Difference between pages "Blackberry Forensics" and "Tools:Network Forensics"

From ForensicsWiki
== Warning for BlackBerry Forensics ==

BlackBerry devices come with password protection. The owner can protect all data on the phone with a password, and can also set the number of password attempts allowed before the device wipes all of its data.

[[Image:Image1.jpg]]

If you exceed the password attempt limit (the default is 10, but it can be set as low as 3), you will be prompted one last time to type the word BlackBerry.

[[Image:Image2.jpg]]

The device will then wipe. It is reset to the factory out-of-the-box condition (default folder structure) and the password is reset. Everything in device memory is lost, with no possibility of recovery. The microSD card is not reformatted, since it is not part of the factory configuration. The phone remains usable and the operating system is unchanged, so this technique cannot be used to roll back from an OS upgrade problem.

Obviously this is a serious problem if you need to perform forensics on the device. The best workaround is to work with the owner of the device and hopefully get them to disclose the password.

== Acquiring BlackBerry Backup File (.ipd) ==

1. Open BlackBerry Desktop Manager.

2. Click "Options", then "Connection Settings".

[[Image:4.JPG]]

4. Select "USB-PIN: 2016CC12" for the connection.

[[Image:1.JPG]]

5. Click "Detect"; a dialog box should then report that it found the device.

6. Click "OK" to return to the main menu.

7. Double-click "Backup and Restore".

[[Image:2.JPG]]

8. Click "Backup".

[[Image:5.JPG]]

9. Save the .ipd file.

[[Image:3.JPG]]

== Opening BlackBerry Backup Files (.ipd) ==

1. Purchase Amber BlackBerry Converter from [http://www.processtext.com/abcblackberry.html], or download the trial version.

2. Use File | Open and point the program to the BlackBerry backup file (.ipd).

3. Navigate to the appropriate content using the navigator icons on the left.

== Available Information Using Amber BlackBerry Converter ==

{|
| A || B
|-
| C || D
|}

== BlackBerry Simulator ==

This is a step-by-step guide to downloading and using a BlackBerry simulator. For this example I downloaded version 4.0.2 in order to simulate the 9230 series.

1. Select a simulator to download from the drop-down list on the [https://www.blackberry.com/Downloads/entry.do?code=060AD92489947D410D897474079C1477 BlackBerry website]. Click ''Next''.

2. Look through the list and download BlackBerry Handheld Simulator v4.0.2.51.

3. Enter your user credentials and click ''Next'' to continue.

4. On the next page, reply accordingly to the eligibility prompt and click ''Next'' to continue.*

5. Agree or disagree to the SDK agreement and click ''Submit'' to continue.*

6. The next page will provide a link to download the .ZIP file containing the simulator.

* - If you disagree at any of these points you will not be able to continue to the download.

INCOMPLETE, WILL COMPLETE BY 11.3.2008

Below is an example of a 7510 simulator. These simulators ARE capable of connecting to BlackBerry Desktop Manager.

[[Image:Image3.jpg]]

== BlackBerry Protocol ==

http://www.off.net/cassis/protocol-description.html

This is a useful link to the BlackBerry protocol as documented by Phil Schwan, Mike Shaver, and Ian Goldberg. The article describes in detail packet sniffing and the protocol as it relates to data transfer across a USB port.

Revision as of 12:49, 13 June 2008

Network Forensics Packages and Appliances

Burst
http://www.burstmedia.com/release/advertisers/geo_faq.htm
Expensive IP geo-location service.
chkrootkit
http://www.chkrootkit.org
cryptcat
http://farm9.org/Cryptcat/
Enterasys Dragon
http://www.enterasys.com/products/advanced-security-apps/index.aspx
Intrusion Detection System, includes session reconstruction.
MaxMind
http://www.maxmind.com
IP geolocation services and data provider for offline geotagging. Free GeoLite country database. Programmable APIs.
netcat
http://netcat.sourceforge.net/
netflow/flowtools
http://www.cisco.com/warp/public/732/Tech/nmp/netflow/index.shtml
http://www.splintered.net/sw/flow-tools/
http://silktools.sourceforge.net/
http://www.vmware.com/vmtn/appliances/directory/293 Netflow Appliance (VMware)
NetIntercept
http://www.sandstorm.net/products/netintercept
NetIntercept captures whole packets and reassembles up to 999,999 TCP connections at once, reconstructing files that were sent over your network and creating a database of its findings. It recognizes over 100 types of network protocols and file types, including web traffic, multimedia, email, and IM.
NetworkMiner
http://networkminer.wiki.sourceforge.net/NetworkMiner
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool or to parse PCAP files for off-line analysis.
rkhunter
http://rkhunter.sourceforge.net/
ngrep
http://ngrep.sourceforge.net/
nslookup
http://en.wikipedia.org/wiki/Nslookup
Name Server Lookup: command-line tool used to find the IP address for a domain name.
Sguil
http://sguil.sourceforge.net/
Snort
http://www.snort.org/
ssldump
http://ssldump.sourceforge.net/
tcpdump
http://www.tcpdump.org
tcpextract
http://tcpxtract.sourceforge.net/
tcpflow
http://www.circlemud.org/~jelson/software/tcpflow/
truewitness
http://www.nature-soft.com/forensic.html
Linux/open-source. Based in India.
etherpeek
http://www.wildpackets.com/products/etherpeek/overview
Whois
http://en.wikipedia.org/wiki/WHOIS Web service and command-line tool to look up registry information for an Internet domain.
http://www.arin.net/registration/agreements/bulkwhois.pdf Bulk WHOIS data request from ARIN
IP Regional Registries
http://www.arin.net/community/rirs.html
http://www.arin.net/index.shtml American Registry for Internet Numbers (ARIN)
http://www.afrinic.net/ African Network Information Center (AfriNIC)
http://www.apnic.net/ Asia Pacific Network Information Centre (APNIC)
http://www.lacnic.net/en/ Latin American and Caribbean IP Address Regional Registry (LACNIC)
http://www.ripe.net/ RIPE Network Coordination Centre (RIPE NCC)
Wireshark / Ethereal
http://www.wireshark.org/
Open source protocol analyzer, previously known as Ethereal.
Xplico
http://www.xplico.org/
Open Source Network Forensic Analysis Tool (NFAT). Protocols supported: HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...

Command-line tools

arp - view the contents of your ARP cache

ifconfig - view your MAC and IP address

ping - send packets to probe remote machines

tcpdump - capture packets

snoop - captures packets from the network and displays their contents (Solaris)

nemesis - create arbitrary packets

tcpreplay - replay captured packets

traceroute - view a network path

gnetcast - GNU rewrite of netcat

packit - packet generator

nmap - utility for network exploration and security auditing

ARP and Ethernet MAC Tools

arping - transmit ARP traffic

arpdig - probe LAN for MAC addresses

arpwatch - watch ARP changes

arp-sk - perform denial of service attacks

macof - CAM table attacks

ettercap - performs various low-level Ethernet network attacks

CISCO Discovery Protocol Tools

cdpd - transmit and receive CDP announcements; provides forgery capabilities

ICMP Layer Tests and Attacks

icmp-reset

icmp-quench

icmp-mtu

ish - ICMP shell (like SSH, but uses ICMP)

isnprober

IP Layer Tests

iperf - IP multicast test

fragtest - IP fragment reassembly test

UDP Layer Tests

udpcast - includes UDP-receiver and UDP-sender

TCP Layer

lft http://pwhois.org/lft - TCP tracing

etrace http://www.bindshell.net/tools/etrace

firewalk http://www.packetfactory.net