Computer Hacking Forensic Investigator Exam 312-49
BlackBerry Forensics Module XXXVI
Page | 3323
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Computer Hacking Forensic Investigator (CHFI)
Module XXXVI: BlackBerry Forensics
Exam 312-49

News: Police Join AG BlackBerry Investigation

Source: http://www.10tv.com/

Police joined the search for a BlackBerry as they suspected that it may hold evidence related to a general investigation. Paul Aker reported that detectives were dusting Jen Urban's apartment (Urban is an attorney in the attorney general's office) for fingerprints, as she said that her BlackBerry and other items were stolen from the apartment.

"It's unfortunate," Urban told 10 investigators. "A lot of my personal belongings were taken. I do not know the motivation behind it."

Aker reported that:

- State investigators said they were "very curious" about the timing
- The burglary took place just hours after an unannounced sweep of Attorney General Marc Dann's office by the Inspector General
- Inspector General Thomas Charles locked all the computers, including the one belonging to Urban
- Charles said that his office wants to find Urban's missing BlackBerry

According to investigators in their final report, the device could contain important information, as they suspect that Urban was romantically linked to Leo Jennings III, who served as Dann's communications director.

Urban stated that someone walked into the apartment at about 5 a.m. and took her television, along with her purse and BlackBerry. She told police that the crime happened while she was on the back patio and Jessica Utovich, Dann's former scheduler, was on her couch. Later, she changed her statement, saying that Utovich was out during the burglary. To support the later statement she said, "It is discerned at this time that the items were taken before she rested on the couch."
Aker further reported that 10 investigators learned that the Inspector General seized a BlackBerry belonging to Tom Winters, who took over as acting Attorney General when Dann resigned. The women who were sexually harassed inside Dann's office claimed that Winters knew about some of the problems in January but failed to act; Winters declined to comment.

Module Objective

This module will familiarize you with:

- BlackBerry
- BlackBerry Operating System
- How BlackBerry Works
- BlackBerry Serial Protocol
- Blackjacking Attack
- BlackBerry Security
- BlackBerry Forensics
- Best Practices
- Forensics Tools

Module Flow

BlackBerry

In 1999, Research In Motion (RIM) manufactured the BlackBerry wireless handheld device. It provides a number of applications such as email, mobile telephone, text messaging, Internet faxing, web browsing, and other wireless information services. Initially, it focused on email. BlackBerry transports data over the wireless data networks of mobile phone service companies. BlackBerry has a small built-in QWERTY keyboard, with an Alt key for entering special numbers and characters. It has a self-configurable "AutoText" feature that provides a list of frequently used words or special characters.
You can navigate through the system using the trackwheel, which allows you to select an option with a click function on the right side of the device. Certain BlackBerry models incorporate a two-way radio. Modern BlackBerry devices have ARM 7 or ARM 9 processors. While the old BlackBerry 950 and 957 devices used Intel 80386 processors, the latest GSM BlackBerry models (8100 and 8700 series) have an Intel PXA901 312 MHz processor, 64 MB of flash memory, and 16 MB of SDRAM.

BlackBerry provides solutions to meet the needs of:

- Individuals: Everyone can stay in contact with work and home
- Enterprise and government customers: With the help of BlackBerry, professionals can keep in contact with their existing email and other enterprise systems
- Small/medium business: The Explore option of a BlackBerry has the ability to address several wireless requirements of your business

A BlackBerry can be used:

- As an address book and calendar, and to create to-do lists
- To compose, send, and receive messages
- As a phone
- To access the wireless Internet
- As a tethered modem
- As an organizer
- For corporate data access
- As a paging service

BlackBerry Operating System

The BlackBerry's operating system runs on its Intel 80386 microprocessor. The devices that connect to BlackBerry require a built-in RIM wireless modem. The operating system is event-driven, and it supports multitasking and multithreaded applications. This operating system makes use of input devices such as the thumbwheel. If a message needs access to the operating system, it is done using the RimGetMessage() Application Programming Interface (API). When the operating system has no applications to process, the processor switches to standby mode.
With the help of proprietary BlackBerry APIs, third-party developers can write software, but applications that use some restricted functionality must be digitally signed, which ties the authorship of an application to a particular developer. Earlier, BlackBerry software development was based on C++, but the latest models support MDS and Java. Java supports the RIM devices that come with the J2ME MIDP platform. RIM provides a Java Developers Kit that supports a custom application model that is different from the J2ME MIDP specification. The JDK consists of the javax.microedition package and RIM's own net.rim.device.api package, which supports a host of operating-system-specific classes like Bitmap, Application Registry, Keypad, Radio, and Persistent Object.

BlackBerry OS 4.6 is the new version of BlackBerry. It has the following features:

- Support for web standards, like AJAX and CSS
- 1 GB onboard memory and 128 MB flash memory
- High capacity, slim 1500 mAh battery
- Tri-band UMTS: 2100/1900/850
- 3.6 Mbps HSDPA
- Supports Wi-Fi technology (802.11a/b/g)
- Supports GPS features
- Quad-band GSM/GPRS/EDGE
- Music synchronization
- Clock application (the evolution of the alarm application)

How BlackBerry Works

The BlackBerry wireless email solution is simple. It works as follows:

Step 1: The BlackBerry Enterprise Server (BES) constantly monitors BlackBerry users' mailboxes. When a new message arrives in a user's Exchange mailbox, BES picks up that message.

Step 2: After retrieving the message, BES compresses and encrypts it and sends it over the Internet and a wireless network to the BlackBerry server.

Step 3: In transit the message is not readable text; it is decrypted only on the destination user's BlackBerry handheld.
Step 4: The server decrypts and decompresses the message and then places the email into the Outbox. During this procedure, a copy of the message is placed in the Sent Items folder.

The BlackBerry Enterprise Server (BES) uses MAPI to communicate with the user's Inbox. Because of MAPI, BES immediately knows about an incoming message. BES supports Triple DES security, which helps with secure transmission of the data.

Figure 36-01: Working of BlackBerry (Source: http://www.freeprotocols.org/)

BlackBerry Serial Protocol

The BlackBerry Serial Protocol backs up, restores, and synchronizes the data between the BlackBerry device and the desktop system. It is comprised of simple packets and single-byte return codes. The packets have a similar structure and consist of the following fields:

- Packet header (3 bytes)
- Command type (1 byte)
- Command (1 byte)
- Command-dependent packet data (variable)
- Footer (3 bytes)

The various packets include:

- Normal command packets
- Extended packets
- ACK packets

BlackBerry Serial Protocol: Packet Structure

Table 36-01: BlackBerry serial protocol packet structure
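The field layout above is enough to split a captured packet into its parts for review. The following Python is an added example, not RIM's code or part of the module: the field widths come from the text, while the header and footer byte values and the mapping from the command-type byte to the three packet kinds (normal, extended, ACK) are constructed placeholders, since the module does not give the real encodings.

```python
"""Field splitter for the BlackBerry Serial Protocol packet layout described above.

Added example, not RIM's code. Field widths come from the text: 3-byte header,
1-byte command type, 1-byte command, variable command-dependent data, 3-byte
footer. The header/footer byte values and the command-type-to-kind mapping are
constructed placeholders; the text does not give the real encodings.
"""
from dataclasses import dataclass

HEADER_LEN = 3
CMD_TYPE_LEN = 1
CMD_LEN = 1
FOOTER_LEN = 3
MIN_PACKET_LEN = HEADER_LEN + CMD_TYPE_LEN + CMD_LEN + FOOTER_LEN  # 8 bytes with no data

# Assumed mapping from the command-type byte to the three packet kinds the text names.
PACKET_KINDS = {0x00: "normal", 0x01: "extended", 0x02: "ack"}


@dataclass(frozen=True)
class SerialPacket:
    header: bytes
    command_type: int
    command: int
    data: bytes
    footer: bytes

    @property
    def kind(self) -> str:
        return PACKET_KINDS.get(self.command_type, "unknown")


def classify(raw: bytes) -> str:
    """The protocol carries full packets and single-byte return codes; tell them apart by length."""
    if len(raw) == 1:
        return "return_code"
    if len(raw) >= MIN_PACKET_LEN:
        return "packet"
    return "truncated"


def parse_packet(raw: bytes) -> SerialPacket:
    """Split one complete packet into its fields.

    The text gives no length field, so the caller must hand over exactly one
    packet; the data field is whatever lies between the command and the footer.
    """
    if classify(raw) != "packet":
        raise ValueError(f"not a complete packet: {len(raw)} byte(s), need at least {MIN_PACKET_LEN}")
    data_start = HEADER_LEN + CMD_TYPE_LEN + CMD_LEN
    data_end = len(raw) - FOOTER_LEN
    return SerialPacket(
        header=bytes(raw[:HEADER_LEN]),
        command_type=raw[HEADER_LEN],
        command=raw[HEADER_LEN + CMD_TYPE_LEN],
        data=bytes(raw[data_start:data_end]),
        footer=bytes(raw[data_end:]),
    )


def build_packet(command_type: int, command: int, data: bytes = b"",
                 header: bytes = b"\x00\x00\x00", footer: bytes = b"\x00\x00\x00") -> bytes:
    """Assemble a packet in the same layout, checking the fixed field widths."""
    if len(header) != HEADER_LEN or len(footer) != FOOTER_LEN:
        raise ValueError("header and footer must be exactly 3 bytes each")
    if not 0 <= command_type <= 0xFF or not 0 <= command <= 0xFF:
        raise ValueError("command type and command are single bytes")
    return header + bytes([command_type, command]) + data + footer


def describe(packet: SerialPacket) -> str:
    """One-line summary in the form an examiner would note beside a hex dump."""
    return (f"{packet.kind} packet: cmd_type=0x{packet.command_type:02X} "
            f"cmd=0x{packet.command:02X} data={packet.data.hex() or '-'} "
            f"header={packet.header.hex()} footer={packet.footer.hex()}")


if __name__ == "__main__":
    # Constructed sample packet: an "extended" command 0x2A carrying the bytes "hello".
    sample = build_packet(0x01, 0x2A, b"hello", header=b"\xaa\xbb\xcc", footer=b"\xdd\xee\xff")
    print(describe(parse_packet(sample)))
```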
Blackjacking Attack

Blackjacking means hijacking a BlackBerry connection. Attackers make use of the BlackBerry environment to get past the security perimeter and directly attack hosts on the internal network. The attacker uses the BBProxy tool to conduct Blackjacking. It is a security assessment tool that allows the attacker to use BlackBerry devices as a proxy between the Internet and an internal network. The attacker installs BBProxy on the user's BlackBerry or sends it as an email attachment to the target device. Once activated, it establishes a covert channel between the attacker and compromised hosts on improperly secured enterprise networks.

BlackBerry Attack Toolkit

The BlackBerry Attack Toolkit contains BBProxy, BBScan, and relevant Metasploit patches to exploit the vulnerability of any website. The attacker can hide the malicious software in the handheld, which in turn invades the entire network it is connected to. BBProxy is the tool generally used to attack the BlackBerry device. When this tool is installed on the device, it allows the device to be used as a proxy between the Internet and the internal network. BBScan is the BlackBerry port scanner.

BlackBerry Attachment Service Vulnerability

Source: http://www.BlackBerry.com/

The BlackBerry Attachment Service in BlackBerry Enterprise Server uses a Graphics Device Interface (GDI) component to convert images to a format viewable on BlackBerry smartphones.
The vulnerability lies in the GDI component of Windows while it processes Windows Metafile (WMF) and Enhanced Metafile (EMF) images. This vulnerability in the GDI component exposes the BlackBerry Attachment Service to attacks that could allow a malicious user to run arbitrary code on the computer on which the BlackBerry Attachment Service is running. If a BlackBerry smartphone user is on a BlackBerry Enterprise Server with the BlackBerry Attachment Service running, and the user tries to open and view a WMF or EMF image attachment in a received email message sent by a user with malicious intent, the computer on which the BlackBerry Attachment Service is running could be compromised.

TeamOn Import Object ActiveX Control Vulnerability

Source: http://www.BlackBerry.com/

The BlackBerry Internet Solution is designed to work with T-Mobile My E-mail to give BlackBerry device users secure and direct access to any combination of registered enterprise, proprietary, Post Office Protocol 3 (POP3), or Internet Message Access Protocol 4 (IMAP4) email accounts on their BlackBerry devices using a single user login account. A vulnerability exists in the TeamOn Import Object Microsoft ActiveX control used by BlackBerry Internet Service 2.0 on the BlackBerry Internet Service and T-Mobile My E-mail websites. This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 8.0 (Critical). When Internet Explorer is used to view the BlackBerry Internet Service or T-Mobile My E-mail websites that use the TeamOn Import Object ActiveX control, and the user installs and runs the ActiveX control, the control introduces the vulnerability to the system.
An exploitable buffer overflow exists in the TeamOn Import Object ActiveX control used by the BlackBerry Internet Service and T-Mobile My E-mail websites.

Denial of Service in BlackBerry Browser

Source: http://www.BlackBerry.com/

A website creator with malicious intent may use a Hypertext Markup Language (HTML) or Wireless Markup Language (WML) web page that contains a long string value within a link. If the BlackBerry device user accesses the link using the BlackBerry Browser, a temporary denial of service may occur and the BlackBerry device may stop responding.

A temporary denial of service vulnerability exists in the BlackBerry Browser. The BlackBerry Browser may stop responding when parsing a long web page address. While parsing a long web page address, the BlackBerry Browser consumes the BlackBerry device's processing capability. This may cause the BlackBerry device to stop responding or become slow to respond.

BlackBerry Security

BlackBerry uses a strong encryption scheme to safeguard:

- Integrity: Data integrity depends on the security of the encryption protocol used to encrypt the data. Data integrity is generally maintained by using a Message Authentication Code (MAC), producing a unique digital fingerprint of a document known as a hash.
- Confidentiality: Confidentiality is achieved using various encryption mechanisms
- Authenticity: Authenticity is achieved using digital signatures

The BlackBerry Enterprise Solution provides two types of encryption for all data transmitted between the BlackBerry Enterprise Server and BlackBerry smartphones:

- Advanced Encryption Standard (AES)
- Triple Data Encryption Standard (Triple DES)

BlackBerry Wireless Security

The BlackBerry encryption security mechanism meets United States military standards. The U.S. government gave the designation 140/2 to BlackBerry, which permits its use by government agencies and the armed forces. During transit between the BES and the BlackBerry, BES ensures that your confidential data is secured by using encryption methods such as the Advanced Encryption Standard (AES) and Triple Data Encryption Standard (Triple DES). BES keeps the data encrypted during transit and ensures that the data between the BES and the handheld is not decrypted anywhere outside the corporate firewall.

The private encryption keys are generated in a secure, two-way authenticated environment. The private keys that are used to access BlackBerry devices remotely are stored in the BlackBerry user's secure mailbox (Microsoft Exchange, IBM Lotus Domino, or Novell GroupWise mailbox). Using the private key (which is available from the user's mailbox), any data that is sent to a BlackBerry device can be encrypted and sent to the device, where it can be decrypted using the key available on that device. The MDS (Mobile Data System) service acts as a secure gateway between the wireless networks, corporate intranets, and the Internet.
Figure 36-02: BlackBerry Security for Wireless Data (Source: http://www.BlackBerry.com/)

Prerequisites for BlackBerry Forensics

The following are the hardware tools:

- Faraday cage
- RIM BlackBerry Physical Plug-in
- StrongHold tent

The following are the software tools:

- Program Loader
- Hex editor
- Simulator
- BlackBerry Signing Authority Tool

Steps for BlackBerry Forensics

- Collect the evidence
- Document the scene and preserve the evidence
- Imaging and profiling
- Acquire the information
- Review the information

Collect the Evidence

Seize BlackBerry handheld devices and computer devices present at the evidence site. Seize memory devices such as SD and MMC cards. Collect non-electronic evidence such as written passwords, handwritten notes, computer printouts, etc.

While collecting the devices, take the following precautions:

- Take care to preserve evidence such as fingerprints on the devices
- Evidence should not be damaged
- Collect and keep the devices in bags
- Stop unauthorized persons from entering the scene and touching the evidence
Document the Scene and Preserve the Evidence

Prepare documentation about the scene, which must include the state of all the evidence at the scene. Besides documents, photographs of the evidence are also necessary in the investigation. Take photographs of the scene and all the evidence present there. Evidence and documents must be kept in a secure place to protect them from damage.

The main aim of preserving the evidence is to maintain its integrity. Keep all evidence in such a way that it is easily identifiable. If possible, label each piece of evidence with where, when, and how it was found. Secure the BlackBerry device and other evidence while transporting and storing them. Protect the devices from mechanical or electrical shock. Maintain a chain of custody for documents, photographs, and evidence.

Radio Control

Radio waves can be used to control a device through radio signals. A switched-on BlackBerry device always emits radio waves to accept incoming connections. If a new connection is established over these radio waves, the evidence in the BlackBerry may be tampered with or completely spoiled. This makes it necessary to control these radio waves to preserve evidence integrity. There are two ways to control the wireless signals and maintain the evidentiary value of the device:

- Turn off the wireless signals through the main menu
- Place the device in a Faraday cage when there is no need to interact with the device
The Faraday cage will prevent the device from receiving any wireless data that could damage the evidence.

Imaging and Profiling in BlackBerry

Source: http://www.rh-law.com/

Imaging is the process of creating an exact copy of the contents of a digital device to protect the original from changes. An image of the file system should be taken as the first step, as long as the logs are not required or a method of extracting the logs from the image has been developed. An image, or bit-by-bit backup, is acquired using an SDK utility that dumps the contents of the Flash RAM into a file that is easily examined with a hex editor.

The Program Loader, which is used to perform most of the inspection in addition to taking the image, will cause a reset each time it is run. Recall that a reset can mean a file system cleanup. This means that to get a partition table, you risk changing the file system and spoiling the data. One way to work around this is to use the BATCH command. The BATCH command groups all the command switches into one access, so multiple resets can be avoided.

The Program Loader is run from the command line:

PROGRAMMER [-Pport] [-Sspeed] [-Wpassword] command

Acquire the Information

Source: http://www.rh-law.com/

With the radio in the on state, data can be pushed onto the unit, overwriting the previous data, which makes it difficult to retrieve the lost data. Thus, a forensic investigator's attempt to obtain an unaltered file system becomes more difficult. In order to preserve the unit, turn off the radio immediately.
Turn off the radio and not the entire unit for three specific reasons:

1. The BlackBerry is not really off unless power is removed for an extended period of time or the unit is placed in data storage mode. Only the display, keyboard, and radio are shut down when using the GUI to turn off the unit.
2. When the unit is turned on from an off mode or a true powered-down state, queued items may be pushed to the unit before there is a chance to turn off the radio.
3. A program might be installed on the unit that can accept remote commands via email, by which the owner of the BlackBerry can delete or alter information to mislead the investigator.

- If the RIM is off, leave it off
- If the RIM is on, turn off the radio
- If the RIM is password protected, get the password

Turn off the radio if the RIM is in the on state. If the unit is off at the time of acquisition, take the RIM to a secured location to turn it on and immediately shut down the radio before examination.

Hidden Data in BlackBerry

The various methods of hiding data on RIM devices are hidden databases, partition gaps, and obfuscated data. Certain custom-written databases do not display their icon in the ribbon graphical user interface (GUI). This enables hidden data transport. Rim Walker is a tool that can identify such a database on the subject unit when installed on that unit. Such a database can be viewed with the SAVEFS Programmer command if it is in unencrypted form.

Unused space in the file system can be utilized using the SDK tools. Data stored at the end of the available file system space is retained after the device is reset and can be tested with the SAVEFS Programmer command. The data can only be viewed but is not accessible.
The gap between the OS/application partition and the files partition can be used to store information. You can view the partition table using the ALLOC Programmer command. The space between partitions can be used with the SAVEFS and LOADFS commands, which can load data into such spaces. Attackers may write programs that directly access the memory and write to the space between the partitions.

Acquire Logs Information from BlackBerry

Source: http://www.rh-law.com/

The initial step for collecting evidence from a BlackBerry is to gather the logs. This procedure is in violation of forensic method, because taking an image afterwards wipes the record of logs on the handheld. Before applying the SDK tool, you must access the logs present on the original device, and not through the standard user interface. The hidden controls to review logs are Mobitex2 Radio Status, Device Status, Battery Status, and Free Mem. Logs are reviewed through unit control functions:

Mobitex2 Radio Status

Provides access to the following four logs:

1. Radio Status: Enumerates the state of radio functions
2. Roam & Radio: Records Base/Area (tower) and Roam (channel) information, with a duration of up to 99 hours per Base/Area/Channel. This log wraps at 16 entries and will not survive a reset. A blank entry represents a radio-off state
3. Transmit/Receive: Records TxRx, gateway MAN addresses, type and size of the data transmitted, and both network and handheld date stamps per transmission
4. Profile String: This is a recorded negotiation with the last utilized radio tower

Radio Status: BlackBerry: Func + Cap + R; Simulator: Ctrl + Shift + R

Figure 36-03: Radio Status

Device Status

This function reviews the logs that give detailed information about memory allocation, port status, file system allocation, and the CPU WatchPuppy. Select a line in the Device Status using the RIM's thumbwheel to see detailed information and to access logs.

BlackBerry: Func + Cap + B (or V); Simulator: Ctrl + Shift + B (or V)

Figure 36-04: Device Status

Battery Status

Battery Status provides information on battery type, load, status, and even temperature.

Figure 36-05: Battery Status

Free Mem

This provides information on memory allocation, comm port, file system, WatchPuppy, OTA status, halt, and reset. This value can prove that the unit cleans up the file system when reset.

Figure 36-06: Free Mem

Comm Port

This indicates the port's state. The security thread is not unique.

Figure 36-07: Comm Port

File System

This indicates the basic values for free space and handles. The number of handles is limited; the limits can be found in the SDK guides.

Figure 36-08: File System

WatchPuppy

The CPU WatchPuppy logs an entry when an application uses the CPU past a predetermined threshold. It kills processes that do not release the CPU.
Figure 36-09: WatchPuppy

Change To

You can find the Over the Air (OTA) calendar log in the Change To menu: the OTA log records the last items synchronized via wireless calendaring on 32 lines and provides access to the debugging information.

Figure 36-10: Change To

Halt & Reset

Reset causes the unit to re-read the file system and can trigger a file system cleanup. Items that are marked as deleted will be deleted permanently during cleanup. At cleanup, the memory is freed for future use, which has to be avoided for a successful forensic investigation.

Figure 36-11: Halt & Reset

Program Loader

Source: http://www.rh-law.com/

Program Loader is an imaging and analysis command line tool. Use the following commands with Program Loader:

SAVEFS: The SAVEFS command writes a hex dump of the RIM's Flash RAM to FILESYS.DMP, in the same directory as programmer.exe. The file will be exactly equal in size to the amount of Flash RAM available in the device (i.e. 950 = 4 MB, 957 = 5 MB). View this file with any hex editor. See Appendix A for more hex dump information. Immediately rename and write-protect the file: the next time the Program Loader is run with SAVEFS it will overwrite FILESYS.DMP without warning. This is also a good opportunity to hash the file to prove its integrity later in the investigation.

DIR: The DIR command lists applications residing on the handheld by memory location. This will be useful later when attempting to emulate the original handheld on a PC. Take note of any non-standard or missing applications.
Figure 36-12: List of DIR commands

VER: The VER command lists applications residing on the handheld and their corresponding version numbers. This will be useful later when attempting to emulate the original handheld on a PC. Take note of any non-standard or missing applications.

Figure 36-13: List of VER commands

MAP: The MAP command displays detailed Flash and SRAM maps.

Figure 36-14: List of MAP commands

ALLOC: The ALLOC command displays a partition table that lists the breakpoints between application memory and file system memory. Take note of any unused sectors and any difference between the end of the files area and the start of the OS and application area. These do not have to be the same, and this is an excellent example of how data hiding can occur on a RIM device.

Figure 36-15: List of ALLOC commands

BATCH filename: The BATCH command groups the previous commands into a single communication session with the RIM device. This author's testing has shown that all of the commands are compatible within the same batch, with the exception of the SAVEFS or LOADFS options. These must be performed separately, which is why the SAVEFS image should come before all of the others. The amount of free space can possibly change during an initialization.
Since a cleanup may erase previously retrievable data, it makes sense to take the image first.

Wpassword: Switch used on the BATCH command line, or on the first line of the batch file, if a password is required.

Review of Information

Source: http://www.rh-law.com/

There are two options for reviewing the information in the hex dump:

1. Manual review of the hex file with a hex editor gives access to the file system, including the deleted records (indicated by byte 3 of the file header).
2. Load the hex file into the BlackBerry SDK Simulator for review. The SDK makes it possible to decode the dates on expired records.

Hex Editor

Figure 36-16: Extract from file dump created using PROGRAMMER SAVEFS

Simulator

The Simulator operates in exactly the same manner as a handheld BlackBerry, with the additional convenience of PC keyboard manipulation. You can load the dump file into the BlackBerry SDK Simulator and review it without handling the original unit.

Procedure to simulate a BlackBerry:

1. Rename the FILESYS.DMP file according to the following build rules:
   FS + HH (if an 857/957) or Pgr (if an 850/950) + Mb (if Mobitex) or Dt (if DataTAC) + .DMP
2. The Mobitex pager-style BlackBerry therefore has the load file FSPgrMb.DMP.
3. During loading, if you place the DMP file in the same directory as the Simulator and all ancillary Simulator options are set to match, the file is substituted for the default blank file system. Do not mark it read-only: when you exit the Simulator, the file is overwritten to match the Simulator's last state.
4. Set the Simulator's Flash memory size to exactly match that of the DMP file. You can, however, use a file that is smaller than the available Flash; FFh will be appended to the image file to make it match the size set in the Simulator.

Figure 36-17: Screenshot for Simulator options

5. Set the Simulator to match the network and model of the investigated unit.

Figure 36-18: Screenshot for Simulator settings

6. Load the applications from those available in the SDK. At this stage, the DIR listing acquired during the earlier evidence acquisition becomes useful.

Figure 36-19: Screenshot for application loading

For example, in the following figure you can see that the default applications of a Mobitex BlackBerry are loaded. The default applications are the same for all models, with other applications added according to the model.

Figure 36-20: Screenshot of loaded Mobitex BlackBerry applications

7. Select Control, then Start Simulation, to run the Simulator.

Figure 36-21: Screenshot to run the Simulator

8. To connect the Simulator to a serial port on the PC, run the following command:
   OSLoader.exe OsPgrMb.dll /s1
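As an added example (not part of the module, Program Loader or the SDK Simulator), the following Python script carries out the evidence-handling steps from the SAVEFS and Simulator passages above: it renames and write-protects FILESYS.DMP, records a SHA-256 hash, checks the dump size against the stated Flash RAM sizes, derives the Simulator file name from the build rules, and writes an FFh-padded working copy so that the Simulator overwrites the copy rather than the evidence file. The hash algorithm, the CASE-0001 evidence name, the function names and the zero-filled sample dump are assumptions of the example.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Flash RAM sizes the module states for a SAVEFS dump (950 = 4 MB, 957 = 5 MB).
FLASH_BYTES = {"950": 4 * 1024 * 1024, "957": 5 * 1024 * 1024}


def simulator_filename(model: str, network: str) -> str:
    """Apply the module's build rules: FS + (HH | Pgr) + (Mb | Dt) + .DMP."""
    if model in ("857", "957"):
        form = "HH"
    elif model in ("850", "950"):
        form = "Pgr"
    else:
        raise ValueError(f"unknown handheld model {model!r}")
    net = {"mobitex": "Mb", "datatac": "Dt"}.get(network.lower())
    if net is None:
        raise ValueError(f"unknown network {network!r}")
    return f"FS{form}{net}.DMP"


def sha256_file(path: Path) -> str:
    """Hash the dump in chunks so a multi-megabyte image is not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_dump(dump: Path, model: str, case_id: str) -> dict:
    """Rename FILESYS.DMP before the next SAVEFS can overwrite it, write-protect
    it, hash it, and check its size against the device's Flash RAM."""
    evidence = dump.with_name(f"{case_id}_FILESYS.DMP")  # hypothetical naming
    dump.rename(evidence)
    evidence.chmod(stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)  # read-only
    size = evidence.stat().st_size
    return {"evidence": evidence, "sha256": sha256_file(evidence),
            "size": size, "size_ok": size == FLASH_BYTES[model]}


def simulator_copy(evidence: Path, model: str, network: str) -> Path:
    """Write a working copy under the Simulator's expected name, padded with
    FFh up to the Flash size as the Simulator does for a short file. The copy
    is what the Simulator overwrites on exit; the evidence file is untouched."""
    target = evidence.with_name(simulator_filename(model, network))
    data = evidence.read_bytes()
    if len(data) > FLASH_BYTES[model]:
        raise ValueError("dump is larger than the Simulator's Flash size")
    target.write_bytes(data + b"\xff" * (FLASH_BYTES[model] - len(data)))
    return target


def run_demo(short_by: int = 0) -> dict:
    """Constructed scenario: a SAVEFS dump from a model 950 on Mobitex,
    optionally short_by bytes smaller than the real Flash size."""
    work = Path(tempfile.mkdtemp())
    dump = work / "FILESYS.DMP"
    dump.write_bytes(b"\x00" * (FLASH_BYTES["950"] - short_by))  # not a real image
    info = preserve_dump(dump, "950", "CASE-0001")
    sim = simulator_copy(info["evidence"], "950", "mobitex")
    info["sim_name"], info["sim_size"] = sim.name, sim.stat().st_size
    info["hash_unchanged"] = sha256_file(info["evidence"]) == info["sha256"]
    return info
```

Re-hashing the evidence file after the Simulator session and comparing it with the recorded digest is the check that the original dump was not touched.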
Best Practices for Protecting Stored Data

The following are some of the best practices for protecting stored data:

- Make password authentication mandatory through the customizable IT policies of the BlackBerry Enterprise Server
- To increase protection from unauthorized parties, there is no staging area between the server and the BlackBerry device where the data is decrypted
- Clean the BlackBerry device's memory
- Protect the stored messages on the messaging server
- Encrypt the application password and storage on the BlackBerry device
- Protect storage of the user's data on a locked BlackBerry device
- Limit password authentication to 10 attempts
- Use Advanced Encryption Standard (AES) technology to secure the storage of the password keeper and the password entries on the BlackBerry device (e.g. banking passwords and PINs)

BlackBerry Signing Authority Tool

Source: http://www.BlackBerry.com/

The BlackBerry Signing Authority Tool enables developers to protect the data and intellectual property of their applications. Developers can manage access to sensitive APIs and data using public and private signature keys. Administrators can select which specific APIs and data stores may be accessed. The tool validates the authenticity of a signature request using public/private key cryptography. The administrator can configure the tool to either restrict internal developers or allow external developers to request and receive signature access to specific APIs and data stores. Signature requests can be tracked and accepted or rejected under administrator control. The BlackBerry Signing Authority Tool supports all versions of the BlackBerry Java Development Environment (JDE) and applications created for Java-based BlackBerry devices.
Forensics Tool: RIM BlackBerry Physical Plug-in

Source: http://www.paraben-forensics.com/

The RIM BlackBerry device physical plug-in allows you to perform a physical acquisition from most types of RIM BlackBerry devices. The BlackBerry plug-in allows you to acquire the following data from the devices:

- Address book
- Auto text
- Calendar
- Categories
- File system (from content store database)
- Handheld agent
- Hotlist
- Memo
- Messages
- Phone call
- Profiles
- Quick contacts
- Service book
- SMS
- Task

ABC Amber BlackBerry Converter

Source: http://www.processtext.com/

ABC Amber BlackBerry Converter is a useful tool that converts emails, contacts, SMS messages, PIN messages, autotext entries, calendar events, phone hotlist entries, memos, phone call logs, tasks, etc. from IPD (BlackBerry backup) files to any format (PDF, HTML, CHM, RTF, HLP, TXT, DOC, MDB, XLS, CSV, etc.) easily and quickly. Its features include:

- Reads IPD (BlackBerry backup) files and exports selected messages, contacts, SMS messages, PIN messages, autotext entries, calendar events, memos, phone call logs, phone hotlist entries, and tasks to a single file of any document format: PDF format (Adobe Acrobat doesn't need to be installed), RTF format (also doesn't require MS Word to be installed), hypertext HTML format, text format, MS DOC format, popular CHM format, old good HLP format, and many more (Access, Excel, DBF, etc.)
- Generates contents with bookmarks (in RTF, DOC, PDF and HTML) and hyperlinks in the output file
- Supports column sorting
- Displays the selected message (or contact)
- Supports advanced PDF export options (document information, 40/128-bit PDF encryption, PDF security options, page size, page orientation and page margins, resolution mode, compression mode, viewer options)
- Supports multiple CHM and HLP export options
- Exports messages to TIFF and DCX (multipage)
- Converts messages to EML in bulk. You can then drag those *.eml files and drop them into an MS Outlook Express folder.
- Website Creator for BlackBerry, Advanced CHM Maker
- Converts BlackBerry items to LIT (MS Reader), RB (Rocket eBook), FB2 (FictionBook), and PDB (Palm)
- Extracts the text of MMS messages
- Exports browser URLs and browser bookmarks
- Supports Extended MAPI
- Converts contacts to VCF (vCard), emails to MSG (Outlook), calendar events to VCS (vCalendar)
- Allows transferring emails to Novell GroupWise (since 6.44)
- Command line support, multiple language support, skin support and more

Figure 36-22: Screenshot of ABC Amber BlackBerry Converter

Pocket PC

Source: http://www.datadoctor.in/

Pocket PC is a Windows-based tool that can be used to extract detailed information from Windows-based mobile devices for use as evidence. The handheld PC forensic utility collects data from all PDAs or equivalent digital devices for forensic analysis and scientific investigation.
The smartphone investigator utility is capable of capturing detailed information from mobile phones, such as Windows registry records, database records, mobile processor architecture, and other related information about cell phone devices. The Windows-powered cell phone examiner tool helps examine other relevant information on a cellular phone, including SMS (sent or received messages), call history (call duration and call log), last dialed and received numbers, and the history of saved files and folders (music, pictures, images, text documents, etc.). The Pocket PC data extraction application provides mobile phone information including model number with manufacturer name, SIM IMSI number, mobile IMEI number, battery status, and signal quality. The multimedia mobile phone forensic software is used in forensic investigation to identify data theft.

The following are the features of Pocket PC:

- Extracts detailed information from Windows-based Pocket PC or PDA mobile phone devices, such as OS registry records, database records, all saved files, and folder information
- Examines information about saved text messages, call history, mobile model number with manufacturer name, IMEI number, SIM IMSI number, battery status, and signal quality
- Generates text reports of extracted cell phone information for further use
- Supports all major brands and companies of multimedia cell phone devices
- Useful for scientific investigation and forensic use
- User-friendly software utility that is easily understood by lay users
- Easy-to-use software with a systematic help menu for user assistance

Figure 36-23: Screenshot of Pocket PC
ABC Amber vCard Converter

Source: http://www.processtext.com/

ABC Amber vCard Converter is a useful tool that converts contacts from VCF (vCard) files to many document formats (PDF, MS Word, HTML, RTF, TXT and others). The following are the features of ABC Amber vCard Converter:

- Reads VCF (vCard) files
- Exports selected contacts to a single file of any document format: PDF format (Adobe Acrobat doesn't need to be installed), RTF format (also doesn't require MS Word to be installed), hypertext HTML format, text format, MS DOC format, popular CHM format, old good HLP format, and many more
- Generates contents with bookmarks and hyperlinks in the output file
- Command line support
- Supports column sorting in ascending and descending order
- Supports multiple PDF export options (document information, 40/128-bit PDF encryption, advanced PDF security options, page size, page orientation and page margins, resolution mode, compression mode, viewer options)
- Supports multiple CHM and HLP export options
- Displays the selected contact, saves it to disk and prints it
- Multiple language support
- Exports contacts to TIFF and DCX (multipage)
- Converts contacts to IPD (BlackBerry)
- Converts contacts to MS Outlook directly

Figure 36-24: Screenshot of ABC Amber vCard Converter
BlackBerry Database Viewer Plus

Source: http://www.cellica.com/

Wireless Database Viewer Plus allows you to be more productive by letting you view and update database contents on your BlackBerry. It can sync with Microsoft Access, Microsoft Excel, and any ODBC-compliant database such as Oracle, SQL Server, etc. The following are the features of BlackBerry Database Viewer Plus:

- Get any desktop data wirelessly on your BlackBerry device
- Push only updated desktop data to the BlackBerry automatically
- Apply SQL SELECT queries and filters, sort the fields, and push data accordingly
- Supported databases: MS Access, MS Excel, Oracle, SQL Server, FoxPro, dBase and any ODBC-compliant database
- Make a phone call using the selected field's numeric contents, which are treated as a phone number
- Find and Find Again options to search for a record
- Easy navigation in both record and grid view using shortcut keys
- Data is secured with 128-bit AES encryption
- Supports Unicode language databases such as Japanese, Chinese, Korean, Russian, etc.

Figure 36-25: Screenshot of BlackBerry Database Viewer Plus
Summary

- BlackBerry is a personal wireless handheld device that supports email, mobile phone capabilities, text messaging, web browsing, and other wireless information services
- BlackBerry OS 4.6 is the new version of the BlackBerry OS
- It uses encryption to protect the integrity, confidentiality, and authenticity of the data
- BlackBerry Serial Protocol backs up, restores, and synchronizes the data between the BlackBerry handheld unit and the desktop software
- Make password authentication mandatory through the customizable IT policies of the BlackBerry Enterprise Server
- Blackjacking is the process of using the BlackBerry environment to circumvent perimeter defenses and directly attack hosts on an enterprise network
- The BlackBerry Attack Toolkit contains BBProxy, BBScan, and relevant Metasploit patches to exploit the vulnerability of any website
- Imaging is the process of creating an exact copy of the contents of a digital device to protect the original from changes
- With the radio in the on state, data can be pushed onto the unit, overwriting the previous data, which makes it difficult to retrieve the lost data
- Program Loader is an imaging and analysis command line tool
- Use AES technology to secure the storage of the password keeper and the password entries on the BlackBerry device (e.g. banking passwords and PINs)
- The RIM BlackBerry device physical plug-in allows you to perform a physical acquisition from most types of RIM BlackBerry devices

Exercise:

1. How does a BlackBerry work?
2. Write a summary about the BlackBerry Serial Protocol.
3. Explain the different BlackBerry attacks.
4. List the different vulnerabilities in a BlackBerry.
5. Describe the process for BlackBerry forensics.
6. How do you acquire log information from a BlackBerry?
7. Give a brief description of BlackBerry wireless security.
8. List some of the BlackBerry forensic tools.
9. Why is radio control necessary to preserve evidence in a BlackBerry?
10. What are the best practices for protecting stored data?

Hands-On

1. Connect the BlackBerry to the forensic computer via a USB cable and examine the contents of the BlackBerry device.
2. View contents such as hidden files, email content, phone call data, the security event log, and system settings on the BlackBerry.
3. What is the version and make of the operating system running on your BlackBerry?