Tuesday, January 11, 2011

BlackBerry IPD Files

IPD Files Demystified
BlackBerry handheld devices have long been a favorite of the corporate executive, but with the release of a more mainstream, multimedia-capable device in the Pearl and an aggressive advertising campaign, the BlackBerry is bound to become a more popular device with non-corporate users as well.
This mini white paper describes the structure of the BlackBerry backup (IPD) file for the forensic examiner.
The IPD: What is it?
The BlackBerry Desktop software creates a proprietary backup of the databases on the BlackBerry handheld. By default the file is named in the following fashion:
Backup-(current date, time and year)-.ipd
The file is also written by default to the user's "My Documents" folder, although the user may change both the name and the location. The IPD file itself is a database of the databases.
IPD STRUCTURE
Below is a graphic of the IPD file.

As you can see from the graphic, the IPD file begins with the string Inter@ctive Pager Backup/Restore File. The examiner may find this string useful in searches for hidden IPD files or for IPD data in unallocated space.
Following this "header", the structure continues as shown in the graphic below.

Here we can see a one-byte line feed (0x0A), followed by a one-byte version (0x02) and a two-byte count of the number of databases in the file (in the above case 0x3F).
Finally, after a one-byte separator (0x00), the names of the databases follow.
DATABASE NAME STRUCTURE
The database names within the file are constructed as follows:
  • Database name length: 2 bytes (the length includes the terminating null)
  • Database name: as long as the name length above
This is illustrated in the following graphic

After the database name length and name table, each database record follows this structure:
  • Database ID: 2 bytes (zero-based position in the list of DB name blocks)
  • Record length: 4 bytes
  • Database version: 1 byte
  • DatabaseRecordHandler: 2 bytes
  • Record unique ID: 4 bytes
  • Field length #1: 2 bytes
  • Field type #1: 1 byte
  • Field data #1: as long as field length #1
  • …
  • Field length #m: 2 bytes
  • Field type #m: 1 byte
  • Field data #m: as long as field length #m
Each record begins with the database ID, which ties the record back to its entry in the name table, followed by the record length, the database version, the record handler and the record's unique ID. Each record then carries a variable number of fields (shown in the table as field #1 … field #m), and each field has the same length, type and data structure.
This is illustrated in the below graphic

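To make the header, name table and record layouts above concrete, here is a small parser that walks an IPD byte string in the order the two preceding sections describe. This is an added example, not code from the original post or from BlackBerry. It assumes the database count is stored big-endian, that name lengths, record lengths, handles, unique IDs and field lengths are little-endian, and that the four-byte record length covers everything from the database version byte through the last field; none of these byte orders is stated on the page. The sample IPD content is constructed inline with a matching builder so the example runs offline; the field type values in it are made up and carry no BlackBerry meaning.

```python
import struct

# Magic string that opens every IPD file (from the page).
MAGIC = b"Inter@ctive Pager Backup/Restore File"


def build_ipd(names, records, version=0x02):
    """Serialise an IPD file. records = [(db_id, handle, uid, [(ftype, fdata), ...]), ...]."""
    out = bytearray(MAGIC + b"\n" + bytes([version]))
    out += struct.pack(">H", len(names))   # database count; big-endian is an assumption
    out += b"\x00"                         # one-byte separator before the name table
    for name in names:
        raw = name.encode("latin-1") + b"\x00"   # name length counts the terminating null
        out += struct.pack("<H", len(raw)) + raw
    for db_id, handle, uid, fields in records:
        body = bytes([version]) + struct.pack("<HI", handle, uid)
        for ftype, fdata in fields:
            body += struct.pack("<H", len(fdata)) + bytes([ftype]) + fdata
        # record length = version byte + handle + uid + all fields (assumption)
        out += struct.pack("<HI", db_id, len(body)) + body
    return bytes(out)


def parse_ipd(data):
    """Walk an IPD byte string and return header, database names and records."""
    if not data.startswith(MAGIC) or len(data) < len(MAGIC) + 5:
        raise ValueError("magic string missing or header truncated: not an IPD file")
    pos = len(MAGIC)
    if data[pos] != 0x0A:
        raise ValueError("expected 0x0A line feed after magic string")
    version = data[pos + 1]
    (db_count,) = struct.unpack_from(">H", data, pos + 2)
    if data[pos + 4] != 0x00:
        raise ValueError("expected 0x00 separator before database names")
    pos += 5

    names = []
    for _ in range(db_count):
        if len(data) - pos < 2:
            raise ValueError("truncated database name table")
        (name_len,) = struct.unpack_from("<H", data, pos)
        pos += 2
        raw = data[pos:pos + name_len]
        if len(raw) != name_len:
            raise ValueError("truncated database name at offset %d" % pos)
        pos += name_len
        names.append(raw.rstrip(b"\x00").decode("latin-1"))

    records = []
    while pos < len(data):
        if len(data) - pos < 6:
            raise ValueError("truncated record header at offset %d" % pos)
        db_id, rec_len = struct.unpack_from("<HI", data, pos)
        pos += 6
        end = pos + rec_len
        if rec_len < 7 or end > len(data):
            raise ValueError("truncated record for database %d at offset %d" % (db_id, pos))
        db_version = data[pos]
        handle, uid = struct.unpack_from("<HI", data, pos + 1)
        pos += 7
        fields = []
        while pos < end:                       # field #1 ... field #m
            if end - pos < 3:
                raise ValueError("truncated field header at offset %d" % pos)
            (flen,) = struct.unpack_from("<H", data, pos)
            ftype = data[pos + 2]
            pos += 3
            if pos + flen > end:
                raise ValueError("field overruns its record at offset %d" % pos)
            fields.append((ftype, data[pos:pos + flen]))
            pos += flen
        records.append({
            "database": names[db_id] if db_id < len(names) else None,  # None = dangling ID
            "db_id": db_id, "db_version": db_version,
            "handle": handle, "uid": uid, "fields": fields,
        })
    return {"version": version, "databases": names, "records": records}


# Constructed sample: two database names and two records (field types are made up).
SAMPLE_NAMES = ["Phone Call Logs", "SMS Messages"]
SAMPLE_RECORDS = [
    (1, 0x0001, 0x10000001, [(0x04, b"+15550100"), (0x01, b"Test message body")]),
    (0, 0x0002, 0x10000002, [(0x02, b"\x00\x00\x00\x3c")]),
]
SAMPLE_IPD = build_ipd(SAMPLE_NAMES, SAMPLE_RECORDS)

if __name__ == "__main__":
    parsed = parse_ipd(SAMPLE_IPD)
    print("version", parsed["version"], "databases", parsed["databases"])
    for rec in parsed["records"]:
        print(rec["database"], hex(rec["uid"]), [(t, d) for t, d in rec["fields"]])
```

The parser refuses to read past a record's declared length or past the end of the buffer, which matters for an examiner feeding it a carved or partially overwritten file: a truncated record raises a ValueError with the offset instead of silently returning garbage, and a database ID with no matching name is reported as None rather than crashing.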
This short white paper has attempted to show the structure of the BlackBerry backup file, commonly known as the IPD file. The IPD file can be loaded into a BlackBerry simulator or into third-party software such as the Amber BlackBerry Converter to extract evidence. Examiners are encouraged to do their own research and validation of the file format.
CITATIONS
1. http://www.BlackBerry.com/developers/journal/jan_2006/ipd_file_format.shtm