IPD Files Demystified

Black Berry handheld devices have long been a favorite of the corporate executive but now with the release of a more mainstream multimedia capable mobile device in the Pearl and an aggressive advertising campaign, the Black Berry is bound to become a more popular device with non corporate types as well.

This mini white paper discusses the structure of the Black Berry backup or IPD file for the forensic examiner.

The IPD What is it?

The Black Berry Desktop software creates a proprietary backup of the databases on the Black Berry Handheld. This file is by default named in the following fashion

Backup-(current date,time and year)-.ipd

The files also default to the user’s “My Documents” folder. This, of course, may be changed by a user. The IPD file itself is a database of the databases.

IPD STRUCTURE

Below is a graphic of the IPD file.

As you can see from the graphic the IPD file begins with Inter@ctive Pager Backup/Restore File. The examiner may find this to be of use in search strings to find hidden or unallocated files.

Following this “header” the structure follows as is shown in the graphic below.

Here we can see that we have an one byte line feed (x/OA) followed by an one byte version (x/02) and a two byte indicator of the number of data bases in the file (in the above case x/3F).

Finally the names of the Databases follow after a 1 byte separator (x/00).

DATABASE NAME STRUCTURE

The databases within the file are constructed as follows

• Database name length 2 bytes the length includes terminating null
• Database name As long as the name length above

This is illustrated in the following graphic

After the database name length and name the database follows the following structure

• Database ID Two bytes zero based position in the list of DB name blocks
• Record Length 4 bytes
• Database version 1 byte
• DatabaseRecordHandler 2 bytes
• Record Unique ID 4 bytes
• Field length #1 2 bytes
• Field type #1 1 byte
• Field data #1 As long as field length
• Field length #m 2 bytes
• Field type #m 1 byte
• Field data #m As long as the field length

The database has a unique id that is followed by the record length and the record ID. Each record will have a variable number of fields (as shown in the table by field #1 …field #m) that have a structure of length, type and data.

This is illustrated in the below graphic

This short white paper attempted to show the structure of the Black Berry backup file commonly known as the IPD file. The IPD file can be loaded into a Black Berry simulator or third party software such as the Amber Black Berry Converter to extract evidence. Examiners are encouraged to do their own research and validation into the file.

CITATIONS

1. http://www.BlackBerry.com/developers/journal/jan_2006/ipd_file_format.shtml

Here’s a how-to for Black Berry forensic examinations. Just a fraction of the cost you’d have to pay for a 90 minute webinar at some training sites-FREE.

I hope its useful for you.

HARDWARE NEEDED

• BlackBerry (duh)
• USB Cable
• Cradle (if its that type)
• Forensic Computer (see the reference to the BlackBerry)

SOFTWARE NEEDED

• BlackBerry Desktop Software
• BlackBerry Simulator for your device model (more on this later)
• Amber Blackberry Converter-not free but only 19.95 USD for a license-plus you get a thirty day trial.

Ok now that we are armed with our needed equipment, lets proceed to do our forensic magic.

USING THE DESKTOP SOFTWARE AND SIMULATOR

First install the desktop software. After this is done, you need to make sure that the connection is set for USB. Look at Options->Connection Settings and from the combo box select USB. Ok now connect the suspect’s Blackberry to your system (did you protect it from the network and make sure it was charged…? )

!!CAVEAT!!: If the BlackBerry needs a PIN-get it or get the PUK. This will not work without it. If you fail to do this, and use up your attempts to enter PIN/PUK you will wipe the device.

Now with the device connected make a backup of the handheld. Double Click the Backup/restore Icon and then choose backup (this may differ depending on the version of desktop software you are using). Direct the backup (*.ipd File) to where you want to save it and name it. Then make sure you choose all databases. I recommend making a working copy and a archive copy. Now reseal and store your exhibit.

Ok time to get out the Simulator…but wait, you say, how do I know what Simulator I need to use…there are so many choices. Glad you asked. Prior to downloading the Simulator you neeed to check something on the BlackBerry-its OS version. This is located from the mail screen under Options-About. You are looking for the platform version number as shown below (specific to my BB).

Blackberry 7130e
WirelessHandheld (CDMA)
v4.1.0.268(Platform 2.2.0.9)

Once you have this go to the link above and find the Simulator for this group of BlackBerry Devices download and install the Simulator.

Now with that installed, fire up the Simulator for your device. The Desktop software should be fooled into thinking a BB device is connected tot he computer.

Again, choose the backup/restore icon and this time restore the backup file you created. Make sure to choose all the databases. Once this completes you are looking at the exact handheld you seized albeit virtually. Pretty cool huh? Just take screencaps/vids of the device and you have your evidence.

Two side notes the Similator behaves just like a regular BB, i.e. you can click the trackwheel and escape key. If you want to see call times make sure that you enable call logging by going to the phone icon, clicking the trackwheel, coosing options and “call logging”.

USING AMBER BLACKBERRY CONVERTER

This is even easier. Once you have fired up the converter, simply click the link that says to load the IPD and the converter will load the file and show you tabs for SMS, EMAIL, call records and contacts..notice the options for PDF, HTML and Excel export…How easy is THAT?? One thing it doesnt do is pull out pictures (though it grabs MMS) that are saved…bummer but only a small one.

OTHER TIPS/TRICKS

Take the *.IPD file and load it into EnCase or FTK and index. This can give you fast access to keywords. You can also carve for pictures (though not deleted).

If you have read to here, I hope you have found this useful. I plan to add a short discussion on the structure of the IPD file-WARNING HEX AHEAD!!!