Deleted BBM extract...
 
Notifications
Clear all

Deleted BBM extraction from physical or chip-off

RonS
 RonS
(@rons)
Active Member

Since the interest in BBM messages is still very relevant, I would like to share with you that the next UFED Physical Analyzer release will add deleted BBM extraction from the physical dumps and chip-offs.

This is a fruit of a long research that ended with success.

Ron Serber

Quote
Topic starter Posted : 03/09/2012 10:56 pm
sideshow018
(@sideshow018)
Member

As a fan of the Chipoff process with Blackberry's, this is good news……B

ReplyQuote
Posted : 04/09/2012 12:19 am
trewmte
(@trewmte)
Community Legend

Hi Ron

If a user of a BB smartphone has
i) 'exhausted' the ten password attempts and
ii) failed to gain access eg thus data erased by the BB smartphone
can you confirm which data can be recovered by the new UFED in the above circumstances?

Thank you.

I have recently been asked about BB regarding i) and ii). For the avoidance of doubt I have in mind BB knowledge base

KB10385 http//btsc.webapps.blackberry.com/btsc/viewdocument.do?noCount=true&externalId=KB10385&sliceId=1&cmd=displayKC&dialogID=294491&docType=kc&isLoadPublishedVer=&stateId=294492&docTypeID=DT_SUPPORTISSUE_1_1&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl

Multiple attempts to type in a password prompts a warning that data will be wiped from the BlackBerry smartphone

Environment

BlackBerry® smartphones

Overview

You have typed an incorrect password into your BlackBerry® smartphone up to five times and received a warning that the next failed attempt will wipe the data from your BlackBerry smartphone.

Cause

As a security feature, the BlackBerry smartphone is designed to allow a maximum of 10 attempts by the BlackBerry smartphone user to type the correct password. After the tenth attempt, if the correct password has not been typed, all data is erased from the BlackBerry smartphone in order to discourage its theft or misuse.

The counter for the incorrect password is shared between the BlackBerry smartphone, BlackBerry Desktop Software and a BlackBerry Bridge connection to a BlackBerry PlayBook tablet. If the password is entered incorrectly in any of these locations, the counter will be reflected on the smartphone.

Resolution

If you are certain that the password you are typing into the BlackBerry smartphone is correct, complete the following steps

Note If you are using the Duress Notification Address policy, skip steps 1 through 3 (for more information regarding the Duress Notification Address policy, refer to page 53 of the Policy Reference Guide).

Deliberately type in an incorrect password five times on your BlackBerry smartphone.
Before the BlackBerry smartphone allows a further attempt, you will be prompted to type the word blackberry in plain text.
Instead of asterisks, the text you have been entering for the password will now show in plain text. Check to verify that it is correct.
If the password is still being rejected by your BlackBerry smartphone as incorrect, connect the BlackBerry smartphone to a computer that has BlackBerry® Desktop Manager installed.
A prompt will appear in BlackBerry Desktop Manager to type the password for the BlackBerry smartphone. Type your password to rule out missed key strokes, incorrect symbols, or a problem with the BlackBerry smartphone.

Note If you do not use the alt or shift key when entering the password on the BlackBerry smartphone, the password will consist of the corresponding letters on the keypad.
If the password that you typed is still rejected and your BlackBerry smartphone is on a BlackBerry® Enterprise Server that has software version 4.0 or later, contact your BlackBerry Enterprise Server administrator and request that your password be reset.

Note Research In Motion does not have
Access to your existing BlackBerry smartphone password.
The ability to change the password for you.

If you are not on a BlackBerry Enterprise Server or using BlackBerry Protect, and you have forgotten your password, there is no way to have the password changed without wiping all data from your BlackBerry smartphone.

ReplyQuote
Posted : 04/09/2012 10:22 am
Doug
 Doug
(@doug)
Active Member

Sounds exciting Ron! D

ReplyQuote
Posted : 04/09/2012 1:50 pm
RonS
 RonS
(@rons)
Active Member

trewmte,

Blackberry physical extraction is not limited to the new UFED Touch, it is also available on UFED Classic.

Regarding your question, the physical extraction itself does not provide a solution for locked devices.
For locked devices, the solution would be to perform a chip-off and then use UFED Physical Analyzer to decode that chip-off image. This process will yield deleted BBM messages using the next UFED PA version.

Ron

ReplyQuote
Topic starter Posted : 04/09/2012 9:28 pm
mobileterry
(@mobileterry)
New Member

Ron,

Does the cellebrite UFED have the capability to decrypt a chip-off image that is from devices that had both password protection and content-protection (encryption) enabled?

ReplyQuote
Posted : 16/11/2012 2:35 pm
RonS
 RonS
(@rons)
Active Member

mobileterry,

Generally the answer is yes, but it depends on the device and the BB OS version.

Ron

ReplyQuote
Topic starter Posted : 16/11/2012 5:41 pm
mobileterry
(@mobileterry)
New Member

Thanks Ron,

How long does the decoding/decryption usually take if strong encryption and password protection are turned on? (from a chipoff image) Doesn't it have to brute-force the password or key?

ReplyQuote
Posted : 17/11/2012 1:49 am
RonS
 RonS
(@rons)
Active Member

It depends on many factors and will not always work.
See PM

ReplyQuote
Topic starter Posted : 17/11/2012 1:47 pm
Coligulus
(@coligulus)
Active Member

Gregg,

To answer your question I think that you will have no luck getting anything back if the device has had the passcode entered incorrectly X times and caused a wipe to commence.

I had this same issue with a customer who gave me 12 variations of a password to try, obviously I was going to only be able to try 10 of those, so, after prioritising the list of 12, 10 passwords were entered, each of which was unsuccessful. The device commenced the wiping operation. I attempted to remove the battery and replace, but the wiping continued once the battery was replaced.

After this I took a physical acquisition using UFED and got absolutely nothing back. It is my understanding that the wipe operation doesn't just replace the file system but actually zeros out the memory space first.

If my memory serves me correctly it was an 8520 which I did this on.

Colin

ReplyQuote
Posted : 22/11/2012 3:31 pm
trewmte
(@trewmte)
Community Legend

Thanks Colin, appreciate your reply. You are confirming with the model you tested what the early report wrote about BB's on-board security enabled wipe capability is still relevant today.

ReplyQuote
Posted : 22/11/2012 5:12 pm
Share: