BlackBerry IPD Files

IPD Files Demystified

BlackBerry handheld devices have long been a favorite of the corporate executive, but with the release of the Pearl, a more mainstream multimedia-capable mobile device, and an aggressive advertising campaign, the BlackBerry is bound to become more popular with non-corporate types as well.

This mini white paper discusses the structure of the BlackBerry backup file, or IPD file, for the forensic examiner.

The IPD: What Is It?

The BlackBerry Desktop software creates a proprietary backup of the databases on the BlackBerry handheld. By default this file is named in the following fashion:

Backup-(current date,time and year)-.ipd

The files also default to the user’s “My Documents” folder. This, of course, may be changed by a user. The IPD file itself is a database of the databases.

IPD STRUCTURE

Below is a graphic of the IPD file.

As you can see from the graphic, the IPD file begins with the string Inter@ctive Pager Backup/Restore File. The examiner may find this useful in search strings for locating hidden or unallocated files.

After this “header”, the structure continues as shown in the graphic below.

Here we can see a one-byte line feed (0x0A), followed by a one-byte version (0x02) and a two-byte indicator of the number of databases in the file (0x3F in the above case).

Finally, the names of the databases follow after a one-byte separator (0x00).

DATABASE NAME STRUCTURE

The databases within the file are constructed as follows:

  • Database name length: 2 bytes (the length includes the terminating null)
  • Database name: as long as the name length above

This is illustrated in the following graphic

After the database name length and name, the database has the following structure:

  • Database ID: 2 bytes (zero-based position in the list of DB name blocks)
  • Record length: 4 bytes
  • Database version: 1 byte
  • DatabaseRecordHandler: 2 bytes
  • Record unique ID: 4 bytes
  • Field length #1: 2 bytes
  • Field type #1: 1 byte
  • Field data #1: as long as the field length
  • Field length #m: 2 bytes
  • Field type #m: 1 byte
  • Field data #m: as long as the field length

The database has a unique ID that is followed by the record length and the record ID. Each record has a variable number of fields (shown in the list above as field #1 … field #m), each with a structure of length, type and data.

This is illustrated in the below graphic
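
The layout listed above, as an added example (not code from the original paper or from BlackBerry): a parser that walks the header, the database name blocks and the records, rejecting lengths that run past the data. The page does not state byte order or what the record length covers, so the example assumes a big-endian database count, little-endian values elsewhere, and a record length that counts the bytes after the length field; the sample file, the name "Memos" and the field types 1 and 2 are constructed.

```python
import struct

MAGIC = b"Inter@ctive Pager Backup/Restore File"

def parse_ipd(buf):
    """Return (version, database names, records) from the bytes of an IPD file."""
    if not buf.startswith(MAGIC + b"\x0a"):
        raise ValueError("missing IPD signature")
    pos = len(MAGIC) + 1
    # Version (1 byte), database count (2 bytes, ASSUMED big-endian), 0x00 separator.
    version, db_count, sep = struct.unpack_from(">BHB", buf, pos)
    if sep != 0:
        raise ValueError("bad separator after database count")
    pos += 4
    names = []
    for _ in range(db_count):
        (nlen,) = struct.unpack_from("<H", buf, pos)  # length includes the null
        raw = buf[pos + 2:pos + 2 + nlen]
        if len(raw) != nlen or not raw.endswith(b"\x00"):
            raise ValueError("truncated or unterminated database name")
        names.append(raw[:-1].decode("ascii", "replace"))
        pos += 2 + nlen
    records = []
    while pos < len(buf):
        # ASSUMED: record length counts every byte after the length field itself.
        db_id, rec_len = struct.unpack_from("<HI", buf, pos)
        body = buf[pos + 6:pos + 6 + rec_len]
        if len(body) != rec_len or rec_len < 7 or db_id >= db_count:
            raise ValueError(f"corrupt record at offset {pos}")
        db_ver, handler, uid = struct.unpack_from("<BHI", body, 0)
        fields, off = [], 7
        while off < rec_len:
            flen, ftype = struct.unpack_from("<HB", body, off)
            data = body[off + 3:off + 3 + flen]
            if len(data) != flen:
                raise ValueError(f"field overruns record at offset {pos}")
            fields.append((ftype, data))
            off += 3 + flen
        records.append({"db": names[db_id], "db_version": db_ver,
                        "handler": handler, "uid": uid, "fields": fields})
        pos += 6 + rec_len
    return version, names, records

def build_sample():
    """Constructed input: one database, "Memos", holding one two-field record."""
    fields = struct.pack("<HB", 5, 1) + b"Title" + struct.pack("<HB", 4, 2) + b"body"
    body = struct.pack("<BHI", 0, 1, 0x1234) + fields
    head = MAGIC + b"\x0a\x02" + struct.pack(">H", 1) + b"\x00"
    return head + struct.pack("<H", 6) + b"Memos\x00" + struct.pack("<HI", 0, len(body)) + body
```

Input that ends inside one of the fixed-size headers raises `struct.error` rather than `ValueError`, so a caller working on carved or damaged files should catch both.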

This short white paper attempted to show the structure of the BlackBerry backup file, commonly known as the IPD file. The IPD file can be loaded into a BlackBerry simulator or third-party software such as the Amber BlackBerry Converter to extract evidence. Examiners are encouraged to do their own research and validation into the file.

CITATIONS

1. http://www.BlackBerry.com/developers/journal/jan_2006/ipd_file_format.shtml

7 comments

  1. Cygnus

    Hi, thanks for this article !
    I tried to find the structure for ipd file, but both links are outdated ..
    Would you have a copy of it ?
    Thanks again !

  2. dan

    1. What does IPD stand for ???
    2. The graphics mentioned in this article are not opening please.
    3. Where to find the Amber Black Berry converter ??

  3. gdv

    [I tried to post the following comment 2 days ago, but was not yet subscribed as a WordPress user, so I don’t see the comment posted when I’m logged in. If I’m not logged in, the post appears but says it is awaiting moderation. So I apologize if it eventually ends up appearing twice here.]

    @Cygnus (or anyone else searching for the original BlackBerry.com article):

    I just revisited this site after first visiting it Dec 31, 2008. At that time I tried to leave the following post, but was unable to do so (for some reason I no longer recall, if I ever knew)… …so since I still have the draft I wrote at that time, and the links in it are still good today, I’ll post it now:

    Try an Internet Archive Wayback Machine (http://www.archive.org/web/web.php) search for archived versions of the page.

    For example, I found a link to an archived version of the original Mar 12 2007 link above (http://www.blackberry.com/developers/journal/jan_2006/ipd_file_format.shtml) dated April 28, 2007 on the Wayback page that still works at this time:

    http://web.archive.org/web/20070428052118/http://www.blackberry.com/developers/journal/jan_2006/ipd_file_format.shtml

    A Wayback Machine search for the Aug 31 2008 link above (http://na.blackberry.com/eng/developers/resources/journals/jan_2006/ipd_file_format.jsp) only yielded archives without the images or that wouldn’t load properly (at least in my browser), but a Google search for “BlackBerry Developers Journal” yielded http://na.blackberry.com/eng/devjournals/resources/journals/, and the January 2006 issue has a link to the article at: http://na.blackberry.com/eng/devjournals/resources/journals/jan_2006/ipd_file_format.jsp (which appears to be the current URL of the link posted Aug 31, 2008 above).

    There is also a link on that page to a PDF version at http://na.blackberry.com/eng/devjournals/resources/journals/jan_2006/BlackBerryDeveloperJournal-0301.pdf

  4. Darek Wax

    It was extremely interesting for me to read that article. Thanx for it. I like such topics and anything that is connected to this matter. I would like to read a bit more on that blog soon.

    Truly yours
