
FORENSICS

To Get Round
To The Heart Of Fortress
Cybercrime is a growing threat to society. Theft of information, website crashes and manipulation of online payment traffic are also increasing. Many organizations offer various services in the battle against digital crime, such as network or data monitoring and extraction tools. These are of interest mainly to authorities and financial institutions, but they are accessible to every organization.
What you will learn
General forensic classification
Classic and non-classic mobile forensics

What you should know
Basic knowledge about forensics

The current century can be described as the application of digital technology that enhances traditional methodologies. The incorporation of computer systems into private, commercial, educational, governmental and other areas of life has improved the efficiency of these entities. On the other hand, the use of computers as a criminal tool has enhanced criminal activity as well. In particular, the surge of technical adeptness in the general population, coupled with anonymity, seems to encourage crimes using computer systems, since there is a small chance of being prosecuted, let alone being caught. These crimes are mostly classic crimes. To catch criminals involved in digital crime, investigators must employ consistent and well-defined forensic procedures wherever possible.

Anyone writing off the insider threat as a low-cost risk ought to realize the seriousness of the problem. This kind of threat includes the malicious employee who has the technical expertise to implant malware (a logic bomb) in a critical system. A malicious insider is an employee (current or former), contractor or business partner who had, has or is going to have authorized access to an organization's network, system or data and uses it in a manner that negatively affects confidentiality, integrity or availability. Employees also represent another significant insider threat vector: inadvertent actions can occur because individuals have accumulated more privileges than they need for their current job functions, or because individuals may just be careless about the usage and distribution of sensitive data. The result is that organizations need to defend against the malicious insider as well as the careless user.

A common security vulnerability that increases the risk of insider threats is inadequate auditing and analytics: the sheer volume of audit and log data impedes forensic investigation and detection. Logging all IT activity is an important first step in combating insider attacks, and today's highly distributed and complex IT environments generate massive volumes of logging data, but that sheer volume is very difficult to manage. Most current approaches to addressing insider threats are reactive, not predictive. This helps immensely in forensic investigations, but the problem is that the attack or theft has already occurred. Therefore, organizations should be looking for solutions that provide more analytic and predictive capabilities which, if not able to prevent insider attacks, may still identify at-risk insiders and then implement more detailed logging on those individuals in response.

There is also a delicate balance of risk versus productivity. IT managers need to balance the risk of employees' need for additional access against the lost productivity that would result if access were not granted to certain users. Many organizations also lack the necessary reporting tools to examine an individual's expanding entitlements over time, which further compounds the problem. The result is that IT often struggles to answer the critical question "Who has access to what?" confidently and accurately.

www.hakin9.org/en

What is digital forensics?

The term digital forensics suggests a high-tech process reserved only for cases centered on proprietary technology. Digital data is now omnipresent, and therefore digital forensics has quickly become a legal necessity. Searching through digital evidence could recover a hidden document or deleted e-mail message, which may accelerate exposure or win a case. In the typical case, a hard-copy document is analyzed, and the lawyer can only engage in direct or cross-examination based on information printed on the page. It is difficult to determine the document's authenticity, original author, etc. However, documents created in Microsoft Word or other leading word processing systems are likely to contain a surplus of information that is not displayed or printed. A forensic examiner is able to discover this additional information, called metadata. Metadata is a description or definition of electronic data, or data about data. Metadata can include descriptive tags and information about when data was created or what changes have been made. Internet logs may also provide valuable evidence. The main rule is that if information was displayed at some time on a computer screen, it can be recovered from that computer; checking an account balance online is one example. This applies to data of all types. Failing to analyze digital data is at best inexcusable and at worst ineffective assistance or malpractice. With the vast majority of documents now created digitally, and with so many communications, there is both the luxury of easily validating a controversy and the responsibility of doing so. Data forensics was all but unknown just a few years ago. Nowadays it is considered a standard and routine practice in legal matters.

Computer Forensics

Computer forensics relates to legal evidence found in computers and digital storage media, i.e. examining digital media with the aim of identifying, preserving, recovering, analyzing and reporting. Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves techniques and principles similar to data recovery. Computer forensic investigations usually follow the standard digital forensic process. Investigations are performed on static data/images rather than live systems. Several techniques pertain to computer forensics:

Cross-drive analysis correlates information found on multiple hard drives. This process can be used for identifying social networks and for performing anomaly detection.

Live analysis examines the operating system using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.

Recovering deleted files is a common technique in computer forensics, since data can be reconstructed from the physical disk sectors. It involves searching for signatures of file headers to reconstruct the files.

Volatile data dumping recovers any information stored in RAM, because it may be lost after powering down.

Several branches in digital forensics

Digital forensics is a branch of forensics concerned with the recovery and investigation of material found in digital devices, often in relation to computer crime. The term was originally used as a synonym for computer forensics; however, it has expanded to cover the investigation of all devices capable of storing digital data. As a result, it is now preferable either to use more specialised terms such as mobile device forensics or mobile phone forensics, or to use a term such as digital forensics to include all digital devices. Digital forensics includes several sub-branches relating to the investigation of various types of devices, media or artefacts.

Mobile Device Forensics

Mobile device forensics relates to the recovery of digital evidence or data from a mobile device. The memory type, custom interface and proprietary nature of mobile devices require a different forensic process compared to computer forensics. Each device often needs custom extraction techniques. The forensic process for mobile devices broadly matches other branches of digital forensics; however, some particular concerns apply. One of the main ongoing considerations for analysts is preventing the device from making a network/cellular connection, because it may bring in new data, overwriting evidence. To prevent a connection, mobile devices will often be transported and examined from within a Faraday cage. Mobiles will often be recovered switched on, to avoid a shutdown changing files. However, with more advanced smartphones using advanced memory management, connecting the device to a recharger and putting it into a Faraday cage may not be good practice. The mobile device would recognize the network disconnection and therefore change its status information, which can trigger the memory manager to write data. Note that there are two flash memory types: NOR as internal and NAND as external (like SD cards). NAND memory can be examined with a PC forensic tool for the FAT file system. Several techniques pertain to mobile forensics:

Physical acquisition is a bit-by-bit copy of an entire physical store. It has the advantage of allowing deleted files and data remnants to be examined. Physical extraction acquires information from the device by direct access to the flash memories. Generally this is harder to achieve, because device vendors need to secure against arbitrary reading of memory so that a device may be locked to a certain operator.

Logical acquisition is a bit-by-bit copy of logical storage objects (e.g., directories and files) that reside on a logical store (e.g., a file system partition). Logical acquisition has the advantage that system data structures are easier for a tool to extract and organize. This usually does not produce any deleted information, because it is normally removed from the file system of the phone. However, in some cases the phone may keep a database file of information which does not overwrite the information but simply marks it as deleted and available for later overwriting.

Manual acquisition uses the user interface to investigate the content of the memory. The device is used as normal and pictures are taken of the screen. The disadvantage is that only data visible to the operating system can be recovered, and that all data is available only in the form of pictures.

External memory acquisition is acquisition from external devices such as SIM cards, SD cards, MMC cards, CF cards and the Memory Stick. For external memory and USB flash drives it is possible to make a bit-level copy. Furthermore, USB drives and memory cards have a write-lock switch that can be used to prevent data changes while making a copy (SD cards have it, but microSD cards don't).

Network Forensics

Network forensics relates to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence or intrusion detection. Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information. Network forensics is often somewhat proactive, because traffic is transmitted and then lost. This branch has two uses.

Security: analysis involves monitoring a network for anomalous traffic and identifying intrusions. For example, an attacker might be able to erase all log files on a compromised host.

Law enforcement: analysis of captured network traffic can include tasks such as reassembling transferred files, searching for keywords and parsing human communication such as emails or chat sessions.

Network forensics is a comparatively new field of forensic science. The growing popularity of the Internet in homes means that computing has become social-centric. There are several types of traffic capture.

Ethernet: by eavesdropping on bit streams with tools called sniffers. A sniffer collects all data on this layer and allows the data that has been transmitted over the network to be reconstructed.

TCP/IP: on the network layer the Internet Protocol (IP) is responsible for directing the packets generated by TCP through the network (e.g., the Internet) by adding source and destination information that is interpreted by routers all over the network. Cellular digital packet networks, like GPRS, use protocols similar to IP, so the IP forensic methods apply to them as well.

Internet: the Internet can be a rich source of digital evidence, including web browsing, email, newsgroup, synchronous chat and peer-to-peer traffic. For example, web server logs can be used to show when (or if) a suspect accessed information related to criminal activity. Email accounts can often contain useful evidence, but email headers are easily faked, so network forensics may be used to prove the exact origin of incriminating material. Network forensics can also be used to find out who is using a particular computer, by extracting user account information from the network traffic.

Wireless: the main goal of wireless forensics is to provide the methodology and tools required to collect and analyze (wireless) network traffic that can be presented as valid digital evidence in a court of law. The evidence collected can correspond to plain data or, with the broad usage of Voice-over-IP (VoIP) technologies, especially over wireless, can include voice conversations.

Database Forensics

Database forensics relates to the forensic study of databases and their related metadata, down to the timestamps that apply to the mobile device time of a row in a relational table, which are inspected and tested for validity in order to verify the actions of a database user. Alternatively, a forensic examination may focus on identifying transactions within a database system or application that indicate evidence of wrongdoing, such as fraud.

Mobile Forensic

Today a mobile device is a powerful device that can function as a cellular phone, web browser and personal organizer. These devices have reached such a level of power and functionality that they are in essence mini-computers. Mobile device forensics is very similar to the procedures and methodologies used in any form of forensics. From time to time it may even be easier than PC forensics.

Did you know?

When you seize the mobile device, you have to ensure that you take the mobile device, docking cradle and external memory cards. This is probably one of the most difficult things to control and requires that you conduct a thorough search for any and all memory cards. With the size of memory cards today, there is an extensive amount of evidence that you would be missing if you missed just one memory card.

Investigative Methods

There are four main steps when it comes to performing a forensic investigation of a mobile device. These four steps are identified as follows: Examination, Identification, Collection, Documentation.

Step 0. Permission

As with any forensic examination, the main step is to have permission to seize the evidence that is required for your investigation.

Step 1. Examination

First, you need to understand the potential sources of the evidence. With a mobile device, these sources can be the device, the device cradle, the power supply and any other peripherals or media that the examined device has come into contact with. In addition to these sources, you should also investigate any device that has synchronized with the mobile device you are examining.

Step 2. Identification

Second, identify the type of device you are investigating. Once you have identified the device, you have to identify the operating system that the device is using. Note that it is possible for a device to be running two operating systems.

Step 3. Collection

During this step, you collect data and potential evidence from the parts of the device that are suspected. There is a multitude of these types of devices, so we will limit our discussion to just a few, such as NOR flash or NAND flash. You have to collect all types of information, both volatile and dynamic. The reason is that anything classified as volatile information will not survive if the device is powered off or reset. Therefore, the mobile device should be placed into an evidence bag and maintained on a stable power supply throughout.

Step 4. Documentation

Records of extracted data must be documented with the case number and the date and time they were collected. Another part of the documentation process is to generate a report that consists of detailed information describing the entire forensic process that you are performing. Within this report you need to annotate the state and status of the device in question during your collection process. The final step of the collection process consists of accumulating all of the information and storing it in a secure and safe location.

Did you know?

Device Switched On
If the device is in the on state, act immediately to get power to the mobile device so that it will not lose the volatile information. Then take the device to a secure location such as a Faraday cage, or turn off the radio, before beginning the examination.

Device Switched Off
If the device is in the off state, you need to take the device to the shielded location before attempting to switch it on, or place the device in a room that can block the signal well enough to prevent the data push.

Device in its Cradle
If the device is in its cradle, you have to remove any connection to the PC, despite the possibility that a sophisticated suspect might have a tripwire device that, once disconnected, could activate a script to erase potential evidence.

Password Protected
What has to be known about password protection is that the password itself is not stored on the device. The only thing stored on the device is a hash of the plain-text password. This storage is similar to that used by the majority of operating systems.

Wireless Connection
You must avoid any further communication activities, if possible. Eliminate any wireless activity by placing the device into a cage that can isolate it.

External Memory Card
You must not initiate any contact before taking components off. This includes any devices that support external media types of cards.

Forensic Investigation of the BlackBerry

A BlackBerry is a handheld mobile device engineered for email. All models now come with a built-in mobile phone, making the BlackBerry an obvious choice for users who need to access their email from somewhere besides the comfort of a desk chair. The device is equipped with the RIM software implementation of proprietary wireless-oriented protocols. The BlackBerry device is always on and participating in some form of wireless push technology. Because of this, the BlackBerry does not require desktop synchronization the way other mobile devices do. BlackBerry OS has numerous capabilities and features, such as over-the-air activation, the ability to synchronize contacts and appointments with Microsoft Outlook, a password keeper program to store sensitive information, and the ability to customize your BlackBerry display data. The BlackBerry device has an integrated wireless modem that allows it to communicate over the air with the RIM network. The BlackBerry uses the BlackBerry Serial Protocol to back up, restore and synchronize data between the handheld and the desktop. In addition, the device uses strong encryption that safeguards the confidentiality and authenticity of data, keeping it encrypted while in transit between the enterprise server and the device itself.

Warning for BlackBerry Push-Technology

Since the BlackBerry is an always-on, push-messaging device, information can be pushed to it at any time. Note that pushed information has the ability to overwrite any data that was previously deleted. The first step in preserving the information is to eliminate the ability of the device to receive this data push. If possible, turn the radio off; a better solution is to take the device to an area where the signal cannot be received. The BlackBerry device is not really off unless power is removed for an extended period. If the BlackBerry is powered back off, then any items that were in the queue waiting to be pushed to the device could possibly be pushed before you could stop them.

Warning for BlackBerry Password Protection

BlackBerry devices come with password protection. The owner can protect all data on the phone with a password. He may also specify the number of attempts allowed for entering the password before all data is wiped from the device. If you exceed your password attempt limit (it defaults to 10, but you can set it as low as 3), you will be prompted one last time to type the word BlackBerry. The device will then wipe. It will be reset to the factory out-of-the-box condition, and the password will be reset. You will lose everything in the device memory, with no possibility of recovery. It will not reformat the microSD card, because that's not part of the factory configuration. The phone will still be usable, and the operating system will be unchanged. So this technique cannot be used to roll back from an OS upgrade problem.

Password Extraction from BlackBerry

First, the BlackBerry can be attacked by brute-forcing a BlackBerry backup file. You can access encrypted information stored in password-protected backups if the original password is known or recovered with Elcomsoft Phone Password Breaker (http://www.elcomsoft.com/eppb.html). Elcomsoft Phone Password Breaker grants forensic access to protected information stored in BlackBerry devices by recovering the original plain-text password. The toolkit allows eligible customers to acquire bit-to-bit images of devices' file systems, extract phone secrets (passcodes, passwords and encryption keys) and decrypt the file system dump. Access to most information is provided in real time. In addition to Elcomsoft Phone Password Breaker, the toolkit includes the ability to decrypt images of devices' file systems, as well as a free tool that can extract the encrypted file system out of the device in raw form. To unlock Apple backups even faster, the tool engages the company's patent-pending GPU acceleration technology.

Figure 1. Elcomsoft Phone Password Breaker

Three key features are: decrypt encrypted BlackBerry backups; recover original plain-text passwords; GPU acceleration.

However, you will not have a BlackBerry backup file. The attack or theft has already occurred, and therefore you have to be more analytic and more predictive, in line with the previous warnings for the BlackBerry. In this case, you have to install spyware to extract the password from the device. All smartphones give their owners a free choice to lock the handheld with a password or to leave access unsecured. The main idea is to use the most complex password possible. You have to lock your devices! You have to use a more complex combination! It has to be random! Nevertheless, think for a moment. Can you quickly say how many symbols you have entered? "No" is the correct answer. So, just imagine a malware product loaded into device memory that waits until you are going to unlock the handheld by typing your top-secret password. When the input is half complete, the malware types just one random letter to make your unlocking action senseless. The BlackBerry then says "Wrong password! Try once again." Next attempt. Once you have reached half of the attempts and have typed the word blackberry, your password is exposed and can be stolen with a screenshot. Let us examine the virtual keyboard. When you touch the screen to type a character, a large-scale preview appears. When you do the same while typing a password into a masked text box, you can see that every character is masked by an asterisk or black circle about 1-2 seconds later. Password preview is only used when the keyboard is a SureType or multitap keyboard. The Bold keyboard is a full keyboard, so it will not duplicate that behavior.

There are two possible ways of stealing the password: during device unlocking, or when you synchronize your device with a PC. During synchronization you are asked about the sync mode: whether to sync media, use the device as a USB drive, or only charge it. Sure, we cannot guess what you choose, but we do not. Would you pay attention to the discrepancy, or take it as a kind of program error (bug)? In any case, you are caught by a fake login. After typing the password you will be notified about a wrong password (two times to get your right password and one more to inform you about, e.g., a null-pointer error or hung process). Then you see the original logon screen.

Figure 3. Virtual Keyboard bug

Figure 2. Sync-extracted password

Figure 4. PC-sync extracted password part I

Every device is going to be synchronized with a PC sometimes. The major target is the password field of the software's text box. Unfortunately, we cannot get a screen capture, but we are still able to use WinAPI functionality to unmask the password box, steal the password characters, and then mask the password box again. Repeat it several times and you will get the password. You can find more detail in my previous articles.

Figure 5. PC-sync extracted password part II

Classic BlackBerry forensic

A typical forensic investigator performs the investigation by hand-reading mail and data files, checking for system activities through different log files, and verifying the consistency of the data through the time stamps associated with files on the file system. Protections such as firewalls often force the investigator to perform these tasks on-site. The difficulties of performing a local analysis can limit the investigation. First, forensic software must be running on the local machine, and may have to be installed. Second, running such software locally risks damaging or contaminating data. Third, if the machine has been compromised, the investigation may produce suspect results or, worse, may alert the attacker.

Gathering Logs and dumps

The main classic forensic procedure of evidence collection violates the forensic method by requiring the investigator to record the logs kept and the dump. The investigator can view some logs on the device by pressing hotkeys or through several applications from the BlackBerry SDK tools. Don't forget that the counter is always running, even when the radio is turned off, so be sure to record these values as soon as possible to avoid log overwrites.

First, let's examine the hotkeys.

QWERTY / SureType keyboard

From the Home screen, hold the Alt key and then type lglg. Display the debug information by completing the following steps: Press the Menu key and click Options. Click the Min log level drop-down list and select Debug Info. Press the Menu key and then click Save.

BlackBerry Storm 9500 in portrait view

From the Home screen go to Options, then to Screen/Keyboard. In the Screen/Keyboard options menu, set the Portrait View Keyboard option to SureType and then Save the settings. From the Home screen of the BlackBerry smartphone, press the convenience key to display the keyboard in portrait view. Hold the number key to lock the number keyboard. The 123 icon appears at the top right of the screen, and a small lock appears on the number key. Press the ,5,5 keys. Display the debug information by completing the following steps: Press the Menu key and click Options. Click the Min log level drop-down list and select Debug Info. Press the Menu key and then click Save.

BlackBerry Storm 9550 in portrait view

From the Home screen of the BlackBerry smartphone, press the convenience key to display the keyboard in portrait view. Press the ,5,5 keys. Display the debug information by completing the following steps: Press the Menu key and click Options. Click the Min log level drop-down list and select Debug Info. Press the Menu key and then click Save.

BlackBerry Storm 9500 in landscape view

From the Home screen press the Menu key and click Show Keyboard. Hold the number key to lock the number keyboard. The 123 icon appears at the top right of the screen, and a small lock appears on the number key. Press the // keys. Display the debug information by completing the following steps: Press the Menu key and click Options. Click the Min log level drop-down list and select Debug Info. Press the Menu key and then click Save.
Another way to collect the log information is to use loader.exe from the BB SDK tools. It extracts a full copy of the BlackBerry event log to a text file stored on your drive. Let's look at some useful javaloader commands.

Java Loader Usage

Usage: JavaLoader [-p<pin>] [-d0|-d1] [-w<password>] [-q] <command> (Table 1).

To extract the event log from the device, plug it into the PC via a USB cable, open a command shell and type:

javaloader.exe -wPASSW eventlog log.txt

Command dump gives us all .cod modules stored on the device, in the root subfolder dump. To get a dump of a BlackBerry device, let's use the Loader from BlackBerry Device Manager. It is located in c:\Program Files\Common Files\Research In Motion\AppLoader if your OS is 32-bit, or in c:\Program Files (x86)\Common Files\Research In Motion\AppLoader if your OS is 64-bit. Some useful commands are below.

Loader Usage

Usage: loader.exe /<command> (Table 2). Extracting a dump works the same way as extracting the log above. Command syntax examples are below.

Loader.exe /eventlog D:\BBSAK\eventlog-loader.txt
Loader.exe /screenshot active D:\BBSAK\active-loader.bmp
Loader.exe /screenshot primary D:\BBSAK\primary-loader.bmp
Loader.exe /screenshot auxiliary D:\BBSAK\auxiliary-loader.bmp
Loader.exe /dir D:\BBSAK\dir-loader.txt
Loader.exe /deviceinfo D:\BBSAK\deviceinfo-loader.txt
Loader.exe /dump D:\BBSAK\dump-loader.txt

However, before that you will be asked to enter the device's password. Note that starting a dump requires a device reboot, which can erase the log by overwriting some information. Do not forget about the encryption feature of BlackBerry Storage Protection, based on password and ECC. If it is on, the dump result is obviously empty.

Table 1. Java loader usage

-p<pin>                              Specifies the handheld PIN (hex pin prefix '0x')
-w<password>                         Connects using the specified password
<command>                            is one of
dir [-d] [-s] [-1]                   Lists modules on the handheld
    -d                               Display dependency information
    -s                               Display siblings
    -1                               Single column output
deviceinfo                           Provides information on the handheld
save {<module> ... | -g <group>}     Retrieves modules from the handheld
    -g                               Retrieves all modules in a specified group
info [-d] [-s] [-v] <.cod file>      Provides information on the specified modules
    -d                               Display dependency information
    -s                               Display sibling information
    -v                               Display verbose module information
eventlog                             Retrieves the handheld event log
radio on|off                         Turns the handheld's radio on or off
siblinginfo <.cod file>              Provides sibling information on the specified modules
screenshot <.bmp file>               Retrieves the contents of the specified screen and saves as a BMP file
logstacktraces                       Dumps the stack traces for all threads to the event log

Table 2. Loader usage

command       is one of:
eventlog      output filename
screenshot    output filename
deviceinfo    output filename
dir           output filename
radio         on|off
dump          output filename

Device Information

Hardware Id: 0x5001807
PIN: 0x23436780
OS Version: 0x0
VM Version: 0x600023a
Radio ID: 0x0
Vendor ID: 609

Table 3. Directory information

Name                  Version      Size      Created
8 net_rim_m2g         6.0.0.570    293384    0 Sun May 01 03:16:11 2011
    Depends on: net_rim_cldc net_rim_xml_org
11 net_rim_xml_org    6.0.0.570    44460     0 Sun May 01 03:15:59 2011
    Depends on: net_rim_cldc

Besides the Name, Version, Size, Created and Depends on fields, the following description fields are possible. Let us take the Facebook application as an example.

FaceBook Additional Info

Friendly name: Facebook
Description: Facebook® for BlackBerry® smartphones makes it even easier to connect and share while you're on the go...
Version: 2.0.0.37
Vendor: Research In Motion Limited
Copyright: (null)

The event logs for Google Talk Messenger and Windows Live Messenger store the option Save password & Sign.

Event Log

Guid: 0x6659A3FDB89204F9 time: Sat Jul 30 21:57:05 2011 severity:0 type:2 app: GoogleTalk data: Auto
Guid: 0x80C11EC7B1720C9F time: Sat Jul 30 21:57:05 2011 severity:0 type:2 app: WLM data: Auto

BlackBerry Backup Format

The structure of the IPD file shown above is as follows: Table 4. Each database name block is of the form shown in Table 5. Each database data block is of the form shown in Table 6. For a more advanced and in-depth look at the file format, you may visit the BlackBerry site.

Table 6. DB data block format

Database ID             2 bytes. Zero-based position in the list of database name blocks
Record length           4 bytes
Database version        1 byte
DatabaseRecordHandle    2 bytes
Record unique ID        4 bytes
Field length #1         2 bytes
Field type #1           1 byte
Field data #1           As long as the field length
Field length #n         2 bytes
Field type #n           1 byte
Field data #n           As long as the field length

Data Extracting through the BlackBerry Backup

Table 4. General BB Backup format

Inter@ctive Pager Backup/Restore File


Line feed Version Database name separator Database name block#1 Database name block#2 Database name block#n Database data block#1 Database data block#2 Database data block#n Table 5. DB name block format Database name length Database name 2 bytes. The length includes the terminating null As long as the name length 1 byte 1 byte 1 byte value 0A value 02 value 00

Number of databases in le 2 bytes

First, you need to download and install BlackBerry Desktop Manager. Use the following link (https://www.BlackBerry.com/Downloads/entry.do?code=A8BAA56554F96369AB93E4F3BB068C22) to select and download the install file that fits your system or version. Once BB Desktop Manager is installed, connect the device to the PC. Then click the Back up button for a full backup of the device, or use the advanced section for specific data. In the options, you can find the destination folder where your .ipd file will be saved. Note that the ipd file can be encrypted with a password of not less than 4 characters. BlackBerry backups contain essential information stored in the device. User data such as email, SMS and MMS messages, web browsing history and cache, call logs, pictures and photos, contacts, calendars, appointments, and other organizer information are stored in BlackBerry backups. Access to information stored in BlackBerry backups can be essential for investigations, and is in high demand by forensic customers.

Did you know?

The backup file does not save your email attachments. Moreover, email forensics on a BlackBerry comes up empty when an email message is TOO large: you find only a message about truncation. TOO LARGE is equal to 8Mb of data, or ~5Mb of data encoded into Base64, per data file. If there is more than one attachment file, the size is ~3Mb per file. The newly announced version of BES and BIS can support EXTRA large files of ~8Mb instead of ~5Mb per file. Everything else is the same.

The IPD file can be read using several commercial utilities, including:
- MagicBerry IPD Reader (http://menastep.com)
- Amber BlackBerry Converter (http://www.processtext.com/abcBlackBerry.html)
- Elcomsoft BlackBerry Backup Explorer (http://www.elcomsoft.com/ebbe.html)
- Paraben Device Seizure (http://www.paraben.com/device-seizure.html)
- UFED (http://www.cellebrite.com/forensic-products/forensic-products/ufed-physical-pro.html)
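The layout given in Tables 4 to 6 can also be walked by hand, which is useful when a reader utility rejects a damaged backup. The Python code below is an added example, not code from this article or from any of the tools listed above. The byte order (big-endian database count, little-endian everywhere else), the rule that the record length counts the bytes that follow it, and the sample image are assumptions, because the tables do not state them.

```python
import struct

MAGIC = b"Inter@ctive Pager Backup/Restore File"


class IPDError(ValueError):
    """The image does not follow the layout of Tables 4-6."""


class Reader:
    """Bounds-checked cursor: a truncated backup raises instead of misparsing."""

    def __init__(self, blob):
        self.blob, self.pos = blob, 0

    def take(self, n):
        if self.pos + n > len(self.blob):
            raise IPDError(f"truncated: need {n} bytes at offset {self.pos}")
        chunk = self.blob[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def unpack(self, fmt):
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))


def parse_ipd(blob):
    r = Reader(blob)
    if r.take(len(MAGIC)) != MAGIC:
        raise IPDError("signature mismatch")
    # Table 4 header. ASSUMPTION: the database count is big-endian.
    line_feed, version, db_count, separator = r.unpack(">BBHB")
    if (line_feed, separator) != (0x0A, 0x00):
        raise IPDError("unexpected header constants")
    names = []
    for _ in range(db_count):
        # Table 5. ASSUMPTION: little-endian length, terminating null included.
        (name_len,) = r.unpack("<H")
        names.append(r.take(name_len).rstrip(b"\x00").decode("latin-1"))
    records = []
    while r.pos < len(blob):
        # Table 6. ASSUMPTION: little-endian; record length counts what follows.
        db_id, rec_len = r.unpack("<HI")
        if db_id >= len(names):
            raise IPDError(f"record references unknown database {db_id}")
        body = Reader(r.take(rec_len))
        db_version, handle, uid = body.unpack("<BHI")
        fields = []
        while body.pos < rec_len:
            field_len, field_type = body.unpack("<HB")
            fields.append((field_type, body.take(field_len)))
        records.append({"database": names[db_id], "db_version": db_version,
                        "handle": handle, "uid": uid, "fields": fields})
    return {"version": version, "databases": names, "records": records}


def build_sample():
    """CONSTRUCTED two-database image, used only to exercise the parser."""
    def name_block(name):
        raw = name.encode() + b"\x00"
        return struct.pack("<H", len(raw)) + raw

    def data_block(db_id, handle, uid, fields):
        body = struct.pack("<BHI", 0, handle, uid)
        for field_type, data in fields:
            body += struct.pack("<HB", len(data), field_type) + data
        return struct.pack("<HI", db_id, len(body)) + body

    header = MAGIC + b"\x0a\x02" + struct.pack(">H", 2) + b"\x00"
    return (header + name_block("Memos") + name_block("Tasks")
            + data_block(0, 1, 1001, [(1, b"case notes"), (2, b"body text")])
            + data_block(1, 2, 1002, [(1, b"call lab")]))


def summarize(image):
    """Record count per database, a quick completeness check on an acquisition."""
    counts = {name: 0 for name in image["databases"]}
    for record in image["records"]:
        counts[record["database"]] += 1
    return counts


if __name__ == "__main__":
    image = parse_ipd(build_sample())
    print(summarize(image))
    for record in image["records"]:
        print(record["database"], record["uid"], record["fields"])
```

Run it against a working copy of the backup, never the original evidence file; field type numbers differ per database and are not decoded here.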

Figure 7. Amber BlackBerry Converter

UFED is one of the physical analyzer software tools that can be used for intelligence gathering and investigative research. It extracts phone content, hex dumps, files, and extensive information from GPS devices that can be mapped on Google Maps. In addition, it extracts existing, hidden, and deleted phone data, including call history, text messages, contacts, images, phonebook entries and videos. So, here is what you will be able to do with MagicBerry IPD Parser:
- Read ipd files
- Split ipd files
- Export SMS Messages, Phone Calls Log, Memos, Tasks, Calendar, and Address Book to CSV
- Edit Service Books
- Merge two ipd files

Elcomsoft Blackberry Backup Explorer allows forensic specialists to investigate the content of BlackBerry devices by extracting, analyzing, printing or exporting the content of a BlackBerry backup produced with BlackBerry Desktop Software. Elcomsoft Blackberry Backup Explorer supports BlackBerry backups made with the PC and Mac versions of BlackBerry Desktop Software. You can export information from BlackBerry backups into a variety of readable formats (PDF, HTML, DOC, RTF, ...). Blackberry Backup Explorer can also access encrypted information stored in password-protected backups if the original password is known or recovered with Elcomsoft Phone Password Breaker. Elcomsoft Phone Password Breaker grants forensic access to protected information stored in BlackBerry devices by recovering the original plain-text password. Elcomsoft Blackberry Backup Explorer is totally the same as Amber BlackBerry Converter. As an alternative to acquiring the BlackBerry through BlackBerry IPD Reader, Paraben's Device Seizure is a simple and effective method to acquire the data. Device Seizure was designed from the ground up as a forensic-grade tool that has been upheld in countless court cases.

Figure 6. BlackBerry Backup Manager

Figure 8. Elcomsoft Blackberry Backup Explorer

- SMS History (Text Messages)
- Deleted SMS (Text Messages)
- Phonebook (both stored in the memory of the phone and on the SIM card)
- Call History
- Received Calls
- Dialed Numbers
- Missed calls
- Call Dates & Durations
- Scheduler
- Calendar
- To-Do List
- Filesystem (physical memory dumps)
- System Files
- Multimedia Files (Images, Videos, etc.)
- Java Files
- Deleted Data
- GPS Waypoints, Tracks, Routes, etc.
- RAM/ROM
- PDA Databases
- E-mail

Figure 10. BB Manager is linked with BB Simulator

Here is a brief general outline of how to examine data with Paraben Device Seizure. Create a new case in Device Seizure with File | New. Give the case a name and fill in any desired information about the case on the next two screens. The third screen is a summary of the data entered. If all data is correct, click Next and then Finish.

You are now ready to acquire the phone. Go to Tools | Data Acquisition. You are prompted for the supported manufacturer. Select RIM Blackberry. Leave supported models at the default selection of autodetect. Connection type should be set to USB. For data type selection, select Logical Image (Databases). Confirm your selections on the summary page and click Next to start the acquisition.

BlackBerry Simulation

BlackBerry Simulator is built for simulating a backup copy of the physical device. This is helpful if the device is low on battery, needs to be turned off, or you do not want to alter the data on the physical device. The following steps are suitable for each BlackBerry device model:
1. Select a simulator from the drop-down list on the BlackBerry website (http://us.blackberry.com/developers/resources/simulators.jsp) and download it. Then install it.
2. Select and download BlackBerry Device Manager. Then install it.
3. Run BlackBerry Device Manager and BlackBerry Simulator.
4. Select Simulate | USB Cable Connected.
5. Select File | Restore to simulate with physical data evidence on BlackBerry Simulator.

Also, you mount an SD-card copy to the BlackBerry Simulator. Now you may turn off BlackBerry wireless communication by holding the power button, and then examine the evidence with the device simulator in the up state.

Figure 9. USB Connection

Figure 11. BB Simulator after sync

Live (Spy) BlackBerry forensic

When a digital device is discovered at the crime scene, the investigator first checks whether the device is switched on or not. In the dead analysis method, if the discovered digital device is switched on, it will be switched off. Then the digital device will be packaged and labelled correctly and transported to the forensic lab for further analysis. At the lab, the forensic examiner acquires the potential evidence on the device by making a forensic copy of the data stored on the digital device under investigation. The tools used to make the forensic copy guarantee that no modifications are made to the data stored on the device during the process of forensic acquisition. After this, analysis to find incriminating or discriminating evidence is performed on the forensic copy. That's known as Dead Analysis or Classic Forensic.

Traditional forensics focuses on learning as much about a dead file system as possible. While a full analysis can be time consuming, doing one can reveal a lot about an incident. Often, one of the most revealing things that can be done is a MAC time analysis to reconstruct the events of an attack from the files accessed. While a skilled attacker can certainly manipulate this, few go to this depth. In general, this type of analysis is limited to criminal cases or to cases where the attacker's means of compromise was unknown and the goal is to determine how they got in.

In some situations, it is not desirable to shut down, seize the digital device, and perform the forensic analysis at the lab. For example, if there is an indication that an encryption mechanism is used on the digital device that was discovered, then the investigator should not shut down this digital device. Otherwise, after shutdown all the information (potential evidence) that was encrypted will be unintelligible. By performing Live Analysis, the investigators attempt to extract the encryption key from the running system. That's known as Live Analysis or Non-Classic Forensic. The goal of any live forensics task should be to extract and preserve the volatile data on a system while, to the extent possible, otherwise preserving the state of the system. Additionally, this is often the first step of an incident response scenario where a handler is simply trying to determine if an event has occurred. The benefit of using this approach is that you have a forensically sound data collection from which to proceed with a full forensic analysis if the initial analysis indicates one is required.

Live ToolKit

Figure 12. SD mounting

The first toolkit is made by Gamma Group and is called Remote Monitoring & Infection Solutions (FinFisher FinFly & FinSpy). The Remote Monitoring and Infection Solutions are used to access target systems. They give full access to stored information and the ability to take control of the target system's functions, up to capturing encrypted data and communications. In combination with advanced remote infection methods, you have the capability to remotely infect and monitor all activity on target systems. It can extract SMS & MMS messages, email messages, BlackBerry Messages (PIN-to-PIN), call history, GPS location and cell location, address book, calendar events and URL history. By the way, it has several attacking features, such as attack via USB or Bluetooth, attack via an SMS that activates a trojan, or through a browser download. The second toolkit, no less interesting than the previous one, is made by Italian professionals and is called Remote Control System (RCS, http://hackingteam.it/index.php/remote-control-system). Briefly, it evades encryption by means of an agent directly installed on the device to monitor. Evidence collection on monitored devices is stealthy, and transmission of collected data from the device to the RCS server is encrypted and untraceable. These toolkits collect all possible information, such as phone history, organizer & address book, SMS/MMS/email, location tracking, screenshots & camera snapshots, SIM info, and remote audio spying. Both of them are divided into two parts: client and GUI monitoring.

Potential Data as Evidence

Potential attack vectors can be various; however, the most popular of them are:
- Address Book
- Calendar Events
- Call History
- Browser history and bookmarks
- Memos and Tasks
- Screen-shots
- Camera-shots
- Videocamera-shots
- Clipboard
- Location tracking (cell, wifi, gps, bluetooth)
- SMS/MMS/Emails
- Pictures, Videos, Voice notes, and other files
- IMs
- Passwords

Let us examine some of them to get the general idea. What is in an up-to-date BlackBerry Address Book? A lot of contact data, such as several mobile or home phone numbers, faxes, emails, BB PINs, work and home addresses, web pages or dates. We can also add IM data (Gtalk, Y!, Windows Live, AIM, and the not reliably up-to-date ICQ). That was all until social networking arrived. One more question: does your BlackBerry device have an auto on-off feature? OK, let us summarize. In our Address Book, we have much valuable information about friends; the social network gives an up-to-date avatar, calendar (in contrast to our own calendar, which fills at least our sleeping time), GPS location points, and SW names that provide several pieces of information. Thanks to the victim's calendar info and GPS info (from photo EXIF or Facebook likes), private data can come to light, such as tracking info, habits, time marked as free, time when you are probably sleeping, and time when you are at home or at the company. For example, my contact information appears in Figure 2. Though my personal data is obfuscated, a few of my email addresses, phone numbers, my home address (the City and County information was obtained from Facebook, by the way), my birthday, BlackBerry PIN and web sites come up. Now let us check my calendar events.

Friday, April, 29th

Friend's birthday (by default it is marked at the 00:00 hour) is set at 00:00, the daily alarm is set at 06:01, WLB Europe 2011, Arena Moscow, 21:00 till 22:30 (9 till 10.30 p.m.). It was a Tarja Turunen concert.

Monday, May, 16th

My free time is set at 00:00-06:01. Indeed, it is the time when my device is sleeping (auto on/off feature), and me too... from time to time. And the daily alarm is set at 06:01.

Figure 13. Up-to-date contact card

Figure 14. Up-to-date calendar events

In addition, if you combine call history with GPS records as two parts of the evidence, you give yourself many opportunities to draw a social graph of accomplices. Extracting all possible fields from the object called PIM is the goal for gathering more information about the attacked individual from their overall profile.

The password tips mentioned on the net are defeated by the tendency to make passwords ever more complex. Guess why. Do you have enough time to type a random string (20-40 characters in length)? How many web sites do you log in to? There are more than I can count. Facebook, Myspace, Linkedin, Twitter and any number of other social networking sites? Probably a dozen. Shopping sites? Yes, several. Emails, IMs, etc. Every site requires you to create a password, a strong password. Is it possible to memorize them? Some people solve it with a digital wallet. Great! All you need to keep in mind is one super complex password. The other stored passwords are encrypted by default. Examples are BlackBerry Wallet and Kaspersky Password Manager. Both are described as an indispensable tool for the active internet and shopping user. In addition, such a tool fully automates the process of entering passwords and other data into websites and saves the user the trouble of creating and remembering multiple passwords. It is still insecure. Do not neglect spyware that is able to capture the screens of your device. OK, forget about that kind of malware. Let us talk about a more common way of using BlackBerry Wallet. You need to see the password to type it, or you need to copy it into the clipboard. Moreover, no software producer can protect it, because the data has to be put into a public text box. In other words, the end-point object is vulnerable. By the way, there is a getClipboard() method in the BlackBerry API that retrieves the system's clipboard object. Your data and password are open to it. Other methods of password stealing were already discussed at the beginning of the article.

Figure 15. Screen-shot of BlackBerry Wallet

The next victim is the message (SMS, MMS, email, and further email). Email is one of the most common ways people communicate. From internal meeting requests to distribution of documents and general conversation, one would be hard pressed to find an organization of any size that does not rely on email. Studies have shown that more email is generated every day than phone conversations and paper documents combined. Many users store their personal calendars and contacts on, and even synchronize their email clients with, their mobile devices.

Figure 16. Potential Messages

A less interesting part of the evidence includes browser history, browser bookmarks, memos, tasks, etc. This kind of forensics makes sense in the case of a company policy violation by visiting certain sites, or for the time aspect (when the computer was connected to a site at the time when something happened), and to reconstruct a detailed history of a computer's use by examining a handful of files that contain a web browser's past operation. One more part of it is the Favorites folder, which contains the URLs of web sites saved by the user, probably because they are of interest to the user and are frequently visited; explicit storing of these links indicates intent.

Figure 17. Potential WebBrowser Bookmarks

Figure 18. Potential BBM chat

Pictures, videos, voice notes, and other files. Let's start from the last item, other files. What a digital document can tell you about the person who wrote it is often more important than what it says when you read it. It may contain evidence equivalent to a smoking gun for your case, but do you know who created the document and when it was written? Obtaining a digital document and hoping to enter it into the record at court is not enough. You must link the evidence to the document creator, and that's where document forensics is critical in trial preparation. Although the electronic document cannot speak, what it can tell about who, what, when, where, why, and how is often much more credible than any testimony by a witness. Voice notes, videos and pictures show us in general what in particular interests our victim. It may be a secret/internal presentation that he video-captured or audio-captured. This case is useful for us, because we don't need to intercept API events; all we need to do is listen for file creation and deletion events. Pictures are more interesting as camera snapshots, since they have an EXIF header. Metadata is, quite simply, data

about data. For example, a Microsoft Word document's metadata may contain the author's name and the dates the document was created/modified. Metadata may contain useful information for an investigator. Specifically, digital camera pictures may contain an Extended File Information (EXIF) header, which saves information about the camera that took the picture.

The EXIF format was created by the Japan Electronic Industry Development Association and is referenced as the preferred image format for digital cameras in ISO 12234-1. Many digital camera manufacturers, such as Canon, Sony and Kodak, implement the use of EXIF headers. This header is stored in an application segment of a JPEG file, or as privately defined tags in a TIFF file. This means that the resulting JPEG or TIFF is still in a standard format readable by applications that are ignorant of EXIF information [3]. A typical EXIF header (in human readable format) contains: File name/size/date, Camera make/model, Date/Time, Resolution, etc. Although it is possible to retrieve EXIF headers by looking at each picture in a disk editor, a considerable amount of time is required to translate the hex codes into human readable format. You can use Adobe Photoshop, ACDSee, or jhead, which is 88K in size. Let us look at it with ACDSee software.

BlackBerry EXIF-Picture information

FileName                 Moskva-20110801-00007.jpg

Camera
Camera Make              Research In Motion
Camera Model             BlackBerry 9800
X-Resolution             72/1
Y-Resolution             72/1
Resolution               inches
Software                 Rim Exif Version1.00a
DateTime                 01.08.2011 0:38:43
YCbCr                    Near

Picture
Exposure time            0s
DateTime                 01.08.2011 0:38:43
Focus Dist               N/A
Light source             N/A
Flash used               No
Brightness-color space   sRGB
Width                    2592
Height                   1944

GPS
GPS base-latitude        northern latitude
GPS latitude             55, 52 6.18
GPS base-longitude       east longitude
GPS longitude            37, 36 55.8
GPS orthometric height   0m

Misc
EXIF version             2.2
GPS version              (32,32,30,30)

Last of them is IM chat. Instant messaging is a well-established means of fast and effective communication. Once used primarily by home users for personal communications, IM solutions are now being deployed by organizations to provide convenient internal communication. This often includes the exchange and discussion of proprietary and sensitive information, thus introducing privacy concerns. Although IM is used in many legitimate activities for conversations and message exchange, it can also be misused by various means. For example, an attacker may masquerade as another user by hijacking the connection, performing a man-in-the-middle attack, or by obtaining physical access to a user's computer. Analysis of IM in terms of computer forensics and intrusion detection has gone largely unexplored until now. All humans have

unique patterns of behavior, much like the uniqueness of biometric data. Therefore, certain characteristics pertaining to language, composition, and writing, such as particular syntactic and structural layout traits, patterns of vocabulary usage, unusual language usage, and stylistic traits, should remain relatively constant. The identification and learning of these characteristics with a sufficiently high accuracy is the principal challenge in author identification. IM forensics is meant to answer the following questions:
- identify an author of an IM conversation based strictly on author behavior
- classify behavior characteristics

IM chat csv file format

Date/Time          PIN Sender   PIN Receiver   Data
YYYYMMDDHHMMSSMS   HEX VALUE    HEX VALUE      STRING

Date/Time          ID Sender    ID Receiver    Data
YYYYMMDDHHMMSSMS   STRING       STRING         STRING

File paths that should be monitored

/Device/Home/User/                       if information is stored on internal memory
/MediaCard/BlackBerry/                   if information is stored on external memory
../IM/AIM/USERNAME/history/              AIM's history in csv format
../IM/BlackBerryMessenger/PIN/history/   BBM's history in csv format
../IM/GoogleTalk/USERNAME/history/       GTalk's history in csv format
../IM/Yahoo/USERNAME/history/            YMessenger's history in csv format
../IM/WindowsLive/USERNAME/history/      WLive's history in csv format
../pictures                              Manually added pictures or screenshot data
../camera                                Photo captured data
../videos                                Video captured data
../voice notes                           Voice captured data

some of them below. Some of them are close to those for other mobile devices.

BlackBerry Device Forensics

- BlackBerry device forensics is very similar to forensics of any system
- The mobile investigating process is the same as for a PC
- The BlackBerry device is a push technology device that does not require synchronization with a PC

Investigative Methods of BlackBerry Device Forensics

Prior to investigating the BlackBerry device, we have to secure and acquire the evidence. There are four steps to investigating a BlackBerry device:
- Examination
- Identification
- Collection
- Documentation

Author behavior categorization uses a set of characteristics that remain relatively constant for a large number of IM messages written by an author. These characteristics, known as stylometric features, include syntactic and structural layout traits, patterns of vocabulary usage, unusual language usage, and stylistic features. Each author has various stylometric features that are sufficient to uniquely identify him or her. Stylometric features are often word-based, including word and character frequency distributions, word length, and sentence length. Literary analysts and computational linguists often use frequency lists. Various syntactic features are also included, such as the use of function words (short all-purpose words such as "the" and "to"), punctuation, greetings and farewells, and emoticons. Users also use abbreviations for common phrases, such as LOL (laughing out loud) and ROTFL (rolling on the floor laughing), as well as shortened spellings of words, such as "ru" (are you) and "4" (for). So, in this case, IM analysis gives forensics an opportunity to identify a person who is otherwise anonymous.
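The stylometric features named above can be computed directly from an IM history in the csv layout shown earlier (Date/Time, PIN Sender, PIN Receiver, Data). The Python code below is an added example and not part of the original article: the history rows, the PINs, the questioned message and the word lists are constructed, the trailing digits of the timestamp are assumed to be the sub-second part, and the nearest-profile comparison is a simple stand-in for a trained classifier.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Function words and abbreviations: the article's own examples plus a few
# constructed additions; a real study would use far longer lists.
FUNCTION_WORDS = {"the", "to", "a", "of", "and", "in", "is", "it", "for", "on"}
ABBREVIATIONS = {"lol", "rotfl", "ru", "4", "u", "thx"}
EMOTICON = re.compile(r"[:;]-?[)(DPp]")
WORD = re.compile(r"[A-Za-z0-9']+")

# CONSTRUCTED history rows in the article's column order:
# Date/Time (YYYYMMDDHHMMSSMS), PIN Sender (hex), PIN Receiver (hex), Data
SAMPLE_HISTORY = '''\
2011073021570500,2AAAAAAA,2BBBBBBB,"Hello, are you coming to the lab today?"
2011073021581200,2BBBBBBB,2AAAAAAA,"lol ru coming 4 lunch :)"
2011073021593000,2AAAAAAA,2BBBBBBB,"The report is finished and it is on the server."
2011073022001500,2BBBBBBB,2AAAAAAA,"thx u r the best ;-) rotfl"
'''
QUESTIONED = ["lol thx 4 the file :)"]  # constructed text of unknown authorship


def parse_history(text):
    """Turn csv history text into a list of message dictionaries."""
    rows = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if not row:
            continue
        if len(row) != 4:
            raise ValueError(f"line {lineno}: expected 4 columns, got {len(row)}")
        stamp, sender, receiver, data = row
        rows.append({
            # ASSUMPTION: first 14 digits are the timestamp, the rest sub-seconds.
            "time": datetime.strptime(stamp[:14], "%Y%m%d%H%M%S"),
            "sender": int(sender, 16),
            "receiver": int(receiver, 16),
            "text": data,
        })
    return rows


def features(texts):
    """(mean word length / 10, function-word share, abbreviation share,
    emoticons per message) for a list of message texts."""
    words = [w.lower() for t in texts for w in WORD.findall(EMOTICON.sub(" ", t))]
    if not words or not texts:
        return (0.0, 0.0, 0.0, 0.0)
    n = len(words)
    return (sum(map(len, words)) / n / 10,
            sum(w in FUNCTION_WORDS for w in words) / n,
            sum(w in ABBREVIATIONS for w in words) / n,
            sum(len(EMOTICON.findall(t)) for t in texts) / len(texts))


def build_profiles(rows):
    """One feature vector per sender PIN."""
    by_sender = defaultdict(list)
    for row in rows:
        by_sender[row["sender"]].append(row["text"])
    return {pin: features(texts) for pin, texts in by_sender.items()}


def attribute(texts, profiles):
    """Return (closest PIN, distance per PIN) by Euclidean distance."""
    questioned = features(texts)

    def distance(profile):
        return sum((a - b) ** 2 for a, b in zip(questioned, profile)) ** 0.5

    distances = {pin: round(distance(p), 3) for pin, p in profiles.items()}
    return min(distances, key=distances.get), distances


if __name__ == "__main__":
    profiles = build_profiles(parse_history(SAMPLE_HISTORY))
    best, distances = attribute(QUESTIONED, profiles)
    print(f"closest profile: {best:#x}", distances)
```

With two messages per author the profiles are only illustrative; as the text says, the features stabilize over a large number of messages.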

BlackBerry Device Investigative Tips

- If the device is in the on state, you have to preserve the state by supplying adequate power.
- If the device is in the off state, leave it in that state, switch on the device, not battery and photograph the device.
- If the device is in the cradle, avoid any communication activities.
- If wireless is on, eliminate any activity by placing the device in an envelope, anti-static and isolation bag.

Conclusion

Summarizing all the information above, you should have several plans of action for BlackBerry forensics. I give

BlackBerry Forensic Tips

The RIM device shares the same evidentiary value as any other Personal Digital Assistant (mobile device). As the investigator may suspect of most file systems, a delete is by no means a total removal of data on the device. However, the RIM's always-on, wireless push technology adds a unique dimension to forensic examination. In fact, a RIM device does not need a cradle or desktop connection to be useful. The more time a mobile device spends with its owner, the greater the chance that it will accurately reflect and tell a story about that person. The BlackBerry is an always-on, push messaging device. Information can be pushed to the device through its radio antenna at any time, potentially overwriting previously deleted data. Without warning, applications such as the email client, instant messaging, wireless calendar, and any number of third-party applications may receive information that makes the forensic investigator's attempts to obtain an unaltered file system much more difficult. In order to preserve the unit, turn the radio off. Note that completely powering off the RIM will wipe data from the SRAM. Logs stored there, which may be of interest, will not survive a full power-down. If the RIM is password protected, get the password. The password itself is not stored on the unit; rather, an SHA-1 hash of the password is stored and compared to a hash of what is entered. The examiner only has the opportunity to guess 10 times before a file system wipe occurs to protect the data. This wipe will destroy all non-OS files. No software exists to circumvent the password protection. A direct-to-hardware solution will be required if the password is not available. Thus, the RIM's currently unsurpassed portability is the examiner's greatest ally.

On the Net

- http://na.BlackBerry.com/eng/devjournals/resources/journals/jan_2006/ipd_file_format.jsp - BlackBerry IPD File Format (.ipd)
- http://www.ca.com/us/home/lpg/forms/na/sre/12625_15012.aspx - Defending Against Insider Threats To Reduce Your IT Risk
- http://www.elcomsoft.com/eppb.html - Elcomsoft Phone Password Breaker
- http://menastep.com - MagicBerry IPD Reader
- http://www.processtext.com/abcBlackBerry.html - Amber BlackBerry Converter
- http://www.elcomsoft.com/ebbe.html - Elcomsoft BlackBerry Backup Explorer
- http://www.paraben.com/device-seizure.html - Paraben Mobile Device Seizure
- https://www.BlackBerry.com/Downloads/entry.do?code=A8BAA56554F96369AB93E4F3BB068C22 - BlackBerry Desktop Manager
- http://us.blackberry.com/developers/resources/simulators.jsp - BlackBerry Simulator
- http://www.cellebrite.com/forensic-products/forensic-products/ufed-physical-pro.html - Cellebrite for Mobile Forensics, Universal Forensic Extraction Device

YURY CHEMERKIN
Graduated from Russian State University for the Humanities (http://rggu.com/) in 2010. At present a postgraduate at RSUH. Information Security Analyst since 2009, currently working as a mobile info security researcher in Moscow. I have scientific and applied interests in the sphere of forensics, cyber security, AR, perceptive reality, semantic networks, mobile security and cloud computing. I'm researching BlackBerry Infrastructure and the effects of the trust bot-net & forensic techniques on human privacy. E-mail: yury.chemerkin@gmail.com (yury.chemerkin@facebook.com) Facebook: www.facebook.com/yury.chemerkin LinkedIn: http://ru.linkedin.com/pub/yury-chemerkin/2a/434/549
