It's well known how more recent iOS and iPhone models limit the ability of forensics to recover deleted data and obtain system images, whereas Android devices are still relatively forensics friendly.
How do BlackBerry devices fare? Can system images be obtained? How about deleted data and internet evidence?
Thank you
From ForensicFocus' homepage the other day…
http://articles.forensicfocus.com/2015/06/23/future-of-mobile-forensics/
Interesting read, thank you. But the section on BlackBerry was the shortest.
If the device is not encrypted or you can decrypt it, can you obtain a physical acquisition of a BlackBerry, and how effective is obtaining deleted data?
If the device is not encrypted or you can decrypt it, can you obtain a physical acquisition of a BlackBerry, and how effective is obtaining deleted data?
1) Yes.
2) 73.2%.
See
http//
73.2% of 0 devices (the number that is expected to be found without encryption enabled and with a known device password) represents however a nice, round 0.
jaclaz
Well, I have just checked my BlackBerry and encryption was not set by default so I assume most are not. So I'm confused. If the encryption is not turned on, can an image be acquired, or is there some other encryption preventing this?
How about deleted data, any experiences?
Well, I have just checked my BlackBerry and encryption was not set by default so I assume most are not.
Interesting use of assumptions :), a whole new level of synecdoche
https://
So yes, on the typical BlackBerry (which you assume to be unencrypted given the large data sample you examined) you can make an acquisition and it is likely that you will be able to get around 73.2% of deleted data, provided that you know the device password (or if it is set to off).
This is still exactly the same answer already posted, and comes mainly from the given source
http//
and more specifically from this slide
http//
while the 73.2% is an indicative number that can vary depending on the specific device and case.
jaclaz
Very timely post for my practice - I have a client's Blackberry 9630 from which all email and text messages have been apparently deleted. This of course did not make the client's attorney very happy.
I see from the Elcomsoft slides that only Cellebrite can make a physical image of BB devices.
QUESTION: Has anyone tried using Chimera Tools to unlock a BB, which could then in theory allow a physical image to be made using FTK Imager?
If so, then I could possibly use FTK Imager or Mount Image Pro to mount the FTK Imager created forensic image, then use TestDisk to copy out folders and files, and then use Forensic Explorer to carve for deleted files.
Thoughts?
Here's a good article on BlackBerry forensics: http//
In short, physical acquisition of legacy models (prior to BB 10) is only possible for unlocked devices. And for BB 10, physical acquisition is not possible at all.