Posts Tagged ‘technical’

Processing BlackBerry Backup (.bbb) Files

Tuesday, October 20th, 2009

If you didn’t already know, there is now a Mac version of the BlackBerry Desktop Manager available. The program lets a user create a full backup of their device either automatically or on demand, encrypted or not. I have only tried this out a couple of times, so here is what I can tell you so far…

The files have the extension “.bbb” – not the traditional .ipd file we are used to – and appear to use the following naming convention:

  • “BlackBerry”<MODEL_NAME> (<DEVICE_PIN>) (<YYYY-MM-DD>) -<TYPE_OF_BACKUP>.bbb
  • If another .bbb file is created on the same date, a numeric identifier and an additional “-” are added to the name between the (<YYYY-MM-DD>) and the <TYPE_OF_BACKUP> fields
  • Example file names: “BlackBerry Storm (XXXXXXXX) (2009-10-02) – Full.zip” and “BlackBerry Storm (XXXXXXXX) (2009-10-02) – 2 – Full.zip”

The .bbb file appears to be a compound (archive) file; once explored, its root contains the following items:

  • BlackBerry_Backup.xml – contains an apparent list of artifacts with the quantity of each reported
  • Directory: Applications – may be empty
  • Directory: Databases – Contains a “Databases.ipd” file
  • Directory: Internal_Media_Card – may be empty, but if not, the file inside will be named “archive_xxxxxxxxx.zip” and will contain data backed up from the media card

Although the latest version (7.15) of ABC Amber Blackberry Converter does NOT yet support the .bbb file, you can still process these files in one of two ways:

  • Bring the .bbb file into FTK or EnCase and navigate down to the Databases directory to export the .ipd file
  • Simply change the .bbb extension to .zip and export the .ipd file
  • Add the .ipd to ABC for analysis and reporting

Regardless of encryption, the .bbb file can be opened, and the .xml file and directory structure reported above can still be viewed:

  • The .xml still reports the same data as the non-encrypted backup
  • If the .ipd is encrypted, a value will be reported within the following tags in the .xml file: “<salt>XXXXXX</salt>”
  • If the .ipd is encrypted, the first 48 bytes of the file will read: “Inter@ctive Pager Backup/ Restore File Encryption”
  • If the .ipd is not encrypted, the value will be absent and the tag will read: “<salt />”
  • If the .ipd is not encrypted, the first 48 bytes of the file will read: “Inter@ctive PagerBackup/Restore File..a…Atta” – notice the word “Encryption” is missing
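The structure and encryption indicators described above lend themselves to a quick triage script. The following is an added example, not code from the original post or from RIM: it treats a .bbb as a ZIP container (the rename-to-.zip trick), lists the root entries, reads the <salt> element from BlackBerry_Backup.xml, inspects the first 48 bytes of the .ipd for the word “Encryption”, checks that both indicators agree, and pulls the .ipd out for a converter such as ABC. The sample archives are constructed inline; the surrounding XML layout, the exact byte layout after the .ipd header and the use of a `salt` element at the document level are assumptions based only on what the post reports.

```python
"""Triage a BlackBerry .bbb backup container (added example, not from the post).

Assumptions, taken from the post above:
- a .bbb is a ZIP archive whose root holds BlackBerry_Backup.xml and
  Databases/Databases.ipd (plus Applications/ and Internal_Media_Card/);
- an encrypted backup's XML carries a non-empty <salt>...</salt> element and
  its .ipd begins with "Inter@ctive Pager Backup/Restore File Encryption";
- an unencrypted backup's XML carries an empty <salt /> element and the word
  "Encryption" is absent from the first 48 bytes of the .ipd.
The XML layout around <salt> and the bytes after the .ipd header are guesses.
"""
import io
import re
import zipfile
from pathlib import Path

# 37-byte header shared by both variants; " Encryption" brings it to 48 bytes.
IPD_MAGIC = b"Inter@ctive Pager Backup/Restore File"


def build_sample_bbb(encrypted: bool) -> bytes:
    """Construct a minimal .bbb (ZIP) in memory. Sample data only."""
    salt = "<salt>0123456789ABCDEF</salt>" if encrypted else "<salt />"
    xml = ('<?xml version="1.0"?><BlackBerry_Backup>' + salt +
           '<Databases count="2"/></BlackBerry_Backup>')
    header = IPD_MAGIC + (b" Encryption" if encrypted else b"")
    ipd = header.ljust(48, b"\x00") + b"...constructed payload..."
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("BlackBerry_Backup.xml", xml)
        zf.writestr("Applications/", "")           # may be empty on a real device
        zf.writestr("Databases/Databases.ipd", ipd)
        zf.writestr("Internal_Media_Card/", "")    # may be empty on a real device
    return buf.getvalue()


def triage_bbb(data: bytes) -> dict:
    """Open a .bbb as a ZIP and report its layout and encryption indicators."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        root = sorted({n.split("/")[0] for n in names})
        xml = zf.read("BlackBerry_Backup.xml").decode("utf-8", "replace")
        # Empty <salt /> means unencrypted; a value inside <salt>..</salt> means encrypted.
        m = re.search(r"<salt\s*/>|<salt>([^<]*)</salt>", xml)
        salt = m.group(1) if (m and m.group(1)) else None
        ipd_names = [n for n in names if n.lower().endswith(".ipd")]
        head = zf.read(ipd_names[0])[:48] if ipd_names else b""
    header_encrypted = b"Encryption" in head
    return {
        "root_entries": root,
        "xml_salt": salt,
        "ipd_path": ipd_names[0] if ipd_names else None,
        "ipd_header": head.rstrip(b"\x00").decode("latin-1"),
        "ipd_magic_ok": b"Backup/Restore File" in head,
        "encrypted": salt is not None or header_encrypted,
        # Both indicators should agree; a mismatch is worth noting in the examiner's log.
        "indicators_agree": (salt is not None) == header_encrypted,
    }


def extract_ipd(data: bytes, dest_dir: Path) -> Path:
    """Write the .ipd out of a .bbb so it can be handed to an .ipd converter."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        ipd_name = next(n for n in zf.namelist() if n.lower().endswith(".ipd"))
        out = Path(dest_dir) / Path(ipd_name).name
        out.write_bytes(zf.read(ipd_name))
    return out


if __name__ == "__main__":
    import sys
    import tempfile
    # Triage a real file given on the command line, else the constructed samples.
    samples = ([Path(sys.argv[1]).read_bytes()] if len(sys.argv) > 1
               else [build_sample_bbb(True), build_sample_bbb(False)])
    for blob in samples:
        report = triage_bbb(blob)
        for key, value in report.items():
            print(f"{key:>17}: {value}")
        print("   extracted to:", extract_ipd(blob, Path(tempfile.mkdtemp())))
        print()
```

Run it with a path to a .bbb file to triage a real backup, or with no arguments to see the two constructed samples. The script only reads the container; it makes no attempt to decrypt an encrypted .ipd, and an `indicators_agree` of False (salt present but no “Encryption” header, or vice versa) is a signal to document the anomaly rather than trust either indicator alone.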

If you have additional information related to the processing of .bbb files, feel free to email me with details!

Danny Garcia
Miami, Florida
http://www.twitter.com/danmiami
http://www.linkedin.com/garciadanny

——————-
Danny Garcia is a full time law enforcement officer since 1992 and is the supervisor of a forensic computer laboratory in Miami, Florida. He is also a contract instructor with Mobile Forensics, Inc.

United States copyright law protects all materials contained in this document. You may not alter or remove any trademark, copyright or other notice from copies of the content.


The Debate Over “Mobile Forensics” – Really?!

Friday, October 2nd, 2009

This seems to be an ongoing debate that has a simple explanation (in my opinion)…

1. Start with the basic definition of forensics and move forward from there.

SOURCE: http://www.merriam-webster.com/dictionary/forensic
- Function: adjective
- Etymology: Latin forensis public, forensic, from forum forum
- Date: 1659
1: belonging to, used in, or suitable to courts of judicature or to public discussion and debate
2: argumentative, rhetorical
3: relating to or dealing with the application of scientific knowledge to legal problems

2. Let’s move on to define “computer forensics”
SOURCE: US CERT: http://www.us-cert.gov/reading_room/forensics.pdf

We define computer forensics as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.

Remember that there are methodologies used in computer forensics which may be destructive, or which do not preserve the “original” because of the process used. There are also processes in traditional crime laboratories (DNA, biology, etc.) that use destructive methodologies, leaving no way for a second examination to take place – even for the defense!

Why do we tend to think that if a tool is marketed as “forensic” it in fact is? Don’t we do verification and validation? What happens when we do a logical acquisition of a server? Is it not a fact that we are leaving data behind, and could that not be construed as “non-forensic” because it is not a true “bit-by-bit” image?

We all know that cellular telephones are devices that contain data. The only reason there is ANY debate is because companies have developed “forensic” products for these devices. The fact comes down to the examiner’s methodologies used to preserve, analyze, and present the evidence in a legal proceeding.

What we must do as examiners has been roughly outlined in a draft document that I had the honor to be invited to participate in authoring with Sam Brothers, Rick Ayers, and other forensic examiners with the Scientific Working Group on Digital Evidence this past January. The document is titled “Best Practices for Mobile Phone Examinations v1.0” and is available for download, review and your comments at http://swgde.org/documents.html.

There is no debate that cellular telephone data changes all the time. But, we as examiners must recognize that what we are most interested in on cellular telephones is user generated data. We want to see the call logs, text messages, photos, videos, dates and times of activities, etc. This data is written to the phone operating system and is usually retrievable through non-traditional methodologies.

There are also times that we will NOT be able to retrieve the information using “forensic” products, “non-forensic” products (including flash boxes, BitPim), etc. Do we not oftentimes have “no choice” but to take pictures of the screens we manually navigate to document what the user did? What if the screen is broken, and there is no way to create a “fraternal clone” [1], as we did back in 2004 when a phone was destroyed and thrown into a canal for a few days? The evidence is there – it is just a matter of documenting HOW you got what you got! At the “tip of the iceberg” is the chip-off technique, which is destructive, yet has been used to pull data from phones when all else fails.

The SWGDE document referenced above should help anyone with questions on what is “acceptable” in this field – for now. SWGDE meets again next week to hopefully finalize this document. You still have a chance to submit your comments at their site. Unfortunately, I will not be at this meeting due to a prior teaching engagement. However, my senior examiner will be there, as well as Sam, Rick and others who read these postings.

Finally, another project I gave input on was the often debated certification at www.mfce.us. That’s my 2 cents on the subject…

Danny Garcia
Miami, Florida
http://www.twitter.com/danmiami
http://www.linkedin.com/garciadanny
——————-
Danny Garcia is a full time law enforcement officer since 1992 and is the supervisor of a forensic computer laboratory in Miami, Florida. He is also a contract instructor with Mobile Forensics, Inc.

[1] Cindy Murphy coined the term “fraternal clone” and presented the information at the Mobile Forensics World Conference 2009.
