Blackberry Forensics

From ForensicsWiki
Revision as of 16:35, 3 November 2008 by Ehrstein (Talk | contribs)

Jump to: navigation, search

Warning for BlackBerry Forensics

BlackBerry devices come with password protection. The owner has the capability to protect all data on the phone with a password. The user may also specify the amount of attempts for entering the password before wiping all data from the device.


If you exceed your password attempts limit (defaults to 10, but you can set it as low as 3), you will be prompted one last time to type the word BlackBerry.


The device will then wipe. It will be reset to the factory out-of-the-box condition (default folder structure), and the password reset. You will lose everything in the device memory, with no possibility of recovery. It will not reformat the microSD card, since that's not part of the factory configuration. The phone will still be usable, and the operating system will be unchanged. So this technique cannot be used to roll back from an OS upgrade problem.

Obviously this is a serious problem if you need to perform forensics on the device. The best work around is to work with the owner of the device and hopefully get them to disclose the password.

Acquiring BlackBerry Backup File (.ipd)

1. Open Blackberry’s Desktop Manager
2. Click “Options” then “Connection Settings”
4. Select “USB-PIN: 2016CC12” for connection
5. Click “Detect”, then it should show a dialog box saying it found the device
6. Click "OK" to return to the main menu
7. Double click “Backup and Restore”
8. Click "Backup"
9. Save the .ipd file

Opening Blackberry Backup Files (.ipd)

1. Purchase Amber BlackBerry Converter from [1]
Download Trial Version

2. Use File | Open and point the program to the BlackBerry backup file (.ipd).

3. Navigate to the appropriate content by using the navigator icons on the left.

Blackberry Simulator

This is a step by step guide to downloading and using a Blackberry simulator. For this example I downloaded version 4.0.2 in order to simulate the 9230 series.

1. Select a simulator to download from the drop-down list on the [2]Blackberry website. Click Next.

2. Look through the list and download BlackBerry Handheld Simulator v4.0.2.51.

3. Enter your proper user credentials and click Next to continue.

4. On the next page, reply accordingly to the eligibility prompt and click Next to continue.*

5. Agree or disagree to the SDK agreement and click Submit to continue.*

6. The next page will provide you with a link to download the .ZIP file containing the wanted simulator.

  • - If you disagree at any of these point you will not be able to continue to the download.

7. Extract the files to a folder that can easily be accessed (I used the desktop).

8. In that folder, find the xxxx.bat file (where xxxx is the model number of the device that is being simulated). The simulator should now open an image that resembles the phone.

Below is an example of a 7510 simulator. These simulators ARE capable of connecting to Blackberry Desktop Manager.


Acquisition with Paraben's Device Seizure

As an alternative to acquiring the Blackberry through Amber Blackberry Converter, Paraben's Device Seizure is a simple and effective method to acquire the data. The only drawback, is that this method takes significantly more time to acquire than using Amber Blackberry Converter.

1. Create a new case in Device Seizure with File | New.

2. Give the case a name and fill in any desired information about the case on the next two screens. Nothing is actually required to be entered. The third screen is a summary of the data entered. If all data is correct click Next and then Finish.

3. You are now ready to acquire the phone. Go to Tools | Data Acquisition.

4. You are prompted for the supported manufacturer. Select RIM Blackbery (Physical).

5. Leave supported models at the default selection of autodetect.

6. Connection type should be set to USB.

7. For data type selection select Memory Image.


Blackberry Protocol

Here is a useful link to the Blackberry Protocol as documented by Phil Schwan, Mike Shaver, and Ian Goldberg. The article goes into great description of packet sniffing and the protocol as it relates to data transfer across a USB port.