312 Chapter9·ForensicAnalysisofMobileMalware Password Protected One thing to consider when it comes to password protection is the fact that the password itself is not stored on the device. The device holds a hash of the plain-text password. This is similar to the method used by the majority of operating systems. Evidence Collection To collect evidence from the BlackBerry, you must violate the traditional forensic methods by requiring the investigator to record logs kept on the unit that will be wiped after an image is taken. You will want to collect evidence from several different log files, including: Radio Status This log lets you enumerate the state of the device's radio functions. Roam and Radio This log has a buffer of up to 16 entries, records information concerning the tower, channel, and so on, and will not survive a reset. Transmit/Receive This log records gateway information and the type and size of data transmitted. Profile String This log contains the negotiation with the last utilized radio tower.