Perform Imaging and Profiling
Imaging is the process of making a replica of a digital device's contents. Analysis is then performed on the copy rather than the original, which protects the original from changes. The SDK utility that dumps the flash RAM contents into a file is used to take the image of the file system.
The Program Loader software used to perform the inspection causes a reset every time it is run. A reset may trigger a file system cleanup, which means that simply retrieving a partition table can change the file system and corrupt data. These undesirable results can be avoided by using the batch command, which groups all command switches into a single access and therefore prevents multiple resets.
Acquiring the Information
If the BlackBerry device is presented to the investigator powered off, it should be left off until it has been examined. If the device is powered on, the investigator should turn the wireless communications off but leave the device on, for a number of reasons:
- To begin with, the BlackBerry device is only completely off if power is removed for an extended period of time or if the device is in data storage mode. When the GUI is used to turn off the unit, only the display, keyboard and radio are turned off.
- In its off state, items on the queue may be pushed to the unit before the radio is turned off.
- Lastly, the device may have a program installed which accepts remote commands via e-mail. Such commands may allow a remote attacker to delete or alter information.
If the device is password protected, the password should be obtained; the investigator should avoid guessing the password, since too many failed attempts may cause the memory to be wiped. If the password cannot be obtained, the hardware should be accessed directly.
Hidden Data in BlackBerry Devices
It is possible to hide data on BlackBerry devices using hidden databases, partition gaps, and obfuscated data. Some custom-written databases do not show icons in the Ribbon GUI, but tools such as the Rim Walker can be used to identify such databases.
Once identified, it is possible to view the databases through the savefs command. Hidden data can be stored in the gap between the Operating System and Files partitions.
The alloc command in the Program Loader can be used to view the partition table and the savefs and loadfs commands can be used to view space between partitions. Data that is stored at the end of the file system space is saved even after device reset and it can be viewed with the savefs command. However, the data cannot be modified.
Acquire Log Information
The log-gathering procedure requires that an image be taken, and taking the image wipes the device's log records. This makes the procedure a violation of standard forensic methods, which require data to be left intact and unmodified. The investigator should therefore access the logs on the original device before making use of the SDK tool. Hidden controls such as Mobitex2 Radio Status, Device Status, Battery Status, and Free Mem should be used to review logs rather than the standard UI.
Mobitex2 Radio Status is a control which provides access to four logs:
- Radio Status shows the state of radio functions.
- Roam & radio records base and roam information. The log wraps at 16 entries and loses information in the event of a reset.
- Transmit/receive records transmissions and receptions, gateway MAN addresses, and the type and size of the data transmitted. It also keeps date stamps for every transmission from the network and the device.
- Profile string records interaction with the last utilized radio tower.
Shortcut keys can be used to access the radio status: Blackberry: Func+Cap+R
Device Status function provides information on memory allocation, port status, file system allocation, and CPU WatchPuppy. Detailed information can be obtained by selecting a line in the Device Status.
Shortcut keys can be used to access Device Status:
Blackberry: Func+cap+B (or V)
Simulator: Ctrl+Shift+B (or V)
Battery status gives information on the battery type, load, status and the temperature.
Free Mem function provides detailed information on memory allocation in the device.
Comm Port function provides the port status.
File System gives the basic values for free space and handles. However, the number of handles found in SDK guides is limited.
CPU WatchPuppy logs an entry whenever applications make use of the CPU over a predetermined threshold. The function terminates processes that do not release the CPU.
Change To function logs the last items synchronized via wireless calendaring and gives access to debugging information.
Halt & Reset function makes the unit reread the file system and may lead to a file system cleanup. Data that is marked as deleted will be permanently removed during the cleanup process.
The Program Loader is a command-line tool used for imaging and analysis, and it contains the following commands:
savefs: This command writes a hex dump of the flash RAM to FILESYS.DMP in the directory where the Program Loader is. The file size is equal to the flash RAM available in the device. The file can be viewed through a hex editor. The investigator should rename and write-protect the file since the Program Loader will overwrite FILESYS.DMP when it is run with savefs. The investigator should also create a hash of the file to prove integrity later in the investigation.
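One way to carry out the rename, write-protect and hash steps just described, as an added example rather than code from the page or from the SDK; the evidence directory layout, the case-id naming and the use of POSIX-style permission bits for write protection are this example's own assumptions:

```python
import hashlib
import shutil
import stat
from pathlib import Path

# The page states that savefs always writes this fixed name in the loader folder.
DUMP_NAME = "FILESYS.DMP"


def sha256_of(path):
    """Hash in chunks so a full flash image does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_dump(loader_dir, evidence_dir, case_id):
    """Move FILESYS.DMP out of the Program Loader folder under a case-specific
    name, hash it, strip write permission and append the hash to a manifest.
    Hypothetical helper: the directory and case_id layout are this example's choice."""
    src = Path(loader_dir) / DUMP_NAME
    dest_dir = Path(evidence_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / f"{case_id}_filesys.dmp"
    if dest.exists():
        raise FileExistsError(f"{dest} exists; refusing to overwrite evidence")
    shutil.move(str(src), str(dest))  # the next savefs run can no longer clobber it
    digest = sha256_of(dest)
    size = dest.stat().st_size
    dest.chmod(stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)  # read-only for everyone
    with open(dest_dir / f"{case_id}_manifest.txt", "a") as manifest:
        manifest.write(f"{digest}  {dest.name}  {size} bytes\n")
    return {"path": str(dest), "sha256": digest, "size": size}


def verify_dump(path, expected_sha256):
    """Re-hash a preserved image; True only if it still matches the manifest."""
    return sha256_of(path) == expected_sha256
```

Run preserve_dump immediately after savefs and verify_dump before any later review, so the manifest hash is the one that gets reported.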
dir: this command provides a list of applications that are on the device. It also specifies their memory location. It is a useful command when trying to emulate the original device on a PC. An investigator should highlight any nonstandard or missing applications.
ver: This command gives a list of the applications available on the device and their version numbers. This function is useful when trying to emulate the device on a PC. As with the dir command, the investigator should take note of nonstandard and/or missing applications.
map: this command displays detailed flash RAM and SRAM maps.
alloc: this command shows a partition table that lists the breakpoints between application memory and file system memory. The investigator should look out for unused sectors and the difference between the end of the file area and the start of the OS and applications area as this could reveal the existence of hidden data between the partitions.
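An added example (not code from the page or from RIM's tooling) of the check an investigator performs after alloc: given partition boundaries transcribed by hand from the alloc output (the tuple layout is an assumption) and the bytes of the savefs dump, the script maps every range the table does not assign to a partition, including the slack after the last one, and reports any runs of non-erased bytes in them; the erased-flash value of 0xFF and the sample image are constructed.

```python
# Flash reads as 0xFF in its erased state (assumed here), so a run of anything
# else inside a region the table assigns to neither Files nor OS deserves a look.
ERASED = 0xFF


def partition_gaps(partitions, flash_size):
    """partitions: list of (name, start, end), end exclusive, transcribed by hand
    from the alloc output (that layout is an assumption). Returns unassigned ranges."""
    gaps, cursor = [], 0
    for _name, start, end in sorted(partitions, key=lambda p: p[1]):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < flash_size:  # slack after the last partition survives resets too
        gaps.append((cursor, flash_size))
    return gaps


def non_erased_runs(dump, start, end, min_len=4):
    """(offset, length) for every run of at least min_len non-0xFF bytes in
    dump[start:end]; shorter runs are skipped as likely noise."""
    runs, run_start = [], None
    for off in range(start, end):
        if dump[off] != ERASED:
            if run_start is None:
                run_start = off
        elif run_start is not None:
            if off - run_start >= min_len:
                runs.append((run_start, off - run_start))
            run_start = None
    if run_start is not None and end - run_start >= min_len:
        runs.append((run_start, end - run_start))
    return runs


def scan_dump_for_hidden_data(dump, partitions):
    """Map every unassigned gap and report the non-erased runs found in it,
    keyed by (gap_start, gap_end); gaps that are fully erased are omitted."""
    findings = {}
    for gap_start, gap_end in partition_gaps(partitions, len(dump)):
        runs = non_erased_runs(dump, gap_start, gap_end)
        if runs:
            findings[(gap_start, gap_end)] = runs
    return findings
```

Each reported offset can then be opened in the hex editor used for the manual review, which is where the content is actually interpreted.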
batch [filename]: This command groups previous commands into a single communication session. All commands can be grouped together except the savefs and loadfs options, which should be performed independently. An image should be made with savefs before any other operation is undertaken. In case passwords are required, the Wpassword switch can be used on the command line or as the first line in the batch file.
Review the Information
Information can be reviewed using the hex dump in two ways:
- A manual review of the hex files can be undertaken using a hex editor. This will enable access to the whole file system including deleted records
- Alternatively, the hex file can be loaded into the BlackBerry SDK Simulator for review. The SDK can decode dates on expired records.
The BlackBerry SDK Simulator emulates a real handheld BlackBerry in operation with the exception that it is controlled on a PC. One does not need to handle the original unit so as to load dump files into the simulator.
The simulator can be used by following these steps:
- Rename the FILESYS.DMP file.
- When the program loads, the file will be loaded provided the DMP file is in the same folder as the simulator and all simulator options are set to match. The file should not be in read-only mode, since it will be overwritten to match the last state of the simulator.
- The simulator should be configured to match the network and model of the investigated device
- The simulator should be set to prompt for applications and then load the applications from the SDK inventory.
- Click Control and then Start Simulation to run the simulator.
- The command: OSLoader.exe OsPgrMb.dll/sl is used to connect the simulator to the PC’s serial port.
Checklist for Protecting Stored Data
- Ensure password authentication is mandatory by using the customizable IT policies of the BlackBerry Enterprise Server.
- Increase protection against unauthorized parties by removing the staging area between the server and the BlackBerry device, where data is decrypted and collected before being sent to the BlackBerry.
- Clean up BlackBerry devices’ memory periodically
- Protect messages that are stored on the server
- Encrypt the application password and the memory of the BlackBerry device
- Data stored by the user on a locked BlackBerry Device should be protected.
- Limit password authentication attempts to 10
- Use Advanced Encryption Standard technology to secure sensitive passwords on the BlackBerry device.