Smartphone Forensics: Part 3
In part two of this series I discussed some of the difficulties involved with conducting forensics investigations on iPhones. Are these investigations easier when mobile devices other than iPhones are the targets of investigation? The answer is that it depends.
Let’s begin with BlackBerry forensics. A simple way to conduct a forensics investigation on a BlackBerry is to use the BlackBerry Desktop Manager to make a backup of the databases on this device. To do this, click on the Backup/Restore icon. The Backup/Restore dialog box will appear. Click on Backup (for a full backup) or Advanced (for special backup options). The backup file will by default be named:
Backup-(current date, time and year)-.ipd
All backup files are by default created in the BlackBerry’s My Documents folder for the current user, but you can easily change the default to any folder owned by any user by clicking the Options button in the Backup/Restore dialog box. Each file produced by the backup process has the following format:
<Line feed> – 1 byte – value 0A
<Version> – 1 byte – value 02
<Number of databases in file> – 2 bytes
<Database name separator> – 1 byte
<Database name block#1>
<Database name block#2>
<Database name block#n>
<Database data block#1>
<Database data block#2>
<Database data block#n>
Note that information such as the number of databases contained in the backup file and the name of each database precedes the data blocks. Each data block has the following format:
<Database ID> – 2 bytes
<Record length> – 4 bytes
<Database version> – 1 byte
<Record unique ID> – 4 bytes
<Field length #1> – 2 bytes
<Field type #1> – 1 byte
<Field data #1> – as long as the field length
<Field length #m> – 2 bytes
<Field type #m> – 1 byte
<Field data #m> – as long as the field length
The field data content is displayed in a format that resembles the packet dumps produced by a network sniffer such as TcpDump. Three columns of data are shown:
- The first column displays the offset from byte 0 as a hexadecimal number, starting at zero and incrementing by 10 (hex) for each displayed row. The first column of the first row thus reads 0, the first column of the second row reads 10, the first column of the third row reads 20, and so on.
- The second column displays the data in hexadecimal, byte by byte, with each two-digit byte separated from its neighbors by a space. Exactly 10 (hex, i.e. 16) bytes of data are displayed in each row.
- The third column displays the same data in ASCII, again 10 (hex) bytes per row. Here you can readily read and analyze the content of each database.
The following is an example of how field data are displayed:
0 | 49 6E 74 65 72 40 63 74 69 76 65 20 50 61 67 65 | Inter@ctive Page
10 | 72 20 42 61 63 6B 75 70 2F 52 65 73 74 6F 72 65 | r Backup/Restore
Curiously, “Inter@ctive Pager Backup/Restore” is always the first part of every field data dump.
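As an added example, not part of the original post and not RIM's own code, the following Python script parses a backup laid out as described above (header, database name blocks, then data blocks made of records and length-prefixed fields) and renders each field's data in the three-column offset/hex/ASCII style shown. The post does not state the byte order of the multi-byte integers or the layout of a database name block, so the script assumes big-endian integers, a 2-byte length prefix on each name, and that the record length covers everything after the length field; the sample backup bytes are constructed inline rather than captured from a device.

```python
# Parser for the .ipd backup layout described above. Assumptions not given on
# the page: big-endian integers; a name block is a 2-byte length plus the name
# bytes; the record length counts everything that follows the length field.
import struct
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Field:
    ftype: int
    data: bytes


@dataclass
class Record:
    db_id: int
    db_version: int
    uid: int
    fields: List[Field] = field(default_factory=list)


@dataclass
class IpdBackup:
    version: int
    db_names: List[str]
    records: List[Record]


def parse_ipd(buf: bytes) -> IpdBackup:
    """Walk the header, then the name blocks, then the data blocks."""
    if len(buf) < 5 or buf[0] != 0x0A:
        raise ValueError("not an .ipd backup: expected leading line feed (0x0A)")
    version = buf[1]
    if version != 0x02:
        raise ValueError(f"unsupported .ipd version {version:#04x}")
    (n_dbs,) = struct.unpack_from(">H", buf, 2)   # number of databases
    pos = 5                                        # skip the 1-byte name separator
    names = []
    for _ in range(n_dbs):
        (nlen,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        names.append(buf[pos:pos + nlen].decode("ascii"))
        pos += nlen
    records = []
    while pos < len(buf):
        db_id, rec_len = struct.unpack_from(">HI", buf, pos)
        pos += 6
        end = pos + rec_len
        if end > len(buf):
            raise ValueError("truncated record: length runs past end of file")
        if db_id >= n_dbs:
            raise ValueError(f"record refers to unknown database id {db_id}")
        db_version = buf[pos]
        (uid,) = struct.unpack_from(">I", buf, pos + 1)
        pos += 5
        rec = Record(db_id, db_version, uid)
        while pos < end:                           # fields until the record ends
            flen, ftype = struct.unpack_from(">HB", buf, pos)
            pos += 3
            if pos + flen > end:
                raise ValueError("truncated field: length runs past the record")
            rec.fields.append(Field(ftype, buf[pos:pos + flen]))
            pos += flen
        records.append(rec)
    return IpdBackup(version, names, records)


def hexdump(data: bytes, width: int = 16) -> List[str]:
    """Three-column dump as shown above: hex offset | hex bytes | ASCII."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        rows.append(f"{off:X} | {hexpart} | {asc}")
    return rows


def build_sample() -> bytes:
    """Constructed sample backup (hypothetical names and values, no real device)."""
    names = [b"Address Book", b"Messages"]
    out = bytearray(b"\x0A\x02" + struct.pack(">H", len(names)) + b"\x00")
    for n in names:
        out += struct.pack(">H", len(n)) + n

    def record(db_id: int, uid: int, fields: List[Tuple[int, bytes]]) -> bytes:
        body = b"\x01" + struct.pack(">I", uid)    # database version, unique ID
        for ftype, data in fields:
            body += struct.pack(">HB", len(data), ftype) + data
        return struct.pack(">HI", db_id, len(body)) + body

    out += record(0, 1, [(0x20, b"Alice Example"), (0x21, b"+1 555 0100")])
    out += record(1, 2, [(0x01, b"Inter@ctive Pager Backup/Restore")])
    return bytes(out)


if __name__ == "__main__":
    backup = parse_ipd(build_sample())
    for rec in backup.records:
        print(f"{backup.db_names[rec.db_id]} record {rec.uid}:")
        for f in rec.fields:
            print("\n".join(hexdump(f.data)), "\n")
```

The length checks are the part worth keeping when adapting this to real files: a backup that has been truncated in transit or by a failed copy should fail loudly at the record or field boundary rather than silently yield partial records, and the database-ID check catches records that point outside the name table.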
Once you have completed the procedures described up to this point, you’ll want to transfer the backed up data to another device such as a PC. One way to do this is to use a free Research in Motion (RIM) tool called the “Simulator.” You can download this tool by going to the following URL:
Unfortunately, different versions of the Simulator are available for different versions of BlackBerry devices. You’ll thus need to find and download the Simulator that is appropriate for the particular BlackBerry device that is targeted in your forensics investigation. Install and run the Simulator and then click on the Backup/Restore icon. After ensuring that the USB cable connects the BlackBerry and the device to which the forensics dump is to be written, click the Restore option for the ipd file you want to transfer.
The major limitation of using BlackBerry’s built-in backup program is that it produces a file-by-file, not a bit-by-bit, backup: it captures only the live database records, not deleted data or unallocated storage. For some purposes this type of backup might be acceptable, but widely accepted forensics procedures dictate that a bit-by-bit backup be made. To obtain this type of backup, you’ll need to use a third-party forensics tool that works on BlackBerrys.
One major advantage of the BlackBerry in forensics investigations is that you don’t have to do anything like “jailbreaking” (discussed in my previous blog entry) to run a forensics tool on BlackBerry devices. Still, conducting forensics investigations on these devices involves more procedural steps than might meet the eye and thus is just about as difficult as conducting such investigations on iPhones. The bottom line is that there are no instant and easy solutions for forensics on smartphones.