The document discusses techniques for analyzing data from BlackBerry and Android mobile devices for forensic purposes. It compares the approaches used for each mobile operating system and describes the types of data that can be extracted, including contacts, messages, call history, photos and more. The document outlines both logical extraction techniques using forensic software as well as physical acquisition methods. It also discusses challenges like password protection, network isolation techniques to prevent remote wiping, and bypassing authentication to access encrypted device data.
MOBILE FORENSICS RESEARCH ON ANDROID AND BLACKBERRY
Vol. 2 No. 4, Issue 03/2013 (8) April
STATE OF ART OF MOBILE FORENSICS
Comparative research of techniques on
BlackBerry OS (incl. PlayBook) and Android OS
by Yury Chemerkin
At present, BlackBerry leads in how little its security has been examined, more so than Android, despite the existing approaches (Android was not developed to be secure), and the security techniques implemented in these mobile devices are not a decisive argument for their security. The same applies to forensics. Security agencies have to deal with mobile forensics again and again.
What you will learn:
• The difference between similar mobile OSes based on different kernels (BB OS, PlayBook OS)
• How Android forensics differs from BlackBerry forensics
What you should know:
• Basic knowledge of Android & BlackBerry forensics
• Basic knowledge of classic forensics techniques and live forensics (live monitoring) techniques
Forensics tools may give an incredible opportunity to obtain all kinds of data, but there are too many slight objections. As long as companies follow only one of the two ways, classic forensics or live monitoring (DLP or similar), it fails because the cases each covers are limited; the forensics field therefore needs a more effective synthesis of mechanisms.
Introduction
Mobile device forensics relates to the recovery of digital evidence or data from a mobile device. The memory type, custom interface and proprietary nature of mobile devices require a different forensic process compared to other forensics. Mobile extraction techniques tend to be less unique, especially throughout logical acquisition. This level deals with data types known to any user, and this data set rarely differs among iOS, Android and BlackBerry. The data set often contains items such as messages (SMS/MMS/Email/IM), social network data, contacts, calendar, phone logs, wallet and other financial application data, media data (Audio/Photos/Videos) and other data, even the file structure, browser data (web history as a timeline, and bookmarks), and shared folders.
Nowadays mobile devices provide a number of features to integrate all possible communications and aggregate them with data, on BlackBerry as well as on Android. The native and third-party applications often connect to email, maps, IM messengers and social statuses. They keep users connected and do far more. The BlackBerry apps environment is known to be more widely bound and more amazing than Android's. On the other hand, Android has not only plenty of third-party applications that differ greatly, but also hundreds of variations depending on the manufacturer. By contrast, the BlackBerry PlayBook runs on QNX OS and offers modern technologies that are removed from real development. All of the above produces a zoo of mobile phones and highlights issues of misusing security techniques in development. The new special skills that forensics experts require are rarely based on experience only.
Each year the classic forensics techniques run into a huge problem, while live forensics (or live monitoring) gives new opportunities to work with data. Sometimes a company IT policy or the OS design may help to make sure that no triggers will break the investigation. The physical approach is trustworthy but not operational, while the logical one is more dangerous because of synchronization via network, cellular, and OTA. There are too many cases where one cannot afford to do without preventive methods or tools that simplify classic forensics. This paper describes technical problems encountered in forensics as well as different live solutions that may be useful and that became the “right” way as vendors' development progressed.
Approach
Several techniques pertain to mobile forensics:
• Physical acquisition is a bit-by-bit copy of an entire physical store, i.e. a full physical copy (all the bits in memory, not just the files) of the entire memory store on the device.
• Logical acquisition is a bit-by-bit copy of logical storage objects (e.g., directories and files).
• Commercially available forensic software tools (an extension of the previous), which, as time passes, are becoming increasingly capable and sophisticated.
• Backup: this technique is relatively easy, and it allows a significant amount of user-created data (photographs, songs, emails, texts) to be preserved.
• Manual acquisition uses the user interface to get pictures of data from the screen, simply operating the phone (by navigating through the email, photographs, or contacts list, for example) while videotaping and/or photographing the results.
As manual acquisition does not differ among mobile devices, it is left out here, as is physical acquisition, which aims to recover deleted data without relying on the file system itself. Logical techniques stand out for easy and fast data extraction and for “simple” or SQL-based data types (formats).
www.eForensicsMag.com
Potential Data as Evidence
Potential attack vectors vary; however, the most popular of them are:
Table 1. Extractable data

| Type | BlackBerry Smartphone | BlackBerry Playbook |
|---|---|---|
| Address Book | + | - |
| Calendar Events | + | - |
| Call History | + | - |
| Browser history and bookmarks | + | + |
| Process Management | + | - |
| Memos and Tasks | + | - |
| Screen-shots | + | + |
| Camera-shots | + | + |
| Videocamera-shots | + | + |
| Clipboard | + | + |
| Location tracking (cell, wifi, gps, bluetooth) | + | + |
| SMS/MMS/Emails/IM | + | - |
| Saved Messages | + | - |
| Pictures, Videos, Voice notes, and other files | + | + |
| File and Folder structure | + | + |
| IMs | + | - |
| Passwords | + | + |
| Clipboard | + | + |
Network Isolation
One of the main ongoing considerations for analysts is protecting the device from any network changes, which is sometimes achievable for the PlayBook, as it has no cellular connection but only a network connection (Wi-Fi, 4G). As mentioned earlier, a connection might bring in new data. However, any interaction with the devices, such as plugging and unplugging the device, will modify them. The first idea is to disable encryption or prevent locking in order to examine the device while it is running. The PlayBook, like other such devices, is difficult to analyze forensically without negative effects because its storage cannot be easily removed: storage is internal only, and there is no external storage such as the SD card of a BlackBerry smartphone.
The worst case in forensics is a remote wipe, or data being added or overwritten outside the examiner's control, initiated by some trigger, often an SMS or incoming call. That is impossible even through BlackBerry Bridge: SMS for BlackBerry Bridge simply was not developed, and the incoming call notification cannot be caught through the API, like all other Bridge events. Nevertheless, forensics experts still have to prevent a connection.
A powerful way that helps is “airplane mode” (or the same feature under a different name). Android's problem with stopping network communications is its awkward GUI: the forensics officer should first press and hold the Power off button and select Airplane mode (if this hotkey works), or otherwise press Menu (from the home screen), then Settings, and finally the Wireless option, which is generally near the top. That only disables the cellular network; to block wireless connections such as Bluetooth or Wi-Fi he has to leave the home screen for the settings, which is frustrating because time is counting and no one can be sure that the settings GUI is the same among devices. BlackBerry allows doing it very quickly by clicking the tray on the home screen.
Push-Technology
The BlackBerry (smartphone) was primarily engineered for email and comes with a built-in mobile phone, providing access to email from anywhere. It is always on and participating in wireless push technology, and it does not require any kind of desktop synchronization like the others.
The BlackBerry PlayBook is an add-on for a BlackBerry smartphone only, because BlackBerry Bridge accesses mail, calendar and contacts directly from a tethered BlackBerry phone. The PlayBook has neither push technology for email, calendar and the like (only IMAP4 and POP3, apart from an MS Exchange link) nor BIS, apart from BlackBerry Mobile Fusion, which manages non-BlackBerry smartphone devices and a BES existing in the company. In addition, email and social accounts may break and ask the user to re-enter his password, which may help to discard pushed data. It means the PlayBook is not always on, and there are few types of information that can be pushed to it with subsequent overwriting or deletion.
Similar to the PlayBook, Android gives time to change the network state. For example, only the main email box folders may be changed via IMAP or Exchange, because the PlayBook or Android needs time, or a manual press of the “update” button, to retrieve new data from the Internet. As opposed to the smartphone, the PlayBook and Android are filled with stand-alone applications that might use the Internet connection in standby mode or when applications are swiped down; by default, the PlayBook has an option to restrict activity in this state. The PlayBook address-book application has Facebook, Twitter and LinkedIn connections, but synchronization never happens before the user runs the application and waits until it is done. Sometimes it takes a minute or even more.
Password Protection
BlackBerry devices come with password protection and an attempt limit (by default five out of ten, minimum three out of ten; the PlayBook may vary from five to ten, where “ten” is usually for the PlayBook device itself and “five” is for BlackBerry Desktop Software with a plugged-in PlayBook). If the limit is exceeded, the device will wipe itself (factory reset). All data stored on external memory will be kept, because that is not part of the factory configuration; this concerns the smartphone, not the PlayBook, which has no external storage.
The ability to circumvent the pass code on an Android device is becoming more important, as pass codes are used frequently and in most cases do not allow data extraction, the same as for BlackBerry. There are three types of pass codes on Android:
• Pattern lock, the default on the initial Android devices: to access the device, the user draws a pattern on the locked phone.
• Pass code: the simple personal identification number (PIN) commonly found on other mobile devices.
• Full alphanumeric code, which is more secure than a PIN.
If the device screen is active, the screen timeout setting should be checked and the existing short period changed (from less than a minute up to about 1 hour).
Password Extraction and Bypassing
BlackBerry
Accessing encrypted information stored in password-protected backups is possible via Elcomsoft products, which offer to recover the original password of the backup and the device. The toolkit allows eligible customers to acquire bit-to-bit images of devices' file systems, extract phone secrets (pass codes, passwords, and encryption keys) and decrypt the file system dump. It also reads BlackBerry Wallet data and Password Keeper data. Recovery of the BlackBerry password is possible only if the user-selectable Device Password security option is enabled to encrypt media card data.
Android
As Android devices used the pattern lock for pass code protection instead of a numeric or alphanumeric code, there is an interesting point: a clean touch screen reveals nothing, but a touch screen marked with fingerprint smudges that show their direction is a good way to bypass the pattern lock. Therefore, it is possible to determine the pattern lock of a device by enhancing photographs of the device's screen [6].
Android has the so-called Password and Pattern Lock Protection. The Password Lock can contain letters, numbers, and special characters, while the Pattern Lock looks like a numbered set of gestures that must be performed to unlock the device, where the user is allowed to choose at least four of nine points in a ten-digit set. The directions between them are stored in the file “/data/system/gesture.key” on internal storage as a byte sequence hashed with SHA-1. The Password Lock is stored in the file “/data/system/pc.key” on internal storage, also as a byte sequence hashed with SHA-1. Access to these files works only if the device is already rooted and has USB Debugging mode on.
Live techniques (or spyware)
Security researcher Thomas Cannon [6] developed a technique that allows a screen lock bypass by installing an app directly through the new web-based Android Market. The procedure is really quite simple. Android sends out a number of broadcast messages that an application can receive, such as SMS received. An application has to register its receiver to receive broadcast messages. Once the application is launched, it just calls the disableKeyguard() method in KeyguardManager. This is a legitimate API that enables applications to disable the screen lock, e.g. when an incoming phone call is detected.
Similar techniques for BlackBerry were discussed in [1], [4], [5]:
• The default feature of showing the password without asterisks, which makes a screen capture possible. It works if the “screenshot” API is not disabled (by default it is allowed).
• The scaled preview of a typed character on the virtual keyboard. It works too and may be captured in a screenshot. As a further step, an agent may XOR two screenshots and extract the preview of the pressed key as well as the typed text.
• Stealing the password during synchronization from BlackBerry Desktop Software. It works because of security issues in the Windows API. Moreover, it works for grabbing not only the device password but the backup password too.
• Redrawing a fake window to catch the password typed on the device, with a social engineering element announcing “something is crashed and lock the device, please unlock by re-entering a password”.
The last two techniques (stealing and redrawing) work on the PlayBook as well. Moreover, developers must implement swipe-down event listeners, otherwise the application will not be closed or minimized until the battery discharges.
Classic Forensics
Gathering Logs and Dumps
The main evidence procedure violates the forensic method by requiring the examiner to record the logs kept on the device and to take a dump. Some debug logs can be viewed on the device by pressing hotkeys on a BlackBerry smartphone, while Android and the PlayBook do not provide the same feature, or through SDK tools.
BlackBerry Smartphone
The BlackBerry SDK tools or BBSAK allow extracting BlackBerry event logs to a text file via USB. Two tools named “javaloader.exe” and “loader.exe” allow extracting not only event logs but also a dump of the device, all executable modules (.cod files) with dependent modules, screenshots, and device info. The first of them needs the PIN and password, while the second does not [1].
BlackBerry PlayBook
Every SDK provided by RIM, e.g. the Adobe AIR SDK, has a tool “blackberry-connect”, which is just a wrapper for “Connect.jar”. Before connecting, an RSA key pair should be generated with “ssh-keygen -t rsa -b 4096” and the “Dev Mode” option enabled. Then the target IP (often 169.254.0.1 for USB), the device password and the SSH key should be passed as parameters. This tool extracts device information (such as OS, fingerprint, hardware ID, vendor ID, debug mode tokens, etc.), application list information (such as module, version, icon ID, name, vendor, source, etc.) and more. Also, the Wi-Fi logs, which store IP, DNS, subnet mask, and information about (un)successful attempts, may only be analysed by manual acquisition.
Android
Some kinds of data storage mechanism providing low-level interaction with the network, web servers, etc. are available to developers for storing and retrieving data via the packages java.net and android.net. Such log files store actions with date and time stamps, error/warning/successful authentication events, logins, and some data such as email addresses, access keys, private keys or application ID keys, while SQL db files may store all uploaded, downloaded and transferred data of an application, often without encryption. They might contain much more data than on BlackBerry, if only developers know of them and use them.
Similar to BlackBerry, Android has an SDK tool, “adb”, for gathering information too; it runs as a daemon on the device and proxies the recursive copy, which runs only with shell permissions. Successful access aims at extracting (copying) the entire “/data” partition to a local directory, along with useful files such as unencrypted apps, most of the tmpfs file systems, which can include user data such as browser history, and system information found in “/proc”, “/sys”, and other readable directories.
Backup
BlackBerry Smartphone and Tablet
Managing backups starts with BlackBerry Desktop Manager, which produces an “.ipd” file (earlier; now it is a .bbb file that is just compressed with tar) in a destination folder. This file stores:
• on a BlackBerry smartphone, very granular data (incl. settings) such as Address Book, Alarm, Attachment, AutoText, BlackBerry Bridge, BlackBerry Wallet, Bluetooth, Browser, Calendar, Camera, Certificate, etc.
• on a BlackBerry tablet, only Application Data, Media and Settings. As the PlayBook does not provide a native Password Wallet, many third-party applications save data in the shared documents folder in .db format, which is easy to analyse if there is no encryption.
BlackBerry Simulation
This feature is unfortunately unavailable for Android and the PlayBook, although it is very useful and valuable. The BlackBerry Simulator is built for simulating a backup copy of the physical device. This is helpful if the device is low on battery, needs to be turned off, or when the data on the physical device must not be altered.
Android
Android did not provide a mechanism for users to back up their personal data, although the backup API is now available and synchronization provides Outlook linking. Instead, a large number of backup applications were developed and distributed on the Android Market, often with a “Save to SD Card” feature as well as upload to the cloud.
Anyway, the backup area covers the following items:
• Application installers (if phone has root access,
this includes APK Data and Market Links)
• Contacts, Call log, Calendars
• Browser bookmarks
• SMS (text messages), MMS (attachments in
messages)
• System settings
• Home screens (including HTC Sense UI)
• Alarms, Dictionary, Music playlists
• Integrated third-party applications
Live Forensics (including files on storage)
There are some situations in which it is not desirable to shut down and seize the digital device and perform the forensic analysis at the lab. For example, if there is an indication that an encryption mechanism is used on the digital device that was discovered, then the investigator should not shut down this digital device. Otherwise, after shutdown all the information (potential evidence) that was encrypted will be unintelligible. By performing live analysis, the investigators attempt to extract the encryption key from the running system.
An up-to-date BlackBerry holds a lot of data, such as several mobile or home phone numbers, faxes, emails, work and home addresses, web pages or dates; IM data and social data; and private data such as tracking info, habits, time marked as free, the time when the user is probably sleeping, the time when the user is at home or at the company, and much else. However, all of it can be extracted only with the API or from a backup file. Android's data set is stored on internal and on external storage, but only internal storage keeps a strict folder structure, because the Android API controls it. The typical internal place to store any kind of data is “/data/data/”, where cache and databases are stored in the “PackageName” folder. Android data is stored on internal and external storage as binary (or simply text) files as well as packed into XML or SQLite database formats. The XML format allows Boolean, integer, float or string data types and lets developers create, load, and save the configuration values that power their application. Internal files allow developers to store very complicated data types and save them in several places on the internal storage, which by default can only be read by the application; even the device owner is prevented from viewing the files without root access. While files stored on the device's internal storage have strict security and location parameters, files on the various external storage devices have far fewer constraints. SQLite is one of the most popular database formats, appearing in many mobile systems for many reasons: it is high quality, open source, tends to be very compact, is a cross-platform file format, and finally, the Android SDK provides an API for using SQLite databases in applications. The SQLite files are generally stored on the internal storage under /data/data/<packageName>/databases, without any restrictions on creating databases elsewhere.
The Android contact (address book) data is stored under “/data/data/com.android.providers.contacts” on internal storage. It also stores the call logs for the device, in the calls table. There are over 30 tables in contacts2.db, containing additional values about contacts and additional data contributed by different accounts: Gmail, Exchange, Facebook, Twitter, etc. If pictures of the contacts are available, they are stored in the files directory and named thumbnail_photo_[NNNNN].jpg. Additionally, Facebook data is stored in the file “/data/data/com.facebook/fb.db”, which contains nearly all of the information, including albums, info_contacts, notifications, chatconversations, mailbox_messages, photos, chatmessages, search results, default user images, mailbox profiles, stream photos, events, mailbox threads, friends and others. Gmail data is located in “/data/data/com.google.android.gm”, which stores each configured Gmail account in a separate SQLite database filled with the entire e-mail content. GMaps data, located in “/data/data/com.google.android.apps.maps”, stores a large amount of information about maps, tiles, searches, and more in the files directory, often in “search_history.db”, or actual spoken directions stored as map data on the SD card in .wav files; the time stamps on the files prefixed with “._speech” simplify building a movement timeline. In addition, Android provides file and folder storage at “/data/data/com.android.providers.telephony”, filled with the MMS attachments (images, video, or any other supported data) and SMS messages as a database table with all messages. A bit more information is available under the file path “/data/data/com.android.mms”, which holds cached data or outgoing data.
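Reading the calls table from a working copy of contacts2.db, as an added example that is not part of the original article: the copy is opened read-only and hashed before and after, and the epoch-millisecond date values are turned into a UTC timeline. The column names follow Android's CallLog.Calls (number, date, duration, type); the sample rows are constructed and the function names are hypothetical.

```python
import hashlib
import os
import sqlite3
import tempfile
from contextlib import closing
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Direction codes as defined by Android's CallLog.Calls constants.
CALL_TYPES = {1: "incoming", 2: "outgoing", 3: "missed"}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def sha256_file(path):
    """Hash a file in chunks so large evidence copies do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def call_timeline(db_path):
    """Read the calls table of a working copy without modifying the file.

    Returns (hash_before, hash_after, rows); equal hashes show that the
    analysis left the copy untouched.
    """
    before = sha256_file(db_path)
    # mode=ro rejects writes; immutable=1 additionally stops SQLite from
    # creating -journal/-wal side files next to the evidence copy.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    with closing(sqlite3.connect(uri, uri=True)) as con:
        cur = con.execute(
            "SELECT number, date, duration, type FROM calls ORDER BY date")
        rows = [
            {
                "utc": (EPOCH + timedelta(milliseconds=ms)).isoformat(),
                "number": number,
                "duration_s": duration,
                "direction": CALL_TYPES.get(kind, "unknown(%s)" % kind),
            }
            for number, ms, duration, kind in cur
        ]
    return before, sha256_file(db_path), rows


def build_sample_db(path):
    """Create a constructed stand-in for an extracted contacts2.db."""
    with closing(sqlite3.connect(path)) as con:
        con.execute("CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT,"
                    " date INTEGER, duration INTEGER, type INTEGER)")
        con.executemany(
            "INSERT INTO calls (number, date, duration, type) VALUES (?,?,?,?)",
            [   # constructed rows, deliberately out of chronological order
                ("+15550100", 1364817600000, 305, 2),
                ("+15550101", 1364814000000, 0, 3),
                ("+15550100", 1364810400000, 62, 1),
            ])
        con.commit()


def demo():
    """Build the sample database in a temp dir and return call_timeline()."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "contacts2.db")
        build_sample_db(path)
        return call_timeline(path)


if __name__ == "__main__":
    before, after, rows = demo()
    print("unchanged:", before == after)
    for row in rows:
        print(row["utc"], row["direction"], row["number"], row["duration_s"])
```

The same read-only pattern applies to the other per-application databases named above; only the table and column names change.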
The clipboard is breakable too, because the user either has to see a password in order to retype it in another application, where it can easily be screen-captured, or copy it into the clipboard, which is not protected; the user still has to put the data (password) into a non-protected text box, sometimes even in plaintext. In other words, the endpoint object is vulnerable. A clipboard API exists as getClipboard() on BlackBerry, getData() on PlayBook, and getText() on Android.
To access pictures, videos, voice notes, and other files, some of which may be video-captured or audio-captured, a forensics expert rarely needs to intercept API events or obtain root rights; all that is needed is to listen for file creation and deletion events or to grab these files from internal/external storage. Pictures taken as camera snapshots are of more interest, since they have an EXIF header. Metadata is, quite simply, data about data. The EXIF header is stored in an “application segment” of a JPEG file, or as privately defined tags in a TIFF file. Not only basic cameras write these headers: both mobile platforms provide the “Camera Make” as RIM/BlackBerry/Android/HTC data, and the “Camera Model” is often the device model. The GPS or date tag often alters the file name by placing the city name at the beginning, except on Android and the PlayBook, which place the GPS and date tags in EXIF only.
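A minimal parser for the EXIF application segment described above, as an added example that is not part of the original article: it walks the JPEG segments to the APP1 “Exif” block and reads the Make and Model strings from the first TIFF directory. The sample file is a constructed JPEG skeleton with constructed tag values, and the function names are hypothetical.

```python
import struct

# Baseline TIFF tags of interest in IFD0 (all stored as ASCII, type 2).
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}


def find_exif_tiff(jpeg):
    """Walk the JPEG segments and return the TIFF block of the Exif APP1
    segment, or None when the file carries no EXIF header."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("segment marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):      # SOS/EOI: metadata segments are over
            return None
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("truncated segment at offset %d" % pos)
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        pos += 2 + length
    return None


def read_ifd0_strings(tiff):
    """Return the ASCII tags listed in TAG_NAMES from the first IFD."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or len(tiff) < 8:
        raise ValueError("bad TIFF header")
    magic, ifd = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd + 2 > len(tiff):
        raise ValueError("bad TIFF header")
    (count,) = struct.unpack(order + "H", tiff[ifd:ifd + 2])
    found = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        if len(entry) < 12:
            raise ValueError("truncated IFD")
        tag, kind, n, raw = struct.unpack(order + "HHI4s", entry)
        if kind != 2 or tag not in TAG_NAMES:
            continue
        if n <= 4:                      # short values sit inside the entry
            data = raw[:n]
        else:                           # longer ones are referenced by offset
            (offset,) = struct.unpack(order + "I", raw)
            if offset + n > len(tiff):
                raise ValueError("tag value lies outside the TIFF block")
            data = tiff[offset:offset + n]
        found[TAG_NAMES[tag]] = data.split(b"\x00")[0].decode("ascii", "replace")
    return found


def exif_summary(jpeg):
    """Return the Make/Model/DateTime strings, or {} when there is no EXIF."""
    tiff = find_exif_tiff(jpeg)
    return read_ifd0_strings(tiff) if tiff is not None else {}


def build_sample_jpeg():
    """Constructed JPEG skeleton: SOI, APP0, APP1 (Exif), EOI; no image data."""
    model = b"Constructed Model\x00"
    data_offset = 8 + 2 + 2 * 12 + 4    # header + count + 2 entries + next-IFD
    tiff = (b"MM" + struct.pack(">HI", 42, 8) + struct.pack(">H", 2)
            + struct.pack(">HHI4s", 0x010F, 2, 4, b"HTC\x00")
            + struct.pack(">HHII", 0x0110, 2, len(model), data_offset)
            + struct.pack(">I", 0) + model)
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"Exif\x00\x00" + tiff
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xd9")


if __name__ == "__main__":
    print(exif_summary(build_sample_jpeg()))
```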
Instant messaging is a well-established means of fast and effective communication. IM forensics has to answer two questions: identifying the author of an IM conversation based strictly on author behaviour, and classifying behaviour characteristics. For example, a BlackBerry smartphone stores all chats (from Google, Yahoo, Windows Live, BlackBerry Messenger, AIM (AOL)) in plaintext in a .csv file. File paths are often easy to find too [1].
On the PlayBook each application has access to its own working directory in the file system, and might have access to the shared folder (sandbox), because access to files and folders is governed by UNIX-style groups and permissions. It means applications cannot create new directories in the working directory; they can only access the folders listed below.
Table 2. Playbook shared folders structure

| Folder | What data contains | Access type |
|---|---|---|
| app | The installed application’s files. | read-only |
| data | The application’s private data. | read and write access |
| temp | The application’s temporary working files. | read and write access |
| logs | System logs for an application (stderr and stdout) | read and write access |
| shared | Subfolders that contain shared data grouped by type. | no access |
| shared/bookmarks | Web browser bookmarks that can be shared among applications. | read and write access |
| shared/books | eBook files that can be shared among applications. | read and write access |
| shared/clipboard | Data copied or cut from another application (txt, html, uri format). | read and write access |
| shared/documents | Documents that can be shared among applications. | read and write access |
| shared/downloads | Web browser downloads. | read and write access |
| shared/misc | Miscellaneous data that can be shared among applications. | read and write access |
| shared/music | Music files that can be shared among applications. | read and write access |
| shared/photos | Photos that can be shared among applications. | read and write access |
| shared/videos | Videos that can be shared among applications. | read and write access |
| shared/voice | Audio recordings that can be shared among applications. | read and write access |
Beyond the folders mentioned, it is possible to partially recreate the folder structure and gain read-only access to files [7].
References
[1] Y. Chemerkin, “To get round to the heart of fortress,” Hakin9 Extra Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682 Warszawa, vol. 1 №3 Issue 03/2011 (03) ISSN 1733-7186, pp. 20–37, August 2011
[2] Y. Chemerkin, “Comparison of Android and BlackBerry Forensic Techniques,” Hakin9 Extra Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682 Warszawa, vol. 11 №4 Issue 04/2012 (11) ISSN 1733-7186, pp. 28–36, April 2012
[3] Y. Chemerkin, “When Developer’s API Simplify User-Mode Rootkits Developing,” Hakin9 Mobile Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682 Warszawa, vol. 2 №2 Issue 02/2012 (3) ISSN 1733-7186, pp. 16–21, February 2012
[4] Y. Chemerkin, “When Developers API Simplify User-Mode Rootkits Development – Part II,” Hakin9 OnDemand Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682 Warszawa, vol. 1 №4 Issue 04/2012 (4) ISSN 1733-7186, pp. 56–81, July 2012
[5] A. Hoog, Android Forensics: Investigation, Analysis and Mobile Security for Google Android. Syngress, 2011.
[6] D. M. Gomez, A. Davis, BlackBerry PlayBook Security: Part one. NGS Secure, 2011.
[7] Y. Chemerkin, “Insecurity of blackberry solutions: Vulnerability on the edge of the technologies,” vol. 6, pp. 20–21, December 2011 [Annual InfoSecurity Russia Conf., 2011]
[8] Y. Chemerkin, “BlackBerry Playbook – New Challenges,” Hakin9 E-Book Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682 Warszawa, vol. 1 №3 Issue 03/2012 (3) ISSN 1733-7186, pp. 1–34, September 2012
Conclusion
BlackBerry devices as well as Android devices share the same evidentiary value as any other Personal Digital Assistant (mobile device). As the investigator may suspect, on most file systems a delete is by no means a total removal of data on the device. However, the BlackBerry smartphone's always-on, wireless push technology adds a unique dimension to forensic examination. Android and the PlayBook instead tend to be more offline and wake up on user actions. Moreover, the trend towards installation from the app world only is coming, which means only further complication.
All of the above highlights valuable and up-to-date techniques in the forensics area, some of them based on issues arising from misunderstood development concepts and the like. Similar to the BlackBerry, push technology allows information to be pushed through its radio antenna at any time, potentially overwriting previously “deleted” data. Classic forensics techniques or a DLP system are ineffective at stopping it because of timing and applications that exchange data in real time. In addition, the password is a long-term problem. Some techniques are very impactful but limited to special cases. Obviously, Android should be rooted and the BlackBerry smartphone should have a backup or fit the forensics methods and tools, while the PlayBook is limited to the shared folder only, and there is no way to root it or to mirror all data to a PlayBook simulator as was possible for the BlackBerry smartphone. The files stored on external or internal storage might be useful for obtaining some of the data stored in a backup or available to the API. It means forensics needs more practical and preventive techniques to extract data. Simply using the developer's API helps to grab data, such as the password for social networks or the mail inbox in BlackBerry smartphone cases, that is not stored anywhere. In addition, IM chats are not stored anywhere else on external/internal storage and are only accessible by data extraction, and only if the password is known and the storage is not encrypted. It means only live techniques through the API make sense. Moreover, there is a technique for preventing a successful USB or Bluetooth connection, in which a live agent performs a DDoS on the event listener [8].
Finally, all the security holes and the vendors' vision of security on their OS are very striking to use; this reduces the risk of losing valuable data and improves existing solutions. In addition, the forensics expert is protected from almost everything capable of breaking and stopping a forensics investigation.
Author bio
Currently in the postgraduate program at RSUH, working on a Cloud Security thesis. Experience in Reverse Engineering, Software Programming, Cyber & Mobile Security Research, Documentation, and as a contributing Security Writer. Also researching Cloud Security and Social Privacy. Over the last several years, worked on mobile & social security, forensics, cloud security & compliance & transparency.
yury.chemerkin@gmail.com