CHFI v3 Module 33 Blackberry Forensics


Computer Hacking Forensic Investigation
Module XXXIII
Blackberry Forensics
Module Objective
This module will familiarize you with the following:
Features of BlackBerry
BlackBerry as an operating system
How BlackBerry works
BlackBerry Security
Collecting evidence from Blackberry
Review of evidence
BlackBerry Attacks
Protecting Stored data
Data Hiding in BlackBerry
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited
EC-Council
Module Flow
Introduction
Features of BlackBerry
BlackBerry as Operating System
How BlackBerry works
BlackBerry Security
Evidence Collection
Evidence Review
BlackBerry Attacks
Protecting Stored data
Data Hiding in BlackBerry
Blackberry: Introduction
Personal wireless handheld device that supports email, mobile phone capabilities, text messaging, web browsing, and other wireless information services
Wireless email solution for mobile professionals
Commonly used for business purposes
BlackBerry Functions
Blackberries can be used:
- To compose, send and receive messages
- As a Phone
- To access Wireless Internet
- As Tethered Modem
- As an Organizer
- For sending SMS
- For Instant Messaging
- For Corporate Data Access
- As Paging service
BlackBerry as Operating System
BlackBerry OS 4.0 is the new version of BlackBerry
Features of BlackBerry OS 4.0:
- Over-the-Air activation
- Ability to synchronize contacts and appointments with MS Outlook
- New Password Keeper program to store sensitive information
- Ability to change wallpaper and standby image
How BlackBerry (RIM) Works
The user is provided with a wireless handheld device
The device has an integrated wireless modem, which allows communication over the BellSouth Intelligent Wireless Network
The device is equipped with RIM's software implementation of proprietary wireless-oriented protocols
The mobile device is supported by the proprietary, RIM-operated BlackBerry Message Center
The Message Center sends the message to its destination using standard Internet email protocols
RIM has a BlackBerry Enterprise Server for integration with corporate email systems
How BlackBerry Works (cont'd)
[Diagram: components shown are the BlackBerry device (RIM PDA, proprietary) with its RIM modem, RIM's wireless protocol, the BlackBerry Message Center, a Desktop Redirector with Microsoft Outlook and mailbox synchronization via the Internet, Microsoft Exchange with the BlackBerry Enterprise Server (corporate message center, corporate Internet), a third-party message center with a mailbox interface (ISP message center, SMTP/POP), and the generic Internet]
Source: http://www.freeprotocols.org/LEAP/Manifesto/article/OperationWhiteberry/split/node7.html
BlackBerry Serial Protocol
It is used to back up, restore, and synchronize data between the BlackBerry handheld unit and the desktop software
BlackBerry Serial protocol comprises simple packets and single byte return codes
BlackBerry Security
Using a strong encryption scheme, BlackBerry safeguards:
- Integrity
- Confidentiality, and
- Authenticity of data
It keeps data encrypted while in transit between the BlackBerry Enterprise Server and BlackBerry devices
BlackBerry Wireless Security
Transport encryption options
- Choose either Triple DES (Data Encryption Standard) or AES (Advanced Encryption Standard) to encrypt messages and data
Content protection
- Enforce local encryption of all data (messages, address book entries, calendar entries, memos, and tasks) via IT policy
Password Keeper
- Password Keeper securely stores password entries on the device (e.g. banking passwords, PINs, etc.) using AES encryption technology
Wireless encryption key regeneration
- Users regenerate encryption keys directly from their device
BlackBerry Security for Wireless Data
Source: http://www.blackberry.com/products/enterprisesolution/security/data.shtml
Security for Stored Data
To secure information stored on BlackBerry devices, you can make password authentication mandatory through the customizable IT policies of the BlackBerry Enterprise Server
The BlackBerry Enterprise Server does not store any email data
To increase protection from unauthorized parties, there is no staging area between the server and the BlackBerry device where data is decrypted
Forensics
RIM's push technology adds a new dimension to forensics investigation of a PDA
Traditional PDAs need to be synchronized with a host computer
BlackBerrys are synchronized wirelessly by pushing data into the device
As the BlackBerry is switched on, the items that are waiting will be pushed to the device from the server immediately
Acquisition
Leave the RIM in an 'off' state when:
- power is removed for an extended period of time or the unit is placed in data storage mode
- the unit is turned back 'on' from an 'off' or true powered-down state
Turn off the radio if the RIM is in the 'on' state
- Take the RIM to a secured location to turn it on, and immediately shut down the radio before examination
Get the password if the RIM is password protected
- The password's SHA-1 hash is stored on the RIM
- If the password is not available, a direct-to-hardware solution is taken
Collecting Evidence from Blackberry
Evidence is collected by:
- Gathering Logs
  - It violates the forensic method by requiring the investigator to record logs kept on the unit that will be wiped after an image is taken
- Imaging and Profiling
  - An image is taken from the file system as long as the logs are not required
Collecting Evidence from Blackberry:
Gathering Logs
Logs are reviewed by Unit control functions:
- Mobitex2 Radio Status
  - It provides information on Radio Status, Roam & Radio, Transmit or Receive, and Profile String
- Device Status
  - It provides information on memory allocation, port status, file system allocation, and CPU WatchPuppy
- Battery Status
  - It provides information on battery type, load, status, and temperature
Collecting Evidence from Blackberry:
Gathering Logs (cont'd)
- Free Mem
  - It provides information on memory allocation, Common port, File system, Watchpuppy, OTA status, Halt, and Reset
Collecting Evidence from Blackberry:
Imaging and Profiling
It is a method of extracting the logs from a developed image
Acquire an image or a bit-by-bit backup using the SDK utility that dumps the contents of the Flash RAM into a file, which is then examined with a hex editor
The Program Loader is used to take the image for inspection
Review of Evidence
Information is reviewed by:
- Hex editor
  - Information is available regarding the bitwise file storage method used by the RIM OS
- Simulator
  - Set the simulator to match the network and model of the investigated unit
Simulator - Screenshot
Blackberry Attacks
The "BlackBerry Attack Toolkit" along with the "BBProxy" software exploit the vulnerability of any company's website
- "Attack vector" links trick the users into downloading the malicious software
- "Blackjacks" or "Hijacks" legal users' BlackBerry devices and replaces them on the network with harmful devices
Protecting Stored Data
Clean the BlackBerry device memory
Protect stored messages on the messaging server
Encrypt application password and storage on the BlackBerry device
Protect storage of user data on a locked Blackberry device
Limit the Password authentication to ten attempts
Use AES (Advanced Encryption Standard) technology to secure the storage of password keeper and password entries on the BlackBerry device (e.g. banking passwords and PINs)
Data Hiding in BlackBerry
Data can be hidden on a RIM device in different ways such as:
- Hidden databases
- Partition gaps
- Obfuscated data
Data can be hidden in the gap between the OS/Application and Files partitions
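An added examiner-side check, not from the module or from RIM: a Python scan of the partition gap in a constructed flash image that reports every run of non-erased bytes with its offset, length and entropy, so hidden text and hidden encrypted blobs both stand out. The partition offsets, the 0xFF erased-flash fill pattern and the sample image are all assumptions made for the example.

```python
import math
from collections import Counter

# Constructed partition map, an assumption for this example (not RIM's real
# flash layout): OS/Application ends at END_OS, Files starts at START_FILES.
END_OS = 0x1000
START_FILES = 0x1400
ERASED = 0xFF   # erased flash reads back as 0xFF (assumption)
MIN_RUN = 16    # stray bytes shorter than this are not reported

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~7-8 suggests compressed/encrypted data, ~4 plain text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def find_runs(gap: bytes, base: int):
    """(absolute_offset, length, entropy) for each run of non-erased bytes
    in the gap that is at least MIN_RUN bytes long."""
    runs, i = [], 0
    while i < len(gap):
        if gap[i] == ERASED:
            i += 1
            continue
        j = i
        while j < len(gap) and gap[j] != ERASED:
            j += 1
        if j - i >= MIN_RUN:
            runs.append((base + i, j - i, round(shannon_entropy(gap[i:j]), 2)))
        i = j
    return runs

def scan_gap(image: bytes):
    """Inspect only the region between the two partitions."""
    return find_runs(image[END_OS:START_FILES], END_OS)

def build_sample_image() -> bytes:
    """Constructed image: erased gap holding a hidden ASCII note, a
    high-entropy blob, and a 4-byte fragment too short to report."""
    img = bytearray(b"\x00" * END_OS)                  # stand-in OS partition
    gap = bytearray(bytes([ERASED]) * (START_FILES - END_OS))
    note = b"hidden note: meet at 0900, delete this"
    gap[0x40:0x40 + len(note)] = note
    blob = bytes((i * 73 + 19) % 251 + 1 for i in range(128))  # 128 distinct values, none 0xFF
    gap[0x200:0x200 + len(blob)] = blob
    gap[0x300:0x304] = b"abcd"
    return bytes(img + gap + b"\x00" * 0x400)          # stand-in Files partition

if __name__ == "__main__":
    for off, length, ent in scan_gap(build_sample_image()):
        print(f"0x{off:06x} len={length:4d} entropy={ent:.2f}")
```

Against a real dump, replace the sample image with the file produced by the SDK utility and set the two offsets from the unit's partition table; the reported offsets are what you then jump to in the hex editor.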
BlackBerry Signing Authority Tool
It helps the developers by protecting the data and intellectual property
It enables the developers to handle access to their sensitive APIs (Application Program Interfaces) and data by using public and private signature keys
It uses asymmetric private/public key cryptography to validate the authenticity of signature requests
It allows external developers to request, receive, and verify the signatures for accessing specified API and data in a secure environment
Source: http://www.blackberry.com/developers/downloads/signingauthority/
Summary
Blackberry is a personal wireless handheld device that supports email, mobile phone capabilities, text messaging, web browsing, and other wireless information services
BlackBerry safeguards Integrity, Confidentiality, and Authenticity of data using a strong encryption scheme
BlackBerry Serial Protocol is used to back up, restore, and synchronize data between the BlackBerry handheld unit and the desktop software
RIM's push technology adds a new dimension to forensics investigation of a PDA
To secure information stored on BlackBerry devices, you can make password authentication mandatory through the customizable IT policies of the BlackBerry Enterprise Server