Saturday, 23 March 2013

Mobile Forensic: How to detect Reconditioned BlackBerry

I want to share some knowledge and experience on how to detect a reconditioned BlackBerry. There are two methods.
The first is through Options - Device - Device and Status Information. This screen shows information about the current condition of the BlackBerry, such as signal, battery, IP address, free memory and so on. On this screen, type B U Y R to display Buyer's Remorse, which shows data usage, voice usage and IT policy. If the BlackBerry is brand new, data and voice usage must show a null value. If either is not null, that is, it already has a value, the BlackBerry has been used before.
The second method uses an integrated mobile forensic device such as UFED from Cellebrite, XRY from Micro Systemation and so on. With this device, perform a physical extraction by dumping the flash memory. This gives a forensically sound image of the BlackBerry's flash memory. It takes about 2 to 6 hours. After it finishes, perform hex analysis on the image. If the device is brand new, the flash memory should contain only the OS's file system and the factory-installed applications. This means that about 1/2 or more at the end of the flash memory will be 00, because data usage is minimal and is allocated at the beginning of the flash memory. If the area around the end of the flash memory has been allocated with data, the BlackBerry has already been used.
The other way is to look for the naming model of the root directory. The purpose is to find deleted or wiped files. When a file is deleted, it actually still exists in its sectors; deletion only records the file as unallocated in the root directory. Likewise, when a file is wiped, only the sectors allocated to the file are wiped, and the root directory information shows those sectors as unallocated. If we can find the naming model of the root directory and it shows deleted or wiped files, the BlackBerry is not brand new. In other words, it has already been used.
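
The tail-of-flash check from the second method can be automated over the raw dump. The script below is an added example, not part of the original post or of any forensic product; the 4096-byte block size, the `max_ratio` tolerance and the sample images are assumptions constructed for illustration, and the fill byte is a parameter that defaults to the 00 value described above.

```python
import io

BLOCK = 4096  # analysis granularity in bytes (assumption, not a device constant)

def tail_usage(stream, size, fill=0x00, tail_fraction=0.5, block=BLOCK):
    """Scan the last tail_fraction of a raw dump; count blocks not made of `fill`."""
    start = size - int(size * tail_fraction)
    start -= start % block                  # align to a block boundary
    stream.seek(start)
    blank = bytes([fill]) * block
    examined = with_data = 0
    first_offset = None
    offset = start
    while chunk := stream.read(block):
        examined += 1
        if chunk != blank[:len(chunk)]:     # any byte other than the fill value
            with_data += 1
            if first_offset is None:
                first_offset = offset
        offset += len(chunk)
    return examined, with_data, first_offset

def assess(stream, size, max_ratio=0.0, **kw):
    """max_ratio is an assumed tolerance: 0.0 flags any data found in the tail."""
    examined, with_data, first_offset = tail_usage(stream, size, **kw)
    ratio = with_data / examined if examined else 0.0
    return {"examined": examined, "with_data": with_data, "ratio": ratio,
            "first_data_offset": first_offset, "likely_used": ratio > max_ratio}

def make_image(total_blocks, os_blocks, user_block=None):
    """Constructed sample dump: OS data at the start, zeros after, optional late write."""
    img = bytearray(total_blocks * BLOCK)
    img[:os_blocks * BLOCK] = b"\xAA" * (os_blocks * BLOCK)
    if user_block is not None:
        pos = user_block * BLOCK
        img[pos:pos + 100] = b"U" * 100     # simulated user data near the end
    return bytes(img)

if __name__ == "__main__":
    for label, img in (("factory-like", make_image(64, 16)),
                       ("used-like", make_image(64, 16, user_block=50))):
        print(label, assess(io.BytesIO(img), len(img)))
```

For a real dump, pass a file opened with `open(path, "rb")` and its size from `os.path.getsize(path)`; the reported `first_data_offset` is where to begin the manual hex analysis.
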
If a BlackBerry that has already been used and reconditioned is sold as if it were brand new, it is a crime, because the seller is cheating the customer. The seller can be arrested and sent to court for this crime.


