By Kevin Cardwell and Craig Wright
Service provider takeaway: Learn how to conduct forensic analysis on the data hidden within the BlackBerry in this section of the chapter excerpt from Syngress Publishing's Alternate Data Storage Forensics.
The BlackBerry is also known as a RIM device. It runs RIM's software implementation of proprietary wireless-oriented protocols and is supported by the RIM BlackBerry Message Center. The BlackBerry (RIM) device shares similarities with the PDA devices discussed earlier; however, it is always on and participates in some form of wireless push technology, so it does not require desktop synchronization the way a PDA does. This unique characteristic adds a different dimension to the process of forensic examination, and in essence this portability can be the examiner's greatest ally.
Operating System of the BlackBerry
The current version of the BlackBerry OS has numerous capabilities and features, including over-the-air activation, the ability to synchronize contacts and appointments with Microsoft Outlook, a Password Keeper program for storing sensitive information, and the ability to customize the BlackBerry display.
BlackBerry Operation and Security
The BlackBerry (RIM) device has an integrated wireless modem, which allows it to communicate over the BellSouth Intelligent Wireless Network. It uses the BlackBerry Serial Protocol to back up, restore and synchronize data between the handheld unit and the desktop software; the protocol consists of simple packets and single-byte return codes. The device uses a strong encryption scheme that safeguards the confidentiality and authenticity of data, keeping it encrypted while in transit between the enterprise server and the device itself.
The BlackBerry (RIM) offers two transport encryption options: Triple DES (Data Encryption Standard) or AES (Advanced Encryption Standard). Those who want the most secure method will elect to encrypt with AES. The BlackBerry has another feature, the Password Keeper, which securely stores password entries on the device; these could consist of banking passwords, PINs and the like. This sensitive information is protected by AES encryption.
Security for Stored Data
Several capabilities are available on the BlackBerry device for securing the data stored there. The first option we will discuss is the capability to make password authentication mandatory through the customizable IT policies on the BlackBerry Enterprise Server. An additional protection against unauthorized parties is the fact that there is no staging point between the server and the BlackBerry device where data is decrypted.
Forensic Examination of a BlackBerry
Since the BlackBerry (RIM) is an always-on, push messaging device, information can be pushed to it at any time. It is important to note that pushed information has the potential to overwrite data that was previously deleted. The problem is compounded by the fact that a multitude of applications may receive information without warning, making the forensic investigator's attempts to recover information and an unaltered file system much more difficult. The first step in preserving the information is to eliminate the device's ability to receive this data push. If possible, turn the radio off; a better solution is to take the device to an area where the signal cannot be received. This can sometimes be achieved by putting the device inside a filing cabinet drawer, but your mileage will vary here.

One might think, "I'll just turn it off." This would be a serious mistake! The BlackBerry (RIM) device is not really "off" unless power is removed for an extended period or the unit is placed in storage mode; furthermore, once the unit is powered back on, any items queued for push to the device could be pushed before you could stop them. As mentioned previously, and reiterated here, it is quite possible that a change of state such as powering off the BlackBerry could result in a program being run on the unit that allows the device to accept remote commands via email.
Acquisition of Information Considerations
The considerations for the BlackBerry (RIM) device are similar in some ways to those for PDA devices, but there are some differences, so let's look at the considerations you have to make when acquiring evidence from a BlackBerry (RIM) device.
Device is in the "off" State
If the unit is off at the time of acquisition, the investigator needs to take the unit to a shielded location before attempting to switch it on. If a shielded location is not readily available, you might have success using a safe or another room that blocks the signal well enough to prevent the data push. One thing to consider is having a second unit available that you can use to walk the area and test coverage, looking for weak-coverage spots to use.
Device is in the "on" State
If the device you are examining is in the "on" state then, as outlined above, you need to take the device to a secure location and disable or turn off the radio before beginning the examination.
One thing to consider when it comes to password protection is that the password itself is not stored on the device; the only thing stored on the device is a hash of the plaintext password. This is similar to the storage used by the majority of operating systems.
To collect evidence from the BlackBerry we have to depart from traditional forensic methods: the investigator must record logs kept on the unit that will be wiped after an image is taken. There are several log files we want to collect evidence from. Radio Status lets us enumerate the state of the device's radio functions. Roam and Radio has a buffer of usually up to 16 entries, records information about the tower, channel and so on, and will not survive a reset. Transmit/Receive records gateway information and the type and size of data transmitted. Profile String contains the negotiation with the last-used radio tower. Once the log information is extracted and enumerated, the image is taken. If you do not need the log information, the image can be acquired immediately.
Unit Control Functions
The logs are reviewed using the unit control functions; we will discuss several. The first is Mobitex Radio Status, which provides information on Radio Status, Roam and Radio, Transmit/Receive and Profile String. The second is Device Status, which provides information on memory allocation, port status, file system allocation and the CPU WatchPuppy. The third is Battery Status, which, as the name implies, provides information on battery type, load, status and temperature. The last control function we will discuss is Free Mem, which provides information on memory allocation, Common Port File System, WatchPuppy, OTA status, Halt and Reset.
Imaging and Profiling
When conducting a forensic examination of a BlackBerry (RIM) device we need to perform imaging and profiling. This is accomplished by acquiring a bit-by-bit backup image using the BlackBerry (RIM) software development kit (SDK) and extracting the logs from the developed image. The SDK is available from www.blackberry.com and is essential for the forensic examiner investigating a BlackBerry (RIM) device. The SDK utility dumps the contents of the Flash RAM into a file; once dumped, the Flash RAM contents can be examined and reviewed using traditional methods with your favorite hex editor or other tool. In addition to reviewing the evidence with traditional methods, you can use the Simulator from the SDK, matched to the network and model of the investigated unit.
Attacking The BlackBerry
We have several tools and methods available that allow us to attack the BlackBerry. The first is the BlackBerry Attack Toolkit, which, along with the BBProxy software, can be used to exploit website vulnerabilities. The second is the Attack Vector, which uses links to trick users into downloading malicious software to the BlackBerry. The last method we will discuss is hijacking, sometimes referred to as blackjacking. As the name implies, this allows someone to hijack a legitimate user's BlackBerry (RIM) and replace it on the network with a potentially harmful device.
Securing the BlackBerry (RIM)
We have several things we can do to secure the information on the BlackBerry (RIM) device. The first is to clean the BlackBerry (RIM) device memory, and we can protect stored messages on the messaging server. You can encrypt the application password as well as its storage on the BlackBerry (RIM) device; furthermore, you can protect the storage of user data on a locked BlackBerry device by limiting password authentication attempts. It is possible to set a maximum of 10 attempts to gain access to the device. Additionally, you can use AES to secure the storage of the Password Keeper and its password entries on the BlackBerry device.
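The two protections described above for a locked device, a stored password hash rather than the password itself and a cap on authentication attempts, fit together as follows. This is an added illustration, not the book's text or RIM's firmware: the PBKDF2-SHA256 construction, the wipe-on-lockout policy, the `LockedDevice` class and its sample Password Keeper entries are all assumptions chosen to show the mechanism.

```python
"""Added example (not from the book or RIM's firmware): a minimal model of a
locked handheld that stores only a salted hash of the password, never the
password itself, and limits failed unlock attempts before wiping user data.
The PBKDF2-SHA256 construction and the wipe-on-lockout policy are assumptions
chosen for illustration."""
import hashlib
import hmac
import os

MAX_ATTEMPTS = 10  # the "maximum of 10 attempts" discussed above


class LockedDevice:
    """Holds a salt, a password hash and an attempt counter; no plaintext."""

    def __init__(self, password: str, max_attempts: int = MAX_ATTEMPTS):
        self.salt = os.urandom(16)
        self.digest = self._derive(password, self.salt)
        self.max_attempts = max_attempts
        self.failed_attempts = 0
        self.wiped = False
        # Constructed sample of protected content (stands in for Password Keeper entries).
        self.user_data = {"password_keeper": ["bank PIN", "VPN passphrase"]}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # Iterated, salted hash: an attacker with a memory dump still has to
        # push every guess through 20,000 rounds, and cannot reuse a table.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)

    def stored_record(self) -> dict:
        """What an examiner would find in the dump: salt and hash only."""
        return {"salt": self.salt.hex(), "hash": self.digest.hex()}

    def unlock(self, candidate: str) -> bool:
        """Compare in constant time; count failures; wipe at the limit."""
        if self.wiped:
            return False
        if hmac.compare_digest(self._derive(candidate, self.salt), self.digest):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.max_attempts:
            self.wipe()
        return False

    def wipe(self) -> None:
        """Destroy user data and refuse further unlock attempts."""
        self.user_data.clear()
        self.digest = b""
        self.wiped = True


if __name__ == "__main__":
    device = LockedDevice("correct horse battery")
    print("on-device record:", device.stored_record())
    for guess in ["password", "correct horse battery"]:
        print(f"unlock({guess!r}) ->", device.unlock(guess))
```

The examiner's consequence is the one the chapter draws: a dump yields a salt and a digest, not a password, and every wrong guess typed at a seized device counts toward the wipe, so guessing at the lock screen is not an acquisition strategy.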
Information Hiding in the BlackBerry (RIM)
When it comes to hiding information in the BlackBerry (RIM) device there are several places to use. You can create hidden databases, or you can hide information in partition gaps: data can be hidden in the gap between the Operating System/Application partition and the file partition.
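The Flash RAM dump described under Imaging and Profiling is where the partition-gap hiding place just mentioned can be checked. The following is an added example, not the book's or RIM's code: it takes a raw image and a partition table, computes the byte ranges no partition claims, and reports any runs there that are not erased-flash fill, with a `strings`-style extraction of each. The partition layout, the erased-fill values and the sample image are constructed for illustration and are not BlackBerry's real layout; on a real dump you would supply the real partition table.

```python
"""Added example, not from the book: scanning a raw flash dump (as produced
by the SDK dump described above) for data hidden in the gap between the
OS/Application partition and the file partition. The partition table and the
image below are constructed for illustration and are not BlackBerry's real
layout; apply the same scan to a real dump with its real partition table."""
import hashlib

# Constructed layout: (name, start, end) byte offsets. Offsets 4096-5120 and
# everything past 13312 belong to no partition.
PARTITIONS = [("os_app", 0, 4096), ("filesys", 5120, 13312)]
IMAGE_LEN = 13312 + 512
ERASED = {0x00, 0xFF}  # fill values of unused/erased flash (assumption)


def partition_gaps(image_len, partitions):
    """Yield (start, end) ranges of the image covered by no partition."""
    cursor = 0
    for _, start, end in sorted(partitions, key=lambda p: p[1]):
        if start > cursor:
            yield (cursor, start)
        cursor = max(cursor, end)
    if cursor < image_len:
        yield (cursor, image_len)


def nonblank_runs(data, base, min_len=8):
    """Yield (absolute_offset, bytes) for runs of non-erased bytes."""
    start = None
    for i, b in enumerate(data):
        if b not in ERASED:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                yield (base + start, data[start:i])
            start = None
    if start is not None and len(data) - start >= min_len:
        yield (base + start, data[start:])


def printable_strings(blob, min_len=6):
    """ASCII strings in a blob, as the classic `strings` tool would report."""
    found, current = [], bytearray()
    for b in blob:
        if 32 <= b < 127:
            current.append(b)
            continue
        if len(current) >= min_len:
            found.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_len:
        found.append(current.decode("ascii"))
    return found


def carve_gaps(image, partitions):
    """Report every non-erased run found outside the declared partitions."""
    findings = []
    for gap_start, gap_end in partition_gaps(len(image), partitions):
        for offset, run in nonblank_runs(image[gap_start:gap_end], gap_start):
            findings.append({"offset": offset, "length": len(run),
                             "strings": printable_strings(run)})
    return findings


def build_sample_image():
    """Constructed dump: two partitions plus hidden data in both gaps."""
    img = bytearray(b"\xff" * IMAGE_LEN)              # erased flash reads 0xFF
    img[0:4096] = (b"OSAPP" * 820)[:4096]             # OS/Application partition
    img[5120:13312] = b"\x00" * 8192                  # file partition, zero-filled
    img[5120:5140] = b"record:contacts.dat\x00"       # a legitimate record
    hidden = b"hidden note: meet at pier 9"
    img[4296:4296 + len(hidden)] = hidden             # gap between partitions
    stash = b"second stash"
    img[13412:13412 + len(stash)] = stash             # trailing gap after filesys
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print("image sha256:", hashlib.sha256(image).hexdigest())  # record before analysis
    for f in carve_gaps(image, PARTITIONS):
        print(f"0x{f['offset']:06x} len={f['length']:4d} {f['strings']}")
```

Hash the dump before running any analysis so the value can be recorded with the evidence; the scan itself only reads the image. Anything reported is a lead, not a conclusion: a hex editor view of the reported offset is the next step, since a hidden database or a compressed blob will carry no readable strings.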
BlackBerry (RIM) Signing Authority Tool
This tool helps developers protect their data and intellectual property by controlling access to their sensitive Application Programming Interfaces (APIs). It provides this protection using public and private signature keys: asymmetric cryptography is used to validate the authenticity of a request, and the signing tool allows developers to exchange API information in a secure manner and environment.
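The shape of that flow, as an added example rather than RIM's Signing Authority Tool: an authority holding a private key signs a developer's request to use a protected API, and the device checks the signature against the authority's public key before the call is allowed. The key generation is textbook RSA over a SHA-256 digest with no padding, kept minimal so the asymmetric check is visible; a real system would use a vetted library scheme such as RSA-PSS or Ed25519. The request encoding, the `SigningAuthority` class, the registered-application rule and the API name are assumptions.

```python
"""Added example, not RIM's Signing Authority Tool: a signing authority signs
a developer's request for a protected API with its private key; the device
verifies with the public key before allowing the call. Textbook RSA over a
SHA-256 digest, no padding, for illustration only; the request format and
API names are assumptions."""
import hashlib
import secrets

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test after quick trial division."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=1024):
    """Return ((n, e), (n, d)); 1024 bits keeps the example fast, not strong."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:      # e is prime, so this guarantees gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message):
    n, d = private_key
    return pow(_digest_int(message), d, n)


def verify(public_key, message, signature):
    n, e = public_key
    return 0 < signature < n and pow(signature, e, n) == _digest_int(message)


def build_request(app_name, api_name):
    """Assumed request encoding: which application wants which protected API."""
    return f"app={app_name};api={api_name}".encode("ascii")


class SigningAuthority:
    """Keeps the private key; signs requests only for registered applications."""

    def __init__(self, registered_apps):
        self.public_key, self._private_key = generate_keypair()
        self.registered_apps = set(registered_apps)

    def sign_request(self, request: bytes):
        fields = dict(f.split("=", 1) for f in request.decode("ascii").split(";"))
        if fields.get("app") not in self.registered_apps:
            return None  # unknown developer: refuse to sign
        return sign(self._private_key, request)


def device_allows(authority_public_key, request, signature):
    """Device-side gate: the API call proceeds only with a valid signature."""
    return signature is not None and verify(authority_public_key, request, signature)


if __name__ == "__main__":
    authority = SigningAuthority(registered_apps={"FieldApp"})
    req = build_request("FieldApp", "crypto")
    sig = authority.sign_request(req)
    print("granted:", device_allows(authority.public_key, req, sig))
    tampered = req.replace(b"FieldApp", b"EvilApp")
    print("tampered request:", device_allows(authority.public_key, tampered, sig))
```

The property the passage relies on is that only the holder of the private key can produce a signature the device accepts, so the device needs nothing secret of its own, just the authority's public key; an application that changes a single byte of the signed request, or presents a signature issued by some other authority, is refused.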
About the book
Alternate Data Storage Forensics explores forensic investigative analysis methods for dealing with alternate storage options. The book presents cutting-edge investigative methods from cyber-sleuth professionals. Purchase the book from Syngress Publishing.
Reprinted with permission from Syngress Publishing from Alternate Data Storage Forensics by Amber Schroader and Tyler Cohen (Syngress, 2007)