Hakin9 EXTRA


     COMPARISON
     OF ANDROID AND
     BLACKBERRY FORENSIC
     TECHNIQUES
     YURY CHEMERKIN


As digital data is omnipresent now, digital forensics has quickly become a legal necessity. Mobile devices have grown quickly and extended their features, which, simplifying somewhat, makes them less unique. Developer APIs, SDKs and NDKs provide a great opportunity to build live, DLP or spyware tools for data extraction.

What you will learn...
•  How many differences exist between BlackBerry and Android forensic techniques

What you should know...
•  Basic knowledge about forensics (classic and live)
•  Basic knowledge about BlackBerry forensics
•  Basic knowledge about Android techniques




This article is mainly based on examining how many differences exist between BlackBerry and Android OS. It is worth highlighting whether one platform's techniques provide easier implementation, investigation and handling than the other's, what common differences examiners may encounter, and which concepts they should apply when handling these platforms forensically. "Android Forensics: Investigation, Analysis and Mobile Security for Google Android" by Andrew Hoog and my article "To Get Round To The Heart Of Fortress", published in Hakin9 Extra, are the basis of my research.

Mobile Forensics
Mobile device forensics relates to the recovery of digital evidence or data from a mobile device. The memory type, custom interface and proprietary nature of mobile devices require a different forensic process compared to other forensics. Nowadays mobile extraction techniques tend to be less unique, especially for logical acquisition. This level deals with known data types for any user, and this data set rarely differs among iOS, Android or BlackBerry. It often contains items such as messages (SMS/MMS/Email/IM), social network data, contacts, calendar, phone logs, wallet and other financial application data, media data (audio/photos/videos) and other data, even the file structure, browser data (web history as a timeline, and bookmarks), and shared folders.

One of the main ongoing considerations for analysts is preventing any changes to the device. That is only sometimes achievable: a network/cellular connection, for example, may bring in new data, overwrite evidence, etc. Any interaction with the device, whether you simply move it or physically unplug it, will modify it. If you instead decide to examine the device while it is running, all interactions change the device. To further complicate an investigation, the device may be using encryption: while it is running that data may be accessible, but if it is powered off and you don't have the encryption keys, you may permanently lose the ability to recover that data. Android devices are nearly impossible to analyze forensically without some kind of impact, because unlike desktops, notebooks and servers, Android storage cannot be easily removed, which often leads to changes, such as changing the state from powered off to powered on. When mobile phones were first introduced, a little data was often stored on the SIM card, and it was possible to remove the SIM card to extract that data.


28                                                                                                                                     4/2012 (11)
Did you know?

Device Switched On
If the device is in the on state, act immediately to keep power supplied to the mobile device, so that it does not lose volatile information. Then take the device to a secure location like a Faraday cage, or turn off the radio, before beginning the examination.

Device Switched Off
If the device is in the off state, take the device to the shielded location before attempting to switch it on, or place the device in a room that blocks the signal well enough to prevent the data push. For Android (not BlackBerry) this case gives the best chance to boot the device into recovery mode to test for connectivity and root access, and to access data without booting into normal operational mode (only if USB debugging is enabled or the owner has rooted the device).

Device in its Cradle
If the device is in its cradle, you have to remove any connection from the PC, keeping in mind the possibility that a sophisticated suspect might have a tripwire device which, once disconnected, could activate a script to erase potential evidence.

Password Protected
The thing to know when it comes to password protection is that the password itself is not stored on the device. The only thing stored on the device is a hash of the plain-text password. This storage is similar to the storage used by the majority of operating systems out there.

Wireless Connection
You must avoid any further communication activities, if possible. Eliminate any wireless activity by placing the device into a cage that can isolate it.

External Memory Card
You must not initiate any contact before taking components off. This includes any devices that support external media cards.

As many examiners likely know, it is important to isolate the device from the network as soon as possible. In the worst-case scenario, a remote wipe could be initiated on the device, which would prevent the recovery of any data. While most remote wipes are done over the data network, some can be triggered over SMS, so ensure the device is fully isolated to prevent remote wipes. In other circumstances, additional messages could be received on the device, or even removed, by triggers outside your control. To prevent a connection, mobile devices will often be transported and examined from within a Faraday cage. As that may be a bit expensive, there is a more powerful way, named airplane mode, and similar techniques look much the same on both platforms, although this sometimes brings a disadvantage. On Android you press and hold the Power button and select Airplane mode first; then press Menu (from the home screen), then Settings, then the Wireless option, which is generally near the top. You may also turn off Mobile Networks from this screen. If you are going to disable wireless connections like Bluetooth or WiFi, you have to leave the home screen for the settings, which is unsettling because you are not sure whether you have enough time or not. On the other hand, only the touch or flip BlackBerry models bring a really fast way to turn all connections on or off, by clicking around the tray and the date and time area on the home screen. Both ways require you to have access to the device in the password-locked case. Moreover, the device continues running and temporary data remains. Removing the SIM card doesn't bring the same result, because the device reboots or wipes, as BlackBerry does.

There are several techniques pertaining to mobile forensics:

•   Physical acquisition is a bit-by-bit copy of an entire physical store. It has the advantage of allowing deleted files and data remnants to be examined. Physical extraction acquires information from the device by direct access to the flash memory. Generally this is harder to achieve, because device vendors need to secure against arbitrary reading of memory, so that a device may be locked to a certain operator.
•   Logical acquisition is a bit-by-bit copy of logical storage objects (e.g., directories and files) that reside on a logical store (e.g., a file system partition). Logical acquisition has the advantage that system data structures are easier for a tool to extract and organize. It usually does not produce any deleted information, because that is normally removed from the file system of the phone. However, in some cases the phone may keep a database file in which information is not overwritten but simply marked as deleted and available for later overwriting.
•   Manual acquisition uses the user interface to investigate the content of the memory. The device is used as normal and pictures are taken of the screen. The disadvantage is that only data visible to the operating system can be recovered, and that all data is only available in the form of pictures.

The last technique is no different between BlackBerry and Android, so I skip it. Logical techniques often provide easier and faster data extraction and access than physical ones because of the time the latter take. Logical methods deal with non-deleted data that is accessible on the storage. The point is that the previous case is about "simple" data types (formats), while SQL database files, as all-in-one files, may keep deleted data inside the database. While recovery of the deleted data requires special tools and techniques, it is possible to recover deleted data from a logical acquisition. Physical techniques aim to gain deleted data without relying on the file system itself to access the data, so they are skipped too.

Let's examine the main logical acquisition differences between the two platforms through the way data is stored, developer APIs and tools, free and paid investigation tools, logs, backups, and some other tricks.

Forensic Investigation of the Android vs BlackBerry
A BlackBerry is a handheld mobile device engineered for email. All models now come with a built-in mobile phone, making the BlackBerry an obvious choice for users who need to access their email from somewhere besides the comfort of a desk chair. The BlackBerry device is always on and participating in some form of wireless push technology. Because of this, the BlackBerry does not require the kind of desktop synchronization that other mobile devices do. BlackBerry OS has numerous capabilities and features, like over-the-air activation, the ability to synchronize contacts and appointments with Microsoft Outlook, a password keeper program to store sensitive information, and the ability to customize your BlackBerry display data.
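The acquisition comparison above makes the point that an SQLite database copied by logical acquisition may still hold rows that were only marked deleted. The following is an added example, not code from the article or from any tool it names: it builds a constructed sample database (the "messages" table, its rows and the file path are all made up), deletes one row, and then carves the free areas of each page in the raw file for remnants that the SQL API no longer returns. It walks the freeblock chain and the unallocated gap of every b-tree page, so it generalises beyond the single deleted row in the sample.

```python
"""Carve remnants of deleted rows out of an SQLite database file (added example)."""
import os
import re
import sqlite3
import struct
import tempfile

# b-tree page flag -> page header length (interior pages carry a right-child pointer)
BTREE_PAGE_TYPES = {0x02: 12, 0x05: 12, 0x0A: 8, 0x0D: 8}


def make_sample_db(path):
    """Constructed sample (not real app data): three messages, then one deleted."""
    conn = sqlite3.connect(path)
    # Explicit, so the demo behaves the same whatever the build's default:
    # with secure_delete OFF, SQLite does not zero the bytes of freed cells.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO messages(sender, body) VALUES (?, ?)",
        [("alice", "meet at the old pier at nine"),
         ("bob", "invoice 4471 is overdue, wire it today"),
         ("carol", "lunch tomorrow?")])
    conn.commit()
    conn.execute("DELETE FROM messages WHERE sender = 'bob'")
    conn.commit()
    conn.close()


def live_senders(path):
    """What a logical tool sees when it goes through the SQLite API."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT sender FROM messages ORDER BY id")]
    conn.close()
    return rows


def page_size(data):
    # 100-byte file header: page size is a big-endian u16 at offset 16; 1 means 65536
    ps = struct.unpack(">H", data[16:18])[0]
    return 65536 if ps == 1 else ps


def slack_regions(data, page_no, psize):
    """(offset, length) of the free areas on one b-tree page: the unallocated
    gap between the cell pointer array and the cell content area, and every
    freeblock in the page's linked list (freed cells keep their old bytes)."""
    base = (page_no - 1) * psize
    hdr = base + (100 if page_no == 1 else 0)      # page 1 starts with the file header
    hdr_len = BTREE_PAGE_TYPES.get(data[hdr])
    if hdr_len is None:
        return []                                   # overflow/freelist page, not b-tree
    first_free, ncells, content_start = struct.unpack(">HHH", data[hdr + 1:hdr + 7])
    if content_start == 0:
        content_start = 65536
    regions = []
    gap_start = hdr + hdr_len + 2 * ncells          # end of the cell pointer array
    gap_end = base + content_start
    if gap_end > gap_start:
        regions.append((gap_start, gap_end - gap_start))
    while first_free:
        nxt, size = struct.unpack(">HH", data[base + first_free:base + first_free + 4])
        # the first 4 bytes of a freeblock are its (next, size) header, not old content
        regions.append((base + first_free + 4, size - 4))
        first_free = nxt
    return regions


def carve_strings(chunk, min_len=4):
    """Printable ASCII runs, like `strings`. Record-header bytes sit right next to
    the text fields, so a carved run may start with a byte or two of junk."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, chunk)]


def deleted_remnants(path):
    """Strings recoverable from the slack space of every page in the file."""
    with open(path, "rb") as f:
        data = f.read()
    psize = page_size(data)
    found = []
    for page_no in range(1, len(data) // psize + 1):
        for off, length in slack_regions(data, page_no, psize):
            found.extend(carve_strings(data[off:off + length]))
    return found


def demo():
    """Create the sample and compare the API view with the carved remnants."""
    path = os.path.join(tempfile.mkdtemp(), "app.db")
    make_sample_db(path)
    return {"live": live_senders(path), "carved": deleted_remnants(path)}


if __name__ == "__main__":
    result = demo()
    print("rows via SQL :", result["live"])       # bob is gone
    print("carved slack :", result["carved"])     # bob's message text is still there
```

If the application had enabled `PRAGMA secure_delete` the freed cell would be zeroed and the carved list would be empty, which is exactly the difference between "deleted" and "overwritten" that the comparison above relies on.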


www.hakin9.org/en                                                                                                                                       29
Android powers millions of phones, tablets, and other devices and brings the power of Google and the web into your hands. With an amazingly fast browser, cloud sync, multitasking, easy connect & share, and the latest Google apps (and thousands of other apps available on Google Play), your Android powered device is beyond smart. Android has a large community of developers writing applications ("apps") that extend the functionality of the devices. While Android is designed primarily for smartphones and tablets, the open and customizable nature of the operating system allows it to be used on other electronics, including laptops and netbooks, smartbooks, ebook readers, and smart TVs (Google TV). Further, the OS has seen niche applications on wristwatches, headphones, car CD and DVD players, smart glasses, refrigerators, vehicle satnav systems, home automation systems, games consoles, mirrors, cameras, portable media players, landlines, and treadmills.

Push-Technology
You can see that the changes here serve widely spaced goals. Since the BlackBerry is always on, with push messaging, device information can be pushed to it at any time. Note that pushed information has the ability to overwrite any data that was previously deleted. The BlackBerry device is not really "off" unless power is removed for an extended period. If the BlackBerry is powered back on, then any items that were in the queue waiting to be pushed to the device could be pushed before you could stop them. In the Android case, you have a bit more time to set the state; you may even leave it untouched so that no mail folder except the inbox is updated, apart from malicious cases and the BlackBerry PlayBook, which is not a real BlackBerry device with a BIS or BES data plan. Android brings the push feature only with an enterprise connection, about 5 seconds after you press the power button to turn the display on, or when you run applications; however, even the Gmail application needs time or a manual "update" button press to retrieve new data from the Internet.

Password Protection
BlackBerry devices come with password protection. The owner has the capability to protect all data on the phone with a password. He may also specify the number of attempts for entering the password before all data is wiped from the device. If you exceed the password attempt limit (defaults to 10, but you can set it as low as 3; the PlayBook may differ, from 5 to 10), you will be prompted one last time to type the word BlackBerry. The device will then wipe. It will be reset to the factory out-of-the-box condition, and the password reset. You will lose everything in the device memory, with no possibility of recovery. It will not reformat the microSD card if it is a smartphone's external storage, because that is not part of the factory configuration, but if you have a BlackBerry PlayBook you will get factory defaults for everything. The phone will still be usable, and the operating system will be unchanged, so this technique cannot be used to roll back from an OS upgrade problem.

The ability to circumvent the pass code on an Android device is becoming more important as they are utilized frequently and, in most cases, do not allow data extraction as well as BlackBerry does. While there is no guaranteed method, there are a number of techniques which have worked in certain situations. There are three types of pass codes Android devices currently support. The first is a pattern lock, the default on the initial Android devices: to access the device, the user draws a pattern on the locked phone. The second type of pass code is the simple personal identification number (PIN), which is commonly found on other mobile devices. The final type of pass code currently found on Android devices is a full alphanumeric code. If the screen of the device is active, strong consideration should be given to checking and potentially changing its settings. For devices that have pass codes, there is a short period of time (from less than a minute up to about 1 hour) where full access to the device is possible without re-entering the pass code. It is sometimes possible to determine the pattern lock of a device by enhancing photographs of the device's screen. The less interaction a first responder has with the screen, the higher the success rate of this technique.

Password Extraction/Bypassing

So-called Smudge Attack for Android's pattern lock
As Android devices used the pattern lock for pass code protection instead of a numeric or alphanumeric code, there is an interesting option: a clean touch screen is what you want first, but a touch screen marked with fingerprints, and the direction of those fingerprints, gives a good way to bypass the pattern lock.

Screen Lock Bypass App for Android
Security researcher Thomas Cannon recently developed a technique that allows a screen lock bypass by installing an app through the new web-based Android Market. This technique utilizes a new feature in the web-based Android Market that allows apps to be installed directly from the web site. As such, you must have access to the Android Market using the primary Gmail user name and password for the device, which may be accessible from the primary computer of the user. Alternatively, you could access the Android Market if you knew the user name and password and had sufficient authority. Changing the user's Gmail password would not work in this instance.

The procedure is quite simple really. Android sends out a number of broadcast messages which an application can receive, such as SMS received. An application has to register its receiver to receive broadcast messages, and this can be done at run time or, for some messages, at install time. When a relevant message comes in, it is sent to the application, and if the application is not running it will be started automatically. Once launched, it is just a matter of calling the disableKeyguard() method in KeyguardManager. This is a legitimate API to enable applications to disable the screen lock when, say, an incoming phone call is detected. After finishing the call the app ought to enable the screen lock again, but we just keep it disabled.

Use Gmail User/Pass for Android
On most Android phones, you can circumvent the pass code if you know the primary Gmail user name and password registered with the device. After a number of failed attempts (ten attempts on the G1), you will be presented with a screen that asks if you forgot your pass code. From there, you can enter the Gmail user name and password and you will then be prompted to reset the pass code. This technique does not require the phone to be online, as it uses credential information cached on the phone. So, if you have already somehow obtained this credential data, that is good. Otherwise, if you do not have the current Gmail user name and password but have sufficient authority (i.e., a court order) to reset the password, you could attempt to compel Google to reset the account password. You would then have to connect the Android device to the network and gain access. This issue presents many challenges, including the need to place the device online, putting it at risk for remote wipe in addition to making changes to the device.

Password brute-force for BlackBerry
You can access encrypted information stored in password-protected backups if the original password is known or recovered with Elcomsoft Phone Password Breaker (http://www.elcomsoft.com/eppb.html). Elcomsoft Phone Password Breaker grants forensic access to protected information stored in BlackBerry devices by recovering the original plain-text password. The toolkit allows eligible customers to acquire bit-to-bit images of devices' file systems, extract phone secrets (passcodes, passwords, and encryption keys) and decrypt the file system dump. Access to most information is provided in real time. In addition to Elcomsoft Phone Password Breaker, the toolkit includes the ability to decrypt images of devices' file systems, as well as a free tool that can extract the encrypted file system out of the device in raw form. To unlock Apple backups even faster, the tool engages the company's patent-pending GPU acceleration technology.

Three key features are:

•   Decrypt encrypted BlackBerry backups
•   Recover original plain-text passwords
•   GPU acceleration

Spyware for BlackBerry
As with the kind of attack presented by Thomas Cannon and described above, you would have to install spyware to extract the password from the device. Almost all possible techniques for live extraction from BlackBerry were discussed several times in my articles, so I will only briefly recall some tricks. The first trick exploits the default feature of showing the password without asterisks, which makes it possible to screen-capture. If restricted APIs are disabled and you have a BIS device, it works. The second trick is about the scaled preview of characters typed through the virtual keyboard. The third trick provides techniques to steal the password during synchronization with BlackBerry Desktop Software, as well as drawing your own fake window to catch the typed password.

Classic Forensic
A typical forensic investigator performs the investigation by hand-reading mail and data files, checking for system activities through different log files, and verifying the consistency of the data through the time stamps associated with files on the file system. First, forensic software must be running on the local machine, and may have to be installed. Second, running such software locally risks damaging or contaminating data. Third, if the machine has been compromised, the investigation may produce suspect results - or worse, may alert the attacker.

Gathering Logs and dumps

BlackBerry
The main classic forensic procedure of evidence collection violates the forensic method by requiring the investigator to record the logs kept and a dump. The investigator can view some logs on the device by pressing hotkeys or through several applications from the BlackBerry SDK Tools. Don't forget that the counter is always running, even when the radio is turned off, so be sure to record these values as soon as possible to avoid log overwrites. BlackBerry hotkeys for quickly extracting log data were discussed in detail in my article "To Get Round To The Heart Of Fortress". As far as I know, Android doesn't provide the same hotkeys. These log events depend on debug information added by developers, so they often may not exist.

Another way to collect the log information is using loader.exe from the BB SDK tools or BBSAK. It extracts a full copy of the BlackBerry event log to a text file stored on your drive. Let's see some useful commands of javaloader.

JAVA LOADER USAGE
Usage: JavaLoader [-p<pin>] [-d0|-d1] [-w<password>] [-q] <command>
-p<pin>                           Specifies the handheld PIN (hex pin prefix '0x')
-w<password>                      Connects using the specified password
<command>                         is one of
dir [-d] [-s] [-1]                Lists modules on the handheld
    -d                            Display dependency information
    -s                            Display siblings
    -1                            Single column output
deviceinfo                        Provides information on the handheld
save {<module> ... | -g <group>}  Retrieves modules from the handheld
    -g                            Retrieves all modules in a specified group
info [-d] [-s] [-v] <.cod file>   Provides information on the specified modules
    -d                            Display dependency information
    -s                            Display sibling information
    -v                            Display verbose module information
eventlog                          Retrieves the handheld event log
radio on|off                      Turns the handheld's radio on or off
siblinginfo <.cod file>           Provides sibling information on the specified modules
screenshot <.bmp file>            Retrieves the contents of the specified screen and saves it as a BMP file
logstacktraces                    Dumps the stack traces for all threads to the event log

To extract the event log from the device:

•   Plug it into the PC via USB cable
•   Open a command shell and type javaloader.exe -wPASSW eventlog log.txt, where PASSW is your password for the device.

The dump command gives us all .cod modules stored on the device, in a root subfolder named dump. To get a dump of a BlackBerry device, let's use the Loader from BlackBerry Device Manager.

LOADER USAGE
Usage: loader.exe /<command>
command                           is one of:
eventlog                          output filename
screenshot                        output filename
screenshot active                 output file
screenshot primary                output file
screenshot auxiliary              output file
deviceinfo                        output filename
dir                               output filename
radio                             on|off
dump                              output filename


Dump extraction works the same way as the log extraction above. However, beforehand you will be asked to enter the device's password. Note that starting a dump requires a device reboot, which can erase the log by overwriting some information. Do not forget about the encryption feature of BlackBerry storage protection based on the password & ECC: if it is on, the dump result is obviously empty. Dumps and logs will provide you with information about the device such as hardware id, PIN, OS version, other ids, and the name, version, size and creation date of .cod modules with their dependencies, as well as vendor info or description. The event log can also provide the date-time stamp and GUIDs of applications.

Android
One kind of data storage mechanism available to developers is the network, used to store and retrieve data on your own web-based services via the packages named java.net and android.net. These packages provide developers with the low-level API to interact with the network, web servers, etc. As an interesting example, such files (text logs or XML) may store actions with date and time stamps, error/warning/successful authentication events, logins, and data such as email addresses, access keys, private keys or application id keys; likewise SQL database files may store all data uploaded, downloaded and transferred by an application, often without ciphering. They contain much more data than BlackBerry at first glance; however, if the developers didn't hear about it or didn't build them, you might not get anything valuable.

The best known developer tool and command from the Android SDK is the adb pull command, which copies files to the desktop workstation for further analysis. Unless an Android device has root access or is running a custom ROM, the adb daemon running on the device that proxies the recursive copy only runs with shell permissions. As such, some of the more forensically relevant files are not accessible. However, there are still files which can be accessed. A successful access aims at extracting (copying) the entire "/data" partition to the local directory. If the device does not have root access, this technique may appear to be of little value. However, on nonrooted devices, an adb pull can still access useful files such as unencrypted apps, most of the tmpfs file systems that can include user data such as browser history, and system information found in "/proc", "/sys", and other readable directories (Table 3).


Table 3. ANDROID DEBUG BRIDGE (ADB) USAGE
command                                description
-d                                     directs command to the only connected USB device;
                                       returns an error if more than one USB device is present.
-s <serial number>                     directs command to the USB device or emulator with the given serial number.
                                       Overrides the ANDROID_SERIAL environment variable.
devices                                list all connected devices
connect <host>[:<port>]                connect to a device via TCP/IP
                                       Port 5555 is used by default if no port number is specified.
disconnect [<host>[:<port>]]           disconnect from a TCP/IP device.
                                       Port 5555 is used by default if no port number is specified.
                                       Using this command with no additional arguments will disconnect from all connected TCP/IP devices.
device commands:
adb push <local> <remote>              copy file/dir to device
adb pull <remote> [<local>]            copy file/dir from device
adb sync [ <directory> ]               copy host->device only if changed
                                       (-l means list but don't copy)
                                       (see 'adb help all')
adb shell                              run remote shell interactively
adb shell <command>                    run remote shell command
adb logcat [ <filter-spec> ]           view device log
adb forward <local> <remote>           forward socket connections; forward specs are one of:
                                       tcp:<port>
                                       localabstract:<unix domain socket name>
                                       localreserved:<unix domain socket name>
                                       localfilesystem:<unix domain socket name>
                                       dev:<character device name>
                                       jdwp:<process pid> (remote only)
adb jdwp                               list PIDs of processes hosting a JDWP transport
adb install [-l] [-r] [-s] <file>      push this package file to the device and install it
                                       ('-l' means forward-lock the app)
                                       ('-r' means reinstall the app, keeping its data)
                                       ('-s' means install on SD card instead of internal storage)
adb uninstall [-k] <package>           remove this app package from the device
                                       ('-k' means keep the data and cache directories)
adb bugreport                          return all information from the device that should be included in a bug report.
adb help                               show this help message
adb version                            show version number
DATAOPTS:
(no option)                            don't touch the data partition
-w                                     wipe the data partition
-d                                     flash the data partition



32                                                                                                                                       4/2012 (11)
Data Extracting through the Backup

Android
Android did not provide a mechanism for users to back up their personal data. As a result, a large number of backup applications were developed and distributed on the Android Market. For users running custom ROMs, an even more powerful backup utility called nandroid was developed. Many of the backup utilities have a "Save to SD Card" option (which users found extremely convenient) as well as several options to save to "the cloud". Either way, users could take a backup of their devices and, if needed, restore the required data. This is not only a great way for users to protect themselves from data loss, but it can be a great source of information for forensic analysts.
   Anyway, the backup area is covered by the following items:

•   Application install files (if the phone has root access, this includes APK data and Market links)
•   Contacts
•   Call log
•   Browser bookmarks
•   SMS (text messages)
•   MMS (attachments in messages)
•   System settings
•   Home screens (including HTC Sense UI)
•   Alarms
•   Dictionary
•   Calendars
•   Music playlists
•   Integrated third-party applications

Even though the backup API is now available, synchronization also provides Outlook linking.
   Regardless of the backup app, forensic analysts should determine if one was installed and, if so, where the backup data is stored. The SD card should be examined as well as other devices such as a computer or laptop. The data saved in a backup is obviously of significant value in an examination.

BlackBerry
First, you need to download and install BlackBerry Desktop Manager. Use the following link to select and download the install file that fits your system or version. Once BB Desktop Manager is installed, connect the device to the PC. Then click the "Back up" button for a full backup of the device, or use the advanced section for specific data. In the options you can find the destination folder where your ".ipd" file will be saved. Note that the ipd file can be encrypted with a password, even one shorter than 4 characters. BlackBerry backups contain essential information stored on the device. User data such as email, SMS and MMS messages, web browsing history and cache, call logs, pictures and photos, contacts, calendars, appointments, and other organizer information are stored in BlackBerry backups. Access to information stored in BlackBerry backups can be essential for investigations, and is in high demand by forensic customers. Note that the backup file does not save your email attachments; moreover, if an email message is larger than 8 MB of non-Base64-encoded data per whole file (if there is more than one attachment, each file is encoded and the total size reaches the limit faster), there will be only a message with a notification about the truncation. The most known tools for extracting data from .ipd files are MagicBerry IPD Reader, Amber BlackBerry Converter, Elcomsoft BlackBerry Backup Explorer and Paraben Device Seizure. So, what you will be able to do with "Magic Berry IPD Parser":

•   Read ipd files
•   Split ipd files
•   Export SMS messages, phone call log, memos, tasks, calendar, and address book to CSV
•   Edit service books
•   Merge two ipd files

Elcomsoft Blackberry Backup Explorer allows forensic specialists to investigate the content of BlackBerry devices by extracting, analyzing, printing or exporting the content of a BlackBerry backup produced with BlackBerry Desktop Software. Elcomsoft Blackberry Backup Explorer supports BlackBerry backups made with the PC and Mac versions of BlackBerry Desktop Software. You can export information from BlackBerry backups into a variety of readable formats (PDF, HTML, DOC, RTF, ...). Also, Blackberry Backup Explorer can access encrypted information stored in password-protected backups if the original password is known or recovered with Elcomsoft Phone Password Breaker. Elcomsoft Phone Password Breaker grants forensic access to protected information stored in BlackBerry devices by recovering the original plain-text password. Elcomsoft Blackberry Backup Explorer is essentially the same as Amber BlackBerry Converter.
   As an alternative to acquiring the BlackBerry through "BlackBerry IPD Reader", Paraben's Device Seizure is a simple and effective method to acquire the data. Device Seizure was designed from the ground up as a forensic-grade tool that has been upheld in countless court cases. The data it covers:

•   SMS history (text messages)
•   Deleted SMS (text messages)
•   Phonebook (both stored in the memory of the phone and on the SIM card)
•   Call history
    – Received calls
    – Dialed numbers
    – Missed calls
    – Call dates & durations
•   Scheduler
•   Calendar
•   To-do list
•   Filesystem (physical memory dumps)
    – System files
    – Multimedia files (images, videos, etc.)
    – Java files
    – Deleted data
•   GPS waypoints, tracks, routes, etc.
•   RAM/ROM
•   PDA databases
•   E-mail

There is a brief general draft for examining data with Paraben Device Seizure:

•   Create a new case in Device Seizure with File | New.
•   Give the case a name and fill in any desired information about the case on the next two screens. The third screen is a summary of the data entered. If all data is correct, click Next and then Finish.
•   You are now ready to acquire the phone. Go to Tools | Data Acquisition.


•   You are prompted for the supported manufacturer. Select RIM BlackBerry.
•   Leave supported models at the default selection of autodetect.
•   Connection type should be set to USB.
•   For data type selection, select Logical Image (Databases).
•   Confirm your selections on the summary page and click Next to start the acquisition.

BlackBerry Simulation
This feature is unfortunately unavailable for Android, so it will be discussed only for BlackBerry. BlackBerry Simulator is built for simulating a backup copy of the physical device. This is helpful if the device is low on battery, needs to be turned off, or you do not want to alter the data on the physical device. The following steps are suitable for each BlackBerry device model.

•   Select a simulator from the drop-down list on the BlackBerry website and download it. Then install it.
•   Select and download BlackBerry Device Manager. Then install it.
•   Run BlackBerry Device Manager and BlackBerry Simulator.
•   Select Simulate | USB Cable Connected.
•   Select File | Restore to simulate with the physical data evidence on BlackBerry Simulator.

Also, you can mount a "copy" of the SD card to the BlackBerry Simulator. Now you may turn off the BlackBerry wireless communication while keeping the power on, and then examine the evidence with the device simulator in an up state.

Live (Spy) forensic
In some situations it is not desirable to shut down and seize the digital device and perform the forensic analysis at the lab. For example, if there is an indication that an encryption mechanism is used on the digital device that was discovered, then the investigator should not shut down this digital device. Otherwise, after shutdown all the information (potential evidence) that was encrypted will be unintelligible. By performing live analysis, the investigators attempt to extract the encryption key from the running system. That is known as "Live Analysis" or "Non-Classic Forensics". The goal of any live forensics task should be to extract and preserve the volatile data on a system while, to the extent possible, otherwise preserving the state of the system. Additionally, this is often the first step of an incident response scenario where a handler is simply trying to determine if an event has occurred. The benefit of using this approach is that you have a forensically sound data collection from which to proceed with a full forensic analysis if the initial analysis indicates one is required.

Potential Data as Evidence
Potential attack vectors can be various; however, the most popular of them are:

•   Address Book (both Android and BlackBerry)
•   Calendar Events (both Android and BlackBerry)
•   Call History (both Android and BlackBerry)
•   Browser history and bookmarks (both Android and BlackBerry)
•   Process Management (both Android and BlackBerry)
•   Memos and Tasks (seems only BlackBerry)
•   Screenshots (both Android and BlackBerry)
•   Camera shots (both Android and BlackBerry)
•   Video camera shots (both Android and BlackBerry)
•   Clipboard (both Android and BlackBerry)
•   Location tracking (cell, wifi, gps, bluetooth) (both Android and BlackBerry)
•   SMS/MMS/Emails (both Android and BlackBerry)
•   Pictures, Videos, Voice notes, and other files (both Android and BlackBerry)
•   File and Folder structure (both Android and BlackBerry)
•   IMs (both Android and BlackBerry)
•   Passwords (very different)

Android's data set is stored on internal storage as well as on external storage, but only internal storage keeps a strong folder structure, because it is controlled by the Android API. The typical internal place to store any kind of data is "/data/data/", where cache and databases are stored in the "PackageName" folder. Android data is stored on internal and external storage as binary (or simply text) files as well as packed into XML or SQLite database formats. The XML format allows Boolean, integer, float or string data types and lets developers create, load, and save the configuration values that power their application.
   Internal files allow developers to store very complicated data types and save them in several places on the internal storage that, by default, can only be read by the application; even the device owner is prevented from viewing the files unless they have root access. While files stored on the internal device storage have strict security and location parameters, files on the various external storage devices have far fewer constraints.
   First, one important motivation (beyond cost) for using a removable SD card is that the data could be used on other devices, presumably upgraded Android devices. If a consumer purchased a new Android device, inserted their previous SD card containing all of his or her family pictures and videos and found they were unable to access them, they would be quite upset.
   SQLite is one of the most popular database formats appearing in many mobile systems, for many reasons: high quality, open source, very compact, a cross-platform file format and, finally, because the Android SDK provides an API for using SQLite databases in applications. The SQLite files are generally stored on the internal storage under /data/data/<packageName>/databases, without any restrictions on creating databases elsewhere.
   All of them you can extract using the official BlackBerry API and Android API routines. Let us examine some of them to find out what they have in common.
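As an added example (not code from the article or from any of the tools it names), the following Python script triages a copied /data/data/<package> directory of the kind described above: it decodes the typed XML settings files under shared_prefs and enumerates the tables of each SQLite database under databases, opening them read-only so the evidence copy is never altered. The package name, file names, table and column names and all values are constructed in a temporary directory; nothing is pulled from a device.

```python
"""Triage of one application's private storage on a copied /data/data tree:
shared_prefs/*.xml holds typed key/value settings, databases/*.db holds SQLite.
Added example; the whole tree below is constructed in a temporary directory."""
import os
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Element names written by Android's SharedPreferences XML serializer and how to
# turn each one back into a Python value.
PREF_TYPES = {
    "boolean": lambda e: e.get("value") == "true",
    "int": lambda e: int(e.get("value")),
    "long": lambda e: int(e.get("value")),
    "float": lambda e: float(e.get("value")),
    "string": lambda e: e.text or "",
    "set": lambda e: {s.text or "" for s in e},
}


def parse_shared_prefs(xml_bytes):
    """Return {name: typed value} for a <map> document; unknown element types are
    kept as raw text so that nothing is silently dropped from the evidence."""
    prefs = {}
    for child in ET.fromstring(xml_bytes):
        convert = PREF_TYPES.get(child.tag, lambda e: (e.text or "").strip())
        prefs[child.get("name")] = convert(child)
    return prefs


def enumerate_sqlite(db_path):
    """Return {table: row_count} for every user table, opening the file read-only
    so the examiner's copy is never modified (no journal or WAL file is created)."""
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        names = [row[0] for row in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        return {n: con.execute('SELECT COUNT(*) FROM "%s"' % n).fetchone()[0]
                for n in names}
    finally:
        con.close()


def triage_package_dir(pkg_dir):
    """Collect prefs and table counts from one /data/data/<package> directory."""
    report = {"shared_prefs": {}, "databases": {}}
    prefs_dir = os.path.join(pkg_dir, "shared_prefs")
    for fn in sorted(os.listdir(prefs_dir)) if os.path.isdir(prefs_dir) else []:
        if fn.endswith(".xml"):
            with open(os.path.join(prefs_dir, fn), "rb") as fh:
                report["shared_prefs"][fn] = parse_shared_prefs(fh.read())
    db_dir = os.path.join(pkg_dir, "databases")
    for fn in sorted(os.listdir(db_dir)) if os.path.isdir(db_dir) else []:
        if fn.endswith(".db"):
            report["databases"][fn] = enumerate_sqlite(os.path.join(db_dir, fn))
    return report


def build_sample_tree(base):
    """Constructed sample: the package name, preference names, table and column
    names and every value here are made up for illustration (not a real schema)."""
    pkg = os.path.join(base, "data", "data", "com.example.app")
    os.makedirs(os.path.join(pkg, "shared_prefs"))
    os.makedirs(os.path.join(pkg, "databases"))
    prefs = (b"<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map>\n"
             b'<boolean name="sync_enabled" value="true" />\n'
             b'<int name="launch_count" value="7" />\n'
             b'<long name="last_seen_ms" value="1333238400000" />\n'
             b'<string name="account">user@example.com</string>\n'
             b'<set name="labels"><string>work</string><string>home</string></set>\n'
             b"</map>\n")
    with open(os.path.join(pkg, "shared_prefs", "com.example.app_preferences.xml"), "wb") as fh:
        fh.write(prefs)
    con = sqlite3.connect(os.path.join(pkg, "databases", "history.db"))
    con.execute("CREATE TABLE android_metadata (locale TEXT)")
    con.execute("CREATE TABLE calls (number TEXT, date INTEGER, duration INTEGER)")
    con.executemany("INSERT INTO calls VALUES (?, ?, ?)",
                    [("+10000000001", 1333238400000, 60),
                     ("+10000000002", 1333242000000, 5)])
    con.commit()
    con.close()
    return pkg


def run_demo():
    """Build the sample tree, triage it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_package_dir(build_sample_tree(tmp))


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2, default=sorted))
```

On a real extraction, point triage_package_dir at each package directory copied with adb pull; the read-only URI keeps the copied .db files byte-identical for hashing.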




What is in an up-to-date BlackBerry Address Book? A lot of contact data, such as several mobile or home phone numbers, faxes, emails, work and home addresses, web pages or dates. We can also add IM data and social data. In our Address Book we have much valuable information about friends; a social network gives an up-to-date avatar, a calendar (apart from our own calendar, which at least records our sleeping time), GPS location points, and software names that provide several pieces of information. Due to the victim's calendar info and GPS info (from photo EXIF or Facebook likes), private data such as tracking info, habits, time marked as free, time when you are possibly sleeping, and time when you are at home or at the company can come to light. In addition, if you combine call history with GPS records as two parts of the evidence, you get many opportunities to draw a social graph of accomplices. Extracting all possible fields from the object called PIM is the goal for gathering more information about the attacked individual from their overall profile.
   Classic forensics techniques deal with the BlackBerry backup file or with the data stored in "/data/data/com.android.providers.contacts" on Android internal storage. This app stores the call logs for the device in the calls table. There are over 30 tables in contacts2.db, so further inspection may be required. The data table contains additional values about contacts, and the raw_contacts table contains additional data about some contacts extended by different accounts, including Gmail, Exchange, Facebook, Twitter, and more. If pictures of the contacts are available, they are stored in the files directory and named thumbnail_photo_[NNNNN].jpg.
   Facebook data is stored in "/data/data/com.facebook", where fb.db contains nearly all of the information, including albums, info_contacts, notifications, chatconversations, mailbox_messages, photos, chatmessages, search_results, default_user_images, mailbox_profiles, stream_photos, events, mailbox_threads, friends and others. Gmail data is located in "/data/data/com.google.android.gm", which stores each configured Gmail account in a separate SQLite database filled with the entire e-mail content. Google Maps data located in "/data/data/com.google.android.apps.maps" stores a large amount of information about maps, tiles, searches, and more in the files directory, often provided by "search_history.db"; actual spoken directions are stored as map data on the SD card in .wav files, and the time stamps on the files prefaced with "._speech" simplify building a movement timeline.
   Password tips mentioned on the net are undermined by the tendency toward ever more complexity. How many web sites do you log in to: Facebook, Myspace, LinkedIn, Twitter and any number of other social networking sites? Probably a dozen. Shopping sites? Yes, several. Emails, IMs, etc. Every site requires you to create a password, a strong password. Some people solve this with a digital wallet. All password managers are described as an indispensable tool for the active internet and shopping user. In addition, such a tool fully automates the process of entering passwords and other data into websites and saves the user the trouble of creating and remembering multiple passwords. It is still insecure. Do not neglect spyware that is able to capture screens of your device. OK, forget about that kind of malware. Examine a logical way to break in. You need to see the password to type it, or you need to copy it into the clipboard. Moreover, no software producer can protect it, because the data needs to be put into a public text box. In other words, the end-point object is vulnerable. By the way, there is a getClipboard() method to retrieve the system's clipboard object through the BlackBerry API or the Android API.
   The next victim is messaging (SMS, MMS, email). Email is one of the most common ways people communicate. From internal meeting requests, distribution of documents and general conversation, one would be pressed to find an organization of any size that does not rely on email. Studies have shown that more email is generated every day than phone conversations and paper documents combined. Many users store their personal calendars and contacts on their mobile devices and even synchronize their email clients with them.
   A less interesting part of the evidence consists of browser history, browser bookmarks, memos, tasks, etc. This kind of forensics makes sense in the case of violating company policy by visiting certain sites, or for the time aspect (when the computer was connected to a site at the time when something happened), and for reconstructing a detailed history of a computer's use by examining a handful of files that contain a web browser's past operation. One more part of it is the "Favorites" folder that contains the URLs of web sites saved by the user, probably because they are of interest to the user and are frequently visited; explicit storing of these links indicates intent.
   While BlackBerry classic forensic extraction again deals with the backup, Android provides file-folder storage located in "/data/data/com.android.providers.telephony", filled with the MMS attachments (images, video, or any other supported data) and an SMS database table with all messages. The path "/data/data/com.android.mms" provides a bit more information with cached data or outgoing data.
   Pictures, Videos, Voice notes, and other files. Let us start from the last object, "other files". Voice notes, videos and pictures show us in general what is of particular interest to our "victim". It may be an enterprise presentation that he captured on video or audio. This case is useful for us, because we do not need to intercept API events; all we need is to listen to the file events for creating and deleting files.
   Pictures are more inquisitive as camera snapshots, since they have an EXIF header. Metadata is, quite simply, data about data. Many digital camera manufacturers, such as Canon, Sony and Kodak, implement the use of EXIF headers. This header is stored in an "application segment" of a JPEG file, or as privately defined tags in a TIFF file. This means that the resulting JPEG or TIFF is still in a standard format readable by applications that are ignorant of EXIF information. However, not only basic cameras have these headers: both mobile platforms provide you with "Camera Make" as RIM/BlackBerry/Android/HTC data, and "Camera Model" may often be the device model. The GPS tag often renames the file by placing the city name at the beginning of the file name. To get date and time stamps you do not need to examine EXIF, because it is enough to check the file name again.
   The Android Media database located in "/data/data/com.android.providers.media" contains the volume ID as a file system volume ID. If an image was deleted, the thumbnail likely still exists. Also, even if the metadata record is deleted, it is likely recoverable due to the YAFFS2 file system. This place is also scanned by the media scanner for audio files, albums, etc. to find media data or thumbnails that refer to deleted pictures and videos. Also, YouTube preferences, including device key(s) and watched videos, are stored in "/data/data/com.google.android.youtube/", and cached data is stored in "/data/data/com.google.android.youtube/cache".
   Instant messaging is a well-established means of fast and effective communication. IM forensics is meant to answer two questions: identifying the author of an IM conversation based strictly on author behavior, and classifying behavior characteristics. For example, BlackBerry stores all chats (from Google, Yahoo, Windows Live, BlackBerry Messenger, AIM (AOL)) in plain-text mode in .csv files. The file paths are often easy to find too.
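The EXIF "application segment" discussed above can be read without any image library. This added Python example (not the article's code) walks the JPEG marker segments to the APP1 Exif block, decodes the TIFF IFD0 entries for Make, Model and DateTime, and follows the GPSInfo pointer to turn the latitude/longitude rationals into decimal degrees. The tag numbers are the standard EXIF/TIFF ones; the sample JPEG, its tag values and the "RIM"/"BlackBerry" make and model are constructed in the script, and it carries no image data.

```python
"""Minimal EXIF reader for the JPEG APP1 "application segment" the article mentions.
Added example: parses the TIFF IFD0 and GPS sub-IFD; the sample JPEG is constructed."""
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}  # BYTE, ASCII, SHORT, LONG, RATIONAL
TAG_MAKE, TAG_MODEL, TAG_DATETIME, TAG_GPS_IFD = 0x010F, 0x0110, 0x0132, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004

def find_exif_tiff(jpeg):
    """Return the TIFF payload of the APP1 Exif segment, or None if there is none."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or start of scan: no more header segments
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # counts its own 2 bytes
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + length
    return None

def parse_ifd(tiff, offset, e):
    """Decode one IFD into {tag: value}; e is the struct byte-order prefix ('<' or '>')."""
    (n,) = struct.unpack(e + "H", tiff[offset:offset + 2])
    out = {}
    for i in range(n):
        ent = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[ent:ent + 8])
        if typ not in TYPE_SIZE:
            continue  # unknown field type: skip instead of misparsing
        total = TYPE_SIZE[typ] * count
        if total <= 4:  # short values live inline in the 4-byte value field
            raw = tiff[ent + 8:ent + 8 + total]
        else:           # longer values sit at an offset from the TIFF header start
            (off,) = struct.unpack(e + "I", tiff[ent + 8:ent + 12])
            raw = tiff[off:off + total]
        if typ == 2:    # ASCII: strip the NUL terminator
            out[tag] = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
        elif typ in (3, 4):
            out[tag] = struct.unpack(e + "%d%s" % (count, "H" if typ == 3 else "I"), raw)
        elif typ == 5:  # RATIONAL: numerator/denominator pairs
            q = struct.unpack(e + "%dI" % (2 * count), raw)
            out[tag] = [q[j] / q[j + 1] if q[j + 1] else 0.0 for j in range(0, len(q), 2)]
    return out

def dms_to_decimal(dms, ref):
    """Degrees/minutes/seconds rationals plus an N/S/E/W reference -> signed degrees."""
    if not dms or len(dms) != 3:
        return None
    deg = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -deg if ref in ("S", "W") else deg

def extract_exif(jpeg):
    """Return the forensically interesting fields, or None when no Exif APP1 exists."""
    tiff = find_exif_tiff(jpeg)
    if tiff is None:
        return None
    e = {b"II": "<", b"MM": ">"}[tiff[:2]]  # byte order declared by the TIFF header
    (ifd0_off,) = struct.unpack(e + "I", tiff[4:8])
    ifd0 = parse_ifd(tiff, ifd0_off, e)
    info = {"make": ifd0.get(TAG_MAKE), "model": ifd0.get(TAG_MODEL),
            "datetime": ifd0.get(TAG_DATETIME), "gps": None}
    if TAG_GPS_IFD in ifd0:
        gps = parse_ifd(tiff, ifd0[TAG_GPS_IFD][0], e)
        info["gps"] = (dms_to_decimal(gps.get(GPS_LAT), gps.get(GPS_LAT_REF)),
                       dms_to_decimal(gps.get(GPS_LON), gps.get(GPS_LON_REF)))
    return info

def serialize_ifd(entries, ifd_off):
    """Little-endian IFD writer for the sample only: (tag, type, payload, count) tuples;
    payloads longer than 4 bytes are placed after the IFD and referenced by offset."""
    data_off = ifd_off + 2 + 12 * len(entries) + 4
    ifd, blob = struct.pack("<H", len(entries)), b""
    for tag, typ, payload, count in sorted(entries):
        if len(payload) <= 4:
            field = payload.ljust(4, b"\x00")
        else:
            field, blob = struct.pack("<I", data_off + len(blob)), blob + payload
        ifd += struct.pack("<HHI", tag, typ, count) + field
    return ifd + struct.pack("<I", 0) + blob  # trailing 0 = no next IFD

def build_sample_jpeg():
    """Constructed input: SOI, one Exif APP1 segment, EOI; all tag values are made up."""
    asc = lambda s: (2, s.encode() + b"\x00", len(s) + 1)
    rat = lambda pairs: (5, b"".join(struct.pack("<II", n, d) for n, d in pairs), len(pairs))
    gps = [(GPS_LAT_REF,) + asc("N"), (GPS_LAT,) + rat([(52, 1), (31, 1), (12345, 1000)]),
           (GPS_LON_REF,) + asc("E"), (GPS_LON,) + rat([(13, 1), (24, 1), (0, 1)])]
    ifd0 = lambda gps_off: [(TAG_MAKE,) + asc("RIM"), (TAG_MODEL,) + asc("BlackBerry"),
                            (TAG_DATETIME,) + asc("2012:04:01 10:15:30"),
                            (TAG_GPS_IFD, 4, struct.pack("<I", gps_off), 1)]
    gps_off = 8 + len(serialize_ifd(ifd0(0), 8))  # GPS IFD follows IFD0 and its data
    tiff = (b"II" + struct.pack("<HI", 42, 8) + serialize_ifd(ifd0(gps_off), 8)
            + serialize_ifd(gps, gps_off))
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Calling extract_exif(open(path, "rb").read()) on a real photo returns the same dictionary, with gps set to None when the picture carries no GPSInfo IFD.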

Conclusion
BlackBerry devices as well as Android devices share the same evidentiary value as any other Personal Digital Assistant (mobile device). As the investigator may suspect of most file systems, a delete is by no means a total removal of data from the device. However, RIM's always-on wireless push technology adds a unique dimension to forensic examination. Android, instead, tends to be more offline and wakes up on user actions.
   As the BlackBerry is always on, information can be pushed to the device through its radio antenna at any time, potentially overwriting previously "deleted" data. Without warning, applications such as the email client, instant messaging, wireless calendar, and any number of third-party applications may receive information that makes the forensic investigator's attempts to obtain an unaltered file system much more difficult. In order to preserve the unit, turn the radio off. You may perform the same action for Android; however, you need to perform it quickly, and the two best ways are a Faraday cage or airplane mode. Airplane mode may be harmful because the device still continues to interact with local data. Otherwise you may not be able to access active devices to bypass the password. As a native feature, Android devices have a pattern lock that can be bypassed via fingerprinting; BlackBerry, instead, does not provide this technique, however third-party applications may easily be found on the market, especially for the PlayBook as a tablet.
   Classic forensics for Android is a bit easier than for BlackBerry, because for BlackBerry there is no way except having a BlackBerry backup file. Moreover, this backup file may be emulated after you restore it on BlackBerry Simulator via the USB Plugged option; the SD card may be copied into a folder and attached to the simulator. Android, instead, does not have this feature, but you can extract all database files from a plugged-in device, more successfully if it is rooted.
   If the RIM is password protected, you have to get the password, because the password is not stored on the unit; rather, an SHA-1 hash of the password is stored and compared to a hash of what is entered. The examiner only has the opportunity to guess 10 times before a file system wipe occurs to protect the data. This wipe will destroy all non-OS files. No software exists to circumvent the password protection. A direct-to-hardware solution will be required if the password is not available. Android devices present the opportunity (after the limit of unsuccessful attempts is reached) to unlock the device via Google credentials, which leads to the strong rule named "placing the device online". It is a kind of risk to introduce some changes, but it is a better way than BlackBerry. All live techniques may be valuable when you have installed "spyware", but they do not offer a successful outcome as far as the password is concerned. On the other hand, live techniques offer you a simplification of the investigation, because you do not need to analyze a SQLite database and can extract data in any suitable format. Live techniques cover the same data points of interest to researchers, so there is no valuable difference between BlackBerry and Android. Commercial tools as well as free ones provide enough coverage of data extraction via live techniques without the need to develop them. Thus, RIM's currently unsurpassed portability is the examiner's greatest ally, more than Android, if we are talking about the password. If we need to emulate data, BlackBerry provides more native user tools to prevent changes.

On the Net

•   http://www.amazon.com/Android-Forensics-Investigation-Analysis-Security/dp/1597496510 - Android Forensics: Investigation, Analysis and Mobile Security for Google Android. Andrew Hoog
•   http://hakin9.org/to-get-round-to-the-heart-of-fortress/ - To Get Round To The Heart Of Fortress. Hakin9 Extra. Yury Chemerkin

YURY CHEMERKIN
Graduated from the Russian State University for the Humanities (http://rggu.com/) in 2010. At present a postgraduate at RSUH. Information Security Researcher since 2009; currently works as a mobile and social infosecurity researcher in Moscow. Experienced in Reverse Engineering, Software Programming, Cyber & Mobile Security Research, Documentation, and Security Writing as a regular contributor. Now researching Cloud Security and Social Privacy.
Contacts:
I have a lot of social contacts, so you are able to choose the most suitable way for you.
Regular blog: http://security-through-obscurity.blogspot.com
Regular Email: yury.chemerkin@gmail.com
Skype: yury.chemerkin
My other contacts (blogs, IM, social networks) you will find among the http links and social icons before the TimeLine section on Re.Vu: http://re.vu/yury.chemerkin


Hakin9 Extra 4/2012 (11), page 36

Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 

Kürzlich hochgeladen (20)

Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 

Comparison of Android and BlackBerry Forensic Techniques

This article mainly examines how many differences exist between BlackBerry and Android OS forensics. It is interesting to highlight whether one platform's techniques provide easier implementation, investigation and handling than the other's, what common differences examiners may encounter, and what concepts they should apply when handling these platforms forensically. "Android Forensics: Investigation, Analysis and Mobile Security for Google Android" written by Andrew Hoog and my article "To Get Round To The Heart Of Fortress" published in Hakin9 Extra are the basis of my research.

Mobile Forensics
Mobile device forensics relates to the recovery of digital evidence or data from a mobile device. The memory type, custom interface and proprietary nature of mobile devices require a different forensic process compared to other forensics. Nowadays mobile extraction techniques tend to be less unique, especially for logical acquisition. This level deals with known data types for any user, and this data set rarely differs among iOS, Android or BlackBerry. It often contains items such as messages (SMS/MMS/Email/IM), social network data, contacts, calendar, phone logs, wallet and other financial application data, media data (audio/photos/videos) and other data, even the file structure, browser data (web history as a timeline and bookmarks), and shared folders.

One of the main ongoing considerations for analysts is preventing the device from changing; that is only sometimes achievable. Making a network/cellular connection, for example, may bring in new data, overwrite evidence, etc. Any interaction with the device, whether you simply move it or even physically unplug it, will modify it. If you instead decide to examine the device while it is running, all interactions change the device. To further complicate an investigation, it is possible that the device is leveraging encryption and, while the device is running, that data may be accessible. However, if the device is powered off and you don't have the encryption keys, then you may permanently lose the ability to recover that data. Android devices are nearly impossible to forensically analyze without some kind of impact, because unlike desktops, notebooks and servers, Android storage cannot be easily removed, which often leads to changes when the state changes from powered off to powered on or something else. When mobile phones were first introduced, a little data was often stored on the SIM card, and it was possible to remove the SIM card to extract data.

28 4/2012 (11)
Did you know?

Device Switched On
If the device is in the on state, act immediately to get power to the mobile device so that it will not lose volatile information. Then take the device to a secure location like a Faraday cage, or turn off the radio before beginning the examination.

Device Switched Off
If the device is in the off state, take the device to the shielded location before attempting to switch it on, or place the device in a room that blocks the signal well enough to prevent data push. For Android (not BlackBerry) this case gives the best chance to boot the device into recovery mode to test for connectivity and root access, and to access data without booting into normal operational mode (only if USB debugging is enabled or the owner has rooted the device).

Device in its Cradle
If the device is in its cradle, remove any connection from the PC, despite the possibility that a sophisticated suspect might have a tripwire device which, once disconnected, could activate a script to erase potential evidence.

Password Protected
The thing to know when it comes to password protection is the fact that the password itself is not stored on the device. The only thing stored on the device is a hash of the plain-text password. This storage is similar to the storage used by the majority of operating systems out there.

Wireless Connection
Avoid any further communication activities, if possible. Eliminate any wireless activity by placing the device into a cage that isolates it.

External Memory Card
Do not initiate any contact before taking components off. This includes any devices that support external media card types.

As many examiners likely know, it is important to isolate the device from the network as soon as possible. In the worst-case scenario, a remote wipe could be initiated on the device, which would prevent the recovery of any data. While most remote wipes are done over the data network, some can be triggered over SMS, so ensure the device is fully isolated to prevent remote wipes. In other circumstances, additional messages could be received on the device or even removed by triggers outside your control. To prevent a connection, mobile devices will often be transported and examined from within a Faraday cage. As that may be a bit expensive, there is a more powerful way, airplane mode, or similar techniques that look almost the same on both devices. It brings disadvantages sometimes. On Android you should press and hold the Power off button and select Airplane mode first, and then press Menu (from the home screen), then Settings, then the Wireless option, which is generally near the top. You may also turn off Mobile Networks from this screen. If you are going to disable a wireless connection like Bluetooth or WiFi, you have to leave the home screen for the settings, which is upsetting because you are not sure whether you have enough time or not. On the other hand, only touch or flip BlackBerry models bring a really fast way to turn all connections on/off, by clicking around the tray and the date-and-time area on your home screen. Both ways require you to have access to the device in the password-locked case. Moreover, the device continues running with temporary data remaining. Removing the SIM card doesn't bring the same result, because your device reboots or wipes, as a BlackBerry does.

There are several techniques pertaining to mobile forensics:

• Physical acquisition is a bit-by-bit copy of an entire physical store. It has the advantage of allowing deleted files and data remnants to be examined. Physical extraction acquires information from the device by direct access to the flash memories. Generally this is harder to achieve because the device vendors need to secure against arbitrary reading of memory, so that a device may be locked to a certain operator.
• Logical acquisition is a bit-by-bit copy of logical storage objects (e.g., directories and files) that reside on a logical store (e.g., a file system partition). Logical acquisition has the advantage that system data structures are easier for a tool to extract and organize. It usually does not produce any deleted information, since that is normally removed from the file system of the phone. However, in some cases the phone may keep a database file of information which does not overwrite the information but simply marks it as deleted and available for later overwriting.
• Manual acquisition utilizes the user interface to investigate the content of the memory. The device is used as normal and pictures are taken of the screen. The disadvantage is that only data visible to the operating system can be recovered and that all data are only available in the form of pictures.

The last acquisition type has no differences between BlackBerry and Android, so I skip it. Logical techniques often provide easier and faster data extraction and access than physical ones because of the time the latter take. Logical methods deal with non-deleted data that is accessible on the storage. The point is that the previous case is about "simple" data types (formats), while SQL db files, as all-in-one files, may keep deleted data in the database. While recovery of the deleted data requires special tools and techniques, it is possible to recover deleted data from a logical acquisition. Physical techniques aim to gain deleted data without relying on the file system itself to access the data, so they are skipped too. Let's examine the main logical acquisition differences between the two platforms throughout the way data is stored, developer APIs and tools, free and paid investigation tools, logs, backups and other tricks.

Forensic Investigation of the Android vs BlackBerry
A BlackBerry is a handheld mobile device engineered for email. All models now come with a built-in mobile phone, making the BlackBerry an obvious choice for users who need to access their email from somewhere besides the comfort of a desk chair. The BlackBerry device is always on and participating in some form of wireless push technology. Because of this, the BlackBerry does not require some form of desktop synchronization like the other mobile devices do. BlackBerry OS has numerous capabilities and features like over-the-air activation, the ability to synchronize contacts and appointments with Microsoft Outlook, a password keeper program to store sensitive information, and the ability to customize your BlackBerry display data.

www.hakin9.org/en 29
Android powers millions of phones, tablets, and other devices and brings the power of Google and the web into your hands. With an amazingly fast browser, cloud sync, multitasking, easy connect & share, and the latest Google apps (and thousands of other apps available on Google Play), your Android-powered device is beyond smart. Android has a large community of developers writing applications ("apps") that extend the functionality of the devices. While Android is designed primarily for smartphones and tablets, the open and customizable nature of the operating system allows it to be used on other electronics, including laptops and netbooks, smartbooks, ebook readers, and smart TVs (Google TV). Further, the OS has seen niche applications on wristwatches, headphones, car CD and DVD players, smart glasses, refrigerators, vehicle satnav systems, home automation systems, games consoles, mirrors, cameras, portable media players, landlines, and treadmills.

Push-Technology
You see that the changes pursue wide-ranging goals. Since the BlackBerry is always on, with push messaging, device information can be pushed to it at any time. Note that pushed information has the ability to overwrite any data that was possibly previously deleted. The BlackBerry device is not really "off" unless power is removed for an extended period. If the BlackBerry is powered back on, then any items that were in the queue waiting to be pushed to the device could possibly be pushed before you could stop them. In the Android case you have a bit more time to set the state; you may even not touch it, so that no email folder except the inbox folder is updated, apart from malicious cases, and the same goes for the BlackBerry Playbook, which is not a real BlackBerry device with a BIS or BES data plan. Android brings a push feature only with an enterprise connection, about 5 seconds after you press the power button to turn the display on or when you run applications; however, even the Gmail application needs time or a manual "update" button press to retrieve new data from the Internet.

Password Protection
BlackBerry devices come with password protection. The owner has the capability to protect all data on the phone with a password. He may also specify the number of attempts for entering the password before all data is wiped from the device. If you exceed your password attempts limit (defaults to 10, but you can set it as low as 3; the Playbook may differ, from 5 to 10), you will be prompted one last time to type the word BlackBerry. The device will then wipe. It will be reset to the factory out-of-the-box condition, and the password reset. You will lose everything in the device memory, with no possibility of recovery. It will not reformat the microSD card if it is a smartphone's external storage, because that is not part of the factory configuration, but if you have a BlackBerry Playbook you will get factory defaults for everything. The phone will still be usable, and the operating system will be unchanged, so this technique cannot be used to roll back from an OS upgrade problem.

The ability to circumvent the pass code on an Android device is becoming more important as they are utilized frequently and, in most cases, do not allow data extraction, as is also the case for BlackBerry. While there is no guaranteed method, there are a number of techniques which have worked in certain situations. There are three types of pass codes Android devices currently support. The first is a pattern lock, the default on the initial Android devices: when accessing the device, users should draw a pattern on the locked phone. The second type of pass code is the simple personal identification number (PIN), which is commonly found on other mobile devices. The final type of pass code currently found on Android devices is a full, alphanumeric code. If the screen of the device is active, strong consideration should be given to checking and potentially changing its settings. For devices that have pass codes, there is a short period of time (from less than a minute up to about 1 hour) where full access to the device is possible without re-entering the pass code. It is sometimes possible to determine the pattern lock of a device by enhancing photographs of the device's screen. The less interaction a first responder has with the screen, the higher the success rate of this technique.

Password Extraction/Bypassing

So-called Smudge Attack for Android's pattern lock
As Android devices use the pattern lock for pass code protection instead of a numeric or alphanumeric code, there is an interesting option: a clean touch screen is the primary case, but a touch screen marked with fingerprints, and the direction of those fingerprints, is a good solution to bypass the pattern lock.

Screen Lock Bypass App for Android
Security researcher Thomas Cannon recently developed a technique that allows a screen lock bypass by installing an app through the new web-based Android Market. This technique utilizes a new feature in the web-based Android Market that allows apps to be installed directly from the web site. As such, you must have access to the Android Market using the primary Gmail user name and password for the device, which may be accessible from the primary computer of the user. Alternatively, you could access the Android Market if you knew the user name and password and had sufficient authority. Changing the user's Gmail password would not work in this instance.
The procedure is quite simple really. Android sends out a number of broadcast messages which an application can receive, such as SMS received. An application has to register its receiver to receive broadcast messages, and this can be done at run time or, for some messages, at install time. When a relevant message comes in, it is sent to the application, and if the application is not running it will be started automatically. Once launched, it is just a matter of calling the disableKeyguard() method in KeyguardManager. This is a legitimate API to enable applications to disable the screen lock when, say, an incoming phone call is detected. After finishing the call the app ought to enable the screen lock again, but we just keep it disabled.

Use Gmail User/Pass for Android
On most Android phones, you can circumvent the pass code if you know the primary Gmail user name and password registered with the device. After a number of failed attempts (ten attempts on the G1), you will be presented with a screen that asks if you forgot your pass code. From there, you can enter the Gmail user name and password and you will then be prompted to reset the pass code. This technique does not require the phone to be online as it uses credential information cached on the phone. So, if you have already somehow obtained this credential data, that is good. Otherwise, if you do not have the current Gmail user name and password, but have sufficient authority (i.e., a court order) to reset the password, you could attempt to compel Google to reset the account password. You would then have to connect the Android device to the network and gain access. This issue presents many challenges, including the need to place the device online, putting it at risk for remote wipe, in addition to making changes to the device.

Password brute-force for BlackBerry
You can access encrypted information stored in password-protected backups if the original password is known or recovered with Elcomsoft Phone Password Breaker (http://www.elcomsoft.com/eppb.html). Elcomsoft Phone Password Breaker grants forensic access to protected information stored in BlackBerry devices by recovering the original plain-text password. The toolkit allows eligible customers to acquire bit-to-bit images of devices' file systems, extract phone secrets (passcodes, passwords, and encryption keys) and decrypt the file system dump. Access to most information is provided in real time. In addition to Elcomsoft Phone Password Breaker, the toolkit includes the ability to decrypt images of devices' file systems, as well as a free tool that can extract the encrypted file system out of the device in raw form. To unlock Apple backups even faster, the tool engages the company's patent-pending GPU acceleration technology.
Three key features are:

• Decrypt encrypted BlackBerry backups
• Recover original plain-text passwords
• GPU acceleration

Spyware for BlackBerry
In an attack of the kind presented by Thomas Cannon and described above, you would have to install spyware to extract the password from the device. Almost all possible techniques for live extraction from BlackBerry were discussed several times in my articles, so I briefly remind you of some tricks. The first trick exploits the default feature of showing the password without asterisks, which makes it possible to screen-capture. If the restricted API is disabled (you have a BIS device), it works. The second trick is about the scaled preview of characters typed through the virtual keyboard. The third trick provides you with techniques to steal the password during synchronization from BlackBerry Desktop Software, as well as drawing your own fake window to catch the typed password.

Classic Forensic
A typical forensic investigator performs the investigation by hand-reading mail and data files, checking for system activities through different log files, and verifying the consistency of the data through the time stamps associated with files on the file system. First, forensic software must be running on the local machine, and may have to be installed. Second, running such software locally risks damaging or contaminating data. Third, if the machine has been compromised, the investigation may produce suspect results, or worse, may alert the attacker.

Gathering Logs and dumps

BlackBerry
The main classic forensic procedure of evidence collection violates the forensic method by requiring the investigator to record the logs kept and a dump. The investigator can view some logs on the device by pressing hotkeys or through several applications from the BlackBerry SDK Tools. Don't forget that the counter is always running, even when the radio is turned off, so be sure to record these values as soon as possible to avoid log overwrites. BlackBerry hotkeys for quickly extracting log data were discussed in detail in my article "To Get Round To The Heart Of Fortress". As far as I know, Android doesn't provide the same hotkeys. These log events depend on debug information added by developers, so they often may not exist.
Another way to collect the log information is using loader.exe from the BB SDK tools or BBSAK. It extracts a full copy of the BlackBerry event log to a text file stored on your drive. Let's see some useful commands of javaloader.

JAVA LOADER USAGE
Usage: JavaLoader [-p<pin>] [-d0|-d1] [-w<password>] [-q] <command>
  -p<pin>                           Specifies the handheld PIN (hex pin prefix '0x')
  -w<password>                      Connects using the specified password
<command> is one of
  dir [-d] [-s] [-1]                Lists modules on the handheld
    -d                              Display dependency information
    -s                              Display siblings
    -1                              Single column output
  deviceinfo                        Provides information on the handheld
  save {<module> ... | -g <group>}  Retrieves modules from the handheld
    -g                              Retrieves all modules in a specified group
  info [-d] [-s] [-v] <.cod file>   Provides information on the specified modules
    -d                              Display dependency information
    -s                              Display sibling information
    -v                              Display verbose module information
  eventlog                          Retrives the handheld event log
  radio on|off                      Turns the handheld's radio on or off
  siblinginfo <.cod file>           Provides sibling information on the specified modules
  screenshot <.bmp file>            Retreives the contents of the specified screen and saves as a BMP file.
  logstacktraces                    Dumps the stack traces for all threads to the event log

To extract the event log from the device:

• Plug it into the PC via USB cable
• Open a command shell and type javaloader.exe -wPASSW eventlog log.txt, where PASSW is your password for the device.

The dump command gives us all .cod modules stored on the device in the root subfolder dump. To get a dump of a BlackBerry device, let's use the Loader from BlackBerry Device Manager.

LOADER USAGE
Usage: loader.exe /<command>
command is one of:
  eventlog output filename
  screenshot output filename
  screenshot active output file
  screenshot primary output file
  screenshot axuliary output file
  deviceinfo output filename
  dir output filename
  radio on|off
  dump output filename
Dump extraction is the same as the log extraction above. However, before that you will be asked to enter the device's password. Note that starting a dump requires a device reboot, which can erase the log by overwriting some information. Do not forget about the encryption feature of BlackBerry Storage Protection based on Password & ECC: if it is on, the dump result is obviously empty. Dumps and logs will provide you with information about the device like hardware id, PIN, OS version, other ids, name-version-size-created date for .cod modules with their dependencies, as well as vendor info or description. The event log can also provide date-time stamps and GUIDs of applications.

Android
One kind of data storage mechanism available to developers is the network, to store and retrieve data on your own web-based services via the packages named java.net and android.net. These packages provide developers with the low-level API to interact with the network, web servers, etc. As an interesting example, such files (text logs or XML) may store actions with date and time stamps, error/warning/successful authentication events, logins, and data such as email addresses, access keys, private keys or application id keys, and SQL db files may store all uploaded, downloaded and transferred data via an application, often without ciphering. They contain much more data than BlackBerry at first glance; however, if developers didn't hear about it or didn't build them, you might not get anything valuable.
The best-known developer tool and command from the Android SDK is the adb pull command, which copies files to the desktop workstation for further analysis. Unless an Android device has root access or is running a custom ROM, the adb daemon running on the device that proxies the recursive copy only runs with shell permissions. As such, some of the more forensically relevant files are not accessible. However, there are still files which can be accessed. Successful access aims at extracting (copying) the entire "/data" partition to the local directory. If the device does not have root access, this technique may appear to be of little value. However, on non-rooted devices, an adb pull can still access useful files such as unencrypted apps, most of the tmpfs file systems that can include user data such as browser history, and system information found in "/proc", "/sys", and other readable directories (Table 3).

Table 3. ANDROID DEBUG BRIDGE (ADB) USAGE
  -d                             directs command to the only connected USB device; returns an error if more than one USB device is present.
  -s <serial number>             directs command to the USB device or emulator with the given serial number. Overrides ANDROID_SERIAL environment variable.
  devices                        list all connected devices
  connect <host>[:<port>]        connect to a device via TCP/IP. Port 5555 is used by default if no port number is specified.
  disconnect [<host>[:<port>]]   disconnect from a TCP/IP device. Port 5555 is used by default if no port number is specified. Using this command with no additional arguments will disconnect from all connected TCP/IP devices.
device commands:
  adb push <local> <remote>      copy file/dir to device
  adb pull <remote> [<local>]    copy file/dir from device
  adb sync [ <directory> ]       copy host->device only if changed (-l means list but don't copy) (see 'adb help all')
  adb shell                      run remote shell interactively
  adb shell <command>            run remote shell command
  adb logcat [ <filter-spec> ]   View device log
  adb forward <local> <remote>   forward socket connections; forward specs are one of: tcp:<port>, localabstract:<unix domain socket name>, localreserved:<unix domain socket name>, localfilesystem:<unix domain socket name>, dev:<character device name>, jdwp:<process pid> (remote only)
  adb jdwp                       list PIDs of processes hosting a JDWP transport
  adb install [-l] [-r] [-s] <file>   push this package file to the device and install it ('-l' means forward-lock the app) ('-r' means reinstall the app, keeping its data) ('-s' means install on SD card instead of internal storage)
  adb uninstall [-k] <package>   remove this app package from the device ('-k' means keep the data and cache directories)
  adb bugreport                  return all information from the device that should be included in a bug report.
  adb help                       show this help message
  adb version                    show version num
DATAOPTS:
  (no option)                    don't touch the data partition
  -w                             wipe the data partition
  -d                             flash the data partition
Data Extracting through the Backup

Android
Android did not provide a mechanism for users to back up their personal data. As a result, a large number of backup applications were developed and distributed on the Android Market. For users running custom ROMs, there was an even more powerful backup utility called nandroid. Many of the backup utilities have a "Save to SD Card" option (which users found extremely convenient) as well as several options to save to "the cloud". Either way, users could take a backup of their devices and, if needed, restore the required data. This is not only a great way for users to protect themselves from data loss, but it can also be a great source of information for forensic analysts. The backup area is covered by the following items:
• Application install files (if the phone has root access, this includes APK data and Market links)
• Contacts
• Call log
• Browser bookmarks
• SMS (text messages)
• MMS (attachments in messages)
• System settings
• Home screens (including HTC Sense UI)
• Alarms
• Dictionary
• Calendars
• Music playlists
• Integrated third-party applications
Even though the backup API is now available, synchronization is what provides Outlook linking.

Regardless of the backup app, forensic analysts should determine whether one was installed and, if so, where the backup data is stored. The SD card should be examined, as well as other devices such as a computer or laptop. The data saved in a backup is obviously of significant value in an examination.

BlackBerry
First, you need to download and install BlackBerry Desktop Manager; select and download the install file that fits your system and version. Once BlackBerry Desktop Manager is installed, connect the device to the PC. Then click the "Back up" button for a full backup of the device, or use the advanced section for specific data. In the options you can find the destination folder where your ".ipd" file will be saved. Note that the ipd file can be encrypted with a password, even one shorter than 4 characters. BlackBerry backups contain essential information stored on the device: user data such as email, SMS and MMS messages, web browsing history and cache, call logs, pictures and photos, contacts, calendars, appointments, and other organizer information. Access to information stored in BlackBerry backups can be essential for investigations, and is in high demand by forensic customers. Note that the backup file does not save your email attachments; moreover, if an email message exceeds 8 MB of data per whole file (non-encoded Base64; if there is more than one attachment, each file is encoded separately and the total size reaches the limit even faster), only a message with a notification about the truncation remains. The best-known tools for extracting data from .ipd files are MagicBerry IPD Reader, Amber BlackBerry Converter, Elcomsoft BlackBerry Backup Explorer and Paraben Device Seizure. So, what you will be able to do with "Magic Berry IPD Parser":
• Read ipd files
• Split ipd files
• Export MS Messages, Phone Calls Log, Memos, Tasks, Calendar, and Address Book to CSV
• Edit Service Books
• Merge two ipd files

Elcomsoft BlackBerry Backup Explorer allows forensic specialists to investigate the content of BlackBerry devices by extracting, analyzing, printing or exporting the content of a BlackBerry backup produced with BlackBerry Desktop Software. It supports BlackBerry backups made with the PC and Mac versions of BlackBerry Desktop Software. You can export information from BlackBerry backups into a variety of readable formats (PDF, HTML, DOC, RTF, ...). BlackBerry Backup Explorer can also access encrypted information stored in password-protected backups if the original password is known or recovered with Elcomsoft Phone Password Breaker, which grants forensic access to protected information stored on BlackBerry devices by recovering the original plain-text password. Elcomsoft BlackBerry Backup Explorer is essentially the same as Amber BlackBerry Converter.

As an alternative to acquiring the BlackBerry through "BlackBerry IPD Reader", Paraben's Device Seizure is a simple and effective method to acquire the data. Device Seizure was designed from the ground up as a forensic-grade tool and has been upheld in countless court cases. It covers:
• SMS History (Text Messages)
• Deleted SMS (Text Messages)
• Phonebook (both stored in the memory of the phone and on the SIM card)
• Call History
  – Received Calls
  – Dialed Numbers
  – Missed Calls
  – Call Dates & Durations
• Scheduler
• Calendar
• To-Do List
• Filesystem (physical memory dumps)
  – System Files
  – Multimedia Files (Images, Videos, etc.)
  – Java Files
  – Deleted Data
• GPS Waypoints, Tracks, Routes, etc.
• RAM/ROM
• PDA Databases
• E-mail

Here is a brief general draft for examining data with Paraben Device Seizure:
• Create a new case in Device Seizure with File | New.
• Give the case a name and fill in any desired information about the case on the next two screens. The third screen is a summary of the data entered. If all data is correct, click Next and then Finish.
• You are now ready to acquire the phone. Go to Tools | Data Acquisition.
• You are prompted for the supported manufacturer. Select RIM BlackBerry.
• Leave supported models at the default selection of autodetect.
• Connection type should be set to USB.
• For data type selection, select Logical Image (Databases).
• Confirm your selections on the summary page and click Next to start the acquisition.

BlackBerry Simulation
This feature is unfortunately unavailable for Android, so it will be discussed only for BlackBerry. The BlackBerry Simulator is built for simulating a backup copy of the physical device. This is helpful if the device is low on battery, needs to be turned off, or you do not want to alter the data on the physical device. The following steps are suitable for every BlackBerry device model.
• Select a simulator from the drop-down list on the BlackBerry website and download it. Then install it.
• Select and download BlackBerry Device Manager. Then install it.
• Run BlackBerry Device Manager and BlackBerry Simulator.
• Select Simulate | USB Cable Connected.
• Select File | Restore to simulate with the physical data evidence on the BlackBerry Simulator.
Also, you can mount an SD card "copy" to the BlackBerry Simulator. Now you may turn off the BlackBerry's wireless communication while holding power on, and then examine the evidence with the device simulator in an up state.

Live (Spy) forensic
In some situations, it is not desirable to shut down and seize the digital device and perform the forensic analysis in the lab. For example, if there is an indication that an encryption mechanism is used on the discovered digital device, then the investigator should not shut this device down; otherwise, after shutdown, all the information (potential evidence) that was encrypted will be unintelligible. By performing live analysis, the investigators attempt to extract the encryption key from the running system. This is known as "Live Analysis" or "Non-Classic Forensics". The goal of any live forensics task should be to extract and preserve the volatile data on a system while, to the extent possible, otherwise preserving the state of the system. Additionally, this is often the first step of an incident response scenario where a handler is simply trying to determine whether an event has occurred. The benefit of this approach is that you have a forensically sound data collection from which to proceed with a full forensic analysis if the initial analysis indicates one is required.

Potential Data as Evidence
Potential attack vectors can be various; however, the most popular of them are:
• Address Book (both Android and BlackBerry)
• Calendar Events (both Android and BlackBerry)
• Call History (both Android and BlackBerry)
• Browser history and bookmarks (both Android and BlackBerry)
• Process Management (both Android and BlackBerry)
• Memos and Tasks (seemingly only BlackBerry)
• Screenshots (both Android and BlackBerry)
• Camera shots (both Android and BlackBerry)
• Video camera shots (both Android and BlackBerry)
• Clipboard (both Android and BlackBerry)
• Location tracking (cell, wifi, gps, bluetooth) (both Android and BlackBerry)
• SMS/MMS/Emails (both Android and BlackBerry)
• Pictures, Videos, Voice notes, and other files (both Android and BlackBerry)
• File and Folder structure (both Android and BlackBerry)
• IMs (both Android and BlackBerry)
• Passwords (very different)

Android's data set is stored on internal storage as well as on external storage, but only the internal storage keeps a strict folder structure, because it is controlled by the Android API. The typical internal place to store any kind of data is "/data/data/", where cache and databases are stored in the "PackageName" folder. Android data is stored on internal and external storage as binary (or simply text) files as well as packed into XML or SQLite database formats. The XML format, which allows Boolean, integer, float or string data types, lets developers create, load and save the configuration values that power their application.

Internal files allow developers to store very complicated data types and save them in several places on the internal storage which, by default, can only be read by the application; even the device owner is prevented from viewing the files unless they have root access. While files stored on the device's internal storage have strict security and location parameters, files on the various external storage devices have far fewer constraints.

One important motivation (beyond cost) for using a removable SD card is that the data could be used on other devices, presumably upgraded Android devices. If a consumer purchased a new Android device, inserted their previous SD card containing all of their family pictures and videos and found they were unable to access them, they would be quite upset.

SQLite is one of the most popular database formats, appearing in many mobile systems for many reasons: it is high quality, open source, tends to be very compact, uses a cross-platform file format and, finally, the Android SDK provides an API for using SQLite databases in applications. The SQLite files are generally stored on the internal storage under /data/data/<packageName>/databases, without any restriction on creating databases elsewhere.

All of them can be extracted using the official BlackBerry API and Android API routines. Let us examine some of them to find out the common sense. What is in an up-to-date BlackBerry Address Book? A lot of contact data, such
as several mobile or home phone numbers, faxes, emails, work and home addresses, web pages or dates. We can also add IM data and social data. In our Address Book we have much valuable information about friends; a social network gives an up-to-date avatar, a calendar (besides our own calendar, which at least records our sleeping time), GPS location points, and software names that provide several pieces of information. From the victim's calendar info and GPS info (from photo EXIF or Facebook likes), private data such as tracking info, habits, time marked as free, time when you are probably sleeping, and time when you are at home or at the company can come to light. In addition, if you combine call history with GPS records as two parts of evidence, you give yourself many opportunities to draw a social graph of accomplices. Extracting all possible fields from the object called PIM is the goal for gathering more information about the attacked individual from their overall profile.

Classic forensic techniques deal with the BlackBerry backup file, or with data stored in "/data/data/com.android.providers.contacts" on Android internal storage. This app stores the call logs for the device in the calls table. There are over 30 tables in contacts2.db, so further inspection may be required. The data table contains additional values about contacts, and the raw_contacts table contains additional data about some contacts, extended by different accounts including Gmail, Exchange, Facebook, Twitter, and more. If pictures of the contacts are available, they are stored in the files directory and named thumbnail_photo_[NNNNN].jpg.

Facebook data is stored in "/data/data/com.facebook", where fb.db contains nearly all of the information, including albums, info_contacts, notifications, chatconversations, mailbox_messages, photos, chatmessages, search_results, default_user_images, mailbox_profiles, stream_photos, events, mailbox_threads, friends and others. Gmail data is located in "/data/data/com.google.android.gm", which stores each configured Gmail account in a separate SQLite database filled with the entire e-mail content. Google Maps data, located in "/data/data/com.google.android.apps.maps", stores a large amount of information about maps, tiles, searches, and more in the files directory, often provided by "search_history.db", or actual spoken directions stored as map data on the SD card in .wav files; the time stamps on the files prefixed with "._speech" simplify building a movement timeline.

Password tips mentioned on the net are undermined by the tendency toward ever more complexity. How many web sites do you log in to: Facebook, Myspace, LinkedIn, Twitter and any number of other social networking sites? Probably a dozen. Shopping sites? Yes, several. Emails, IMs, etc. Every site requires you to create a password, a strong password. Some people solve this with a digital wallet. All password managers are described as an indispensable tool for the active internet and shopping user; in addition, they fully automate the process of entering passwords and other data into websites and save the user the trouble of creating and remembering multiple passwords. It is still insecure. Do not neglect spyware that is able to capture screens of your device. OK, forget about that kind of malware and examine the logical way to break in: you need to see the password to type it, or you need to copy it into the clipboard. Moreover, no software producer can protect it, because it needs to be put into a public text box. In other words, the end-point object is vulnerable. By the way, there is a getClipboard() method to retrieve the system's clipboard object through the BlackBerry API or Android API.

The next target is messages (SMS, MMS, email, and further email data). Email is one of the most common ways people communicate. From internal meeting requests to distribution of documents and general conversation, one would be hard pressed to find an organization of any size that does not rely on email. Studies have shown that more email is generated every day than phone conversations and paper documents combined. Many users store their personal calendars and contacts and even synchronize their email clients with their mobile devices.

A less interesting part of the evidence comprises browser history, browser bookmarks, memos, tasks, etc. This kind of forensics makes sense in case of violating company policy by visiting certain sites, or for the time aspect (whether the computer was connected to a site at the time when something happened), and it reconstructs a detailed history of a computer's use by examining a handful of files that contain a web browser's past operation. One more part of it is the "Favorites" folder, which contains the URLs of web sites saved by the user, probably because they are of interest to the user and are frequently visited; explicit storing of these links indicates intent.

While BlackBerry classic forensic extraction again deals with the backup, Android provides a file-folder storage located at "/data/data/com.android.providers.telephony", filled with the MMS attachments (images, video, or any other supported data) and the SMS messages as a database table with all messages. A bit more information is provided by the path "/data/data/com.android.mms", with cached data or outgoing data.

Pictures, videos, voice notes, and other files. Let's start from the last object, "other files". Voice notes, videos and pictures show us in general what is interesting in particular to our "victim". It may be an enterprise presentation that he video-captured or audio-captured. This case is useful for us, because we don't need to intercept API events; all we need is to listen to the file events of creating and deleting files.

Pictures are more interesting as camera snapshots, since they have an EXIF header. Metadata is, quite simply, data about data. Many digital camera manufacturers, such as Canon, Sony and Kodak, implement the use of EXIF headers. This header is stored in an "application segment" of a JPEG file, or as privately defined tags in a TIFF file. This means that the resulting JPEG or TIFF is still in a standard format readable by applications that are ignorant of EXIF information. Not only basic cameras have these headers: both mobile platforms give you "Camera Make" data such as RIM/BlackBerry/Android/HTC, and "Camera Model" is often the device model. The GPS tag often renames the file by placing the city name at the beginning. To get date and time stamps you don't need to examine EXIF, because it is enough to check the file name again.

The Android media database, located in "/data/data/com.android.providers.media", contains the volume ID as a file system volume ID. If an image was deleted, the thumbnail likely still exists. Also, even if the metadata record is deleted, it is likely recoverable due to the YAFFS2 file system. This location is also scanned for audio files, albums, etc. by the media scanner to find media data or thumbnails referring to the deleted pictures and videos. YouTube preferences, including device key(s) and watched videos, are stored in "/data/data/com.google.android.youtube/", and cached data is stored in "/data/data/com.google.android.youtube/cache".

Instant messaging is a well-established means of fast and effective communication. IM forensics has to answer two questions: identifying the author of an IM conversation based strictly on author behavior, and classifying behavior characteristics.
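As an added example (not code from the article or its author), the following Python script correlates two of the artefacts described above into one chronological timeline: the calls table of the contacts provider database (contacts2.db) and the EXIF Make/Model/DateTime fields carried in a JPEG's APP1 application segment. The database rows, the JPEG bytes and the Make/Model values (RIM, BlackBerry Bold 9900) are constructed samples, the calls table is reduced to the columns used here, and the sample assumes the device clock was set to UTC.

```python
"""Correlate two artefacts the article names into one chronological timeline:
the `calls` table of the Android contacts provider (contacts2.db) and the EXIF
header in the APP1 segment of a camera JPEG. All inputs are constructed samples."""
import sqlite3
import struct
from datetime import datetime, timezone

# Type codes of android.provider.CallLog.Calls (incoming/outgoing/missed)
CALL_TYPES = {1: "incoming", 2: "outgoing", 3: "missed"}
# IFD0 ASCII tags we report: Make, Model, DateTime
EXIF_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}


def build_sample_calls_db():
    """Constructed stand-in for contacts2.db: only the `calls` columns used here."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT,"
               " date INTEGER, duration INTEGER, type INTEGER)")
    db.executemany("INSERT INTO calls (number, date, duration, type) VALUES (?,?,?,?)",
                   [("+15550100", 1333281600000, 95, 1),   # 2012-04-01 12:00 UTC, incoming
                    ("+15550199", 1333285200000, 0, 3)])   # 2012-04-01 13:00 UTC, missed
    return db


def calls_timeline(db):
    """(utc_datetime, description) per row; Android stores `date` as ms since epoch."""
    out = []
    for date_ms, number, duration, ctype in db.execute(
            "SELECT date, number, duration, type FROM calls"):
        ts = datetime.fromtimestamp(date_ms / 1000, tz=timezone.utc)
        out.append((ts, f"call {CALL_TYPES.get(ctype, str(ctype))} {number} ({duration}s)"))
    return out


def build_sample_jpeg(make, model, stamp):
    """Constructed minimal JPEG: SOI, one APP1/Exif segment holding IFD0, EOI."""
    tags = [(0x010F, make), (0x0110, model), (0x0132, stamp)]  # ascending tag order
    data_off = 8 + 2 + 12 * len(tags) + 4   # TIFF header, count, entries, next-IFD
    ifd, blob = b"", b""
    for tag, value in tags:
        raw = value.encode("ascii") + b"\x00"
        if len(raw) <= 4:   # short ASCII values live inline in the 4-byte value field
            ifd += struct.pack(">HHI", tag, 2, len(raw)) + raw.ljust(4, b"\x00")
        else:               # longer values follow the IFD and are referenced by offset
            ifd += struct.pack(">HHII", tag, 2, len(raw), data_off + len(blob))
            blob += raw
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + struct.pack(">H", len(tags)) + ifd + b"\x00" * 4 + blob
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def parse_exif(jpeg):
    """Walk the marker segments up to SOS/EOI and read IFD0 ASCII tags from APP1/Exif."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG stream")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        marker, seg_len = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        payload = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return _parse_ifd0(payload[6:])
        pos += 2 + seg_len
    return {}


def _parse_ifd0(tiff):
    """Honour the byte-order mark ('MM' big-endian, 'II' little-endian); decode ASCII tags."""
    end = ">" if tiff[:2] == b"MM" else "<"
    ifd0 = struct.unpack(end + "I", tiff[4:8])[0]
    count = struct.unpack(end + "H", tiff[ifd0:ifd0 + 2])[0]
    found = {}
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        tag, typ, n = struct.unpack(end + "HHI", entry[:8])
        if typ != 2 or tag not in EXIF_TAGS:
            continue
        off = struct.unpack(end + "I", entry[8:12])[0]   # only meaningful when n > 4
        raw = entry[8:8 + n] if n <= 4 else tiff[off:off + n]
        found[EXIF_TAGS[tag]] = raw.split(b"\x00", 1)[0].decode("ascii")
    return found


def exif_event(name, jpeg):
    """EXIF DateTime carries no zone; the sample assumes the device clock was set to UTC."""
    tags = parse_exif(jpeg)
    ts = datetime.strptime(tags["DateTime"], "%Y:%m:%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return (ts, f"photo {name} taken with {tags.get('Make')} {tags.get('Model')}")


def build_timeline(db, photos):
    """Merge call-log rows and photo events into one list sorted by time."""
    events = calls_timeline(db) + [exif_event(name, data) for name, data in photos]
    return sorted(events, key=lambda event: event[0])
```

Calling build_timeline(build_sample_calls_db(), [("IMG_0001.jpg", build_sample_jpeg("RIM", "BlackBerry Bold 9900", "2012:04:01 12:30:00"))]) places the photo between the two calls; on a real pull, replace the constructed database with the extracted contacts2.db and feed the camera JPEGs to parse_exif.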
For example, BlackBerry stores all chats (from Google, Yahoo, Windows Live, BlackBerry Messenger, AIM (AOL)) in plain-text mode in .csv files. File paths are often easy to find too.

Conclusion
BlackBerry devices as well as Android devices share the same evidentiary value as any other personal digital assistant (mobile device). As the investigator may suspect of most file systems, a delete is by no means a total removal of data from the device. However, RIM's always-on wireless push technology adds a unique dimension to forensic examination. Android, instead, tends to be more offline and wakes up on user actions.

As the BlackBerry is always on, information can be pushed to the device through its radio antenna at any time, potentially overwriting previously "deleted" data. Without warning, applications such as the email client, instant messaging, the wireless calendar, and any number of third-party applications may receive information that makes the forensic investigator's attempts to obtain an unaltered file system much more difficult. In order to preserve the unit, turn the radio off. You may perform the same action for Android; however, you need to do this quickly, and the two best ways are a Faraday cage or Airplane mode. Airplane mode may be harmful because the device still continues to interact with local data. Otherwise you may not get access to active devices to bypass the password. As a native feature, Android devices have a pattern lock that can be bypassed via fingerprinting; BlackBerry, instead, doesn't provide this technique, although third-party applications may easily be found on the market, especially for the PlayBook tablet.

Classic forensics for Android is a bit easier than for BlackBerry, because for BlackBerry there is no way except having a BlackBerry backup file. Moreover, this backup file may be emulated after you restore it on the BlackBerry Simulator via the USB Plugged option; the SD card may be copied into a folder and attached to the simulator. Android, instead, doesn't have this feature, but you can extract all database files from a plugged-in device, more successfully if it is rooted.

If the RIM device is password protected, you have to get the password, because the password is not stored on the unit; rather, an SHA-1 hash of the password is stored and compared to a hash of what is entered. The examiner only has the opportunity to guess 10 times before a file system wipe occurs to protect the data. This wipe will destroy all non-OS files. No software exists to circumvent the password protection; a direct-to-hardware solution will be required if the password is not available. Android devices offer the opportunity (after the limit of unsuccessful attempts is reached) to unlock the device via Google credentials, which leads to the strict rule of "placing the device online". It is a kind of risk to add some changes, but it is a better way than BlackBerry's. All live techniques may be valuable when you have installed "spyware", but they don't offer a successful end regarding the password. On the other hand, live techniques simplify the investigation, because you don't need to analyze a SQLite database and can extract data in any suitable format. Live techniques cover the same data points of interest to researchers, so there is no valuable difference between BlackBerry and Android. Commercial tools as well as free ones provide enough coverage of data extraction via live techniques without the need to develop them. Thus, RIM's currently unsurpassed portability is the examiner's greatest ally, more than Android, if we're talking about the password. If we need to emulate data, BlackBerry provides more native user tools to prevent changes from occurring.

On the Net
• http://www.amazon.com/Android-Forensics-Investigation-Analysis-Security/dp/1597496510 - Android Forensics: Investigation, Analysis and Mobile Security for Google Android. Andrew Hoog
• http://hakin9.org/to-get-round-to-the-heart-of-fortress/ - To Get Round To The Heart Of Fortress. Hakin9 Extra. Yury Chemerkin

YURY CHEMERKIN
Graduated from the Russian State University for the Humanities (http://rggu.com/) in 2010. At present a postgraduate at RSUH. Information Security Researcher since 2009 and currently works as a mobile and social infosecurity researcher in Moscow. Experienced in Reverse Engineering, Software Programming, Cyber & Mobile Security Research, Documentation and Security Writing as a regular contributor. Now researching Cloud Security and Social Privacy.
Contacts:
I have a lot of social contacts, that's why you're able to choose the most suitable way for you.
Regular blog: http://security-through-obscurity.blogspot.com
Regular Email: yury.chemerkin@gmail.com
Skype: yury.chemerkin
Other contacts of mine (blogs, IM, social networks) you'll find among the http links and social icons before the TimeLine section on Re.Vu: http://re.vu/yury.chemerkin