BlackBerry deleted data

wotsits
(@wotsits)
Active Member

It's well known how more recent iOS and iPhone models limit the ability of forensics to recover deleted data and obtain system images, whereas Android devices are still relatively forensics friendly.

How do BlackBerry devices fare? Can system images be obtained? How about deleted data and internet evidence?

Thank you

Topic starter Posted : 26/06/2015 1:19 am
eyez0n
(@eyez0n)
Junior Member

From ForensicFocus' homepage the other day…

http://articles.forensicfocus.com/2015/06/23/future-of-mobile-forensics/

Posted : 26/06/2015 2:15 am
wotsits
(@wotsits)
Active Member

Interesting read, thank you. But the section on BlackBerry was the shortest.

If the device is not encrypted or you can decrypt it can you obtain a physical acquisition of a blackberry and how effective is obtaining deleted data?

Topic starter Posted : 26/06/2015 5:59 am
jaclaz
(@jaclaz)
Community Legend

If the device is not encrypted or you can decrypt it can you obtain a physical acquisition of a blackberry and how effective is obtaining deleted data?

1) Yes.
2) 73.2%.

See
http://www.slideshare.net/andrey.belenko/ios-and-blackberry-forensics

73.2% of 0 devices (the number that is expected to be found without encryption enabled and with a known device password) represents however a nice, round 0.

jaclaz

Posted : 26/06/2015 1:59 pm
wotsits
(@wotsits)
Active Member

Well, I have just checked my BlackBerry and encryption was not set by default so I assume most are not. So I'm confused. If the encryption is not turned on can an image be acquired or is there some other encryption preventing this?

How about deleted data, any experiences?

Topic starter Posted : 01/07/2015 6:03 am
jaclaz
(@jaclaz)
Community Legend

Well, I have just checked my BlackBerry and encryption was not set by default so I assume most are not.

Interesting use of assumptions :), a whole new level of synecdoche
https://en.wikipedia.org/wiki/Synecdoche

So yes, on the typical BlackBerry (which you assume to be unencrypted given the large data sample you examined) you can make an acquisition and it is likely that you will be able to get around 73.2% of deleted data, provided that you know the device password (or if it is set to off).

This is still exactly the same answer already posted, and comes mainly from the given source
http://www.slideshare.net/andrey.belenko/ios-and-blackberry-forensics
and more specifically from this slide
http://image.slidesharecdn.com/iosandbbforensics-121213032238-phpapp02/95/ios-and-blackberry-forensics-39-638.jpg
while the 73.2% is an indicative number that can vary depending on the specific device and case.

jaclaz

Posted : 01/07/2015 4:07 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Very timely post for my practice - I have a client's Blackberry 9630 from which all email and text messages have been apparently deleted. This of course did not make the client's attorney very happy.

I see from the Elcomsoft slides that only Cellebrite can make a physical image of BB devices.

QUESTION: Has anyone tried using Chimera Tools to unlock a BB, which could then in theory allow a physical image to be made using FTK Imager?

If so, then I could possibly use FTK Imager or Mount Image Pro to mount the FTK Imager created forensic image, then use TestDisk to copy out folders and files, and then use Forensic Explorer to carve for deleted files.

Thoughts?

Posted : 01/07/2015 10:13 pm
v.katalov
(@v-katalov)
Member

Here's a good article on BlackBerry forensics: http://www.nist.gov/forensics/upload/5-Punja-nist-2014-bb-forensics-FULL.pdf

In short, physical acquisition of legacy models (prior to BB 10) is only possible for unlocked devices. And for BB 10, physical acquisition is not possible at all.

Posted : 14/07/2015 3:31 pm