BlackBerry forensic image analysis
The method of obtaining the forensic image of a BlackBerry device, whether logical, physical, or file system, may limit the tools available to analyze the data. For example, a raw image created using JTAG or chip-off should be ingestible and parsed by any forensic tool that provides physical analysis support for that model of BlackBerry, as long as the device was unlocked or the passcode is known. It is best to use more than one tool during your forensic analysis to verify the results of the forensic image.
BlackBerry file systems are difficult to reconstruct due to the proprietary format developed by RIM. Unlike other smartphone devices, BlackBerry file systems vary greatly per model. Commercial tools will attempt to reconstruct the file systems, but support is limited and the reconstruction may not be accurate. It is best to validate your findings using logical, file system, or backup file acquisition and analysis to ensure your findings are correct.
Once an examiner gains experience analyzing BlackBerry devices, the files of interest become more apparent regardless of the image format. A physical dump and a backup file may actually contain the same amount of data readily available to the examiner. The tool of choice to examine the data will determine the amount of access you have to that file. As explained in previous chapters, deleted data can reside in database files; just as with Android and iOS, BlackBerry databases and tables may contain deleted data. If your forensic tool does not provide access to the native file for export or for examination in hex, you will miss this deleted data.
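The point that deleted records survive inside database files, invisible to a tool that only reports live rows, can be shown with a small worked example. The code below is an added illustration, not code from this chapter or from any forensic product, and it does not parse RIM's proprietary BlackBerry database format: it uses SQLite (the database format of the Android and iOS examples the text refers to) with a constructed address book. The table name, the sample contacts and the phone-number pattern are assumptions chosen for the demonstration. It builds a database, deletes one contact the way an application would, then compares the logical view (a SELECT) with a raw byte scan of the same file, which is the "examine the native file in hex" step the text recommends.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample address book; phone numbers use the reserved 555 range.
SAMPLE_CONTACTS = [
    ("Alice Example", "202-555-0101"),
    ("Bob Example", "202-555-0102"),
    ("Carol Example", "202-555-0103"),
]
# The contact the (hypothetical) user later deleted.
DELETED_CONTACT = ("Dave Example", "202-555-0199")

# Pattern for the constructed phone-number format, applied to raw bytes.
PHONE_RE = re.compile(rb"\d{3}-\d{3}-\d{4}")


def build_sample_db(path):
    """Create the database and delete one contact as an app would (no VACUUM)."""
    conn = sqlite3.connect(path)
    # Made explicit so the result does not depend on how this SQLite build was
    # compiled: with secure_delete ON, freed cells are zeroed and nothing remains.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute(
        "CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO contacts (name, phone) VALUES (?, ?)",
        SAMPLE_CONTACTS + [DELETED_CONTACT],
    )
    conn.commit()
    conn.execute("DELETE FROM contacts WHERE phone = ?", (DELETED_CONTACT[1],))
    conn.commit()
    conn.close()


def logical_phone_numbers(path):
    """What a tool that reports only live rows would show the examiner."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT phone FROM contacts ORDER BY id")]
    conn.close()
    return rows


def carve_phone_numbers(path):
    """Scan the raw file bytes for phone-number patterns; returns (offset, number)."""
    with open(path, "rb") as f:
        data = f.read()
    return [(m.start(), m.group().decode("ascii")) for m in PHONE_RE.finditer(data)]


def residual_phone_numbers(path):
    """Numbers present in the raw file but absent from the logical view."""
    live = set(logical_phone_numbers(path))
    return sorted({num for _, num in carve_phone_numbers(path) if num not in live})


def demo():
    """Build a throwaway database and return the logical, carved and residual views."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "address_book.db")
        build_sample_db(path)
        return {
            "logical": logical_phone_numbers(path),
            "carved": carve_phone_numbers(path),
            "residual": residual_phone_numbers(path),
        }


if __name__ == "__main__":
    result = demo()
    print("logical view:", result["logical"])
    print("raw carve   :", result["carved"])
    print("residual    :", result["residual"])
```

The deleted contact's bytes stay in the page's free space until SQLite reuses it, so the raw scan still finds the number that the SELECT no longer returns. On a real case the same comparison is done between the tool's parsed report and the exported native file; a carved hit that is missing from the report is the deleted data the text warns you would otherwise miss, and it should then be verified by hand in a hex view with its offset recorded.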
The following screenshot shows the file system representation of a BlackBerry backup file in Cellebrite Physical Analyzer. Notice that the Address Book is being examined in raw hex. This method of analysis is preferred to validate your logical results or the data provided in the tool report.