BlackBerry Forums Support Community               

Closed Thread
 
Old 10-04-2006, 08:59 AM   #1 (permalink)
New Member
 
Join Date: Aug 2006
Model: 8700C
Carrier: Cingular
Posts: 8
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default Blackberry forensic research

Hi guys,

I'm taking a graduate level class in computer forensics, and for my term paper I have decided to use Blackberry forensics as my topic. I'm really just starting initial research, but I've noticed it doesn't seem like there is a whole lot of information out there. I've found one paper written on the subject, "Forensic Examination of a RIM (Blackberry) Wireless Device", but the paper is from '02, and I've found one software package from Paraben. I've also found several message boards devoted to this topic, but most are completely empty or very close to empty.

Does anyone have any more information or resources on this topic? Specifically I'm looking at trying to find out what you can gather from a recovered blackberry (not knowing the password or any other information), or backup/log files found on a user's hard drive, etc. I'm not locked into these specific topics, so if anyone has other ideas that might yield better research I'm open to them as well.

Thanks for any info you guys can provide.
Andy
Offline  
Old 10-04-2006, 09:42 AM   #2 (permalink)
Retired BlackBerryForums.com Moderator
 
d_fisher's Avatar
 
Join Date: Oct 2005
Location: Columbus, OH
Model: 9700
OS: SID 6.7
Carrier: AT&T
Posts: 4,455
Post Thanks: 0
Thanked 2 Times in 1 Post
Default

I think you will have difficulty finding information on BlackBerry forensic tools. In the past year I have only heard 1 person mention their existence. RIM claims that nothing can be recovered from the device itself if it was wiped, but I know there is a tool for getting info from the .ipd backup file. Once again, I have never seen this tool, only heard that it existed.
__________________
Doug

Remember, please try searching first!

Need a screenshot? ... Like JavaLoader?
Try using BBscreen .....Use JL_Cmder!
or BBScreenShooter!

Offline  
Old 10-04-2006, 12:24 PM   #3 (permalink)
New Member
 
Join Date: Aug 2006
Model: 8700C
Carrier: Cingular
Posts: 8
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Thanks for the info. I'm not really too concerned with recovering data from a wiped device. Really, I'm more interested in what can be done with one that is recovered intact or as you said with backup files that are found.
Offline  
Old 10-04-2006, 03:34 PM   #4 (permalink)
BlackBerry Extraordinaire
 
secrecyguy's Avatar
 
Join Date: Jun 2006
Location: Southern California, USA
Model: 8100
Carrier: T-mobile
Posts: 1,238
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Are you talking about if the Blackberry is password protected? How do you bypass it and get inside it to get information?

Correct me if I am wrong, but I believe all cell phones have a backdoor so if you forget the password, there's a way to get around it.

But how to do it? You have to go to a company owned cell phone store or call them. For example, if you have T-mobile, you go to a T-mobile company owned store.
Offline  
Old 10-04-2006, 03:57 PM   #5 (permalink)
BBF Moderator
 
acnst's Avatar
 
Join Date: Aug 2004
Location: Germany
Model: 9700
PIN: not configured
Carrier: T-Mobile
Posts: 1,527
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I doubt that there is such a back door on the BB. E.g. if the password is forgotten, the only option to reset the password is to assign a new one through the BES (if the device is on a BES and radio is turned on) or you need to wipe all data from the device to be able to reuse the device, but as I said all data will be lost!
__________________
Deutsches Blackberry Forum - visit www.blackberry-forum.de


for Microsoft Exchange

Offline  
Old 10-04-2006, 03:59 PM   #6 (permalink)
Thumbs Must Hurt
 
CodyMac's Avatar
 
Join Date: Aug 2005
Location: Dallas, TC
Model: 8130
Carrier: AT&T
Posts: 156
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

My brother works for a handheld security software firm (Credant Technologies) and may be able to help you out. PM me for his email address.
Offline  
Old 10-04-2006, 05:43 PM   #7 (permalink)
BlackBerry Extraordinaire
 
Join Date: May 2005
Location: Waterloo: Home of RIM
Model: PlayB
Carrier: Bell Mobility
Posts: 1,008
Post Thanks: 1
Thanked 4 Times in 3 Posts
Default

Quote:
Originally Posted by d_fisher
I know there is a tool for getting info from the .ipd backup file.
Simply opening this file in text editor (MS Notepad, for example) enables you to view the majority of the information (emails, SMS messages, contacts, etc).
Offline  
Old 10-04-2006, 05:59 PM   #8 (permalink)
Retired BlackBerryForums.com Moderator
 
d_fisher's Avatar
 
Join Date: Oct 2005
Location: Columbus, OH
Model: 9700
OS: SID 6.7
Carrier: AT&T
Posts: 4,455
Post Thanks: 0
Thanked 2 Times in 1 Post
Default

Quote:
Originally Posted by secrecyguy
Are you talking about if the Blackberry is password protected? How do you bypass it and get inside it to get information?

Correct me if I am wrong, but I believe all cell phones have a backdoor so if you forget the password, there's a way to get around it.

But how to do it? You have to go to a company owned cell phone store or call them. For example, if you have T-mobile, you go to a T-mobile company owned store.
From my understanding, RIM has stated that there is no such backdoor.
__________________
Doug

Remember, please try searching first!

Need a screenshot? ... Like JavaLoader?
Try using BBscreen .....Use JL_Cmder!
or BBScreenShooter!

Offline  
Old 10-05-2006, 07:15 AM   #9 (permalink)
BBF Moderator
 
acnst's Avatar
 
Join Date: Aug 2004
Location: Germany
Model: 9700
PIN: not configured
Carrier: T-Mobile
Posts: 1,527
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by Jase88
Simply opening this file in text editor (MS Notepad, for example) enables you to view the majority of the information (emails, SMS messages, contacts, etc).
Yes, but there is a tool to export the data without the need of BlackBerry.
__________________
Deutsches Blackberry Forum - visit www.blackberry-forum.de


for Microsoft Exchange

Offline  
Old 10-05-2006, 08:03 AM   #10 (permalink)
Talking BlackBerry Encyclopedia
 
Join Date: Jan 2006
Model: 8830
Carrier: Verizon
Posts: 217
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Paraben Forensics - Forensic Software, Hardware, & Training might be worth a gander. There are other resources to read about in http://csrc.nist.gov/publications/ni...istir-7250.pdf ..

There is a thread here with (a lot) more information Forensic Focus Forums General Discussion Commercial Software Mobile phone analysis ..

Cheers, -Pk
__________________
http://www.packetknife.com
Offline  
Old 10-06-2006, 02:28 PM   #11 (permalink)
New Member
 
Join Date: Aug 2006
Model: 8700C
Carrier: Cingular
Posts: 8
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Thanks for all the extra info. It has given me some more leads to the problem.

I'm necessarily just looking for a way to bypass the password protection, as I know that that is supposedly not possible. I'm more just looking at doing some research on what can be gathered and how. If a BB is password protected, and that means it would not be feasible to get any information from it without the password, that is fine, I'll just put that in the report. If there were a way to get in without the password, all the better, but from what I've read it sounds like nobody knows of one.

I already know that a lot of the information can be gathered from the backup files because it is stored in the clear. I'm also just kind of curious if there would be a way to gather more information than what is obvious or not.

Anyways, thanks again for the help.
Andy
Offline  
Old 10-06-2006, 07:29 PM   #12 (permalink)
Talking BlackBerry Encyclopedia
 
Join Date: Mar 2006
Model: 9800
OS: 6.x
PIN: 0xDEADBEEF
Carrier: Bell Mobility
Posts: 412
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by d_fisher
From my understanding, RIM has stated that there is no such backdoor.
Yes, one would think such a back door may invalidate their FIPS approval.
Offline  
Old 05-17-2007, 09:20 AM   #13 (permalink)
New Member
 
Join Date: May 2007
Location: Washington D.C.
Model: 7290
PIN: N/A
Carrier: Sprint
Posts: 2
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Looks like I'm reviving an old thread here, but I am actually a digital forensic examiner with an agency. I have done heavy research into BlackBerry forensics and have found little... Paraben teaches a course for about 2k but it's mostly for processing IPD files, there is a program called ABC Amber Blackberry Converter which I use to forensically process IPD files, as for backdoors.. well I am still trying to find a way to get in the back door but for now I have successfully used Desktop Manager to back up a BlackBerry when it is password protected (locked).

To do this simply roll back your BlackBerry desktop software to a version where it doesn't automatically prompt you for an unlock password (3.5a or even 2.7 would work), the tricky part is getting your non-serial BB to connect with non-USB software... I had to get some hardware but managed to back up 7290's this method... and then from there I just process the IPD files for evidence, granted that as of right now it is kind of hard to verify that evidence because I am still unable to get into the original evidence, but it's nice for grabbing data from locked BB's.

Also I recommend the Java mobile tools, Blackberry Java Development Environment 4.0, and Blackberry JDE 4.2.1... they are simulators/emulators which allow you to create a working copy onsite or in the lab within seconds, just select your model BB, click on simulate USB cable connection and then do a restore of the IPD file to the simulated BlackBerry.

There is a paper that was pulled down the day it was put up, it was written by a security analyst at Symantec and it listed multiple vulnerabilities with BlackBerries, you can find this paper on Milw0rm.com, just do a search for blackberry.... also there were some neat talks at Defcon which you may want to reference about backdoors using the BlackBerry, but not necessarily backdoors into the BB's themselves.

On a side note I am trying to acquire a hash value of a BB password to see if that is a viable option but as for right now I can not get a PC to see the BlackBerry as a device with any software I use, so if anyone has any insight on this I would appreciate it.
Offline  
Old 06-01-2007, 05:04 PM   #14 (permalink)
New Member
 
Join Date: Feb 2007
Location: Mexico
Model: 8200
Carrier: Telcel
Posts: 1
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default Converter

Maybe using Jungo driver, the BB could be seen by the PC. Also, where do you get the HW to connect a non-serial BB with a non-usb software?
Offline  
Old 09-14-2007, 04:14 PM   #15 (permalink)
New Member
 
Join Date: Jan 2007
Location: Tustin, California
Model: 7250
Carrier: Verizon
Posts: 9
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I am bumping this older thread as I am running into a blackberry forensics issue myself.

Specifically I would love some details from Mirk, or anyone else, regarding what hardware and software I would be able to use to connect a non-serial BB with the non-usb software.

I have been tasked to recover data from a user's device who left in bad blood and was removed from the server before they realized there was information on his password locked BB "they" might want.

Any help on this would be a godsend.

TDW
Offline  
Old 09-14-2007, 06:27 PM   #16 (permalink)
BlackBerry Extraordinaire
 
jbairdjr's Avatar
 
Join Date: Feb 2005
Location: Lincoln, Ne
Model: 9550
OS: 5.0
Carrier: Verizon
Posts: 1,232
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Working in this field, I can tell you that cellular phones are not the same as a computer when it comes to analysis by law enforcement or otherwise.
Paraben works great (most of the time), but it is not a forensic analysis, as you do have to change data on the phone to get info from the phone.
Most examiners are using Paraben's Device Seizure for their analysis.
__________________
Blackberry Storm2 (Verizon)
7280-7780-7290-7100g-7250-8703-8830-8330-9530-9550
Offline  
Old 09-14-2007, 06:51 PM   #17 (permalink)
Retired BBF Moderator
 
Mark Rejhon's Avatar
 
Join Date: Aug 2004
Location: Ottawa, Ontario, Canada
Model: Bold
Carrier: Rogers
Posts: 4,870
Post Thanks: 1
Thanked 0 Times in 0 Posts
Default

Clearly, BlackBerry is harder to do forensics analysis on. Unlike many other cellphones, there is an option to encrypt the BlackBerry's memory ("Content Encryption"). It's also possible to encrypt or disable the SD Micro card as well. While I'm not familiar with Paraben's backup techniques, RIM has done a much better job in securing BlackBerry phones than most smartphone makers - the government was a very early customer of RIM and at one point, 50% of RIM business came from government customers. Needless to say, this made the security on RIM devices much more rock solid and are one of the hardest cellphones to crack if the BlackBerry was set to maximum security settings with long passwords... There are BlackBerries that have never been successfully cracked by forensics. (A good or bad thing, depending on who lost the BlackBerry - government staff that lose their BlackBerry units, for example). The BES is the obvious easiest "backdoor", especially if one can somehow re-add it back to the BES (sometimes easier said than done). That depends on who runs the BES for the BlackBerry (if it's the bad guy's BES -- then seizure of the server/facilities containing BES may be far easier than trying to crack the BlackBerry itself if it's configured in a virtually uncrackable way). If it is still linked to the BES, in certain cases, it is my understanding the password can be changed remotely from the BES server. But once the relationship is severed/wiped, doing so may be impossible (the remote lobotomize capability - allows, say, the government to remotely "zap" a government employee's BlackBerry when it gets stolen. Or the flip side of the coin, if it's a crime organization's BlackBerry network BES, the criminal's berry can get remote-zapped very quickly if it's lost or seized (if not immediately shielded by remote zapping by immediate shutoff of the radio or pull of battery).
BAM - data wiped, and even if you could recover the data by removing the chip from the BlackBerry's motherboard and using "Norton Utility like stuff" (metaphorically, theoretically), cracking a strong long password will be frustrating). Bottom line - BlackBerries are titanium-clad tough nuts to crack compared to most other cellphones... A great advantage for the government, but also a great advantage to the "bad guys" too...
__________________
Thanks,
Mark Rejhon
Author of XMPP extension XEP-0301:
www.xmpp.org/extensions/xep-0301.html - specification
www.realjabber.org - open source

Last edited by Mark Rejhon : 09-14-2007 at 07:06 PM.
Offline  
Old 10-25-2007, 05:10 PM   #18 (permalink)
New Member
 
Join Date: Feb 2006
Model: 7105t
Carrier: NA
Posts: 3
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default Paper progress?

Hi,

I would like to know how your paper turned out and what progress you've made so far. If you may, please share a copy of your paper as well; you may provide a link to it if it is available online or send it to me via email.

Thanks.
Offline  
Old 10-27-2007, 12:35 PM   #19 (permalink)
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Kitchener, ON
Model: 8120
Carrier: Rogers
Posts: 93
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

There is no such backdoor.

Also, with a password set, content protection turned on, and SD card encryption on, there is no way to get the data.

If there was, would the BlackBerry be as secure as it is? no.

This is why hackers are trying to figure out ways to run software on the BB to hack it.


As with all things, it is only as secure as the user using it (easy password, no content protection, no device password, letting others get to your IPD files...)
Offline  
Old 01-31-2009, 03:50 PM   #20 (permalink)
New Member
 
Join Date: Jan 2009
Model: 8330
PIN: N/A
Carrier: Telus
Posts: 1
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Can't be that hard to do, the police do it very frequently.

Last edited by SnowStorm : 01-31-2009 at 03:53 PM.
Offline  
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.