Difference between pages "Blackberry Forensics" and "SIM Cards"

From ForensicsWiki
m
 
(Added picture of SIM Card)
 
Line 1: Line 1:
== Warning for BlackBerry Forensics ==
+
__TOC__
[[BlackBerry]] devices come with password protection. The owner has the capability to protect all data on the phone with a password. The user may also specify the amount of attempts for entering the password before wiping all data from the device.
+
  
[[Image:Image1.jpg]]
+
[[Image:Simpic.jpg|frame|Picture of SIM Card]]
 +
== SIM-Subscriber Identity Module ==
  
If you exceed your password attempts limit (defaults to 10, but you can set it as low as 3), you will be prompted one last time to type the word BlackBerry.  
+
The terms SIM, smart card, and UICC have an unfortunate tendency to be used interchangeably.  The UICC is hardware.  A SIM is a software application.  Generally speaking a smart card is a UICC running a SIM as well as possibly other applications.
  
[[Image:Image2.jpg]]
+
SIM is actually just an application running on a smartcard.  A given card could contain multiple SIM’s, allowing, for instance, a given phone to be used on multiple networks.
  
The device will then wipe. It will be reset to the factory out-of-the-box condition (default folder structure), and the password reset. You will lose everything in the device memory, with no possibility of recovery. It will not reformat the microSD card, since that's not part of the factory configuration. The phone will still be usable, and the operating system will be unchanged. So this technique cannot be used to roll back from an OS upgrade problem.
+
A typical SIM contains several categories of information. One is the actual identity of the card itself.  The SIM needs to have a unique identity to the network. This allows the network to identify what sources the subscriber is entitled to, billing information, etc.  A second category relates to the actual operation of the device. Information such as the last number called, or the length of the phone call can be stored. A third category of information is personalized information.  Phonebooks or calendars fall into this category.
  
Obviously this is a serious problem if you need to perform forensics on the device. The best work around is to work with the owner of the device and hopefully get them to disclose the password.
+
A SIM has three major purposes
 +
* Uniquely identify the subscriber
 +
* Determines phone number
 +
* Contains algorithms for network authentification
  
== Acquiring BlackBerry Backup File (.ipd) ==
+
A Sim contains
 +
* 16 to 64 KB of memory
 +
* Processor
 +
* Operating System
  
1. Open Blackberry’s Desktop Manager<br/>
 
2. Click “Options” then “Connection Settings” <br/>
 
[[Image:4.JPG]]<br/>
 
4. Select “USB-PIN: 2016CC12” for connection<br/>
 
[[Image:1.JPG]]<br/>
 
5. Click “Detect”, then it should show a dialog box saying it found the device<br/>
 
6.      Click "OK" to return to the main menu<br/>
 
7. Double click “Backup and Restore”<br/>
 
[[Image:2.JPG]]  <br/>
 
8.      Click "Backup"<br/>
 
[[Image:5.JPG]]<br/>
 
9. Save the .ipd file<br/>
 
[[Image:3.JPG]]<br/>
 
  
== Opening Blackberry Backup Files (.ipd) ==
+
== Uses of SIMs ==
1. Purchase Amber BlackBerry Converter from [http://www.processtext.com/abcblackberry.html]
+
<br>Or
+
<br>Download Trial Version
+
<br><br>2. Use File | Open and point the program to the BlackBerry backup file (.ipd).
+
<br><br>3. Navigate to the appropriate content by using the navigator icons on the left.
+
  
 +
SIM cards can be used in any kind of device or situation where there is a need to authenticate the identity of a user.  They are particularly useful when  there is a need or desire to provide different types or levels of service to many users who have different configurations.
  
== BlackBerry Simulator ==
+
The primary use of SIM cards in the United States is in cell phones.  There are other uses as well.  The US military issues smart cards as identification to its personnel.  These cards are used to allow users to log into computers. 
  
This is a step by step guide to downloading and using a BlackBerry simulator. For this example I downloaded version 4.0.2 in order to simulate the 9230 series.
+
Europe has seen a wider use of these cards. The credit and debit card industry has integrated this technology in their cards for years. Similarly, a number of European phone companies have used these as phone cards to use in public telephones. The card companies in the United States have evidently not seen enough fraud to have a business justification to switch to this technology.  There is some speculation that American credit cards will use a future generation of the technology when the added robustness and security of the system will make more economic sense.
  
1. Select a simulator to download from the drop-down list on the [https://www.blackberry.com/Downloads/entry.do?code=060AD92489947D410D897474079C1477]BlackBerry website. Click ''Next''.
+
The SIM uses a hierarchically organized file system that stores names, phone numbers, received and sent text messages.  It also contains the network configuration information. The SIM also allows for easy transporting of all information from one phone to another. Forensically speaking, a SIM could be an incredible source of evidence. It allows for all information that the suspect has dealt with over the phone to be investigated. All phone numbers dialed, and receieved would be available for investigation.  Also, if no identifying information is on the phone the network provider could be contacted and could possibly provide more information that is even on the SIM.
  
2. Look through the list and download BlackBerry Handheld Simulator v4.0.2.51.
+
One downside to the use of SIM cards is the amount of thefts that occur.  A person could steal a SIM card and use it for their own personal calls, which would be still on the original owners information log. This is becoming a problem in European countries with the theft of SIM cards.
  
3. Enter your proper user credentials and click ''Next'' to continue.
+
== SIM Security ==
  
4. On the next page, reply accordingly to the eligibility prompt and click ''Next'' to continue.*
+
There are two things that help secure the information located on your SIM.  The PIN (Personal Identification Number) and the PUK (Personal Unlocking Code).
  
5. Agree or disagree to the SDK agreement and click ''Submit'' to continue.*
+
When PIN protection is enabled, every time the phone is turned on - the PIN must be entered. The information on the SIM is locked until the correct code is entered.  The PIN by default is at a standard default number and can be changed on the handset.  If the PIN is entered incorrectly 3 times in a row the phone is locked and another code called the PUK is needed from the network provider.
  
6. The next page will provide you with a link to download the .ZIP file containing the wanted simulator.
+
If the PIN is incorrectly entered 3 times in a row, the phone is locked making the phone unable to make or receive any calls or SMS messages. The PUK, which is an 8 digit code, is needed from the network provider to unlock the phone. If the pin is entered 10 times incorrectly, the SIM is permanently disabled and the SIM must be exchanged.
* - If you disagree at any of these points you will not be able to continue to the download.
+
  
7. Extract the files to a folder that can easily be accessed (I used the desktop).
+
==SIM Forensics==
 
+
8. In that folder, find the xxxx.bat file (where xxxx is the model number of the device that is being simulated). The simulator should now open an image that resembles the phone.
+
 
+
9. In the ''BlackBerry 7230 Simulator'' window, select ''Simulate'' | ''USB Cable Connected''.  Refer to ''Figure __'' for further reference.
+
 
+
10. Open BlackBerry Desktop Manager.  If there are no Outlook profiles created there will be a prompt on how to create one.  Click ''OK'' to continue.  If the BlackBerry xxxx Simulator has properly connected to the BlackBerry Desktop Manager, ''Connected'' should be displayed at the bottom of the BlackBerry Desktop Manager window.  Refer to Figure __ for further reference.
+
 
+
11. Double click ''Backup and Restore'' | select ''Restore...''.  Refer to Figure __ for further reference.
+
 
+
12. Navigate to the directory where an .ipd file that has been previously backed up is stored and select Open to load that file to the Simulator.  See the Acquiring BlackBerry Backup File[[]] section above on information on how to backup a physical BlackBerry.
+
 
+
Below is an example of a 7510 simulator. These simulators ARE capable of connecting to BlackBerry Desktop Manager.
+
 
+
[[Image:Image3.jpg]]
+
 
+
== Acquisition with Paraben's Device Seizure ==
+
 
+
As an alternative to acquiring the Blackberry through Amber Blackberry Converter, Paraben's Device Seizure is a simple and effective method to acquire the data.  The only drawback, is that this method takes significantly more time to acquire than using Amber Blackberry Converter.
+
 
+
1. Create a new case in Device Seizure with File | New.
+
 
+
2. Give the case a name and fill in any desired information about the case on the next two screens.  Nothing is actually required to be entered.  The third screen is a summary of the data entered.  If all data is correct click Next and then Finish.
+
 
+
3. You are now ready to acquire the phone.  Go to Tools | Data Acquisition.
+
 
+
4. You are prompted for the supported manufacturer.  Select RIM Blackbery (Physical).<br/>
+
[[Image:Image10.JPG]]<br/><br/>
+
 
+
5. Leave supported models at the default selection of autodetect.<br/>
+
[[Image:Image11.JPG]]<br/><br/>
+
 
+
6. Connection type should be set to USB.<br/>
+
[[Image:Image12.JPG]]<br/><br/>
+
 
+
7. For data type selection select Logical Image (Databases).<br/>
+
[[Image:Image13.jpg]]<br/><br/>
+
 
+
8. Confirm your selections on the summary page and click Next to start the acquisition.
+
 
+
== Blackberry Protocol ==
+
http://www.off.net/cassis/protocol-description.html
+
 
+
Here is a useful link to the Blackberry Protocol as documented by Phil Schwan, Mike Shaver, and Ian Goldberg. The article goes into great description of packet sniffing and the protocol as it relates to data transfer across a USB port.
+
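
Review bot: in the SIM Security text, the last paragraph says the SIM is permanently disabled when "the pin is entered 10 times incorrectly", but the same paragraph says three wrong PINs in a row already lock the phone and require the PUK, so as written the 10-entry limit cannot be reached with the PIN; state which code that limit counts. The three-attempt lockout is also explained twice in consecutive paragraphs and could be merged, and "==SIM Forensics==" comes in as a heading with no body under it.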

Revision as of 15:46, 7 March 2006

Picture of SIM Card

SIM-Subscriber Identity Module

The terms SIM, smart card, and UICC have an unfortunate tendency to be used interchangeably. The UICC is hardware. A SIM is a software application. Generally speaking a smart card is a UICC running a SIM as well as possibly other applications.

A SIM is actually just an application running on a smart card. A given card could contain multiple SIMs, allowing, for instance, a given phone to be used on multiple networks.

A typical SIM contains several categories of information. One is the actual identity of the card itself. The SIM needs to have a unique identity to the network. This allows the network to identify what sources the subscriber is entitled to, billing information, etc. A second category relates to the actual operation of the device. Information such as the last number called, or the length of the phone call can be stored. A third category of information is personalized information. Phonebooks or calendars fall into this category.

A SIM has three major purposes:

  • Uniquely identify the subscriber
  • Determine the phone number
  • Contain algorithms for network authentication

A SIM contains:

  • 16 to 64 KB of memory
  • Processor
  • Operating System


Uses of SIMs

SIM cards can be used in any kind of device or situation where there is a need to authenticate the identity of a user. They are particularly useful when there is a need or desire to provide different types or levels of service to many users who have different configurations.

The primary use of SIM cards in the United States is in cell phones. There are other uses as well. The US military issues smart cards as identification to its personnel. These cards are used to allow users to log into computers.

Europe has seen a wider use of these cards. The credit and debit card industry has integrated this technology in their cards for years. Similarly, a number of European phone companies have used these as phone cards to use in public telephones. The card companies in the United States have evidently not seen enough fraud to have a business justification to switch to this technology. There is some speculation that American credit cards will use a future generation of the technology when the added robustness and security of the system will make more economic sense.

The SIM uses a hierarchically organized file system that stores names, phone numbers, and received and sent text messages. It also contains the network configuration information. The SIM also allows for easy transporting of all information from one phone to another. Forensically speaking, a SIM could be an incredible source of evidence. It allows for all information that the suspect has dealt with over the phone to be investigated. All phone numbers dialed and received would be available for investigation. Also, if no identifying information is on the phone, the network provider could be contacted and could possibly provide more information than is even on the SIM.

One downside to the use of SIM cards is the number of thefts that occur. A person could steal a SIM card and use it for their own personal calls, which would still appear on the original owner's information log. This is becoming a problem in European countries with the theft of SIM cards.

SIM Security

There are two things that help secure the information located on your SIM: the PIN (Personal Identification Number) and the PUK (Personal Unlocking Code).

When PIN protection is enabled, the PIN must be entered every time the phone is turned on. The information on the SIM is locked until the correct code is entered. By default the PIN is set to a standard number, and it can be changed on the handset. If the PIN is entered incorrectly 3 times in a row, the phone is locked and another code, called the PUK, is needed from the network provider.

If the PIN is incorrectly entered 3 times in a row, the phone is locked, making it unable to make or receive any calls or SMS messages. The PUK, which is an 8-digit code, is needed from the network provider to unlock the phone. If the PIN is entered 10 times incorrectly, the SIM is permanently disabled and the SIM must be exchanged.
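
A model of the lockout behaviour described above, added here as an example and not part of the original wiki page, so an examiner can reason about how many guesses remain before a card locks. The class and function names are hypothetical, and it assumes the 10-entry limit counts codes entered after the card has locked and that a correct unlock code also sets a new PIN.

```python
from dataclasses import dataclass

PIN_TRIES = 3    # page: 3 wrong PINs in a row lock the phone
PUK_TRIES = 10   # assumption: the 10-entry limit counts entries made while locked


@dataclass
class SimLockModel:
    """Hypothetical model of the PIN/PUK retry counters (not vendor code)."""
    pin: str
    puk: str                      # 8-digit code held by the network provider
    pin_left: int = PIN_TRIES
    puk_left: int = PUK_TRIES

    @property
    def state(self) -> str:
        if self.puk_left == 0:
            return "DISABLED"     # permanently disabled, SIM must be exchanged
        if self.pin_left == 0:
            return "PUK_REQUIRED"
        return "PIN_REQUIRED"

    def verify_pin(self, guess: str) -> bool:
        if self.state != "PIN_REQUIRED":
            return False          # PIN entry is refused once the card is locked
        if guess == self.pin:
            self.pin_left = PIN_TRIES   # "in a row": a success resets the counter
            return True
        self.pin_left -= 1
        return False

    def unblock(self, puk_guess: str, new_pin: str) -> bool:
        if self.state != "PUK_REQUIRED":
            return False
        if len(puk_guess) == 8 and puk_guess == self.puk:
            # assumption: a correct PUK installs a new PIN and resets both counters
            self.pin, self.pin_left, self.puk_left = new_pin, PIN_TRIES, PUK_TRIES
            return True
        self.puk_left -= 1
        return False


def guesses_before_lock(sim: SimLockModel) -> int:
    """PIN guesses that can still fail without triggering the PUK lock."""
    return max(sim.pin_left - 1, 0) if sim.state == "PIN_REQUIRED" else 0
```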

SIM Forensics