cial forensic tools applies to devices using BlackBerry OS (Java-based) and not QNX
(BlackBerry 10 OS).
A physical acquisition of a BlackBerry device will capture a complete binary image of the
BlackBerry device. This method of acquisition normally requires the BlackBerry to be
powered off and intercepts the data prior to the device booting. File system acquisitions
may be possible using commercial tools if the device passcode is known. This method of
acquisition normally captures data from the device and the SD card. As mentioned, even
if a physical or file system acquisition is supported and successful, the examiner should
always obtain a logical acquisition to avoid situations where physical data parsing is not
supported by the forensic analysis tool. One of the biggest errors in BlackBerry forensics
occurs when an examiner obtains only a physical image, returns the device to the user/suspect,
and then realizes the data is encrypted or cannot be parsed by their analytical tool.
Make sure you do not find yourself in this position by taking the time to acquire the
device using all possible methods. The following screenshot shows security prompts that
the examiner may encounter during the acquisition and/or analysis of a BlackBerry
device:
The encrypted backup file password prompt
The preceding screenshot shows the prompt for the user to enter the password for the
encrypted backup file when attempting to open the image in Cellebrite Physical Analyzer.