BlackBerry Forensic Exams - How-To

Here’s a how-to for BlackBerry forensic examinations, at a fraction of the cost you’d pay for a 90 minute webinar at some training sites: FREE.

I hope it’s useful for you.

HARDWARE NEEDED

  • BlackBerry (duh)
  • USB Cable
  • Cradle (if it’s that type)
  • Forensic Computer (see the reference to the BlackBerry)

SOFTWARE NEEDED

Ok, now that we are armed with our needed equipment, let’s proceed to do our forensic magic.

USING THE DESKTOP SOFTWARE AND SIMULATOR

First install the desktop software. After this is done, you need to make sure that the connection is set for USB: look at Options->Connection Settings and select USB from the combo box. Now connect the suspect’s BlackBerry to your system (did you isolate it from the network and make sure it was charged…?)

!!CAVEAT!!: If the BlackBerry needs a PIN, get it or get the PUK. This will not work without it. If you fail to do this and use up your attempts to enter the PIN/PUK, you will wipe the device.

Now, with the device connected, make a backup of the handheld. Double-click the Backup/Restore icon and then choose Backup (this may differ depending on the version of the desktop software you are using). Direct the backup (*.ipd file) to where you want to save it and name it. Then make sure you choose all databases. I recommend making a working copy and an archive copy. Now reseal and store your exhibit.

Ok, time to get out the Simulator… but wait, you say, how do I know which Simulator I need to use… there are so many choices. Glad you asked. Prior to downloading the Simulator you need to check something on the BlackBerry: its OS version. This is located from the main screen under Options->About. You are looking for the platform version number as shown below (specific to my BB).

Blackberry 7130e
WirelessHandheld (CDMA)
v4.1.0.268(Platform 2.2.0.9)

Once you have this, go to the link above, find the Simulator for this group of BlackBerry devices, and download and install it.

Now, with that installed, fire up the Simulator for your device. The desktop software should be fooled into thinking a BB device is connected to the computer.

Again, choose the Backup/Restore icon and this time restore the backup file you created. Make sure to choose all the databases. Once this completes you are looking at the exact handheld you seized, albeit virtually. Pretty cool, huh? Just take screencaps/vids of the device and you have your evidence.

Two side notes: the Simulator behaves just like a regular BB, i.e. you can click the trackwheel and the escape key. If you want to see call times, make sure that you enable call logging by going to the phone icon, clicking the trackwheel, choosing Options and then “Call Logging”.

USING AMBER BLACKBERRY CONVERTER

This is even easier. Once you have fired up the converter, simply click the link that says to load the IPD; the converter will load the file and show you tabs for SMS, email, call records and contacts. Notice the options for PDF, HTML and Excel export… how easy is THAT?? One thing it doesn’t do is pull out saved pictures (though it grabs MMS)… a bummer, but only a small one.

OTHER TIPS/TRICKS

Take the *.IPD file, load it into EnCase or FTK and index it. This gives you fast access to keywords. You can also carve for pictures (though not deleted ones, since the IPD is a logical backup of what was on the handheld).
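Carving pictures out of the IPD (or any other image of the handheld’s storage) is the step the tip above hands to EnCase or FTK. As an added illustration, not code from the original post or from any tool it names, here is a small Python carver that finds JPEG streams by the FFh D8h start marker, walks the marker segments so that an EXIF thumbnail’s own end marker does not cut the carve short, and hashes each hit for the evidence log. The sample bytes are constructed in the block; they mimic the marker layout of two JPEGs embedded in filler, not a real backup.

```python
import hashlib
import struct
SOI = b"\xff\xd8\xff"  # start-of-image marker (the FFh D8h header the post mentions)
EOI = b"\xff\xd9"      # end-of-image marker

def _jpeg_end(data: bytes, start: int, limit: int):
    """Offset just past the EOI of the JPEG at `start`, or None if it is not well formed.
    Header segments (FF xx + big-endian length) are stepped over, not searched, so an EXIF
    thumbnail's own FFD9 inside APP1 cannot truncate the carve; after SOS (FFDA) the first
    FFD9 is the real end, because scan data stuffs FF as FF00 or FF D0-D7."""
    i = start + 2
    while i + 4 <= limit:
        if data[i] != 0xFF:
            return None                     # lost marker sync
        marker = data[i + 1]
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            i += 2                          # standalone markers carry no length field
            continue
        seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
        if marker == 0xDA:                  # SOS: entropy-coded data follows
            eoi = data.find(EOI, i + 2 + seg_len, limit)
            return None if eoi == -1 else eoi + len(EOI)
        i += 2 + seg_len
    return None

def carve_jpegs(data: bytes, max_size: int = 8 * 1024 * 1024):
    """Return [(offset, sha256_hex, jpeg_bytes)] for each JPEG stream found in `data`."""
    found, pos = [], 0
    while (start := data.find(SOI, pos)) != -1:
        end = _jpeg_end(data, start, min(len(data), start + max_size))
        if end is None:
            pos = start + 1                 # false positive or truncated; keep scanning
            continue
        blob = data[start:end]
        found.append((start, hashlib.sha256(blob).hexdigest(), blob))
        pos = end
    return found

def _fake_jpeg(scan: bytes, thumbnail: bytes = b"") -> bytes:
    """Constructed JPEG-shaped bytes: valid marker layout, not a decodable picture."""
    out = b"\xff\xd8"
    if thumbnail:                           # APP1/Exif segment carrying a nested JPEG
        body = b"Exif\x00\x00" + thumbnail
        out += b"\xff\xe1" + struct.pack(">H", len(body) + 2) + body
    sos = b"\x01\x01\x00\x00\x3f\x00"
    return out + b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos + scan + EOI

# Constructed stand-in for a working copy: filler, a JPEG holding an EXIF thumbnail,
# more filler, then a JPEG whose scan data contains a stuffed FF00 byte pair.
OUTER = _fake_jpeg(b"\x12\x34\x56", thumbnail=_fake_jpeg(b"\xaa\xbb"))
SECOND = _fake_jpeg(b"\xff\x00\x77")
SAMPLE = b"\x00" * 8 + OUTER + b"\xde\xad" + SECOND
```

Run `carve_jpegs` over the bytes of the working copy (never the sealed archive copy) and record the offset and hash of each hit; a naive search that stops at the first FFh D9h would have returned the thumbnail’s truncated parent instead of the whole first image.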

If you have read this far, I hope you have found this useful. I plan to add a short discussion on the structure of the IPD file. WARNING: HEX AHEAD!!!


23 comments

  1. Anthony Harris

    Great article, many thanks, would it be possible to restore the graphics on the BlackBerry page please, the graphics referred to in the documentation do not display. Again many thanks very helpful.

  2. J. Oquendo

    And how exactly is this “Blackberry Forensics”? If all you’re doing is retrieving information from the IPD files, then you’re doing a half-baked job. Remember, information stored on memory that has been wiped can be retrieved. The IPD file solely stores what someone has backed up. The bits off the memory cards are worth going after. For this I recommend Oxygen Forensic Suite. Or you can simply create a bit-by-bit copy of the device and do some file carving to recreate what’s missing.

    Your definition of simply looking at an IPD file doesn’t do much; in fact, if I was going against you in a court of law, I’d retrieve enough evidence to make you go back and study forensics for a couple more years.

    J. Oquendo
    http://www.infiltrated.net/?page_id=2

  3. numenorian

    I approved your comment, J. Oquendo, because I don’t censor. However, the size of your ego is immense. Manners, my friend, manners. If you really wanted to help people you might post helpful comments.

    I look forward to seeing you in court.

  4. J. Oquendo

    Definitely not trying to impress so please excuse my choice of words. Trying to give relevant information. Remember, the purpose of the forensics is to preserve and to detect. If done improperly, your evidence goes out the door. So once again apologies for my tone.

    Sincerely
    Jesus Oquendo

  5. Keith

    Thanks for the article.
    J. Oquendo’s comment mentions that suite which has a bunch of features, but it does not support most of the “advanced” features for the Blackberry anyway so your advice is helpful. AccessData’s product does not yet support Blackberries and Paraben’s Device Seizure product supports them but does not suck in deleted data. They are working on that.
    http://www.oxygen-forensic.com/en/models/

    • numenorian

      The short answer is no. This is a logical dump of the BlackBerry database file. You will have to find a way to get at the internal memory at a lower level to look for the hexadecimal headers (such as FFh D8h for a JPEG).

  6. Cognitive

    I just got an 8707g to analyze, and we had purchased EnCase for a computer forensic job earlier this year. When the customer asked to look at the BlackBerry we got Neutrino since we got a discount for buying EnCase. Mistake!!! Only after I got the phone and learned the model number did I find out through the Guidance Software forums that Neutrino will only look at the logical data and not the physical. The SIM card was removed, so there was only the 64MB of RAM, which Neutrino can’t read. I did make a backup of the phone using the desktop software, even prior to reading this article. But I feel as if I’m at a dead end now. Is there a way to access the data and what I guess would be unallocated space on the 64MB of RAM? The 8707g doesn’t have any SD card slots, so there are no external memory options.

    I downloaded the demo version of Paraben’s Device Seizure because they claim it will grab the physical memory, which is what I need. But, I didn’t find anything useful and maybe they limited it so I can’t see anything.

  7. Pingback: Forensics:Blackberry Links « Data – Where is it?
    • Becca

      That is the $64K question, and I have found many people trying to figure out how to access deleted SMS and email on the BB. The pictures are actually much easier, as most data recovery software that will access USB memory will search internal memory on most BB phones. I have used standard ‘disk image’ software to create a RAW image of BB memory from a Torch, but while you can do a search on memory that was erased, BB OS compression leaves the files unreadable, which is my present goal. Unfortunately, BB OS uses a proprietary compression algorithm and I have not been able to uncompress it yet. Personally, I think there may be some way to use the BB simulator to uncompress, but you have to be able to force it to access ALL internal memory, not just that which is presently in use by the phone. If anyone has any input on how to uncompress BB data files, I would be very interested….

  8. navin Varma

    Can anyone help me to recover photos from BB internal memory..?? The pics are damn important to me. I have wiped my phone by mistake, but I really need those pictures; can anyone help me??

