Comments on: Black Berry Forensic Exams-How-To

By: Forensics:Blackberry Links « Data – Where is it?

Forensics:Blackberry Links « Data – Where is it? — Mon, 24 Aug 2009 21:16:05 +0000

[...] How to image a blackberry (2007) [...]

By: Cognitive

Cognitive — Tue, 27 Jan 2009 02:13:10 +0000

I just got a 8707g to analyze and we had purchased Encase for a computer forensic job earlier this year. When the customer asked to look at the Blackberry we got Neutrino since we got a discount for buying Encase. Mistake!!! Only after I got the phone and learned the model number did I find out through the Guidance Software forums that Neutrino will only look at the logical data and not the physical. The SIM card was removed so there was only the 64MB of RAM, which Neutrino can’t read. I did make a backup of the phone using the desktop software, even prior to reading this article. But, I feel as if I’m at a dead end now. Is there a way to access the data and what I guess would be unallocated space on the 64MB of RAM? The 8707g doesn’t have any SD card slots so there are no external memory options.

I downloaded the demo version of Paraben’s Device Seizure because they claim it will grab the physical memory, which is what I need. But, I didn’t find anything useful and maybe they limited it so I can’t see anything.

By: numenorian

numenorian — Wed, 07 Jan 2009 13:56:41 +0000

The short answer is no. This is a logical dump of the Blackberry database file. You will have to find a way to get at the internal memory at a lower level to look for the hexidecimal headers (such as FFh D8h for a jpeg).

By: dyo

dyo — Tue, 06 Jan 2009 19:12:01 +0000

Can you recover deleted pictures from a blackberry curve’s internal memory using this method?

By: Keith

Keith — Tue, 18 Nov 2008 18:58:19 +0000

Thanks for the article.
J. Oquendo’s comment mentions that suite which has a bunch of features, but it does not support most of the “advanced” features for the Blackberry anyway so your advice is helpful. AccessData’s product does not yet support Blackberries and Paraben’s Device Seizure product supports them but does not suck in deleted data. They are working on that.
http://www.oxygen-forensic.com/en/models/

By: J. Oquendo

J. Oquendo — Tue, 18 Nov 2008 17:29:36 +0000

Definitely not trying to impress so please excuse my choice of words. Trying to give relevant information. Remember, the purpose of the forensics is to preserve and to detect. If done improperly, your evidence goes out the door. So once again apologies for my tone.

Sincerely
Jesus Oquendo

By: numenorian

numenorian — Sun, 12 Oct 2008 23:53:57 +0000

I approved your comment J. Oquendo because I dont censor. However, the size of your ego is immense. Manners my friend, manners. If your really wanted to help people you might post helpful comments.

I look forward to seeing you in court.

By: J. Oquendo

J. Oquendo — Sun, 12 Oct 2008 19:28:16 +0000

And how exactly is this “Blackberry Forensics”? If all you’re doing is retrieving information from the IPD files, then you’re doing a half baked job. Remember information stored on memory that has been wiped can be retrieved. The IPD file solely stored what someone has backed up. The bits off the memory cards are worth going after. For this I recommend Oxygen Forensic Suite. Or you can simply create a bit by bit copy of the device and do some filecarving to recreate what’s missing.

Your definition of simply looking at an IPD file doesn’t do much in fact if I was going against you in a court of law, I’d retrieve enough evidence to make you go back and study forensics for a couple more years.

J. Oquendo
http://www.infiltrated.net/?page_id=2

By: Anthony Harris

Anthony Harris — Thu, 04 Sep 2008 08:03:31 +0000

Great article, many thanks, would it be possible to restore the graphics on the BlackBerry page please, the graphics referred to in the documentation do not display. Again many thanks very helpful.