Creating a BlackBerry backup

With BlackBerry devices, a significant amount of data can be extracted using the
BlackBerry Desktop Manager (BDM) or BlackBerry Link (BlackBerry 10 devices), both of
which can be downloaded for free. This method of acquiring data from a BlackBerry device
sometimes succeeds in obtaining data for examiners to analyze. Again, the passcode must
be known for the examiner to create a backup of a BlackBerry device. Acquiring this
logical backup is recommended because it can provide a form of validation for the data
acquired through forensic tools. The backup file exists as a BBB or IPD file and contains
different types of data stored on the BlackBerry device, including call logs, calendar
items, contacts, pictures, e-mail, and more.

A BlackBerry Backup (BBB) file is created when BDM v7.0 or later, or a Mac computer, is
used to create the backup file. The BBB file is a ZIP container holding either an IPD
file or DAT files, depending on the method used to create the backup. A BBB file that
contains an IPD file has the same file header as a ZIP file. In hex, this file header is
0x504B. An Inter@ctive Pager Backup (IPD) file is created when BDM v6.0 or earlier is
used to create the backup file. Commercial forensic tools may also create BlackBerry
backup files and use the IPD format. Shafik Punja maintains a blog, largely dedicated to
his work on BlackBerry, that provides a deeper look into BlackBerry backup files
(http://qubytelogic.blogspot.com/).
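
The following triage sketch is an added example, not code from the original text or from any BlackBerry tool: it hashes a backup image and tells a bare IPD file from a BBB ZIP container holding an IPD or DAT files. It assumes an IPD file starts with the ASCII string "Inter@ctive Pager Backup"; the sample inputs and member names are constructed.

```python
import hashlib
import io
import zipfile

ZIP_MAGIC = b"PK"  # 0x504B, the header the text gives for a BBB file
IPD_MAGIC = b"Inter@ctive Pager Backup"  # assumption: leading ASCII signature of an IPD file


def classify_backup(data: bytes) -> dict:
    """Hash a backup image and classify it; works on a copy held in memory only."""
    result = {"sha256": hashlib.sha256(data).hexdigest(), "kind": "unknown", "members": []}
    if data.startswith(IPD_MAGIC):
        result["kind"] = "IPD"
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            # Header matches but the archive is truncated or damaged.
            result["kind"] = "corrupt ZIP"
            return result
        result["members"] = names
        exts = {n.rsplit(".", 1)[-1].lower() for n in names if "." in n}
        if "ipd" in exts:
            result["kind"] = "BBB containing IPD"
        elif "dat" in exts:
            result["kind"] = "BBB containing DAT"
        else:
            result["kind"] = "ZIP, not a recognised BBB"
    return result


def _make_zip(members: dict) -> bytes:
    """Build a constructed ZIP in memory to stand in for a BBB file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples, not real evidence; member names are illustrative.
SAMPLE_IPD = IPD_MAGIC + b"/Restore File\n" + b"\x00" * 16
SAMPLE_BBB_IPD = _make_zip({"Databases.ipd": SAMPLE_IPD})
SAMPLE_BBB_DAT = _make_zip({"Databases/1.dat": b"\x00", "Manifest.xml": b"<x/>"})

if __name__ == "__main__":
    for label, blob in [("ipd", SAMPLE_IPD), ("bbb-ipd", SAMPLE_BBB_IPD), ("bbb-dat", SAMPLE_BBB_DAT)]:
        info = classify_backup(blob)
        print(label, info["kind"], info["sha256"][:16], info["members"])
```

Recording the SHA-256 at acquisition lets the logical backup serve as the validation reference the text recommends when comparing against forensic tool output.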

It is important to note that, by default, the BDM is configured to synchronize some data
between the device and the computer, so this feature must be disabled to prevent any
change to the data on the device. In a forensic process, even a minor change, such as
altering the time zone on a device, makes it difficult for an investigator to determine
exactly when specific events occurred, and it is even more difficult to defend in court.
The synchronization process is disabled in the BDM by deselecting the options as shown
in the following screenshot. The option Update device data and time is selected by
default, so it must be explicitly deselected. It is the examiner's job to ensure that
total control is maintained during the entire forensic process. This means that the
forensic workstation is sterile and free of old data and that the tools are not set to
automatically read/write data to and from the BlackBerry device. If the BDM requires the
device to be connected in order to select the options, it is wise to attempt the settings
with a test BlackBerry device of the same model as your evidence.