Recovering BlackBerry Messenger Forensic Artifacts

This is the fourth blog post in a series of five about recovering third-party mobile chat applications for your digital forensics investigations.

BlackBerry Messenger (BBM) was the original mobile messaging application, geared towards business users and productive consumers. Originally available only on BlackBerry devices, BBM has since gone cross-platform and is now accessible to Android and iOS users.

Why are BBM Artifacts Important to Your Mobile Forensics Investigations?

While consumer interest in BlackBerry devices has been on the decline, the recent extension of BBM to other operating systems has increased the application’s user base substantially. It has become widely popular in North America, but even more noteworthy is the adoption of BBM in countries such as Indonesia and South Africa, where it is the number one mobile chat application.

The Key Artifacts That Need to Be Found When Investigating BBM

Imaging and gaining root access to BlackBerry devices can be challenging, making it difficult to retrieve key artifacts from the BlackBerry operating system itself. The analysis of BBM artifacts from Android and iOS, on the other hand, is relatively straightforward.

BBM artifacts are stored in a SQLite database called master.db, which can be found in the following locations:

For Android, BBM artifacts can be found at:

/data/data/com.bbm/files/bbmcore/master.db

For iOS, BBM artifacts can be found at:

/private/var/mobile/Applications/%GUID%/Library/bbmcore/master.db

The master.db database contains several tables that provide a wealth of information on a user’s BBM contacts, invitations, messages, file transfers, profiles, and GPS data (if enabled on the device). This data is unencrypted on the device and can be viewed with any SQLite viewer.

There are quite a few tables of interest that store the data mentioned above. The TextMessages table contains the messages along with timestamps and other relevant data. The Contacts, Profile and Users tables store contact and user details, including profile pictures and registration details. The FileTransfers and FileTransferData tables store data on any files that were transferred between BBM users. There are some additional tables in the master.db database that might be of forensic value to an investigator.

The screenshot below is an example of the detailed information available in the TextMessages table for a BBM conversation between two parties. Included in this information is message content, timestamps for sent and received messages, status, state (whether the message has been delivered, read, etc.), PINs, participants, and attachments (if applicable).

BBM for iOS and Android has also recently been updated to include BBM Channels. Previously only available on BlackBerry devices, BBM Channels allows users to subscribe to various “channels” of interest such as a famous person, brand, or organization. Users can interact with that channel by posting and responding to comments and questions.

There are various tables located within the master.db file which will identify channels that a user has subscribed to. Specifically, investigators should examine TableChannels, ChannelPosts, and ChannelComments for artifacts that may be relevant to their case.
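As an added example (not part of the original post, and not Magnet Forensics code), the following Python script locates master.db under an extracted file-system tree using the two paths given above, hashes the file before opening it, opens it read-only, and inventories every table, flagging the ones named in this post. Column names are read from the SQLite schema rather than assumed, because the post describes what the tables hold but not their exact columns; the constructed sample database built by `build_sample_db` uses invented column names purely so the script can be run offline.

```python
import glob
import hashlib
import os
import sqlite3
import tempfile
from pathlib import Path
from typing import Dict, List

# Locations given in the post, relative to the root of an extracted file system.
# For iOS the %GUID% component varies per install, so it is matched with a glob.
BBM_DB_PATTERNS = {
    "android": "data/data/com.bbm/files/bbmcore/master.db",
    "ios": "private/var/mobile/Applications/*/Library/bbmcore/master.db",
}

# Tables the post identifies as forensically interesting.
TABLES_OF_INTEREST = {
    "TextMessages", "Contacts", "Profile", "Users",
    "FileTransfers", "FileTransferData",
    "TableChannels", "ChannelPosts", "ChannelComments",
}


def find_master_db(extraction_root: str, platform: str) -> List[str]:
    """Return every master.db found under the extraction root for the platform."""
    pattern = os.path.join(extraction_root, BBM_DB_PATTERNS[platform])
    return sorted(glob.glob(pattern))


def sha256_file(path: str) -> str:
    """Hash the database before examination so the working copy can be verified later."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _open_readonly(db_path: str) -> sqlite3.Connection:
    """Open with mode=ro so examination cannot modify the evidence copy."""
    return sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)


def inventory(db_path: str) -> Dict[str, dict]:
    """Per table: column names (from the schema), row count, and whether the post names it."""
    conn = _open_readonly(db_path)
    try:
        names = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        result = {}
        for name in names:
            cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{name}")')]
            rows = conn.execute(f'SELECT COUNT(*) FROM "{name}"').fetchone()[0]
            result[name] = {"columns": cols, "rows": rows,
                            "of_interest": name in TABLES_OF_INTEREST}
        return result
    finally:
        conn.close()


def dump_table(db_path: str, table: str, limit: int = 50) -> List[dict]:
    """Return up to `limit` rows of a table as dicts keyed by column name."""
    conn = _open_readonly(db_path)
    conn.row_factory = sqlite3.Row
    try:
        cur = conn.execute(f'SELECT * FROM "{table}" LIMIT ?', (limit,))
        return [dict(r) for r in cur.fetchall()]
    finally:
        conn.close()


def build_sample_db(path: str) -> None:
    """Constructed stand-in for master.db; the column names here are invented."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE TextMessages (Id INTEGER PRIMARY KEY, ConversationId TEXT,
            SenderPin TEXT, Timestamp INTEGER, Content TEXT, State TEXT);
        CREATE TABLE Contacts (Id INTEGER PRIMARY KEY, Pin TEXT, DisplayName TEXT);
        INSERT INTO TextMessages VALUES (1, 'conv-1', '2A0B1C2D', 1400000000, 'hello', 'Read');
        INSERT INTO TextMessages VALUES (2, 'conv-1', '3E4F5A6B', 1400000060, 'hi back', 'Delivered');
        INSERT INTO Contacts VALUES (1, '3E4F5A6B', 'Sample Contact');
    """)
    conn.commit()
    conn.close()


def demo(platform: str = "android") -> dict:
    """Build the constructed sample in a temp tree and run the whole workflow on it."""
    root = tempfile.mkdtemp()
    rel = BBM_DB_PATTERNS[platform].replace("*", "0000-CONSTRUCTED-GUID")
    sample = os.path.join(root, rel)
    os.makedirs(os.path.dirname(sample))
    build_sample_db(sample)
    found = find_master_db(root, platform)
    return {"found": found, "sha256": sha256_file(found[0]),
            "inventory": inventory(found[0]),
            "messages": dump_table(found[0], "TextMessages")}


if __name__ == "__main__":
    out = demo("ios")
    print(out["found"][0], out["sha256"])
    for table, info in out["inventory"].items():
        flag = "*" if info["of_interest"] else " "
        print(f" {flag} {table}: {info['rows']} rows, columns={info['columns']}")
    for row in out["messages"]:
        print("   ", row)
```

On a real extraction, point `find_master_db` at the root of the mounted or carved file system; tables marked `*` in the listing are the ones this post singles out, and `dump_table` works on any of them because it never hard-codes column names.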

Recovering BBM artifacts with Internet Evidence Finder (IEF)

IEF is able to recover BBM evidence from both iOS and Android devices. The software parses data from the master.db database and displays the information within the report viewer, under categories for BBM Messages, Profiles, and Contacts.

From there, IEF will further parse the display name, PIN, personal message, last update (date/time), profile picture, location, and time zone details from any profile or contact listed in master.db. IEF will also display the type, status, state, display name, PIN, sent/received date and time, content, conversation ID, participants, and attachments for any messages it recovers. Any message data stored in unallocated space can also be recovered by IEF, potentially locating valuable deleted conversation details.

[Screenshot: IEF report viewer showing recovered BBM artifacts, with callouts for:]

  1. Message delivery details
  2. User details
  3. Timestamp information
  4. Message contents
  5. Chat participants

The recovery of BBM artifacts from iOS and Android can be quite useful for an investigator dealing with potential mobile chat evidence. IEF is able to parse and carve valuable data from the master.db database, helping investigators recover the necessary evidence quickly and efficiently.

As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie.mcquaid@magnetforensics.com.

Here are some related resources you might also be interested in:

  1. Read the next blog in our series: Using Dynamic App Finder to Recover More Mobile Artifacts
  2. See what IEF is all about: Attend a Demo
  3. Try IEF for Free:

Jamie McQuaid
Forensics Consultant, Magnet Forensics