Difference between pages "PDAs" and "Blackberry Forensics"

From ForensicsWiki
(Difference between pages)
Line 1: Line 1:
[[Image:Zaurus-front.jpg|thumb|Sharp Zaurus]]
+
== Warning for BlackBerry Forensics ==
 +
[[BlackBerry]] devices come with password protection. The owner has the capability to protect all data on the phone with a password. The user may also specify the amount of attempts for entering the password before wiping all data from the device.
  
'''Personal Digital Assistants''' ('''PDAs''') are handheld devices with features such as calendar, notes, and so on.
+
[[Image:Image1.jpg]]
  
== History ==
+
If you exceed your password attempts limit (defaults to 10, but you can set it as low as 3), you will be prompted one last time to type the word BlackBerry.
  
The first PDA was introduced by [[Apple|Apple Inc.]] with the release of the [[Newton]] in 1993. The CEO at Apple at the time, John Sculley, coined the device a "Personal Digital Assistent" at the Consumer Electronics Show in Las Vegas. He claimed that PDAs would become "ubiquitous tools that would hold telephone numbers, keep your calendar, store notes, plus send and receive data wirelessly". While the Newton could not do all that he predicted at the time, his claim would ultimately become a reality many years later.
+
[[Image:Image2.jpg]]
  
While the Apple Newton went practically unnoticed in the consumer market, the introduction of the [[Palm Pilot]] by [[Palm|Palm, Inc.]] in 1996 started the popularity of the PDA. The device was a highly effective method of information management because one could store calendars, to-do lists, notes, and address book all in one simple handheld.
+
The device will then wipe. It will be reset to the factory out-of-the-box condition (default folder structure), and the password reset. You will lose everything in the device memory, with no possibility of recovery. It will not reformat the microSD card, since that's not part of the factory configuration. The phone will still be usable, and the operating system will be unchanged. So this technique cannot be used to roll back from an OS upgrade problem.
  
With the advent of faster processors and better displays, PDAs gained more features, such as improved handwriting recognition, music and video playback, and [[Bluetooth]] and [[WiFi]] capabilities. [[Palm OS]]'s stronghold in the PDA operating system arena was challenged by the release of alternative PDA OSs such as [[Symbian]], [[Windows CE]], [[Microsoft Windows Mobile]], and [[Linux]]. New devices, such as [[Research in Motion]]'s [[BlackBerry]], redefined the way that individuals stayed in touch with one another. The proliferation of [[Cellphones|cell phones]] into the majority of households around the world has also created the [[Smartphone]], which integrates the traditional functionality of phones and PDAs into one device.
+
Obviously this is a serious problem if you need to perform forensics on the device. The best work around is to work with the owner of the device and hopefully get them to disclose the password.
  
== Current Popular PDA Operating Systems ==
+
== Acquiring BlackBerry Backup File (.ipd) ==
  
* [[RIM BlackBerry]]
+
1. Open Blackberry’s Desktop Manager<br/>
* [[Linux]]
+
2. Click “Options” then “Connection Settings” <br/>
* [[Palm]]
+
[[Image:4.JPG]]<br/>
* [[Symbian]]
+
4. Select “USB-PIN: 2016CC12” for connection<br/>
* [[Microsoft PocketPC]]
+
[[Image:1.JPG]]<br/>
* [[Microsoft Windows Mobile]]
+
5. Click “Detect”, then it should show a dialog box saying it found the device<br/>
 +
6.      Click "OK" to return to the main menu<br/>
 +
7. Double click “Backup and Restore”<br/>
 +
[[Image:2.JPG]] <br/>
 +
8.      Click "Backup"<br/>
 +
[[Image:5.JPG]]<br/>
 +
9. Save the .ipd file<br/>
 +
[[Image:3.JPG]]<br/>
  
== PDA Forensics ==
+
== Opening Blackberry Backup Files (.ipd) ==
 +
1. Purchase Amber BlackBerry Converter from [http://www.processtext.com/abcblackberry.html]
 +
<br>Or
 +
<br>Download Trial Version
 +
<br><br>2. Use File | Open and point the program to the BlackBerry backup file (.ipd).
 +
<br><br>3. Navigate to the appropriate content by using the navigator icons on the left.
  
===Links===
+
== Blackberry Simulator ==
 +
 
 +
This is a step by step guide to downloading and using a Blackberry simulator. For this example I downloaded version 4.0.2 in order to simulate the 9230 series.
 +
 
 +
1. Select a simulator to download from the drop-down list on the [https://www.blackberry.com/Downloads/entry.do?code=060AD92489947D410D897474079C1477]Blackberry website. Click ''Next''.
 +
 
 +
2. Look through the list and download BlackBerry Handheld Simulator v4.0.2.51.
 +
 
 +
3. Enter your proper user credentials and click ''Next'' to continue.
 +
 
 +
4. On the next page, reply accordingly to the eligibility prompt and click ''Next'' to continue.*
 +
 
 +
5. Agree or disagree to the SDK agreement and click ''Submit'' to continue.*
 +
 
 +
6. The next page will provide you with a link to download the .ZIP file containing the wanted simulator.
 +
* - If you disagree at any of these point you will not be able to continue to the download.
 +
 
 +
7. Extract the files to a folder that can easily be accessed (I used the desktop).
 +
 
 +
8. In that folder, find the xxxx.bat file (where xxxx is the model number of the device that is being simulated). The simulator should now open an image that resembles the phone.
 +
 
 +
Below is an example of a 7510 simulator. These simulators ARE capable of connecting to Blackberry Desktop Manager.
 +
 
 +
[[Image:Image3.jpg]]
 +
 
 +
== Acquisition with Paraben's Device Seizure ==
 +
 
 +
As an alternative to acquiring the Blackberry through Amber Blackberry Converter, Paraben's Device Seizure is a simple and effective method to acquire the data.  The only drawback, is that this method takes significantly more time to acquire than using Amber Blackberry Converter.
 +
 
 +
1. Create a new case in Device Seizure with File | New.
 +
 
 +
2. Give the case a name and fill in any desired information about the case on the next two screens.  Nothing is actually required to be entered.  The third screen is a summary of the data entered.  If all data is correct click Next and then Finish.
 +
 
 +
3. You are now ready to acquire the phone.  Go to Tools | Data Acquisition.
 +
 
 +
4. You are prompted for the supported manufacturer.  Select RIM Blackbery (Physical).
 +
 
 +
5. Leave supported models at the default selection of autodetect.
 +
 
 +
6. Connection type should be set to USB.
 +
 
 +
7. For data type selection select Memory Image.
 +
 
 +
NOT COMPLETE YET
 +
 
 +
== Blackberry Protocol ==
 +
http://www.off.net/cassis/protocol-description.html
 +
 
 +
Here is a useful link to the Blackberry Protocol as documented by Phil Schwan, Mike Shaver, and Ian Goldberg. The article goes into great description of packet sniffing and the protocol as it relates to data transfer across a USB port.
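Review bot: The numbered steps under "Acquiring BlackBerry Backup File (.ipd)" jump from 2 to 4, so either a step was lost or the list is misnumbered; restore step 3 or renumber the list. Step 4 also hard-codes "USB-PIN: 2016CC12", which appears to be the PIN of one particular device, so wording along the lines of "select the USB-PIN entry for the attached device" would apply to any handset. The "Acquisition with Paraben's Device Seizure" section stops at step 7 with "NOT COMPLETE YET" and should be finished or marked as a stub before it is relied on as a procedure.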

Revision as of 11:35, 3 November 2008

Warning for BlackBerry Forensics

BlackBerry devices come with password protection. The owner can protect all data on the phone with a password. The user may also specify the number of password attempts allowed before all data is wiped from the device.


If you exceed your password attempts limit (defaults to 10, but you can set it as low as 3), you will be prompted one last time to type the word BlackBerry.


The device will then wipe itself. It will be reset to the factory out-of-the-box condition (default folder structure), and the password will be reset. You will lose everything in the device memory, with no possibility of recovery. The wipe will not reformat the microSD card, since that is not part of the factory configuration. The phone will still be usable, and the operating system will be unchanged, so this technique cannot be used to roll back from an OS upgrade problem.

Obviously this is a serious problem if you need to perform forensics on the device. The best workaround is to work with the owner of the device and hopefully get them to disclose the password.

Acquiring BlackBerry Backup File (.ipd)

1. Open BlackBerry's Desktop Manager
2. Click "Options" then "Connection Settings"
4. Select "USB-PIN: 2016CC12" for connection
5. Click "Detect", then it should show a dialog box saying it found the device
6. Click "OK" to return to the main menu
7. Double click "Backup and Restore"
8. Click "Backup"
9. Save the .ipd file

Opening Blackberry Backup Files (.ipd)

1. Purchase Amber BlackBerry Converter from http://www.processtext.com/abcblackberry.html, or download the trial version.

2. Use File | Open and point the program to the BlackBerry backup file (.ipd).

3. Navigate to the appropriate content by using the navigator icons on the left.

Blackberry Simulator

This is a step-by-step guide to downloading and using a BlackBerry simulator. For this example I downloaded version 4.0.2 in order to simulate the 9230 series.

1. Select a simulator to download from the drop-down list on the BlackBerry website (https://www.blackberry.com/Downloads/entry.do?code=060AD92489947D410D897474079C1477). Click Next.

2. Look through the list and download BlackBerry Handheld Simulator v4.0.2.51.

3. Enter your proper user credentials and click Next to continue.

4. On the next page, reply accordingly to the eligibility prompt and click Next to continue.*

5. Agree or disagree to the SDK agreement and click Submit to continue.*

6. The next page will provide you with a link to download the .ZIP file containing the selected simulator.

* If you disagree at any of these points, you will not be able to continue to the download.

7. Extract the files to a folder that can easily be accessed (I used the desktop).

8. In that folder, find the xxxx.bat file (where xxxx is the model number of the device that is being simulated). The simulator should now open an image that resembles the phone.

Below is an example of a 7510 simulator. These simulators ARE capable of connecting to Blackberry Desktop Manager.


Acquisition with Paraben's Device Seizure

As an alternative to acquiring the BlackBerry through Amber BlackBerry Converter, Paraben's Device Seizure is a simple and effective method to acquire the data. The only drawback is that this method takes significantly more time to acquire than using Amber BlackBerry Converter.

1. Create a new case in Device Seizure with File | New.

2. Give the case a name and fill in any desired information about the case on the next two screens. Nothing is actually required to be entered. The third screen is a summary of the data entered. If all data is correct click Next and then Finish.

3. You are now ready to acquire the phone. Go to Tools | Data Acquisition.

4. You are prompted for the supported manufacturer. Select RIM Blackberry (Physical).

5. Leave supported models at the default selection of autodetect.

6. Connection type should be set to USB.

7. For data type selection select Memory Image.

NOT COMPLETE YET

Blackberry Protocol

http://www.off.net/cassis/protocol-description.html

The link above points to a description of the BlackBerry protocol as documented by Phil Schwan, Mike Shaver, and Ian Goldberg. The article describes in detail packet sniffing and the protocol as it relates to data transfer across a USB port.