Module XXXVI – Blackberry Forensics

Transcript of File000149

Page 1: File000149


Page 2: File000149

EC-Council Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

News: Police Join AG BlackBerry Investigation
Source: http://www.10tv.com/

Page 3: File000149

News: BlackBerry Wins Versus Windows Mobile For Google Apps Mail

Source: http://www.informationweek.com/

Page 4: File000149

Module Objective

This module will familiarize you with:

• BlackBerry
• BlackBerry Operating System
• How BlackBerry Works
• BlackBerry Serial Protocol
• Blackjacking Attack
• BlackBerry Security
• BlackBerry Forensics
• Best Practices
• Forensics Tools

Page 5: File000149

Module Flow

The module covers its topics in the following order:

• BlackBerry
• BlackBerry Operating System
• How BlackBerry Works
• BlackBerry Serial Protocol
• Blackjacking Attack
• BlackBerry Security
• BlackBerry Forensics
• Best Practices
• Forensics Tools

Page 6: File000149

BlackBerry

A BlackBerry is a personal wireless handheld device that supports e-mail, mobile phone capabilities, text messaging, web browsing, and other wireless information services.

BlackBerries can be used:

• To compose, send, and receive messages
• As a phone
• To access the wireless Internet
• As a tethered modem
• As an organizer
• For sending SMS
• For instant messaging
• For corporate data access
• As a paging service

Page 7: File000149

BlackBerry Operating System

BlackBerry OS 4.6 is the current version of the BlackBerry OS at the time of this module.

Features of BlackBerry OS 4.6:

• Supports web standards such as AJAX and CSS
• Music Sync, a synchronization application for selecting and transferring music from a computer to a BlackBerry smartphone
• Clock application, the evolution of the alarm application
• Supports continuous spell checking
• Numerous enhancements to existing BlackBerry smartphone applications
• Eliminates the need to browse the address book when composing an SMS
• Provides a way to add SMS recipients similar to the e-mail To: field
• Built-in light-sensing technology automatically adjusts screen and keyboard brightness for indoors or outdoors

Page 8: File000149

How BlackBerry Works

[Figure: How BlackBerry works. Labels recovered from the diagram, grouped by the mail paths drawn:
• BlackBerry device (proprietary), RIM PDA and RIM modem, reached from the BlackBerry Message Center over RIM's wireless protocol
• Corporate message center: Microsoft Exchange with BlackBerry Enterprise Server, connected to the BlackBerry Message Center over the corporate Internet link
• Desktop e-mail system: Microsoft Outlook with the BlackBerry Desktop Redirector, connected over the generic Internet
• ISP or third-party message center: SMTP/POP via the Internet, with a mailbox interface and mailbox synchronization to the BlackBerry Message Center over the generic Internet]

Page 9: File000149

BlackBerry Serial Protocol

The BlackBerry Serial Protocol is used to back up, restore, and synchronize data between the BlackBerry handheld unit and the desktop software.

It consists of simple packets and single-byte return codes.

All packets have the same basic structure.

Page 10: File000149

BlackBerry Serial Protocol: Packet Structure

Bytes      Field           Description
3          Packet header   Always D9 AE FB
1          Command type    Each command type has a unique value, which limits the set of commands available:
                           40 = Normal command
                           60 = Extended packet
                           41 = ACK
                           CF = Handshake challenge
                           CE = Handshake reply
1          Command         For command type 40, the value 00 specifies initialization-related commands; any other value is one of the commands listed in the command table. For command type 60, the only value observed has been 02. (For command type 41 the source table gives no value.)
Variable   Data            Command-dependent packet data
3          Footer          Always BF EA 9D (three bytes, like the header)
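As an added example (not code from the module or from RIM), here is a small Python framer and parser for the packet structure in the table above. It is built only from what the table states: the fixed header and footer, the command-type values, and the rule that type 40 with command 00 is an initialization command. Everything else is an assumption and is labelled as such in the code: the table gives no length field, so the stream splitter delimits packets by searching for the footer and assumes the footer sequence never occurs inside packet data; bytes found between packets are treated as the protocol's single-byte return codes; the sample capture is constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union

# Constants taken from the packet-structure table.
HEADER = b"\xD9\xAE\xFB"
FOOTER = b"\xBF\xEA\x9D"
MIN_PACKET_LEN = len(HEADER) + 1 + 1 + len(FOOTER)  # header, type, command, footer

COMMAND_TYPES = {
    0x40: "normal command",
    0x60: "extended packet",
    0x41: "ACK",
    0xCF: "handshake challenge",
    0xCE: "handshake reply",
}


@dataclass
class Packet:
    command_type: int
    command: int
    data: bytes

    @property
    def type_name(self) -> str:
        return COMMAND_TYPES[self.command_type]

    @property
    def is_initialization(self) -> bool:
        # For type 40, command 00 is reserved for initialization-related commands.
        return self.command_type == 0x40 and self.command == 0x00


def build_packet(command_type: int, command: int, data: bytes = b"") -> bytes:
    """Frame a packet exactly as the table describes: header, type, command, data, footer."""
    if command_type not in COMMAND_TYPES:
        raise ValueError("unknown command type 0x%02X" % command_type)
    if not 0 <= command <= 0xFF:
        raise ValueError("command must fit in one byte")
    return HEADER + bytes([command_type, command]) + data + FOOTER


def parse_packet(buf: bytes) -> Packet:
    """Validate and decode one complete packet. Anything that does not match the
    documented framing is rejected rather than guessed at."""
    if len(buf) < MIN_PACKET_LEN:
        raise ValueError("packet too short (%d bytes)" % len(buf))
    if buf[:3] != HEADER:
        raise ValueError("bad header %s" % buf[:3].hex())
    if buf[-3:] != FOOTER:
        raise ValueError("bad footer %s" % buf[-3:].hex())
    command_type = buf[3]
    if command_type not in COMMAND_TYPES:
        raise ValueError("unknown command type 0x%02X" % command_type)
    return Packet(command_type=command_type, command=buf[4], data=buf[5:-3])


Item = Tuple[str, Union[Packet, int]]


def split_stream(stream: bytes) -> List[Item]:
    """Split a captured serial stream into ("packet", Packet) and ("return_code", byte)
    items. The table documents no length field, so packets are delimited by searching
    for the footer; this assumes (my assumption, not something the module states) that
    the footer sequence never appears inside packet data."""
    items: List[Item] = []
    pos = 0
    while pos < len(stream):
        start = stream.find(HEADER, pos)
        if start < 0:
            items.extend(("return_code", b) for b in stream[pos:])
            break
        # Bytes between packets are the protocol's single-byte return codes.
        items.extend(("return_code", b) for b in stream[pos:start])
        end = stream.find(FOOTER, start + 5)  # skip header, type and command bytes
        if end < 0:
            raise ValueError("truncated packet at offset %d" % start)
        items.append(("packet", parse_packet(stream[start:end + 3])))
        pos = end + 3
    return items


if __name__ == "__main__":
    # Constructed sample exchange: a handshake challenge, one return-code byte, then an ACK.
    capture = build_packet(0xCF, 0x00, b"\x12\x34") + b"\x00" + build_packet(0x41, 0x05)
    for kind, item in split_stream(capture):
        if kind == "packet":
            print(kind, item.type_name, "cmd=0x%02X" % item.command, item.data.hex())
        else:
            print(kind, "0x%02X" % item)
```

Because there is no length field, a real capture should be checked for footer bytes inside data before trusting the split; if the handheld ever emits them, a length or escaping rule not shown on this page must be in play.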

Page 11: File000149

Blackjacking Attack

Blackjacking is the process of using the BlackBerry environment to circumvent perimeter defenses and attack hosts on an enterprise's internal network directly.

The attacker installs BBProxy on the user's BlackBerry, or sends it to the targets as an e-mail attachment.

Once the tool is activated, it opens a covert channel between the attacker and hosts on an improperly secured enterprise network. The channel rides the BlackBerry's existing connection through the BlackBerry Enterprise Server, which the perimeter already trusts.

Page 12: File000149

BlackBerry Attack Toolkit

The "BlackBerry Attack Toolkit" contains BBProxy, BBScan, and the relevant Metasploit patches needed to run exploits against vulnerable web hosts reached through the proxy.

• BBProxy runs on the BlackBerry device and allows the device to be used as a proxy between the Internet and the internal network
• BBScan is the toolkit's port scanner, which also runs on the BlackBerry

Page 13: File000149

BlackBerry Attachment Service Vulnerability

The BlackBerry Attachment Service in BlackBerry Enterprise Server uses the Windows Graphics Device Interface (GDI) component to convert images into a format viewable on the BlackBerry smartphone.

The GDI component of Windows has a vulnerability in its processing of Windows Metafile (WMF) and Enhanced Metafile (EMF) images.

Through the BlackBerry Attachment Service, this vulnerability allows a malicious user to run arbitrary code on the computer on which the Attachment Service is running.

If a BlackBerry smartphone user is on a BlackBerry Enterprise Server with the Attachment Service running, and uses the smartphone to open and view a WMF or EMF image attachment in a received e-mail message sent by a malicious user, the computer running the BlackBerry Attachment Service could be compromised. The exposure is server-side: the malicious image is rendered on the server, not on the handheld.

Page 14: File000149

TeamOn Import Object ActiveX Control Vulnerability

The BlackBerry Internet Service works with T-Mobile My E-mail to give BlackBerry users secure, direct access to any combination of registered enterprise, proprietary, Post Office Protocol 3 (POP3), or Internet Message Access Protocol 4 (IMAP4) e-mail accounts.

The BlackBerry Internet Service and T-Mobile My E-mail websites use the TeamOn Import Object Microsoft ActiveX control, which is vulnerable to a buffer overflow.

The overflow occurs when a user viewing the BlackBerry Internet Service or T-Mobile My E-mail website in Internet Explorer installs and runs the ActiveX control, so the vulnerable code runs in the user's browser on the desktop, not on the handheld.

Page 15: File000149

Denial of Service in BlackBerry Browser

A malicious user can create a website with an HTML or WML page that contains a link with a very long string value.

When a BlackBerry user follows such a link with the BlackBerry Browser, a temporary denial of service may occur that stops the device from responding.

Page 16: File000149

BlackBerry Security

BlackBerry uses a strong encryption scheme to safeguard:

• Integrity
• Confidentiality
• Authenticity of the data

The BlackBerry Enterprise Solution offers two transport encryption options, Advanced Encryption Standard (AES) and Triple Data Encryption Standard (Triple DES), for all data transmitted between the BlackBerry® Enterprise Server and BlackBerry smartphones.

Page 17: File000149

BlackBerry Wireless Security

Transport encryption options
• Choose either Triple DES (Triple Data Encryption Standard) or AES (Advanced Encryption Standard) to encrypt messages and data

Content protection
• Enforce encryption of all local data (messages, address book entries, calendar entries, memos, and tasks) via IT policy

Password Keeper
• Password Keeper securely stores password entries on the device (e.g. banking passwords, PINs, etc.) using AES encryption

Wireless encryption key regeneration
• Users regenerate encryption keys directly from their device

Page 18: File000149

BlackBerry Security for Wireless Data

Page 19: File000149

BlackBerry Security for Wireless Data (cont’d)

Page 20: File000149

Prerequisites for BlackBerry Forensics

Hardware tools:

• Faraday cage
• RIM BlackBerry Physical Plug-in
• StrongHold tent

Software tools:

• Program Loader
• Hex editor
• Simulator
• BlackBerry Signing Authority Tool

Page 21: File000149

Steps for BlackBerry Forensics

The steps, in the order the following slides cover them:

• Collect the evidence
• Document the scene and preserve the evidence
• Imaging and profiling
• Acquire the information
• Review the information

Page 22: File000149

Collect the Evidence

Seize the BlackBerry and any computer evidence at the scene.

Seize BlackBerry memory cards such as SD and MMC cards.

Collect non-electronic evidence such as written passwords, handwritten notes, and computer printouts.

Prevent unauthorized persons from entering the scene and touching the evidence.

Page 23: File000149

Document the Scene and Preserve the Evidence

All devices connected to the BlackBerry must be documented

Take photographs of all evidence at the scene

Document the state of the device during seizure

Preserve all the documents in a secure location

Secure the BlackBerry device and other evidence while transporting and storing

Secure the devices from mechanical or electrical shock

Maintain the chain of custody of documents, photographs, and evidence

Page 24: File000149

Radio Control

There are two ways to control the wireless signal of the device so that evidence is preserved:

• Turn off the wireless signal through the main menu
• If interaction with the device is not desired, put the device in a Faraday cage

A Faraday cage prevents the device from receiving (or sending) any wireless data, so no new messages, remote-wipe commands, or IT-policy pushes can alter the evidence. A shielded device keeps searching for a network and drains its battery faster, so keep it powered or examine it promptly.

Page 25: File000149

Imaging and Profiling in BlackBerry

Imaging is the process of creating an exact copy of the contents of a digital device so that the original is protected from changes.

Use the SDK utility that dumps the contents of the Flash RAM into a file.

An investigator can extract the logs from the image, or perform the whole investigation on the image instead of the device.

Use Program Loader for imaging and other inspection.

Page 26: File000149

Acquire the Information

Leave the RIM in an "off" state when:

• Power has been removed for an extended period of time, or the unit has been placed in data storage mode
• The unit would otherwise be turned back "on" from an "off" or true powered-down state

If the RIM is in the "on" state, turn off the radio:

• Take the RIM to a secured location to turn it "on", and immediately shut down the radio before examination

Obtain the password if the RIM is password protected:

• A SHA-1 hash of the password is stored on the RIM
• If the password is not available, use a direct-to-hardware solution
• Do not attempt to guess passwords on the device: the number of failed attempts is limited, and exceeding it may wipe the memory

Page 27: File000149

Hidden Data in BlackBerry

Data can be hidden on a RIM device in different ways, such as:

• Hidden databases
• Partition gaps
• Obfuscated data

Data can be hidden in the gap between the OS/Application and Files partitions.

Use tools such as the RIM Walker database reader to read the hidden databases.

Hidden data can also be viewed with the output of the SAVEFS Programmer command.
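The partition-gap check above is something an examiner can automate. The following Python is an added example, not part of the module or of any RIM tool: given a partition layout (as one would read it from Program Loader's ALLOC or MAP output) and the image bytes, it lists the ranges no partition claims and reports whether they hold anything other than erased flash. The assumptions are mine: the image and the two-partition layout are constructed for the example, and erased NOR flash is taken to read as 0xFF.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple

ERASED_BYTE = 0xFF  # assumption: erased NOR flash reads as 0xFF, so untouched gap bytes are 0xFF


@dataclass
class Partition:
    name: str
    start: int  # offset into the image, inclusive
    end: int    # offset into the image, exclusive


def find_gaps(image_size: int, partitions: List[Partition]) -> List[Tuple[int, int]]:
    """Return [start, end) ranges of the image that no partition claims,
    i.e. the places the module says data can be tucked away."""
    gaps = []
    cursor = 0
    for p in sorted(partitions, key=lambda p: p.start):
        if p.start > cursor:
            gaps.append((cursor, p.start))
        cursor = max(cursor, p.end)
    if cursor < image_size:
        gaps.append((cursor, image_size))
    return gaps


def entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte: 0 for a uniform fill, 8 for uniformly random data."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_gaps(image: bytes, partitions: List[Partition]) -> List[dict]:
    """For every gap, report how many bytes are not in the erased state and the
    entropy of the gap, so an examiner can tell unused flash from hidden data."""
    report = []
    for start, end in find_gaps(len(image), partitions):
        chunk = image[start:end]
        non_erased = sum(1 for b in chunk if b != ERASED_BYTE)
        report.append({
            "start": start,
            "end": end,
            "non_erased_bytes": non_erased,
            "entropy": round(entropy(chunk), 2),
            "suspicious": non_erased > 0,
        })
    return report


def build_sample_image() -> Tuple[bytes, List[Partition]]:
    """Constructed 4 KiB image with a 256-byte gap between the OS/Application
    and Files partitions. Layout and contents are made up for the example."""
    os_app = Partition("OS/Application", 0, 2048)
    files = Partition("Files", 2304, 4096)
    image = bytearray([ERASED_BYTE] * 4096)
    image[0:2048] = bytes(range(256)) * 8   # stand-in for code
    image[2304:4096] = b"A" * 1792          # stand-in for file records
    # Something was written into the gap: a short ASCII note followed by erased bytes.
    image[2048:2048 + 20] = b"hidden note in gap!!"
    return bytes(image), [os_app, files]


if __name__ == "__main__":
    img, parts = build_sample_image()
    for row in inspect_gaps(img, parts):
        print(row)
```

A gap that is all 0xFF has never been written; a gap with low entropy and readable bytes is plain hidden data; a gap with entropy near 8 is compressed or encrypted and deserves the hex editor and the obfuscated-data checks described on this page.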

Page 28: File000149

Acquire Logs Information from BlackBerry

Log collection is the first step in the forensic investigation of the device.

Collect the logs available on the BlackBerry device; they are not accessible through the standard user interface.

The following are some of the hidden control functions used to review the logs:

Mobitex2 Radio Status
• Provides information on Radio Status, Roam & Radio, Transmit or Receive, and Profile String
• BlackBerry: Func + Cap + R
• Simulator: Ctrl + Shift + R

Page 29: File000149

Acquire Logs Information from BlackBerry (cont’d)

Device Status
• Provides information on memory allocation, port status, file system allocation, and CPU WatchPuppy
• Select a line in the Device Status screen using the RIM's thumbwheel to see detailed information and to access the logs
• BlackBerry: Func + Cap + B (or V)
• Simulator: Ctrl + Shift + B (or V)

Page 30: File000149

Acquire Logs Information from BlackBerry (cont’d)

Battery Status
• Provides information on battery type, load, status, and temperature

Page 31: File000149

Acquire Logs Information from BlackBerry (cont’d)

Free Mem
• Provides information on memory allocation, Common port, File system, WatchPuppy, OTA status, Halt, and Reset

Page 32: File000149

Program Loader

Program Loader is an imaging and analysis command-line tool.

Use the following commands with Program Loader:

SAVEFS:
• Writes a hex dump of the RIM's Flash RAM to FILESYS.DMP, in the same directory as programmer.exe

DIR:
• Lists the applications residing on the handheld by memory location

MAP:
• Displays detailed Flash and SRAM maps

ALLOC:
• Displays a "partition table"

Wpassword:
• Switch supplied on the BATCH command line, or on the first line of the batch file, when a password is required

Page 33: File000149

Review of Information

Information from the evidence is reviewed with:

Hex editor:
• The hex editor provides access to the entire file system, including deleted or "dirty" records, which are indicated by byte 3 of the file header
• Information is available regarding the bitwise file storage method used by the RIM OS

Simulator:
• To acquire or read the data from an image file, load the dump file into the BlackBerry SDK Simulator
• For this, rename the FILESYS.DMP file according to the following rules: "FS", then "HH" if an 857/957 or "Pgr" if an 850/950, then "Mb" if Mobitex or "Dt" if DataTAC, then ".DMP"
• The simulator's Flash memory size must be set to match the size of the DMP file
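An added example (my code, not from the module or the RIM SDK) that automates the review steps above in Python: converting a hex dump such as SAVEFS produces back into raw bytes, hashing the image so the copy can be shown to be exact, deriving the simulator file name from the rename rules, and checking that the dump length matches a configured simulator Flash size. The hex-dump line layout (offset, colon, hex pairs, optional ASCII column after a "|") is an assumption, since the module does not show SAVEFS output; SHA-256 is my choice of digest; the sample dump is constructed.

```python
import hashlib
from typing import Iterable, Optional, Tuple


def hexdump_to_bytes(text: str) -> bytes:
    """Turn a textual hex dump back into raw bytes. Assumed line layout (not shown
    in the module): '<offset>: XX XX XX ... |optional ascii|'. Offsets must be
    contiguous, so a skipped or duplicated line is caught instead of silently
    producing a shifted image."""
    out = bytearray()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("|", 1)[0].strip()   # drop any ASCII column
        if not line:
            continue
        offset_str, sep, hex_part = line.partition(":")
        if not sep:
            raise ValueError("line %d: no offset separator" % lineno)
        offset = int(offset_str, 16)
        if offset != len(out):
            raise ValueError("line %d: offset %X but %X bytes read so far"
                             % (lineno, offset, len(out)))
        out += bytes.fromhex(hex_part)   # whitespace between pairs is ignored
    return bytes(out)


def image_digest(data: bytes) -> str:
    """Digest recorded with the image for the chain of custody (SHA-256, my choice)."""
    return hashlib.sha256(data).hexdigest()


def verify_copy(original: bytes, copy: bytes) -> Tuple[bool, str]:
    """Hash both and compare: this is how the 'exact copy' of the imaging step is shown."""
    d_orig, d_copy = image_digest(original), image_digest(copy)
    return d_orig == d_copy, d_orig


def simulator_dump_name(model: str, network: str) -> str:
    """Apply the rename rule from the slide: FS + HH (857/957) or Pgr (850/950)
    + Mb (Mobitex) or Dt (DataTAC) + .DMP."""
    handheld = {"857": "HH", "957": "HH", "850": "Pgr", "950": "Pgr"}
    net = {"mobitex": "Mb", "datatac": "Dt"}
    try:
        return "FS" + handheld[model] + net[network.lower()] + ".DMP"
    except KeyError:
        raise ValueError("unsupported model/network: %s/%s" % (model, network))


def matching_flash_size(dump_len: int, flash_sizes: Iterable[int]) -> Optional[int]:
    """The simulator must be set to the Flash size equal to the dump length. Return
    that size, or None if no configured size matches (the dump is then truncated,
    padded, or from a device the simulator profile does not cover)."""
    for size in flash_sizes:
        if size == dump_len:
            return size
    return None


# Constructed 16-byte dump in the assumed layout; the bytes mean nothing.
SAMPLE_DUMP = """\
00000000: 4D 5A 90 00 03 00 00 00 |MZ......|
00000008: 04 00 00 00 FF FF 00 00 |........|
"""

if __name__ == "__main__":
    data = hexdump_to_bytes(SAMPLE_DUMP)
    print(len(data), "bytes, sha256", image_digest(data))
    print("simulator file name for a 957 on Mobitex:", simulator_dump_name("957", "Mobitex"))
    print("matching flash size:", matching_flash_size(len(data), [16, 32]))
```

Record the digest before loading the dump into the simulator and again afterwards; a simulator session that writes back to the image would otherwise go unnoticed.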

Page 34: File000149

Simulator: Screenshot

Page 35: File000149

Best Practices for Protecting Stored Data

To secure information stored on BlackBerry devices, make password authentication mandatory through the customizable IT policies of the BlackBerry Enterprise Server

To increase protection from unauthorized parties, there is no staging area between the server and the BlackBerry device where data is decrypted

Clean the BlackBerry device memory

Protect stored messages on the messaging server

Encrypt application password and storage on the BlackBerry device

Protect storage of user’s data on a locked BlackBerry device

Limit the password authentication to ten attempts

Use AES (Advanced Encryption Standard) technology to secure the storage of password keeper and password entries on BlackBerry device (e.g. banking passwords and PINs)
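The warning on the Acquire the Information slide (do not guess passwords on the device; failed attempts are limited and wiping follows) and the ten-attempt limit above describe the same trade-off. The Python below is an added example, not from the module: it tests candidates built from the written notes seized at the scene against the SHA-1 hash copied out of the image, where no attempt counter exists, and models the on-device counter to show how little room there is to fail. The hash construction (unsalted SHA-1 over the UTF-8 password bytes) is an assumption, since the module only says a SHA-1 hash is stored; the notes and the hash are constructed.

```python
import hashlib
from typing import Iterable, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 10  # the IT-policy limit this module recommends


def bb_password_hash(password: str) -> str:
    """Assumed construction: unsalted SHA-1 over the UTF-8 password bytes.
    The module only says a SHA-1 hash is stored; salt and encoding are not
    given, so replace this with the real derivation once it is known."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def candidates_from_notes(notes: Iterable[str]) -> List[str]:
    """Derive candidate passwords from the non-electronic evidence collected at
    the scene (written passwords, handwritten notes): each line trimmed, plus
    simple case variants, without duplicates and in first-seen order."""
    seen, out = set(), []
    for line in notes:
        base = line.strip()
        for cand in (base, base.lower(), base.upper()):
            if cand and cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def offline_match(stored_hash: str, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Test candidates against the hash copied out of the image, never against the
    handheld: there is no attempt counter and nothing can be wiped. Returns the
    matching candidate (or None) and how many candidates were tried."""
    target = stored_hash.lower()
    tried = 0
    for cand in candidates:
        tried += 1
        if bb_password_hash(cand) == target:
            return cand, tried
    return None, tried


class HandheldLock:
    """Model of the on-device counter, so the examiner can see how few attempts
    remain before the device erases itself."""

    def __init__(self, stored_hash: str, failed_so_far: int = 0,
                 limit: int = MAX_FAILED_ATTEMPTS):
        self.stored_hash = stored_hash.lower()
        self.failed = failed_so_far
        self.limit = limit
        self.wiped = False

    @property
    def attempts_remaining(self) -> int:
        return max(self.limit - self.failed, 0)

    def try_password(self, password: str) -> bool:
        if self.wiped:
            raise RuntimeError("device memory already wiped")
        if bb_password_hash(password) == self.stored_hash:
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= self.limit:
            self.wiped = True   # memory is gone, and so is the evidence
        return False


if __name__ == "__main__":
    # Constructed scene: the device hash (here derived from a made-up password) and
    # three lines transcribed from a sticky note found next to the handheld.
    stored = bb_password_hash("Orange7")
    notes = ["orange7", " Orange7 ", "bankpin 4412"]
    print("offline:", offline_match(stored, candidates_from_notes(notes)))
    lock = HandheldLock(stored, failed_so_far=8)
    print("attempts left on device:", lock.attempts_remaining)
```

The examiner's rule follows from the two functions: every candidate goes through offline_match first, and the handheld only ever sees a password that has already matched the hash.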

Page 36: File000149

BlackBerry Signing Authority Tool

The BlackBerry Signing Authority Tool helps developers protect their data and intellectual property.

It enables developers to control access to their sensitive application programming interfaces (APIs) and data by using public and private signature keys.

It uses asymmetric public/private key cryptography to validate the authenticity of a signature request.

It allows external developers to request, receive, and verify the signatures needed to access the specified APIs and data in a secure environment.

Page 37: File000149

Forensics Tool: RIM BlackBerry Physical Plug-in
http://www.paraben-forensics.com/

The RIM BlackBerry device physical plug-in performs physical acquisition of data from most types of RIM BlackBerry devices.

It can acquire:

• Address Book
• Auto Text
• Calendar
• Categories
• File System (from the Content Store database)
• Handheld Agent
• Hotlist
• Memo
• Messages
• Phone Call
• Profiles
• Quick Contacts
• Service Book
• SMS
• Task

Page 38: File000149

ABC Amber BlackBerry Converter
http://www.processtext.com/

This tool converts messages and contacts from IPD files into any document format.

Page 39: File000149

Pocket PC
http://www.datadoctor.in/

Pocket PC is a Windows-based tool that can be used for filtering and searching BlackBerry files.

Page 40: File000149

ABC Amber vCard Converter
http://www.processtext.com/

ABC Amber vCard Converter can be used to convert contacts from VCF (vCard) files into any document format.

Page 41: File000149

BlackBerry Database Viewer Plus
http://www.cellica.com/

BlackBerry Database Viewer Plus is database software for the BlackBerry handheld.

Features:

• Supports databases: MS Access, MS Excel, Oracle, SQL Server, FoxPro, dBase, and any ODBC-compliant database
• View and sync any database with the BlackBerry
• Modify database contents on the BlackBerry and reflect them back to the database
• Apply filters and sort the fields
• Apply any SQL SELECT query to the database to narrow down records
• Easy navigation through the database in both Record and Grid view using shortcut keys
• Create databases on the BlackBerry and import them on the desktop in .csv format
• Import record or field data into the Memo pad
• Manage databases in different categories

Page 42: File000149

Summary

BlackBerry is a personal wireless handheld device that supports e-mail, mobile phone capabilities, text messaging, web browsing, and other wireless information services

BlackBerry safeguards integrity, confidentiality, and authenticity of data using a strong encryption scheme

BlackBerry Serial Protocol is used to back up, restore, and synchronize data between the BlackBerry handheld unit and the desktop software

RIM's push technology adds a new dimension to the forensic investigation of a PDA: the device keeps receiving data unless its radio is controlled

To secure information stored on BlackBerry devices, make password authentication mandatory through the customizable IT policies of the BlackBerry Enterprise Server
