Friday, December 16, 2011

New Stuff

Some folks are aware that I recently changed positions, and I'm now with Applied Security, Inc.  My new title is "Chief Forensics Scientist", and yes, it is as cool as it sounds.  We do DF analysis of systems and mobile devices for our customers, focus on proactive security in order to promote immediate (as opposed to "emergency") response, and provide in-depth, focused DFIR training.  As part of DF analysis, we also do research-type engagements..."how does this affect that, and what kinds of traces does it leave?"  Pretty cool stuff.

Part of the work we do involves mobile devices, which is not something I'd really had an opportunity to dig into...until now.  Well, I take that back...in the upcoming WFA 3/e (due out on 7 Feb 2012, I'm told...and I've been told folks are already ordering it!), I do mention examining application files, to include backups of mobile devices and smart phones.  These backups...whether via the Blackberry Desktop Manager or iTunes (for iPhones, iTouch devices, or iPads) can contain a good deal of valuable data.  Again...I do not talk about examining the devices, but instead point out that the backup files may be valuable sources of data.

To kind of dabble in mobile device forensics a bit, I recently pulled an old Blackberry 7290 out of mothballs, powered it up and began running through passwords I may have used to lock it.  As it wasn't on any cellular network and didn't have WiFi capability, it was effectively isolated from any network.  Once I unlocked it, I downloaded the Blackberry Desktop Manager and used it to back up the device, creating a .ipd file.  I then downloaded Elcomsoft's Blackberry Backup Explorer (trial available) and ran that, to pull up old SMS texts, emails, etc. It was pretty interesting the things that I found...kind of a blast from the past.  What I saw got me to thinking about how useful this stuff could be with respect to DF analysis in general.

I should point out that Elcomsoft also has an iOS forensic product (restricted to special customers), as well as a number of password cracking products.

I also gave Reincubate.com's Blackberry Backup Extractor a shot, as well.  The unregistered version of the tool only converts the first 5 entries in any database it finds, and the output is Excel spreadsheets placed in various folders, depending upon the database that's parsed.

Reincubate also has an iPhone Backup Extractor product.

One tool I'm aware of for parsing .ipd files that I haven't tried yet is MagicBerry.

I also wanted to see how JavaLoader worked against the Blackberry device itself, so I installed all of the necessary dependencies and ran that tool...pretty cool stuff.  I dumped device information, the event log, as well as directory listings, directly from the device.  Now, keep in mind, this is not particularly what one would call "forensically sound", but it is a way to gather additional information from the device after you've followed and documented a more stringent procedure.

Some lessons learned with the Blackberry...at this point, if I don't have the password for the device, I'm not getting anywhere.  I couldn't even create a backup/.ipd file for the device if I didn't have a password.  However, I could access the .ipd file with the tools I mentioned without having the password.  This is very useful information if you find that a user has the Blackberry Desktop Manager installed, and has created one or more .ipd files.

Something else that may be of interest to an examiner is that when I start the BB Desktop Manager, with no device connected to my system, the UI has information about the device already displayed.  This has to be stored somewhere on the system...I just haven't found it yet.  I've talked to some LE who like to boot the image they're analyzing and capture screenshots for use during court proceedings...this might be a very useful technique to use.

So, if you're conducting an exam and find that the user had the BlackBerry Desktop Manager installed, and you find an .ipd file (or several files), depending upon the goals of your exam, it may be well worth your time to dig into that backup.
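One way to script that check against a read-only mount of the image, as an added example that is not part of the original post: a POSIX shell function that lists BlackBerry .ipd files with their SHA-256 and size, plus any iTunes backup directories. The MobileSync/Backup layout (one subdirectory per device) and the tab-separated output format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): triage a mounted image for
# smartphone backups. Point it at a read-only mount of the image.

# sha256_of FILE -> hex digest (sha256sum on Linux, shasum elsewhere)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# find_phone_backups ROOT
# One tab-separated line per hit: TYPE, SHA-256 or "-", SIZE or FILE COUNT, PATH
# Paths with spaces are handled; paths containing newlines are not.
find_phone_backups() {
    root=$1
    # BlackBerry Desktop Manager backups; -iname also catches BACKUP.IPD
    find "$root" -type f -iname '*.ipd' 2>/dev/null | sort |
    while IFS= read -r f; do
        printf 'blackberry_ipd\t%s\t%s\t%s\n' \
            "$(sha256_of "$f")" "$(wc -c < "$f" | tr -d ' ')" "$f"
    done
    # iTunes backups: assumed layout is MobileSync/Backup/<one dir per device>
    find "$root" -type d -iname 'MobileSync' 2>/dev/null | sort |
    while IFS= read -r d; do
        [ -d "$d/Backup" ] || continue
        for b in "$d"/Backup/*/; do
            [ -d "$b" ] || continue
            printf 'ios_backup\t-\t%s\t%s\n' \
                "$(find "$b" -type f | wc -l | tr -d ' ')" "${b%/}"
        done
    done
}

# Stand-alone use: sh script.sh /mnt/image
if [ "$#" -gt 0 ]; then
    find_phone_backups "$1"
fi
```

Recording the hash and size at triage time gives you something to cite in your notes before any third-party parser touches the backup.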

In some ways, this is a pretty timely post, given this FoxNews article...seems that old hard drives aren't the only source of valuable information.

5 comments:

Andrew Case said...

People really should include looking for phone backups as part of their initial steps. I have had so many cases where there is evidence (USBSTOR or otherwise) that a phone was plugged in/used, but that can't be retrieved... usually it being a personal device and requiring court intervention to retrieve, which takes time if it happens at all.

Also had a recent case where the employee had reported his iPhone lost about 4 months before the investigation, which just happened to be the timeframe of interest, but by analyzing the backup, we still could build a pretty solid case.

I usually work on Linux with loopback mount, so it's really as simple as:

find ./ -name "*.ipd"

for BB and:

find ./ -name MobileSync

for iPhones

Keydet89 said...

Andrew,

Agreed. With Windows, it's as simple as:

dir /s *.ipd

This is important enough to create a plugin for the forensic scanner for this, even if just to point it out to an investigator.

Pragmatopian said...

Another good resource for Blackberry devices is the simulators available from RIM. They're mainly for developer use, but I find them a convenient way to 'mount' backups in order to browse them as if using the original device but without the contamination issues. It's also a good way to get good quality screenshots (e.g. if needed for reporting).

Andrew Case said...

@harlan

indeed... in the pre-scanner days (which I plan to dig into more deeply soon), I basically have a bash script that runs a bunch of different 'find' commands to pull out stuff that is immediately interesting.

A few categories are:

- non-ie web browsers installed (chrome, firefox, safari, opera)

- common anti-forensics tools (CCleaner, registry mechanic)

- Phone backups (BB, Apple)

- transfer programs (winscp, filezilla, dropbox, and a couple others)

Obviously it doesn't cover 100% of non-standard, but interesting apps, but it helped me immediately refine the investigation for many cases.

Keydet89 said...

Andrew,

Right now, most of this can be done by examining the Prefetch files, as well as running the MUICache.pl RegRipper plugin, particularly for those tools that do not create a key in the root of the Software hive.

I'm already considering adding a plugin to look for the smartphone backup files, and including verbiage in the output to tie it to USBStor info.