Difference between pages "Blackberry Forensics" and "Ddrescue"

From ForensicsWiki

Blackberry Forensics

== Warning for BlackBerry Forensics ==

[[BlackBerry]] devices come with password protection. The owner can protect all data on the phone with a password, and can also set the number of password attempts allowed before all data is wiped from the device.

[[Image:Image1.jpg]]

If you exceed the password attempt limit (the default is 10, but it can be set as low as 3), you will be prompted one last time to type the word BlackBerry.

[[Image:Image2.jpg]]

The device will then wipe. It is reset to the factory out-of-the-box condition (default folder structure) and the password is reset. Everything in device memory is lost, with no possibility of recovery. The microSD card is not reformatted, since it is not part of the factory configuration. The phone remains usable and the operating system is unchanged, so this technique cannot be used to roll back from an OS upgrade problem.

Obviously this is a serious problem if you need to perform forensics on the device. The best workaround is to work with the owner of the device and hopefully get them to disclose the password.

== Acquiring BlackBerry Backup File (.ipd) ==

1. Open BlackBerry’s Desktop Manager
2. Click “Options” then “Connection Settings”
[[Image:4.JPG]]
4. Select “USB-PIN: 2016CC12” for connection
[[Image:1.JPG]]
5. Click “Detect”; a dialog box should then report that it found the device
6. Click "OK" to return to the main menu
7. Double click “Backup and Restore”
[[Image:2.JPG]]
8. Click "Backup"
[[Image:5.JPG]]
9. Save the .ipd file
[[Image:3.JPG]]

== Opening Blackberry Backup Files (.ipd) ==

1. Purchase Amber BlackBerry Converter from [http://www.processtext.com/abcblackberry.html], or download the trial version.
2. Use File | Open and point the program to the BlackBerry backup file (.ipd).
3. Navigate to the appropriate content by using the navigator icons on the left.

== BlackBerry Simulator ==

This is a step by step guide to downloading and using a BlackBerry simulator. For this example I downloaded version 4.0.2 in order to simulate the 9230 series.

1. Select a simulator to download from the drop-down list on the [https://www.blackberry.com/Downloads/entry.do?code=060AD92489947D410D897474079C1477 BlackBerry website]. Click ''Next''.
2. Look through the list and download BlackBerry Handheld Simulator v4.0.2.51.
3. Enter your proper user credentials and click ''Next'' to continue.
4. On the next page, reply accordingly to the eligibility prompt and click ''Next'' to continue.*
5. Agree or disagree to the SDK agreement and click ''Submit'' to continue.*
6. The next page will provide you with a link to download the .ZIP file containing the wanted simulator.

* If you disagree at any of these points you will not be able to continue to the download.

7. Extract the files to a folder that can easily be accessed (I used the desktop).
8. In that folder, find the xxxx.bat file (where xxxx is the model number of the device being simulated). The simulator should now open an image that resembles the phone.
9. In the ''BlackBerry 7230 Simulator'' window, select ''Simulate'' | ''USB Cable Connected''. Refer to ''Figure __'' for further reference.
10. Open BlackBerry Desktop Manager. If there are no Outlook profiles created, there will be a prompt on how to create one. Click ''OK'' to continue. If the BlackBerry xxxx Simulator has properly connected to the BlackBerry Desktop Manager, ''Connected'' should be displayed at the bottom of the BlackBerry Desktop Manager window. Refer to Figure __ for further reference.
11. Double click ''Backup and Restore'' | select ''Restore...''. Refer to Figure __ for further reference.
12. Navigate to the directory where a previously backed-up .ipd file is stored and select Open to load that file into the Simulator. See the Acquiring BlackBerry Backup File (.ipd) section above for information on how to back up a physical BlackBerry.

Below is an example of a 7510 simulator. These simulators ARE capable of connecting to BlackBerry Desktop Manager.

[[Image:Image3.jpg]]

== Acquisition with Paraben's Device Seizure ==

As an alternative to acquiring the BlackBerry through Amber BlackBerry Converter, Paraben's Device Seizure is a simple and effective method to acquire the data. The only drawback is that this method takes significantly more time to acquire than using Amber BlackBerry Converter.

1. Create a new case in Device Seizure with File | New.
2. Give the case a name and fill in any desired information about the case on the next two screens. Nothing is actually required to be entered. The third screen is a summary of the data entered. If all data is correct, click Next and then Finish.
3. You are now ready to acquire the phone. Go to Tools | Data Acquisition.
4. You are prompted for the supported manufacturer. Select RIM BlackBerry (Physical).
[[Image:Image10.JPG]]
5. Leave supported models at the default selection of autodetect.
[[Image:Image11.JPG]]
6. Connection type should be set to USB.
[[Image:Image12.JPG]]
7. For data type selection select Logical Image (Databases).
[[Image:Image13.jpg]]
8. Confirm your selections on the summary page and click Next to start the acquisition.

== Blackberry Protocol ==

http://www.off.net/cassis/protocol-description.html

Here is a useful link to the BlackBerry Protocol as documented by Phil Schwan, Mike Shaver, and Ian Goldberg. The article describes in detail packet sniffing and the protocol as it relates to data transfer across a USB port.
Ddrescue

Revision as of 08:09, 25 June 2010

ddrescue
Maintainer: Antonio Diaz Diaz
OS: Linux
Genre: Disk imaging
License: GPL
Website: http://www.gnu.org/software/ddrescue/ddrescue.html

ddrescue is a raw disk imaging tool that "copies data from one file or block device to another, trying hard to rescue data in case of read errors." The application is developed as part of the GNU project and was written with UNIX/Linux in mind.

ddrescue and dd_rescue are completely different programs which share no development between them. The two projects are not related in any way except that they both attempt to enhance the standard dd tool and coincidentally chose similar names for their new programs.

From the ddrescue info pages:

GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.

Ddrescue does not truncate the output file if not asked to. So, every time you run it on the same output file, it tries to fill in the gaps.

The basic operation of ddrescue is fully automatic. That is, you don't have to wait for an error, stop the program, read the log, run it in reverse mode, etc.

If you use the logfile feature of ddrescue, the data is rescued very efficiently (only the needed blocks are read). Also you can interrupt the rescue at any time and resume it later at the same point.

Automatic merging of backups: If you have two or more damaged copies of a file, cdrom, etc, and run ddrescue on all of them, one at a time, with the same output file, you will probably obtain a complete and error-free file. This is so because the probability of having damaged areas at the same places on different input files is very low. Using the logfile, only the needed blocks are read from the second and successive copies.

Installation

Bootable CD

ddrescue is available on bootable rescue cds such as SystemRescueCd http://www.sysresccd.org/Main_Page.

Debian and Ubuntu

The package 'ddrescue' in Debian and Ubuntu is actually dd_rescue, another dd-like program which does not maintain a recovery log. The correct package is gddrescue.

Debian

aptitude install gddrescue

Ubuntu

sudo apt-get install gddrescue

Gentoo

emerge ddrescue

Partition recovery

Kernel 2.6.3+ & ddrescue 1.4+

'ddrescue --direct' will open the input with the O_DIRECT option for uncached reads. 'raw devices' are not needed on newer kernels. For older kernels see below.

First you copy as much data as possible, without retrying or splitting sectors:

ddrescue --no-split /dev/hda1 imagefile logfile

Now let it retry previous errors 3 times, using uncached reads:

ddrescue --direct --max-retries=3 /dev/hda1 imagefile logfile

If that fails you can try again but retrimmed, so it tries to reread full sectors:

ddrescue --direct --retrim --max-retries=3 /dev/hda1 imagefile logfile

You can now use ddrescue (or normal dd) to copy the imagefile to a new partition on a new disk. Use the appropriate filesystem checkers (fsck, CHKDSK) to try to fix errors caused by the bad blocks. Be sure to keep the imagefile around, in case the filesystem is severely broken and data carving tools like testdisk need to be used on the original image.
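The three passes above, together with the logfile that the earlier "logfile feature" paragraph describes, as an added shell example (not code from the ForensicsWiki page or the GNU ddrescue project). It parses a ddrescue logfile to report how much of the mapped area is actually finished, and wraps the pass sequence with the checks an examiner wants before reading evidence: the source must not be mounted, a block-device source is set read-only with util-linux `blockdev --setro`, and the image path must differ from the source. The logfile layout, the `blockdev` call and the `DDRESCUE` override variable are assumptions of this example, not something the page states; newer ddrescue releases call the logfile a mapfile.

```shell
#!/bin/sh
# Added example (not from the ForensicsWiki page or the GNU ddrescue project).
# Assumed logfile layout, as written by ddrescue 1.x: '#' comment lines, one
# "current_pos current_status" line, then "pos size status" block lines with
# hex values and status ? (non-tried), * (non-trimmed), / (non-split),
# - (bad sector) or + (finished).

# Sum the sizes of all blocks in LOGFILE that carry STATUS; prints decimal bytes.
# Usage: ddrescue_log_bytes LOGFILE STATUS
ddrescue_log_bytes() {
    total=0
    while read -r pos size status _; do
        case $pos in ''|'#'*) continue ;; esac   # blank and comment lines
        [ -n "$status" ] || continue             # the two-field status line
        [ "$status" = "$2" ] && total=$(( total + size ))   # size is hex
    done < "$1"
    printf '%s\n' "$total"
}

# Integer percentage of the mapped area whose status is '+' (finished).
ddrescue_log_percent_done() {
    done_bytes=$(ddrescue_log_bytes "$1" '+'); all=0
    for s in '?' '*' '/' '-' '+'; do
        all=$(( all + $(ddrescue_log_bytes "$1" "$s") ))
    done
    if [ "$all" -gt 0 ]; then printf '%s\n' $(( done_bytes * 100 / all )); else printf '0\n'; fi
}

# The page's three passes (kernel 2.6.3+, ddrescue 1.4+) with preconditions,
# skipping later passes once the logfile shows the image is complete.
# DDRESCUE may be pointed at a stub for dry runs (assumed variable, not a
# ddrescue feature).  Usage: rescue_partition /dev/sdX1 imagefile logfile
rescue_partition() {
    dev=$1 image=$2 log=$3
    [ -e "$dev" ] || { echo "no such input: $dev" >&2; return 1; }
    [ "$dev" != "$image" ] || { echo "image must not be the input" >&2; return 1; }
    # A mounted source may still be written to; refuse rather than image it.
    if [ -r /proc/mounts ] && grep -q "^$dev " /proc/mounts; then
        echo "$dev is mounted; unmount it first" >&2; return 1
    fi
    # Set a block-device source read-only (util-linux) before any read pass.
    if [ -b "$dev" ]; then blockdev --setro "$dev" || return 1; fi
    run() { echo "+ ddrescue $*" >&2; "${DDRESCUE:-ddrescue}" "$@"; }
    run --no-split "$dev" "$image" "$log" || return 1                        # pass 1
    [ "$(ddrescue_log_percent_done "$log")" -lt 100 ] || return 0
    run --direct --max-retries=3 "$dev" "$image" "$log" || return 1          # pass 2
    [ "$(ddrescue_log_percent_done "$log")" -lt 100 ] || return 0
    run --direct --retrim --max-retries=3 "$dev" "$image" "$log" || return 1 # pass 3
    echo "finished $(ddrescue_log_percent_done "$log")% of $dev; keep $log with $image" >&2
}

# Constructed sample logfile (not real ddrescue output) for the demo below.
write_sample_log() {
    cat > "$1" <<'EOF'
# Rescue Logfile. Constructed sample for this example, not real ddrescue output
# current_pos  current_status
0x00030000     +
#      pos        size  status
0x00000000  0x00020000  +
0x00020000  0x00008000  -
0x00028000  0x00008000  /
0x00030000  0x00010000  +
0x00040000  0x00010000  ?
EOF
}

# Demo on the sample only; it deliberately touches no device.
sample=$(mktemp)
write_sample_log "$sample"
for s in '+' '-' '/' '*' '?'; do
    printf '%12s bytes with status %s\n' "$(ddrescue_log_bytes "$sample" "$s")" "$s"
done
printf '%s%% finished\n' "$(ddrescue_log_percent_done "$sample")"   # 60% finished
rm -f "$sample"
```

The percentage is computed over the area the logfile maps, so it is only meaningful once pass 1 has walked the whole input; before relying on an image, look at the `-` total as well, since those bytes are zero-filled in the image and the page's retry and retrim passes are what can still shrink them.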

Before Linux kernel 2.6.3 / 2.4.x

In 2.6.3 the 'raw device' was marked obsolete. On later kernels ddrescue uses O_DIRECT on the input to do uncached reads.

First you copy as much data as possible, without retrying or splitting sectors:

ddrescue --no-split /dev/hda1 imagefile logfile

Now change over to raw device access. Let it retry previous errors 3 times, don't read past last block in logfile:

modprobe raw
raw /dev/raw/raw1 /dev/hda1
ddrescue --max-retries=3 --complete-only /dev/raw/raw1 imagefile logfile

If that fails you can try again (still using raw) but retrimmed, so it tries to reread full sectors:

ddrescue --retrim --max-retries=3 --complete-only /dev/raw/raw1 imagefile logfile

You can now use ddrescue (or normal dd) to copy the imagefile to a new partition on a new disk. Use the appropriate filesystem checkers (fsck, CHKDSK) to try to fix errors caused by the bad blocks. Be sure to keep the imagefile around, in case the filesystem is severely broken and data carving tools like testdisk need to be used on the original image.

At the end you may want to unbind the raw device:

raw /dev/raw/raw1 0 0

Examples

These two examples are taken directly from the ddrescue info pages.

Example 1: Rescue an ext2 partition in /dev/hda2 to /dev/hdb2

Please Note: This will overwrite ALL data on the partition you are copying to. If you do not want that, create an image of the partition to be rescued instead.

ddrescue -r3 /dev/hda2 /dev/hdb2 logfile
e2fsck -v -f /dev/hdb2
mount -t ext2 -o ro /dev/hdb2 /mnt

Example 2: Rescue a CD-ROM in /dev/cdrom

ddrescue -b 2048 /dev/cdrom cdimage logfile

Then write cdimage to a blank CD-ROM.


This example is derived from the ddrescue manual.

Example 3: Rescue an entire hard disk /dev/sda to another disk /dev/sdb

Copy the error-free areas first:

ddrescue -n /dev/sda /dev/sdb rescue.log

Then attempt to recover any bad sectors:

ddrescue -r 1 /dev/sda /dev/sdb rescue.log

Options

-h, --help
   display this help and exit 
-V, --version
   output version information and exit 
-b, --block-size=<bytes>
   hardware block size of input device [512] 
-B, --binary-prefixes
   show binary multipliers in numbers [default SI] 
-c, --cluster-size=<blocks>
   hardware blocks to copy at a time [128] 
-C, --complete-only
   do not read new data beyond logfile limits 
-d, --direct
   use direct disc access for input file 
-D, --synchronous
   use synchronous writes for output file 
-e, --max-errors=<n>
   maximum number of error areas allowed 
-F, --fill=<types>
   fill given type areas with infile data (?*/-+) 
-g, --generate-logfile
   generate approximate logfile from partial copy 
-i, --input-position=<pos>
   starting position in input file [0] 
-n, --no-split
   do not try to split or retry error areas 
-o, --output-position=<pos>
   starting position in output file [ipos] 
-q, --quiet
   quiet operation 
-r, --max-retries=<n>
   exit after given retries (-1=infinity) [0] 
-R, --retrim
   mark all error areas as non-trimmed 
-s, --max-size=<bytes>
   maximum size of data to be copied 
-S, --sparse
   use sparse writes for output file 
-t, --truncate
   truncate output file 
-v, --verbose
   verbose operation

Numbers may be followed by a multiplier: b = blocks, k = kB = 10^3 = 1000, Ki = KiB = 2^10 = 1024, M = 10^6, Mi = 2^20, G = 10^9, Gi = 2^30, etc...


Cygwin

As of release 1.4-rc1, ddrescue can be compiled directly in Cygwin out of the box. Precompiled packages are available in the Cygwin distribution. This makes it usable natively on Windows systems.

See also

* aimage
* Blackbag
* dcfldd
* dd
* dd_rescue
* sdd

Other Resources

Useful code-snippets for DDrescue: http://pfuender.net/?p=80