Sunday, 5 April 2009

Forensic Recovery and the Blackberry

It is possible to acquire an image of a bit-by-bit backup using the Blackberry Software Development Kit (SDK). The SDK is available from RIM at http://www.blackberry.com.

The SDK utility dumps the contents of the Flash RAM into a file. Once the Flash RAM is dumped, it can be examined and reviewed using traditional methods with your favourite hex editor or other tool. At this point it is basically a raw image file. This is a memory image of course, so you cannot carve files in the same manner as from an NTFS partition, but the work is similar to memory forensics. Strings can be extracted, and the image will hold binary files and a number of databases.
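As an added illustration (not part of the original post), a first pass over such a dump in Python: it hashes the image before analysis, lists printable strings and flags embedded file headers by signature, with a header sanity check so the two-byte BMP magic does not fire on every "BM" that occurs in ordinary text. The image bytes and the signature table are constructed for the example, not a real device dump.

```python
import hashlib
import re

# Headers one expects to meet inside a handheld image (constructed list).
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"PK\x03\x04": "ZIP/JAR",
    b"BM": "BMP",
}

# Constructed stand-in for a raw flash dump: padding, two text records, a JPEG
# header, a stray "BM" inside ordinary text, and a plausible BMP file header.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"Contact: Alice Example <alice@example.invalid>\x00"
    + b"Memo: IBM laptop\x00"
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x7f" * 8
    + b"BM" + (54).to_bytes(4, "little") + b"\x00" * 4 + (54).to_bytes(4, "little")
    + b"\x00" * 40
    + b"EventLog: guid=0x1234 radio on\x00"
)


def image_hash(data):
    """SHA-256 of the whole dump, taken before any analysis so the working copy can be verified."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data, min_len=6):
    """Printable ASCII runs, the same thing the 'strings' tool would list."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def _plausible_bmp(data, pos):
    """'BM' occurs constantly in raw memory, so require a sane BITMAPFILEHEADER."""
    if pos + 14 > len(data):
        return False
    size = int.from_bytes(data[pos + 2:pos + 6], "little")
    pixel_offset = int.from_bytes(data[pos + 10:pos + 14], "little")
    return 14 <= pixel_offset <= size <= len(data) - pos


def find_signatures(data):
    """(offset, type) for every header that survives its sanity check, in image order."""
    hits = []
    for magic, name in SIGNATURES.items():
        start = 0
        while (pos := data.find(magic, start)) != -1:
            if name != "BMP" or _plausible_bmp(data, pos):
                hits.append((pos, name))
            start = pos + 1
    return sorted(hits)
```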

As for commercial tools, I do not think that there is a great deal to choose from. A few do exist, but I generally have been sticking to the SDKs as the commercial tools are not as mature as they could be.

In addition to reviewing the evidence with traditional methods, you can use the Simulator from the SDK to match the network and model of the investigated unit. The simulator crashes on a number of non-standard calls, as RIM have not anticipated things that were never designed for the Blackberry in the first place. It does act as a Blackberry for the most part, and you can work on copies of the image files so that you do not alter the evidence.

The SDKs are a good start if you have some programming skills, for example:

  • http://www.blackberry.com/developers/downloads/jde/index.shtml
I used to have a link to the Blackberry C++ Software Development Kit, but it seems to have been changed, moved or deleted. I have a copy of the C++ SDK, but the link has moved. The Java SDK is active and this is what I have been using.

  • There is a Yahoo developer group with a few people working in this area - http://tech.groups.yahoo.com/group/BB386dev/

This group has no commercial quality code, but there is source that you can use to do the following:
  • View the contents of any file in the user flash area
  • Dump Flash memory
The group is primarily focused on the older versions.

There are some tools in the SDK that you can use to dump flash. Also, the Yahoo site used to host a tool called "programmer.exe" that would dump the complete flash (bitwise) from a BB and save it as a raw image. I have not checked the link location for a while and have a copy anyway. The SDK has replaced the "programmer.exe" file with the javaloader application (javaloader.exe). I do not know which versions support which phone off the top of my head and would have to look up the SDK documentation. The newer Blackberries certainly use the Java version.

There are several places where you can hide information in a Blackberry. It is possible to create hidden databases and hide information in partition gaps. Data can also be hidden in the gap between the OS/application and file partitions.

Alternatively, numerous tools and methods to attack a Blackberry are available. Firstly, there is a toolset called the Blackberry Attack Toolkit, which along with the BBProxy software can be used to load exploitable Web site vulnerabilities and hence attack the BlackBerry using a number of JavaScript and Java code issues. The next attack vector involves downloading (generally malicious) software to the Blackberry. One such method is hijacking (or "blackjacking"). As the name implies, this allows someone to hijack a legitimate user's Blackberry and replace it on the network with a potentially harmful device.

The Presentation and toolkit for blackjacking are available at:
  • http://www.praetoriang.net/presentations/blackjack.html
They have also developed Metasploit patches for those who cannot run code manually.

BBScreenShooter and BBScreenStream use "javaloader.exe" from RIM to function. They can provide screen shots and screen captures.

Have a look at (http://na.blackberry.com/eng/developers/started/) for more information.

On top of this, there are a number of other tools that are of use. One such program is "JL_Cmder", which is short for "JavaLoader Commander". The JavaLoader commander is the Blackberry command line tool (from RIM and not a random internet source). The "JL_Cmder" programme simplifies the process of accessing most of the common JavaLoader.exe commands. It can also be scripted and used in Java .cab files and even in Javascript from a website.

“JL_Cmder” will allow you to issue the following commands:
  1. deviceinfo - Displays information about the handheld.
  2. eventlog - Retrieves and displays the handheld event log.
  3. screenshot - Takes a picture of the handheld screen. (OS 4.0.2+ required)
  4. wipe - Erases the handheld OS. Not really, but that is the simplest way to explain it.
  5. resettofactory - Removes the IT Policy from the device. (OS 4.3+ required).
JL_Cmder can be used to automatically export data from the device into a text file for easier reading/imaging. It also has a screenshot function.

The man file follows:
Usage: JavaLoader [-u] [-p<port>|<pin>] [-b<baud>] [-d0|-d1] [-w<password>] [-q] <command>

  • -u Connect to USB handheld (default is serial)
  • -p<port> Specifies the serial port (serial handhelds only)
  • -p<pin> Specifies the handheld PIN (USB handhelds only)
  • -b<baud> Specifies the baud rate (serial handhelds only)
  • -d0 Disables VM debug mode
  • -d1 Enables VM debug mode
  • -w<password> Connects using the specified password
  • -q Quiet mode
dir [-d] [-s]
  • Lists modules on the handheld
  • -d Display dependency information
  • -s Display siblings
deviceinfo
  • Provides information from the handheld
load <.cod file> ...
  • Loads modules onto the handheld
save <module> ...
  • Retrieves modules from the handheld
info [-d] <.cod file> ...
  • Provides information on the specified modules
  • -d Display dependency information
wipe [-a|-f]
  • Wipes the handheld
  • -a Wipe applications only
  • -f Wipe filesystem only
erase [-f] <module> ...
  • Erases modules on the handheld
  • -f Force erase of in-use modules
debugmode
  • Enables VM debug mode
eventlog
  • Retrieves the handheld event log
settime
  • Sets the time on the handheld to the current time
radio on|off
  • Turns the handheld's radio on or off
enum
  • Enumerates all USB handhelds
siblinginfo <.cod file> ...
  • Provides sibling information on the specified modules
screenshot <.bmp file>
  • Retrieves the current screen contents and saves it as a BMP file
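An added example (not JL_Cmder's or RIM's code) of scripting javaloader from Python in the way JL_Cmder does: each read-only command from the usage text above is run with the -u, -p<pin> and -w<password> options, its output is saved to its own text file, and a SHA-256 manifest is written so the export can be verified later. The executable path, PIN and password are placeholders, and the process runner is injectable so the flow can be exercised without a handheld attached.

```python
import hashlib
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Read-only commands from the usage text; nothing here loads, erases or wipes.
EXPORT_COMMANDS = ("deviceinfo", "eventlog", "dir -d")


def build_argv(command, exe="javaloader.exe", pin=None, password=None):
    """One javaloader call: -u for USB, -p<pin> picks the handheld, -w<password> unlocks it."""
    argv = [exe, "-u"]
    if pin:
        argv.append(f"-p{pin}")
    if password:
        argv.append(f"-w{password}")
    return argv + command.split()


def run_export(outdir, pin=None, password=None, run=subprocess.run):
    """Save each command's output as its own text file and return {filename: sha256}.

    `run` defaults to subprocess.run; pass a stand-in to exercise the flow without a device.
    """
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    manifest = {}
    for cmd in EXPORT_COMMANDS:
        result = run(build_argv(cmd, pin=pin, password=password),
                     capture_output=True, check=False)
        target = outdir / f"{cmd.split()[0]}_{stamp}.txt"
        target.write_bytes(result.stdout)
        manifest[target.name] = hashlib.sha256(result.stdout).hexdigest()
    # Hash list in sha256sum format, so the export can be re-verified later.
    (outdir / f"manifest_{stamp}.txt").write_text(
        "".join(f"{digest}  {name}\n" for name, digest in manifest.items()))
    return manifest


if __name__ == "__main__":
    # Placeholders: substitute the examined handheld's PIN and password.
    print(run_export("bb_export", pin="PLACEHOLDER_PIN", password="PLACEHOLDER_PW"))
```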

1 comment:

Coder said...

Hello Craig, a nice article regarding BB forensics... I'm also working on the same.... that is, to retrieve contacts, mail, messages, multimedia files. Can you help me in this regard?

Would be kind of you...
Waiting for your reply....