Difference between pages "Blackberry Forensics" and "Metadata"

From ForensicsWiki
== Warning for BlackBerry Forensics ==
BlackBerry devices ship with password protection. The owner can protect all data on the handheld with a device password, and can also set the number of failed password attempts that are permitted before the device wipes all of its data.
  
[[Image:Image1.jpg]]
  
If you exceed the password attempt limit (the default is 10, but it can be set as low as 3), you will be prompted one last time to type the word BlackBerry.
  
[[Image:Image2.jpg]]
  
The device then wipes itself: it is reset to the factory out-of-the-box state (default folder structure) and the password is cleared. Everything in device memory is lost, with no possibility of recovery. The microSD card is not reformatted, since it is not part of the factory configuration. The handheld remains usable and the operating system is unchanged, so this procedure cannot be used to roll back from a failed OS upgrade.
 
  
This is obviously a serious problem for a forensic examination of the device. The best workaround is to work with the owner of the device and, ideally, have them disclose the password. Do not guess at the password: each failed attempt counts toward the wipe limit described above, and once the limit is reached the data is gone.
  
== Acquiring BlackBerry Backup File (.ipd) ==
  
1. Open BlackBerry Desktop Manager<br/>
2. Click “Options”, then “Connection Settings”<br/>
[[Image:4.JPG]]<br/>
4. Select “USB-PIN: 2016CC12” for the connection (the PIN shown is that of the example device; pick the entry matching the PIN of the device being examined)<br/>
[[Image:1.JPG]]<br/>
5. Click “Detect”; a dialog box should report that the device was found<br/>
6. Click “OK” to return to the main menu<br/>
7. Double-click “Backup and Restore”<br/>
[[Image:2.JPG]]<br/>
8. Click “Backup”<br/>
[[Image:5.JPG]]<br/>
9. Save the .ipd file<br/>
[[Image:3.JPG]]<br/>
  
== Opening Blackberry Backup Files (.ipd) ==
 
1. Purchase Amber BlackBerry Converter from [http://www.processtext.com/abcblackberry.html processtext.com], or download the trial version<br/>
2. Use File | Open and point the program at the BlackBerry backup file (.ipd)<br/>
3. Navigate to the appropriate content using the navigator icons on the left<br/>
 
  
== Blackberry Simulator ==
  
This is a step-by-step guide to downloading and using a BlackBerry simulator. For this example I downloaded version 4.0.2 in order to simulate the 9230 series.
  
1. Select a simulator to download from the drop-down list on the [https://www.blackberry.com/Downloads/entry.do?code=060AD92489947D410D897474079C1477 BlackBerry website]. Click ''Next''.
 
2. Look through the list and download BlackBerry Handheld Simulator v4.0.2.51.

3. Enter your user credentials and click ''Next'' to continue.

4. On the next page, answer the eligibility prompt and click ''Next'' to continue.*

5. Agree or disagree to the SDK agreement and click ''Submit'' to continue.*

6. The next page provides a link to download the .ZIP file containing the simulator.

* - If you disagree at any of these points, you will not be able to continue to the download.

INCOMPLETE, WILL COMPLETE BY 11.3.2008

== Blackberry Protocol ==

http://www.off.net/cassis/protocol-description.html

This is a useful description of the BlackBerry protocol, documented by Phil Schwan, Mike Shaver, and Ian Goldberg. The article describes in detail both the packet sniffing used to observe the protocol and the protocol itself as it relates to data transfer across a USB port.

'''Metadata''' (revision as of 19:19, 1 March 2006)

Metadata is data about data. Metadata plays a number of important roles in computer forensics:

* It can provide corroborating information about the document data itself.
* It can reveal information that someone tried to hide, delete, or obscure.
* It can be used to automatically correlate documents from different sources.

Since metadata is fundamentally data, it suffers from all of the data quality and pedigree issues of any other form of data. Nevertheless, because metadata is generally not visible without a special tool, more skill is required to alter or otherwise manipulate it.

=Kinds of Metadata=

Here are some kinds of metadata that are interesting in computer forensics:

* File system metadata (e.g. MAC times, access control lists, etc.)
* Digital image metadata. Although information such as the image size and number of colors is technically metadata, JPEG and other image file formats also store additional data about the photograph and the device that acquired it.
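
The file system entry above is the simplest case to try by hand. The following Python script is an added example (not from the original page): it uses MAC times to spot a file whose modification time has been pushed into the past, which is one way metadata reveals something a person tried to hide. It assumes a Unix-like file system, where a user can rewrite a file's atime and mtime with os.utime() but the inode change time (ctime) is always stamped by the kernel and cannot be backdated, so a backdated mtime ends up far older than its own ctime. The two sample files, the one-hour threshold and the function names are the example's own constructions.

```python
"""Added example, not from the original page: use MAC times to spot a file
whose modification time was pushed into the past. Assumes a Unix-like file
system where os.utime() may rewrite atime/mtime but the inode change time
(ctime) is always stamped by the kernel and cannot be backdated."""

import os
import shutil
import tempfile

# A modification time this far behind the inode change time is suspicious:
# ordinary writes update mtime and ctime together, so they stay within
# seconds of each other. The threshold is this example's own choice.
SKEW_SECONDS = 3600


def mac_times(path):
    """Return (atime, mtime, ctime) of path as POSIX timestamps."""
    st = os.stat(path)
    return st.st_atime, st.st_mtime, st.st_ctime


def backdated_files(directory, skew=SKEW_SECONDS):
    """Names of regular files in directory whose mtime is more than `skew`
    seconds older than their ctime, in sorted order."""
    flagged = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            _atime, mtime, ctime = mac_times(path)
            if ctime - mtime > skew:
                flagged.append(name)
    return flagged


def demo():
    """Create two constructed files, backdate one, and return the flagged
    names. Expected result: ['report.doc']."""
    tmp = tempfile.mkdtemp(prefix="mactimes-")
    try:
        for name in ("notes.txt", "report.doc"):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(b"constructed sample content\n")
        # Backdate report.doc to 2001-01-01T00:00:00Z. Only atime and mtime
        # can be set this way; the kernel records the change itself in ctime.
        old = 978307200
        os.utime(os.path.join(tmp, "report.doc"), (old, old))
        return backdated_files(tmp)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print("backdated:", demo())  # → ['report.doc']
```

Run against a real evidence directory, backdated_files() is only a hint: a file restored from an archive can legitimately carry an old mtime and a fresh ctime, so every hit needs corroboration from other metadata.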

=File types that support metadata and extraction tools=

Below are some common data and metadata formats, the files in which they are found, and a collection of tools that can be used to extract information.

;EXIF (JPEG and TIFF image files; music files)
: The Exchangeable Image File format describes a block of data that can be embedded in JPEG and TIFF image files, as well as RIFF WAVE audio files. The information includes date and time, camera settings, location information, textual descriptions, and copyright information. For more information, see [http://www.exif.org exif.org] and the [http://en.wikipedia.org/wiki/Exchangeable_image_file_format Wikipedia entry].
:* [http://pel.sourceforge.net/ PEL: PHP Exif Library]
:* [http://libexif.sourceforge.net/ LibExif] (C)

;ID3 (MP3 files)
: Implemented as a small block of data stored at the end of MP3 files. ID3v1 is a 128-byte block in a fixed format: 30 bytes each for song, artist and album, 4 bytes for year, 30 bytes for comment, and 1 byte for genre. ID3v1.1 adds a track number by reusing the last two bytes of the comment field. ID3v2 is a general container structure, usually stored at the start of the file. For more information, see [http://www.id3.org/ id3.org].
:* [http://id3lib.sourceforge.net/ id3lib], a widely used open source C/C++ ID3 implementation.
:* [http://www.vdheide.de/projects.html Java library MP3]
:* [http://search.cpan.org/dist/MP3-Info/ MP3::Info] (Perl)
:* [http://search.cpan.org/dist/MPEG-ID3v2Tag/ MPEG::ID3v2Tag] (Perl)
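
The ID3v1 layout above is small enough to parse by hand. The following Python code is an added example (not from the original page or from any of the libraries listed): it builds a constructed MP3 tail carrying an ID3v1.1 tag, then reads the tag back, distinguishing v1.0 from v1.1 by the zero byte that v1.1 inserts before the track number. The field names, helper names and sample values are the example's own.

```python
"""Added example, not from the original page: parse the 128-byte ID3v1 /
ID3v1.1 block at the end of an MP3. Offsets within the block:
  0  'TAG' (3)   3  song (30)   33 artist (30)   63 album (30)
  93 year (4)    97 comment (30; v1.1: 28 + NUL + track)   127 genre (1)
The sample MP3 tail below is constructed here; no real file is needed."""

import struct

TAG_LAYOUT = struct.Struct("<3s30s30s30s4s30sB")  # exactly 128 bytes


def _text(raw):
    """ID3v1 strings are padded with NULs or spaces; strip both."""
    return raw.split(b"\x00", 1)[0].decode("latin-1").rstrip()


def parse_id3v1(data):
    """Return a dict of ID3v1 fields from the last 128 bytes of `data`,
    or None when no tag is present."""
    if len(data) < TAG_LAYOUT.size:
        return None
    marker, song, artist, album, year, comment, genre = TAG_LAYOUT.unpack(
        data[-TAG_LAYOUT.size:])
    if marker != b"TAG":
        return None
    tag = {"song": _text(song), "artist": _text(artist),
           "album": _text(album), "year": _text(year), "genre": genre,
           "version": "1.0", "track": None}
    # ID3v1.1: byte 28 of the comment is zero and byte 29 is a non-zero
    # track number. A v1.0 tag with a 30-character comment has a printable
    # byte at offset 28, and a short v1.0 comment has zero at 29 too, so
    # the test does not misfire on either.
    if comment[28] == 0 and comment[29] != 0:
        tag["version"] = "1.1"
        tag["track"] = comment[29]
        tag["comment"] = _text(comment[:28])
    else:
        tag["comment"] = _text(comment)
    return tag


def build_id3v1(song, artist, album, year, comment, genre, track=None):
    """Construct a 128-byte tag; with a track number the result is ID3v1.1."""
    def field(text, n):
        return text.encode("latin-1")[:n].ljust(n, b"\x00")

    if track is None:
        comment_bytes = field(comment, 30)
    else:
        comment_bytes = field(comment, 28) + b"\x00" + bytes([track])
    return TAG_LAYOUT.pack(b"TAG", field(song, 30), field(artist, 30),
                           field(album, 30), field(year, 4),
                           comment_bytes, genre)


# Constructed sample: a fake MPEG frame header and padding, then an
# ID3v1.1 tag appended the way a tagging tool would append it.
SAMPLE_MP3 = b"\xff\xfb" + b"\x00" * 64 + build_id3v1(
    "Evidence", "Examiner", "Case 42", "2006", "seized 2006-03-01", 12,
    track=7)


if __name__ == "__main__":
    print(parse_id3v1(SAMPLE_MP3))
```

Because the tag sits in a fixed position at the end of the file, it can be rewritten or stripped without touching the audio frames, which is why an ID3 tag on its own says little about a file's origin; compare it against file system timestamps and any ID3v2 block at the start of the file.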
;Microsoft OLE 2
: Microsoft Office document files contain a huge amount of metadata. They are created as OLE 2 (structured storage) files. Here are some tools for processing them:
:* [http://jakarta.apache.org/poi/index.html Jakarta POI] Open source implementation in Java.

;TIFF
: The Tagged Image File Format allows one or more images to be bundled in a single file. Multiple compression formats are supported. EXIF data is itself laid out as a TIFF structure, and EXIF blocks can be stored inside TIFF files.
:* [http://www.remotesensing.org/libtiff/ LibTIFF]
:* [http://www.awaresystems.be/imaging/tiff/faq.html TIFF FAQ]
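
EXIF and TIFF share one structure: the EXIF block inside a JPEG APP1 segment is a TIFF header followed by image file directories (IFDs). The Python code below is an added example serving both the EXIF and the TIFF entries above; it is not from the original page or from LibExif or LibTIFF. It constructs a minimal JPEG containing an EXIF block in either byte order ("II" or "MM"), then walks the JPEG segments, parses IFD0 and follows the EXIF sub-IFD pointer to recover Make, Model, Orientation, DateTime and DateTimeOriginal. The camera strings and timestamps are constructed sample data, and only the ASCII, SHORT and LONG entry types are decoded.

```python
"""Added example, not from the original page: decode the EXIF block of a
JPEG by walking its segments and parsing the TIFF IFD structure inside
APP1. Only ASCII, SHORT and LONG entries are decoded; others stay raw."""
import struct

BYTE_ORDER = {b"II": "<", b"MM": ">"}             # TIFF magic -> struct prefix
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}  # bytes per element, by type
TAG_NAME = {0x010F: "Make", 0x0110: "Model", 0x0112: "Orientation",
            0x0132: "DateTime", 0x8769: "ExifIFDPointer",
            0x9003: "DateTimeOriginal"}
EXIF_IFD_POINTER = 0x8769


def _read_ifd(tiff, bo, offset, out):
    """Decode the IFD at `offset` into `out`, following the EXIF sub-IFD."""
    (count,) = struct.unpack_from(bo + "H", tiff, offset)
    pos = offset + 2
    for _ in range(count):
        tag, typ, n = struct.unpack_from(bo + "HHI", tiff, pos)
        size = TYPE_SIZE.get(typ, 1) * n
        if size <= 4:                      # value is stored in the entry
            raw = tiff[pos + 8:pos + 8 + size]
        else:                              # entry holds an offset instead
            (off,) = struct.unpack_from(bo + "I", tiff, pos + 8)
            raw = tiff[off:off + size]
        pos += 12
        if typ == 2:
            value = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
        elif typ in (3, 4):
            values = struct.unpack(bo + ("H" if typ == 3 else "I") * n, raw)
            value = values[0] if n == 1 else values
        else:
            value = raw
        out[TAG_NAME.get(tag, "0x%04X" % tag)] = value
        if tag == EXIF_IFD_POINTER:
            _read_ifd(tiff, bo, value, out)
    return out


def parse_tiff(tiff):
    """Decode a TIFF structure (.tif file or EXIF payload); offsets inside
    it are relative to the start of the TIFF header."""
    bo = BYTE_ORDER[tiff[:2]]
    magic, ifd0 = struct.unpack_from(bo + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    return _read_ifd(tiff, bo, ifd0, {})


def exif_from_jpeg(data):
    """Walk JPEG segments up to the scan data and decode the first APP1
    segment with an 'Exif\\0\\0' header; None if there is none."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or SOS: no more headers
            break
        (length,) = struct.unpack_from(">H", data, pos + 2)
        segment = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and segment.startswith(b"Exif\x00\x00"):
            return parse_tiff(segment[6:])
        pos += 2 + length
    return None


def _build_ifd(bo, entries, data_offset):
    """Serialise (tag, type, count, payload) entries; payloads over 4 bytes
    go to a data area the caller places at data_offset."""
    ifd, data = struct.pack(bo + "H", len(entries)), b""
    for tag, typ, n, payload in sorted(entries):   # TIFF wants ascending tags
        if len(payload) <= 4:
            field = payload.ljust(4, b"\x00")
        else:
            field = struct.pack(bo + "I", data_offset + len(data))
            data += payload
        ifd += struct.pack(bo + "HHI", tag, typ, n) + field
    return ifd + struct.pack(bo + "I", 0), data    # 0 = no further IFD


def build_sample_jpeg(order=b"II"):
    """Constructed sample: SOI, one APP1/EXIF segment, EOI. The camera
    strings and timestamps are invented for the example."""
    bo = BYTE_ORDER[order]

    def ascii_entry(tag, text):
        return (tag, 2, len(text) + 1, text.encode("ascii") + b"\x00")

    exif_entries = [ascii_entry(0x9003, "2006:03:01 19:19:00")]
    ifd0_entries = [ascii_entry(0x010F, "Constructed Camera Co."),
                    ascii_entry(0x0110, "Model X"),
                    (0x0112, 3, 1, struct.pack(bo + "H", 1)),
                    ascii_entry(0x0132, "2006:03:01 19:19:00")]
    size0 = 2 + 12 * (len(ifd0_entries) + 1) + 4    # +1: the EXIF pointer
    size1 = 2 + 12 * len(exif_entries) + 4
    exif_offset, data_offset = 8 + size0, 8 + size0 + size1
    ifd0_entries.append(
        (EXIF_IFD_POINTER, 4, 1, struct.pack(bo + "I", exif_offset)))
    ifd0, data0 = _build_ifd(bo, ifd0_entries, data_offset)
    exif, data1 = _build_ifd(bo, exif_entries, data_offset + len(data0))
    tiff = order + struct.pack(bo + "HI", 42, 8) + ifd0 + exif + data0 + data1
    app1 = b"Exif\x00\x00" + tiff
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2)
            + app1 + b"\xff\xd9")
```

parse_tiff() works unchanged on the start of a .tif file, since the EXIF payload and a TIFF file begin with the same 8-byte header; exif_from_jpeg() only strips the JPEG segment framing and the "Exif\0\0" prefix before handing over. On real evidence, compare DateTime and DateTimeOriginal with the file system MAC times: an EXIF date later than the file's own timestamps is a common sign of editing or forgery.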

=External Links=

Wikipedia has a nice [http://en.wikipedia.org/wiki/Metadata entry on metadata].

[http://www.drewnoakes.com/code/exif/ Metadata extraction in Java]