database Forensics
Database forensics relates to the forensic study of databases and their related metadata, including the timestamps that apply to the update time of a row in a relational table, which are inspected and tested for validity in order to verify
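The difference between logical and physical acquisition drawn above, for the case of a phone database that only marks rows as deleted, as an added example that is not from the article: the record-file format, its status flag and the sample rows are constructed for illustration, not taken from any real handset.

```python
"""Logical vs. physical acquisition of a flag-deleted record store (added
example, not from the article). Models a phone database that does not
overwrite deleted rows but only marks them as deleted. A logical
acquisition walks the file's own structures and returns live rows only; a
physical acquisition scans every record slot and still recovers the rows
marked deleted, until the slot is actually reused. The file format here
is constructed for the example."""
from __future__ import annotations
import struct

RECORD_SIZE = 32              # fixed slot: 1 status + 2 length + 29 payload
ACTIVE, DELETED = 0x01, 0x00
HEADER = struct.Struct("<4sI")  # magic, live-record count


def pack_slot(status: int, payload: bytes) -> bytes:
    payload = payload[: RECORD_SIZE - 3]
    return (bytes([status]) + struct.pack("<H", len(payload))
            + payload.ljust(RECORD_SIZE - 3, b"\x00"))


def build_store(rows: list[bytes]) -> bytearray:
    buf = bytearray(HEADER.pack(b"RSDB", len(rows)))
    for row in rows:
        buf += pack_slot(ACTIVE, row)
    return buf


def mark_deleted(store: bytearray, index: int) -> None:
    """The phone's 'delete': flip the status byte and decrement the live count.
    The payload bytes stay in place."""
    off = HEADER.size + index * RECORD_SIZE
    store[off] = DELETED
    magic, live = HEADER.unpack_from(store, 0)
    HEADER.pack_into(store, 0, magic, live - 1)


def overwrite_slot(store: bytearray, index: int, new_payload: bytes) -> None:
    """Later reuse of a freed slot: after this, the old row is gone for good."""
    off = HEADER.size + index * RECORD_SIZE
    store[off:off + RECORD_SIZE] = pack_slot(ACTIVE, new_payload)
    magic, live = HEADER.unpack_from(store, 0)
    HEADER.pack_into(store, 0, magic, live + 1)


def logical_acquisition(store: bytes) -> list[bytes]:
    """What a tool gets through the file's own structures: live rows only,
    cross-checked against the header's live count."""
    _, live = HEADER.unpack_from(store, 0)
    rows = []
    off = HEADER.size
    while off + RECORD_SIZE <= len(store):
        status, length = store[off], struct.unpack_from("<H", store, off + 1)[0]
        if status == ACTIVE:
            rows.append(bytes(store[off + 3: off + 3 + length]))
        off += RECORD_SIZE
    assert len(rows) == live, "header count disagrees with live slots"
    return rows


def physical_acquisition(store: bytes) -> list[tuple[str, bytes]]:
    """Bit-for-bit view: every slot, including rows only marked as deleted."""
    out = []
    for off in range(HEADER.size, len(store) - RECORD_SIZE + 1, RECORD_SIZE):
        status, length = store[off], struct.unpack_from("<H", store, off + 1)[0]
        out.append(("active" if status == ACTIVE else "deleted",
                    bytes(store[off + 3: off + 3 + length])))
    return out


def demo() -> dict:
    # Constructed sample rows; phone numbers are reserved example numbers.
    store = build_store([b"sms:+15550100:meet at 9", b"sms:+15550101:ok",
                         b"note:dentist tue"])
    mark_deleted(store, 2)                             # user deletes the note
    logical, physical = logical_acquisition(store), physical_acquisition(store)
    overwrite_slot(store, 2, b"sms:+15550102:late")   # slot reused later on
    return {"logical": logical, "physical": physical,
            "after_reuse": physical_acquisition(store)}


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The deleted note is invisible to the logical view but present in the physical view until the slot is reused, which is why the text above warns that a logical copy alone may miss recoverable evidence.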





the actions of a database user. Alternatively, a forensic examination may focus on identifying transactions within a database system or application that indicate evidence of wrongdoing, such as fraud.

Mobile Forensic
Today a mobile device is a powerful device that can function as a cellular phone, web browser and personal organizer. These devices have reached such a level of power and functionality that they are in essence a mini-computer. Mobile device forensics is very similar in its procedures and methodologies to those used in any form of forensics. From time to time it may be easier than for a PC.

Did you know?
When you seize a mobile device you have to ensure you take the mobile device, docking cradle and external memory cards. This is probably one of the most difficult things to control and requires that you conduct a thorough search for any and all memory cards. With the size of memory cards today there is an extensive amount of evidence that you would be missing if you miss just one memory card.

Investigative Methods
There are four main steps when it comes to performing a forensic investigation of a mobile device. These four steps are identified as follows:

• Examination
• Identification
• Collection
• Documentation.

Step 0. Permission
As with any forensic examination, the main step is to have permission to seize the evidence that is required for your investigation.

Step 1. Examination
First, you need to understand the potential sources of the evidence. With a mobile device, these sources can be the device, the device cradle, power supply and any other peripherals or media that the examined device has met. In addition to these sources, you should also investigate any device that has synchronized with the mobile device you are examining.

Step 2. Identification
Second, start identifying the type of device being investigated. Once you have identified the device, you have to identify the operating system that the device is using. Note that it is possible for a device to be running two operating systems.

Step 3. Collection
During this step, you collect data and potential evidence from the device parts that are suspected. There is a multitude of these types of devices, so we will limit our discussion to just a few, such as NOR-flash or NAND-flash. You have to collect all the types of information, consisting of both volatile and dynamic information. The reason is that anything classified as volatile information will not survive if the device is powered off or reset. Therefore, the mobile device should be placed into an evidence bag and maintained on a stable power supply throughout.

Did you know?
Device Switched On
If the device is in the on state, act immediately to get power to the mobile device so that it will not lose the volatile information. Then you need to take the device to a secure location like a Faraday cage, or turn off the radio, before beginning the examination.

Device Switched Off
If the device is in the off state, you need to take the device to the shielded location before attempting to switch it on, or place the device in a room that can block the signal well enough to prevent the data push.

Device in its Cradle
If the device is in its cradle, you have to remove any connection from the PC, despite the possibility that a sophisticated suspect might have a tripwire device which, once disconnected, could activate a script to erase potential evidence.

Password Protected
The thing that has to be known when it comes to password protection is the fact that the password itself is not stored on the device. The only thing stored on the device is a hash of the plain-text password. This storage is similar to the storage used by the majority of operating systems out there.

Wireless Connection
You must avoid any further communication activities, if possible. Eliminate any wireless activity by placing the device into a cage that can isolate it.

External Memory Card
You must not initiate any contact before taking components off. This includes any devices that support external media types of cards.

Step 4. Documentation
Records of extracted data must be documented with the case number and the date and time they were collected. Another part of the documentation process is to generate a report that consists of the detailed information describing the entire forensic process that you are performing. Within this report you need to annotate the state and status of the device in question
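One way to produce the documentation record for Step 4 (case number, collection time, device state as found) and to fix the acquired image with a hash so the copy can later be shown unchanged, as an added example that is not the article's own procedure: the case number, examiner and image bytes are placeholders constructed for the example.

```python
"""Acquisition record for the Documentation step (added example, not from
the article). Ties an acquired image to the case number, collection time
and device state noted during collection, and fixes the image contents
with a SHA-256 so a later examination can prove the copy is unchanged.
The case values and image bytes below are constructed placeholders."""
from __future__ import annotations
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_record(case_number: str, image: bytes, *, device: str, state: dict,
                examiner: str, collected_at: datetime | None = None) -> dict:
    """Build the documentation entry for one acquired item."""
    when = collected_at or datetime.now(timezone.utc)
    return {
        "case_number": case_number,
        "collected_at": when.isoformat(timespec="seconds"),
        "examiner": examiner,
        "device": device,
        # state/status of the device as found: power, radio, cradle, lock...
        "device_state": state,
        "image_size": len(image),
        "image_sha256": sha256_hex(image),
    }


def verify_record(record: dict, image: bytes) -> list[str]:
    """Return discrepancies; an empty list means the image matches the record."""
    problems = []
    if len(image) != record["image_size"]:
        problems.append(f"size {len(image)} != recorded {record['image_size']}")
    if sha256_hex(image) != record["image_sha256"]:
        problems.append("sha256 mismatch: image altered since collection")
    return problems


def demo() -> tuple[dict, list[str], list[str]]:
    # Constructed stand-in for a flash dump; not a real device image.
    image = b"\x00" * 1024 + b"constructed NAND dump" + b"\xff" * 1024
    record = make_record(
        "CASE-0000-EXAMPLE", image,                  # placeholder case number
        device="handheld, NAND flash (constructed)",
        state={"power": "on", "radio": "off (Faraday bag)",
               "cradle": False, "locked": True},
        examiner="examiner-placeholder",
        collected_at=datetime(2012, 1, 1, 12, 0, tzinfo=timezone.utc),
    )
    ok = verify_record(record, image)
    # One byte changed, same size: only the hash check catches it.
    tampered = verify_record(record, image[:-1] + b"\x00")
    return record, ok, tampered


if __name__ == "__main__":
    rec, ok, tampered = demo()
    print(json.dumps(rec, indent=2))
    print("verify original:", ok or "match")
    print("verify altered:", tampered)
```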



during your collection process. The final step of the collection process consists of accumulating all of the information and storing it in a secure and safe location.

Forensic Investigation of the BlackBerry
A BlackBerry is a handheld mobile device engineered for email. All models now come with a built-in mobile phone, making the BlackBerry an obvious choice for users who need to access their email from somewhere besides the comfort of a desk chair. The device is equipped with the RIM software implementation of proprietary wireless-oriented protocols. The BlackBerry device is always on and participating in some form of wireless push technology. Because of this, the BlackBerry does not require some form of desktop synchronization like other mobile devices do. BlackBerry OS has numerous capabilities and features like over-the-air activation, the ability to synchronize contacts and appointments with Microsoft Outlook, a password keeper program to store sensitive information and the ability to customize your BlackBerry display data.

The BlackBerry device has an integrated wireless modem that allows it to communicate over the air with the RIM Network. The BlackBerry uses the BlackBerry Serial Protocol to back up, restore and synchronize data between the handheld and the desktop. In addition, the device uses strong encryption that safeguards the confidentiality and authenticity of data, keeping data encrypted while in transit between the enterprise server and the device itself.

Warning for BlackBerry Push-Technology
Since the BlackBerry is always on, with push messaging, device information can be pushed to it at any time. Note that pushed information has the ability to overwrite any data that was previously deleted. The first step in preserving the information is to eliminate the ability of the device to receive this data push. If possible, turn the radio off, or, as a better solution, take the device to an area where the signal cannot be received. The BlackBerry device is not really off unless power is removed for an extended period. If the BlackBerry is powered back on, then any items that were in the queue waiting to be pushed to the device could possibly be pushed before you could stop them.

Warning for BlackBerry Password Protection
BlackBerry devices come with password protection. The owner has the capability to protect all data on the phone with a password. He may also specify the number of attempts allowed for entering the password before all data is wiped from the device. If you exceed the password attempt limit (defaults to 10, but you can set it as low as 3), you will be prompted one last time to type the word BlackBerry. The device will then wipe. It will be reset to the factory out-of-the-box condition, and the password reset. You will lose everything in the device memory, with no possibility of recovery. It will not reformat the microSD card, because that's not part of the factory configuration. The phone will still be usable, and the operating system will be unchanged, so this technique cannot be used to roll back from an OS upgrade problem.

Password Extraction from BlackBerry
At first you can attack the BlackBerry by brute-forcing a BlackBerry backup file. You can access encrypted information stored in password-protected backups if the original password is known or is recovered with Elcomsoft Phone Password Breaker (http://www.elcomsoft.com/eppb.html). Elcomsoft Phone Password Breaker grants forensic access to protected information stored in BlackBerry devices by recovering the original plain-text password. The toolkit allows eligible customers to acquire bit-to-bit images of devices' file systems, extract phone secrets (passcodes, passwords, and encryption keys) and decrypt the file system dump. Access to most information is provided in real time. In addition to Elcomsoft Phone Password Breaker, the toolkit includes the ability to decrypt images of devices' file systems, as well as a free tool that can extract the encrypted file system out of the device in raw form. To unlock Apple backups even faster, the tool engages the company's patent-pending GPU acceleration technology.

Figure 1. Elcomsoft Phone Password Breaker





Three key features are:
• Decrypt encrypted BlackBerry backups
• Recover original plain-text passwords
• GPU acceleration

However, you may not have a BlackBerry backup file. The attack or theft has already occurred; therefore, you have to be more analytic, more predictive, as the previous warnings for the BlackBerry suggest. In this case, you have to install spyware to extract the password from the device.

All smartphones give their owners a free choice to lock the handheld with a password or grant unsecured access. The major concept is that using the most complex password is the main idea: you have to lock your devices! You have to use a more complex combination! It has to be random! Nevertheless, think for a moment. Can you quickly say how many symbols you have entered? "No" is the correct answer.

So, just imagine a malware product loaded into device memory that waits for you to unlock the handheld by typing your top-secret password. After input is half complete, the malware types just one random letter to make your unlocking action senseless. In addition, the BlackBerry says "Wrong password! Try once again." Next attempt. Once you have reached half the attempts and have typed the word blackberry, your password is open and can be stolen with a screenshot.

Let us examine a virtual keyboard. When you touch the screen to type a character, a big-scaled preview appears. When you do the same while typing a password into a masked text box, you can see that every character is masked by an asterisk or black circle only about 1-2 seconds afterwards. Password preview is only used when the keyboard is a SureType or multitap keyboard. The Bold keyboard is a full keyboard, so it will not duplicate that behavior.

Figure 3. Virtual Keyboard "bug"

There are two possible ways of stealing a password: during device unlocking or when you synchronize your device with a PC. During synchronization you are asked about the sync mode: whether to sync media, use it as a USB drive or only charge the device. Sure, we cannot guess what you choose, but we do not need to. Do you pay attention to the discrepancy or take it as a kind of program error (bug)? In any case, you are caught by a fake login. After typing the password you are notified about a wrong password (two times to get your right password and one more to inform you about, e.g., a null-pointer error or a hung process). Then you see the original logon screen.

Figure 2. Sync-extracted password
Figure 4. PC-sync extracted password – part I



Every device is going to synchronize with a PC at some point. The major target is the password field of the sync software's text box. Unfortunately, we cannot get a screen capture, but we are still able to use WinAPI functions to unmask the password box, steal the password's characters, and then mask the password box again. Repeat this several times and you will get the password. You can find more detail in my previous articles.

Figure 5. PC-sync extracted password – part II

Classic BlackBerry forensic
A typical forensic investigator performs the investigation by hand-reading mail and data files, checking for system activities through different log files, and verifying the consistency of the data through the time stamps associated with files on the file system. Protections such as firewalls often force the investigator to perform these tasks on-site.
  The difficulties of performing a local analysis can limit the investigation. First, forensic software must be running on the local machine, and may have to be installed. Second, running such software locally risks damaging or contaminating data. Third, if the machine has been compromised, the investigation may produce suspect results – or worse, may alert the attacker.

Gathering Logs and dumps
The main classic forensic procedure of evidence collection violates the forensic method by requiring the investigator to record the logs kept on the device and to dump it. The investigator can view some logs on the device by pressing hotkeys, or through several applications from the BlackBerry SDK Tools. Don't forget that the counter is always running, even when the radio is turned off, so be sure to record these values as soon as possible to avoid log overwrites.
  First, let's examine hotkeys.

QWERTY / SureType keyboard

•   From the Home screen hold the Alt key and then type lglg.
•   Display the debug information by completing the following steps:
    •   Press the Menu key and click Options.
    •   Click the Min log level drop-down list and select Debug Info.
    •   Press the Menu key and then click Save.

BlackBerry Storm 9500 in portrait view

•   From the Home screen go to Options, then to Screen/Keyboard.
•   In the Screen/Keyboard options menu, set the Portrait View Keyboard option to SureType and then Save the settings.
•   From the Home screen of the BlackBerry smartphone, press the convenience key to display the keyboard in portrait view.
•   Hold the number key to lock the number keyboard. The 123 icon appears at the top right of the screen, and a small lock appears on the number key.
•   Press the ,5,5 keys.
•   Display the debug information by completing the following steps:
    •   Press the Menu key and click Options.
    •   Click the Min log level drop-down list and select Debug Info.
    •   Press the Menu key and then click Save.

BlackBerry Storm 9550 in portrait view

•   From the Home screen of the BlackBerry smartphone, press the convenience key to display the keyboard in portrait view.
•   Press the ,5,5 keys.
•   Display the debug information by completing the following steps:
    •   Press the Menu key and click Options.
    •   Click the Min log level drop-down list and select Debug Info.
    •   Press the Menu key and then click Save.

BlackBerry Storm 9500 in landscape view

•   From the Home screen press the Menu key and click Show Keyboard.
•   Hold the number key to lock the number keyboard. The 123 icon appears at the top right of the screen, and a small lock appears on the number key.
•   Press the "/"/ keys.





•   Display the debug information by completing the following steps:
    •   Press the Menu key and click Options.
    •   Click the Min log level drop-down list and select Debug Info.
    •   Press the Menu key and then click Save.

Another way to collect the log information is using loader.exe from the BB SDK tools. It extracts a full copy of the BlackBerry event log to a text file stored on your drive. Let's see some useful commands of javaloader.

Java Loader Usage
Usage: JavaLoader [-p<pin>] [-d0|-d1] [-w<password>] [-q] <command> (Table 1).
  To extract the event log from the device:

•   Plug it into the PC via USB cable.
•   Open a command shell and type javaloader.exe -wPASSW eventlog log.txt

Table 1. Java loader usage
-p<pin>                           Specifies the handheld PIN (hex pin prefix '0x')
-w<password>                      Connects using the specified password
<command>                         is one of:
dir [-d] [-s] [-1]                Lists modules on the handheld
    -d                            Display dependency information
    -s                            Display siblings
    -1                            Single column output
deviceinfo                        Provides information on the handheld
save {<module> ... | -g <group>}  Retrieves modules from the handheld
    -g                            Retrieves all modules in a specified group
info [-d] [-s] [-v] <.cod file>   Provides information on the specified modules
    -d                            Display dependency information
    -s                            Display sibling information
    -v                            Display verbose module information
eventlog                          Retrieves the handheld event log
radio on|off                      Turns the handheld's radio on or off
siblinginfo <.cod file>           Provides sibling information on the specified modules
screenshot <.bmp file>            Retrieves the contents of the specified screen and saves it as a BMP file
logstacktraces                    Dumps the stack traces for all threads to the event log

The dump command gives us all .cod modules stored on the device, in the root subfolder dump.
  To get a dump of a BlackBerry device, let's use the Loader from BlackBerry Device Manager. It is located in C:\Program Files\Common Files\Research In Motion\AppLoader if your OS is 32-bit, or in C:\Program Files (x86)\Common Files\Research In Motion\AppLoader if your OS is 64-bit. Some useful commands are below.

Loader Usage
Usage: loader.exe /<command> (Table 2).
  Dump extraction works the same way as the log extraction above. Command syntax examples are below.

Loader.exe /eventlog "D:\BBSAK\eventlog-loader.txt"
Loader.exe /screenshot active "D:\BBSAK\active-loader.bmp"
Loader.exe /screenshot primary "D:\BBSAK\primary-loader.bmp"
Loader.exe /screenshot auxiliary "D:\BBSAK\auxiliary-loader.bmp"
Loader.exe /dir "D:\BBSAK\dir-loader.txt"
Loader.exe /deviceinfo "D:\BBSAK\deviceinfo-loader.txt"
Loader.exe /dump "D:\BBSAK\dump-loader.txt"

However, before that you will be asked to enter the device's password. Note that starting a dump requires a device reboot, which can overwrite some log information. Do not forget about the encryption feature, BlackBerry Storage Protection based on Password & ECC: if it is on, the dump result is obviously empty.

Table 2. Loader usage
command        is one of:
eventlog       output filename
screenshot     output filename
deviceinfo     output filename
dir            output filename
radio          on|off
dump           output filename
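Once the event log has been exported to a text file with javaloader eventlog or Loader.exe /eventlog, the examiner wants to know whether every line parsed, which time span the export covers (the log wraps, so a late export loses the early entries), and which applications wrote to it. The Python below is an added example, not code from the article or from the BlackBerry tools; its line shape follows the Event Log listing later in the article, and the sample lines are constructed.

```python
"""Parse the text event log exported with 'javaloader eventlog' or 'Loader.exe /eventlog'.

Added example, not code from the article or the BlackBerry tools. The line
shape follows the article's Event Log listing; SAMPLE_LOG below is constructed.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# guid / time / severity / type / app / data, tolerating optional spaces after colons.
LINE_RE = re.compile(
    r"guid:\s*(?P<guid>0x[0-9a-f]+)\s+"
    r"time:\s*(?P<time>[a-z]{3}\s+[a-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+"
    r"severity:\s*(?P<severity>\d+)\s+"
    r"type:\s*(?P<type>\d+)\s+"
    r"app:\s*(?P<app>\S+)\s+"
    r"data:\s*(?P<data>.*)$",
    re.IGNORECASE,
)


def parse_eventlog(text: str) -> Tuple[List[Dict], List[str]]:
    """Return (entries, rejected_lines); keeping the rejects shows whether the export is clean."""
    entries, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            rejected.append(line)
            continue
        # Device-local time with no zone marker; collapse padding such as "Jul  9".
        when = datetime.strptime(" ".join(m["time"].split()), "%a %b %d %H:%M:%S %Y")
        entries.append({
            "guid": m["guid"].lower(),
            "time": when,
            "severity": int(m["severity"]),
            "type": int(m["type"]),
            "app": m["app"],
            "data": m["data"].strip(),
        })
    return entries, rejected


def log_window(entries: List[Dict]) -> Optional[Tuple[datetime, datetime]]:
    """Earliest and latest timestamps: the export only covers this span."""
    if not entries:
        return None
    times = [e["time"] for e in entries]
    return min(times), max(times)


def events_per_app(entries: List[Dict]) -> Dict[str, int]:
    return dict(Counter(e["app"] for e in entries))


def filter_entries(entries: List[Dict], app: Optional[str] = None, min_severity: int = 0) -> List[Dict]:
    """Subset by application name and/or minimum severity."""
    return [e for e in entries
            if (app is None or e["app"] == app) and e["severity"] >= min_severity]


# Constructed sample in the shape of the article's listing (GUIDs and the third line are made up).
SAMPLE_LOG = """\
Guid: 0x1111111111111111 time: Sat Jul 30 21:57:05 2011 severity:0 type:2 app: GoogleTalk data: Auto
Guid: 0x2222222222222222 time: Sat Jul 30 21:57:05 2011 severity:0 type:2 app: WLM data: Auto
Guid: 0x3333333333333333 time: Sat Jul 30 22:03:41 2011 severity:1 type:1 app: net.rim.device data: constructed warning
this is a stray line that is not a log record
"""

if __name__ == "__main__":
    entries, rejected = parse_eventlog(SAMPLE_LOG)
    print(log_window(entries), events_per_app(entries), len(rejected), "rejected line(s)")
```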




Table 3. Directory information
Name                   Version     Size      Created
8  net_rim_m2g         6.0.0.570   293384    0 Sun May 01 03:16:11 2011
   Depends on: net_rim_cldc, net_rim_xml_org
11 net_rim_xml_org     6.0.0.570   44460     0 Sun May 01 03:15:59 2011
   Depends on: net_rim_cldc

Besides the Name, Version, Size, Created and Depends on fields, the following description fields are possible. Let us take the Facebook application as an example. The Event Log entries for Google Talk Messenger and Windows Live Messenger store the option Save password & Sign.

Device Information
Hardware Id:    0x5001807
PIN:            0x23436780
OS Version:     0x0
VM Version:     0x600023a
Radio ID:       0x0
Vendor ID:      609

FaceBook Additional Info
Friendly name: Facebook
Description: Facebook® for BlackBerry® smartphones makes it even easier to connect and share while you're on the go...
Version: 2.0.0.37
Vendor: Research In Motion Limited
Copyright: (null)

Event Log
Guid: 0x6659A3FDB89204F9 time: Sat Jul 30 21:57:05 2011 severity:0 type:2 app: GoogleTalk data: Auto
Guid: 0x80C11EC7B1720C9F time: Sat Jul 30 21:57:05 2011 severity:0 type:2 app: WLM data: Auto

BlackBerry Backup Format
The structure of the IPD file is as follows (Table 4). Each database name block is of the form shown in Table 5, and each database data block is of the form shown in Table 6.
  For a more advanced and in-depth look at the file format you may visit the BlackBerry site.

Table 4. General BB Backup format
Inter@ctive Pager Backup/Restore File
Line feed                        1 byte      value 0A
Version                          1 byte      value 02
Number of databases in file      2 bytes
Database name separator          1 byte      value 00
Database name block #1
Database name block #2
...
Database name block #n
Database data block #1
Database data block #2
...
Database data block #n

Table 5. DB name block format
Database name length     2 bytes. The length includes the terminating null
Database name            As long as the name length

Table 6. DB data block format
Database ID              2 bytes. Zero-based position in the list of database name blocks
Record length            4 bytes
Database version         1 byte
DatabaseRecordHandle     2 bytes
Record unique ID         4 bytes
Field length #1          2 bytes
Field type #1            1 byte
Field data #1            As long as the field length
...
Field length #n          2 bytes
Field type #n            1 byte
Field data #n            As long as the field length

Did you know?
The backup file does not save your email attachments. Moreover, email forensics on a BlackBerry comes up empty when the email message is TOO large: you only find a message about truncation. "TOO LARGE" is equal to 8Mb of data, or ~5Mb of data once encoded into Base64, per data file. If there is more than one attachment file, each takes ~3Mb. The newly announced versions of BES and BIS can support EXTRA large files of ~8Mb instead of ~5Mb per file. Everything else is the same.

Data Extracting through the BlackBerry Backup
First, you need to download and install BlackBerry Desktop Manager. Use the following link (https://www.BlackBerry.com/Downloads/entry.do?code=A8BAA56554F96369AB93E4F3BB068C22) to select and download the install file that fits your system or version. Once BB Desktop Manager is installed, connect the device to the PC. Then click the Back up button for a full backup of the device, or use the advanced section for specific data. In the options, you can find the destination folder where your .ipd file will be saved. Note that the ipd file can be encrypted with a password of not less than 4 characters. BlackBerry backups contain essential information stored in the device. User data such as email, SMS and MMS messages,






Web browsing history and cache, call logs, pictures
and photos, contacts, calendars, appointments, and
other organizer information are stored in BlackBerry
backups. Access to information stored in BlackBerry
backups can be essential for investigations, and is in
high demand by forensic customers.
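The IPD layout in Tables 4 to 6 above, worked through as an added example (not code from the article or from any of the tools it names): a Python parser that walks the header, the name blocks and the data blocks, plus a builder that constructs a small two-database image to run it against. The tables give no byte order, so the parser assumes a big-endian database count and little-endian name and record fields, and it takes the record length to cover everything after the length field; both are assumptions, held in the format constants, and the constructed sample uses the same ones.

```python
"""Parser for the BlackBerry IPD backup layout described in Tables 4 to 6.

Added example, not code from the article or from any tool it names. Byte order
is assumed (big-endian count, little-endian fields); adjust the format strings
if a real backup disagrees.
"""
import struct
from dataclasses import dataclass
from typing import List

IPD_MAGIC = b"Inter@ctive Pager Backup/Restore File"
COUNT_FMT = ">H"      # number of databases (assumed big-endian)
LEN_FMT = "<H"        # name length / field length (assumed little-endian)
REC_HDR_FMT = "<HI"   # database ID (2 bytes) + record length (4 bytes)
REC_ID_FMT = "<HI"    # DatabaseRecordHandle (2 bytes) + record unique ID (4 bytes)

@dataclass
class IpdField:
    ftype: int
    data: bytes

@dataclass
class IpdRecord:
    db_name: str
    db_version: int
    handle: int
    uid: int
    fields: List[IpdField]

def parse_ipd(blob: bytes) -> List[IpdRecord]:
    """Walk header, name blocks and data blocks; raise ValueError on malformed input."""
    try:
        return _parse(blob)
    except (struct.error, IndexError) as exc:   # short reads inside a block
        raise ValueError(f"malformed IPD: {exc}") from exc

def _parse(blob: bytes) -> List[IpdRecord]:
    if not blob.startswith(IPD_MAGIC):
        raise ValueError("not an IPD file: bad magic")
    pos = len(IPD_MAGIC)
    # Table 4: line feed 0x0A, version 0x02, database count, 0x00 separator.
    if blob[pos:pos + 2] != b"\x0a\x02":
        raise ValueError("unexpected line feed/version bytes")
    (ndb,) = struct.unpack_from(COUNT_FMT, blob, pos + 2)
    if blob[pos + 4] != 0x00:
        raise ValueError("missing database name separator")
    pos += 5
    # Table 5: 2-byte length (including the terminating NUL) followed by the name.
    names = []
    for _ in range(ndb):
        (nlen,) = struct.unpack_from(LEN_FMT, blob, pos)
        raw = blob[pos + 2:pos + 2 + nlen]
        pos += 2 + nlen
        if len(raw) != nlen or not raw.endswith(b"\x00"):
            raise ValueError("database name block truncated or not NUL-terminated")
        names.append(raw[:-1].decode("latin-1"))
    # Table 6: data blocks run to end of file. Record length is taken to cover
    # everything after the length field: version, handle, unique ID and fields.
    records = []
    while pos < len(blob):
        db_id, rec_len = struct.unpack_from(REC_HDR_FMT, blob, pos)
        pos += struct.calcsize(REC_HDR_FMT)
        if db_id >= ndb:
            raise ValueError(f"record refers to unknown database id {db_id}")
        end = pos + rec_len
        if end > len(blob):
            raise ValueError("truncated record")
        db_version = blob[pos]
        handle, uid = struct.unpack_from(REC_ID_FMT, blob, pos + 1)
        pos += 1 + struct.calcsize(REC_ID_FMT)
        fields = []
        while pos < end:
            (flen,) = struct.unpack_from(LEN_FMT, blob, pos)
            ftype = blob[pos + 2]
            pos += 3
            if pos + flen > end:
                raise ValueError("field runs past its record boundary")
            fields.append(IpdField(ftype, blob[pos:pos + flen]))
            pos += flen
        records.append(IpdRecord(names[db_id], db_version, handle, uid, fields))
    return records

def build_sample_ipd() -> bytes:
    """Constructed two-database image for testing; names, field types and values are made up."""
    def name_block(name: str) -> bytes:
        raw = name.encode("latin-1") + b"\x00"
        return struct.pack(LEN_FMT, len(raw)) + raw

    def record(db_id: int, version: int, handle: int, uid: int, fields) -> bytes:
        body = bytes([version]) + struct.pack(REC_ID_FMT, handle, uid)
        for ftype, data in fields:
            body += struct.pack(LEN_FMT, len(data)) + bytes([ftype]) + data
        return struct.pack(REC_HDR_FMT, db_id, len(body)) + body

    names = ["Address Book", "SMS Messages"]
    out = IPD_MAGIC + b"\x0a\x02" + struct.pack(COUNT_FMT, len(names)) + b"\x00"
    out += b"".join(name_block(n) for n in names)
    out += record(0, 0, 1, 0x1001, [(0x20, b"Alice Example"), (0x01, b"+1-555-0100")])
    out += record(1, 0, 2, 0x2002, [(0x04, b"constructed message body")])
    return out
```

To read a real backup, pass the file's bytes to parse_ipd and group the returned records by db_name; a ValueError on a genuine file most likely means the byte-order assumption above does not match it.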
  The IPD file can be read using several commercial utilities, including:

•   MagicBerry IPD Reader (http://menastep.com)
•   Amber BlackBerry Converter (http://www.processtext.com/abcBlackBerry.html)
•   Elcomsoft BlackBerry Backup Explorer (http://www.elcomsoft.com/ebbe.html)
•   Paraben Device Seizure (http://www.paraben.com/device-seizure.html)
•   UFED (http://www.cellebrite.com/forensic-products/forensic-products/ufed-physical-pro.html)

UFED is a physical analyzer software tool that can be used for intelligence gathering and investigative research. It extracts phone content, hex dumps, files, and extensive information from GPS devices that can be mapped on Google Maps. In addition, it extracts existing, hidden, and deleted phone data, including call history, text messages, contacts, images, phonebook entries and videos.
  So, what you'll be able to do with the MagicBerry IPD Parser:

•   Read ipd files
•   Split ipd files
•   Export SMS Messages, Phone Calls Log, Memos, Tasks, Calendar, and Address Book to CSV
•   Edit Service Books
•   Merge two ipd files

Elcomsoft Blackberry Backup Explorer allows forensic specialists to investigate the content of BlackBerry devices by extracting, analyzing, printing or exporting the content of a BlackBerry backup produced with BlackBerry Desktop Software. Elcomsoft Blackberry Backup Explorer supports BlackBerry backups made with the PC and Mac versions of BlackBerry Desktop Software. You can export information from BlackBerry backups into a variety of readable formats (PDF, HTML, DOC, RTF, ...). Blackberry Backup Explorer can also access encrypted information stored in password-protected backups if the original password is known or is recovered with Elcomsoft Phone Password Breaker. Elcomsoft Phone Password Breaker grants forensic access to protected information stored in BlackBerry devices by recovering the original plain-text password. In its feature set, Elcomsoft Blackberry Backup Explorer is essentially the same as Amber BlackBerry Converter.
  As an alternative to acquiring the BlackBerry through a BlackBerry IPD Reader, Paraben's Device Seizure is a simple and effective method to acquire the data. Device Seizure was designed from the ground up as a forensic-grade tool that has been upheld in countless court cases.

Figure 6. BlackBerry Backup Manager
Figure 7. Amber BlackBerry Converter
Figure 8. Elcomsoft Blackberry Backup Explorer



•   SMS History (Text Messages)
•   Deleted SMS (Text Messages)
•   Phonebook (both stored in the memory of the phone and on the SIM card)
•   Call History
    •   Received Calls
    •   Dialed Numbers
    •   Missed Calls
    •   Call Dates & Durations
•   Scheduler
•   Calendar
•   To-Do List
•   Filesystem (physical memory dumps)
    •   System Files
    •   Multimedia Files (Images, Videos, etc.)
    •   Java Files
    •   Deleted Data
•   GPS Waypoints, Tracks, Routes, etc.
•   RAM/ROM
•   PDA Databases
•   E-mail

Here is a brief general outline for examining data with Paraben Device Seizure.

•   Create a new case in Device Seizure with File | New.
•   Give the case a name and fill in any desired information about the case on the next two screens. The third screen is a summary of the data entered. If all data is correct, click Next and then Finish.
•   You are now ready to acquire the phone. Go to Tools | Data Acquisition.
•   You are prompted for the supported manufacturer. Select RIM BlackBerry.
•   Leave supported models at the default selection of autodetect.
•   Connection type should be set to USB.
•   For data type selection, select Logical Image (Databases).
•   Confirm your selections on the summary page and click Next to start the acquisition.

Figure 9. USB Connection
Figure 10. BB Manager is linked with BB Simulator
Figure 11. BB Simulator after sync

BlackBerry Simulation
The BlackBerry Simulator is built for simulating a backup copy of the physical device. This is helpful if the device is low on battery, needs to be turned off, or you do not want





to alter the data on the physical device. The following steps are suitable for each BlackBerry device model.

•   Select a simulator from the drop-down list on the BlackBerry website (http://us.blackberry.com/developers/resources/simulators.jsp) and download it. Then install it.
•   Select and download BlackBerry Device Manager. Then install it.
•   Run BlackBerry Device Manager and BlackBerry Simulator.
•   Select Simulate | USB Cable Connected.
•   Select File | Restore to simulate with the physical data evidence on the BlackBerry Simulator.

Also, you can mount an SD-card copy to the BlackBerry Simulator. Now you may turn off the BlackBerry wireless communication while keeping the power on, and then examine the evidence on the running device simulator.

Figure 12. SD mounting

Live (Spy) BlackBerry forensic
When a digital device is discovered on the crime scene, the investigator first looks whether the device is switched on or not. In the dead analysis method, if the discovered digital device is switched on, it will be switched off. Then the digital device will be packaged and labelled in a correct way and transported to the forensic lab for further analysis. At the lab, the forensic examiner acquires the potential evidence on the device by making a forensic copy of the data stored on the digital device under investigation. The tools used to make the forensic copy guarantee that no modifications are made to data stored on the digital device under investigation during the process of forensic acquisition. After this, the analysis to find incriminating or exculpatory evidence is performed on the forensic copy. That's known as Dead Analysis or Classic Forensic. Traditional forensics focuses on learning as much about a dead file system as possible. While a full analysis can be time consuming, doing one can reveal a lot about an incident. Often one of the most revealing things that can be done is a MAC time analysis, to reconstruct the events of an attack from the files accessed. While a skilled attacker can certainly manipulate this, few go to this depth. In general, this type of analysis is limited to criminal cases or to cases where the attacker's means of compromise was unknown and the goal is to determine how they got in.
  In some situations, it is not desirable to shut down and seize the digital device and perform the forensic analysis at the lab. For example, if there is an indication that an encryption mechanism is used on the digital device that was discovered, then the investigator should not shut down this digital device. Otherwise, after shutdown all the information (potential evidence) that was encrypted will be unintelligible. By performing Live Analysis, the investigators attempt to extract the encryption key from the running system. That's known as Live Analysis or Non-Classic Forensic. The goal of any live forensics task should be to extract and preserve the volatile data on a system while, to the extent possible, otherwise preserving the state of the system. Additionally, this is often the first step of an incident response scenario where a handler is simply trying to determine if an event has occurred. The benefit of using this approach is that you have a forensically sound data collection from which to proceed with a full forensic analysis if the initial analysis indicates one is required.

Live ToolKit
The first toolkit is made by Gamma Group and called Remote Monitoring & Infection Solutions (FinFisher – FinFly & FinSpy). The Remote Monitoring and Infection Solutions are used to access target systems. They give full access to stored information, the ability to take control of the target systems' functions, and even the capturing of encrypted data and communications. In combination with advanced remote infection methods, you have the capability to remotely infect and monitor all activity on target systems. It can extract SMS & MMS messages, email messages, BlackBerry Messages (PIN-to-PIN), call history, GPS location and cell location, address book, calendar events and URL history. By the way, it has several attacking features, such as attack via USB or Bluetooth, attack via SMS trojan activation, or through a browser download.
  The second toolkit, no less interesting than the previous one, is made by Italian professionals and called Remote Control System (RCS, http://hackingteam.it/index.php/remote-control-system). Briefly, it evades encryption by means of an agent directly installed



on the device to be monitored. Evidence collection on monitored devices is stealthy, and the transmission of collected data from the device to the RCS server is encrypted and untraceable. These toolkits collect all possible information, such as phone history, organizer & address book, SMS/MMS/email, location tracking, screenshots & camera snapshots, SIM info, and remote audio spying. Both of them are divided into two parts: client and GUI monitoring.

Potential Data as Evidence
Potential attack vectors can be various; however, the most popular of them are:

•   Address Book
•   Calendar Events
•   Call History
•   Browser history and bookmarks
•   Memos and Tasks
•   Screen-shots
•   Camera-shots
•   Videocamera-shots
•   Clipboard
•   Location tracking (cell, wifi, gps, bluetooth)
•   SMS/MMS/Emails
•   Pictures, Videos, Voice notes, and other files
•   IMs
•   Passwords

Let us examine some of them to find out the common sense. What is in an up-to-date BlackBerry Address Book? A lot of contact data, such as several mobile or home phone numbers, faxes, emails, BB PINs, work and home addresses, web pages or dates. Also we can add IM data (Gtalk, Y!, Windows Live, AIM, and the not very trustworthy up-to-date ICQ). That was all until social networking arrived. One more question: does your BlackBerry device have an auto on-off feature? OK, let us summarize. In our Address Book, we have much valuable information about friends; the social network gives an up-to-date avatar, a calendar (in addition to our own calendar, which at least records our sleeping time), GPS location points, and software names that provide several pieces of information. Due to the victim's calendar info and GPS info (from photo EXIF or Facebook likes), private data such as tracking info, habits, time marked as free, time when you're possibly sleeping, time when you're at home or at the company can come to light. For example, in Figure 2, my contact information appears. Though my personal data is obfuscated, a few of my email addresses, phone numbers, home address (this info – City and County – was gotten from Facebook, by the way), my birthday, BlackBerry PIN, and web sites come up. Now let us check my calendar events.

Friday, April 29th
Friend's birthday (by default it is marked at the 00:00 hour) is set at 00:00,
Daily alarm is set at 06:01,
WLB Europe 2011, Arena Moscow – 21:00 till 22:30 (9 till 10.30 p.m.). It was a Tarja Turunen concert.

Monday, May 16th
My free time is set 00:00-06:01. Indeed, it's the time when my device is sleeping (auto on/off feature) and me too... from time to time.
And the daily alarm is set at 06:01.

Figure 13. Up-to-date contact card





     Figure 14. Up-to-date calendar events

     In addition, if you combine call history with GPS records as two parts of the evidence, you give yourself many opportunities to draw a social graph of accomplices. Extracting all possible fields from the object called PIM is the goal when gathering more information about the attacked individual from their profile overall.

     The password tips mentioned on the net are undone by the tendency to make passwords ever more complex. Guess why. Do you have enough time to type a random string (20-40 characters in length)? How many web sites do you log in to? There are more than I can count. Facebook, Myspace, Linkedin, Twitter and any number of other social networking sites? Probably a dozen. Shopping sites? Yes, several. Emails, IMs, etc. Every site requires you to create a password, a strong password. Is it possible to memorize them all? Some people solve it with a digital wallet. Great! All you need to keep in mind is one super complex password; the other stored passwords are encrypted by default. For example, BlackBerry Wallet or Kaspersky Password Manager. Both are described as an indispensable tool for the active internet and shopping user. In addition, such a tool fully automates the process of entering passwords and other data into websites and saves the user the trouble of creating and remembering multiple passwords. It is still unsecured. Do not neglect spyware that is able to capture screens of your device. OK, forget about that kind of malware. Let us talk about a more useful way of using BlackBerry Wallet. You need to see a password in order to type it, or you need to copy it into the clipboard. Moreover, no software producer can protect it, because the data has to be put into a public text box. In other words, the end-point object is vulnerable. By the way, there is a getClipboard() method in the BlackBerry API to retrieve the system's clipboard object. Your data and password are open to it. Other methods of password stealing have already been discussed at the beginning of the article.

     Figure 15. Screen-shot of BlackBerry Wallet

     The next victim is messages (SMS, MMS, email; further on, email). Email is one of the most common ways people communicate. From internal meeting requests to distribution of documents and general conversation, one would be hard pressed to find an organization of any size that does not rely on email. Studies have shown that more email is generated every day than phone conversations and paper documents combined. Many users store their personal calendars and contacts and even synchronize their email clients with their mobile devices.

     A less interesting part of the evidence includes browser history, browser bookmarks, memos, tasks, etc. This kind of forensics makes sense in cases of violating company policy by visiting certain sites, for the time aspect (when the computer was connected to a site at the time when something happened), and for reconstructing a detailed history of a computer's use by examining a handful of files that



     contain a web browser's past operation. One more part of it is the Favorites folder, which contains the URLs of web sites saved by the user, probably because they are of interest to the user and are frequently visited; explicit storing of these links indicates intent.

     Figure 16. Potential Messages

     Figure 17. Potential WebBrowser Bookmarks

     Pictures, videos, voice notes, and other files. Let's start from the last object, other files. What a digital document can tell you about the person who wrote it is often more important than what it says, if you read it. It may contain evidence equivalent to a smoking gun for your case, but do you know who created the document and when it was written? Obtaining a digital document and hoping to enter it into the record at court is not enough. You must link the evidence to the document's creator, and that is where document forensics is critical in trial preparation. Although the electronic document cannot speak, what it can tell about who, what, when, where, why, and how is often much more credible than any testimony by a witness. Voice notes, videos and pictures show us in general what our victim is interested in. It may be a secret/internal presentation that he video-captured or audio-captured. This case is useful for us, because we do not need to intercept API events; all we need is to listen for the file events of creating and deleting files.

     Pictures are more revealing when they are camera snapshots, since those carry an EXIF header. Metadata is, quite simply, data about data. For example, a Microsoft Word document's metadata may contain the author's name and the dates the document was created/modified. Metadata may contain useful information for an investigator. Specifically, digital camera pictures may contain an Extended File Information (EXIF) header, which saves information about the camera that took the picture. The EXIF format was created by the Japan Electronic Industry Development Association and is referenced as the preferred image format for digital cameras in ISO 12234-1. Many digital camera manufacturers, such as Canon, Sony and Kodak, implement the use of EXIF headers. This header is stored in an application segment of a JPEG file, or as privately defined tags in a TIFF file. This means that the resulting JPEG or TIFF is still in a standard format readable by applications that are ignorant of EXIF information [3]. Below is a typical EXIF header (in human readable format): file name/size/date, camera make/model, date/time, resolution, etc.

     Although it is possible to retrieve EXIF headers by looking at each picture in a disk editor, a considerable amount of time is required to translate the hex codes into human readable format. You can use Adobe Photoshop, ACDSee or jhead (88K in size). Let us see it with ACDSee Software.

     BlackBerry EXIF-Picture information
     FileName                    Moskva-20110801-00007.jpg
     Camera
         Camera Make             Research In Motion
         Camera Model            BlackBerry 9800
         X-Resolution            72/1
         Y-Resolution            72/1
         Resolution              inches
         Software                Rim Exif Version1.00a
         DateTime                01.08.2011 0:38:43
         YCbCr                   Near
     Picture
         Exposure time           0s
         DateTime                01.08.2011 0:38:43
         Focus Dist              N/A
         Light source            N/A
         Flash used              No
         Brightness-color space  sRGB
         Width                   2592
         Height                  1944
     GPS
         GPS base-latitude       northern latitude
         GPS latitude            55, 52’ 6.18”
         GPS base-longitude      east longitude
         GPS longitude           37, 36’ 55.8”
         GPS orthometric height  0m
     Misc
         EXIF version            2.2
         GPS version             (32,32,30,30)

     The last of them is IM chat. Instant messaging is a well-established means of fast and effective communication. Once used primarily by home users for personal communications, IM solutions are now being deployed by organizations to provide convenient internal communication. This often includes the exchange and discussion of proprietary and sensitive information, thus introducing privacy concerns. Although IM is used in many legitimate activities for conversations and message exchange, it can also be misused by various means. For example, an attacker may masquerade as another user by hijacking the connection, performing a man-in-the-middle attack, or by obtaining physical access to a user's computer. Analysis of IM in terms of computer forensics and intrusion detection has gone largely unexplored until now. All humans have unique patterns of behavior, much like the uniqueness of biometric data. Therefore, certain characteristics pertaining to language, composition, and writing, such as particular syntactic and structural layout traits, patterns of vocabulary usage, unusual language usage, and stylistic traits, should remain relatively constant. The identification and learning of these characteristics with a sufficiently high accuracy is the principal challenge in author identification.

     IM forensics has to answer the following questions:

     •   identify an author of an IM conversation based strictly on author behavior
     •   classify behavior characteristics

     Author behavior categorization uses a set of characteristics that remain relatively constant for a large number of IM messages written by an author. These characteristics, known as stylometric features, include syntactic and structural layout traits, patterns of vocabulary usage, unusual language usage, and stylistic features. Each author has various stylometric features that are sufficient to uniquely identify him or her. Stylometric features are often word-based, including word and character frequency distributions, word length, and sentence length. Literary analysts and computational linguists often use frequency lists. Various syntactic features are also included, such as the use of function words (short all-purpose words such as the and to), punctuation, greetings and farewells, and emoticons. Users also use abbreviations for common phrases such as LOL (laughing out loud) and ROTFL (rolling on the floor laughing), as well as shortened spellings of words such as ru (are you) and 4 (for). So, in this case, IM analysis gives the opportunity to identify a person who would otherwise stay anonymous to forensics.

     Figure 18. Potential BBM chat

     IM chat csv file format
     Date/Time            PIN Sender     PIN Receiver     Data
     YYYYMMDDHHMMSSMS     HEX VALUE      HEX VALUE        STRING

     Date/Time            ID Sender      ID Receiver      Data
     YYYYMMDDHHMMSSMS     STRING         STRING           STRING

     File paths that should be monitored:
     /Device/Home/User/                         if information is stored on internal memory
     /MediaCard/BlackBerry/                     if information is stored on external memory
     ../IM/AIM/USERNAME/history/                AIM history in csv format
     ../IM/BlackBerryMessenger/PIN/history/     BBM history in csv format
     ../IM/GoogleTalk/USERNAME/history/         GTalk history in csv format
     ../IM/Yahoo/USERNAME/history/              Yahoo Messenger history in csv format
     ../IM/WindowsLive/USERNAME/history/        Windows Live history in csv format
     ../pictures                                manually added pictures or screenshot data
     ../camera                                  photos captured with the camera
     ../videos                                  captured video
     ../voice notes                             captured voice notes

     BlackBerry Forensic Tips
     Summarizing all the information above, you should have several plans of action for BlackBerry forensics. I give some kinds of them below. Some of them are shared with other mobile devices.

     BlackBerry Device Forensics

     •   BlackBerry Device forensics is very similar to the forensics of any system
     •   The mobile investigating process is the same as for a PC
     •   The BlackBerry device is a push technology device that does not require synchronization with a PC

     Investigative Methods of BlackBerry Device Forensics

     •   Prior to investigating the BlackBerry Device we have to secure and acquire the evidence.
     •   There are four steps to investigating a BlackBerry Device:
         •   Examination
         •   Identification
         •   Collection
         •   Documentation

     BlackBerry Device Investigative Tips

     •   If the device is in the on state, you have to preserve the state by supplying adequate power.
     •   If the device is in the off state, leave it in that state; switch on the device, not the battery, and photograph the device.
     •   If the device is in the cradle, avoid any communication activities.
     •   If wireless is on, eliminate any activity by placing the device in an envelope, anti-static and isolation bag.

     On the 'Net
     •   http://na.BlackBerry.com/eng/devjournals/resources/journals/jan_2006/ipd_file_format.jsp – BlackBerry IPD File Format (.ipd)
     •   http://www.ca.com/us/home/lpg/forms/na/sre/12625_15012.aspx – Defending Against Insider Threats To Reduce Your IT Risk
     •   http://www.elcomsoft.com/eppb.html – Elcomsoft Phone Password Breaker
     •   http://menastep.com – MagicBerry IPD Reader
     •   http://www.processtext.com/abcBlackBerry.html – Amber BlackBerry Converter
     •   http://www.elcomsoft.com/ebbe.html – Elcomsoft BlackBerry Backup Explorer
     •   http://www.paraben.com/device-seizure.html – Paraben Mobile Device Seizure
     •   https://www.BlackBerry.com/Downloads/entry.do?code=A8BAA56554F96369AB93E4F3BB068C22 – BlackBerry Desktop Manager
     •   http://us.blackberry.com/developers/resources/simulators.jsp – BlackBerry Simulator
     •   http://www.cellebrite.com/forensic-products/forensic-products/ufed-physical-pro.html – Cellebrite for Mobile Forensics Universal Forensic Extraction Device

     Conclusion
     The RIM device shares the same evidentiary value as any other Personal Digital Assistant (mobile device). As the investigator may suspect of most file systems, a delete is by no means a total removal of data on the device. However, the RIM's always-on, wireless push technology adds a unique dimension to forensic examination. In fact, a RIM device does not need a cradle or desktop connection to be useful. The more time a mobile device spends with its owner, the greater the chance is that it will more accurately reflect and tell a story about that person. The BlackBerry is an always-on, push messaging device. Information can be pushed to the device through its radio antenna at any time, potentially overwriting previously "deleted" data. Without warning, applications such as the email client, instant messaging, wireless calendar, and any number of third party applications may receive information that makes the forensic investigator's attempts to obtain an unaltered file system much more difficult. In order to preserve the unit, turn the radio off. Make note that completely powering off the RIM will wipe data from the SRAM. Logs stored there, which may be of interest, will not survive a full power-down. If the RIM is password protected, get the password. The password itself is not stored on the unit; rather an SHA-1 hash of the password is stored and compared to a hash of what is entered. The examiner only has the opportunity to guess 10 times before a file system wipe occurs to protect the data. This wipe will destroy all non-OS files. No software exists to circumvent the password protection. A direct-to-hardware solution will be required if the password is not available. Thus, the RIM's currently unsurpassed portability is the examiner's greatest ally.
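The EXIF header shown in the BlackBerry 9800 table can be decoded without ACDSee or jhead; the following Python reader is an added example written for this page, not the author's or RIM's code. It first constructs a JPEG whose APP1 segment carries the same make, model, date and GPS values as that table (the TIFF layout, tag numbers and offsets are computed by the code itself and are not taken from the article), then walks the segment back into a dictionary, so the parsing logic can be checked offline without a real photo.

```python
import struct

IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}
GPS_IFD_TAG = 0x8825                        # IFD0 entry pointing at the GPS sub-IFD
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}  # BYTE, ASCII, SHORT, LONG, RATIONAL


def _ifd_bytes(entries, ifd_offset, endian="<"):
    """Serialise [(tag, type, count, payload)] as a TIFF IFD placed at ifd_offset.
    Payloads over 4 bytes go after the entry table, referenced by TIFF-relative offset."""
    table, data = struct.pack(endian + "H", len(entries)), b""
    data_start = ifd_offset + 2 + 12 * len(entries) + 4   # past the next-IFD link
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:
            value = payload.ljust(4, b"\0")                # short values sit inline
        else:
            value = struct.pack(endian + "I", data_start + len(data))
            data += payload
        table += struct.pack(endian + "HHI", tag, typ, count) + value
    return table + struct.pack(endian + "I", 0) + data    # 0 = no further IFD


def _ascii(tag, text):
    raw = text.encode("ascii") + b"\0"                    # ASCII entries are NUL-terminated
    return (tag, 2, len(raw), raw)


def _dms(deg, minute, sec_num, sec_den):
    """Degrees, minutes, seconds as three RATIONALs, the EXIF GPS encoding."""
    return struct.pack("<IIIIII", deg, 1, minute, 1, sec_num, sec_den)


def build_sample_jpeg():
    """Constructed JPEG (markers only, no image data) whose EXIF mirrors the
    BlackBerry 9800 table: RIM make/model, 2011-08-01 timestamp, Moscow fix."""
    def ifd0(gps_offset):
        return _ifd_bytes([
            _ascii(0x010F, "Research In Motion"),
            _ascii(0x0110, "BlackBerry 9800"),
            _ascii(0x0131, "Rim Exif Version1.00a"),
            _ascii(0x0132, "2011:08:01 00:38:43"),
            (GPS_IFD_TAG, 4, 1, struct.pack("<I", gps_offset)),
        ], 8)                                   # IFD0 starts right after the header
    gps_offset = 8 + len(ifd0(0))               # GPS IFD follows IFD0 and its data
    gps_ifd = _ifd_bytes([
        (0x0001, 2, 2, b"N\0"), (0x0002, 5, 3, _dms(55, 52, 618, 100)),
        (0x0003, 2, 2, b"E\0"), (0x0004, 5, 3, _dms(37, 36, 558, 10)),
    ], gps_offset)
    tiff = b"II*\0" + struct.pack("<I", 8) + ifd0(gps_offset) + gps_ifd
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _read_ifd(tiff, offset, endian, names):
    """Decode one IFD into {name: value}, descending into the GPS sub-IFD."""
    out = {}
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    for i in range(count):
        pos = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, pos)
        size = TYPE_SIZE.get(typ, 1) * n
        # Values of 4 bytes or fewer are stored inline, larger ones via an offset
        start = pos + 8 if size <= 4 else struct.unpack_from(endian + "I", tiff, pos + 8)[0]
        raw = tiff[start:start + size]
        if tag == GPS_IFD_TAG:
            (gps_off,) = struct.unpack_from(endian + "I", raw)
            out.update(_read_ifd(tiff, gps_off, endian, GPS_TAGS))
        elif tag in names and typ == 2:                    # ASCII, NUL-terminated
            out[names[tag]] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        elif tag in names and typ == 5:                    # RATIONAL pairs
            parts = struct.unpack(endian + "II" * n, raw)
            out[names[tag]] = tuple(parts[j] / (parts[j + 1] or 1)
                                    for j in range(0, 2 * n, 2))
    return out


def read_exif(jpeg):
    """Walk the JPEG marker chain to the APP1 'Exif' segment and decode it."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG stream")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):              # EOI or start of scan: no EXIF ahead
            break
        (seg_len,) = struct.unpack_from(">H", jpeg, pos + 2)
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body[:6] == b"Exif\0\0":
            tiff = body[6:]
            endian = "<" if tiff[:2] == b"II" else ">"   # II = Intel, MM = Motorola
            (ifd0_offset,) = struct.unpack_from(endian + "I", tiff, 4)
            return _read_ifd(tiff, ifd0_offset, endian, IFD0_TAGS)
        pos += 2 + seg_len
    return {}


def gps_decimal(dms, ref):
    """(degrees, minutes, seconds) plus N/S/E/W reference -> signed degrees."""
    value = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -value if ref in ("S", "W") else value


if __name__ == "__main__":
    info = read_exif(build_sample_jpeg())
    for key, value in info.items():
        print(f"{key:16} {value}")
    print(gps_decimal(info["GPSLatitude"], info["GPSLatitudeRef"]),
          gps_decimal(info["GPSLongitude"], info["GPSLongitudeRef"]))
```

A real photo from the card can be fed to read_exif() in place of the constructed bytes; only IFD0 and the GPS sub-IFD are decoded, so the Exif sub-IFD (exposure, flash) would need its own tag table.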
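As an added example (not code from the article), the following Python script ties together the IM chat csv layout, the monitored history paths and the stylometric author identification described above: it parses constructed BBM history rows, counts who messaged whom, profiles each PIN's writing style as rates, and attributes an unsigned message to the nearest profile. The file name pattern under history/ and the three-digit millisecond field in the timestamp are assumptions made for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed BBM history in the article's CSV layout: YYYYMMDDHHMMSS followed by
# milliseconds, two 8-hex-digit PINs, then the message text (which may hold commas).
BBM_HISTORY = """\
20110801003843123,2A1B3C4D,5E6F7A8B,lol ru coming 2nite? cu at 8
20110801003902450,5E6F7A8B,2A1B3C4D,Yes, I will be there at eight. See you then.
20110801004015007,2A1B3C4D,5E6F7A8B,k gr8 :) bring the slides 4 me
20110801004101300,5E6F7A8B,2A1B3C4D,Of course. The presentation is on the card.
20110801004230999,2A1B3C4D,5E6F7A8B,rotfl ok thx
"""

# Storage roots, IM folders and history/ layout from the article's path list; the
# file name pattern inside history/ is an assumption made for this example.
HISTORY_PATH = re.compile(
    r"^(?P<root>/Device/Home/User|/MediaCard/BlackBerry)/IM/"
    r"(?P<app>AIM|BlackBerryMessenger|GoogleTalk|Yahoo|WindowsLive)/"
    r"(?P<account>[^/]+)/history/(?P<file>[^/]+)$")
PIN = re.compile(r"^[0-9A-Fa-f]{8}$")
WORD = re.compile(r"[A-Za-z0-9']+")
EMOTICON = re.compile(r"[:;]-?[()DPp]")
FUNCTION_WORDS = {"the", "to", "a", "of", "and", "is", "i", "you", "at", "on"}
ABBREVIATIONS = {"lol", "rotfl", "ru", "4", "2", "k", "thx", "cu", "gr8", "2nite"}


def classify_history_path(path):
    """Map a monitored path to storage location, IM application and account."""
    m = HISTORY_PATH.match(path)
    if not m:
        return None
    info = m.groupdict()
    info["storage"] = "internal" if info["root"].startswith("/Device") else "external"
    return info


def parse_history(text, pin_based=True):
    """Rows of the BBM (PIN) or other-IM (string ID) CSV as dicts.
    Malformed rows are reported by line number rather than silently dropped."""
    rows, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(",", 3)                 # Data may itself contain commas
        if len(parts) != 4 or len(parts[0]) < 14 or not parts[0].isdigit():
            bad.append(lineno)
            continue
        stamp, sender, receiver, data = parts
        if pin_based and not (PIN.match(sender) and PIN.match(receiver)):
            bad.append(lineno)
            continue
        millis = int(stamp[14:].ljust(3, "0")[:3])
        when = datetime.strptime(stamp[:14], "%Y%m%d%H%M%S")
        rows.append({"time": when.replace(microsecond=millis * 1000),
                     "sender": sender.upper(), "receiver": receiver.upper(),
                     "text": data})
    return rows, bad


def contact_graph(rows):
    """Message counts per (sender, receiver) pair: the raw edges of the
    social graph the article wants to draw from PIM and call data."""
    return Counter((r["sender"], r["receiver"]) for r in rows)


def style_features(messages):
    """Stylometric features, all expressed as rates in [0, 1] so that no
    single feature dominates the distance used for attribution."""
    words = [w.lower() for m in messages for w in WORD.findall(m)]
    chars = sum(len(m) for m in messages) or 1
    n = len(words) or 1
    return {
        "function_words": sum(w in FUNCTION_WORDS for w in words) / n,
        "abbreviations": sum(w in ABBREVIATIONS for w in words) / n,
        "long_words": sum(len(w) >= 6 for w in words) / n,
        "emoticons": sum(len(EMOTICON.findall(m)) for m in messages) / n,
        "punctuation": sum(m.count(c) for m in messages for c in ".,;!?") / chars,
        "uppercase": sum(c.isupper() for m in messages for c in m) / chars,
    }


def build_profiles(rows):
    """One feature vector per sending PIN."""
    texts = {}
    for r in rows:
        texts.setdefault(r["sender"], []).append(r["text"])
    return {pin: style_features(msgs) for pin, msgs in texts.items()}


def attribute(message, profiles):
    """Nearest-profile attribution: returns (pin, euclidean distance)."""
    f = style_features([message])

    def distance(p):
        return sum((f[k] - p[k]) ** 2 for k in f) ** 0.5
    best = min(profiles, key=lambda pin: distance(profiles[pin]))
    return best, distance(profiles[best])


if __name__ == "__main__":
    rows, bad = parse_history(BBM_HISTORY)
    profiles = build_profiles(rows)
    print(contact_graph(rows))
    print(attribute("ru there? lol", profiles))
```

With only a handful of messages per PIN the profiles are coarse; in practice you would train on a whole history folder and report the distance alongside the pick so that weak attributions are visible.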




YURY CHEMERKIN
Graduated from the Russian State University for the Humanities
(http://rggu.com/) in 2010. At present a postgraduate at RSUH.
Information Security Analyst since 2009 and currently works
as a mobile info security researcher in Moscow.
I have scientific and applied interests in the sphere of
forensics, cyber security, AR, perceptive reality, semantic
networks, mobile security and cloud computing. I'm
researching BlackBerry Infrastructure and the effects of the
trust bot-net & forensic techniques on the human privacy.
E-mail: yury.chemerkin@gmail.com (yury.chemerkin@facebook.com)
Facebook: www.facebook.com/yury.chemerkin
LinkedIn: http://ru.linkedin.com/pub/yury-chemerkin/2a/434/549




 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

To get round to the heart of fortress

  • 1.
  • 2. FORENSICS To Get Round To The Heart Of Fortress Cybercrime is becoming a growing threat to society. The thefts of information, crashing a website or manipulating online payment traffic are also increasing. Many organizations offer various services in the battle against digital crime, such as network or data monitors and extractions tools. It is interesting mainly to authorities and financial institutions, but they are accessible to every organization.. What you will learn… What you should know… • General forensic classi�cation • Basic knowledge about forensic • Classic and non-classic mobile forensic T he current century describes like the individuals may just be careless about usage and application of digital technology that enhances distribution of sensitive data. The result is that traditional methodologies. The incorporation of organizations need to defend against the malicious computer systems private, commercial, educational, insider as well as the careless user. The common governmental, and other way life improved the efficiency security vulnerabilities increase risk of insider threats of these entities. One other hand the computers as is inadequate auditing and analytics: a criminal tool has enhanced their own activity. In particular, the surge of technical adeptness by the • Sheer volume of audit and log data impedes general population, coupled with anonymity, seems to forensics investigation and detection. Logging all encourage crimes using computer systems since there IT activity is an important first step in combating is a small chance of being prosecuted, let alone being insider attacks and today’s highly distributed caught. These crimes is rather classic crimes To catch and complex IT environments generate massive criminals involved with digital crime, investigators must volumes of logging data, but the sheer volume of employ consistent and well-defined forensic procedures data is very difficult to manage. if possible. 
• Most current approaches to addressing insider Writing off insider threat as a low cast risk ought threats are reactive, not predictive. This helps to realize sternness of the problem. Threat as this immensely in forensic investigations, but the kind ranges from the malicious employee (of he has problem is that the attack or theft has already and have to has the technical expertise to implant occurred. Therefore, organizations should be a malware (logic bomb,…) in the critical system. looking for solutions that can provide more analytic Malicious insider is a employee (current or former), and predictive capabilities that if not able to prevent contractor, or business partner who had / has / going to insider attacks, may still identify at-risk insiders and have authorized access to an organization’s network, then implement more detailed logging on those system, or data in a manner that negatively affected individuals in response. the confidentiality, integrity, or availability. Employees • Delicate balance of risk versus productivity. IT also represent another significant insider threat managers need to balance the risk of employees’ vector. These inadvertent actions can occur because need for additional access versus the lost individuals have accumulated more privileges than productivity that would result if access was not they need for their current job functions or because granted to certain users. Many organizations also 20 www.hakin9.org/en
  • 3. To Get Round To The Heart Of Fortress lack the necessary reporting tools to examine Computer Forensics an individual’s expanding entitlements over time Computer forensics is relating to legal evidence found which further compounds the problem. The result in computers and digital storage media, .e.g. examine is that IT often struggles to answer the critical digital media with identifying, preserving, recovering, question, Who has access to what? confidently and analyzing, and reporting. Although, it is most often accurately. associated with the investigation of a wide variety of computer crime, computer forensics may also be What is digital forensic? used in civil proceedings. The discipline involves Digital forensics suggests a high-tech process reserved similar techniques and principles to data recovery. only for cases centered on proprietary technology. Now Computer forensic investigations usually follow the digital data is omnipresent, therefore digital forensics standard digital forensic process. Investigations are has quickly become a legal necessity. Searching performed on static data/images rather than live through digital evidence could recover a hidden systems. document or deleted e-mail message, which may There are several techniques is pertaining to accelerate exposure or win it. computer forensic: In the typical case, a hard copy document is analyzed, and the lawyer can only engage in direct or cross- • Cross-drive analysis correlates information found examination based on information printed on the page. on multiple hard drives. This process can be used It is difficult to determine the document’s authenticity, for identifying social networks and for performing original author, etc. However, documents created anomaly detection. 
in Microsoft Word or other leading word processing • Live analysis examines the operating system systems are likely to contain a surplus of information using custom forensics or existing sysadmin tools is not displayed or printed. A forensic examiner is shall to extract evidence. The practice is useful when to discover an additional information called metadata. dealing with the logical hard drive volume may be Metadata is a description or definition of electronic data, imaged (known as a live acquisition) before the or data about data. Metadata can include descriptive computer is shutdown. tags and information about create data or changes have • Recovering deleted files is a common technique been made. used in computer forensics in view of data allowing Internet logs also may provide valuable evidence. to be reconstructed from the physical disk sectors. The main rule is if information was displayed at some It involves searching for signatures of file headers time on a computer screen, it can be recovered from to reconstruct. it. For example, checking account balance online. It is • Volatile data dumping as recovering any information applicable to data of all types. The failure of analyzing stored in RAM because after powering down it may digital data is at best inexcusable, and at worst, be lost. ineffective assistance of malpractice. With the vast majority of documents that created, and with so many Mobile Device Forensics communications, now there is the luxury with easy Mobile device forensics is relating to recovery of digital validating a controversy and the responsibility of doing. evidence or data from a mobile device. The memory Data forensics was all but unknown just a few years type, custom interface and proprietary nature of mobile ago. Nowadays it considered a standard and routine devices require a different forensic process compared practice in legal matters, of course. to computer forensics. 
Each device often has to have custom extraction techniques used on it. The Several branches in digital forensic forensics process for mobile devices broadly matches It is a branch of forensic bringing about the recovery and other branches of digital forensics; however, some investigation of material found in digital devices, often particular concerns apply. One of the main ongoing in relation to computer crime. This term was originally considerations for analysts is preventing the device used as a synonym for computer forensics however from making a network/cellular connection, because it has expanded in view of covering investigation of it may bring in new data, overwriting evidence. To all devices capable of storing digital data. As a result, prevent a connection mobile devices will often be now prefer either to use more specialised terms such transported and examined from within a Faraday as mobile device forensics or mobile phone forensics cage. Mobiles will often be recovered switched on or to use a term such as digital forensics to include all to avoid a shutdown changing files. However, with digital devices. Digital forensics includes several sub- more advanced smartphones using advanced memory branches relating to the investigation of various types of management, connecting it to a recharger and putting devices, media or artefacts. it into a faraday cage may not be good practice. www.hakin9.org/en 21
  • 4. FORENSICS The mobile device would recognize the network This branch has two uses. disconnection and therefore it would change its status information that can trigger the memory manager to • Security: analysis involves monitoring a network write data. By the way, there’s a two flash memory for anomalous traffic and identifying intrusions. For types: NOR as internal and NAND as external (like example, attacker might be able to erase all log sd-cards). NAND-memory can be examined with PC files on a compromised host. forensic tool for FAT file system. • Law Enforcement: analysis of captured network There are several techniques is pertaining to mobile traffic can include tasks such as reassembling forensic: transferred files, searching for keywords and parsing human communication such as emails or • Physical acquisition technique is a bit-by-bit copy chat sessions. of an entire physical store. It has the advantage of allowing deleted files and data remnants to be Network forensics is a comparatively new field of examined. Physical extraction acquires information forensic science. The growing popularity of the Internet from the device by direct access to the flash in homes means that computing has become social- memories. Generally this is harder to achieve centric. There’s a several type of traffic-catchers. because the device vendors needs to secure against arbitrary reading of memory so that a device may be • Ethernet – by eavesdropping bit streams with tools locked to a certain operator. called sniffers. It collects all data on this layer and • Logical acquisition technique is a bit-by-bit copy of allows the data that has been transmitted over the logical storage objects (e.g., directories and files) network can be reconstructed. that reside on a logical store (e.g., a file system • TCP/IP – the network layer the Internet Protocol (IP) partition). 
Logical acquisition has the advantage is responsible for directing the packets generated that system data structures are easier for a tool by TCP through the network (e.g., the Internet) to extract and organize. This usually does not by adding source and destination information that produce any deleted information, due to it normally interpreted by routers all over the network. Cellular being removed from the file system of the phone. digital packet networks, like GPRS, use similar However, in some cases the phone may keep protocols like IP, so the IP forensic methods as well. a database file of information which does not • Internet can be a rich source of digital evidence overwrite the information but simply marks it as including web browsing, email, newsgroup, deleted and available for later overwriting. synchronous chat and peer-to-peer traffic. For • Manual acquisition technique as kind of utilizing example web server logs can be used to show of the user interface to investigate the content when (or if) a suspect accessed information of the memory. Therefore the device is used as related to criminal activity. Email accounts can normal and pictures are taken from the screen. often contain useful evidence; but email headers The disadvantage is that only data visible to the are easily faked and, so, network forensics may operating system can be recovered and that all be used to prove the exact origin of incriminating data are only available in form of pictures. material. Network forensics can also be used in • External memory acquisition technique is acquisition order to find out who is using a particular computer from devices are SIM cards, SD cards, MMC cards, by extracting user account information from the CF cards, and the Memory Stick. For external network traffic. memory and the USB flash drive is possible to make • Wireless – the main goal of wireless forensics is the bit-level copy. 
Furthermore USB drives and to provide the methodology and tools required to memory cards have a write-lock switch that can be collect and analyze (wireless) network traffic that used to prevent data changes, while making a copy can be presented as valid digital evidence in a court (SD cards have it, but microSD don’t). of law. The evidence collected can correspond to plain data or, with the broad usage of Voice-over-IP Network Forensics (VoIP) technologies, especially over wireless, can Network forensics is relating to the monitoring and include voice conversations. analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion Database Forensics detection. Unlike other areas of digital forensics, Database Forensics is relating to the forensic study of network investigations deal with volatile and dynamic databases, their related metadata, to the timestamps that information. Network forensics is often smoewhat pro- apply to the mobile device time of a row in a relational table active in case of traffic is transmitted and then lost. being inspected and tested for validity in order to verify 22 www.hakin9.org/en
  • 5. To Get Round To The Heart Of Fortress the actions of a database user. Alternatively, a forensic Step 3. Collection examination may focus on identifying transactions within During this step, you collect data and potential evidence a database system or application that indicate evidence from the device parts are suspected. There is a of wrong doing, such as fraud. multitude of these types of devices, so we will limit our discussion to just a few such nor-flash or nand-flash. Mobile Forensic You have to collect all the types of information consist Today a mobile device is powerful device that can of both volatile and dynamic information. The reason is function as a cellular phone, web browser and a that anything that is classified, as volatile information personal organizer. These devices have reached such will not survive if the device is powered off or reset. a level of power, and functionality they are in essence a Therefore, the mobile device should be placed into an mini-computer. A mobile device forensics is very similar evidence bag and maintained at stable power support to the procedures and methodologies that are used with throughout. any form of forensics. From time to time it may easy than PC. Step 4. Documentation Records as extracted data must be document with the case number, the date and time it was collected. Did you know? When you seize the mobile device we have to ensure Another part of the documentation process is to we take the mobile device, docking cradle and external generate a report that consists of the detailed memory cards. This is probably one of the most difficult information that describes the entire forensic process things to control and requires that you conduct a thorough that you are performing. Within this report you need to search for any and all memory cards. 
With the size of annotate the state and status of the device in question memory cards today there is all extensive amount of evidence that you would be missing if you miss just one memory card. Did you know? Device Switched On Investigative Methods If the device is in the on state, you act immediately to get power to the mobile device. Now it will not lose the volatile There are four main steps when it comes to performing information. Then you need to take the device to a secure a forensic investigation of a mobile device. These four location like a Faraday Cage or turn off the radio before steps are identified as follows: beginning the examination • Examination Device Switched Off • Identification If the device is in the off state, you need to take the device • Collection to the shielded location before attempting to switch on or place the device in room that can block the signal well • Documentation. enough to prevent the data push. Step 0. Permission Device in its Cradle As with any forensic examination, the main step is to If device is in cradle, you have to remove any connection from the PC despite possibility that a sophisticated suspect have permission to seize the evidence that is required might have a tripwire device and once it disconnected it for your investigation. could activate script to erase potential evidence. Step 1. Examination Password Protected The thing has to be known when it comes to password First, you need to understand the potential sources of protection is the fact that the password itself is not stored the evidence. With a mobile device, these sources can on the device. The only thing stored on the device is a be the device, the device cradle, power supply and any hash of the plain-text password. This storage is similar to other peripherals or media that the device examined the storage used by the majority of operating systems out has met. In addition to these sources, you should also there. 
investigate any device that has synchronized with the Wireless Connection mobile device you are examining. You must avoid any further communication activities, if possible. Eliminate any wireless activity by placing the Step 2. Identi�cation device into an cage that can isolate the device. Second, start the identifying the type of investigating External Memory Card device. Once you have identified the device you have You must not initiate any contact before taking components to identify the operating system that the device is using. off. This includes any devices that supported external media Note, device, is possible, to be running two operating types of cards. systems. www.hakin9.org/en 23
  • 6. FORENSICS during your collection process. The final step of the set it as low as 3), you will be prompted one last time collection process consists of accumulating all of to type the word BlackBerry. The device will then wipe. the information and storing it in a secure and safe It will be reset to the factory out-of-the-box condition, location. and the password reset. You will lose everything in the device memory, with no possibility of recovery. It Forensic Investigation of the BlackBerry will not reformat the microSD card, because that’s not A BlackBerry is a handheld mobile device engineered part of the factory configuration. The phone will still be for email. All models now come with a built-in mobile usable, and the operating system will be unchanged. So phone, making the BlackBerry an obvious choice this technique cannot be used to roll back from an OS for users with the need to access their email from upgrade problem. somewhere besides the comfort of a desk chair. The device is equipped with the RIM software Password Extraction from BlackBerry implementation of proprietary wireless-oriented At first you can attack BlackBerry via bruteforce protocols. The BlackBerry device is always on and BlackBerry backup file. You can access encrypted participating in some form of wireless push technology. information stored in password-protection backups if the Because of this, the BlackBerry does not require original password is known or recovered with Elcomsoft some form of desktop synchronization like the other Phone Password Breaker (http://www.elcomsoft.com/ mobile device does. BlackBerry OS has numerous eppb.html). Elcomsoft Phone Password Breaker capabilities and features like over the air activation, grants forensic access to protected information stored ability to synchronize contracts and appointments in BlackBerry devices by recovering the original plain- with Microsoft Outlook, a password keeper program to text password. 
The toolkit allows eligible customers store sensitive information and the ability to customize acquiring bit-to-bit images of devices’ file systems, your BlackBerry display data. extracting phone secrets (passcodes, passwords, and The BlackBerry device has an integrated wireless encryption keys) and decrypting the file system dump. modem allows communicating over the air with RIM Access to most information is provided in real-time. In Network. The BlackBerry uses the BlackBerry Serial addition to Elcomsoft Phone Password Breaker, the Protocol to backup, restore and synchronize the data toolkit includes the ability to decrypt images of devices’ between the handheld and desktop. In addition, device file systems, as well as a free tool that can extract the uses a strong encryption that safeguards confidentiality, encrypted file system out of the device in raw form. To and authenticity of data to keep data encrypted while unlock Apple backups even faster, the tool engages it transit between the enterprise server and the device the company’s patent-pending GPU acceleration itself. technology. Warning for BlackBerry Push-Technology Since the BlackBerry is all always on, push messaging, device information can be pushed to it at any time. Note that pushed information has the ability to overwrite any data that possibly was previously deleted. The first step in preserving the information is to eliminate the ability of the device to receive this data push. If possible, turn the radio off, or a better solution is to take the device to an in area where the signal cannot be received. The BlackBerry device is not really off unless power is removed for an extended period. If the blackberry is powered back off then any items that were in the queue waiting to be pushed to the device could possibly be pushed before you could stop them. Warning for BlackBerry Password Protection BlackBerry devices come with password protection. 
The owner has the capability to protect all data on the phone with a password. He may also specify the amount of attempts for entering the password before wiping all data from the device. If you exceed your password attempts limit (defaults to 10, but you can Figure 1. Elcomsoft Phone Password Breaker 24 www.hakin9.org/en
  • 7. To Get Round To The Heart Of Fortress • Three key features are: • Decrypt encrypted BlackBerry backups • Recover original plain-text passwords • GPU acceleration However, you will not have a BlackBerry Backup File. The attack or theft has already occurred, therefore, you have to be more analytic, more predictive. According to previous warnings for the BlackBerry. In this case, you have to install spyware to extract password from device. All smartphones give their owners a free choice to lock handheld by password or grant unsecured access. The major concept in using the most complex password is main idea. You’re have to lock your devices! You are have to use more complex combination! It’s have to be randomness! Nevertheless, think for moment. Can you quickly say how many symbols are entered up? No is correct answer. Figure 3. Virtual Keyboard “bug” So, just imagine malware product loaded into device memory and waits when you are going to keyboard is a sure type or multitap keyboard. The bold unlock handheld by typing your topsecret password. keyboard is a full keyboard so it will not duplicate that After inputting is half-closed, malware types just the behavior. one random letter to make senseless your unlocking There are two possible way of stealing password – action. In addition, BlackBerry says Wrong password! during device unlocking or when you synchronize your Try once again. Next attempt. Once you have reached device with PC. During it you are asked about sync way a half-attemps and have typed word blackberry your whether sync media or use usb drive or only charge password is open and is able to steal with screen- device. Sure, we cannot guess what you choose, but shot. we do not. Do you draw attention on discrepancy or Let us examine a virtual keyboard. When you touch take it as a kind of program error (bug)? In any case, screen to type a character a big-scaled review appears. you are caught on fake-logining. 
After password typing When you do the same while typing password into you will be notified about wrong password (two times to masked text-box you can see that every character is get your right pass and one more to inform about e.g. going to be masked by asterisk or black circle in ~1-2 null-pointer error, hung process. Then you have seen second after. Password preview is only used when the originally logon screen. Figure 2. Sync-extracted password Figure 4. PC-sync extracted password – part I www.hakin9.org/en 25
Every device is going to synchronize with a PC sometimes. The major target is the password field of the sync software's text box. Unfortunately, we cannot get a screen capture, but we are still able to use WinAPI functions to unmask the password box, steal the password's characters, and then mask the password box again. Repeat it several times and you will get the password. More details can be found in my previous articles.

Classic BlackBerry forensics

A typical forensic investigator performs the investigation by hand-reading mail and data files, checking for system activities through different log files, and verifying the consistency of the data through the time stamps associated with files on the file system. Protections such as firewalls often force the investigator to perform these tasks on-site.

The difficulties of performing a local analysis can limit the investigation. First, forensic software must be running on the local machine, and may have to be installed. Second, running such software locally risks damaging or contaminating data. Third, if the machine has been compromised, the investigation may produce suspect results – or worse, may alert the attacker.

Gathering logs and dumps

The classic forensic procedure for evidence collection already strains forensic method, because it requires the investigator to interact with the device in order to record the logs it keeps and to take a dump. The investigator can view some logs on the device by pressing hotkeys, or through several applications from the BlackBerry SDK Tools. Don't forget that the counter is always running, even when the radio is turned off, so be sure to record these values as soon as possible to avoid log overwrites.

First, let's examine the hotkeys.

QWERTY / SureType keyboard
• From the Home screen hold the Alt key and then type lglg.
• Display the debug information by completing the following steps:
  • Press the Menu key and click Options.
  • Click the Min log level drop-down list and select Debug Info.
  • Press the Menu key and then click Save.

BlackBerry Storm 9500 in portrait view
• From the Home screen go to Options, then to Screen/Keyboard.
• In the Screen/Keyboard options menu, set the Portrait View Keyboard option to SureType and then Save the settings.
• From the Home screen of the BlackBerry smartphone, press the convenience key to display the keyboard in portrait view.
• Hold the number key to lock the number keyboard. The 123 icon appears at the top right of the screen, and a small lock appears on the number key.
• Press the ,5,5 keys.
• Display the debug information by completing the following steps:
  • Press the Menu key and click Options.
  • Click the Min log level drop-down list and select Debug Info.
  • Press the Menu key and then click Save.

BlackBerry Storm 9550 in portrait view
• From the Home screen of the BlackBerry smartphone, press the convenience key to display the keyboard in portrait view.
• Press the ,5,5 keys.
• Display the debug information by completing the following steps:
  • Press the Menu key and click Options.
  • Click the Min log level drop-down list and select Debug Info.
  • Press the Menu key and then click Save.

BlackBerry Storm 9500 in landscape view
• From the Home screen press the Menu key and click Show Keyboard.
• Hold the number key to lock the number keyboard. The 123 icon appears at the top right of the screen, and a small lock appears on the number key.
• Press the „/”/ keys.

Figure 5. PC-sync extracted password – part II
• Display the debug information by completing the following steps:
  • Press the Menu key and click Options.
  • Click the Min log level drop-down list and select Debug Info.
  • Press the Menu key and then click Save.

Another way to collect the log information is to use loader.exe from the BB SDK tools. It extracts a full copy of the BlackBerry event log to a text file stored on your drive. Let's see some useful commands of JavaLoader.

Java Loader usage
Usage: JavaLoader [-p<pin>] [-d0|-d1] [-w<password>] [-q] <command> (Table 1).

To extract the event log from the device:
• Plug it into the PC via USB cable.
• Open a command shell and type: javaloader.exe -wPASSW eventlog log.txt

The dump command gives us all .cod modules stored on the device, in the root subfolder dump.

To get a dump of a BlackBerry device, let's use the Loader from BlackBerry Device Manager. It is located in c:\Program Files\Common Files\Research In Motion\AppLoader if your OS is 32-bit, or in c:\Program Files (x86)\Common Files\Research In Motion\AppLoader if your OS is 64-bit. Some useful commands are below.

Loader usage
Usage: loader.exe /<command> (Table 2). Dump extraction works the same way as the log extraction above. Command syntax examples:

Loader.exe /eventlog "D:\BBSAK\eventlog-loader.txt"
Loader.exe /screenshot active "D:\BBSAK\active-loader.bmp"
Loader.exe /screenshot primary "D:\BBSAK\primary-loader.bmp"
Loader.exe /screenshot auxiliary "D:\BBSAK\auxiliary-loader.bmp"
Loader.exe /dir "D:\BBSAK\dir-loader.txt"
Loader.exe /deviceinfo "D:\BBSAK\deviceinfo-loader.txt"
Loader.exe /dump "D:\BBSAK\dump-loader.txt"

However, before that you will be asked to enter the device's password. Note that starting a dump requires a device reboot, which can erase the log by overwriting some information. Do not forget about the encryption feature of BlackBerry Storage Protection, based on the password and ECC: if it is on, the dump result is obviously empty.

Table 2. Loader usage
command is one of:
  eventlog <output filename>
  screenshot <output filename>
  deviceinfo <output filename>
  dir <output filename>
  radio on|off
  dump <output filename>

Table 1. Java loader usage
  -p<pin>                            Specifies the handheld PIN (hex pin prefix '0x')
  -w<password>                       Connects using the specified password
  <command> is one of:
  dir [-d] [-s] [-1]                 Lists modules on the handheld
      -d                             Display dependency information
      -s                             Display siblings
      -1                             Single column output
  deviceinfo                         Provides information on the handheld
  save {<module> ... | -g <group>}   Retrieves modules from the handheld
      -g                             Retrieves all modules in a specified group
  info [-d] [-s] [-v] <.cod file>    Provides information on the specified modules
      -d                             Display dependency information
      -s                             Display sibling information
      -v                             Display verbose module information
  eventlog                           Retrieves the handheld event log
  radio on|off                       Turns the handheld's radio on or off
  siblinginfo <.cod file>            Provides sibling information on the specified modules
  screenshot <.bmp file>             Retrieves the contents of the specified screen and saves it as a BMP file
  logstacktraces                     Dumps the stack traces for all threads to the event log
Sample Loader output:

Device Information
  Hardware Id: 0x5001807
  PIN: 0x23436780
  OS Version: 0x0
  VM Version: 0x600023a
  Radio ID: 0x0
  Vendor ID: 609

FaceBook Additional Info
  Friendly name: Facebook
  Description: Facebook® for BlackBerry® smartphones makes it even easier to connect and share while you're on the go...
  Version: 2.0.0.37
  Vendor: Research In Motion Limited
  Copyright: (null)

Event Log
  Guid: 0x6659A3FDB89204F9 time: Sat Jul 30 21:57:05 2011 severity:0 type:2 app: GoogleTalk data: Auto on
  Guid: 0x80C11EC7B1720C9F time: Sat Jul 30 21:57:05 2011 severity:0 type:2 app: WLM data: Auto

Table 3. Directory information
  Name                 Version     Size     Created
  8  net_rim_m2g       6.0.0.570   293384   0 Sun May 01 03:16:11 2011
     Depends on: net_rim_cldc, net_rim_xml_org
  11 net_rim_xml_org   6.0.0.570   44460    0 Sun May 01 03:15:59 2011
     Depends on: net_rim_cldc

Besides the Name, Version, Size, Created and Depends on fields, the following description fields are possible. Let us take the Facebook application as an example. The event log for Google Talk and Windows Live Messenger stores the option Save password & Sign.

BlackBerry Backup Format

The structure of the IPD file is shown in Table 4. Each database name block is of the form shown in Table 5. Each database data block is of the form shown in Table 6. For a more advanced and in-depth look at the file format you may visit the BlackBerry site.

Table 4. General BB backup format
  Inter@ctive Pager Backup/Restore File   header string
  Line feed                               1 byte, value 0A
  Version                                 1 byte, value 02
  Number of databases in file             2 bytes
  Database name separator                 1 byte, value 00
  Database name block #1
  Database name block #2
  ...
  Database name block #n
  Database data block #1
  Database data block #2
  ...
  Database data block #n

Table 5. DB name block format
  Database name length   2 bytes. The length includes the terminating null
  Database name          As long as the name length

Table 6. DB data block format
  Database ID             2 bytes. Zero-based position in the list of database name blocks
  Record length           4 bytes
  Database version        1 byte
  DatabaseRecordHandle    2 bytes
  Record unique ID        4 bytes
  Field length #1         2 bytes
  Field type #1           1 byte
  Field data #1           As long as the field length
  ...
  Field length #n         2 bytes
  Field type #n           1 byte
  Field data #n           As long as the field length

Data extraction through the BlackBerry backup

First, you need to download and install BlackBerry Desktop Manager. Use the following link (https://www.BlackBerry.com/Downloads/entry.do?code=A8BAA56554F96369AB93E4F3BB068C22) to select and download the install file that fits your system or version. Once BB Desktop Manager is installed, connect the device to the PC. Then click the Back up button for a full backup of the device, or use the advanced section for specific data. In the options, you can find the destination folder where your .ipd file will be saved. Note that the ipd file can be encrypted with a password of not less than 4 characters. BlackBerry backups contain essential information stored in the device.

Did you know?
The backup file does not save your email attachments. Moreover, email forensics on BlackBerry comes up empty when the email message is TOO large: you find only a message about truncation. "TOO LARGE" equals 8 MB of data, or ~5 MB of data encoded into Base64, per data file. If there is more than one attachment file, the size allowed is ~3 MB per file. The newly announced version of BES and BIS can support EXTRA large file sizes of ~8 MB instead of ~5 MB per file. Everything else is the same.
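The IPD layout in Tables 4 to 6 is simple enough to parse directly. The following Python parser is an added example written for this article, not BlackBerry's code nor that of any of the tools named here; it assumes the database count is big-endian and all other multi-byte integers little-endian (the page does not state byte order), assumes the record length counts the bytes after the length field, and builds its own constructed sample backup rather than reading a real .ipd.

```python
import struct

# Fixed header string from Table 4. Byte orders are assumptions of this example:
# database count big-endian, every other multi-byte integer little-endian. The
# record length is assumed to count the bytes that follow the length field.
MAGIC = b"Inter@ctive Pager Backup/Restore File"


def parse_ipd(blob: bytes) -> dict:
    """Parse an IPD backup into {"version": int, "databases": {name: [records]}}.

    A record is {"version", "handle", "uid", "fields": [(type, bytes), ...]}.
    Truncation or inconsistency raises ValueError rather than returning partial
    data, so a damaged backup is never mistaken for a short one.
    """
    if not blob.startswith(MAGIC):
        raise ValueError("not an IPD file: header string missing")
    pos = len(MAGIC)
    if blob[pos:pos + 1] != b"\x0a":
        raise ValueError("expected line feed (0x0A) after header string")
    pos += 1
    version = blob[pos]
    pos += 1
    (db_count,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    if blob[pos:pos + 1] != b"\x00":
        raise ValueError("expected database name separator (0x00)")
    pos += 1

    # Table 5: name length (including the terminating null), then the name.
    names = []
    for _ in range(db_count):
        (name_len,) = struct.unpack_from("<H", blob, pos)
        pos += 2
        raw = blob[pos:pos + name_len]
        if len(raw) != name_len:
            raise ValueError("truncated database name block")
        pos += name_len
        names.append(raw.rstrip(b"\x00").decode("latin-1"))
    databases = {name: [] for name in names}

    # Table 6: data blocks repeat until the end of the file.
    while pos < len(blob):
        if pos + 6 > len(blob):
            raise ValueError("truncated record header")
        db_id, rec_len = struct.unpack_from("<HI", blob, pos)
        pos += 6
        if db_id >= len(names):
            raise ValueError(f"database id {db_id} has no name block")
        end = pos + rec_len
        if end > len(blob) or rec_len < 7:
            raise ValueError("truncated record")
        db_version = blob[pos]
        handle, uid = struct.unpack_from("<HI", blob, pos + 1)
        pos += 7
        fields = []
        while pos < end:
            if pos + 3 > end:
                raise ValueError("truncated field header")
            (f_len,) = struct.unpack_from("<H", blob, pos)
            f_type = blob[pos + 2]
            pos += 3
            if pos + f_len > end:
                raise ValueError("field overruns its record")
            fields.append((f_type, blob[pos:pos + f_len]))
            pos += f_len
        databases[names[db_id]].append(
            {"version": db_version, "handle": handle, "uid": uid, "fields": fields})
    return {"version": version, "databases": databases}


def build_ipd(names, records, version=2) -> bytes:
    """Serialise a backup in the same layout; used only to construct the sample."""
    out = MAGIC + b"\x0a" + bytes([version]) + struct.pack(">H", len(names)) + b"\x00"
    for name in names:
        enc = name.encode("latin-1") + b"\x00"
        out += struct.pack("<H", len(enc)) + enc
    for db_id, db_version, handle, uid, fields in records:
        body = bytes([db_version]) + struct.pack("<HI", handle, uid)
        for f_type, data in fields:
            body += struct.pack("<H", len(data)) + bytes([f_type]) + data
        out += struct.pack("<HI", db_id, len(body)) + body
    return out


# Constructed sample: two databases, three records. Database names, field type
# codes and contents are illustrative, not values taken from a real backup.
SAMPLE_IPD = build_ipd(
    ["Address Book", "SMS Messages"],
    [
        (0, 1, 0x0001, 0x10000001, [(0x20, b"Alice Example"), (0x21, b"+1 555 0100")]),
        (1, 1, 0x0002, 0x20000001, [(0x02, b"+1 555 0100"), (0x04, b"See you at 9")]),
        (1, 1, 0x0003, 0x20000002, [(0x02, b"+1 555 0199"), (0x04, b"Running late")]),
    ],
)


def sms_bodies(parsed: dict, text_type: int = 0x04) -> list:
    """Text of every field of the (constructed) message-body type in the SMS database."""
    return [data.decode("latin-1")
            for rec in parsed["databases"].get("SMS Messages", [])
            for f_type, data in rec["fields"] if f_type == text_type]


if __name__ == "__main__":
    parsed = parse_ipd(SAMPLE_IPD)
    print("version", parsed["version"], "databases", list(parsed["databases"]))
    print("SMS bodies:", sms_bodies(parsed))
```

On a real backup, replace SAMPLE_IPD with the bytes of the .ipd file; a password-encrypted backup will fail the header check, which is the expected signal to use one of the tools discussed next.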
User data such as email, SMS and MMS messages, web browsing history and cache, call logs, pictures and photos, contacts, calendars, appointments, and other organizer information are stored in BlackBerry backups. Access to information stored in BlackBerry backups can be essential for investigations, and is in high demand by forensic customers. The IPD file can be read using several commercial utilities, including:
• MagicBerry IPD Reader (http://menastep.com)
• Amber BlackBerry Converter (http://www.processtext.com/abcBlackBerry.html)
• Elcomsoft BlackBerry Backup Explorer (http://www.elcomsoft.com/ebbe.html)
• Paraben Device Seizure (http://www.paraben.com/device-seizure.html)
• UFED (http://www.cellebrite.com/forensic-products/forensic-products/ufed-physical-pro.html)

UFED is a physical analyzer software tool that can be used for intelligence gathering and investigative research. It extracts phone content, hex dumps, files, and extensive information from GPS devices that can be mapped on Google Maps. In addition, it extracts existing, hidden, and deleted phone data, including call history, text messages, contacts, images, phonebook entries and videos.

So, what you'll be able to do with Magic Berry IPD Parser:
• Read ipd files
• Split ipd files
• Export SMS Messages, Phone Calls Log, Memos, Tasks, Calendar, and Address Book to CSV
• Edit Service Books
• Merge two ipd files

Elcomsoft BlackBerry Backup Explorer allows forensic specialists to investigate the content of BlackBerry devices by extracting, analyzing, printing or exporting the content of a BlackBerry backup produced with BlackBerry Desktop Software. Elcomsoft BlackBerry Backup Explorer supports BlackBerry backups made with PC and Mac versions of BlackBerry Desktop Software. You can export information from BlackBerry backups into a variety of readable formats (PDF, HTML, DOC, RTF, ...). BlackBerry Backup Explorer can also access encrypted information stored in password-protected backups if the original password is known or recovered with Elcomsoft Phone Password Breaker. Elcomsoft Phone Password Breaker grants forensic access to protected information stored in BlackBerry devices by recovering the original plain-text password. Elcomsoft BlackBerry Backup Explorer is essentially the same as Amber BlackBerry Converter.

As an alternative to acquiring the BlackBerry through BlackBerry IPD Reader, Paraben's Device Seizure is a simple and effective method to acquire the data. Device Seizure was designed from the ground up as a forensic grade tool that has been upheld in countless court cases.

Figure 6. BlackBerry Backup Manager
Figure 7. Amber BlackBerry Converter
Figure 8. Elcomsoft Blackberry Backup Explorer
Device Seizure supports acquisition of:
• SMS History (Text Messages)
• Deleted SMS (Text Messages)
• Phonebook (both stored in the memory of the phone and on the SIM card)
• Call History
  • Received Calls
  • Dialed Numbers
  • Missed Calls
  • Call Dates & Durations
• Scheduler
• Calendar
• To-Do List
• Filesystem (physical memory dumps)
  • System Files
  • Multimedia Files (Images, Videos, etc.)
  • Java Files
  • Deleted Data
• GPS Waypoints, Tracks, Routes, etc.
• RAM/ROM
• PDA Databases
• E-mail

Here is a brief general draft for examining data with Paraben Device Seizure:
• Create a new case in Device Seizure with File | New.
• Give the case a name and fill in any desired information about the case on the next two screens. The third screen is a summary of the data entered. If all data is correct click Next and then Finish.
• You are now ready to acquire the phone. Go to Tools | Data Acquisition.
• You are prompted for the supported manufacturer. Select RIM Blackberry.
• Leave supported models at the default selection of autodetect.
• Connection type should be set to USB.
• For data type selection select Logical Image (Databases).
• Confirm your selections on the summary page and click Next to start the acquisition.

Figure 9. USB Connection
Figure 10. BB Manager is linked with BB Simulator
Figure 11. BB Simulator after sync

BlackBerry Simulation

The BlackBerry Simulator is built for simulating a backup copy of the physical device. This is helpful if the device is low on battery, needs to be turned off, or you do not want to alter the data on the physical device. The following steps are suitable for each BlackBerry device model.
• Select a simulator from the drop-down list on the BlackBerry website (http://us.blackberry.com/developers/resources/simulators.jsp) and download it. Then install it.
• Select and download BlackBerry Device Manager. Then install it.
• Run BlackBerry Device Manager and BlackBerry Simulator.
• Select Simulate | USB Cable Connected.
• Select File | Restore to simulate with physical data evidence on the BlackBerry Simulator.

Also, you can mount an SD-card copy to the BlackBerry Simulator. Now you may turn off the BlackBerry's wireless communication by holding power on, and then examine the evidence with the device simulator in the up state.

Figure 12. SD mounting

Live (Spy) BlackBerry forensics

When a digital device is discovered on the crime scene, the investigator first looks at whether the device is switched on or not. In the dead analysis method, if the discovered digital device is switched on it will be switched off. Then the digital device will be packaged and labelled in a correct way and transported to the forensic lab for further analysis. At the lab, the forensic examiner acquires the potential evidence on the device by making a forensic copy of the data stored on the digital device under investigation. The tools used to make the forensic copy guarantee that no modifications are made to data stored on the digital device under investigation during the process of forensic acquisition. After this, the analysis to find incriminating or exculpatory evidence is performed on the forensic copy. That's known as Dead Analysis or Classic Forensics. Traditional forensics focuses on learning as much about a dead file system as possible. While a full analysis can be time consuming, doing one can reveal a lot about an incident. Often one of the most revealing things that can be done is a MAC time analysis to reconstruct the events of an attack from the files accessed. While a skilled attacker can certainly manipulate this, few go to this depth. In general, this type of analysis is limited to criminal cases or to cases where the attacker's means of compromise was unknown and the goal is to determine how they got in.

In some situations, it is not desirable to shut down, seize the digital device, and perform the forensic analysis at the lab. For example, if there is an indication that an encryption mechanism is used on the digital device that was discovered, then the investigator should not shut down this digital device. Otherwise, after shutdown all the information (potential evidence) that was encrypted will be unintelligible. By performing Live Analysis, the investigators attempt to extract the encryption key from the running system. That's known as Live Analysis or Non-Classic Forensics. The goal of any live forensics task should be to extract and preserve the volatile data on a system while, to the extent possible, otherwise preserving the state of the system. Additionally, this is often the first step of an incident response scenario where a handler is simply trying to determine if an event has occurred. The benefit of using this approach is that you have a forensically sound data collection from which to proceed with a full forensic analysis if the initial analysis indicates one is required.

Live ToolKit

The first toolkit is made by Gamma Group and called Remote Monitoring & Infection Solutions (FinFisher – FinFly & FinSpy). The Remote Monitoring and Infection Solutions are used to access target systems. They give full access to stored information, the ability to take control of the target systems' functions, and even the capture of encrypted data and communications. In combination with advanced remote infection methods, you have the capability to remotely infect and monitor all activity on target systems. It can extract SMS & MMS messages, email messages, BlackBerry Messages (PIN-to-PIN), call history, GPS location and cell location, address book, calendar events and URL history. By the way, it has several attacking features, such as attack via USB or Bluetooth, attack via SMS trojan activation, or through a browser download.

The second toolkit, no less interesting than the previous one, is made by Italian professionals and called Remote Control System (RCS, http://hackingteam.it/index.php/remote-control-system). Briefly, it evades encryption by means of an agent directly installed
on the device to be monitored. Evidence collection on monitored devices is stealthy, and transmission of the collected data from the device to the RCS server is encrypted and untraceable. These toolkits collect all possible information, such as phone history, organizer & address book, SMS/MMS/email, location tracking, screenshot & camera snapshots, SIM info and remote audio spying. Both of them are divided into two parts: the client and GUI monitoring.

Potential Data as Evidence

Potential attack vectors can be various; however, the most popular of them are:
• Address Book
• Calendar Events
• Call History
• Browser history and bookmarks
• Memos and Tasks
• Screen-shots
• Camera-shots
• Videocamera-shots
• Clipboard
• Location tracking (cell, wifi, gps, bluetooth)
• SMS/MMS/Emails
• Pictures, Videos, Voice notes, and other files
• IMs
• Passwords

Let us examine some of them to find out the common sense. What is in an up-to-date BlackBerry Address Book? A lot of contact data, such as several mobile or home phone numbers, faxes, emails, BB PINs, work and home addresses, web pages or dates. Also we can add IM data (Gtalk, Y!, Windows Live, AIM, and the not-so-trustworthy up-to-date ICQ). That was all until social networking arrived. One more question: does your BlackBerry device have an auto on-off feature? OK, let us summarize it. In our Address Book we have much valuable information about friends; the social network gives an up-to-date avatar, calendar (in addition to our own calendar, which at least records our sleeping time), GPS location points, and software names that provide several pieces of information. Due to the victim's calendar info and GPS info (from photo EXIF or Facebook likes), private data such as tracking info, habits, time marked as free, time when you're possibly sleeping, and time when you're at home or at the company can come to light. For example, in Figure 2 my contact information appears. Though my personal data is obfuscated, a few of my email addresses, phone numbers, home address (this info – City and County – was obtained from Facebook, by the way), my birthday, BlackBerry PIN and web sites come up. Now let us check my calendar events.

Friday, April 29th
  Friends' birthday (by default it's marked by the 00:00 hour) is set at 00:00,
  Daily alarm is set at 06:01,
  WLB Europe 2011, Arena Moscow – 21:00 till 22:30 (9 till 10.30 p.m.). It was a Tarja Turunen concert.

Monday, May 16th
  My free time is set at 00:00-06:01. Indeed, it's the time when my device is sleeping (auto on/off feature) and me too... from time to time.
  And the daily alarm is set at 06:01.

Figure 13. Up-to-date contact card
In addition, if you involve call history with GPS records as two parts of evidence, you provide yourself with many opportunities to draw a social graph of accomplices. Extracting all possible fields from the object called PIM is the goal for gathering more information about the attacked individual from their profile overall.

Password tips found on the net are undermined by the tendency of passwords to grow ever more complex. Guess why. Do you have enough time to type a random string (20-40 characters in length)? How many web sites do you log in to? There are more than I can count. Facebook, Myspace, LinkedIn, Twitter and any number of other social networking sites? Probably a dozen. Shopping sites? Yes, several. Emails, IMs, etc. Every site requires you to create a password, a strong password. Is it possible to memorize them? Some people solve it with a digital wallet. Great! All you need to keep in mind is only one super complex password. The other stored passwords are encrypted by default. For example, BlackBerry Wallet or Kaspersky Password Manager. Both are described as an indispensable tool for the active internet and shopping user. In addition, it fully automates the process of entering passwords and other data into websites and saves the user the trouble of creating and remembering multiple passwords. It is still unsecured. Do not neglect spyware that is able to capture the screens of your device. OK, forget about that kind of malware. Let us talk about a more useful way of using BlackBerry Wallet. You need to see the password to type it, or you need to copy it into the clipboard. Moreover, no software producer can protect it, because the data needs to be put into a public text box. In other words, the end-point object is vulnerable. By the way, there's a getClipboard() method to retrieve the system's clipboard object in the BlackBerry API. Your data and password are open to it. Other methods of password stealing have already been discussed at the beginning of the article.

Figure 14. Up-to-date calendar events
Figure 15. Screen-shot of BlackBerry Wallet

The next victim is messages (SMS, MMS, email). Email is one of the most common ways people communicate. From internal meeting requests, distribution of documents and general conversation, one would be hard pressed to find an organization of any size that does not rely on email. Studies have shown that more email is generated every day than phone conversations and paper documents combined. Many users store their personal calendars and contacts, and even synchronize their email clients with their mobile devices.

A less interesting part of the evidence includes browser history, browser bookmarks, memos, tasks, etc. This kind of forensics makes sense in cases of violating company policy by visiting certain sites, or for the time aspect (when the computer was connected to a site at the time when something happened), and to reconstruct a detailed history of a computer's use by examining a handful of files that contain a web browser's past operation. One more part of it is the Favorites folder, which contains the URLs of web sites saved by the user, probably because they are of interest to the user and are frequently visited; explicit storing of these links indicates intent.

Figure 16. Potential Messages
Figure 17. Potential WebBrowser Bookmarks
Figure 18. Potential BBM chat

Pictures, videos, voice notes, and other files. Let's start from the last object, other files. What a digital document can tell you about the person who wrote it is often more important than what it says, if you read it. It may contain evidence equivalent to a smoking gun for your case, but do you know who created the document and when it was written? Obtaining a digital document and hoping to enter it into the record at court is not enough. You must link the evidence to the document creator, and that's where document forensics is critical in trial preparation. Although the electronic document cannot speak, what it can tell about who, what, when, where, why, and how is often much more credible than any testimony by a witness.

Voice notes, videos and pictures show us in general what our victim finds interesting in particular. It may be a secret/internal presentation that he video-captured or audio-captured. This case is useful for us, because we don't need to intercept API events; all we need is to listen to the file events of creating and deleting files. Pictures are more inquisitive as camera snapshots, since they carry an EXIF header. Metadata is, quite simply, data about data. For example, a Microsoft Word document's metadata may contain the author's name and the dates the document was created/modified. Metadata may contain useful information for an investigator. Specifically, digital camera pictures may contain an Extended File Information (EXIF) header, which saves information about the camera that took the picture.

The EXIF format was created by the Japan Electronic Industry Development Association and is referenced as the preferred image format for digital cameras in ISO 12234-1. Many digital camera manufacturers, such as Canon, Sony and Kodak, implement the use of EXIF headers. This header is stored in an application segment of a JPEG file, or as privately defined tags in a TIFF file. This means that the resulting JPEG or TIFF is still in a standard format readable by applications that are ignorant of EXIF information [3]. Below is a typical EXIF header (in human readable format): file name/size/date, camera make/model, date/time, resolution, etc. Although it is possible to retrieve EXIF headers by looking at each picture in a disk editor, a considerable amount of time is required to translate the hex codes into human readable format. You can use Adobe Photoshop, ACDSee or jhead (88K in size). Let us look at it with ACDSee software.

BlackBerry EXIF picture information
  FileName                   Moskva-20110801-00007.jpg
  Camera
    Camera Make              Research In Motion
    Camera Model             BlackBerry 9800
    X-Resolution             72/1
    Y-Resolution             72/1
    Resolution               inches
    Software                 Rim Exif Version1.00a
    DateTime                 01.08.2011 0:38:43
    YCbCr                    Near
  Picture
    Exposure time            0s
    DateTime                 01.08.2011 0:38:43
    Focus Dist               N/A
    Light source             N/A
    Flash used               No
    Brightness-color space   sRGB
    Width                    2592
    Height                   1944
  GPS
    GPS base-latitude        northern latitude
    GPS latitude             55, 52' 6.18"
    GPS base-longitude       east longitude
    GPS longitude            37, 36' 55.8"
    GPS orthometric height   0m
  Misc
    EXIF version             2.2
    GPS version              (32,32,30,30)

The last of them is IM chat. Instant messaging is a well-established means of fast and effective communication. Once used primarily by home users for personal communications, IM solutions are now being deployed by organizations to provide convenient internal communication. This often includes the exchange and discussion of proprietary and sensitive information, thus introducing privacy concerns. Although IM is used in many legitimate activities for conversations and message exchange, it can also be misused by various means. For example, an attacker may masquerade as another user by hijacking the connection, performing a man-in-the-middle attack, or by obtaining physical access to a user's computer. Analysis of IM in terms of computer forensics and intrusion detection has gone largely unexplored until now.

IM chat CSV file format
  Date/Time           PIN Sender    PIN Receiver   Data
  YYYYMMDDHHMMSSMS    HEX VALUE     HEX VALUE      STRING

  Date/Time           ID Sender     ID Receiver    Data
  YYYYMMDDHHMMSSMS    STRING        STRING         STRING

File paths that should be monitored
  /Device/Home/User/                        if information is stored on internal memory
  /MediaCard/BlackBerry/                    if information is stored on external memory
  ../IM/AIM/USERNAME/history/               AIM history in CSV format
  ../IM/BlackBerryMessenger/PIN/history/    BBM history in CSV format
  ../IM/GoogleTalk/USERNAME/history/        GTalk history in CSV format
  ../IM/Yahoo/USERNAME/history/             Yahoo Messenger history in CSV format
  ../IM/WindowsLive/USERNAME/history/       Windows Live history in CSV format
  ../pictures                               Manually added pictures or screenshot data
  ../camera                                 Photo captured data
  ../videos                                 Video captured data
  ../voice notes                            Voice captured data
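To work with the history files above, here is an added Python example (not code from the original article or from any product it names) that parses BBM history lines in the CSV layout just described and computes the per-sender stylometric features the next section discusses: function words, abbreviations, greetings, emoticons, punctuation and word length. The PINs and messages are constructed, the feature lexicons are small illustrative sets, and the digits after the 14-digit date/time stamp are assumed to be sub-seconds and ignored.

```python
import csv
import io
import re
from datetime import datetime

# Small illustrative lexicons for the stylometric traits discussed in the text;
# a real author-identification model would use far larger ones.
FUNCTION_WORDS = {"the", "to", "a", "of", "and", "in", "is", "it", "you", "i", "that"}
ABBREVIATIONS = {"lol", "rotfl", "ru", "u", "4", "ttyl", "brb"}
GREETINGS = {"hi", "hello", "hey", "bye", "cya", "ttyl"}
EMOTICON = re.compile(r"[:;=8][-'^]?[)(DPpO3]")
WORD = re.compile(r"[A-Za-z0-9']+")
PUNCTUATION = set(".,;:!?")


def parse_history(text: str) -> list:
    """Parse BBM history CSV lines: Date/Time, PIN sender, PIN receiver, Data.

    Assumption: digits after the 14-digit YYYYMMDDHHMMSS stamp are sub-seconds
    and are dropped. Bodies may contain commas, so every column after the
    third is joined back into the Data field.
    """
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 4:
            continue  # blank or malformed line; skip rather than abort
        when = datetime.strptime(row[0][:14], "%Y%m%d%H%M%S")
        rows.append({"when": when, "sender": row[1], "receiver": row[2],
                     "data": ",".join(row[3:])})
    return rows


def stylometry(rows: list) -> dict:
    """Per-sender counts and ratios of the stylometric features."""
    per = {}
    for r in rows:
        s = per.setdefault(r["sender"], {
            "messages": 0, "words": 0, "chars": 0, "function_words": 0,
            "abbreviations": 0, "greetings": 0, "emoticons": 0,
            "punctuation": 0, "capitalised_starts": 0})
        text = r["data"]
        words = WORD.findall(text)
        lower = [w.lower() for w in words]
        s["messages"] += 1
        s["words"] += len(words)
        s["chars"] += sum(len(w) for w in words)
        s["function_words"] += sum(w in FUNCTION_WORDS for w in lower)
        s["abbreviations"] += sum(w in ABBREVIATIONS for w in lower)
        s["greetings"] += sum(w in GREETINGS for w in lower)
        s["emoticons"] += len(EMOTICON.findall(text))
        s["punctuation"] += sum(c in PUNCTUATION for c in text)
        s["capitalised_starts"] += int(text[:1].isupper())
    # Derived ratios, which are what stays comparable across conversations.
    for s in per.values():
        n = s["words"] or 1
        s["avg_word_len"] = round(s["chars"] / n, 2)
        s["function_word_ratio"] = round(s["function_words"] / n, 3)
        s["words_per_message"] = round(s["words"] / s["messages"], 2)
    return per


# Constructed sample history: PINs, times and messages are made up.
SAMPLE_BBM_HISTORY = """\
20110730215705123,2A3B4C5D,1F2E3D4C,hey u there? need the q3 numbers 4 the meeting
20110730215731456,1F2E3D4C,2A3B4C5D,Hello. Yes, I will send the figures shortly.
20110730215802789,2A3B4C5D,1F2E3D4C,lol ok ttyl :)
20110730215840012,1F2E3D4C,2A3B4C5D,Sent. Please confirm receipt when you can.
"""

if __name__ == "__main__":
    for pin, feats in stylometry(parse_history(SAMPLE_BBM_HISTORY)).items():
        print(pin, feats)
```

The two constructed senders separate cleanly on abbreviation and emoticon counts versus capitalisation and punctuation, which is the kind of contrast the feature profile is meant to expose.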
All humans have unique patterns of behavior, much like the uniqueness of biometric data. Therefore, certain characteristics pertaining to language, composition, and writing, such as particular syntactic and structural layout traits, patterns of vocabulary usage, unusual language usage, and stylistic traits, should remain relatively constant. The identification and learning of these characteristics with a sufficiently high accuracy is the principal challenge in author identification. IM forensics has to answer the following questions:
• identify an author of an IM conversation based strictly on author behavior
• classify behavior characteristics

Author behavior categorization uses a set of characteristics that remain relatively constant for a large number of IM messages written by an author. These characteristics, known as stylometric features, include syntactic and structural layout traits, patterns of vocabulary usage, unusual language usage, and stylistic features. Each author has various stylometric features that are sufficient to uniquely identify him or her. Stylometric features are often word-based, including word and character frequency distributions, word length, and sentence length. Literary analysts and computational linguists often use frequency lists. Various syntactic features are also included, such as the use of function words (short all-purpose words such as the and to), punctuation, greetings and farewells, and emoticons. Users also use abbreviations for common phrases such as LOL (laughing out loud) and ROTFL (rolling on the floor laughing), as well as shortened spellings of words such as ru (are you) and 4 (for). So, in this case IM analysis gives the opportunity to identify a person who would otherwise remain anonymous to the forensic examiner.

BlackBerry Forensic Tips

Summarizing all the information above, you should have several plans of action for BlackBerry forensics. I give some of them below. Some of them are close to those for other mobile devices.

BlackBerry Device Forensics
• BlackBerry device forensics is very similar to forensics of any system
• The mobile investigating process is the same as for a PC
• The BlackBerry device is a push technology device that does not require synchronization with a PC

Investigative Methods of BlackBerry Device Forensics
• Prior to investigating the BlackBerry device we have to secure and acquire the evidence.
• There are four steps to investigating a BlackBerry device:
  • Examination
  • Identification
  • Collection
  • Documentation

BlackBerry Device Investigative Tips
• If the device is in the on state you have to preserve the state by supplying adequate power.
• If the device is in the off state, leave it in that state; switch on the device, not the battery, and photograph the device.
• If the device is in the cradle, avoid any communication activities.
• If wireless is on, eliminate any activity by placing the device in an envelope, anti-static and isolation bag.

Conclusion

The RIM device shares the same evidentiary value as any other Personal Digital Assistant (mobile device). As the investigator may suspect of most file systems, a delete is by no means a total removal of data on the device. However, the RIM's always-on, wireless push technology adds a unique dimension to forensic examination. In fact, a RIM device does not need a cradle or desktop connection to be useful. The more time a mobile device spends with its owner, the greater the chance is that it will more accurately reflect and tell a story about that person. The BlackBerry is an always-on, push messaging device. Information can be pushed to the device through its radio antenna at any time, potentially overwriting previously "deleted" data. Without warning, applications such as the email client, instant messaging, wireless calendar, and any number of third party applications may receive information that makes the forensic investigator's attempts to obtain an unaltered file system much more difficult. In order to preserve the unit, turn the radio off. Make note that completely powering off the RIM will wipe data from the SRAM. Logs stored there, which may be of interest, will not survive a full power-down. If the RIM is password protected, get the password. The password itself is not stored on the unit; rather, an SHA-1 hash of the password is stored and compared to a hash of what was entered. The examiner only has the opportunity to guess 10 times before a file system wipe occurs to protect the data. This wipe will destroy all non-OS files. No software exists to circumvent the password protection. A direct-to-hardware solution will be required if the password is not available. Thus, the RIM's currently unsurpassed portability is the examiner's greatest ally.

On the 'Net
• http://na.BlackBerry.com/eng/devjournals/resources/journals/jan_2006/ipd_file_format.jsp – BlackBerry IPD File Format (.ipd)
• http://www.ca.com/us/home/lpg/forms/na/sre/12625_15012.aspx – Defending Against Insider Threats To Reduce Your IT Risk
• http://www.elcomsoft.com/eppb.html – Elcomsoft Phone Password Breaker
• http://menastep.com – MagicBerry IPD Reader
• http://www.processtext.com/abcBlackBerry.html – Amber BlackBerry Converter
• http://www.elcomsoft.com/ebbe.html – Elcomsoft BlackBerry Backup Explorer
• http://www.paraben.com/device-seizure.html – Paraben Mobile Device Seizure
• https://www.BlackBerry.com/Downloads/entry.do?code=A8BAA56554F96369AB93E4F3BB068C22 – BlackBerry Desktop Manager
• http://us.blackberry.com/developers/resources/simulators.jsp – BlackBerry Simulator
• http://www.cellebrite.com/forensic-products/forensic-products/ufed-physical-pro.html – Cellebrite for Mobile Forensics Universal Forensic Extraction Device

YURY CHEMERKIN
Graduated from the Russian State University for the Humanities (http://rggu.com/) in 2010. At present a postgraduate at RSUH. Information Security Analyst since 2009 and currently works as a mobile info security researcher in Moscow. I have scientific and applied interests in the sphere of forensics, cyber security, AR, perceptive reality, semantic networks, mobile security and cloud computing. I'm researching BlackBerry Infrastructure and the effects of the trust bot-net & forensic techniques on human privacy.
E-mail: yury.chemerkin@gmail.com (yury.chemerkin@facebook.com)
Facebook: www.facebook.com/yury.chemerkin
LinkedIn: http://ru.linkedin.com/pub/yury-chemerkin/2a/434/549