Difference between pages "Linux" and "Blackberry Forensics"

From ForensicsWiki
(Difference between pages)
Line 1: Line 1:
{{Expand}}
+
'''Working Title:'''
 +
Forensics of a RIM Blackberry Device
 +
John B. Powers and Richard P. Mislan
  
Linux refers to the family of Unix-like computer operating systems using the Linux kernel. Due to the nature of Linux it is possible for a wide range of high penetration forensic tools. 
+
'''Date:'''
 +
March 2006
  
The wide variety of useful Linux utilities exist for desktop computers can also be used on Linux-based PDAs. These utilities can often be used as a part of the [[forensics investigation]] process.
+
'''Outline:'''
 +
RIM Devices (OS, Specs, etc.)
 +
Hardware and Software Tools
 +
Acquisition Process
 +
Preservation of Evidence
 +
Analysis of Evidence
 +
Presentation of Evidence
 +
Blackberry Simulator, Microsoft Outlook, others…
 +
Conclusions
  
Software for Linux systems are not only targets at personal computers, desktops, laptops etc, but also server based tools exist for both accessing, monitoring and analysing servers.
 
  
== Specialist Software ==
 
  
=== Helix ===
 
  
[http://www.e-fense.com/h3-enterprise.php Helix] is a live Linux CD designed for live incident response. Helix is targeted towards the more experienced users and forensic investigators.
+
'''''Notes:'''''
 
+
Ideally, I’d like to get as many newer devices, but we’ll have to start with what we have…If anyone wants to donate one...let us know!!!
The latest version of Helix, Helix 3, is based on the Ubuntu version of Linux, this allows for greater stability and ease of use.
+
[mailto:rmislan@purdue.edu]
 
+
Due to Helix being a live disc it is possible to run it on a "suspect" machine whilst the installed operating system remains inactive, also live network forensics are possible when running the Helix Live Disc allowing for users to perform checks on networks that their machines are attached to.
+
 
+
== Tools ==
+
 
+
=== dd ===
+
 
+
'''[[dd]]''', or duplicate disk, is a Unix and Linux utility that allows the user to create a bitstream image of a disk or device. Once the Linux-based PDA is connected to another device and the dd utility is run, the mirror image can be uploaded onto [[memory card]]s or even an external desktop workstation connected via a network. Images created by dd are readable by [[forensics software]] tools such as [[EnCase]] and [[Forensic Toolkit]]. Since the device uses a Linux [[filesystem]], the image may also be mounted and examined on a Linux workstation.
+
 
+
=== foremost ===
+
 
+
'''[[foremost]]''' is a Linux based program data for [[Recovering_deleted_data|recovering deleted files]] and served as the basis for the more modern [[Scalpel]]. The program uses a configuration file to specify [[File_Formats|headers and footers]] to search for. Intended to be run on disk images, foremost can search through most any kind of data without worrying about the format.
+
 
+
=== EtherApe ===
+
 
+
[http://etherape.sourceforge.net/ EtherApe]is a free program built on the structure of Etherman. It is designed as a high level wide range network monitoring tool which provides a graphical display to the user illustrating packet information. Although EtherApe might be seen as a security orientated tool it does have forensic application.
+
 
+
EtherApe has two main modes, live monitoring which can be run on a server machine which will map any packets passing to and from that machine, illustrating with colours the type of packet, as well as by diameter the amount of traffic that type of packet brings. It is also possible to see the different nodes attached , by IP and IPv6 addresses.  
+
 
+
EtherApe's secondary function is a review ability, taking a selection of packets captured either by TCPDUMP command or another piece of capture software. When running the file through EtherApe the program displays the same information as it does with a live capture but reading from the data file imported instead of the live network. A review of files can be done on any machine, regardless of network connectivity.
+
 
+
=References=
+
 
+
* http://en.wikipedia.org/wiki/Linux
+
* http://en.wikipedia.org/wiki/Android_(mobile_device_platform)
+
* http://www.android-freeware.org/
+
 
+
[[Category:Operating systems]]
+

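Review bot: this comparison is between two unrelated pages (the left column is the Linux article, the "+" column is the Blackberry Forensics stub), so the "+" markers do not record an edit to either page and nothing in this view should be merged as a change. Two points on the Linux text that is visible: the dd section's expansion "duplicate disk" is given without a source and the name's origin is disputed, so cite it or drop the expansion; and the Helix section's claim that the installed operating system "remains inactive" should be qualified, since a live CD still has to have automounting disabled or the suspect media mounted read-only before the acquisition can be said not to write to the evidence. Minor wording: "Linux based program data for recovering deleted files" and "Software for Linux systems are not only targets at personal computers" read as dropped words, and the Android references do not support anything the Linux text says. On the Blackberry side, the outline headings (Acquisition Process, Preservation of Evidence, Analysis of Evidence) have no body text yet, so the page is a placeholder rather than a procedure.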
Revision as of 14:45, 27 February 2006

Working Title: Forensics of a RIM Blackberry Device
John B. Powers and Richard P. Mislan

Date: March 2006

Outline:
RIM Devices (OS, Specs, etc.)
Hardware and Software Tools
Acquisition Process
Preservation of Evidence
Analysis of Evidence
Presentation of Evidence
Blackberry Simulator, Microsoft Outlook, others…
Conclusions

Notes: Ideally, I’d like to get as many newer devices, but we’ll have to start with what we have… If anyone wants to donate one... let us know!!! [1]