Information Technology Reference
In-Depth Information
There are a variety of BlackBerry timestamp types that are defined in detail at
ht-
tp://www.swiftforensics.com/2012/03/blackberry-date-formats.html
. When examining
SMS messages, the examiner should use more than one tool to ensure the data is parsed
properly. Currently, there is no standard for how SMS messages are stored on BlackBerry
devices. The SMS messages may be encrypted, compressed, or exist as a proprietary 7-bit
format. Several factors weigh on the format to store the SMS message content, including
device security settings, device model, administrator settings, and more.
Unlike other smartphones, third-party application data cannot be stored internally on the
BlackBerry device memory if the application uses SQLite database storage, which applic-
ations commonly do. All third-party application data will reside on the SD card (or
eMMC) associated to the BlackBerry device in an application folder. More information on
using SQLite on BlackBerry devices can be found at
http://blog.softartisans.com/2011/03/
29/using-sqlite-in-blackberry-applications/
.
These folders and database files must be ex-
amined for relevance to the investigation, as defined in previous chapters. Due to the un-
known nature of RIM and the proprietary methods to store user data, it is recommended
that the examiner examine any database/table recovered from the BlackBerry device that
may be of interest to the investigation. Manual examination is time-consuming, but it will
ensure that data is not overlooked.
