[rocket5556]

Hi guys,

I'm taking a graduate level class in computer forensics, and for my term paper I have decided to do use Blackberry forensics as my topic. I'm really just starting initial research, but I've noticed it doesn't seem like there is a whole lot of information out there. I've found one paper written on the subject, "Forensic Examination of a RIM (Blackberry) Wireless Device", but the paper is from '02, and I've found one software package from Paraben. I've also found several message boards devoted to this topics, but most are completely empty or very close to empty.

Does anyone have any more information or resources on this topic? Specifically I'm looking at trying to find out what you can gather from a recovered blackberry (no knowing the password or any other information), or backup/log files found on a user's hard drive, etc. I'm not locked into these specific topics, so if any has other ideas that might yield better research I'm open to them as well.

Thanks for any info you guy can provide.
Andy

[d_fisher]

I think you will have difficulty finding information on BlackBerry forensic tools. In the past year I have only hear 1 person mention their existince. RIM claims that nothing can be recoved from the device itself if it was wiped, but I know there is a tool for getting info from the .ipd backup file. Once again, I have never seen this tool only heard that it existed.

[rocket5556]

Thanks for the info. I'm not really too concerned with recovering data from a wiped device. Really, I'm more interested in what can be done with one that is recovered intact or as you said with backup files that are found.

[secrecyguy]

Are you talking about if the Blackberry is password protected? How do you bypass it and get inside it to get information?

Correct me if I am wrong, but I believe all cell phones have a backdoor so if you forget the password, there's a way to get around it.

But how to do it? You have to go to a company owned cell phone store or call them. For example, if you have T-mobile, you go to a T-mobile company owned store.

[acnst]

I doubt that there is such a back door on the BB. E.g. if the password is forgotten, the only option to reset the password is to assign a new one through the BES (if the device is on a BES and radio is turned on) or you need to wipe all data from the device to be able to reuse the device, but as I said all data will be lost!

[CodyMac]

My brother works for a handheld security software firm (Credant Technologies) and may be able to help you out. PM me for his email address.

[Jase88]

Quote:

Originally Posted by d_fisher

I know there is a tool for getting info from the .ipd backup file.

Simply opening this file in text editor (MS Notepad, for example) enables you to view the majority of the information (emails, SMS messages, contacts, etc).

[d_fisher]

Quote:

Originally Posted by secrecyguy

Are you talking about if the Blackberry is password protected? How do you bypass it and get inside it to get information?

Correct me if I am wrong, but I believe all cell phones have a backdoor so if you forget the password, there's a way to get around it.

But how to do it? You have to go to a company owned cell phone store or call them. For example, if you have T-mobile, you go to a T-mobile company owned store.

From my understanding, RIM has stated there there is no such backdoor.

[acnst]

Quote:

Originally Posted by Jase88

Simply opening this file in text editor (MS Notepad, for example) enables you to view the majority of the information (emails, SMS messages, contacts, etc).

Yes, but there is a tool to export the data without the need of BlackBerry.

[packetknife]

Paraben Forensics - Forensic Software, Hardware, & Training might be worth a gander. There are other resources to read about in http://csrc.nist.gov/publications/ni...istir-7250.pdf ..

There is a thread here with (a lot) more information Forensic Focus › Forums › General Discussion › Commercial Software › Mobile phone analysis ..

Cheers, -Pk

[rocket5556]

Thanks for all the extra info. It has given me some more leads to the problem.

I'm necessarily just looking for a way to bypass the password protection, as I know that that is supposedly not possible. I'm more just looking at doing some research on what can be gathered and how. If a BB is password protected, and that means it would not be feasible to get any information from it without the password, that is fine, I'll just put that in the report. If there were a way to get in without the password, all the better, but from what I've read it sounds like nobody knows of one.

I already know that a lot of the information can be gathered from the backup files because it is stored in the clear. I'm also just kind of curious if there would be a way to gather more information that what is obvious or not.

Anyways, thanks again for the help.
Andy

[omkhar]

Quote:

Originally Posted by d_fisher

From my understanding, RIM has stated there there is no such backdoor.

Yes, one would think such a back door may invalidate thier FIPS approval

[Mirk]

looks like im reviving an old thread here, but i am actually a digital forensic examiner with an agency. I have done heavy research into blackberry forensics and have found little... paraben teaches a course for about 2k but its mostly for processing IPD files, there is a program called ABC Amber Blackberry Converter which i use to forensically process IPD files, as for backdoors.. well i am still trying to find a way to get in the back door but for now i have sucessfully used Desktop manager to backup a blackberry when it is password protected(locked).

To do this simply roll back your blackberry desktop software to a version where it doesnt automatically prompt you for an unlock password( 3.5a or even 2.7 would work), the tricky part is getting your non-serial bb to connect with non-usb software... i had to get some hardware but managed to backup 7290's this method... and then from there i just process the IPD files for evidence, granted that as of right now it is kind of hard to verify that evidence because i am still unable to get into the original evidence, but its nice for grabbing data from locked BB's.

Also i reccomend the JAVA mobile tools, Blackberry Java Development Environment 4.0, and Blackberry JDE 4.2.1... they are simulators/emulators which allow you to create a working copy onsite or in the lab within seconds, just select your model bb, click on simulate USB cable connection and then do a restore of the IPD file to the simulated blackberry.

There is a paper that was pulled down the day it was put up, it was written by a security analyst at symantec and it listed multiple vulnerabilities with blackberries, you can find this paper on Milw0rm.com, just do a search for blackberry.... also there were some neat talks at defcon which you may want to reference about backdoors using the blackberry, but not necessarily backdoors into the bb's themselves.

On a side note i am trying to acquire a Hash value of a bb password to see if that is a viable option but as for right now i can not get a PC to see the blackberry as a device with any software i use, so if anyone has any insight on this i would appreciate it.

[capotix]

Maybe using Jungo driver, the BB could be seen by the PC. Also, where do you get the HW to connect a non-serial BB with a non-usb software ?

[timdwells]

I am bumping this older thread as I am running into a blackberry forensics issue myself.

Specifically I would love some details from Mirk, or anyone else, regarding what hardware and software I would be able to use to connect a non-serial BB with the non-usb software.

I have been tasked to recover data from a users device who left in bad blood and was removed from the server before they realized there was information on his password locked BB "they" might want.

Any help on this would be a godsend.

TDW

[jbairdjr]

Working in this field, I can tell you that cellular phones are not the same as a computer when it comes to analysis by law enforcement or otherwise.
Paraben works great (most of the time), but it is not a forensic analysis, as you do have to change data on the phone to get info from the phone.
Most examiners are using Paraben's Device Seizure for their analysis.

[Mark Rejhon]

Clearly, BlackBerry is harder to do foresenics analysis on. Unlike many other cellphones, there is an option to encrypt the BlackBerry's memory ("Content Encryption"). It's also possible to encrypt or disable the SD Micro card as well. While I'm not familiar with Paraben's backup techniques, RIM has done a much better job in securing BlackBerry phones than most smartphone makers - the government was a very early customer of RIM and at one point, 50% of RIM business came from government customers. Needless to say, this made the security on RIM devices much more rock solid and are one of the hardest cellphones to crack if the BlackBerry was set to maximum security settings with long passwords... There are BlackBerries have never been successfully cracked by forsenics. (A good or bad thing, depending on who lost the BlackBerry - government staff that lose their BlackBerry units, for example). The BES is the obvious easiest "backdoor", especially if one can somehow re-add it back to the BES (sometimes easier said than done). That depends on who runs the BES for the BlackBerry (if it's the bad guy's BES -- then siezure of the server/facilities containing BES may be far easier than trying to crack the BlackBerry itself if it's configured in a virtually uncrackable way). If it is still linked to the BES, in certain cases, it is my understanding the password can be changed remotely from the BES server. But once the relationship is severed/wiped, doing so may be impossible (the remote lobotomize capability - allows, say, the government to remotely "zap" a goverment employee's BlackBerry when it gets stolen. Or the flip side of the coin, if it's a crime organization's BlackBerry network BES, the criminal's berry can get remote-zapped very quickly if it's lost or siezed (if not immediately shielded by remote zapping by immediate shutoff of the radio or pull of battery). BAM - data wiped, and even if you could recover the data by removing the chip from the BlackBerry's motherboard and using "Norton Utility like stuff" (metaphorically, theoretically), cracking a strong long password will be frustrating). Bottom line - BlackBerries are titanium-clad tough nuts to crack compared to most other cellphones... A great advantage for the government, but also a great advantage to the "bad guys" too...

[osioke]

Hi,

I would like to know how your paper turned out and what progressed you've made so far. If you may, please share a copy of your paper as welll; you may provide a link to it if it is available online or send it to me via email.

Thanks.

[DJChew]

There there is no such backdoor.

Also, with a passwrod set, content protection turned on, and SD card encryption on, there is no way to get the data.

If there was, would the BlackBerry be as secure as it is? no.

This is why hackers are trying to figure out ways to run software on the BB to hack it.


As with all things, it is only as secure as the user using it (easy password, no content protection, no device password, letting others get to your IPD files...)

[SnowStorm]

Can't be that hard to do, the police do it very frequently.