Forensic Analysis of Mobile Malware · Chapter 9 311

Forensic Examination of a BlackBerry

Since the BlackBerry is an always-on push-messaging device, information can be pushed to it at any time. It is important to note that the information that is pushed has the potential of overwriting any data that was previously deleted. The difficulty is that the device has a multitude of applications that may receive information, which makes it harder to recover information from an unaltered file system.

The initial step to preserve the information is to eliminate the ability of the device to receive this data push. A Faraday cage (bag) will aid in making the radio seem as if it is off. Do not turn the device off. The BlackBerry is not really "off" unless power is removed for an extended period, or the unit is placed in storage mode. On top of this, as soon as the unit is powered back on, any items that were in the queue waiting to be pushed to the device could possibly be pushed, thus altering the system. It is quite possible that a change in state, such as a power-off of the BlackBerry, could result in a program being run on the unit that will allow the device to accept remote commands.

Acquisition of Information Considerations

The considerations for the BlackBerry are similar in some ways to the PDA devices, but there are some differences. The following covers some of the issues that can arise when