Forensic tools for BlackBerry analysis
Several forensic tools are available to parse data from BlackBerry backup files and forensic
images of BlackBerry devices. The best tools provide access to the raw database files, so
that the examiner can manually parse data the tool does not support and so that deleted
data is not missed. Knowing where to find the data on devices takes practice, and the
examiner should be trained in examining data from BlackBerry devices.
Available forensic tools include Cellebrite Physical Analyzer, Oxygen Forensics
Suite, Microsystemation XRY, AccessData MPE+, and several others. Some tools are
specifically designed to analyze BlackBerry backup files. Common tools that support
backup files include Oxygen Forensics IPD Viewer, Elcomsoft BlackBerry Backup
Explorer, and BlackBerry Backup Extractor. Bulk Extractor, created by Dr. Simson Garfinkel,
is a free tool that can parse data from raw BlackBerry image files (physical dumps) even if
the password is unknown.
Bulk Extractor scans the image file and pulls useful information (calls, URLs, e-mail
addresses, and more) without parsing the file system, and provides the results to the examiner.
Bulk Extractor can be downloaded from http://digitalcorpora.org/downloads/bulk_extractor/.
An example of Bulk Extractor output for telephone numbers is shown in
the following screenshot:
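
Bulk Extractor writes its results as tab-separated feature files, one per scanner, with telephone numbers going to telephone.txt. The following is an added example, not part of the original text: it parses such a file and groups hits by normalized number so the examiner can see where in the image each number occurs. The sample lines, the image filename, and the NANP normalization rule are constructed assumptions.

```python
import io
from collections import defaultdict

# Constructed sample in the layout of a bulk_extractor feature file:
# '#' header lines, then offset<TAB>feature<TAB>context per record.
SAMPLE_TELEPHONE_TXT = """\
# BULK_EXTRACTOR-Version: 1.5.5
# Feature-Recorder: telephone
# Filename: blackberry_dump.bin
# Feature-File-Version: 1.1
1048832\t(555) 010-2345\tMissed call (555) 010-2345 at 09:14
7340127\t555-010-2345\tfrom: 555-010-2345\\015\\012Subject
7340800-GZIP-212\t+1 555 010 9876\tcontact +1 555 010 9876 home
"""

def parse_feature_file(stream):
    """Yield (image_offset, forensic_path, feature, context) per record."""
    for line in stream:
        line = line.rstrip("\r\n")
        if not line or line.startswith("#"):
            continue  # skip header/comment lines
        parts = line.split("\t", 2)
        if len(parts) < 2:
            continue  # malformed record: no feature column
        # Forensic path: the leading decimal is the byte offset in the image;
        # a suffix such as -GZIP-212 means the hit was inside decoded data.
        head = parts[0].split("-", 1)[0]
        offset = int(head) if head.isdigit() else None
        context = parts[2] if len(parts) > 2 else ""
        yield offset, parts[0], parts[1], context

def normalize(number):
    """Reduce a number to digits; assumed rule: drop a leading NANP '1'."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits

def group_numbers(stream):
    """Map each normalized number to the forensic paths where it was found."""
    hits = defaultdict(list)
    for _offset, path, feature, _context in parse_feature_file(stream):
        hits[normalize(feature)].append(path)
    return dict(hits)

if __name__ == "__main__":
    groups = group_numbers(io.StringIO(SAMPLE_TELEPHONE_TXT))
    for number, paths in sorted(groups.items(), key=lambda kv: -len(kv[1])):
        print(f"{number}  n={len(paths)}  at {', '.join(paths)}")
```

The byte offsets let the examiner return to the raw image in a hex viewer and inspect the surrounding record, which matters when no file system is parsed.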