Black Berry Forensic Examination

Black Berry Forensic Exams-How-To

Here’s a how-to for Black Berry forensic examinations. Just a fraction of the cost you’d have to pay for a 90 minute webinar at some training sites-FREE.
I hope its useful for you.

HARDWARE NEEDED

• BlackBerry (duh)
• USB Cable
• Cradle (if its that type)
• Forensic Computer (see the reference to the BlackBerry)

SOFTWARE NEEDED

• BlackBerry Desktop Software
• BlackBerry Simulator for your device model (more on this later)
• Amber Blackberry Converter-not free but only 19.95 USD for a license-plus you get a thirty day trial.

Ok now that we are armed with our needed equipment, lets proceed to do our forensic magic.

USING THE DESKTOP SOFTWARE AND SIMULATOR

First install the desktop software. After this is done, you need to make sure that the connection is set for USB. Look at Options->Connection Settings and from the combo box select USB. Ok now connect the suspect’s Blackberry to your system (did you protect it from the network and make sure it was charged…? )
!!CAVEAT!!: If the BlackBerry needs a PIN-get it or get the PUK. This will not work without it. If you fail to do this, and use up your attempts to enter PIN/PUK you will wipe the device.
Now with the device connected make a backup of the handheld. Double Click the Backup/restore Icon and then choose backup (this may differ depending on the version of desktop software you are using). Direct the backup (*.ipd File) to where you want to save it and name it. Then make sure you choose all databases. I recommend making a working copy and a archive copy. Now reseal and store your exhibit.
Ok time to get out the Simulator…but wait, you say, how do I know what Simulator I need to use…there are so many choices. Glad you asked. Prior to downloading the Simulator you neeed to check something on the BlackBerry-its OS version. This is located from the mail screen under Options-About. You are looking for the platform version number as shown below (specific to my BB).

Blackberry 7130e
WirelessHandheld (CDMA)
v4.1.0.268(Platform 2.2.0.9)

Once you have this go to the link above and find the Simulator for this group of BlackBerry Devices download and install the Simulator.

Now with that installed, fire up the Simulator for your device. The Desktop software should be fooled into thinking a BB device is connected tot he computer.

Again, choose the backup/restore icon and this time restore the backup file you created. Make sure to choose all the databases. Once this completes you are looking at the exact handheld you seized albeit virtually. Pretty cool huh? Just take screencaps/vids of the device and you have your evidence.

Two side notes the Similator behaves just like a regular BB, i.e. you can click the trackwheel and escape key. If you want to see call times make sure that you enable call logging by going to the phone icon, clicking the trackwheel, coosing options and “call logging”.

USING AMBER BLACKBERRY CONVERTER

This is even easier. Once you have fired up the converter, simply click the link that says to load the IPD and the converter will load the file and show you tabs for SMS, EMAIL, call records and contacts..notice the options for PDF, HTML and Excel export…How easy is THAT?? One thing it doesnt do is pull out pictures (though it grabs MMS) that are saved…bummer but only a small one.

OTHER TIPS/TRICKS

Take the *.IPD file and load it into EnCase or FTK and index. This can give you fast access to keywords. You can also carve for pictures (though not deleted).

If you have read to here, I hope you have found this useful. I plan to add a short discussion on the structure of the IPD file-WARNING HEX AHEAD!!!