2. FORENSICS
To Get Round
To The Heart Of Fortress
Cybercrime is becoming a growing threat to society. The thefts of
information, crashing a website or manipulating online payment
traffic are also increasing. Many organizations offer various services
in the battle against digital crime, such as network or data monitors
and extractions tools. It is interesting mainly to authorities and
financial institutions, but they are accessible to every organization..
What you will learn…
What you should know…
• General forensic classi�cation
• Classic and non-classic mobile forensic
• Basic knowledge about forensic
T
he current century describes like the
application of digital technology that enhances
traditional methodologies. The incorporation of
computer systems private, commercial, educational,
governmental, and other way life improved the efficiency
of these entities. One other hand the computers as
a criminal tool has enhanced their own activity. In
particular, the surge of technical adeptness by the
general population, coupled with anonymity, seems to
encourage crimes using computer systems since there
is a small chance of being prosecuted, let alone being
caught. These crimes is rather classic crimes To catch
criminals involved with digital crime, investigators must
employ consistent and well-defined forensic procedures
if possible.
Writing off insider threat as a low cast risk ought
to realize sternness of the problem. Threat as this
kind ranges from the malicious employee (of he has
and have to has the technical expertise to implant
a malware (logic bomb,…) in the critical system.
Malicious insider is a employee (current or former),
contractor, or business partner who had / has / going to
have authorized access to an organization’s network,
system, or data in a manner that negatively affected
the confidentiality, integrity, or availability. Employees
also represent another significant insider threat
vector. These inadvertent actions can occur because
individuals have accumulated more privileges than
they need for their current job functions or because
20
individuals may just be careless about usage and
distribution of sensitive data. The result is that
organizations need to defend against the malicious
insider as well as the careless user. The common
security vulnerabilities increase risk of insider threats
is inadequate auditing and analytics:
•
•
•
Sheer volume of audit and log data impedes
forensics investigation and detection. Logging all
IT activity is an important first step in combating
insider attacks and today’s highly distributed
and complex IT environments generate massive
volumes of logging data, but the sheer volume of
data is very difficult to manage.
Most current approaches to addressing insider
threats are reactive, not predictive. This helps
immensely in forensic investigations, but the
problem is that the attack or theft has already
occurred. Therefore, organizations should be
looking for solutions that can provide more analytic
and predictive capabilities that if not able to prevent
insider attacks, may still identify at-risk insiders and
then implement more detailed logging on those
individuals in response.
Delicate balance of risk versus productivity. IT
managers need to balance the risk of employees’
need for additional access versus the lost
productivity that would result if access was not
granted to certain users. Many organizations also
www.hakin9.org/en
3. To Get Round To The Heart Of Fortress
lack the necessary reporting tools to examine
an individual’s expanding entitlements over time
which further compounds the problem. The result
is that IT often struggles to answer the critical
question, Who has access to what? confidently and
accurately.
What is digital forensic?
Digital forensics suggests a high-tech process reserved
only for cases centered on proprietary technology. Now
digital data is omnipresent, therefore digital forensics
has quickly become a legal necessity. Searching
through digital evidence could recover a hidden
document or deleted e-mail message, which may
accelerate exposure or win it.
In the typical case, a hard copy document is analyzed,
and the lawyer can only engage in direct or crossexamination based on information printed on the page.
It is difficult to determine the document’s authenticity,
original author, etc. However, documents created
in Microsoft Word or other leading word processing
systems are likely to contain a surplus of information
is not displayed or printed. A forensic examiner is shall
to discover an additional information called metadata.
Metadata is a description or definition of electronic data,
or data about data. Metadata can include descriptive
tags and information about create data or changes have
been made.
Internet logs also may provide valuable evidence.
The main rule is if information was displayed at some
time on a computer screen, it can be recovered from
it. For example, checking account balance online. It is
applicable to data of all types. The failure of analyzing
digital data is at best inexcusable, and at worst,
ineffective assistance of malpractice. With the vast
majority of documents that created, and with so many
communications, now there is the luxury with easy
validating a controversy and the responsibility of doing.
Data forensics was all but unknown just a few years
ago. Nowadays it considered a standard and routine
practice in legal matters, of course.
Several branches in digital forensic
It is a branch of forensic bringing about the recovery and
investigation of material found in digital devices, often
in relation to computer crime. This term was originally
used as a synonym for computer forensics however
it has expanded in view of covering investigation of
all devices capable of storing digital data. As a result,
now prefer either to use more specialised terms such
as mobile device forensics or mobile phone forensics
or to use a term such as digital forensics to include all
digital devices. Digital forensics includes several subbranches relating to the investigation of various types of
devices, media or artefacts.
www.hakin9.org/en
Computer Forensics
Computer forensics is relating to legal evidence found
in computers and digital storage media, .e.g. examine
digital media with identifying, preserving, recovering,
analyzing, and reporting. Although, it is most often
associated with the investigation of a wide variety
of computer crime, computer forensics may also be
used in civil proceedings. The discipline involves
similar techniques and principles to data recovery.
Computer forensic investigations usually follow the
standard digital forensic process. Investigations are
performed on static data/images rather than live
systems.
There are several techniques is pertaining to
computer forensic:
•
•
•
•
Cross-drive analysis correlates information found
on multiple hard drives. This process can be used
for identifying social networks and for performing
anomaly detection.
Live analysis examines the operating system
using custom forensics or existing sysadmin tools
to extract evidence. The practice is useful when
dealing with the logical hard drive volume may be
imaged (known as a live acquisition) before the
computer is shutdown.
Recovering deleted files is a common technique
used in computer forensics in view of data allowing
to be reconstructed from the physical disk sectors.
It involves searching for signatures of file headers
to reconstruct.
Volatile data dumping as recovering any information
stored in RAM because after powering down it may
be lost.
Mobile Device Forensics
Mobile device forensics is relating to recovery of digital
evidence or data from a mobile device. The memory
type, custom interface and proprietary nature of mobile
devices require a different forensic process compared
to computer forensics. Each device often has to
have custom extraction techniques used on it. The
forensics process for mobile devices broadly matches
other branches of digital forensics; however, some
particular concerns apply. One of the main ongoing
considerations for analysts is preventing the device
from making a network/cellular connection, because
it may bring in new data, overwriting evidence. To
prevent a connection mobile devices will often be
transported and examined from within a Faraday
cage. Mobiles will often be recovered switched on
to avoid a shutdown changing files. However, with
more advanced smartphones using advanced memory
management, connecting it to a recharger and putting
it into a faraday cage may not be good practice.
21
4. FORENSICS
The mobile device would recognize the network
disconnection and therefore it would change its status
information that can trigger the memory manager to
write data. By the way, there’s a two flash memory
types: NOR as internal and NAND as external (like
sd-cards). NAND-memory can be examined with PC
forensic tool for FAT file system.
There are several techniques is pertaining to mobile
forensic:
•
•
•
•
Physical acquisition technique is a bit-by-bit copy
of an entire physical store. It has the advantage
of allowing deleted files and data remnants to be
examined. Physical extraction acquires information
from the device by direct access to the flash
memories. Generally this is harder to achieve
because the device vendors needs to secure against
arbitrary reading of memory so that a device may be
locked to a certain operator.
Logical acquisition technique is a bit-by-bit copy of
logical storage objects (e.g., directories and files)
that reside on a logical store (e.g., a file system
partition). Logical acquisition has the advantage
that system data structures are easier for a tool
to extract and organize. This usually does not
produce any deleted information, due to it normally
being removed from the file system of the phone.
However, in some cases the phone may keep
a database file of information which does not
overwrite the information but simply marks it as
deleted and available for later overwriting.
Manual acquisition technique as kind of utilizing
of the user interface to investigate the content
of the memory. Therefore the device is used as
normal and pictures are taken from the screen.
The disadvantage is that only data visible to the
operating system can be recovered and that all
data are only available in form of pictures.
External memory acquisition technique is acquisition
from devices are SIM cards, SD cards, MMC cards,
CF cards, and the Memory Stick. For external
memory and the USB flash drive is possible to make
the bit-level copy. Furthermore USB drives and
memory cards have a write-lock switch that can be
used to prevent data changes, while making a copy
(SD cards have it, but microSD don’t).
Network Forensics
Network forensics is relating to the monitoring and
analysis of computer network traffic for the purposes
of information gathering, legal evidence, or intrusion
detection. Unlike other areas of digital forensics,
network investigations deal with volatile and dynamic
information. Network forensics is often smoewhat proactive in case of traffic is transmitted and then lost.
22
This branch has two uses.
•
•
Security: analysis involves monitoring a network
for anomalous traffic and identifying intrusions. For
example, attacker might be able to erase all log
files on a compromised host.
Law Enforcement: analysis of captured network
traffic can include tasks such as reassembling
transferred files, searching for keywords and
parsing human communication such as emails or
chat sessions.
Network forensics is a comparatively new field of
forensic science. The growing popularity of the Internet
in homes means that computing has become socialcentric. There’s a several type of traffic-catchers.
•
•
•
•
Ethernet – by eavesdropping bit streams with tools
called sniffers. It collects all data on this layer and
allows the data that has been transmitted over the
network can be reconstructed.
TCP/IP – the network layer the Internet Protocol (IP)
is responsible for directing the packets generated
by TCP through the network (e.g., the Internet)
by adding source and destination information that
interpreted by routers all over the network. Cellular
digital packet networks, like GPRS, use similar
protocols like IP, so the IP forensic methods as well.
Internet can be a rich source of digital evidence
including web browsing, email, newsgroup,
synchronous chat and peer-to-peer traffic. For
example web server logs can be used to show
when (or if) a suspect accessed information
related to criminal activity. Email accounts can
often contain useful evidence; but email headers
are easily faked and, so, network forensics may
be used to prove the exact origin of incriminating
material. Network forensics can also be used in
order to find out who is using a particular computer
by extracting user account information from the
network traffic.
Wireless – the main goal of wireless forensics is
to provide the methodology and tools required to
collect and analyze (wireless) network traffic that
can be presented as valid digital evidence in a court
of law. The evidence collected can correspond to
plain data or, with the broad usage of Voice-over-IP
(VoIP) technologies, especially over wireless, can
include voice conversations.
Database Forensics
Database Forensics is relating to the forensic study of
databases, their related metadata, to the timestamps that
apply to the mobile device time of a row in a relational table
being inspected and tested for validity in order to verify
www.hakin9.org/en
5. To Get Round To The Heart Of Fortress
the actions of a database user. Alternatively, a forensic
examination may focus on identifying transactions within
a database system or application that indicate evidence
of wrong doing, such as fraud.
Mobile Forensic
Today a mobile device is powerful device that can
function as a cellular phone, web browser and a
personal organizer. These devices have reached such
a level of power, and functionality they are in essence a
mini-computer. A mobile device forensics is very similar
to the procedures and methodologies that are used with
any form of forensics. From time to time it may easy
than PC.
Did you know?
When you seize the mobile device we have to ensure
we take the mobile device, docking cradle and external
memory cards. This is probably one of the most difficult
things to control and requires that you conduct a thorough
search for any and all memory cards. With the size of
memory cards today there is all extensive amount of
evidence that you would be missing if you miss just one
memory card.
Step 3. Collection
During this step, you collect data and potential evidence
from the device parts are suspected. There is a
multitude of these types of devices, so we will limit our
discussion to just a few such nor-flash or nand-flash.
You have to collect all the types of information consist
of both volatile and dynamic information. The reason is
that anything that is classified, as volatile information
will not survive if the device is powered off or reset.
Therefore, the mobile device should be placed into an
evidence bag and maintained at stable power support
throughout.
Step 4. Documentation
Records as extracted data must be document with
the case number, the date and time it was collected.
Another part of the documentation process is to
generate a report that consists of the detailed
information that describes the entire forensic process
that you are performing. Within this report you need to
annotate the state and status of the device in question
Did you know?
Device Switched On
Investigative Methods
If the device is in the on state, you act immediately to get
power to the mobile device. Now it will not lose the volatile
information. Then you need to take the device to a secure
location like a Faraday Cage or turn off the radio before
beginning the examination
•
•
•
•
Device Switched Off
There are four main steps when it comes to performing
a forensic investigation of a mobile device. These four
steps are identified as follows:
Examination
Identification
Collection
Documentation.
If the device is in the off state, you need to take the device
to the shielded location before attempting to switch on
or place the device in room that can block the signal well
enough to prevent the data push.
Step 0. Permission
Device in its Cradle
As with any forensic examination, the main step is to
have permission to seize the evidence that is required
for your investigation.
If device is in cradle, you have to remove any connection
from the PC despite possibility that a sophisticated suspect
might have a tripwire device and once it disconnected it
could activate script to erase potential evidence.
Step 1. Examination
Password Protected
First, you need to understand the potential sources of
the evidence. With a mobile device, these sources can
be the device, the device cradle, power supply and any
other peripherals or media that the device examined
has met. In addition to these sources, you should also
investigate any device that has synchronized with the
mobile device you are examining.
Step 2. Identi�cation
Second, start the identifying the type of investigating
device. Once you have identified the device you have
to identify the operating system that the device is using.
Note, device, is possible, to be running two operating
systems.
www.hakin9.org/en
The thing has to be known when it comes to password
protection is the fact that the password itself is not stored
on the device. The only thing stored on the device is a
hash of the plain-text password. This storage is similar to
the storage used by the majority of operating systems out
there.
Wireless Connection
You must avoid any further communication activities, if
possible. Eliminate any wireless activity by placing the
device into an cage that can isolate the device.
External Memory Card
You must not initiate any contact before taking components
off. This includes any devices that supported external media
types of cards.
23
6. FORENSICS
during your collection process. The final step of the
collection process consists of accumulating all of
the information and storing it in a secure and safe
location.
Forensic Investigation of the BlackBerry
A BlackBerry is a handheld mobile device engineered
for email. All models now come with a built-in mobile
phone, making the BlackBerry an obvious choice
for users with the need to access their email from
somewhere besides the comfort of a desk chair.
The device is equipped with the RIM software
implementation of proprietary wireless-oriented
protocols. The BlackBerry device is always on and
participating in some form of wireless push technology.
Because of this, the BlackBerry does not require
some form of desktop synchronization like the other
mobile device does. BlackBerry OS has numerous
capabilities and features like over the air activation,
ability to synchronize contracts and appointments
with Microsoft Outlook, a password keeper program to
store sensitive information and the ability to customize
your BlackBerry display data.
The BlackBerry device has an integrated wireless
modem allows communicating over the air with RIM
Network. The BlackBerry uses the BlackBerry Serial
Protocol to backup, restore and synchronize the data
between the handheld and desktop. In addition, device
uses a strong encryption that safeguards confidentiality,
and authenticity of data to keep data encrypted while
it transit between the enterprise server and the device
itself.
set it as low as 3), you will be prompted one last time
to type the word BlackBerry. The device will then wipe.
It will be reset to the factory out-of-the-box condition,
and the password reset. You will lose everything in
the device memory, with no possibility of recovery. It
will not reformat the microSD card, because that’s not
part of the factory configuration. The phone will still be
usable, and the operating system will be unchanged. So
this technique cannot be used to roll back from an OS
upgrade problem.
Password Extraction from BlackBerry
At first you can attack BlackBerry via bruteforce
BlackBerry backup file. You can access encrypted
information stored in password-protection backups if the
original password is known or recovered with Elcomsoft
Phone Password Breaker (http://www.elcomsoft.com/
eppb.html). Elcomsoft Phone Password Breaker
grants forensic access to protected information stored
in BlackBerry devices by recovering the original plaintext password. The toolkit allows eligible customers
acquiring bit-to-bit images of devices’ file systems,
extracting phone secrets (passcodes, passwords, and
encryption keys) and decrypting the file system dump.
Access to most information is provided in real-time. In
addition to Elcomsoft Phone Password Breaker, the
toolkit includes the ability to decrypt images of devices’
file systems, as well as a free tool that can extract the
encrypted file system out of the device in raw form. To
unlock Apple backups even faster, the tool engages
the company’s patent-pending GPU acceleration
technology.
Warning for BlackBerry Push-Technology
Since the BlackBerry is all always on, push messaging,
device information can be pushed to it at any time. Note
that pushed information has the ability to overwrite any
data that possibly was previously deleted. The first step
in preserving the information is to eliminate the ability
of the device to receive this data push. If possible, turn
the radio off, or a better solution is to take the device
to an in area where the signal cannot be received.
The BlackBerry device is not really off unless power
is removed for an extended period. If the blackberry is
powered back off then any items that were in the queue
waiting to be pushed to the device could possibly be
pushed before you could stop them.
Warning for BlackBerry Password Protection
BlackBerry devices come with password protection.
The owner has the capability to protect all data on
the phone with a password. He may also specify the
amount of attempts for entering the password before
wiping all data from the device. If you exceed your
password attempts limit (defaults to 10, but you can
24
Figure 1. Elcomsoft Phone Password Breaker
www.hakin9.org/en
7. To Get Round To The Heart Of Fortress
•
•
•
•
Three key features are:
Decrypt encrypted BlackBerry backups
Recover original plain-text passwords
GPU acceleration
However, you will not have a BlackBerry Backup File.
The attack or theft has already occurred, therefore, you
have to be more analytic, more predictive. According
to previous warnings for the BlackBerry. In this case,
you have to install spyware to extract password from
device.
All smartphones give their owners a free choice to
lock handheld by password or grant unsecured access.
The major concept in using the most complex password
is main idea. You’re have to lock your devices! You are
have to use more complex combination! It’s have to be
randomness! Nevertheless, think for moment. Can you
quickly say how many symbols are entered up? No is
correct answer.
So, just imagine malware product loaded into
device memory and waits when you are going to
unlock handheld by typing your topsecret password.
After inputting is half-closed, malware types just the
one random letter to make senseless your unlocking
action. In addition, BlackBerry says Wrong password!
Try once again. Next attempt. Once you have reached
a half-attemps and have typed word blackberry your
password is open and is able to steal with screenshot.
Let us examine a virtual keyboard. When you touch
screen to type a character a big-scaled review appears.
When you do the same while typing password into
masked text-box you can see that every character is
going to be masked by asterisk or black circle in ~1-2
second after. Password preview is only used when the
Figure 2. Sync-extracted password
www.hakin9.org/en
Figure 3. Virtual Keyboard “bug”
keyboard is a sure type or multitap keyboard. The bold
keyboard is a full keyboard so it will not duplicate that
behavior.
There are two possible way of stealing password –
during device unlocking or when you synchronize your
device with PC. During it you are asked about sync way
whether sync media or use usb drive or only charge
device. Sure, we cannot guess what you choose, but
we do not. Do you draw attention on discrepancy or
take it as a kind of program error (bug)? In any case,
you are caught on fake-logining. After password typing
you will be notified about wrong password (two times to
get your right pass and one more to inform about e.g.
null-pointer error, hung process. Then you have seen
originally logon screen.
Figure 4. PC-sync extracted password – part I
25
8. FORENSICS
Every device is going to synchronize with PC
sometimes. The major target is password field of
textbox’s software. Unfortunately, we cannot get a
screen-capture, but we still able to use a WINAPI
functional to unmask password-box, steal password’s
character, and then mask password-box again. Repeat
it several times and you will get a password. More detail
you can find in my previous articles.
First, let’s examine hotkeys.
QWERTY / SureType keyboard
•
•
Classic BlackBerry forensic
A typical forensic investigator performs the investigation
by hand-reading mail and data files, checking for
system activities through different log files, and verifying
the consistency of the data through the time stamps
associated with files on the file system. Protections
such as firewalls often force the investigator to perform
these tasks on-site.
The difficulties of performing a local analysis can
limit the investigation. First, forensic software must
be running on the local machine, and may have to be
installed. Second, running such software locally risks
damaging or contaminating data. Third, if the machine
has been compromised, the investigation may produce
suspect results – or worse, may alert the attacker.
Gathering Logs and dumps
The main classic forensic procedure of evidence
collection violates the forensic method by requiring the
investigator to record logs kept and dump. Investigator
can view some log on the device pressing hotkeys or
throughout several applications from BlackBerry SDK
Tools. Don’t forget that the counter is always running,
even when the radio is turned off, so to be sure to
record these values as soon as possible to avoid log
overwrites.
From the Home screen hold the Alt key and then
type lglg.
Display the debug information by completing the
following steps:
• Press the Menu key and click Options.
• Click the Min log level drop-down list and select
Debug Info.
• Press the Menu key and then click Save.
BlackBerry Storm 9500 in portrait view
•
•
•
•
•
•
From the Home screen go to Options, then to
Screen/Keyboard.
In the Screen/Keyboard options menu, set the
Portrait View Keyboard option to SureType and
then Save the settings.
From the Home screen of the BlackBerry
smartphone, press the convenience key to display
the keyboard in portrait view.
Hold the number key to lock the number keyboard.
The 123 icon appears at the top right of the screen,
and a small lock appears on the number key.
Press the ,5,5 keys.
Display the debug information by completing the
following steps:
• Press the Menu key and click Options.
• Click the Min log level drop-down list and select
Debug Info.
• Press the Menu key and then click Save.
BlackBerry Storm 9550 in portrait view
•
•
•
From the Home screen of the BlackBerry
smartphone, press the convenience key to display
the keyboard in portrait view.
Press the ,5,5 keys.
Display the debug information by completing the
following steps:
• Press the Menu key and click Options.
• Click the Min log level drop-down list and select
Debug Info.
• Press the Menu key and then click Save.
BlackBerry Storm 9500 in landscape view
•
•
Figure 5. PC-sync extracted password – part II
26
•
From the Home screen press the Menu key and
click Show Keyboard.
Hold the number key to lock the number keyboard.
The 123 icon appears at the top right of the screen,
and a small lock appears on the number key.
Press the „/”/ keys.
www.hakin9.org/en
9. To Get Round To The Heart Of Fortress
•
Display the debug information by completing the
following steps:
• Press the Menu key and click Options.
• Click the Min log level drop-down list and select
Debug Info.
• Press the Menu key and then click Save.
Another way to collect the log information is using
loader.exe from BB SDK tools. It extracts a full copy of
BlackBerry event log to text file stored on your drive.
Let’s see some useful command of javaloader.
Java Loader Usage
Usage: JavaLoader [-p<pin>] [-d0|-d1]
[-q] <command> (Table 1).
To extract event log from device
•
•
Plug it to PC via USB cable
Open command shell and type
[-w<password>]
Table 2. Loader usage
command
is one of:
eventlog
output �lename
screenshot
output �lename
deviceinfo
output �lename
dir
output �lename
radio
on|off
dump
output �lename
Loader Usage
Usage: loader.exe /<command> (Table 2).
Dump extracting is the same the log previous.
Command syntax example is below.
Loader.exe /eventlog „D:BBSAKeventlog-loader.txt”
Loader.exe /screenshot active „D:BBSAKactive-loader.bmp”
Loader.exe /screenshot primary „D:BBSAKprimary-loader.bmp”
javaloader.exe
-
wPASSW eventlog log.txt
Command dump gives us all .cod modules stored on
device in root subfolder dump.
To get dump of BlackBerry device let’s use a Loader
from BlackBerry Device Mangaer. It locates on c:
Program FilesCommon FilesResearch In Motion
AppLoader if your OS is 32bit or on c:Program Files
(x86)Common FilesResearch In MotionAppLoader if
your OS is 64bit. Some useful command is below.
Loader.exe /screenshot auxiliary „D:BBSAKauxiliary-loader.bmp”
Loader.exe /dir „D:BBSAKdir-loader.txt”
Loader.exe /deviceinfo „D:BBSAKdeviceinfo-loader.txt”
Loader.exe /dump „D:BBSAKdump-loader.txt”
However, before you will be asking to enter a device’s
password. Note, dump beginning is required a
device reboot. It can erase log to overwriting some
information. Do not forget about encryption feature of
BlackBerry Storage Protection based on Password
& ECC. If it is on the dump result is empty obvious.
Table 1. Java loader usage
-p<pin>
Speci�es the handheld PIN (hex pin pre�x '0x')
-w<password>
Connects using the speci�ed password
<command>
is one of
dir [-d] [-s] [-1]
Lists modules on the handheld
-d
Display dependency information
-s
Display siblings
-1
Single column output
deviceinfo
Provides information on the handheld
save {<module> ... | -g
<group>}
Retrieves modules from the handheld
-g
Retrieves all modules in a speci�ed group
info [-d] [-s] [-v] <.cod file>
Provides information on the speci�ed modules
-d
Display dependency information
-s
Display sibling information
-v
Display verbose module information
eventlog
Retrives the handheld event log
radio on|off
Turns the handheld's radio on or off
siblinginfo <.cod file>
Provides sibling information on the speci�ed modules
screenshot <.bmp file>
Retreives the contents of the speci�ed screen and saves as a BMP �le.
logstacktraces
Dumps the stack traces for all threads to the event log
www.hakin9.org/en
27
10. FORENSICS
Device Information
Hardware Id:
PIN:
OS Version:
VM Version:
Radio ID:
Vendor ID:
Table 6. DB data block format
Database ID
Record unique ID
time:
Sat
type:2 app:
Jul
time:
Sat Jul 30
type:2 app:
Table 3. Directory information
Name
Version
Size
Created
8 net_rim_m2g
6.0.0.570
293384
0 Sun May 01
03:16:11 2011
6.0.0.570
44460
0 Sun May 01
03:15:59 2011
Depends on:
net_rim_cldc
net_rim_xml_org
11 net_rim_xml_org
Depends on:
net_rim_cldc
Table 4. General BB Backup format
Inter@ctive Pager
Backup/Restore File
Line feed
1 byte
value 0A
Version
1 byte
value 02
Number of databases in �le 2 bytes
Database name separator
1 byte
value 00
Database name block#1
Database name block#2
Database name block#n
4 bytes
Field length #1
2 bytes
Field type #1
1 byte
Field data #1
As long as the �eld length
Field length #n
2 bytes
Field type #n
1 byte
Field data #n
As long as the �eld length
Despite Name, Version, Size, Created and Depends
on fields there is a following possible description fields.
Let us example on Facebook application. Event Log for
Google Talk Messenger and Windows Live Messager
store an option Save password & Sign.
BlackBerry Backup Format
The structure of the IPD file shown above is as follows:
Table 4. Each database name block is of the form (Table 5).
Each database data block is of the form (Table 6).
For a more advanced and in depth look at the file
format you may visit blackberry site.
Data Extracting through the BlackBerry Backup
First, you need to download and install BlackBerry
Desktop Manager. Use the following link (https://
www.BlackBerry.com/Downloads/entry.do?code=A8
BAA56554F96369AB93E4F3BB068C22) to select
and download the install file that fits your system
or version. Once BB Desktop Manager installed,
connect the device to PC. Then Click Back up button
for a full backup of the device or use the advanced
section for specific data. In the options, you can find
a destination folder where your .ipd file will save.
Note, that ipd-file can be encrypted with password
not less than 4 characters. BlackBerry backups
contain essential information stored in the device.
User data such as email, SMS and MMS messages,
Did you know?
Database data block#1
Database data block#2
Database data block#n
Table 5. DB name block format
Database name length
2 bytes. The length includes the terminating null
Database name
28
1 byte
DatabaseRecordHandle 2 bytes
Friendly name: Facebook
Description: Facebook?® for BlackBerry?® smartphones
makes it even easier to connect and share while you’re on
the go...
Version: 2.0.0.37
Vendor: Research In Motion Limited
Copyright: (null)
Guid:
0x6659A3FDB89204F9
30 21:57:05 2011 severity:0
GoogleTalk
data:
Auto
Guid:
0x80C11EC7B1720C9F
21:57:05 2011
severity:0
WLM
data:
Auto
4 bytes
Database version
FaceBook Additional Info
Event Log
2 bytes. Zero-based position in
the list of database name blocks
Record length
0x5001807
0x23436780
0x0
0x600023a
0x0
609
As long as the name length
Backup �le does not save your email attachments. More,
email forensic on BlackBerry is empty in case that emailmessage is TOO large. You �nd out only message about
truncation. „TOO LARGE” is equal to 8Mb data or ~ 5Mb
of data that encoded into Base64 per one data�le. If
attachments �les are more than one size takes ~3Mb per
�le. The new announced version of BES and BIS can support
EXTRA large size of �les that counts ~8Mb instead of ~5Mb
per �le. Everything else is the same.
www.hakin9.org/en
11. To Get Round To The Heart Of Fortress
Web browsing history and cache, call logs, pictures
and photos, contacts, calendars, appointments, and
other organizer information are stored in BlackBerry
backups. Access to information stored in BlackBerry
backups can be essential for investigations, and is in
high demand by forensic customers.
The IPD file can be read using several commercial
utilities, including
•
•
•
•
•
MagicBerry IPD Reader (http://menastep.com)
Amber BlackBerry Converter (http://www.proces
stext.com/abcBlackBerry.html)
Elcomsoft BlackBerry Backup Explorer (http://
www.elcomsoft.com/ebbe.html)
Paraben Device Seizure (http://www.paraben.com/
device-seizure.html)
UFED (http://www.cellebrite.com/forensic-products/
forensic-products/ufed-physical-pro.html)
Figure 7. Amber BlackBerry Converter
Elcomsoft Blackberry Backup Explorer allows
forensic specialists investigating the content of
BlackBerry devices by extracting, analyzing, printing
or exporting the content of a BlackBerry backup
produced with BlackBerry Desktop Software.
Elcomsoft Blackberry Backup Explorer supports
BlackBerry backups made with PC and Mac versions
of BlackBerry Desktop Software. You can export
information from BlackBerry backups into a variety
of readable formats (PDF, HTML, DOC, RTF,..). Also
Blackberry Backup Explorer can access encrypted
information stored in password-protection backups
if the original password is known or recovered with
Elcomsoft Phone Password Breaker. Elcomsoft
Phone Password Breaker grants forensic access to
protected information stored in BlackBerry devices by
recovering the original plain-text password. Elcomsoft
Blackberry Backup Explorer is totally the same with
Amber BlackBerry Converter.
As an alternative to acquiring the BlackBerry through
BlackBerry IPD Reader, Paraben’s Device Seizure
is a simple and effective method to acquire the data.
Device Seizure was designed from the ground up as a
forensic grade tool that has been upheld in countless
court cases.
Figure 6. BlackBerry Backup Manager
Figure 8. Elcomsoft Blackberry Backup Explorer
UFED is one of the physical analyzer software toolthat
can be used for intelligence gathering, investigative
research. It extracts phone content, hex dump, files,
and extensive information from GPS devices that can
be mapped on Google Maps. In addition, it extracts
existing, hidden, and deleted phone data, including call
history, text messages, contacts, images, phonebook
entries and videos.
So, what you’ll be able to do with Magic Berry IPD
Parser:
•
•
•
•
•
Read ipd files
Split ipd files
Export MS Messages, Phone Calls Log, Memos,
Tasks, Calendar, and Address Book to CSV
Edit Service Books
Merge two ipd files
www.hakin9.org/en
29
12. FORENSICS
•
•
•
•
•
•
•
•
•
•
•
•
SMS History (Text Messages)
Deleted SMS (Text Messages)
Phonebook (both stored in the memory of the
phone and on the SIM card)
Call History
• Received Calls
• Dialed Numbers
• Missed calls
• Call Dates & Durations
Scheduler
Calendar
To-Do List
Filesystem (physical memory dumps)
• System Files
• Multimedia Files (Images, Videos, etc.)
• Java Files
• Deleted Data
GPS Waypoints, Tracks, Routes, etc.
RAM/ROM
PDA Databases
E-mail
Figure 10. BB Manager is linked with BB Simulator
•
•
•
There’s a briefly general draft to examine data with
Paraben Device Seizure.
•
•
•
•
•
Create a new case in Device Seizure with File |
New.
Give the case a name and fill in any desired
information about the case on the next two
screens. The third screen is a summary of the
data entered. If all data is correct click Next and
then Finish.
Figure 9. USB Connection
30
You are now ready to acquire the phone. Go to
Tools | Data Acquisition.
You are prompted for the supported manufacturer.
Select RIM Blackbery.
Leave supported models at the default selection of
autodetect.
Connection type should be set to USB.
For data type selection select Logical Image
(Databases).
Confirm your selections on the summary page and
click Next to start the acquisition.
BlackBerry Simulation
BlackBerry Simulator built for simulating a backup copy
of the physical device. This is helpful if the device is low
on battery, needs to be turned off, or you do not want
Figure 11. BB Simulator after sync
www.hakin9.org/en
13. To Get Round To The Heart Of Fortress
to alter the data on the physical device. Following steps
are suitable for each BlackBerry device model.
•
•
•
•
•
Select a simulator from the drop-down list on the
BlackBerry
website
(http://us.blackberry.com/
developers/resources/simulators.jsp) and download
it. Then install it
Select and download BlackBerry Device Manager.
Then install it.
Run BlackBerry Device Manager and BlackBerry
Simulator
Select Simulate | USB Cable Connected.
Select File | Restore to simulate with physical data
evidence on BlackBerry Simulator.
Also, you mount a SD-card copy to the BlackBerry
Simulator. Now you may turn off blackberry wireless
communication holding power on and then examine
evidence with up state device-simulator.
Live (Spy) BlackBerry forensic
When a digital device is discovered on the crime
scene, the investigator first looks whether the device
is switched on or not. In the dead analysis method, if
the discovered digital device is switched on it will be
switched off. Then the digital device will be packaged
and labelled in a correct way and transported to the
forensic lab for further analysis. At the lab, the forensic
examiner acquires the potential evidence on the device
by making a forensic copy of the data stored on the
digital device under investigation. The tools used to
make the forensic copy guarantee that no modifications
are made to data stored on the digital device under
investigation during the process of forensic acquisition.
After this analysis to find incriminating or discriminating
evidence is performed on the forensic copy.That’s
known as Dead Analysis or Classic Forensic. Traditional
Figure 12. SD mounting
www.hakin9.org/en
forensics focuses on learning as much about a dead
file system as possible. While a full analysis can be
time consuming, doing one can reveal allot about an
incident. Often times one of the most revealing thing
that can be done is a MAC time analysis to reconstruct
the events of an attack by the files accessed. While a
skilled attacker can certainly manipulate this, few go to
this depth. In general, this type of analysis is limited
to criminal cases or for cases where the attacker’s
means of compromise was unknown and the goal is to
determine how they got in.
In some situations, it is not desirable to shut down,
seize the digital device, and perform the forensic
analysis at the lab. For example, if there is an indication
that an encryption mechanism is used on the digital
device that was discovered, then the investigator
should not shutdown this digital device. Otherwise,
after shutdown all the information (potential evidence)
that was encrypted will be unintelligible. By performing
Live Analysis, the investigators attempt to extract the
encryption key from the running system. That’s known
as Live Analysis or Non-Classic Forensic. The goal
of any live forensics task should be to extract and
preserve the volatile data on a system while, to the
extent possible, otherwise preserving the state of the
system. Additionally, this is often the first step of an
incident response scenario where a handler is simply
trying to determine if an event has occurred. The benefit
of using this approach is you have a forensically sound
data collection from which to proceed with a full forensic
analysis if the initial analysis indicates one is required.
Live ToolKit
First toolkit is made by Gamma Group and called
Remote Monitoring & Infection Solutions (FinFisher
– FinFly & FinSpy). The Remote Monitoring and
Infection Solutions are used to access target
systems. They give full access to stored information,
the ability to take control of the target systems’
functions, and even capturing encrypted data and
communications. In combination with advanced
remote infection methods, you have the capability
to remotely infect and monitor all activity on target
systems. It can extract SMS & MMS messages, email
messages, BlackBerry Messages (PIN-to-PIN), call
history, gps location and cell location, address book,
calendar events and url history. By the way, it has
several attacking features such as attack via usb or
bluetooth, attack via sms trojan activating or through
a browser downloading.
Second toolkit is not less interesting rather than
previous is made by Italian professionals and called
Remote Control System (RCS, http://hackingteam.it/
index.php/remote-control-system). Briefly, it evades
encryption by means of an agent directly installed
31
14. FORENSICS
on the device to monitor. Evidence collection on
monitored devices is stealth and transmission of
collected data from the device to the RCS server is
encrypted and untraceable. Those toolkit collect all
possible information such as phone history, organizer
& address book, sms/mms/email, location tracking,
screenshot & camera snapshots, SIM info, remory
audio spy. Both of them divide into two part: client and
GUI-monitoring.
Potential Data as Evidence
Potential attack vector can be various, however, the
most popular of them are
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Friends birthday (as default it’s marked by 00:00 hour)
is set 00:00,
Daily alarm is set 06:01,
WLB Europe 2011, Arena Moscow – 21:00 til 22:30 (9
til 10.30 p.m.). It was a Tarja’s Turunen Concert
Monday, May, 16th
My free time is set 00:00-06:01. Indeed it’s time when
my device is sleeping (auto on/off features) and me
too... from time to time.
And daily alarm is set 06:01
Address Book
Calendar Events
Call History
Browser history and bookmarks
Memos and Tasks
Screen-shots
Camera-shots
Videocamera-shots
Clipboard
Location tracking (cell, wifi, gps, bluetooth)
SMS/MMS/Emails
Pictures, Videos, Voice notes, and other file
IMs
Passwords
Let us examine some of them to find out the common
sense. What is in an up-to-date BlackBerry Address
Book? A lot of contact’s data, such as several mobile
or home phone number, faxes, emails, BB PINs,
work and home addresses, web-pages or dates.
Also we can add a IM data (Gtalk, Y!, Windows Live,
AIM, and not trustable up-to-date ICQ). That was all
until social networking arrived. One more question:
Does your BlackBerry device have an auto on-off
feature? OK, let us summarize it. In our Address
Book, we have much valuable information about
friends; social network gives an up-to-date avatar,
calendar (in spite of our calendar that filled our
sleeping time at least), GPS location points, and SW
names that provide several pieces of information.
Due to victim’s calendar info and GPS info (from
photo exif or FaceBook likes), private data such as
tracking info, habits, time marked a free, time when
you’re possible sleeping, time when you’re at home/
company can come to light. For example, in Figure 2,
my contact information appears. Though my personal
data is obfuscated, a few of my email addresses,
phone numbers, home address (this info – City and
County – was gotten from Facebook, by the way), my
birthday, BlackBerry PIN, web sites come up. Now
let us check my calendar events.
32
Friday, April, 29th
Figure 13. Up-to-date contact card
www.hakin9.org/en
15. To Get Round To The Heart Of Fortress
Figure 14. Up-to-date calendar events
In additional, if you involve call history with gps records
as two part of evidence you provide yourself with many
opportunities to draw a social graph of accomplices.
Extracting all possible fields from the object called
PIM is goal for gathering more information about the
attacked individual from their profile overall.
Mentioned on the net password tips are revoked
by the tendency inmatter to complexify. Moreover,
guess why. Do you have enough time to type a
random string (20-40 character in length)? How many
web sites do you log in? There are more than I can
count. Facebook, Myspace, Linkedin, Twitter and any
number of other social networking sites? Probably a
dozen. Shopping sites? Yes, a several. Emails, IMs,
etc. Every site requires you to create a password,
strong password. Is it possible to memorize? Some
kind people solve it with digit wallet. Great! All you
need keep in mind only one super complex password.
Other stored passwords are encrypted by default. For
example, BlackBerry Wallet or Kaspersky Password
Manager. Both are describe, as is indispensable tool
for the active internet and shopping user. In addition,
it fully automates the process of entering passwords
and other data into websites and saves the user going
to the trouble of creating and remembering multiple
passwords. It is still unsecured. Do not neglect a
spyware that able to capture screens of your device.
Ok, forget about that kind of malware. Let us about
www.hakin9.org/en
more useful usage way of BlackBerry Wallet. You
need to see it to type or need to copy into clipboard.
Moreover, no one software producer can protect it,
because need to put data into public text-box. In other
words, end-point object is vulnerable. By the way,
there’s a getClipboard() method to retrieve the system’s
clipboard object in the BlackBerry API. Your data and
password are open for it. Other methods of password
steal have already discussed in the beginning of
article.
Next victim is message (sms, mms, email, further
email). Email is one of the most common ways
people communicate. From internal meeting requests,
distribution of documents and general conversation
one would be pressed to find an organization of any
size that does not rely on email. Studies have shown
that more email is generated every day than phone
conversations and paper documents combined. Many
users store their personal colanders, contacts and
even synchronize their email clients with their mobile
devices.
Less interesting part of evidence concludes browser
history, browser bookmarks, memos, tasks, etc. Such
kind of forensic has sense in case of violating company
policy by visiting certain sites or time aspect (when the
computer was connected to a site at the time when
something happened) and reconstruct a detailed history
of a computer’s use by examining a handful of files that
Figure 15. Screen-shot of BlackBerry Wallet
33
16. FORENSICS
Figure 16. Potential Messages
Figure 17. Potential WebBrowser Bookmarks
34
contain a web browser’s past operation. One more part
of it is Favorites folder that contains the URLs of web
sites saved by the user, probably because they are of
interest to the user and are frequently visited explicit
storing of these links indicates intent.
Pictures, Videos, Voice notes, and other files. Let’s
start from its last object other files. What a digital
document can tell you about the person who wrote it is
often more important than what it says, if you read it. It
may contain evidence equivalent to a smoking gun for
your case, but do you know who created the document
and when it was written? Obtaining a digital document
and hoping to enter it into the record at court is not
enough. You must link the evidence to the document
creator and that’s where document forensics is critical
in trial preparation. Although the electronic document
cannot speak, what it can tell about who, what, when,
where, why, and how is often much more credible than
any testimony by a witness. Voice notes, videos and
pictures show us in general what interesting in particular
our victim. It may be secret/internal presentation that he
videocaptured or audiocaptured. This case is useful for
us, because we don’t need to intercept API events; all
we need is listen file events of creating and deleting
files.
Pictures are more inquisitive as camera-snaphots
since it has exif-header. Metadata is, quite simply, data
Figure 18. Potential BBM chat
www.hakin9.org/en
17. To Get Round To The Heart Of Fortress
BlackBerry EXIF-Picture information
FileName
Camera
Picture
GPS
Misc
Moskva-20110801-00007.jpg
Camera Make
Camera Model
X-Resolution
Y-Resolution
Resolution
Software
DateTime
YCbCr
Research In Motion
BlackBerry 9800
72/1
72/1
inches
Rim Exif Version1.00a
01.08.2011 0:38:43
Near
Exposure time
DateTime
Focus Dist
Light source
Flash used
Brightness-color space
Width
Height
0s
01.08.2011 0:38:43
N/A
N/A
No
sRGB
2592
1944
GPS base-latitude northern latitude
GPS latitude
55, 52’ 6.18”
GPS base-longitude
east longitude
GPS longitude
37, 36’ 55.8”
GPS orthometric height
0m
EXIF version
GPS version
2.2
(32,32,30,30)
about data. For example, a Microsoft Word document’s
metadata may contain the author’s name and the
dates the document was created/modified. Metadata
may contain useful information for an investigator.
Specifically, digital camera pictures may contain an
Extended File Information (EXIF) header, which saves
information about the camera that took the picture.
IM chat csv �le format
The EXIF format was created by the Japan Electronic
Industry Development Association and is referenced
as the preferred image format for digital cameras in
ISO 12234-1. Many digital camera manufacturers,
such as Canon, Sony and Kodak implement the use of
EXIF headers. This header is stored in an application
segment of a JPEG file, or as privately defined tags in
a TIFF file. This means that the resulting JPEG or TIFF
is still in a standard format readable by applications
that are ignorant of EXIF information [3]. Below is a
typical EXIF header (in human readable format): File
name/size/date, Camera make/model, Date/Time,
Resolution, etc.
Although it is possible to retrieve EXIF headers by
looking at each picture in a disk editor, a considerable
amount of time is required to translate the hex codes
into human readable format. You use Adobe Photoshop,
ACDSee or 88K in size jhead. Let us see by ACDSee
Software.
Last of them is IM chat. Instant messaging is a wellestablished means of fast and effective communication.
Once used primarily by home users for personal
communications, IM solutions are now being deployed
by organizations to provide convenient internal
communication. This often includes the exchange and
discussion of proprietary and sensitive information,
thus introducing privacy concerns. Although IM is used
in many legitimate activities for conversations and
message exchange, it can also be misused by various
means. For example, an attacker may masquerade as
another user by hijacking the connection, performing
a man-in-the-middle attack, or by obtaining physical
access to a user’s computer. Analysis of IM in terms
of computer forensics and intrusion detection has
gone largely unexplored until now. All humans have
Date/Time
YYYYMMDDHHMMSSMS
PIN Sender
HEX VALUE
PIN Receiver
HEX VALUE
Data
STRING
Date/Time
YYYYMMDDHHMMSSMS
ID Sender
STRING
ID Receiver
STRING
Data
STRING
File Paths should be monitored.
/Device/Home/User/
/MediaCard/BlackBerry/
../IM/AIM/USERNAME/history/
../IM/BlackBerryMessenger/PIN/history/
../IM/GoogleTalk/USERNAME/history/
../IM/Yahoo/USERNAME/history/
../IM/WindowsLive/USERNAME/history/
../pictures
../camera
../videos
../voice notes
www.hakin9.org/en
if information stored on internal memory
if information stored on external memory
AIMs history in csv format
BBMs history in csv format
GTalks history in csv format
YMessengers history in csv format
WLives history in csv format
Manully added pic or screenshoted data
Photo captured data
Video captured data
Voice captured data
35
18. FORENSICS
unique patterns of behavior, much like the uniqueness
of biometric data. Therefore, certain characteristics
pertaining to language, composition, and writing, such
as particular syntactic and structural layout traits,
patterns of vocabulary usage, unusual language
usage, and stylistic traits, should remain relatively
constant. The identification and learning of these
characteristics with a sufficiently high accuracy is the
principal challenge in author identification.
IM forensic were to answer the following questions:
some kind of its below. Some of them are near with
other mobile devices.
•
Investigative Methods of BlackBerry Device
Forensics
identify an author of an IM conversation based
strictly on author behavior
classify behavior characteristics
•
Author behavior categorization uses a set of
characteristics that remain relatively constant for a
large number of IM messages written by an author.
These characteristics, known as stylometric features,
include syntactic and structural layout traits, patterns
of vocabulary usage, unusual language usage, and
stylistic features. Each author has various stylometric
features that are sufficient to uniquely identify him
or her. Stylometric features are often word-based,
including word and character frequency distributions,
word length, and sentence length. Literary analysts
and computational linguists often use frequency
lists. Various syntactic features are also included,
such as the use of function words (short all-purpose
words such as the and to), punctuation, greetings and
farewells, and emoticons. Users also use abbreviations
for common phrases such as LOL (laughing out loud)
and ROTFL (rolling on the floor laughing), as well as
shortened spellings of words such as ru (are you) and
4 (for). So, in this case IM analyzing give opportunity
to find out person that can anonymously identified for
forensic.
BlackBerry Forensic Tips
Summarize all information above you should have
several plan of action about BlackBerry forensic. I give
BlackBerry Device Forensics
•
•
•
•
•
BlackBerry Device forensics is very similar to
forensics of any system
Mobile investigating process is the same a PC
The BlackBerry device is a push technology device
that does not require synchronization with a PC
Prior investigating the BlackBerry Device we have
to secure and acquire the evidence.
There are four steps to investigating a BlackBerry
Device:
• Examination
• Identification
• Collection
• Documentation
BlackBerry Device Investigative Tips
•
•
•
•
If the device is in the on state you have to preserve
the state by supplying adequate power.
If the device is in the off state, leave it in that state,
switch on the device, not battery and photograph
the device.
If device is in the cradle avoid any communication
activities.
If wireless is on eliminate any activity by placing the
device in an envelope, anti-static and isolation bag.
Conclusion
The RIM device shares the same evidentiary value as
any other Personal Digital Assistant (mobile device).
As the investigator may suspect of most file systems,
a delete is by no means a total removal of data on
the device. However, the RIM’s always-on, wireless
On the ‘Net
•
•
•
•
•
•
•
•
•
•
36
http://na.BlackBerry.com/eng/devjournals/resources/journals/jan_2006/ipd_�le_format.jsp – BlackBerry IPD File Format (.ipd)
http://www.ca.com/us/home/lpg/forms/na/sre/12625_15012.aspx – Defending Against Insider Threats To Reduce Your IT Risk
http://www.elcomsoft.com/eppb.html – Elcomsoft Phone Password Breaker
http://menastep.com – MagicBerry IPD Reader
http://www.processtext.com/abcBlackBerry.html – Amber BlackBerry Converter
http://www.elcomsoft.com/ebbe.html – Elcomsoft BlackBerry Backup Explorer
http://www.paraben.com/device-seizure.html – Paraben Mobile Device Seizure
https://www.BlackBerry.com/Downloads/entry.do?code=A8BAA56554F96369AB93E4F3BB068C22 – BlackBerry Desktop Manager
http://us.blackberry.com/developers/resources/simulators.jsp – BlackBerry Simulator
http://www.cellebrite.com/forensic-products/forensic-products/ufed-physical-pro.html – Cellebrite for Mobile Forensics
Universal Forensic Extraction Device
www.hakin9.org/en
19. To Get Round To The Heart Of Fortress
push technology adds a unique dimension to forensic
examination. In fact, a RIM device does not need a
cradle or desktop connection to be useful. The more
time a mobile device spends with its owner, the greater
the chance is that it will more accurately reflect and
tell a story about that person. The BlackBerry is an
always-on, push messaging device. Information can
be pushed to the device through its radio antenna at
any time, potentially overwriting previously „deleted”
data. Without warning, applications such as the email
client, instant messaging, wireless calendar, and
any number of third party applications may receive
information that makes the forensic investigator’s
attempts to obtain an unaltered file system much more
difficult. In order to preserve the unit, turn the radio off.
Make note that completely powering off the RIM will
wipe data from the SRAM. Logs stored there, which
may be of interest, will not survive a full power-down.
If the RIM is password protected, get the password.
The password itself is not stored on the unit; rather an
SHA-1 hash of the password is stored and compared
to a hash of what entered. The examiner only has the
opportunity to guess 10 times before a file system
wipe occurs to protect the data. This wipe will destroy
all non-OS files. No software exists to circumvent the
password protection. A direct-to-hardware solution
will be required if the password is not available. Thus,
the RIM’s currently unsurpassed portability is the
examiner’s greatest ally.
YURY CHEMERKIN
Graduated at Russian State University for the Humanities
(http://rggu.com/) in 2010. At present postgraduate at RSUH.
Information Security Analyst since 2009 and currently works
as mobile info security researcher in Moscow.
I have scienti�c and applied interests in the sphere of
forensics, cyber security, AR, perceptive reality, semantic
networks, mobile security and cloud computing. I’m
researching BlackBerry Infrastructure and the effects of the
trust bot-net & forensic techniques on the human privacy.
E-mail: yury.chemerkin@gmail.com (yury.chemerkin@faceb
ook.com)
Facebook: www.facebook.com/yury.chemerkin
LinkedIn: http://ru.linkedin.com/pub/yury-chemerkin/2a/434/
549
www.hakin9.org/en