10-04-2006, 08:59 AM
#1
New Member
Join Date: Aug 2006
Model: 8700C
Carrier: Cingular
Posts: 8
Blackberry forensic research
Hi guys,
I'm taking a graduate-level class in computer forensics, and for my term paper I have decided to use BlackBerry forensics as my topic. I'm really just starting initial research, but I've noticed it doesn't seem like there is a whole lot of information out there. I've found one paper written on the subject, "Forensic Examination of a RIM (Blackberry) Wireless Device", but the paper is from '02, and I've found one software package from Paraben. I've also found several message boards devoted to this topic, but most are completely empty or very close to empty.
Does anyone have any more information or resources on this topic? Specifically I'm looking at trying to find out what you can gather from a recovered BlackBerry (not knowing the password or any other information), or backup/log files found on a user's hard drive, etc. I'm not locked into these specific topics, so if anyone has other ideas that might yield better research I'm open to them as well.
Thanks for any info you guys can provide.
Andy
10-04-2006, 09:42 AM
#2
Retired BlackBerryForums.com Moderator
Join Date: Oct 2005
Location: Columbus, OH
Model: 9700
OS: SID 6.7
Carrier: AT&T
Posts: 4,455
I think you will have difficulty finding information on BlackBerry forensic tools. In the past year I have only heard one person mention their existence. RIM claims that nothing can be recovered from the device itself if it was wiped, but I know there is a tool for getting info from the .ipd backup file. Once again, I have never seen this tool, only heard that it existed.
10-04-2006, 12:24 PM
#3
New Member
Join Date: Aug 2006
Model: 8700C
Carrier: Cingular
Posts: 8
Thanks for the info. I'm not really too concerned with recovering data from a wiped device. Really, I'm more interested in what can be done with one that is recovered intact or as you said with backup files that are found.
10-04-2006, 03:34 PM
#4
BlackBerry Extraordinaire
Join Date: Jun 2006
Location: Southern California, USA
Model: 8100
Carrier: T-mobile
Posts: 1,238
Are you talking about if the Blackberry is password protected? How do you bypass it and get inside it to get information?
Correct me if I am wrong, but I believe all cell phones have a backdoor so if you forget the password, there's a way to get around it.
But how to do it? You have to go to a company owned cell phone store or call them. For example, if you have T-mobile, you go to a T-mobile company owned store.
10-04-2006, 03:57 PM
#5
BBF Moderator
Join Date: Aug 2004
Location: Germany
Model: 9700
PIN: not configured
Carrier: T-Mobile
Posts: 1,528
I doubt that there is such a back door on the BB. E.g. if the password is forgotten, the only option to reset the password is to assign a new one through the BES (if the device is on a BES and radio is turned on) or you need to wipe all data from the device to be able to reuse the device, but as I said all data will be lost!
10-04-2006, 03:59 PM
#6
Thumbs Must Hurt
Join Date: Aug 2005
Location: Dallas, TC
Model: 8130
Carrier: AT&T
Posts: 156
My brother works for a handheld security software firm (Credant Technologies) and may be able to help you out. PM me for his email address.
10-04-2006, 05:43 PM
#7
BlackBerry Extraordinaire
Join Date: May 2005
Location: Waterloo: Home of RIM
Model: PlayB
Carrier: Bell Mobility
Posts: 1,008
Quote:
Originally Posted by d_fisher
I know there is a tool for getting info from the .ipd backup file.
Simply opening this file in text editor (MS Notepad, for example) enables you to view the majority of the information (emails, SMS messages, contacts, etc).
10-04-2006, 05:59 PM
#8
Retired BlackBerryForums.com Moderator
Join Date: Oct 2005
Location: Columbus, OH
Model: 9700
OS: SID 6.7
Carrier: AT&T
Posts: 4,455
Quote:
Originally Posted by secrecyguy
Are you talking about if the Blackberry is password protected? How do you bypass it and get inside it to get information?
Correct me if I am wrong, but I believe all cell phones have a backdoor so if you forget the password, there's a way to get around it.
But how to do it? You have to go to a company owned cell phone store or call them. For example, if you have T-mobile, you go to a T-mobile company owned store.
From my understanding, RIM has stated that there is no such backdoor.
10-05-2006, 07:15 AM
#9
BBF Moderator
Join Date: Aug 2004
Location: Germany
Model: 9700
PIN: not configured
Carrier: T-Mobile
Posts: 1,528
Quote:
Originally Posted by Jase88
Simply opening this file in text editor (MS Notepad, for example) enables you to view the majority of the information (emails, SMS messages, contacts, etc).
Yes, but there is a tool to export the data without the need of a BlackBerry.
10-05-2006, 08:03 AM
#10
Talking BlackBerry Encyclopedia
Join Date: Jan 2006
Model: 8830
Carrier: Verizon
Posts: 217
10-06-2006, 02:28 PM
#11
New Member
Join Date: Aug 2006
Model: 8700C
Carrier: Cingular
Posts: 8
Thanks for all the extra info. It has given me some more leads to the problem.
I'm not necessarily just looking for a way to bypass the password protection, as I know that that is supposedly not possible. I'm more just looking at doing some research on what can be gathered and how. If a BB is password protected, and that means it would not be feasible to get any information from it without the password, that is fine; I'll just put that in the report. If there were a way to get in without the password, all the better, but from what I've read it sounds like nobody knows of one.
I already know that a lot of the information can be gathered from the backup files because it is stored in the clear. I'm also just kind of curious whether there would be a way to gather more information than what is obvious.
Anyways, thanks again for the help.
Andy
10-06-2006, 07:29 PM
#12
Talking BlackBerry Encyclopedia
Join Date: Mar 2006
Model: 9800
OS: 6.x
PIN: 0xDEADBEEF
Carrier: Bell Mobility
Posts: 412
Quote:
Originally Posted by d_fisher
From my understanding, RIM has stated there there is no such backdoor.
Yes, one would think such a back door may invalidate their FIPS approval.
05-17-2007, 09:20 AM
#13
New Member
Join Date: May 2007
Location: Washington D.C.
Model: 7290
PIN: N/A
Carrier: Sprint
Posts: 2
Looks like I'm reviving an old thread here, but I am actually a digital forensic examiner with an agency. I have done heavy research into BlackBerry forensics and have found little. Paraben teaches a course for about 2k, but it's mostly for processing IPD files. There is a program called ABC Amber Blackberry Converter which I use to forensically process IPD files. As for backdoors, well, I am still trying to find a way to get in the back door, but for now I have successfully used Desktop Manager to back up a BlackBerry when it is password protected (locked).
To do this, simply roll back your BlackBerry Desktop software to a version where it doesn't automatically prompt you for an unlock password (3.5a or even 2.7 would work). The tricky part is getting your non-serial BB to connect with non-USB software; I had to get some hardware but managed to back up 7290s with this method. From there I just process the IPD files for evidence. Granted, as of right now it is kind of hard to verify that evidence because I am still unable to get into the original evidence, but it's nice for grabbing data from locked BBs.
Also I recommend the Java mobile tools, BlackBerry Java Development Environment 4.0 and BlackBerry JDE 4.2.1. They are simulators/emulators which allow you to create a working copy onsite or in the lab within seconds: just select your model BB, click on "simulate USB cable connection" and then do a restore of the IPD file to the simulated BlackBerry.
There is a paper that was pulled down the day it was put up. It was written by a security analyst at Symantec and it listed multiple vulnerabilities with BlackBerries; you can find this paper on Milw0rm.com, just do a search for blackberry. Also there were some neat talks at DEF CON which you may want to reference about backdoors using the BlackBerry, but not necessarily backdoors into the BBs themselves.
On a side note, I am trying to acquire a hash value of a BB password to see if that is a viable option, but as for right now I can not get a PC to see the BlackBerry as a device with any software I use, so if anyone has any insight on this I would appreciate it.
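A worked example added here, not code from this thread, RIM, Paraben or ABC Amber: a small Python parser for the .ipd (Inter@ctive Pager Backup) file that post #7 says opens readably in Notepad and that the post above processes for evidence. The byte layout follows the commonly published reverse-engineered description of the format (an assumption; confirm the offsets against a real backup before trusting any output as evidence). The sample backup, database names, record contents and field type numbers are constructed for the example and are not from a real device. A `printable_strings` carve is included beside the structural parser to show what the Notepad view actually gives you and where it goes wrong.

```python
"""Parser for the BlackBerry .ipd (Inter@ctive Pager Backup) file.

Added example for this thread; not code from the forum, RIM, Paraben or
ABC Amber. Byte layout follows the commonly published reverse-engineered
description of the format (an assumption: confirm offsets against a real
backup before trusting any output as evidence):

  magic   "Inter@ctive Pager Backup/Restore File" then 0x0A
  version 1 byte, db count 2 bytes big-endian, 0x00 separator
  names   per database: length (2 bytes LE, includes NUL) + name + NUL
  records until EOF:
    db id 2 LE | record length 4 LE | db version 1 | handle 2 LE | uid 4 LE
    fields: length 2 LE | type 1 | data   (repeat to end of record)
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

MAGIC = b"Inter@ctive Pager Backup/Restore File"


@dataclass
class Record:
    database: str
    handle: int
    uid: int
    fields: list[tuple[int, bytes]]


def parse_ipd(data: bytes) -> list[Record]:
    """Walk the database name table and every record in an .ipd blob."""
    if not data.startswith(MAGIC + b"\x0a"):
        raise ValueError("not an .ipd file: bad magic")
    pos = len(MAGIC) + 2                      # skip magic, LF and version byte
    (db_count,) = struct.unpack_from(">H", data, pos)
    pos += 3                                  # count (2) + separator (1)
    names: list[str] = []
    for _ in range(db_count):
        (n,) = struct.unpack_from("<H", data, pos)
        pos += 2
        names.append(data[pos:pos + n - 1].decode("latin-1"))  # drop the NUL
        pos += n
    records: list[Record] = []
    while pos + 6 <= len(data):
        db_id, rec_len = struct.unpack_from("<HI", data, pos)
        pos += 6
        end = pos + rec_len
        if end > len(data) or db_id >= len(names):
            raise ValueError(f"truncated or corrupt record at offset {pos}")
        handle, uid = struct.unpack_from("<HI", data, pos + 1)  # after db version byte
        fpos, fields = pos + 7, []
        while fpos + 3 <= end:
            flen, ftype = struct.unpack_from("<HB", data, fpos)
            fpos += 3
            fields.append((ftype, data[fpos:fpos + flen]))
            fpos += flen
        records.append(Record(names[db_id], handle, uid, fields))
        pos = end
    return records


def printable_strings(data: bytes, minlen: int = 6) -> list[str]:
    """What Notepad or `strings` shows: runs of printable ASCII, no structure."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":                  # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= minlen:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs


def build_sample_ipd() -> bytes:
    """Constructed sample (not a real device backup); field type numbers are made up."""
    names = ["SMS Messages", "Address Book"]
    out = bytearray(MAGIC + b"\x0a\x02" + struct.pack(">H", len(names)) + b"\x00")
    for name in names:
        nb = name.encode("ascii") + b"\x00"
        out += struct.pack("<H", len(nb)) + nb

    def record(db_id: int, handle: int, uid: int, fields: list[tuple[int, bytes]]) -> bytes:
        body = bytearray(b"\x00" + struct.pack("<HI", handle, uid))   # db version 0
        for ftype, fdata in fields:
            body += struct.pack("<HB", len(fdata), ftype) + fdata
        return struct.pack("<HI", db_id, len(body)) + bytes(body)

    out += record(0, 1, 0x1001, [(1, b"+15555550100"),
                                 (2, b"Meet at the pier at 9, bring the drive")])
    out += record(1, 1, 0x2001, [(1, b"Andy"), (2, b"Example"),
                                 (3, b"andy@example.invalid")])
    return bytes(out)


if __name__ == "__main__":
    blob = build_sample_ipd()
    for rec in parse_ipd(blob):
        print(rec.database, hex(rec.uid), [d.decode("latin-1") for _, d in rec.fields])
    print("carved:", printable_strings(blob))
```

Running it against the constructed sample shows the difference between the two approaches: the structural parse returns each record with its database name, record handle, unique ID and every field intact, while the carve returns the same SMS text but also glues a stray length byte onto the phone number (the 0x26 length prefix of the next field is a printable `&`) and drops short values such as the four-letter first name entirely. That is the practical reason to process an .ipd with a parser rather than a text editor when the output has to be defended as evidence.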
06-01-2007, 05:04 PM
#14
New Member
Join Date: Feb 2007
Location: Mexico
Model: 8200
Carrier: Telcel
Posts: 1
Converter
Maybe using the Jungo driver, the BB could be seen by the PC. Also, where do you get the HW to connect a non-serial BB with non-USB software?
09-14-2007, 04:14 PM
#15
New Member
Join Date: Jan 2007
Location: Tustin, California
Model: 7250
Carrier: Verizon
Posts: 9
I am bumping this older thread as I am running into a blackberry forensics issue myself.
Specifically I would love some details from Mirk, or anyone else, regarding what hardware and software I would be able to use to connect a non-serial BB with the non-USB software.
I have been tasked to recover data from a user's device; he left in bad blood and was removed from the server before they realized there was information on his password-locked BB "they" might want.
Any help on this would be a godsend.
TDW
09-14-2007, 06:27 PM
#16
BlackBerry Extraordinaire
Join Date: Feb 2005
Location: Lincoln, Ne
Model: 9550
OS: 5.0
Carrier: Verizon
Posts: 1,232
Working in this field, I can tell you that cellular phones are not the same as a computer when it comes to analysis by law enforcement or otherwise.
Paraben works great (most of the time), but it is not a forensic analysis, as you do have to change data on the phone to get info from the phone.
Most examiners are using Paraben's Device Seizure for their analysis.
__________________
Blackberry Storm2 (Verizon)
7280-7780-7290-7100g-7250-8703-8830-8330-9530-9550
09-14-2007, 06:51 PM
#17
Retired BBF Moderator
Join Date: Aug 2004
Location: Ottawa, Ontario, Canada
Model: Bold
Carrier: Rogers
Posts: 4,870
Clearly, BlackBerry is harder to do forensic analysis on. Unlike many other cellphones, there is an option to encrypt the BlackBerry's memory ("Content Encryption"). It's also possible to encrypt or disable the microSD card as well. While I'm not familiar with Paraben's backup techniques, RIM has done a much better job in securing BlackBerry phones than most smartphone makers; the government was a very early customer of RIM and at one point 50% of RIM business came from government customers. Needless to say, this made the security on RIM devices much more rock solid, and they are one of the hardest cellphones to crack if the BlackBerry was set to maximum security settings with long passwords. There are BlackBerries that have never been successfully cracked by forensics. (A good or bad thing, depending on who lost the BlackBerry: government staff that lose their BlackBerry units, for example.)
The BES is the obvious easiest "backdoor", especially if one can somehow re-add it back to the BES (sometimes easier said than done). That depends on who runs the BES for the BlackBerry (if it's the bad guy's BES, then seizure of the server/facilities containing the BES may be far easier than trying to crack the BlackBerry itself if it's configured in a virtually uncrackable way). If it is still linked to the BES, in certain cases, it is my understanding the password can be changed remotely from the BES server. But once the relationship is severed/wiped, doing so may be impossible. (The remote lobotomize capability allows, say, the government to remotely "zap" a government employee's BlackBerry when it gets stolen. Or, the flip side of the coin, if it's a crime organization's BlackBerry network BES, the criminal's berry can get remote-zapped very quickly if it's lost or seized, if not immediately shielded from remote zapping by immediate shutoff of the radio or pull of the battery.)
BAM, data wiped, and even if you could recover the data by removing the chip from the BlackBerry's motherboard and using "Norton Utility like stuff" (metaphorically, theoretically), cracking a strong long password will be frustrating. Bottom line: BlackBerries are titanium-clad tough nuts to crack compared to most other cellphones. A great advantage for the government, but also a great advantage to the "bad guys" too...
Last edited by Mark Rejhon; 09-14-2007 at 07:06 PM..
10-25-2007, 05:10 PM
#18
New Member
Join Date: Feb 2006
Model: 7105t
Carrier: NA
Posts: 3
Paper progress?
Hi,
I would like to know how your paper turned out and what progress you've made so far. If you may, please share a copy of your paper as well; you may provide a link to it if it is available online or send it to me via email.
Thanks.
10-27-2007, 12:35 PM
#19
Thumbs Must Hurt
Join Date: Apr 2005
Location: Kitchener, ON
Model: 8120
Carrier: Rogers
Posts: 93
There is no such backdoor.
Also, with a password set, content protection turned on, and SD card encryption on, there is no way to get the data.
If there was, would the BlackBerry be as secure as it is? no.
This is why hackers are trying to figure out ways to run software on the BB to hack it.
As with all things, it is only as secure as the user using it (easy password, no content protection, no device password, letting others get to your IPD files...)
01-31-2009, 04:50 PM
#20
New Member
Join Date: Jan 2009
Model: 8330
PIN: N/A
Carrier: Telus
Posts: 1
Can't be that hard to do, the police do it very frequently.
Last edited by SnowStorm; 01-31-2009 at 04:53 PM..