Skip Navigation

Package deployment API

BlackBerry Optics
users can now interact with a hardened
Python
interpreter that is present locally on each endpoint that is running
BlackBerry Optics
v2.3.1000 or later. This new feature allows users to interact with their endpoints in an efficient and technical manner to accomplish tasks on endpoints in an automated fashion. By default,
BlackBerry
is supporting 5 capabilities to collect different forensic artifacts from targeted endpoints. These capabilities include:
  • Collecting master file table (MFT) artifacts from NTFS volumes.
  • Collecting entire
    Windows
    registry hives from endpoints.
  • Collecting entire
    Windows
    event log files from endpoints.
  • Collecting web browser history databases from
    Chrome
    ,
    Firefox
    ,
    Internet Explorer
    , Edge,
    Opera
    , and
    Safari
    .
  • Collecting common application execution records, including Amcache, Prefetch, and Shimcache.
Users can also configure and deploy custom packages to conduct custom, scripted actions against endpoints. This allows customers to upload in-house or third-party scripts and applications to
BlackBerry
’s cloud services and deploy them to endpoints. This scripting is done via interacting with the local
Python
interpreter built into
BlackBerry Optics
, allowing for an easily extensible set of capabilities.
After packages have been deployed and executed on endpoints, users can automatically upload the resulting data to SMB shares or SFTP servers for centralized collection and analysis by other forensic or incident response tools. Users can also configure packages to store the results locally on the endpoints for retrieval at a later time.
The
BlackBerry Optics
package deployment supports up to 20 packages for your organization. Each package has a maximum file size of 15MB. These capabilities and workflows around the package deployment feature are exposed via
BlackBerry
’s API.