Difference between pages "Blackberry Forensics" and "Email Headers"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(redid ABC Amber Black Berry Converter section and added step by instructions with screens, Added Export subsection to ABC)
 
m (replaced obsolete wikipedia link)
 
Line 1: Line 1:
== Warning for BlackBerry Forensics ==
+
'''Email Headers''' are lines of [[metadata]] attached to each [[email]] that contain lots of useful information for a [[forensic investigator]]. However, email headers can be easily forged, so they should never be used as the only source of information.
[[BlackBerry]] devices come with password protection. The owner has the capability to protect all data on the phone with a password. The user may also specify the amount of attempts for entering the password before wiping all data from the device.
+
  
[[Image:Image1.jpg]]
+
== Making Sense of Headers ==
  
If you exceed your password attempts limit (defaults to 10, but you can set it as low as 3), you will be prompted one last time to type the word BlackBerry.  
+
There is no single way to make sense of email headers. Some examiners favor reading from the bottom up, some favor reading from the top down. Because information in the headers can be put there by the user's [[Mail User Agent|MUA]], a server in transit, or the recipient's [[Mail User Agent|MUA]], it can be difficult to determine when a line was added.
  
[[Image:Image2.jpg]]
+
=== Mail User Agents ===
 +
{{main|List of MUA Header Formats}}
 +
Every [[Mail User Agent|MUA]] sets up the headers for a message slightly differently. Although some headers are required under the applicable [http://www.faqs.org/rfcs/rfc2822.html RFC], their format and ordering can vary by client. Almost all clients, however, add their headers in a fixed format and order.
 +
The examiner can use the format and order for each client to show that messages were forged, but not that they were legitimate. For example, if a message purports to be from [[Apple Mail]] but the order or the headers do not match the [[Apple Mail Header Format]], the message has been forged. If the headers of the message do match that format, however, it does not guarantee that the message was sent by that program.
  
The device will then wipe. It will be reset to the factory out-of-the-box condition (default folder structure), and the password reset. You will lose everything in the device memory, with no possibility of recovery. It will not reformat the microSD card, since that's not part of the factory configuration. The phone will still be usable, and the operating system will be unchanged. So this technique cannot be used to roll back from an OS upgrade problem.
+
=== Servers in Transit ===
  
Obviously this is a serious problem if you need to perform forensics on the device. The best work around is to work with the owner of the device and hopefully get them to disclose the password.
+
Mail servers can add lines onto email headers, usually in the form of "Received" lines, like this:
 +
<pre>Received: by servername.recipeienthost.com (Postfix, from userid 506)
 +
id 77C30808A; Sat, 24 Feb 2007 20:43:56 -0500 (EST)</pre>
  
 +
== Message Id Field ==
 +
{{main|Using message id headers to determine if an email has been forged}}. According to the current guidelines for email [http://www.faqs.org/rfcs/rfc2822.html], every message should have a Message-ID field. These id fields can be used to determine if a message has been forged. It is harder, but sometimes possible, to show that a message is authentic using the message id field. Where known, the Message-ID algorithms for known programs are [[List of MUA Header Formats|given on the separate pages for those programs]].
  
== Acquiring BlackBerry Backup File (.ipd)* Updated ==
+
== Signature Fields ==
* Version 4.6 was used in this example
+
{{main|Using signature headers to determine if an email has been forged}}. Some email programs allow users to sign messages. This gives the recipient some assurance that the sender given in the message really sent the message. Obviously these headers can be used by an examiner for the same purpose.
  
Prerequisites:<br/>
+
== Sample Header ==
Download and install Blackberry Desktop Manager. <br/>
+
Use the following link to select and download the install file that fits your system or version. <br/>
+
https://www.blackberry.com/Downloads/entry.do?code=A8BAA56554F96369AB93E4F3BB068C22 <br/>
+
<br/>
+
  
Once Desktop Manager is installed:<br/>
+
This is an (incomplete) excerpt from an email header:
1. Open Blackberry’s Desktop Manager.<br/>
+
2. Click “Options” then “Connection Settings” <br/>
+
  
[[Image:BBManager4 6 Options.JPG]]<br/><br/>
+
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
 +
        by outgoing2.securityfocus.com (Postfix) with QMQP
 +
        id 7E9971460C9; Mon,  9 Jan 2006 08:01:36 -0700 (MST)
 +
Mailing-List: contact forensics-help@securityfocus.com; run by ezmlm
 +
Precedence: bulk
 +
List-Id: <forensics.list-id.securityfocus.com>
 +
List-Post: <mailto:forensics@securityfocus.com>
 +
List-Help: <mailto:forensics-help@securityfocus.com>
 +
List-Unsubscribe: <mailto:forensics-unsubscribe@securityfocus.com>
 +
List-Subscribe: <mailto:forensics-subscribe@securityfocus.com>
 +
Delivered-To: mailing list forensics@securityfocus.com
 +
Delivered-To: moderator for forensics@securityfocus.com
 +
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
 +
From: YJesus <yjesus@security-projects.com>
 +
To: forensics@securityfocus.com
 +
Subject: New Tool : Unhide
 +
User-Agent: KMail/1.9
 +
MIME-Version: 1.0
 +
Content-Disposition: inline
 +
Date: Thu, 5 Jan 2006 16:41:30 +0100
 +
Content-Type: text/plain;
 +
  charset="iso-8859-1"
 +
Content-Transfer-Encoding: quoted-printable
 +
Message-Id: <200601051641.31830.yjesus@security-projects.com>
 +
X-HE-Spam-Level: /
 +
X-HE-Spam-Score: 0.0
 +
X-HE-Virus-Scanned: yes
 +
Status: RO
 +
Content-Length: 586
 +
Lines: 26
  
4. If the Desktop Manager hasn't already done so, select “USB-PIN: Device #” for connection type. Your device # may not be the same as the image below.<br/>
+
== External Links ==
 
+
* [http://en.wikipedia.org/wiki/E-mail#Header Wikipedia entry on email headers]
[[Image:BBManager4 6 Connect.JPG]]<br/>
+
 
+
5.      Click "OK" to return to the main menu.<br/><br/>
+
6. Click “Backup and Restore”.<br/>
+
 
+
[[Image:BBManager4 6 Backup.JPG]]  <br/><br/>
+
 
+
7.      Click the "Back up" button for a full backup of the device or use the Advanced section for specific data.<br/>
+
 
+
[[Image:BBManager4 6 Backup1.JPG]]<br/><br/>
+
 
+
8. Select your destination and save the ".ipd" file.<br/>
+
 
+
[[Image:BBManager4 6 Save.JPG]]<br/><br/>
+
 
+
 
+
== Acquiring BlackBerry Backup File (.ipd) ==
+
 
+
1. Open Blackberry’s Desktop Manager<br/>
+
2. Click “Options” then “Connection Options” <br/>
+
[[Image:4.JPG]]<br/>
+
4. Select “USB-PIN: 2016CC12” for connection<br/>
+
[[Image:1.JPG]]<br/>
+
5. Click “Detect”, then it should show a dialog box saying it found the device<br/>
+
6.      Click "OK" to return to the main menu<br/>
+
7. Double click “Backup and Restore”<br/>
+
[[Image:2.JPG]]  <br/>
+
8.      Click "Backup"<br/>
+
[[Image:5.JPG]]<br/>
+
9. Save the .ipd file<br/>
+
[[Image:3.JPG]]<br/>
+
<br>
+
 
+
 
+
== Opening Blackberry Backup Files (.ipd)* ==
+
* Trial Version 6.7 was used in this example
+
 
+
1. Purchase Amber BlackBerry Converter ($19.95/user or $59.95/unlimited) or Download the Trial Version from http://www.processtext.com/abcblackberry.html
+
 
+
<br>2. Use File | Open and point the program to the BlackBerry backup file (.ipd).
+
 
+
[[Image:ABCOpen.JPG]]
+
 
+
<br>3. Navigate to the appropriate content by using the navigation icons on the left and/or top.
+
<br>[[Image:ABCView.JPG|600 px]]<br>
+
<small>click for enlarged version</small>
+
<br>
+
 
+
=== Advanced Export Options ===
+
You may also export each subsection of acquired data to different file types such as pdf, txt, and html, etc.<br>
+
1. Select the appropriate content from the navigation items on the left.<br>
+
2. Either select an individual row or click "Select All" to export all rows.<br>
+
[[Image:ABCExportSelectAll.JPG]]<br><br>
+
3. Click "Fields to export" button<br>
+
 
+
[[Image:ABCExportButton.JPG]]<br><br>
+
 
+
4. Select all the criteria for that subsection in which you wish to export and click "OK"<br>
+
 
+
[[Image:ABCExportFields.JPG]]<br><br>
+
 
+
5. Select your output type from the bottom list of selections and click "Save As..."<br>
+
[[Image:ABCExportOptions.JPG]]<br><br>
+
 
+
 
+
== Blackberry IPD File Format (.ipd) ==
+
 
+
For a more advanced and in depth look at the file format of (.ipd) backup files visit the following site.
+
<br><br>
+
http://na.blackberry.com/eng/devjournals/resources/journals/jan_2006/ipd_file_format.jsp
+
<br><br>
+
 
+
== Acquisition with Paraben's Device Seizure ==
+
 
+
As an alternative to acquiring the Blackberry through Amber Blackberry Converter, Paraben's Device Seizure is a simple and effective method to acquire the data.  The only drawback, is that this method takes significantly more time to acquire than using Amber Blackberry Converter.
+
 
+
1. Create a new case in Device Seizure with File | New.
+
 
+
2. Give the case a name and fill in any desired information about the case on the next two screens.  Nothing is actually required to be entered.  The third screen is a summary of the data entered.  If all data is correct click Next and then Finish.
+
 
+
3. You are now ready to acquire the phone.  Go to Tools | Data Acquisition.
+
 
+
4. You are prompted for the supported manufacturer.  Select RIM Blackbery (Physical).<br/>
+
[[Image:Image10.JPG]]<br/><br/>
+
 
+
5. Leave supported models at the default selection of autodetect.<br/>
+
[[Image:Image11.JPG]]<br/><br/>
+
 
+
6. Connection type should be set to USB.<br/>
+
[[Image:Image12.JPG]]<br/><br/>
+
 
+
7. For data type selection select Logical Image (Databases).<br/>
+
[[Image:Image13.jpg]]<br/><br/>
+
 
+
8. Confirm your selections on the summary page and click Next to start the acquisition.
+
 
+
== BlackBerry Simulator ==
+
 
+
This is a step by step guide to downloading and using a BlackBerry simulator. For this example I downloaded version 4.0.2 in order to simulate the 9230 series.
+
 
+
1. Select a simulator to download from the drop-down list on the [https://www.blackberry.com/Downloads/entry.do?code=060AD92489947D410D897474079C1477]BlackBerry website. Click ''Next''.
+
 
+
2. Look through the list and download BlackBerry Handheld Simulator v4.0.2.51.
+
 
+
3. Enter your proper user credentials and click ''Next'' to continue.
+
 
+
4. On the next page, reply accordingly to the eligibility prompt and click ''Next'' to continue.*
+
 
+
5. Agree or disagree to the SDK agreement and click ''Submit'' to continue.*
+
 
+
6. The next page will provide you with a link to download the .ZIP file containing the wanted simulator.
+
* - If you disagree at any of these points you will not be able to continue to the download.
+
 
+
7. Extract the files to a folder that can easily be accessed (I used the desktop).
+
 
+
8. In that folder, find the xxxx.bat file (where xxxx is the model number of the device that is being simulated). The simulator should now open an image that resembles the phone.
+
 
+
9. In the ''BlackBerry 7230 Simulator'' window, select ''Simulate'' | ''USB Cable Connected''.  Refer to ''Figure BS-1'' for further reference.
+
 
+
[[Image:7230_1.JPG]]
+
 
+
''Figure BS-1''
+
 
+
10. Open BlackBerry Desktop Manager.  If there are no Outlook profiles created there will be a prompt on how to create one.  Click ''OK'' to continue.  If the BlackBerry xxxx Simulator has properly connected to the BlackBerry Desktop Manager, ''Connected'' should be displayed at the bottom of the BlackBerry Desktop Manager window.  Refer to ''Figure BS-2'' for further reference.
+
 
+
[[Image:BBDM_1.JPG]]
+
 
+
''Figure BS-2''
+
 
+
11. Double click ''Backup and Restore'' | select ''Restore...''.  Refer to ''Figure BS-2'' for further reference.
+
 
+
12. Navigate to the directory where an .ipd file that has been previously backed up is stored and select Open to load that file to the Simulator.  See the Acquiring BlackBerry Backup File section above on information on how to backup a physical BlackBerry.
+
 
+
== Blackberry Protocol ==
+
http://www.off.net/cassis/protocol-description.html
+
 
+
Here is a useful link to the Blackberry Protocol as documented by Phil Schwan, Mike Shaver, and Ian Goldberg. The article goes into great description of packet sniffing and the protocol as it relates to data transfer across a USB port.
+

Revision as of 10:54, 18 July 2008

Email Headers are lines of metadata attached to each email that contain lots of useful information for a forensic investigator. However, email headers can be easily forged, so they should never be used as the only source of information.

Making Sense of Headers

There is no single way to make sense of email headers. Some examiners favor reading from the bottom up, some favor reading from the top down. Because information in the headers can be put there by the user's MUA, a server in transit, or the recipient's MUA, it can be difficult to determine when a line was added.

Mail User Agents

Every MUA sets up the headers for a message slightly differently. Although some headers are required under the applicable RFC, their format and ordering can vary by client. Almost all clients, however, add their headers in a fixed format and order. The examiner can use the format and order for each client to show that messages were forged, but not that they were legitimate. For example, if a message purports to be from Apple Mail but the order or the headers do not match the Apple Mail Header Format, the message has been forged. If the headers of the message do match that format, however, it does not guarantee that the message was sent by that program.

Servers in Transit

Mail servers can add lines onto email headers, usually in the form of "Received" lines, like this:

Received: by servername.recipeienthost.com (Postfix, from userid 506)
	id 77C30808A; Sat, 24 Feb 2007 20:43:56 -0500 (EST)

Message Id Field

Main article Using message id headers to determine if an email has been forged. According to the current guidelines for email [1], every message should have a Message-ID field. These id fields can be used to determine if a message has been forged. It is harder, but sometimes possible, to show that a message is authentic using the message id field. Where known, the Message-ID algorithms for known programs are given on the separate pages for those programs.

Signature Fields

Main article Using signature headers to determine if an email has been forged. Some email programs allow users to sign messages. This gives the recipient some assurance that the sender given in the message really sent the message. Obviously these headers can be used by an examiner for the same purpose.

Sample Header

This is an (incomplete) excerpt from an email header:

Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
        by outgoing2.securityfocus.com (Postfix) with QMQP
        id 7E9971460C9; Mon,  9 Jan 2006 08:01:36 -0700 (MST)
Mailing-List: contact forensics-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <forensics.list-id.securityfocus.com>
List-Post: <mailto:forensics@securityfocus.com>
List-Help: <mailto:forensics-help@securityfocus.com>
List-Unsubscribe: <mailto:forensics-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:forensics-subscribe@securityfocus.com>
Delivered-To: mailing list forensics@securityfocus.com
Delivered-To: moderator for forensics@securityfocus.com
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
From: YJesus <yjesus@security-projects.com>
To: forensics@securityfocus.com
Subject: New Tool : Unhide
User-Agent: KMail/1.9
MIME-Version: 1.0
Content-Disposition: inline
Date: Thu, 5 Jan 2006 16:41:30 +0100
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-Id: <200601051641.31830.yjesus@security-projects.com>
X-HE-Spam-Level: /
X-HE-Spam-Score: 0.0
X-HE-Virus-Scanned: yes
Status: RO
Content-Length: 586
Lines: 26

External Links