If you didn’t already know, there is now a Mac version of the Blackberry Desktop Manager available. When used, the program allows a user to create a full backup of their device both automatically, or on-demand – encrypted, or not. I have only tried this out a couple of times, so here is what I can tell you so far…
The files have the extension “.bbb” – not the traditional .ipd file we are used to and appears to use the following naming convention:
- “BlackBerry”<MODEL_NAME> (<DEVICE_PIN>) (<YYYYMM-DD>) -<TYPE_OF_BACKUP>.bbb
- If another .bbb file is created on the same date, a numeric identifier and additional “-” is be added to the naming convention between the (<YYYYMM-DD>) and the <TYPE_OF_BACKUP> field
- Example file names: “BlackBerry Storm (XXXXXXXX) (2009-10-02) – Full.zip” and “BlackBerry Storm (XXXXXXXX) (2009-10-02) – 2 – Full.zip”
The .bbb file appears to be a compound file which contains the following items in the root once explored:
- BlackBerry_Backup.xml – contains an apparent list of artifacts with the quantity of each reported
- Directory: Applications – may be empty
- Directory: Databases – Contains a “Databases.ipd” file
- Directory: Internal_Media_Card – may be empty, but if not, the file inside will be named “archive_xxxxxxxxx.zip” and will contain data backed up from the media card
Although the latest version (7.15) of ABC Amber Blackberry Converter does NOT yet support the .bbb file, you can still process these files in one of two ways:
- Bring the .bbb file into FTK or EnCase and navigate down to the Databases directory to export the .ipd file
- Simply change the .bbb extension to .zip and export the .ipd file
- Add the .ipd to ABC for analysis and reporting
Regardless of encryption, the .bbb file can be opened and the .xml file and directory structure reported above can still be viewed:
- The .xml still reports the same data as the non-encrypted backup
- If the .ipd is encrypted, a value will be reported within the following tags in the .xml file: “<salt>XXXXXX</salt>”
- If the .ipd is encrypted, the first 48 bytes of the file will read: “Inter@ctive Pager Backup/ Restore File Encryption”
- If the .ipd is not encrypted, the value will be absent and the tag will read: “<salt />”
- If the .ipd is not encrypted, the first 48 bytes of the file will read: “Inter@ctive PagerBackup/Restore File..a…Atta” – notice the word “Encryption” is missing
If you have additional information related to the processing of .bbb files, feel free to email me with details!
Danny Garcia
Miami, Florida
http://www.twitter.com/danmiami
http://www.linkedin.com/garciadanny
——————-
Danny Garcia is a full time law enforcement officer since 1992 and is the supervisor of a forensic computer laboratory in Miami, Florida. He is also a contract instructor with Mobile Forensics, Inc.
United States copyright law protects all materials contained in this document. You may not alter or remove any trademark, copyright or other notice from copies of the content.
Tags: acquire, acquisition, analysis, blackberry, evidence, forensics, Mobile Forensics, technical
UPDATE…. Amber Blackberry Converter now supports .bbb files directly.