It is possible to acquire an image of a bit-by-bit backup using the Blackberry Software Development Kit (SDK). The SDK is available from RIM at http://www.blackberry.com.
The SDK utility dumps the contents of the Flash RAM into a file. Once the Flash RAM is dumped, it can be examined and reviewed using traditional methods with your favourite hex editor or other tool. At this point it is basically a raw image file. This is a memory image of course, so you cannot carve files in the same manner as from an NTFS partition, but it is similar to memory forensics. Strings are available and the image will hold binary files and a number of databases.
As for commercial tools, I do not think that there are a great deal to choose from. A few do exist, but I generally have been sticking to the SDKs as the commercial tools are not as mature as they could be.
In addition to reviewing the evidence with traditional methods, you can use the Simulator from the SDK, matched to the network and model of the investigated unit. The simulator crashes on a number of non-standard calls, as RIM did not anticipate code that was not designed for the Blackberry in the first place. It does act as a Blackberry for the most part, and you can work on copies of the image files so that you do not alter the evidence.
The SDKs are a good start if you have some programming skills. For example:
- There is a Yahoo developer group with a few people working in this area: http://tech.groups.yahoo.com/group/BB386dev/
This group has no commercial quality code, but there is source that you can use to do the following:
- View the contents of any file in the user flash area
- Dump Flash memory
There are some tools in the SDK that you can use to dump flash. Also the Yahoo site used to have a tool hosted called "programmer.exe" that would dump the complete flash (bit wise) from a BB and save it as a raw image. I have not checked the link location for a while and have a copy anyway. The SDK has replaced the “programmer.exe” file with the javaloader application (javaloader.exe). I do not know which versions support which phone off the top of my head and would have to look up the SDK documentation. The newer Blackberries certainly use the Java version.
There are several places where you can hide information in a Blackberry. It is possible to create hidden databases and hide information in partition gaps. Data can also be hidden in the gap between the OS/application and file partitions.
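The two points above, reviewing a raw flash dump with "traditional methods" (hashing, strings with offsets) and looking at the gaps between partitions for hidden data, can be combined into one triage script. The following is an added example and is not code from the original post or from RIM's SDK; the partition layout, the expectation that a gap is erased flash (0xFF) or zero-filled, and the sample dump bytes are all constructed assumptions for illustration.

```python
"""Triage of a raw BlackBerry flash dump (added example, not from the original post).

Assumptions (not from the page):
- the dump is a flat file such as javaloader.exe / programmer.exe would write;
- the examiner already knows the partition boundaries (constructed below);
- a partition gap is expected to hold only erased flash (0xFF) or zeros,
  so any other bytes there deserve a closer look.
"""
import hashlib
import re

# --- constructed sample dumps (not real device data) ---------------------
OS_PART = b"RIM OS image\x00" + b"\xff" * 19            # 32 bytes, "OS/application" area
GAP_CLEAN = b"\xff" * 16                                 # 16 bytes of erased flash
FILE_PART = b"\x00\x01cfg.dat\x00hello@example.org\x00" + b"\x00" * 8
SAMPLE_DUMP = OS_PART + GAP_CLEAN + FILE_PART            # nothing hidden

# Same layout, but someone wrote a note into the partition gap.
SAMPLE_DUMP_HIDDEN = OS_PART + (b"\xff" * 4 + b"SECRET-NOTE\x00") + FILE_PART

# Constructed layout: (start, end) byte offsets, end exclusive.
LAYOUT = {"os": (0, 32), "gap": (32, 48), "files": (48, 84)}

PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}")


def sha256_hex(data: bytes) -> str:
    """Hash the image so the working copy can be tied back to the acquisition."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, text) for every printable-ASCII run of at least min_len bytes,
    i.e. what `strings -t d` would show on the dump."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def gap_anomalies(data: bytes, start: int, end: int, fill=(0x00, 0xFF)):
    """Find runs of bytes inside [start, end) that are neither 0x00 nor 0xFF.
    Returns (offset, bytes) per run; an empty list means the gap looks untouched."""
    runs = []
    run_start = None
    for off in range(start, end):
        if data[off] in fill:
            if run_start is not None:
                runs.append((run_start, bytes(data[run_start:off])))
                run_start = None
        elif run_start is None:
            run_start = off
    if run_start is not None:
        runs.append((run_start, bytes(data[run_start:end])))
    return runs


def triage(data: bytes, layout=LAYOUT) -> dict:
    """One-shot report: integrity hash, strings with offsets, and gap findings."""
    gap_start, gap_end = layout["gap"]
    return {
        "sha256": sha256_hex(data),
        "strings": extract_strings(data),
        "gap_findings": gap_anomalies(data, gap_start, gap_end),
    }


if __name__ == "__main__":
    for name, dump in (("clean", SAMPLE_DUMP), ("hidden", SAMPLE_DUMP_HIDDEN)):
        report = triage(dump)
        print(f"[{name}] sha256={report['sha256']}")
        for off, text in report["strings"]:
            print(f"  string @0x{off:04x}: {text}")
        for off, blob in report["gap_findings"]:
            print(f"  non-fill bytes in partition gap @0x{off:04x}: {blob!r}")
```

On a real dump you would replace the constructed bytes with `open(path, "rb").read()` and the layout with the boundaries you established for that OS version; the hash is recorded before any analysis so that later work can be shown not to have altered the copy.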
Alternatively, numerous tools and methods to attack a Blackberry are available. Firstly, there is a toolset called the Blackberry Attack Toolkit, which along with the BBProxy software can be used to
The Presentation and toolkit for blackjacking are available at:
BBScreenShooter and BBScreenStream use “javaloader.exe” from RIM to function. They can provide screen shots and captures.
Have a look at (http://na.blackberry.com/eng/developers/started/) for more information.
“JL_Cmder” will allow you to issue the following commands:
- deviceinfo - Displays information about the handheld.
- eventlog - Retrieves and displays the handheld event log.
- screenshot - Takes a picture of the handheld screen. (OS 4.0.2+ required)
- wipe - Erases the handheld OS. Not really, but that is the simplest way to explain it.
- resettofactory - Removes the IT Policy from the device. (OS 4.3+ required).
The man file follows:
Usage: JavaLoader [-u] [-p

Options:
- -u Connect to USB handheld (default is serial)
- -p Specifies the serial port (serial handhelds only)
- -p Specifies the handheld PIN (USB handhelds only)
- -b Specifies the baud rate (serial handhelds only)
- -d0 Disables VM debug mode
- -d1 Enables VM debug mode
- -w Connects using the specified password
- -q Quiet mode

Commands (descriptions only):
- Lists modules on the handheld
  - -d Display dependency information
  - -s Display siblings
- Provides information from the handheld
- Loads modules onto the handheld
- Retrieves modules from the handheld
- Provides information on the specified modules
  - -d Display dependency information
- Wipes the handheld
  - -a Wipe applications only
  - -f Wipe filesystem only
- Erases modules on the handheld
  - -f Force erase of in-use modules
- Enables VM debug mode
- Retrieves the handheld event log
- Sets the time on the handheld to the current time
- Turns the handheld's radio on or off
- Enumerates all USB handhelds
- Provides sibling information on the specified modules
- Retrieves the current screen contents and saves it as a BMP file