Module XXXVI – Blackberry Forensics
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Police Join AG BlackBerry Investigation
Source: http://www.10tv.com/
News: BlackBerry Wins Versus Windows Mobile For Google Apps Mail
Source: http://www.informationweek.com/
Module Objective
This module will familiarize you with:
• BlackBerry
• BlackBerry Operating System
• How BlackBerry Works
• BlackBerry Serial Protocol
• Blackjacking Attack
• BlackBerry Security
• BlackBerry Forensics
• Best Practices
• Forensics Tools
Module Flow
• BlackBerry
• BlackBerry Operating System
• How BlackBerry Works
• BlackBerry Serial Protocol
• Blackjacking Attack
• BlackBerry Security
• BlackBerry Forensics
• Best Practices
• Forensics Tools
BlackBerry
A personal wireless handheld device that supports e-mail, mobile phone capabilities, text messaging, web browsing, and other wireless information services
BlackBerries can be used:
• To compose, send, and receive messages
• As a phone
• To access the wireless Internet
• As a tethered modem
• As an organizer
• For sending SMS
• For instant messaging
• For corporate data access
• As a paging service
BlackBerry Operating System
BlackBerry OS 4.6 is the new version of the BlackBerry OS
Features of BlackBerry OS 4.6:
• Supports web standards such as AJAX and CSS
• Music Sync - a synchronization application for selecting and transferring music from a computer to a BlackBerry Smartphone
• Clock application - the evolution of the alarm application
• Supports continuous spell checking
• Numerous enhancements to existing BlackBerry Smartphone applications
• Eliminates the need to browse the address book when composing SMS
• Provides a method to add recipients to an SMS similar to the Email To: field
• Built-in light-sensing technology automatically adjusts screen and keyboard brightness for indoors or outdoors
How BlackBerry Works
[Diagram: How BlackBerry Works. Components shown: Desktop E-mail System (Microsoft Outlook with the BlackBerry Desktop Redirector, connected via SMTP/POP over the Internet); Corporate message center (Microsoft Exchange with BlackBerry Enterprise Server, over the corporate Internet); ISP Message Center (Mailbox Interface and Mailbox Synchronization, over the generic Internet); a Third Party Message Center and the BlackBerry Message Center, which reach the BlackBerry device (RIM PDA, RIM Modem; proprietary) over RIM's wireless protocol.]
BlackBerry Serial Protocol
BlackBerry Serial Protocol is used to back up, restore, and synchronize data between the BlackBerry handheld unit and the desktop software
It consists of simple packets and single-byte return codes
All packets have the same basic structure
BlackBerry Serial Protocol: Packet Structure
Bytes     Description
3         Packet header. Always D9 AE FB
1         Command type. Each command type has a unique value, which limits the set of commands available:
            40 = Normal command
            60 = Extended packet
            41 = ACK
            CF = Handshake challenge
            CE = Handshake reply
1         Command.
            For "Command Type" 41
            For "Command Type" 40, the value 00 specifies initialization-related commands. Any other value represents a command listed in the "Command Table"
            For "Command Type" 60, the only observed value has been 02
Variable  Command-dependent packet data
1         Footer. Always BF EA 9D
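Added example, not code from the module or from RIM: a framer and parser for the packet layout in the table above, plus a splitter that recovers packets from a raw serial capture. The byte values come from the table; since the table documents no length field, the parser treats everything between the command byte and the trailing footer as data, and the footer value BF EA 9D is handled as the three bytes it is. The sample packets are constructed.

```python
from dataclasses import dataclass

# Framing bytes from the packet-structure table
HEADER = b"\xD9\xAE\xFB"
FOOTER = b"\xBF\xEA\x9D"

# Command-type byte values from the table
COMMAND_TYPES = {
    0x40: "Normal command",
    0x60: "Extended packet",
    0x41: "ACK",
    0xCF: "Handshake challenge",
    0xCE: "Handshake reply",
}

@dataclass
class Packet:
    command_type: int
    command: int
    data: bytes

def build_packet(command_type: int, command: int, data: bytes = b"") -> bytes:
    """Frame a packet: header, command type, command, data, footer."""
    return HEADER + bytes([command_type, command]) + data + FOOTER

def parse_packet(raw: bytes) -> Packet:
    """Validate the framing and split one packet into its fields.
    Assumption: no length field is documented, so data = everything
    between the command byte and the trailing footer."""
    if len(raw) < len(HEADER) + 2 + len(FOOTER):
        raise ValueError("packet too short for header, type, command and footer")
    if not raw.startswith(HEADER):
        raise ValueError(f"bad header {raw[:3].hex()}")
    if not raw.endswith(FOOTER):
        raise ValueError(f"bad footer {raw[-3:].hex()}")
    command_type = raw[3]
    if command_type not in COMMAND_TYPES:
        raise ValueError(f"unknown command type {command_type:#04x}")
    return Packet(command_type, raw[4], raw[5:-3])

def describe(pkt: Packet) -> str:
    """Summarise a packet using the command rules given in the table."""
    note = ""
    if pkt.command_type == 0x40:
        note = "initialization-related" if pkt.command == 0x00 else "command-table entry"
    elif pkt.command_type == 0x60 and pkt.command != 0x02:
        note = "undocumented value, only 02 observed"
    name = COMMAND_TYPES.get(pkt.command_type, "Unknown")
    label = f"{name} cmd={pkt.command:02X} data={pkt.data.hex()}"
    return f"{label} ({note})" if note else label

def split_stream(buf: bytes) -> list:
    """Recover packets from a raw serial capture by scanning for the framing.
    Caveat: with no length field, a footer value inside packet data would end
    that packet early; resolving that needs the command table."""
    packets, pos = [], 0
    while (start := buf.find(HEADER, pos)) >= 0:
        end = buf.find(FOOTER, start + len(HEADER) + 2)
        if end < 0:
            break
        packets.append(parse_packet(buf[start:end + len(FOOTER)]))
        pos = end + len(FOOTER)
    return packets
```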
Blackjacking Attack
Blackjacking is the process of using the BlackBerry environment to circumvent perimeter defenses and directly attack hosts on an enterprise's networks
Attacker installs BBProxy on the user’s BlackBerry or sends it as an email attachment to the targets
Once this tool is activated, it opens a covert channel between attackers and compromised hosts on improperly secured enterprise networks
BlackBerry Attack Toolkit
"BlackBerry Attack Toolkit" contains BBProxy, BBScan, and relevant Metasploit patches to exploit the vulnerability of any website
• The BBProxy tool runs on BlackBerry devices and allows the device to be used as a proxy between the Internet and the internal network
• BBScan is the BlackBerry port scanner
BlackBerry Attachment Service Vulnerability
The BlackBerry Attachment Service in BlackBerry Enterprise Server uses the Windows Graphics Device Interface (GDI) component to convert images to a format viewable on the BlackBerry smartphone
A vulnerability exists in the Windows GDI component when it processes Windows Metafile (WMF) and Enhanced Metafile (EMF) images
Through this vulnerability, a malicious user can run arbitrary code on the computer on which the BlackBerry Attachment Service is running
If a BlackBerry smartphone user on a BlackBerry Enterprise Server with the BlackBerry Attachment Service running uses the smartphone to open and view a WMF or EMF image attachment in a received email message sent by a user with malicious intent, the computer on which the BlackBerry Attachment Service is running could be compromised
TeamOn Import Object ActiveX Control Vulnerability
BlackBerry Internet Service works with T-Mobile My E-mail to give BlackBerry users secure, direct access to any combination of registered enterprise, proprietary, Post Office Protocol 3 (POP3), or Internet Message Access Protocol 4 (IMAP4) email accounts
The BlackBerry Internet Service and T-Mobile My E-mail websites use the TeamOn Import Object Microsoft ActiveX control, which is vulnerable to a buffer overflow
The buffer overflow occurs when a user views the BlackBerry Internet Service or T-Mobile My E-mail website in Internet Explorer and tries to install and run the ActiveX control
Denial of Service in BlackBerry Browser
A malicious user can create a web site with an HTML or WML web page that contains a long string value within a link
When a BlackBerry user accesses such a link using the BlackBerry Browser, a temporary denial of service may occur that stops the device from responding
BlackBerry Security
The BlackBerry Enterprise Solution offers two transport encryption options, Advanced Encryption Standard (AES) and Triple Data Encryption Standard (Triple DES), for all data transmitted between BlackBerry® Enterprise Server and BlackBerry smartphones
BlackBerry uses a strong encryption scheme to safeguard:
• Integrity
• Confidentiality
• Authenticity of the data
BlackBerry Wireless Security
Transport encryption options
• Choose either Triple DES (Data Encryption Standard) or AES (Advanced Encryption Standard) to encrypt messages and data
Content protection
• Enforce local encryption of all data (messages, address book entries, calendar entries, memos, and tasks) via IT policy
Password Keeper
• Password Keeper securely stores password entries on the device (e.g. banking passwords, PINs, etc.) using AES encryption technology
Wireless encryption key regeneration
• Users regenerate encryption keys directly from their device
BlackBerry Security for Wireless Data
BlackBerry Security for Wireless Data (cont’d)
Prerequisites for Blackberry Forensics
Hardware Tools:
• Faraday cage
• RIM BlackBerry Physical Plug-in
• StrongHold tent
Software Tools:
• Program Loader
• Hex editor
• Simulator
• BlackBerry Signing Authority Tool
Steps for BlackBerry Forensics
• Collect the evidence
• Document the scene and preserve the evidence
• Imaging and Profiling
• Acquire the information
• Review the information
Collect the Evidence
Seize the BlackBerry and computer evidence at the scene
Seize the BlackBerry memory cards such as SD and MMC
Collect non-electronic evidence such as written passwords, handwritten notes, and computer printouts
Prevent unauthorized persons from entering the scene and touching the evidence
Document the Scene and Preserve the Evidence
All devices connected to the BlackBerry must be documented
Take photographs of all evidence at the scene
Document the state of the device during seizure
Preserve all the documents in a secure location
Secure the BlackBerry device and other evidence while transporting and storing
Secure the devices from mechanical or electrical shock
Maintain the chain of custody of documents, photographs, and evidence
Radio Control
There are two different ways to control wireless signal of the device to maintain evidence:
• Turn off the wireless signal through the main menu
• If interaction with the device is not desired, put the device in a Faraday cage
A Faraday cage prevents the device from receiving any wireless data
Imaging and Profiling in BlackBerry
Imaging is the process of creating an exact copy of the contents of a digital device so that the original is protected from changes
Use the SDK utility that dumps the contents of the Flash RAM into a file
An investigator can extract the logs from the image or perform the investigation on the image
Use Program Loader for imaging and other inspection
Acquire the Information
Leave the RIM in an “off” state when:
• Power is removed for an extended period of time or the unit is placed in data storage mode
• Unit is turned back “on” from an “off” or true powered down state
Turn off the radio if the RIM is in the "on" state
• Take the RIM to a secured location to turn it "on" and immediately shut down the radio before examination
Get the password if the RIM is password protected
• A SHA-1 hash of the password is stored on the RIM
• If the password is not available, a direct-to-hardware solution is used
• Do not try passwords at random, as the number of failed password attempts is limited; exceeding it may lead to wiping of the memory
Hidden Data in BlackBerry
Data can be hidden on a RIM device in different ways such as:
• Hidden databases
• Partition gaps
• Obfuscated data
Data can be hidden in the gap between the OS/Application and Files partitions
Use tools such as the RIM Walker database reader to read the hidden databases
This hidden data can also be viewed using the SAVEFS Programmer command
Acquire Logs Information from BlackBerry
Log collection is the first step in the forensics investigation
Collect the logs available on the BlackBerry device
Logs are not accessible using the standard user interface
The following are some of the hidden control functions used to review the logs:
Mobitex2 Radio Status
• It provides information on Radio Status, Roam & Radio, Transmit or Receive, and Profile String
• BlackBerry: Func + Cap + R
• Simulator: Ctrl + Shift + R
Acquire Logs Information from BlackBerry (cont’d)
Device Status
• It provides information on memory allocation, port status, file system allocation, and CPU WatchPuppy
• Select a line in the Device Status using the RIM's thumbwheel to see detailed information and to access logs
• BlackBerry: Func + Cap + B (or V)
• Simulator: Ctrl + Shift + B (or V)
Acquire Logs Information from BlackBerry (cont’d)
Battery Status
• It provides information on battery type, load, status, and temperature
Acquire Logs Information from BlackBerry (cont’d)
Free Mem
• It provides information on memory allocation, Common port, File system, Watchpuppy, OTA status, Halt, and Reset
Program Loader
Program Loader is an imaging and analysis command line tool
Use the following commands with Program Loader:
• SAVEFS: writes a hex dump of the RIM's Flash RAM to FILESYS.DMP, in the same directory as programmer.exe
• DIR: lists applications residing on the handheld by memory location
• MAP: displays detailed Flash and SRAM maps
• ALLOC: displays a "partition table"
• Wpassword: switch on the BATCH command line or on the first line of the batch file if a password is required
Review of Information
Information from the evidence is reviewed by:
Hex editor:
• The hex editor provides access to the entire file system, including deleted or "dirty" records, indicated by byte 3 of the file header
• Information is available regarding the bitwise file storage method used by the RIM OS
Simulator:
• To read the data from the image file, load the dump file into the BlackBerry SDK Simulator
• For this, rename the FILESYS.DMP file according to the following rules:
  • "FS"
  • "HH" if an 857/957, "Pgr" if an 850/950
  • "Mb" if Mobitex or "Dt" if Datatac
  • ".DMP"
• The Simulator must be set to match the Flash memory size to the size of the DMP file
Simulator: Screenshot
Best Practices for Protecting Stored Data
To secure information stored on BlackBerry devices, make password authentication mandatory through the customizable IT policies of the BlackBerry Enterprise Server
To increase protection from unauthorized parties, there is no staging area between the server and the BlackBerry device where data is decrypted
Clean the BlackBerry device memory
Protect stored messages on the messaging server
Encrypt application password and storage on the BlackBerry device
Protect storage of user’s data on a locked BlackBerry device
Limit the password authentication to ten attempts
Use AES (Advanced Encryption Standard) technology to secure the storage of password keeper and password entries on BlackBerry device (e.g. banking passwords and PINs)
BlackBerry Signing Authority Tool
The BlackBerry Signing Authority Tool helps developers protect their data and intellectual property
It enables developers to control access to their sensitive APIs (Application Programming Interfaces) and data by using public and private signature keys
It uses asymmetric private/public key cryptography to validate the authenticity of a signature request
It allows external developers to request, receive, and verify signatures for accessing specified APIs and data in a secure environment
Forensics Tool: RIM BlackBerry Physical Plug-in
http://www.paraben-forensics.com/
The RIM BlackBerry device physical plug-in performs physical acquisition of data from most types of RIM BlackBerry devices
It can acquire:
• Address Book
• Auto Text
• Calendar
• Categories
• File System (from Content Store database)
• Handheld Agent
• Hotlist
• Memo
• Messages
• PhoneCall
• Profiles
• QuickContacts
• Service Book
• SMS
• Task
ABC Amber BlackBerry Converter
http://www.processtext.com/
This tool is used to convert messages and contacts from IPD files into any document format
Pocket PC http://www.datadoctor.in/
Pocket PC is a Windows-based tool that can be used for filtering and searching BlackBerry files
ABC Amber vCard Converter
http://www.processtext.com/
ABC Amber vCard Converter can be used to convert the contacts from the VCF (vCard) files to any document files
BlackBerry Database Viewer Plus
http://www.cellica.com/
BlackBerry Database Viewer Plus is database software for BlackBerry handhelds
Features:
• Supports databases: MS Access, MS Excel, Oracle, SQL Server, FoxPro, dBase, and any ODBC compliant database
• View and sync any database with BlackBerry
• Modify database contents on BlackBerry and reflect them to the database
• Apply filters and sort the fields
• Apply any SQL Select query on the database to filter records
• Easy navigation through the database in both Record and Grid view using shortcut keys
• Create databases on BlackBerry and import them on the Desktop in .csv format
• Import Record or Field data to Memo pad
• Manage databases in different categories
Summary
BlackBerry is a personal wireless handheld device that supports e-mail, mobile phone capabilities, text messaging, web browsing, and other wireless information services
BlackBerry safeguards integrity, confidentiality, and authenticity of data using a strong encryption scheme
BlackBerry Serial Protocol is used to back up, restore, and synchronize data between the BlackBerry handheld unit and the desktop software
RIM's push technology adds a new dimension to the forensics investigation of a PDA
To secure information stored on BlackBerry devices, make password authentication mandatory through the customizable IT policies of the BlackBerry Enterprise Server