From ForensicsWiki

= Malware =

'''Malware''' is a short version of '''Malicious Software'''.

Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets onto the affected device. It is illegal to knowingly distribute malware.

== Virus ==

A computer program that can automatically copy itself and infect a computer.

== Worm ==

A self-replicating computer program that can automatically infect computers on a network.

== Trojan horse ==

A computer program that appears to perform one action but actually runs other, hidden code.

== Spyware ==

A computer program that can intercept, or take partial control over, the user's interaction with the device.

== Exploit Kit ==

A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits]. Exploit kits are often delivered via a drive-by download.

=== Drive-by-download ===

Any download that happens without a person's knowledge [http://en.wikipedia.org/wiki/Drive-by_download].

== Rootkit ==

A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to an operating system.

== See Also ==

* [[Malware analysis]]

== External Links ==

* [http://en.wikipedia.org/wiki/Malware Wikipedia: malware]
* [http://en.wikipedia.org/wiki/Drive-by_download Wikipedia: drive-by-download]
* [http://www.viruslist.com/ Viruslist.com]
* [http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares Androguard]: A list of recognized Android malware

=== Analysis ===

* [http://sempersecurus.blogspot.ch/2013/12/a-forensic-overview-of-linux-perlbot.html A Forensic Overview of a Linux perlbot], by Andre M. DiMino, December 17, 2013
* [http://research.zscaler.com/2014/02/probing-into-flash-zero-day-exploit-cve.html Probing into the Flash Zero Day Exploit (CVE-2014-0502)], by Krishnan Subramanian, February 21, 2014
* [http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf Operation Windigo], by Olivier Bilodeau, Pierre-Marc Bureau, Joan Calvet, Alexis Dorais-Joncas, Marc-Étienne M.Léveillé, Benjamin Vanheuverzwijn, March, 2014

=== Exploit Kit ===

* [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits What Are Exploit Kits?], by [[Lenny Zeltser]], October 26, 2010
* [http://nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/ The four seasons of Glazunov: digging further into Sibhost and Flimkit], by Fraser Howard, July 2, 2013
* [http://www.kahusecurity.com/2013/kore-exploit-kit/ Kore Exploit Kit], Kahu Security blog, July 18, 2013

=== Rootkit ===

* [http://en.wikipedia.org/wiki/Rootkit Wikipedia: Rootkit]
* [http://articles.forensicfocus.com/2013/11/22/understanding-rootkits/ Understanding Rootkits: Using Memory Dump Analysis for Rootkit Detection], by Dmitry Korolev, Yuri Gubanov, Oleg Afonin, November 22, 2013

[[Category:Malware]]

= Chip-Off BlackBerry Curve 9315 =

The hardware in the BlackBerry 9315 and 9320 is almost identical; the following link describes the differences between the models: http://worldwide.blackberry.com/blackberrycurve/9220-9310-9320/specifications.jsp

== Tear Down ==

<ol start="1">
<li>Remove the back panel.</li>
</ol>

{| border="1" cellpadding="2"
|-
| [[File:1-bb9320-BackPanelRemoved.jpg| 300px ]]
|-
|}

<ol start="2">
<li>Remove the SIM and SD memory card.</li>
</ol>

<ol start="3">
<li>Using a torx-6 screwdriver, remove the 2 visible screws on the back of the phone.</li>
</ol>

{| border="1" cellpadding="2"
|-
| [[File:2-bb9320-ScrewRemoval.jpg| 300px ]]
|-
|}

<ol start="4">
<li>Remove the screen protector using a shim, guitar pick, or prying tool.</li>
</ol>

{| border="1" cellpadding="2"
|-
| [[File:3-bb9320-ScreenRemoval.jpg| 300px ]]
|-
|}

<ol start="5">
<li>Remove 2 torx-5 screws.</li>
</ol>

{| border="1" cellpadding="2"
|-
| [[File:4-bb9320-ScrewRemoval.jpg| 300px ]]
|-
|}

<ol start="6">
<li>Use the shim to detach the outer bezel/keyboard from the device.</li>
</ol>

{| border="1" cellpadding="2"
|-
| [[File:5-bb9320-TopPlate.jpg| 300px ]]
| [[File:5-1-bb9320-TopPlate.jpg| 300px ]]
|-
|}

<ol start="7">
<li>Remove 4 additional torx-6 screws. The main board will now separate easily from the back plate.</li>
</ol>

{| border="1" cellpadding="2"
|-
| [[File:6-bb9320-ScrewRemoval.jpg| 300px ]]
|-
|}
<ol start="8">
<li>Peel off the vendor sticker.</li>
</ol>

{| border="1" cellpadding="2"
|-
| [[File:7-bb9320-VendorPlate.jpg| 300px ]]
|-
|}

<ol start="9">
<li>Remove the plastic cover protecting the track pad ribbon cable, and disconnect the track pad.</li>
</ol>

<ol start="10">
<li>Remove the final torx-4 screw located beneath the plastic protector to free the plastic keyboard overlay.</li>
</ol>

{| border="1" cellpadding="2"
|-
| [[File:8-bb9320-ScrewRemoval.jpg| 300px ]]
|-
|}

<ol start="11">
<li>Disconnect the ribbon cable connected to the LCD. Then, using a pick, separate the display from the main board.</li>
</ol>

{| border="1" cellpadding="2"
|-
| [[File:9-bb9320-ScreenRemoval.jpg| 300px ]]
|-
|}

<ol start="12">
<li>The tear down is now complete.</li>
</ol>

{| border="1" cellpadding="2"
|-
| [[File:9-1-bb9320-TearDownComplete.jpg| 300px ]]
|-
|}

== eMMC Removal ==

<ol start="1">
<li>The eMMC is located beneath the heat shield, directly above the Micro SD card slot.</li>
</ol>

{| border="1" cellpadding="2"
|-
| [[File:10-bb9320-EMMC-Location.jpg| 300px ]]
|-
|}

<ol start="2">
<li>Place the main board in a stand or holder and position it approximately 2 1/2 to 3 inches away from a heat gun or other device that blows very hot air.</li>
</ol>

{| border="1" cellpadding="2"
|-
| [[File:11-bb9320-HeatShield.jpg| 300px ]]
|-
|}

<ol start="3">
<li>Monitor the temperature: the heat shield will come off easily between 190 and 200 °C.</li>
</ol>

{| border="1" cellpadding="2"
|-
| [[File:12-bb9320-HeatShield.jpg| 300px ]]
| [[File:13-bb9320-HeatShieldRemoved.jpg| 300px ]]
|-
|}

<ol start="4">
<li>Continue working under the high heat. With the 9315/9320s I've worked on, the eMMC has been ready to lift off the main board with tweezers immediately after removing the heat shield.</li>
</ol>

{| border="1" cellpadding="2"
|-
| [[File:14-bb9320-EMMC-Removed.jpg| 300px ]]
|-
|}

<ol start="5">
<li>Using liquid flux or flux paste and a soldering iron, clean the pads on the eMMC in preparation for a read.</li>
</ol>

{| border="1" cellpadding="2"
|-
| [[File:15-bb9320-EMMC-Cleanup.jpg| 300px ]]
| [[File:16-bb9320-EMMC-Clean.jpg| 300px ]]
|-
|}

<ol start="6">
<li>The eMMC is now ready to read using the appropriate adapter/programmer and software.</li>
</ol>

At the time of this writing (2013OCT29) the eMMC removed in this example was read using a UP828 programmer via the "VBGA169E" adapter and the "eNAND_H9DP4GG4JJACGR-4EM/459MB" device settings. The resulting image was then parsed with Cellebrite Physical Analyzer (v. 3.8.5.108).
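Before handing the image to a parser, an examiner will want to confirm the read actually succeeded. The following Python check is an added example, not part of the original page: it assumes a raw image file and an examiner-supplied expected size, hashes the image for the case notes, and flags dumps that are mostly 0xFF or 0x00 sectors, which usually indicates poor contact with the programmer adapter rather than empty storage.

```python
"""Sanity-check a chip-off eMMC dump before parsing it (added example,
not code from the original page). A poorly seated or dirty chip reads
back as long runs of 0xFF (erased flash) or 0x00, so this reports the
fraction of blank sectors alongside a SHA-256 for the case notes. The
expected size is a caller-supplied assumption, not a value from the page."""
import hashlib
import os
import tempfile

SECTOR = 512
FF_SECTOR = b"\xff" * SECTOR    # erased flash reads as all 1s
ZERO_SECTOR = b"\x00" * SECTOR  # unprogrammed or unreadable area


def check_dump(path, expected_size=None):
    """Return size, SHA-256 and blank-sector statistics for the image."""
    digest, blank, total = hashlib.sha256(), 0, 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(1 << 20)  # 1 MiB per read; a multiple of SECTOR
            if not chunk:
                break
            digest.update(chunk)
            for off in range(0, len(chunk), SECTOR):
                sec = chunk[off:off + SECTOR]
                total += 1
                if sec in (FF_SECTOR[:len(sec)], ZERO_SECTOR[:len(sec)]):
                    blank += 1
    size = os.path.getsize(path)
    return {
        "size": size,
        "size_ok": expected_size is None or size == expected_size,
        "sha256": digest.hexdigest(),
        "blank_fraction": blank / total if total else 1.0,
        # rule of thumb: a mostly blank dump means a bad read, not empty storage
        "suspect": total == 0 or blank / total > 0.9,
    }


def demo():
    """Run check_dump on a constructed 8-sector image (not a real dump)."""
    data = bytes(range(256)) * 2 + FF_SECTOR * 2 + ZERO_SECTOR + bytes(range(256)) * 8
    with tempfile.NamedTemporaryFile(suffix=".bin", delete=False) as tmp:
        tmp.write(data)
    try:
        return check_dump(tmp.name, expected_size=len(data))
    finally:
        os.unlink(tmp.name)
```

A dump marked suspect is worth re-cleaning the pads and re-seating the chip for a second read before spending time in the analyzer.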

Revision as of 03:48, 19 March 2014
