Package deployment API
BlackBerry Optics users can now interact with a hardened Python interpreter that is present locally on each endpoint that is running BlackBerry Optics v2.3.1000 or later. This feature gives users an efficient, technical way to interact with their endpoints and automate tasks on them. By default, BlackBerry supports 5 capabilities to collect different forensic artifacts from targeted endpoints. These capabilities include:
- Collecting master file table (MFT) artifacts from NTFS volumes.
- Collecting entire Windows registry hives from endpoints.
- Collecting entire Windows event log files from endpoints.
- Collecting web browser history databases from Chrome, Firefox, Internet Explorer, Edge, Opera, and Safari.
- Collecting common application execution records, including Amcache, Prefetch, and Shimcache.
Users can also configure and deploy custom packages to conduct custom, scripted actions against endpoints. This allows customers to upload in-house or third-party scripts and applications to BlackBerry’s cloud services and deploy them to endpoints. This scripting is done by interacting with the local Python interpreter built into BlackBerry Optics, allowing for an easily extensible set of capabilities.
After packages have been deployed and executed on endpoints, users can automatically upload the resulting data to SMB shares or SFTP servers for centralized collection and analysis by other forensic or incident response tools. Users can also configure packages to store the results locally on the endpoints for retrieval at a later time.
The BlackBerry Optics package deployment supports up to 20 packages for your organization. Each package has a maximum file size of 15 MB. These capabilities and workflows around the package deployment feature are exposed via BlackBerry’s API.