blackberry forensics: blackberry curve 8520 ( talal al ismail, ali al kaf, rashed al meherbi)


Upload: miozzoni-concepts

Post on 28-Jul-2015


DESCRIPTION

This presentation outlines the results obtained from different forensic tools such as PhoneMiner, MagicBerry and Elcomsoft Backup Explorer. These results show what kind of live data can be extracted from a logical copy of a Blackberry.

TRANSCRIPT

Page 1: Blackberry Forensics: Blackberry Curve 8520 ( Talal Al Ismail, Ali Al Kaf, Rashed Al Meherbi)

Forensics

Student IDs: M80001180, M80001181, M80001182

Rashid Al Mehrbi, Talal Al Ismail, Ali Al Kaf

Page 2: Outline

• Problem Statement
• Introduction
• Why BlackBerry?
• Related Work
• Methodology
• Results & Discussion
• Future Work
• Conclusion

Page 3:

The purpose of this presentation is to examine a Blackberry Curve 8520.

Page 4: Introduction

The Blackberry, as a device in its various guises, is seen as the modern executive’s talisman of technology; it has been designed by the Canadian company Research In Motion (RIM) since 1999.

BlackBerry phones function as a personal digital assistant and portable media player. They are primarily known for their ability to send and receive (push) Internet e-mail wherever mobile network coverage is present, or through Wi-Fi connectivity. They support a large array of instant messaging features, including BlackBerry Messenger (Valli & Jones, 2008).

The Blackberry device family has evolved from a simple digital diary into a fully portable electronic office suite.

BlackBerry commands an 11.7% share of worldwide smartphone sales, making it the fourth most popular device manufacturer after Google, Nokia, and Apple (Valli & Jones, 2008).

There is evidence to suggest that a Blackberry is a very secure device; however, the Blackberry has the same basic fundamental flaw as any other device: it has a human operator.

Page 5: Why BlackBerry?

BlackBerry has gained a reputation in the mobile space during the past decade or so as the "most secure" handheld device and mobile platform available.

The BB is used as a telephony, email, contact management and calendaring device by persons or institutions that want a “secure” means of interacting with stakeholders.

Blackberrys are typically used by corporate and government enterprises due to their security features and excellent corporate software. Of the 12 million subscribers to RIM services worldwide, over 8 million are corporate users (Valli & Jones, 2008).

This profile makes the Blackberry a target device for industrial spying, espionage or good old-fashioned blackmail.

The Blackberry has a couple of transport encryption options: the Triple Data Encryption Standard (Triple DES) and the Advanced Encryption Standard (AES). The Blackberry has another feature, referred to as the Password Keeper, which offers the capability of securely storing password entries on the device, such as banking passwords, PINs, and so on. This important information is protected by AES encryption (Wiles, J., Cardwell, K., & Reyes, A., 2010).

Page 6: Why BlackBerry? (Cont.)

Worldwide, the loss of phones, either by theft or simple loss, runs into the millions per annum, and a percentage of these must be Blackberrys.

Page 7:

A Blackberry can be used in the following ways:

• As an address book, calendar, and to-do list
• To compose, send, and receive messages
• As a phone
• To access the Internet
• As a tethered modem, allowing notebook computers to access the Internet anywhere
• As an organizer
• For sending SMS messages
• For instant messaging
• For corporate data access
• As a paging service

(EC-Council, 2010)

Page 8: Related Work

The field of small-scale digital device forensics is still emerging, with a good portion of research ongoing every year.

Only a few studies have been published on Blackberry forensics.

Some of this research covers topics such as:

• Methodologies and tools available to perform a forensic examination of a RIM (BlackBerry) device (Burnette, 2002)
• Data hiding (Burnette, 2002)
• Forensic recoverability of data from 2nd-hand Blackberry devices (Valli & Jones, 2008)

Page 9: Methodology

In this research a RIM Blackberry Curve 8520 device was forensically examined after a logical backup had been acquired from it using a RIM tool, Blackberry Desktop Manager.

The fundamental rule in any forensic acquisition is that no contamination or alteration of the original evidence/data may occur during the forensic analysis.

For that reason, the examination of the device was conducted under forensically sound conditions, without jailbreaking the file system.

This research adheres to the Computer Forensics Tool Testing (CFTT) program guidelines established by the National Institute of Standards and Technology (NIST).

Page 10: Methodology - Logical Acquisition

This research applied the logical acquisition method, in which a bit-by-bit copy of all the data (e.g., directories and files) stored within the Blackberry device file system was acquired using Blackberry Desktop Manager.

The logical backup also proves a previous synchronization between the Blackberry device and the computer it was synced with.

To make sure that the forensic acquisition is legally sound, the use of the XRY hardware-based write blocker was taken into consideration, so that the forensic workstation's address book, calendar, image files, email accounts and other data are not copied to the Blackberry flash memory.

Page 11: Methodology - Examination Process

NIST's general approach to forensic tool testing was applied to the examination methodology. The examination procedures include:

Examination Requirements:

The acquisition approach concentrates on extracting data from the Blackberry Curve 8520 internal flash memory. The examination attempts to locate data within the logical copy and to identify the types of data stored on the Blackberry.

Examination Plan and Test Cases:

The test case scenario includes a predefined data set covering all data types stored on the Blackberry device.

Acquisition and Examination Tools:

Blackberry Desktop Manager is needed to create a logical backup of the Blackberry Curve internal flash memory. For data analysis and recovery, six different tools are used: Elcomsoft Backup Explorer (Amber) 9.05, XRY 5.2, MagicBerry 3.1.0, phoneMiner 1.0.1.1, IPDdump 0.3, and BlackBerry Backup Extractor 0.72.

Page 12: Methodology - Examination Process (cont.)

Examination Environment Setup and Test Procedures:

Only one forensic workstation was used during the forensic examination. That workstation ran the Windows 7 operating system. The logical acquisition and the examination were conducted on the same workstation. All the aforementioned acquisition and analysis tools were installed and configured properly before the acquisition process started.

Results:

The aim of the forensic examination is to show what type of evidentiary data can be retrieved from the logical backup and where that data is located.

Page 13: Results and Discussion - Scenarios

A personal BlackBerry Curve 8520 device was prepared for the examination:

• The device was wiped and prepared for the examination
• A subscription to the Blackberry service from Etisalat was made (BlackBerry Basic)
• Two contacts were added to the device (Hulk Hogan, Jimi Hendrix)
• Three data files were sent to the target Blackberry over Bluetooth from another BB:
  - Music file titled “GUN.mp3”
  - Video file titled “amazing cars.mp4”
  - Image files titled “fast and furious.jpeg” & “top key.jpeg”
• Blackberry IM was used to communicate with another BB device contact
• Two specific websites were browsed (Facebook, Gmail)
• Email, MMS and SMS were sent from the target device
• A call was made from the target device

Note: There was no microSD card. After the scenario was completed, the SIM card was removed from the target device.

Page 14: Results and Discussion - Tools

Software (version): description

• Desktop Manager (2.1.3, build 10): Helps you quickly and effortlessly sync your BlackBerry smartphone with your Mac computer, so you can do more of what you love on your BlackBerry smartphone.
• BlackBerry Backup Extractor (0.72): Extracts data stored in the IPD file easily and automatically; only one click is needed to extract data through its simple and easy-to-use interface.
• MagicBerry (3.1.0): IPD reader that can read and extract SMS messages, phone call logs, address book, service book, tasks, memos and calendar, and export them.
• Elcomsoft Backup Explorer (9.05): Extracting, analyzing, printing or exporting the content of a BlackBerry backup.
• XRY (5.2): Performing a secure forensic extraction of data from a wide variety of mobile devices.
• Phoneminer (1.0.1.1): Accessing your data from your BlackBerry backup files, allowing you to retrieve previously inaccessible data.
• IPDdump (0.3 RC4): Utility that enables the user to navigate through and extract records from a Blackberry backup.
• CPUID PC Wizard (1.961): Powerful utility designed especially for detection of hardware. It is able to identify a large range of system components and supports the latest technologies and standards.
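Several of the tools in this table (MagicBerry, IPDdump, BlackBerry Backup Extractor) work by walking the records of the .ipd file that Desktop Manager writes. The following added example, written for this page and not taken from the slides or from any of those tools, is a minimal Python parser for such a file. It assumes the commonly documented unencrypted IPD layout (header string, version byte 2, big-endian database count, little-endian length-prefixed NUL-terminated database names, then records of length-prefixed typed fields); the sample backup bytes are constructed, and the field type numbers in them are placeholders rather than real IPD type codes.

```python
import struct

IPD_MAGIC = b"Inter@ctive Pager Backup/Restore File\n"  # fixed header string


def parse_ipd(data: bytes) -> dict:
    """Parse an unencrypted .ipd into {db_name: [[(field_type, bytes), ...], ...]}."""
    if not data.startswith(IPD_MAGIC):
        raise ValueError("not an IPD backup (bad header)")
    pos = len(IPD_MAGIC)
    if data[pos] != 2:
        raise ValueError(f"unsupported IPD version {data[pos]}")
    db_count = struct.unpack_from(">H", data, pos + 1)[0]  # big-endian count
    pos += 4  # version (1) + count (2) + separator (1)
    names = []
    for _ in range(db_count):  # little-endian length, then NUL-terminated name
        name_len = struct.unpack_from("<H", data, pos)[0]
        names.append(data[pos + 2:pos + 2 + name_len].rstrip(b"\0").decode("ascii"))
        pos += 2 + name_len
    dbs = {n: [] for n in names}
    while pos + 6 <= len(data):  # record header: db id (2) + record length (4)
        db_id, rec_len = struct.unpack_from("<HI", data, pos)
        pos, end = pos + 6, pos + 6 + rec_len
        if end > len(data) or db_id >= db_count:
            raise ValueError("truncated or corrupt record")
        pos += 7  # skip db version (1), record handle (2), unique id (4)
        fields = []
        while pos < end:  # each field: length (2), type (1), data
            flen, ftype = struct.unpack_from("<HB", data, pos)
            fields.append((ftype, data[pos + 3:pos + 3 + flen]))
            pos += 3 + flen
        if pos != end:
            raise ValueError("field lengths do not match record length")
        dbs[names[db_id]].append(fields)
    return dbs


def _record(db_id: int, fields) -> bytes:
    # One sample record: db version 0, handle 1, unique id 42, then the fields.
    body = b"\x00\x01\x00\x2a\x00\x00\x00"
    for ftype, fdata in fields:
        body += struct.pack("<H", len(fdata)) + bytes([ftype]) + fdata
    return struct.pack("<HI", db_id, len(body)) + body


# Constructed sample backup with two databases; the field type numbers are placeholders.
SAMPLE_IPD = (IPD_MAGIC + b"\x02\x00\x02\x00"
              + struct.pack("<H", 13) + b"Address Book\0"
              + struct.pack("<H", 13) + b"SMS Messages\0"
              + _record(0, [(0x20, b"Hulk Hogan\0")])
              + _record(1, [(0x04, b"Hello from the Curve\0")]))
```

The parser refuses a truncated or inconsistent record instead of guessing, which is the behaviour an examiner wants from a tool whose output may become evidence.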

Page 15: Results and Discussion - Evidence

[Screenshots from XRY and Elcomsoft Blackberry Backup Explorer showing the recovered BlackBerry PIN code, contacts and device unique ID (IMEI).]

Page 16: Results and Discussion - Evidence (Elcomsoft Blackberry Backup Explorer)

[Screenshots showing the recovered call logs, MMS, browser history and SMS.]

Page 17: Results and Discussion - Evidence / Data Location

[Figure: evidence and data location]

Page 18: Results and Discussion - Comparison

[Figure: comparison of the tools]

Page 19: Future Work

To validate the results, the same scenarios could be applied to other models of BlackBerry, with the analysis carried out using the same tools.

The Blackberry SD card and SIM card could be included in further analysis.

Anti-forensics assumptions could be taken into consideration:

• Phone locked with a password
• Encrypted Blackberry backup files

Page 20: Conclusion

After using six different tools, it turned out that some tools provide better results than others, but it is still not possible to say that the ultimate software exists.

A good understanding of proper seizure and preservation techniques can help minimize any effect that might alter or contaminate the original evidence.

Mobile forensics is a young field that is only now starting to surface. Many tools still need to be developed and tested for different models of Blackberry phones. In addition, working experience with this type of phone and an understanding of the way it functions can help forensic investigators become proficient in this field.

Page 21: References

Burnette, M. (2002). Forensic Examination of a RIM (BlackBerry) Wireless Device. Retrieved October 16, 2011 from www.mandarino70.it/Documents/Blackberry%20Forensics.pdf

Reyes, A., & Wiles, J. (2007). The Best Damn Cybercrime and Digital Forensics Book Period. Retrieved October 18, 2011 from http://books.google.com/books?hl=en&lr=&id=hI3dqOyboegC&oi=fnd&pg=PR2&dq=The+best+damn+cybercrime+and+digital+forensics+book+period&ots=GIlCe2VQxH&sig=VQJ18c-Ti3-SiSPFUuma3gTVuBg

Valli, C., & Jones, A. (2008). A Study into the Forensic Recoverability of Data from 2nd Hand Blackberry Devices: World-Class Security, Foiled by Humans. Retrieved October 17, 2011 from http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1848&context=ecuworks

Page 22:

THANK YOU

For Your Attention!