Blackberry Forensics

iruiper
(@iruiper)
Estimable Member
Joined: 19 years ago
Posts: 145
Topic starter  

Hi everybody.

I hope this subject doesn't previously exist. I promise I have tried to search for it in the forum, but I simply didn't find what I was looking for.

My question is the following: in the enterprise environment, most of the management guys make use of BB, iPhone or something like that over "normal" phones. In the specific case of BB, what is your favorite Forensic Tool for this? As far as clients in my region are concerned, Blackberry is used the most, and hence my question.

We are mainly considering Device Seizure and Oxygen… though the last one doesn't seem to make the acquisitions in a "forensic sound way".

Thanks in advance!


   
Quote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

What is a "forensic sound way"?

Hope this helps…
http://blogs.sans.org/computer-forensics/2009/06/15/common-pitfalls-of-forensic-processing-of-blackberry-mobile-devices/


   
ReplyQuote
(@kvs379)
Eminent Member
Joined: 16 years ago
Posts: 20
 

BlackBerry Desktop Manager creates a backup of the databases. You can examine the backed-up data using ABC Amber Converter. Additionally, you can view the backup in EnCase and run a script for file signatures. With regards to Oxygen not being 'forensic' - how so? You can also use XRY.

But if you are looking for a cheap alternative, consider using the BB Desktop Manager to back up and ABC Converter to read the data. Regardless of which tools you use, you should create a backup of the databases.


   
ReplyQuote
iruiper
(@iruiper)
Estimable Member
Joined: 19 years ago
Posts: 145
Topic starter  

What I meant with "Forensic sound" is to extrapolate the concept from the computers world to the mobile devices world, which involves not changing anything in the process.

@KVS379 as far as I have read in Oxygen documentation, it seems like it "installs" or "uploads" something in the BB to be able to make the connection.


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

What I meant with "Forensic sound" is to extrapolate the concept from the computers world to the mobile devices world, which involves not changing anything in the process.

Yeah, I kind of get that, but I'm still wondering what "forensic sound" means in general. You're referring to acquiring data in a manner where nothing is changed, and yet that's not how things happen in the physical world.

Case in point…and shoutz to Rob Lee for giving me this example years ago…you can be walking down the street or through a park at night and find a stabbing/mugging victim. You call 911, and EMS arrives, assesses and stabilizes the victim, and takes them to the hospital. At the hospital, doctors operate on the victim…if they save his life, LE can still find the assailant and convict them of attempted murder, or if the victim expires as a result of the wounds, can get the assailant for murder.

If things had to be done "forensic sound" as is often described, then the coroner would have to show up and "expire" the victim before any investigation could be done.

Now, I'm not suggesting that we go about altering data willy-nilly. However, what I am saying is that too often, buzzwords are used because someone else used them, and for no other reason. Yes, we need to take care in handling and managing data/evidence…of course. But too often, we reach paralysis because we're so concerned about being "forensic sound".

What if we can map the physical realm to the digital one? EMS and LE have procedures that they follow…so should we. That way, if/when we DO alter something, we can justify having done so. I think that's more important than simply not doing anything at all b/c we're afraid that we'll change something…but we can't describe what will be changed.


   
ReplyQuote
iruiper
(@iruiper)
Estimable Member
Joined: 19 years ago
Posts: 145
Topic starter  

Completely agree. I suppose I should have explained our usual scenario in more detail: most of my cases involve the acquisition of some piece of electronic evidence already preserved and stored under the custody of a notary public. This way, it makes absolutely no sense to modify anything at all, since the device is already "dead" (off) when I arrive for the acquisition.

That is why I use the concept "forensic sound" so much, because I am scarcely ever called for a "live" computer acquisition.


   
ReplyQuote
(@kvs379)
Eminent Member
Joined: 16 years ago
Posts: 20
 

@iruiper you are correct - Oxygen does indeed upload an agent. So is it forensic then? I don't think so - but this is debatable and I'm sure a few ppl will disagree with me. Have a look at the poll that's posted about validating mobile phone forensic tools.

Point is you are writing to the handset (BB). But at the same time, can any of the so-called 'forensic' software programs out there classify themselves as 'forensically sound'? …

When performing an extraction on a handset that uses the GSM 07.05 protocol to retrieve messages, the status of a message that is 'unread' changes to 'read' after the extraction. Data has therefore been altered and therefore cannot be considered forensic.

Anyways, to come back to what tools you should use: I still recommend you back up with BB Desktop Manager and read it with ABC Converter.


   
ReplyQuote
(@oxygen_software)
Trusted Member
Joined: 17 years ago
Posts: 53
 

For BBs it's possible to go without the Agent application - you should select a tool (not Oxygen Forensic Suite at this time, but soon it will be) that analyzes IPD backups.
The same goes for iPhones.

But for Symbian OS, Windows Mobile and Android devices your "change nothing" scenario is simply unrealizable. Any tool that uses a logical approach actually changes some data inside the smartphones specified above. That's because all logical protocols were developed for Sync purposes, not for forensics.

Let's see what we have to extract information from smartphones with logical tools:
1. Symbian OS. If your preferred tool uses AT commands, you simply cannot access a lot of vital information. If it uses SyncML (stands for Synchronization Markup Language), the sync log is updated inside the phone, and moreover - in many cases the phone requires extra SyncML add-ons to be installed during the acquisition process. Besides that - again, a lot of forensic information (including the event log and custom message folders) is still not accessible.

2. Windows Mobile. There is no way to bypass the ActiveSync protocol if your logical tool connects to the WM device via USB cable. Do you think "ActiveSync" sounds forensic? *wink*

3. Android devices. No AT commands, no SyncML, no PC backup utility. You simply have no alternative to an Agent application.

That's why we developed OxyAgent for Symbian, WM and Android devices. It doesn't modify any data (except the memory it occupies when installing), allows extracting much more information than other logical tools and can bypass ActiveSync for WM phones by connecting directly to the device via Bluetooth.

To sum it up - the only way to "change nothing" for the majority of smartphones is physical analysis. Otherwise you should understand and admit that changes in device memory will happen even if you simply plug the cable into a phone or open the standard Contacts application to manually browse the phonebook.

P.S. We recently published a PowerPoint presentation about the Agent application usage in Oxygen Forensic Suite. If it could be interesting to the community, here is the link: http://www.oxygen-forensic.com/download/presentations/mfa_Smartphones.ppt


   
ReplyQuote
(@burratha)
Eminent Member
Joined: 18 years ago
Posts: 43
 

To add my 2p to this conversation….

People should remember that most handsets utilise a two-way communication with the forensic machine in order to pass data. The data is passed in a logical, readable format (i.e. like a vCard) or, in the BlackBerry's case - even with the Desktop software - the handset offers the data out in a database.

Make your whole process forensic and auditable as the software can't do it on its own!

Just a note - use Amber with some care - the timestamps aren't always spot on.


   
ReplyQuote
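Several posts above converge on the same practical point: the acquisition tool will touch the handset (an uploaded agent, an SMS flag flipping from unread to read), so the examiner's process, not the software, has to carry the audit trail and justify each known change. The following Python helper is an added example written for this thread, not code from any vendor tool or from a poster: it hashes an acquired backup file (for instance a Desktop Manager backup), writes a custody record listing the tool and the alterations the examiner already knows that method makes, and later verifies that the working copy still matches the acquired one. The file contents, tool name and examiner id in `demo()` are constructed sample values.

```python
"""Minimal acquisition audit record for a handset backup file.

Hypothetical helper written as an illustration for this thread; it is not
part of BlackBerry Desktop Manager, Oxygen, or any other product.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Return the hex SHA-256 of a file, read in chunks so large backups fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def create_audit_record(backup_path, tool, examiner, known_changes):
    """Build a custody record for an acquired backup.

    known_changes lists every alteration the examiner knows the acquisition
    method makes to the handset (an installed agent, message read flags that
    change during extraction, ...), so the change is documented up front
    rather than discovered and argued about later.
    """
    return {
        "file": os.path.basename(backup_path),
        "size": os.path.getsize(backup_path),
        "sha256": sha256_file(backup_path),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "tool": tool,
        "examiner": examiner,
        "known_changes_to_handset": list(known_changes),
    }


def record_to_json(record):
    """Serialize the record for storage next to the backup (sorted keys, stable output)."""
    return json.dumps(record, indent=2, sort_keys=True)


def verify_against_record(backup_path, record):
    """Return (ok, reason); ok is True only if size and SHA-256 still match the record."""
    size = os.path.getsize(backup_path)
    if size != record["size"]:
        return False, f"size changed: {record['size']} -> {size}"
    digest = sha256_file(backup_path)
    if digest != record["sha256"]:
        return False, "sha256 mismatch: working copy differs from acquired file"
    return True, "match"


def demo():
    """Constructed run: write a fake backup, record it, then alter the working copy."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample bytes, not a real backup file.
        backup = os.path.join(d, "handset_backup.bin")
        with open(backup, "wb") as f:
            f.write(b"constructed backup contents\n" + b"\x00" * 64)

        record = create_audit_record(
            backup,
            tool="desktop backup utility (constructed)",
            examiner="examiner-01 (constructed)",
            known_changes=["backup taken over USB; no agent installed on handset"],
        )
        ok_before, _ = verify_against_record(backup, record)

        # Simulate a working copy that was modified after acquisition:
        # one byte changes, so the size stays the same but the hash does not.
        with open(backup, "r+b") as f:
            f.seek(40)
            f.write(b"\x01")
        ok_after, reason = verify_against_record(backup, record)
        return ok_before, ok_after, reason


if __name__ == "__main__":
    print(demo())
```

The size check runs first because it is cheap and catches truncated copies without hashing; the hash check then catches in-place edits of the same length, which is exactly the case `demo()` simulates.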
 Doug
(@doug)
Estimable Member
Joined: 16 years ago
Posts: 185
 

I am a fan of RTL's Aceso unit for BlackBerrys. It always seems to work well and it can extract some interesting thumbnail files from the file system which can be pretty handy on occasions.


   
ReplyQuote
Page 1 / 2
Share: