Friday, March 23, 2012
What's in an IPD?
I responded to an email yesterday on the CCE listserv about what data might be backed up from a BlackBerry into an IPD file. That very long response is reproduced below, with some links to downloads and typo corrections.
The subsequent offline conversation resulted in a request that I post a document outlining what can be found on a BB device. Hence I thought I would share, across all the listservs I belong to, what is already available on the Internet.
I have attached a PDF of the presentation I gave at the Mobile Forensics Conference in Chicago in 2009. There are over 100 slides in this presentation, which is based on the research data I collected between 2008 and 2009 with the assistance of my LE colleagues. So a word of caution: the information in this document may be outdated.
Link to SkyDrive folder containing two articles:
1. MFW 2009 Presentation on BlackBerry Forensics
2. Published article in SSDFJ on Mobile Device Forensics
Re: what is contained in an IPD file? There is a list of databases describing the contents of the IPD within the MFW 2009 presentation. This is not an updated list by any means, and it is based on what ABC Amber BlackBerry Converter (now Elcomsoft BlackBerry Explorer - EBBE) parses. In other words, more databases exist within the IPD file than ABC/EBBE parses. When you open the ABC or EBBE tool there is a link (in the left pane) to the database listing that identifies what the tool will parse. This will give you a general idea of what to expect to find in an IPD file.
One important thing to be aware of is that within the IPD file structure there is a database called the Content Store. This database contains the hardware identifier information, such as the BB model number, its PIN #, the IMEI (if GSM) or ESN/MEID (if CDMA), and the network frequencies on which the device operates; the device's phone number has also been observed in it. So how do we find this data? Try a case-sensitive keyword search for GSM or CDMA and you should hit on it quite easily.
For those that are into self-induced headaches and general mental anguish, you can read this article about the IPD structure: http://code.google.com/p/bbIPD/ - likely the only decent open source article I have perused. And if you still haven't had enough, then see this link: http://us.blackberry.com/devjournals/resources/journals/jan_2006/ipd_file_format.jsp.
To get a raw-level understanding or view of the IPD databases, please download Rubus by CCL Forensics (a FREE tool developed by Alex Caithness) - http://www.cclforensics.com/Software/rubus-ipd-de-constructor-utility.html. For those that are Python-oriented and have scripting skills (sadly I don't - sigh), see this link: http://code.google.com/p/ccl-ipd/.
For more free goodies please see Yogesh Khatri's excellent blog: http://www.swiftforensics.com/2012/01/blackberry-ipd-research-phone-history.html and also his IPD Extractor EnScript (EnCase v6 only), which extracts data from BlackBerry backup (IPD) files - http://www.swiftforensics.com/p/downloads.html.
If you have gotten this far in the email, then check out this site: http://chirashi.zenconsult.net/ - it has several good articles on BB forensics, malware analysis and other DF content. It is maintained by a very good friend, teacher, and fellow research colleague, Sheran Gunasekera (on a side note, he is publishing a book on Android Apps Security - http://www.apress.com/mobile/android/9781430240624).
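To make the "raw-level view" and the case-sensitive GSM/CDMA search concrete, here is an added Python example (my own illustration, not code from the page, from Rubus or from the ccl-ipd project). It builds a tiny, constructed IPD-shaped byte string with an "Address Book" and a "Content Store" database, walks the database name table and the record/field structure, and then searches the parsed fields for GSM or CDMA the way the email suggests. The byte layout it assumes (header string, one version byte, big-endian database count, a spare byte, a table of length-prefixed null-terminated database names, then records of database id, record length, database version, handle, unique id and length-prefixed typed fields) follows the public IPD descriptions linked above; the identifier values inside the sample are made up, and field boundaries on a real backup should be checked against Rubus output.

```python
"""Parse a minimal BlackBerry IPD backup and locate the Content Store
hardware identifiers with a case-sensitive keyword search (added example).

Assumed layout: header string, version byte, big-endian database count,
spare byte, [u16 len][name\\0]... name table, then records of
[u16 db id][u32 record len][db version][u16 handle][u32 uid][fields...],
each field being [u16 len][u8 type][data]. Verify against a real file."""

import struct

IPD_MAGIC = b"Inter@ctive Pager Backup/Restore File\n"


def build_sample_ipd():
    """Construct a tiny IPD-shaped byte string for offline testing.
    All identifier values here are made up; a real Content Store differs."""
    db_names = [b"Address Book", b"Content Store"]
    names = b"".join(struct.pack("<H", len(n) + 1) + n + b"\x00" for n in db_names)
    header = IPD_MAGIC + b"\x02" + struct.pack(">H", len(db_names)) + b"\x00"

    def record(db_id, fields):
        body = b"".join(struct.pack("<HB", len(d), t) + d for t, d in fields)
        rec = b"\x00" + struct.pack("<H", 1) + struct.pack("<I", 0x1000 + db_id) + body
        return struct.pack("<HI", db_id, len(rec)) + rec

    recs = record(0, [(1, b"Jane Doe"), (2, b"+15555550100")])
    recs += record(1, [(1, b"GSM"), (2, b"IMEI=123456789012345"),
                       (3, b"PIN=2ABC1234"), (4, b"Model=9700")])
    return header + names + recs


def parse_ipd(data):
    """Return (database_names, records); each record is
    (db_name, [(field_type, field_bytes), ...])."""
    if not data.startswith(IPD_MAGIC):
        raise ValueError("not an IPD file: header string missing")
    pos = len(IPD_MAGIC)
    pos += 1                                    # format version byte
    (db_count,) = struct.unpack_from(">H", data, pos)
    pos += 2
    pos += 1                                    # spare/separator byte
    names = []
    for _ in range(db_count):                   # length includes the NUL
        (n,) = struct.unpack_from("<H", data, pos)
        pos += 2
        names.append(data[pos:pos + n].rstrip(b"\x00").decode("latin-1"))
        pos += n
    records = []
    while pos + 6 <= len(data):
        db_id, rec_len = struct.unpack_from("<HI", data, pos)
        pos += 6
        rec = data[pos:pos + rec_len]
        pos += rec_len
        fields, fpos = [], 7                    # skip db version, handle, uid
        while fpos + 3 <= len(rec):
            flen, ftype = struct.unpack_from("<HB", rec, fpos)
            fpos += 3
            fields.append((ftype, rec[fpos:fpos + flen]))
            fpos += flen
        name = names[db_id] if db_id < len(names) else f"<unknown db {db_id}>"
        records.append((name, fields))
    return names, records


def find_network_type(records, keywords=(b"GSM", b"CDMA")):
    """Case-sensitive search over parsed fields, as the email suggests.
    Returns (db_name, keyword, decoded sibling fields) for the first hit,
    or None when no field contains one of the keywords."""
    for name, fields in records:
        for _, fdata in fields:
            for kw in keywords:
                if kw in fdata:                 # bytes 'in' is case sensitive
                    siblings = [d.decode("latin-1", "replace") for _, d in fields]
                    return name, kw.decode(), siblings
    return None


if __name__ == "__main__":
    names, recs = parse_ipd(build_sample_ipd())
    print("databases:", names)
    print("hit:", find_network_type(recs))
```

Running it prints the two database names and a hit in "Content Store" alongside the sibling fields (the constructed IMEI, PIN and model strings), which is exactly the neighbourhood you would inspect after a keyword hit in a forensic tool; a lower-case search term returns no hit, which is why the email stresses case sensitivity.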
Is there newer, updated content? Yes - there is an Advanced BlackBerry Forensics Course that I have developed for Teel Technologies. This is 13 chapters' worth of material (roughly 700-800 pages; I have lost count). No, there is no secret sauce in this training, just hard-earned understanding, many countless late nights, and days of doing digital forensics. LE-sensitive content is purposely excluded from this material. No, it's not for sale as an eBook or self-published print copy, yet - although I have tinkered with the idea, I don't quite have the right solution in mind for publication. The course outline can be found here: http://www.teeltech.com/tt3/blackberry4.asp?cid=16.
Check the Teel Tech website for the next set of scheduled classes for LE members. Now the caveat (why does there always have to be a but...?) - sorry, I can't help it. My primary LE job in digital forensics restricts what I can and cannot do. Hence the Advanced BlackBerry Course is restricted to LEOs or LEO affiliates only. I cannot teach groups or entities that engage in defence work. No, it's not a personal thing; I don't hold anything against respectable DF consultants/practitioners that work for the defence.
Okay, for those non-LEO folks that are groaning right about now, and rightly so: there is an Advanced Smart Phone Class offered by Teel Technologies where the first 6 chapters of the Advanced BlackBerry Course are presented in a condensed format, see this link: http://www.teeltech.com/tt3/smartphoneclass.asp?cid=18.
Dr Gary Kessler has done a wonderful job of transposing the contents of these chapters into PowerPoints for upcoming Advanced Smart Phone Classes. As I am not directly involved in teaching this class or its development, I don't believe there is an LE-only restriction. Please check with Teel Technologies, however, to verify this. I hope this information will help someone. I welcome any replies.