.rem Blackberry files

  

.rem Blackberry files

Post Posted: Wed Nov 28, 2012 7:13 am

Has anyone had any luck decoding / decrypting these files?

We are trying to look at a selection of files left by an uninstalled Blackberry application.  

triran
Senior Member
 
 
  

Re: .rem Blackberry files

Post Posted: Mon May 13, 2013 1:52 am

Self-ping.

Since BlackBerry uses the AES, and the device password is instrumental in encrypting the data, I would think decrypting/decoding the data would have to be done by brute force method, and the degree of difficulty would be directly proportional to the length of the password used to encrypt the data.  

Astro
Member
 
 
  

Re: .rem Blackberry files

Post Posted: Wed May 15, 2013 1:05 pm

The encryption key method is selectable by the user. Password only (probably a short, easy to break password), device key (a randomly selected key unique to the device), or a combination of the two. The password only method should be breakable as the password has to be typed on a mobile keyboard and is likely to be simple. If the device key is involved, you're probably out of luck.

Here's a somewhat out of date document from BlackBerry's knowledge base: btsc.webapps.blackberr...HelperImpl

I have had no luck decrypting them, but I haven't really tried that hard.  

Bulldawg
Senior Member
 
 
  

Re: .rem Blackberry files

Post Posted: Wed May 29, 2013 2:41 am

Yes, Elcomsoft makes a program that can brute force the micro sd card and obtain the Blackberry password if the card was encrypted using the Device Password mode. It doesn't work if a Device Key is in use.

I use "Device Password & Device Key," but the "Device Password" mode is still useful. I temporarily switch the mode to "Device Password" if I want to move the card to a different BlackBerry or if I want to perform a security wipe on my BlackBerry. It's the only way encrypted files will remain meaningfully accessible if the BlackBerry undergoes a security wipe. I even recommend the "Device Password" only mode to beginner users who don't have good backup habits and want some level of security and for whom the likelihood of someone trying to crack his BlackBerry with a media card software attack is minimal and unlikely.  

Astro
Member
 
 
  

Re: .rem Blackberry files

Post Posted: Wed May 29, 2013 7:56 am

Hi all,

If the encryption was made on the device, you can decrypt the files on-the-fly using BlackBerry Desktop Manager (with write blocking on) and as the files are being transferred from the phone to the PC, they are decrypted.

The .REM bit should be removed, although you might have to manually rename files.

Neil  

nsbuck
Senior Member
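
A triage sketch for the step described above, added here as an illustration (not code from any poster or from BlackBerry): after a transfer through Desktop Manager, it lists the files on a working copy that still carry the .rem suffix, records the name each would have with the suffix removed, hashes them, and flags whether the content already opens with a known file signature or still looks random. The function names and the 7.5 bits/byte entropy threshold are assumptions, and it does not rely on any knowledge of the .rem container format.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Well-known leading bytes of a few file types commonly found on media cards.
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"%PDF-": "pdf"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (close to 8.0 means random-looking)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: Path, sample: int = 65536) -> dict:
    """Hash one file and judge whether its content still looks encrypted."""
    data = path.read_bytes()
    head = data[:sample]
    kind = next((k for m, k in MAGIC.items() if head.startswith(m)), None)
    if kind:
        state = "decrypted"            # plain content, only the name is stale
    elif entropy(head) > 7.5:          # assumed threshold, tune per case
        state = "likely-encrypted"
    else:
        state = "unknown"
    name = path.name
    original = name[:-4] if name.lower().endswith(".rem") else name
    return {"file": name, "original_name": original, "type": kind,
            "state": state, "sha256": hashlib.sha256(data).hexdigest()}

def triage(root: Path) -> list:
    """Classify every *.rem file under root (a working copy, never the original)."""
    return [classify(p) for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() == ".rem"]

def demo() -> list:
    """Constructed sample data: a JPEG stub and a random-looking blob."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "IMG0001.jpg.rem").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 512)
        blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))
        (root / "notes.txt.rem").write_bytes(blob)
        return triage(root)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The entropy flag is only a heuristic: compressed formats without a listed signature also score high, and very small files score low even when encrypted, so "likely-encrypted" and "unknown" rows still need manual review.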
 
 
  

Re: .rem Blackberry files

Post Posted: Wed May 29, 2013 6:03 pm

nsbuck wrote:
> Hi all,
>
> If the encryption was made on the device, you can decrypt the files on-the-fly using BlackBerry Desktop Manager (with write blocking on) and as the files are being transferred from the phone to the PC, they are decrypted.
>
> The .REM bit should be removed, although you might have to manually rename files.
>
> Neil


What is write blocking?

Also, the BlackBerry that was used to encrypt the files has to be unlocked and the password has to be known for this to work. When I connect my BlackBerry to Desktop Software using the USB cable, Desktop Software prompts me for the BlackBerry's password in order to connect even if my BlackBerry is unlocked. (It even has the maximum of ten tries feature.) If the BlackBerry is locked, Desktop Software tells me to unlock it before it will proceed.

Once you've hooked up the BlackBerry to Desktop Software, .rem files that you drag and drop from the media card to your pc using Desktop Software will be decrypted. You won't be able to decrypt a .rem file without Desktop Software; if you use the USB ("mass storage mode") method and drag the files to the pc without Desktop Software, they'll still have the .rem extension.

Elcomsoft's software brute forces one file from the BlackBerry's media card if the card was encrypted using the "Device Password" mode. If successful, it provides the user the password that was used to encrypt the card. If that password is still in use on that BlackBerry, the user can unlock it. I would think that if it can crack the password using the card, someone could find a way to decrypt all the .rem files on the card even if the device password has been changed or there isn't a device, only the card.

As for the OP, I don't think Desktop Software would help in his situation. It sounds like the .rem files he's looking to decrypt are not ordinary user accessible files that Desktop Software could reach, rather they're some kind of system files left over from an uninstalled application. I hope he follows up and posts how he made out with that.  

Astro
Member
 
 
  

Re: .rem Blackberry files

Post Posted: Thu May 30, 2013 2:45 pm

Astro,

Yes you will not be able to remove the .REM without the Desktop Manager but you will also need to remove the encryption settings beforehand (I forgot to mention that in my previous post).

If the handset is locked, the passcode may be (long shot) stored on the memory card, however we never needed to travel this route and we have so far been given the passcode for phones with encryption enabled.

We use write blocking software which ensures data cannot be written to the USB device (however the device needs to be plugged in to a USB port after you have enabled this feature).  

nsbuck
Senior Member
 
 
