Difference between pages "Palm" and "Blackberry Forensics"

From ForensicsWiki
(Difference between pages)
(added information to Palm Pilot Section and table)
 
(redid ABC Amber Black Berry Converter section and added step by instructions with screens, Added Export subsection to ABC)
 
Line 1: Line 1:
__TOC__
+
== Warning for BlackBerry Forensics ==
 +
[[BlackBerry]] devices come with password protection. The owner has the capability to protect all data on the phone with a password. The user may also specify the amount of attempts for entering the password before wiping all data from the device.
  
=Overview=
+
[[Image:Image1.jpg]]
  
A "Palm" is a commonly referred to as a small-scale (hand-held) computer that runs Palm's PalmOS software.
+
If you exceed your password attempts limit (defaults to 10, but you can set it as low as 3), you will be prompted one last time to type the word BlackBerry.  
  
The Palm OS platform is an open architecture that provides a basis for third-party developers and original equipment manufacturers (OEMs) to create mobile computing solutions. The platform consists of five components:<br><br>
+
[[Image:Image2.jpg]]
* The reference hardware design<br>
+
* The device operating system called the Palm OS software<br>
+
* The HotSync conduit data synchronization technology<br>
+
* The platform component tools including an applications programming interface (API) that enables developers to write applications<br>
+
* The software interface capabilities to support hardware add-ons<br>
+
  
(http://www.palm.com/us/company/pr/2000/092000.html, 2000)
+
The device will then wipe. It will be reset to the factory out-of-the-box condition (default folder structure), and the password reset. You will lose everything in the device memory, with no possibility of recovery. It will not reformat the microSD card, since that's not part of the factory configuration. The phone will still be usable, and the operating system will be unchanged. So this technique cannot be used to roll back from an OS upgrade problem.
  
 +
Obviously this is a serious problem if you need to perform forensics on the device. The best work around is to work with the owner of the device and hopefully get them to disclose the password.
  
== History ==
 
  
Palm Computing was founded by Jeff Hawkins, Donna Dubinsky and Ed ColliganThe original purpose of the company was to create handwriting recognition software for other devices (Graffiti).  The initial idea for the devices came from Hawkins' habit of carrying a block of wood in his pocket.
+
== Acquiring BlackBerry Backup File (.ipd)* Updated ==
 +
  * Version 4.6 was used in this example
  
The initial Palm device released in 1996 was called the Pilot. Because Pilot Pen Corporation brought forth a trademark infrigement case, the second generation device released in 1997 was named the PalmPilot.
+
Prerequisites:<br/>
 +
Download and install Blackberry Desktop Manager. <br/>
 +
Use the following link to select and download the install file that fits your system or version. <br/>
 +
https://www.blackberry.com/Downloads/entry.do?code=A8BAA56554F96369AB93E4F3BB068C22 <br/>
 +
<br/>
  
The Palm was not the original PDA device released, but benefited from the failure of Apple's Newton.
+
Once Desktop Manager is installed:<br/>
 +
1. Open Blackberry’s Desktop Manager.<br/>
 +
2. Click “Options” then “Connection Settings” <br/>
  
The Palm OS initially featured personal information management (PIM) tools such as Calendar, Contacts, Memo Pad, Expense and Tasks. As later versions were released, more features were added.  Here is a list of various Palm OS releases:
+
[[Image:BBManager4 6 Options.JPG]]<br/><br/>
  
*  Version 3.1, 3.3, 3.5
+
4. If the Desktop Manager hasn't already done so, select “USB-PIN: Device #” for connection type. Your device # may not be the same as the image below.<br/>
Added support for color, multiple expansion ports, new processors, etc.
+
  
*  Version 4.0
+
[[Image:BBManager4 6 Connect.JPG]]<br/>
Added a standard interface for external FS access
+
  
*  Version 5.0
+
5.     Click "OK" to return to the main menu.<br/><br/>
First version to support Acorn Risc Machine (ARM) devices. Later versions which included OS 5.2, featured Graffiti 2. It began the separation of Palm OS and Palm One.  
+
6. Click “Backup and Restore”.<br/>
  
Presently, version 6.1 of the Palm OS is under development (Cobalt). Cobalt features a Linux-based kernel.  There are presently no devices released using Palm OS 6.
+
[[Image:BBManager4 6 Backup.JPG]] <br/><br/>
  
=Features=
+
7.      Click the "Back up" button for a full backup of the device or use the Advanced section for specific data.<br/>
<table>
+
<tr>
+
<td>'''Address Book''': Allows the user to keep track of their contacts.  Synchronized via HotSync manager</td>
+
</tr>
+
<tr>
+
<td>'''Calculator''': Basic 4 function calculator</td>
+
</tr>
+
<tr>
+
<td>'''Datebook''': Track appointments, birthdates and other important times during the year.  Synchronized via HotSync manager</td>
+
</tr>
+
<tr>
+
<td>'''Expenses''': Keep track of your spending habits.</td>
+
</tr>
+
<tr>
+
<td>'''HotSync''': Application that ran on your desktop or portable PC or Mac to allow for calendars and contacts to easily be synchronized with Palm device.</td>
+
</tr>
+
<tr>
+
<td>'''Memo Pad''': Write short notes.</td>
+
</tr>
+
<tr>
+
<td>'''Note Pad''': Scribble notes in your natural writing language.</td>
+
</tr>
+
<tr>
+
<td>'''To Do List''': Create a check list of items to accomplish.  Synchronized via HotSync manager.</td>
+
</tr>
+
<tr>
+
<td>'''Palm Photos''': Photo manager that allows sharing of photos between multiple palm devices.</td>
+
</tr>
+
</table>
+
  
==Palm Pilot==
+
[[Image:BBManager4 6 Backup1.JPG]]<br/><br/>
The original creators of the Palm Pilot were Jeff Hawkins, Donna Dubinsky, and Ed Colligan. The idea of the palm pilot was established by Jeff Hawkins from a block of wood with writing on it.
+
  
<table>
+
8. Select your destination and save the ".ipd" file.<br/>
<tr>
+
  <th>
+
  Palm Pilot 1000
+
  </th>
+
  <th>
+
  Palm Pilot 5000
+
  </th>
+
  <th>
+
  Palm Pilot Personal
+
  </th>
+
  <th>
+
  Palm Pilot Professional
+
  </th>
+
</tr>
+
<tr>
+
  <th>Features</th>
+
  <td>
+
      <ul>Motorola 68328 processor</ul>
+
      <ul>128 KB memory</ul>
+
      <ul>Palm OS 1.0</ul>
+
  </td>
+
  <td>
+
      <ul>Dragonball processor</ul>
+
      <ul>512 KB memory</ul>
+
      <ul>Palm OS 1.0</ul>
+
  </td>
+
  <td>
+
      <ul>Dragonball processor</ul>
+
      <ul>512 KB memory</ul>
+
      <ul>Palm OS 2.0</ul>
+
  </td>
+
  <td>
+
      <ul>Dragonball processor</ul>
+
      <ul>1 MB memory</ul>
+
      <ul>Palm OS 2.0</ul>
+
  </td>
+
</tr>
+
<tr>
+
  <th>Dimensions & Weight</th>
+
</tr>
+
</table>
+
  
==3Com Audrey==
+
[[Image:BBManager4 6 Save.JPG]]<br/><br/>
  
The 3Com Audrey was created to be a kitchen computer in 2000-2001.  It was a mainly a used to access the Internet.  Cisco then bought out 3Com and the Audrey was no more.  One noticeable aspect of the Audrey is how people can hack it.  They have turned it into anything from a web server to a chatting client.  It runs QNX with PalmOS extensions.  This allows it to be hacked extremely easily.
 
  
It runs on the Intel-compatible Cyrix-MediaGX processor. It uses Palm's HotSync technology to update the address book and date book with up to two Palms simultaneously.  It uses a USB Ethernet controller to connect to the Internet.  It also has built-in stereo speakers to play digital and streaming music.  You can either use the clear pen to input data, or pull out the wireless keyboard.  No graffiti is used. 
+
== Acquiring BlackBerry Backup File (.ipd) ==
  
It was discontinued on March 21, 2001However, there is still an Audrey frenzy going on today.
+
1. Open Blackberry’s Desktop Manager<br/>
 +
2. Click “Options” then “Connection Options” <br/>
 +
[[Image:4.JPG]]<br/>
 +
4. Select “USB-PIN: 2016CC12” for connection<br/>
 +
[[Image:1.JPG]]<br/>
 +
5. Click “Detect”, then it should show a dialog box saying it found the device<br/>
 +
6.     Click "OK" to return to the main menu<br/>
 +
7. Double click “Backup and Restore”<br/>
 +
[[Image:2.JPG]] <br/>
 +
8.      Click "Backup"<br/>
 +
[[Image:5.JPG]]<br/>
 +
9. Save the .ipd file<br/>
 +
[[Image:3.JPG]]<br/>
 +
<br>
  
==Fossil==
 
  
==Garmin==
+
== Opening Blackberry Backup Files (.ipd)* ==
 +
* Trial Version 6.7 was used in this example
  
==Kyocera==
+
1. Purchase Amber BlackBerry Converter ($19.95/user or $59.95/unlimited) or Download the Trial Version from http://www.processtext.com/abcblackberry.html
  
Kyocera acquired QUALCOMM Incorporated's Code Division Multiple Access (CDMA) wireless phone business in February 2000 and incorporates QUALCOMM's CDMA technology in the development and manufacture of wireless phones. An agreement with Palm Inc. to license the Palm OS platform was reached by Kyocera and Palm after QUALCOMM's acquisition. It is the foundation for a suite of smartphones.
+
<br>2. Use File | Open and point the program to the BlackBerry backup file (.ipd).
  
==QualComm==
+
[[Image:ABCOpen.JPG]]
  
In September 1998, QUALCOMM introduced the pdQ smartphone which was the first CDMA digital wireless phone to integrate the Palm OS software. QUALCOMM’s CDMA handset business was later bought by Kyocera in February 2000.
+
<br>3. Navigate to the appropriate content by using the navigation icons on the left and/or top.
 +
<br>[[Image:ABCView.JPG|600 px]]<br>
 +
<small>click for enlarged version</small>
 +
<br>
  
==Samsung==
+
=== Advanced Export Options ===
 +
You may also export each subsection of acquired data to different file types such as pdf, txt, and html, etc.<br>
 +
1. Select the appropriate content from the navigation items on the left.<br>
 +
2. Either select an individual row or click "Select All" to export all rows.<br>
 +
[[Image:ABCExportSelectAll.JPG]]<br><br>
 +
3. Click "Fields to export" button<br>
  
==Sony Cli&Egrave;==
+
[[Image:ABCExportButton.JPG]]<br><br>
  
==Symbol==
+
4. Select all the criteria for that subsection in which you wish to export and click "OK"<br>
  
==TapWave==
+
[[Image:ABCExportFields.JPG]]<br><br>
  
==TRG==
+
5. Select your output type from the bottom list of selections and click "Save As..."<br>
 +
[[Image:ABCExportOptions.JPG]]<br><br>
  
==Handspring Visor==
 
  
The original creators of the PalmPilot, Jeff Hawkins, Donna Dubinsky, and Ed Colligan, left Palm Computing after desputes with the parent company 3com. As a result, the trio founded Handspring in 1998. The first product released in 1999 was called the Handspring Visor, a clone of the original PalmPilot with minor additions, that used the newly created Palm OS. One of it's most prominent features was USB support and an expansion slot for memory cards, both of which were not yet popular at the time.
+
== Blackberry IPD File Format (.ipd) ==
  
The Visor line includes:
+
For a more advanced and in depth look at the file format of (.ipd) backup files visit the following site.
<ul>
+
<br><br>
<li>Visor and Visor Deluxe</li>
+
http://na.blackberry.com/eng/devjournals/resources/journals/jan_2006/ipd_file_format.jsp
<li>Visor Prism</li>
+
<br><br>
<li>Visor Platinum</li>
+
<li>Visor Edge</li>
+
<li>Visor Neo</li>
+
<li>Visor Pro</li>
+
</ul>
+
  
==Treo==
+
== Acquisition with Paraben's Device Seizure ==
Treo manufacturers a variety of devices, including the LifeDrive, Treo 650 and 700w, Palm Z22 and Tx, and the Tungsten E2.  Each of these devices is marketed at a different segment of the market.  For example, the LifeDrive contains a 4GB integrated hard drive and is advertised as a portable multimedia device that plays videos and MP3s.  The LifeDrive Also includes integrated WiFi and Bluetooth capabilities.  The Treo 650 and 700w are the company's Smartphones.  The Treo 650 runs Palm OS, while the 700w runs on Windows Mobile.  The Z22, Tx, and Tungsten E2 are primarily designed to be personal organizers.
+
  
=Forensics=
+
As an alternative to acquiring the Blackberry through Amber Blackberry Converter, Paraben's Device Seizure is a simple and effective method to acquire the dataThe only drawback, is that this method takes significantly more time to acquire than using Amber Blackberry Converter.
Forensics for Palm devices is a nascent fieldThere are several tools available for the image acquisition and analysis of Palm devices.
+
  
==EnCase==
+
1. Create a new case in Device Seizure with File | New.
EnCase, published by Guidance Software, is a complete cyber forensics software package that handles all steps of the investigative process, from the acquisition to the report creation. The software includes built-in capabilities for performing MD5 hashing, data carving, deleted file recovery, and many other functions.
+
  
Although traditionally relegated to the realm of desktop computer forensics investigations, EnCase does support the acquisition and analysis of a limited number of Palm devices.  
+
2. Give the case a name and fill in any desired information about the case on the next two screens.  Nothing is actually required to be entered.  The third screen is a summary of the data entered.  If all data is correct click Next and then Finish.
  
==Paraben==
+
3. You are now ready to acquire the phoneGo to Tools | Data Acquisition.
Paraben has a software application that is specifically designed for PDA forensics,PDA Seizure. This comprehensive tool allows PDA data to be acquired, viewed, and reported on, all within a Windows environment.  The software comes equiped with quite a few key features.  These features include the ability to encrypt saved case files, Blackberry OS support, built-in recovery of Palm passwords, enhanced viewing on file data, complete physical and logical acquisition for Palm PDA devices, and many moreIt has a few draw backs, in that some of the material acquired from the PDAs is hard to interpret by a person that is not computer savi. Although, on the other hand it has features like a search portion that allows you to enter a search term and PDA Seizure will bring up all files that have that term in them.  This allows the investigator to look for case specific information easily and quickly.
+
  
=References=
+
4. You are prompted for the supported manufacturer.  Select RIM Blackbery (Physical).<br/>
http://www.answers.com/topic/palm-os
+
[[Image:Image10.JPG]]<br/><br/>
  
http://www.palm.com/us/
+
5. Leave supported models at the default selection of autodetect.<br/>
 +
[[Image:Image11.JPG]]<br/><br/>
  
http://www.encase.com
+
6. Connection type should be set to USB.<br/>
 +
[[Image:Image12.JPG]]<br/><br/>
  
http://www.paraben.com
+
7. For data type selection select Logical Image (Databases).<br/>
 +
[[Image:Image13.jpg]]<br/><br/>
  
http://en.wikipedia.org/wiki/Palm_(PDA)
+
8. Confirm your selections on the summary page and click Next to start the acquisition.
  
http://www.etech4sale.com/products/partinfo-id-116929.html
+
== BlackBerry Simulator ==
 +
 
 +
This is a step by step guide to downloading and using a BlackBerry simulator. For this example I downloaded version 4.0.2 in order to simulate the 9230 series.
 +
 
 +
1. Select a simulator to download from the drop-down list on the [https://www.blackberry.com/Downloads/entry.do?code=060AD92489947D410D897474079C1477]BlackBerry website. Click ''Next''.
 +
 
 +
2. Look through the list and download BlackBerry Handheld Simulator v4.0.2.51.
 +
 
 +
3. Enter your proper user credentials and click ''Next'' to continue.
 +
 
 +
4. On the next page, reply accordingly to the eligibility prompt and click ''Next'' to continue.*
 +
 
 +
5. Agree or disagree to the SDK agreement and click ''Submit'' to continue.*
 +
 
 +
6. The next page will provide you with a link to download the .ZIP file containing the wanted simulator.
 +
* - If you disagree at any of these points you will not be able to continue to the download.
 +
 
 +
7. Extract the files to a folder that can easily be accessed (I used the desktop).
 +
 
 +
8. In that folder, find the xxxx.bat file (where xxxx is the model number of the device that is being simulated). The simulator should now open an image that resembles the phone.
 +
 
 +
9. In the ''BlackBerry 7230 Simulator'' window, select ''Simulate'' | ''USB Cable Connected''.  Refer to ''Figure BS-1'' for further reference.
 +
 
 +
[[Image:7230_1.JPG]]
 +
 
 +
''Figure BS-1''
 +
 
 +
10. Open BlackBerry Desktop Manager.  If there are no Outlook profiles created there will be a prompt on how to create one.  Click ''OK'' to continue.  If the BlackBerry xxxx Simulator has properly connected to the BlackBerry Desktop Manager, ''Connected'' should be displayed at the bottom of the BlackBerry Desktop Manager window.  Refer to ''Figure BS-2'' for further reference.
 +
 
 +
[[Image:BBDM_1.JPG]]
 +
 
 +
''Figure BS-2''
 +
 
 +
11. Double click ''Backup and Restore'' | select ''Restore...''.  Refer to ''Figure BS-2'' for further reference.
 +
 
 +
12. Navigate to the directory where an .ipd file that has been previously backed up is stored and select Open to load that file to the Simulator.  See the Acquiring BlackBerry Backup File section above on information on how to backup a physical BlackBerry.
 +
 
 +
== Blackberry Protocol ==
 +
http://www.off.net/cassis/protocol-description.html
 +
 
 +
Here is a useful link to the Blackberry Protocol as documented by Phil Schwan, Mike Shaver, and Ian Goldberg. The article goes into great description of packet sniffing and the protocol as it relates to data transfer across a USB port.
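Review bot: The steps under "Acquiring BlackBerry Backup File (.ipd)* Updated" jump from 2 to 4. The older section with the same title is also still present further down, with a device-specific value ("USB-PIN: 2016CC12") and a different menu name ("Connection Options" versus "Connection Settings"). Renumber the new steps and remove or merge the old section so readers follow one procedure. In the BlackBerry Simulator section the introduction says the 9230 series while step 9 names the "BlackBerry 7230 Simulator" window and the figure is 7230_1.JPG, so one of the two model numbers needs correcting. The Device Seizure section calls itself an alternative to acquiring through Amber Blackberry Converter, but the earlier sections use Desktop Manager to acquire and the converter only to open the .ipd file. Its steps also pick a "(Physical)" manufacturer entry in step 4 and "Logical Image (Databases)" in step 7, so a sentence saying which kind of acquisition results would help.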

Revision as of 01:53, 8 December 2008

Warning for BlackBerry Forensics

BlackBerry devices come with password protection. The owner can protect all data on the phone with a password. The user may also specify the number of password attempts allowed before all data is wiped from the device.

Image1.jpg

If you exceed your password attempts limit (defaults to 10, but you can set it as low as 3), you will be prompted one last time to type the word BlackBerry.

Image2.jpg

The device will then wipe. It will be reset to the factory out-of-the-box condition (default folder structure), and the password is reset. You will lose everything in the device memory, with no possibility of recovery. It will not reformat the microSD card, since that's not part of the factory configuration. The phone will still be usable, and the operating system will be unchanged, so this technique cannot be used to roll back from an OS upgrade problem.

Obviously this is a serious problem if you need to perform forensics on the device. The best workaround is to work with the owner of the device and hopefully get them to disclose the password.


Acquiring BlackBerry Backup File (.ipd)* Updated

* Version 4.6 was used in this example

Prerequisites:
Download and install Blackberry Desktop Manager.
Use the following link to select and download the install file that fits your system or version.
https://www.blackberry.com/Downloads/entry.do?code=A8BAA56554F96369AB93E4F3BB068C22

Once Desktop Manager is installed:
1. Open Blackberry’s Desktop Manager.
2. Click “Options” then “Connection Settings”

BBManager4 6 Options.JPG

4. If the Desktop Manager hasn't already done so, select “USB-PIN: Device #” for connection type. Your device # may not be the same as the image below.

BBManager4 6 Connect.JPG

5. Click "OK" to return to the main menu.

6. Click “Backup and Restore”.

BBManager4 6 Backup.JPG

7. Click the "Back up" button for a full backup of the device or use the Advanced section for specific data.

BBManager4 6 Backup1.JPG

8. Select your destination and save the ".ipd" file.

BBManager4 6 Save.JPG


Acquiring BlackBerry Backup File (.ipd)

1. Open Blackberry’s Desktop Manager
2. Click “Options” then “Connection Options”
4.JPG
4. Select “USB-PIN: 2016CC12” for connection
1.JPG
5. Click “Detect”, then it should show a dialog box saying it found the device
6. Click "OK" to return to the main menu
7. Double click “Backup and Restore”
2.JPG
8. Click "Backup"
5.JPG
9. Save the .ipd file
3.JPG


Opening Blackberry Backup Files (.ipd)*

* Trial Version 6.7 was used in this example

1. Purchase Amber BlackBerry Converter ($19.95/user or $59.95/unlimited) or download the trial version from http://www.processtext.com/abcblackberry.html


2. Use File | Open and point the program to the BlackBerry backup file (.ipd).

ABCOpen.JPG


3. Navigate to the appropriate content by using the navigation icons on the left and/or top.
ABCView.JPG

Advanced Export Options

You may also export each subsection of acquired data to different file types, such as PDF, TXT, and HTML.
1. Select the appropriate content from the navigation items on the left.
2. Either select an individual row or click "Select All" to export all rows.
ABCExportSelectAll.JPG

3. Click "Fields to export" button

ABCExportButton.JPG

4. Select all the criteria for that subsection that you wish to export and click "OK"

ABCExportFields.JPG

5. Select your output type from the bottom list of selections and click "Save As..."
ABCExportOptions.JPG


Blackberry IPD File Format (.ipd)

For a more advanced, in-depth look at the .ipd backup file format, visit the following site.

http://na.blackberry.com/eng/devjournals/resources/journals/jan_2006/ipd_file_format.jsp
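
Before an acquired .ipd file is opened in a converter or restored to a simulator, an examiner will normally record its hash and confirm that it really is an IPD backup. The sketch below is an added example, not code from this wiki or from BlackBerry. The signature string and header layout (version byte, database count, name blocks) are assumptions based on the publicly described IPD format rather than anything stated on this page, and the sample data is constructed.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

# Signature and header layout are assumptions taken from the publicly
# described IPD format, not from this page.
IPD_MAGIC = b"Inter@ctive Pager Backup/Restore File\n"


class IPDError(ValueError):
    """Raised when the data does not look like a complete IPD header."""


def parse_ipd_header(data: bytes) -> dict:
    """Return the format version and database names from an .ipd image."""
    if not data.startswith(IPD_MAGIC):
        raise IPDError("signature mismatch: not an IPD backup")
    pos = len(IPD_MAGIC)
    if len(data) < pos + 4:
        raise IPDError("truncated header")
    version = data[pos]
    # Assumed: the database count is big-endian, other integers little-endian.
    (db_count,) = struct.unpack_from(">H", data, pos + 1)
    pos += 4  # version (1) + count (2) + name separator (1)
    names = []
    for index in range(db_count):
        if pos + 2 > len(data):
            raise IPDError(f"truncated before name block {index}")
        (name_len,) = struct.unpack_from("<H", data, pos)
        raw = data[pos + 2 : pos + 2 + name_len]
        if len(raw) != name_len:
            raise IPDError(f"name block {index} runs past end of file")
        names.append(raw.rstrip(b"\x00").decode("latin-1"))
        pos += 2 + name_len
    return {"version": version, "databases": names, "records_offset": pos}


def examine_ipd(path) -> dict:
    """Hash the evidence file and summarise its header, opening it read-only."""
    data = Path(path).read_bytes()
    report = parse_ipd_header(data)
    report["size"] = len(data)
    report["sha256"] = hashlib.sha256(data).hexdigest()
    return report


def build_sample_ipd(names) -> bytes:
    """Constructed sample: header and name blocks only, no records."""
    blob = IPD_MAGIC + bytes([2]) + struct.pack(">H", len(names)) + b"\x00"
    for name in names:
        encoded = name.encode("latin-1") + b"\x00"
        blob += struct.pack("<H", len(encoded)) + encoded
    return blob


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.ipd"
        sample.write_bytes(build_sample_ipd(["Address Book", "SMS Messages"]))
        for key, value in examine_ipd(sample).items():
            print(f"{key}: {value}")
```

Run the check against a working copy and keep the reported SHA-256 with the case notes so later exports can be tied back to the same file.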

Acquisition with Paraben's Device Seizure

As an alternative to acquiring the Blackberry through Amber Blackberry Converter, Paraben's Device Seizure is a simple and effective method to acquire the data. The only drawback is that this method takes significantly more time to acquire than using Amber Blackberry Converter.

1. Create a new case in Device Seizure with File | New.

2. Give the case a name and fill in any desired information about the case on the next two screens. Nothing is actually required to be entered. The third screen is a summary of the data entered. If all data is correct click Next and then Finish.

3. You are now ready to acquire the phone. Go to Tools | Data Acquisition.

4. You are prompted for the supported manufacturer. Select RIM Blackberry (Physical).
Image10.JPG

5. Leave supported models at the default selection of autodetect.
Image11.JPG

6. Connection type should be set to USB.
Image12.JPG

7. For data type selection select Logical Image (Databases).
Image13.jpg

8. Confirm your selections on the summary page and click Next to start the acquisition.

BlackBerry Simulator

This is a step-by-step guide to downloading and using a BlackBerry simulator. For this example I downloaded version 4.0.2 in order to simulate the 9230 series.

1. Select a simulator to download from the drop-down list on the BlackBerry website (https://www.blackberry.com/Downloads/entry.do?code=060AD92489947D410D897474079C1477). Click Next.

2. Look through the list and download BlackBerry Handheld Simulator v4.0.2.51.

3. Enter your proper user credentials and click Next to continue.

4. On the next page, reply accordingly to the eligibility prompt and click Next to continue.*

5. Agree or disagree to the SDK agreement and click Submit to continue.*

6. The next page will provide you with a link to download the .ZIP file containing the selected simulator.

* If you disagree at any of these points you will not be able to continue to the download.

7. Extract the files to a folder that can easily be accessed (I used the desktop).

8. In that folder, find the xxxx.bat file (where xxxx is the model number of the device that is being simulated). The simulator should now open an image that resembles the phone.

9. In the BlackBerry 7230 Simulator window, select Simulate | USB Cable Connected. Refer to Figure BS-1 for further reference.

7230 1.JPG

Figure BS-1

10. Open BlackBerry Desktop Manager. If there are no Outlook profiles created there will be a prompt on how to create one. Click OK to continue. If the BlackBerry xxxx Simulator has properly connected to the BlackBerry Desktop Manager, Connected should be displayed at the bottom of the BlackBerry Desktop Manager window. Refer to Figure BS-2 for further reference.

BBDM 1.JPG

Figure BS-2

11. Double click Backup and Restore | select Restore.... Refer to Figure BS-2 for further reference.

12. Navigate to the directory where a previously backed-up .ipd file is stored and select Open to load that file into the Simulator. See the Acquiring BlackBerry Backup File section above for information on how to back up a physical BlackBerry.

Blackberry Protocol

http://www.off.net/cassis/protocol-description.html

Here is a useful link to the Blackberry Protocol as documented by Phil Schwan, Mike Shaver, and Ian Goldberg. The article describes in detail packet sniffing and the protocol as it relates to data transfer across a USB port.