Welcome to Port3101.org : Your BES Connection Mark forums read | View Forum Leaders
Port3101.org : Your BES Connection

Register Blog Members Sponsors Today's Posts
Quick Login:

Port3101.org > BlackBerry Enterprise Solution > Port 3101: The BES Admin Bar & Grill » BB and BES digital forensics - Need help

Follow Us On





Forum Sponsors


Google Advertisements
Reply
LinkBack Thread Tools Display Modes
BB and BES digital forensics - Need help
 
  #1 (permalink)  
Old 05-21-2010, 01:48 PM
BES Activated
  
Join Date: May 2010
Posts: 1
Default BB and BES digital forensics - Need help
Hi to all port3101 forum members! This is my first post and i apologize in advance if i have started this thread in the wrong forum.

I am a law enforcement officer in Canada, doing digital evidence forensics. I have anlayzed numerous BB devices over the last 6 years. I am seeking assistance in gathering some information on the BES component log BBIM.

I have never seen a BBIM log file. Does some one have one that contains santized data for which i can use and put this log file into a BB forensics book that i am working on? Further does the BBIM log also contain message content or does it just reflect data transactions between BB devices, depending upon the logging level?

BBIM content that is saved to device memory or the memory card is written to a csv file along with a .con and .bak file. Has anyone had a chance to figure these files out.

I know the .con and .bak files contains the following information within:
• Device user’s PIN number
• Device user’s own BlackBerry Messenger name/handle/moniker
• Device user’s status on BBM
• Device user’s JPEG/JPG image that can be seen by his/her BBM contacts
• Device the time zone is set to
• Device user’s BBM contacts identified by their BBM name/handle/moniker, PIN number and status

There are other artifacts that i cannot interpert - can anyone add anything further?

Re the .csv with BBM content please see the attached jpg of sanitized BBM conversation - dates are real and have not been altered. I am interested in finding out how to properly interpret the the 21 digit numeric value

It is apparent that is contains the a yyyymmdd with a string of numerals. Can someone assist me in validating or figuring out the values after the YYYYMMDD?

Full Value: 201001291264804385552
1. YYYYMMDD (first 8 numerals) – 2010-01-29
2. GPS Time in seconds (the next 10 numerals) – 1264804385 = 1/29/2010 3:33:05 PM (-7 GMT) as shown in the figure below from the MapShots website. When using this website to convert GPS time values in seconds, enter the 10 digit value in the seconds field, set your GMT offset and click on “Seconds to Date”.

I look forward to any replies and thank you all for taking the time to read and respond. You can also email me off forum at shafghp@gmail.com.

Cheers

Shafik
Attached Thumbnails
BB and BES digital forensics - Need help-bbm-chat-csv-3.jpg  
Reply With Quote
Sponsored Links
Reply

Bookmarks

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


All times are GMT -4. The time now is 12:37 PM.
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2012, vBulletin Solutions, Inc.

Contact Us - Port3101.org - Archive - Top

Register FAQ Members
 
Copyright ©2008 - 2009, Port3101.org. All Rights Reserved.

vBulletin skin created by CompletevB.com


SEO by vBSEO 3.3.2 PL2