Difference between pages "Blackberry Forensics" and "BitLocker: how to image"

From ForensicsWiki

= Blackberry Forensics =

== Warning for BlackBerry Forensics ==

[[BlackBerry]] devices come with password protection. The owner can protect all data on the phone with a password. The user may also specify the number of password attempts allowed before all data is wiped from the device.

[[Image:Image1.jpg]]

If you exceed your password attempt limit (defaults to 10, but you can set it as low as 3), you will be prompted one last time to type the word BlackBerry.

[[Image:Image2.jpg]]

The device will then wipe. It will be reset to the factory out-of-the-box condition (default folder structure), and the password reset. You will lose everything in the device memory, with no possibility of recovery. It will not reformat the microSD card, since that is not part of the factory configuration. The phone will still be usable, and the operating system will be unchanged, so this technique cannot be used to roll back from an OS upgrade problem.

Obviously this is a serious problem if you need to perform forensics on the device. The best workaround is to work with the owner of the device and hopefully get them to disclose the password.

== Acquiring BlackBerry Backup File (.ipd) ==

1. Open BlackBerry’s Desktop Manager<br/>
2. Click “Options” then “Connection Settings”<br/>
[[Image:4.JPG]]<br/>
4. Select “USB-PIN: 2016CC12” for connection<br/>
[[Image:1.JPG]]<br/>
5. Click “Detect”; it should then show a dialog box saying it found the device<br/>
6. Click "OK" to return to the main menu<br/>
7. Double click “Backup and Restore”<br/>
[[Image:2.JPG]]<br/>
8. Click "Backup"<br/>
[[Image:5.JPG]]<br/>
9. Save the .ipd file<br/>
[[Image:3.JPG]]<br/>

== Opening Blackberry Backup Files (.ipd) ==

1. Purchase Amber BlackBerry Converter from [http://www.processtext.com/abcblackberry.html] or download the trial version.

2. Use File | Open and point the program to the BlackBerry backup file (.ipd).

3. Navigate to the appropriate content by using the navigator icons on the left.

== BlackBerry Simulator ==

This is a step-by-step guide to downloading and using a BlackBerry simulator. For this example I downloaded version 4.0.2 in order to simulate the 9230 series.

1. Select a simulator to download from the drop-down list on the [https://www.blackberry.com/Downloads/entry.do?code=060AD92489947D410D897474079C1477 BlackBerry website]. Click ''Next''.

2. Look through the list and download BlackBerry Handheld Simulator v4.0.2.51.

3. Enter your proper user credentials and click ''Next'' to continue.

4. On the next page, reply accordingly to the eligibility prompt and click ''Next'' to continue.*

5. Agree or disagree to the SDK agreement and click ''Submit'' to continue.*

6. The next page will provide you with a link to download the .ZIP file containing the wanted simulator.

* - If you disagree at any of these points you will not be able to continue to the download.

7. Extract the files to a folder that can easily be accessed (I used the desktop).

8. In that folder, find the xxxx.bat file (where xxxx is the model number of the device that is being simulated). The simulator should now open an image that resembles the phone.

9. In the ''BlackBerry 7230 Simulator'' window, select ''Simulate'' | ''USB Cable Connected''. Refer to ''Figure __'' for further reference.

10. Open BlackBerry Desktop Manager. If there are no Outlook profiles created there will be a prompt on how to create one. Click ''OK'' to continue. If the BlackBerry xxxx Simulator has properly connected to the BlackBerry Desktop Manager, ''Connected'' should be displayed at the bottom of the BlackBerry Desktop Manager window. Refer to Figure __ for further reference.

11. Double click ''Backup and Restore'' | select ''Restore...''. Refer to Figure __ for further reference.

12. Navigate to the directory where a previously backed-up .ipd file is stored and select Open to load that file into the Simulator. See the Acquiring BlackBerry Backup File (.ipd) section above for information on how to back up a physical BlackBerry.

Below is an example of a 7510 simulator. These simulators ARE capable of connecting to BlackBerry Desktop Manager.

[[Image:Image3.jpg]]

== Acquisition with Paraben's Device Seizure ==

As an alternative to acquiring the BlackBerry through Amber BlackBerry Converter, Paraben's Device Seizure is a simple and effective method to acquire the data. The only drawback is that this method takes significantly more time to acquire than using Amber BlackBerry Converter.

1. Create a new case in Device Seizure with File | New.

2. Give the case a name and fill in any desired information about the case on the next two screens. Nothing is actually required to be entered. The third screen is a summary of the data entered. If all data is correct click Next and then Finish.

3. You are now ready to acquire the phone. Go to Tools | Data Acquisition.

4. You are prompted for the supported manufacturer. Select RIM BlackBerry (Physical).<br/>
[[Image:Image10.JPG]]<br/><br/>

5. Leave supported models at the default selection of autodetect.<br/>
[[Image:Image11.JPG]]<br/><br/>

6. Connection type should be set to USB.<br/>
[[Image:Image12.JPG]]<br/><br/>

7. For data type selection select Memory Image.<br/>
[[Image:Image13.jpg]]<br/><br/>

8. Confirm your selections on the summary page and click Next to start the acquisition.

== Blackberry Protocol ==

http://www.off.net/cassis/protocol-description.html

Here is a useful link to the BlackBerry Protocol as documented by Phil Schwan, Mike Shaver, and Ian Goldberg. The article describes in detail packet sniffing and the protocol as it relates to data transfer across a USB port.

Revision as of 01:03, 15 July 2013

= BitLocker: how to image =

= Imaging Options =

There are multiple ways to image a computer with BitLocker security in place.

== Traditional Imaging ==

One can make a traditional image; the image then contains the encrypted data.

Options exist to decrypt the data offline, provided the password or recovery password is available. Some are:

* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
* [[EnCase]] (as of version 6) with the (optional) encryption module
* [[libbde]]

The recovery password is a long series of digits broken up into 8 segments.

<pre>
123456-123456-123456-123456-123456-123456-123456-123456
</pre>

Note that there is no white space in the recovery password, including at the end; EnCase, for example, does not accept the recovery password if there is trailing white space.

The recovery password can be recovered from a BitLocker-enabled computer, provided it can be logged into, or from escrow if it was stored there.

The basic steps are:

# Make a "traditional" full disk image.
# Recover the password. This can be done by booting the original computer, or by creating a clone and booting the clone (booting from a clone has not been tested at this time).
## Once booted, log into the computer.
## Use the BitLocker control panel applet to display the password. This can also be done from the command line.
## Record the password.
# For EnCase v6 or higher with the encryption module installed:
## Load the image into EnCase.
## You will be prompted for the password. Simply enter it and continue.
## If you prefer to have an unencrypted image to work with other tools or share with co-workers, you can "re-acquire" the image from within EnCase. The new image will have unencrypted data.
## After adding the encrypted image into your case, simply right click on the drive in the left panel and select Acquire. Select "do not add to case". You will be presented with a dialog window to enter new information about the image. Make sure the destination you select for your new image does not already exist.
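The recovery password format described above (eight hyphen-separated groups of digits, no white space anywhere, including at the end) is easy to get wrong when the key is copied from a printout or a screenshot, and a tool such as EnCase will simply refuse it. The following Python script is an added example, not code from this wiki page or from any of the tools it names: it normalizes a pasted recovery password and checks the 8 x 6-digit layout before you type it into a decryption tool. Going one step beyond the page, it also applies a structural property of real BitLocker recovery passwords (each six-digit group is a 16-bit value multiplied by 11, so it is divisible by 11 and below 720896) that open-source tools such as libbde and dislocker check as well. All sample passwords in it are constructed; the page's illustrative "123456-..." string has the right layout but, not being a real key, fails the structural check.

```python
import re

# Layout of a BitLocker recovery password: eight groups of six decimal digits joined by hyphens.
GROUP_COUNT = 8
GROUP_DIGITS = 6
# Every group of a real recovery password is a 16-bit value multiplied by 11,
# so it is divisible by 11 and strictly below 65536 * 11 = 720896.
GROUP_LIMIT = 65536 * 11


class RecoveryPasswordError(ValueError):
    """Raised when a string cannot be a BitLocker recovery password."""


def normalize_recovery_password(raw):
    """Return the recovery password in canonical form, or raise RecoveryPasswordError.

    All white space is removed first (including the trailing white space that a
    copy/paste from a printout or text file often carries and that EnCase rejects).
    Then the 8-groups-of-6-digits layout is enforced.
    """
    cleaned = re.sub(r"\s+", "", raw)
    groups = cleaned.split("-")
    if len(groups) != GROUP_COUNT:
        raise RecoveryPasswordError(
            "expected %d hyphen-separated groups, found %d" % (GROUP_COUNT, len(groups)))
    for index, group in enumerate(groups, start=1):
        if not re.fullmatch(r"\d{%d}" % GROUP_DIGITS, group):
            raise RecoveryPasswordError(
                "group %d is %r, expected exactly %d digits" % (index, group, GROUP_DIGITS))
    return "-".join(groups)


def has_valid_group_structure(password):
    """True if every group is a multiple of 11 below 720896 (the check open tools apply).

    An illustrative '123456-...' string has the right layout but fails this test,
    because 123456 is not a multiple of 11; a real key always passes it.
    """
    for group in normalize_recovery_password(password).split("-"):
        value = int(group, 10)
        if value % 11 != 0 or value >= GROUP_LIMIT:
            return False
    return True


def check_recovery_password(raw):
    """Classify a candidate: ('invalid', reason), ('layout-only', canonical) or ('plausible', canonical)."""
    try:
        canonical = normalize_recovery_password(raw)
    except RecoveryPasswordError as exc:
        return "invalid", str(exc)
    if has_valid_group_structure(canonical):
        return "plausible", canonical
    return "layout-only", canonical


if __name__ == "__main__":
    # Constructed samples: an illustrative key with trailing white space, a variant
    # with a five-digit group, and a synthetic key whose groups all satisfy the
    # multiple-of-11 rule (none of these is a real recovery password).
    samples = [
        "123456-123456-123456-123456-123456-123456-123456-123456 \n",
        "123456-123456-123456-123456-123456-123456-13456-123456",
        "123453-234564-345642-456654-567666-678667-012342-720885",
    ]
    for sample in samples:
        print(check_recovery_password(sample))
```

Run the script as-is to see the three classifications; in practice, feed it the string you transcribed from the BitLocker control panel or from escrow and only hand the canonical form to EnCase, dislocker or libbde.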

== Live Imaging ==

=== FTK Live Imaging of a physical drive ===

Using FTK Imager Lite, it was determined that a live image of the physical system disk results in an image with an encrypted BitLocker container on it.

Note that the word "physical" here corresponds directly with FTK Imager's use of the term in its image acquisition menu.
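As noted above, a live physical-drive image of a BitLocker-protected system contains the encrypted container rather than the files, so before choosing a decryption route it helps to establish which volumes in an image are BitLocker containers at all. The script below is an added example, not code from this page or from FTK Imager or EnCase. It builds a constructed MBR-partitioned image in memory (the partition layout, sizes and OEM strings are invented for the demonstration), then walks the partition table and inspects each volume boot record: a BitLocker-formatted volume carries the OEM name "-FVE-FS-" at offset 3 of its first sector, where an NTFS volume carries "NTFS    ". It also accepts a logical (single-volume) image and flags a GPT protective entry, which it does not parse further.

```python
import struct

SECTOR = 512
BITLOCKER_OEM = b"-FVE-FS-"   # OEM name of a BitLocker-formatted volume
NTFS_OEM = b"NTFS    "        # OEM name of a plain NTFS volume
GPT_PROTECTIVE = 0xEE         # MBR partition type of a GPT protective entry


def volume_kind(first_sector):
    """Classify a volume from the OEM name field (bytes 3..10) of its boot sector."""
    oem = first_sector[3:11]
    if oem == BITLOCKER_OEM:
        return "bitlocker"
    if oem == NTFS_OEM:
        return "ntfs"
    return "unknown"


def mbr_partitions(image):
    """Yield (index, type, start_lba, sector_count) for the used entries of a classic MBR."""
    mbr = image[:SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        return
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:
            yield i, ptype, start_lba, count


def scan_image(image):
    """Return one dict per volume found, saying whether it is a BitLocker container.

    A logical image (a bare volume) is recognised by its own boot sector; otherwise
    the MBR partition table is walked. GPT disks are reported, not parsed.
    """
    if volume_kind(image[:SECTOR]) != "unknown":
        return [{"partition": None, "start_lba": 0, "kind": volume_kind(image[:SECTOR])}]
    found = []
    for index, ptype, start_lba, count in mbr_partitions(image):
        if ptype == GPT_PROTECTIVE:
            found.append({"partition": index, "start_lba": start_lba, "kind": "gpt-protective"})
            continue
        offset = start_lba * SECTOR
        vbr = image[offset:offset + SECTOR]
        kind = volume_kind(vbr) if len(vbr) == SECTOR else "truncated"
        found.append({"partition": index, "start_lba": start_lba,
                      "sectors": count, "kind": kind})
    return found


def make_boot_sector(oem):
    """Constructed boot sector: jump stub, OEM name, zero padding, 0x55AA signature."""
    sector = bytearray(SECTOR)
    sector[0:3] = b"\xeb\x52\x90"
    sector[3:11] = oem
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def build_sample_image():
    """Constructed disk: a small NTFS 'system reserved' volume, then a BitLocker OS volume."""
    layout = [(8, 8, NTFS_OEM), (16, 8, BITLOCKER_OEM)]   # (start_lba, sectors, oem)
    total = max(start + count for start, count, _ in layout)
    image = bytearray(total * SECTOR)
    # Partition table entries: status, CHS start, type 0x07, CHS end, start LBA, sector count.
    for i, (start, count, _) in enumerate(layout):
        entry = struct.pack("<B3sB3sII", 0x00, b"\0\0\0", 0x07, b"\0\0\0", start, count)
        image[446 + 16 * i:446 + 16 * (i + 1)] = entry
    image[510:512] = b"\x55\xaa"
    for start, _, oem in layout:
        image[start * SECTOR:start * SECTOR + SECTOR] = make_boot_sector(oem)
    return bytes(image)


if __name__ == "__main__":
    for volume in scan_image(build_sample_image()):
        print(volume)
```

Against a real acquisition you would pass the raw image bytes (or a memory-mapped file) to scan_image; a "bitlocker" result tells you the FTK physical image needs one of the offline decryption options listed under Traditional Imaging, while an "ntfs" result means the volume is readable as acquired.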

=== FTK Live Imaging of a logical partition ===

This has not been verified to work or fail at this time.

Note that the word "logical" here corresponds directly with FTK Imager's use of the term in its image acquisition menu.

=== FTK Live Files and Folders collections ===

This was not attempted, but it seems reasonable to assume this will collect unencrypted files.

== See Also ==

* [[BitLocker Disk Encryption]]
* [[Defeating Whole Disk Encryption]]

[[Category:Disk encryption]]
[[Category:Windows]]