My Road to Digital Forensics Excellence

Archive for May, 2010

BlackBerry IPD Files

Posted by Paul Bobby on May 6, 2010

I have added a new EnScript to the “My Files” page that can partially parse a BlackBerry IPD file. The great tool ABC Amber BlackBerry Converter does a fantastic job and, for the price, can’t be beat. But I found the format of the IPD file at the website, so why not give it a go in EnScript?

It’s an interesting structure in that the entire file must be processed before any data can be retrieved. Each component of the IPD file is called a database. For example, SMS text messages are stored in the “SMS Messages” database. There is no pointer to the start of that data, so the initial list of databases must be parsed first, followed by each individual database in turn, until you reach the start of the SMS Messages. BlackBerry indicates that it is okay with this inefficient processing, during both creation and reading of the file, since the format is designed as a backup method only and not as a real-time data store.
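
An added example (Python, not the author's EnScript and not code from this post) of the front-to-back walk described above. The byte layout used here (signature string, big-endian database count, little-endian lengths, record and field headers) is an assumption taken from the published IPD format description rather than from this page, and the sample file and its field type numbers are constructed.

```python
import struct

MAGIC = b"Inter@ctive Pager Backup/Restore File\n"  # assumed file signature

def build_sample():
    """Constructed two-database IPD image; field types 1, 2, 4 are arbitrary."""
    names = [b"Address Book", b"SMS Messages"]
    out = MAGIC + b"\x02" + struct.pack(">H", len(names)) + b"\x00"
    for n in names:  # name block: length (incl. NUL), then the name
        out += struct.pack("<H", len(n) + 1) + n + b"\x00"
    def record(db_id, uid, fields):
        body = struct.pack("<BHI", 0, 1, uid)  # db version, handle, unique id
        body += b"".join(struct.pack("<HB", len(d), t) + d for t, d in fields)
        return struct.pack("<HI", db_id, len(body)) + body
    out += record(0, 100, [(1, b"Alice")])
    return out + record(1, 200, [(4, b"Running late"), (2, b"5551234")])

def parse_ipd(data):
    """Walk the whole file front to back; return (database names, records)."""
    if not data.startswith(MAGIC):
        raise ValueError("not an IPD file")
    pos = len(MAGIC)
    _version, count, _sep = struct.unpack_from(">BHB", data, pos)
    pos += 4
    names = []
    for _ in range(count):
        (n,) = struct.unpack_from("<H", data, pos)
        names.append(data[pos + 2:pos + 2 + n].rstrip(b"\x00").decode("ascii", "replace"))
        pos += 2 + n
    records = []
    while pos + 6 <= len(data):  # no offset table: each record says only its own length
        db_id, rec_len = struct.unpack_from("<HI", data, pos)
        start, end = pos + 6, pos + 6 + rec_len
        if db_id >= count or rec_len < 7 or end > len(data):
            raise ValueError(f"corrupt or truncated record at offset {pos}")
        _dbver, _handle, uid = struct.unpack_from("<BHI", data, start)
        fpos, fields = start + 7, []
        while fpos + 3 <= end:  # field: 2-byte length, 1-byte type, data
            flen, ftype = struct.unpack_from("<HB", data, fpos)
            if fpos + 3 + flen > end:
                raise ValueError(f"field overruns record at offset {fpos}")
            fields.append((ftype, data[fpos + 3:fpos + 3 + flen]))
            fpos += 3 + flen
        records.append((names[db_id], uid, fields))
        pos = end
    return names, records

def sms_records(data):
    return [r for r in parse_ipd(data)[1] if r[0] == "SMS Messages"]
```

The length checks matter on real evidence: a backup that was cut short fails with the offset of the bad record instead of silently returning a partial message list.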

The EnScript, in its current form, will only parse the contents of the SMS Messages database. There are some unknowns which I have yet to figure out, namely:

1. How do I get the timestamp information for the SMS Message?
2. What are all the Field Types?

I believe the timestamp is encoded somehow in one of the Fields of the database.

