BlackBerry backup analysis
BlackBerry backup files can be found natively on hard drives or other external media during a forensic investigation, or may exist as the forensic image created by the examiner in order to complete their forensic investigation. Sometimes, the backup file contains more usable data than a physical image. Again, it all depends on the device model, the method of acquisition, and the forensic tool used for analysis. As previously mentioned, BlackBerry backup files exist as IPD and BBB files and are created by the BDM or the BlackBerry Link software. When created by a user, the BlackBerry backup files are commonly stored in the My Documents folder on a Windows platform. The backup file contains various databases (tables) present on the BlackBerry device. It is named by default in the format Backup (yyyy-mm-dd).ipd.
Best practices suggest searching for IPD and BBB files across digital media suspected of containing BlackBerry backup files, since the user can modify the filename of the backup. If the BlackBerry backup file was recovered from a hard drive or other digital media, the following two formats may exist:
Loaderbackup (yyyy-mm-dd).ipd
AutoBackup (yyyy-mm-dd).ipd
The Loaderbackup file is created automatically when the device OS is being updated. This ensures that required data is readily available should the device crash during the upgrade. The Autobackup file is created when the user elects to have the device set to back up on a regular or scheduled basis or when the device is synced with a PC.
A full backup of a BlackBerry device should contain details such as address book, e-mail, SMS, call logs, and more. However, the backup file may not contain all the application data, because third-party applications do not always provide access to their data. A backup file contains the following information:
File header: The header contains information about the RIM signature, database version, number of databases in the current file, and so on, as shown in the following table:

Name             Length (in bytes)    Offset
RIM signature    37                   0x0
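
The following triage sketch is an added example, not code from the original text: it applies the search advice above by matching the 37-byte RIM signature at offset 0x0 instead of trusting filenames, and flags signature hits whose names do not follow the default patterns as renamed. Assumptions: the signature literal is the well-known IPD magic string (it is not quoted on this page), the function names and verdict labels are hypothetical, and files ending in .ipd or .bbb without the signature are only flagged by extension for manual review.

```python
import hashlib
import os
import re

# First 37 bytes of an IPD file (offset 0x0, per the header table above).
# Assumption: the literal is the well-known IPD magic, not quoted from this page.
RIM_SIGNATURE = b"Inter@ctive Pager Backup/Restore File"
assert len(RIM_SIGNATURE) == 37

# Default names listed on the page; a signature hit outside them was renamed.
DEFAULT_NAME = re.compile(
    r"^(Backup|Loaderbackup|AutoBackup)[ -]?\(\d{4}-\d{2}-\d{2}\)\.ipd$", re.I)

def classify(path):
    """Return (verdict, sha256 or None) for one file, or None if irrelevant."""
    name = os.path.basename(path)
    try:
        with open(path, "rb") as fh:  # read-only: never modify evidence
            head = fh.read(len(RIM_SIGNATURE))
            if head == RIM_SIGNATURE:
                digest = hashlib.sha256(head)
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
                verdict = "ipd" if DEFAULT_NAME.match(name) else "ipd-renamed"
                return verdict, digest.hexdigest()
    except OSError:
        return None  # unreadable file: skip it, keep scanning
    # No IPD signature here: flag by extension only, for manual review.
    if name.lower().endswith((".ipd", ".bbb")):
        return "extension-only", None
    return None

def scan(root):
    """Walk root and return {relative_path: (verdict, sha256)} for every hit."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            result = classify(path)
            if result:
                hits[os.path.relpath(path, root)] = result
    return hits

if __name__ == "__main__":
    import sys
    for rel, (verdict, sha) in sorted(scan(sys.argv[1]).items()):
        print(f"{verdict:15} {sha or '-':64} {rel}")
```

Run it against a mounted, write-blocked copy of the media; the SHA-256 of each signature hit can be recorded in the case notes before the file is opened in an analysis tool.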