Difference between pages "BlackBerry" and "Email Headers"

From ForensicsWiki

The "BlackBerry" page, as it appears in the comparison:

=Overview=
The Blackberry is a wireless handheld device that supports e-mail, mobile phone capabilities, text messaging, web browsing, and other wireless information services.

==History==
The Blackberry was first introduced in 1999 by a company called Research in Motion (RIM).

=Operating System=

=Models=
* 7100 Series
* 7700 Series
* 7520
* 8700 Series

=Forensics=
RIM's push technology adds a new and different angle to the forensic investigation of a PDA. Unlike traditional PDAs, which must be synchronized with a host computer through a cradle or docking station, Blackberrys are synchronized wirelessly by pushing data onto the device. This means that the data on the device could be changing at any moment. Also, a Blackberry is never really off. What looks like “off” to the user is really only the display, keyboard, and radio being disabled. So when the user powers the device back on, items that have been waiting on the server to be pushed to the device begin arriving immediately. This does not give the forensic examiner the time needed to shut the device down. For this reason, the first step in the acquisition of a Blackberry is to leave it off. The device should only be turned back on in a place where it cannot receive a signal, so that nothing can be pushed to it.

'''References:'''
----
[http://www.oreillynet.com/pub/a/wireless/2005/09/15/what-is-blackberry.html "What is a Blackberry?"]

[http://www.discoverblackberry.com/ Discover Blackberry]

[http://www.rh-law.com/ediscovery/Blackberry.pdf Forensic Examination of a RIM (BlackBerry) Wireless Device]

The "Email Headers" page, as it appears in the comparison, follows.
Revision as of 17:29, 31 March 2006

Email Headers are lines of metadata attached to each email that contain lots of useful information for a forensic investigator. However, email headers can be easily forged, so they should never be used as the only source of information.

Example

This is an (incomplete) excerpt from an email header:

Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
        by outgoing2.securityfocus.com (Postfix) with QMQP
        id 7E9971460C9; Mon,  9 Jan 2006 08:01:36 -0700 (MST)
Mailing-List: contact forensics-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <forensics.list-id.securityfocus.com>
List-Post: <mailto:forensics@securityfocus.com>
List-Help: <mailto:forensics-help@securityfocus.com>
List-Unsubscribe: <mailto:forensics-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:forensics-subscribe@securityfocus.com>
Delivered-To: mailing list forensics@securityfocus.com
Delivered-To: moderator for forensics@securityfocus.com
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
From: YJesus <yjesus@security-projects.com>
To: forensics@securityfocus.com
Subject: New Tool : Unhide
User-Agent: KMail/1.9
MIME-Version: 1.0
Content-Disposition: inline
Date: Thu, 5 Jan 2006 16:41:30 +0100
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-Id: <200601051641.31830.yjesus@security-projects.com>
X-HE-Spam-Level: /
X-HE-Spam-Score: 0.0
X-HE-Virus-Scanned: yes
Status: RO
Content-Length: 586
Lines: 26

External Links

* http://en.wikipedia.org/wiki/Computer_forensics#E-mail_Headers
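The point the page makes, that headers are useful but forgeable, is easiest to see by walking the Received chain of the excerpt above. Each mail transfer agent prepends its own Received line, so the bottom line is the earliest hop and the lines nearest the origin are the ones a sender can fabricate; the lines added by servers the investigator trusts are the anchor for everything below them. The following Python script is an added example, not code from ForensicsWiki: it parses the excerpt with the standard library, lists the hops in transit order with the delay between them, and flags simple inconsistencies (a hop stamped earlier than the one before it, a Date header later than the first Received stamp, a Message-Id domain that differs from the From domain). It assumes that a "-0000" zone, which the standard library returns as a naive value, can be pinned to UTC; the second sample with a fabricated Received line, the hostnames under the reserved .invalid TLD and the 192.0.2.1 address are constructed for the demonstration.

```python
"""Walk the Received chain of a message header and flag inconsistencies.

Added example (not ForensicsWiki code). Standard library only.
"""
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Sample input: the header excerpt from the page, trimmed to the lines used here.
SAMPLE_HEADERS = """\
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
        by outgoing2.securityfocus.com (Postfix) with QMQP
        id 7E9971460C9; Mon,  9 Jan 2006 08:01:36 -0700 (MST)
Mailing-List: contact forensics-help@securityfocus.com; run by ezmlm
Precedence: bulk
Delivered-To: mailing list forensics@securityfocus.com
Delivered-To: moderator for forensics@securityfocus.com
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
From: YJesus <yjesus@security-projects.com>
To: forensics@securityfocus.com
Subject: New Tool : Unhide
Date: Thu, 5 Jan 2006 16:41:30 +0100
Message-Id: <200601051641.31830.yjesus@security-projects.com>

"""

# Constructed (not from the page): the same excerpt with a bogus Received line
# below the genuine ones, i.e. claiming to be the earliest hop, but stamped
# days later than the hop above it. Names use the reserved .invalid TLD and
# the 192.0.2.0/24 documentation range.
FORGED_HEADERS = SAMPLE_HEADERS.replace(
    "Message-Id:",
    "Received: from forged.example.invalid (forged.example.invalid [192.0.2.1])\n"
    "        by mx.example.invalid (Postfix) with SMTP id 0000000000;\n"
    "        Wed, 11 Jan 2006 10:00:00 +0000\n"
    "Message-Id:",
)


def parse_stamp(text):
    """RFC 5322 date -> aware UTC datetime. A '-0000' zone means 'UTC, local
    zone unknown'; the stdlib returns that as a naive value, and we pin it to
    UTC (an assumption) so that all stamps stay comparable."""
    dt = parsedate_to_datetime(text.strip())
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def parse_received(value):
    """Split one Received header into from/by/ip/time. Clauses that do not
    follow the 'from X by Y' form (qmail's, for instance) leave those None."""
    flat = " ".join(value.split())            # unfold continuation lines
    clause, _, stamp = flat.rpartition(";")   # the timestamp follows the last ';'
    m_from = re.match(r"from\s+(\S+)", clause)
    m_by = re.search(r"\bby\s+(\S+)", clause)
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", clause)
    return {
        "from": m_from.group(1) if m_from else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
        "time": parse_stamp(stamp),
        "raw": flat,
    }


def transit_chain(raw_headers):
    """Return (hops, warnings) with hops in transit order: the bottom Received
    line is the earliest hop, the top line the most recent one."""
    msg = message_from_string(raw_headers)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    warnings = []
    for i, hop in enumerate(hops):
        hop["delay"] = hop["time"] - hops[i - 1]["time"] if i else timedelta(0)
        if hop["delay"] < timedelta(0):
            warnings.append(f"hop {i}: stamped earlier than the previous hop "
                            "(clock skew or fabricated Received line)")
    if hops and msg.get("Date"):
        if parse_stamp(msg["Date"]) > hops[0]["time"]:
            warnings.append("Date header is later than the first Received stamp")
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    msgid_dom = msg.get("Message-Id", "").strip("<> ").rpartition("@")[2].lower()
    if from_dom and msgid_dom and from_dom != msgid_dom:
        warnings.append(f"From domain {from_dom} differs from Message-Id domain {msgid_dom}")
    return hops, warnings


if __name__ == "__main__":
    for label, headers in (("page excerpt", SAMPLE_HEADERS), ("forged", FORGED_HEADERS)):
        hops, warnings = transit_chain(headers)
        print(f"== {label} ==")
        for i, h in enumerate(hops):
            print(f"hop {i}: {h['time']:%Y-%m-%d %H:%M:%S} UTC  +{h['delay']}  "
                  f"from={h['from']} [{h['ip']}] by={h['by']}")
        for w in warnings:
            print("WARNING:", w)
```

On the page's excerpt the two hops are almost four days apart, which is consistent with the "moderator for" Delivered-To line (the message sat in a moderation queue) rather than with tampering; the constructed sample, by contrast, trips the ordering check. Negative delays and mismatched domains are leads, not proof: an MTA with a wrong clock produces the same symptom, so the chain should be corroborated against the logs of the servers the investigator controls.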