On newer BlackBerry phones, a database called "Phone History" is now present in IPD files. Anyone who has tried to parse a BlackBerry (BB) IPD file (or has explored the advanced syncing options in the BB Desktop Manager) will know that it consists of several databases internally; the IPD file is essentially a TAR-like archive of all of them. The database that stores all call history information is the "Call Logs" database, and most tools (free and commercial) handle it just fine. RIM has now introduced a second database called "Phone History" which also stores call log information, although not in its entirety. On RIM's website, the only description for this database is:
“Stores information pertaining to phone call history with specific participants (complete history of incoming and outgoing phone calls with selected recipients)”
But the IPD file I have with me does not seem to adhere to RIM's definition. After some discussion with the folks on the DFIR mailing list, Chris Pavan (42 LLC), Shafiq Punja (who has been a keen researcher of IPD files for a long time) and the CTO of Oxygen Forensics (whose product claims to parse this db, but did not handle my IPD), it seems that the exact purpose of this db is as yet unknown. Shafiq has also seen it and tells me that RIM snuck in this new db sometime in the beginning of 2011. Oxygen Forensics' CTO had this to say:
"What we think about this DB is that its data is used as a dictionary of phone numbers used for substitution when a user is typing a new message and entering the number. So even if a record with this phone number has been deleted from the log, this number can be used for substitution. Also, it looks like the durations for each record reflect the cumulative length of all calls related to this phone number, not a single call. So, this DB is not a kind of copy of the Call Log but separate data..."
Analyzing the “Phone History” Database
What I've noticed is that not every call gets an entry here, only the most recent call to or from each number. So if there were 100 calls involving only 10 unique numbers (placed, received or missed), then 10 entries would be found here, each storing the time of the last call. You do occasionally find multiple entries for the same number, but they are separated by a month or more. Regardless of how or why RIM puts these entries here, the fact is that they are present and are a very good source of evidence of call activity. The normal "Call Logs" db only holds calls from the last 30 days, but this database has entries that are much older. BB allows a user to selectively delete call records; the records shown on the device map 1:1 onto the "Call Logs" db, so if a user deletes a call record, it is deleted there too. But since the user has no interaction with the "Phone History" db, an entry made here by the BB internally stays put, in effect giving the investigator "deleted call data". This db captures the date and time of the call, the phone number, the contact name and the call type, but not the call duration! (This conflicts with Oxygen's reading, quoted above, of a cumulative duration field; which field, if any, holds a duration remains unconfirmed.)
Technical Specifications for parsing “Phone History” db
The format of each DB record header (the same for every record in an IPD file) is:
2 byte DB ID
4 byte Length
3 bytes: DB version (1 byte) + record handle (2 bytes)
4 bytes record ID
This is followed by the individual fields, each having this format:
2 byte Field Length
1 byte Field Type
x byte Field Data (x = Field Length)
Each record within the DB consists of a header and several fields. The fields present in the "Phone History" db are shown below.
ID | Field
1 | 0x73 always
2 | Unknown, possibly the number of times called
3 | Date/time of last call (BB date format, the same as used in Call Logs)
4 | Call type (RECEIVED = 0, PLACED = 1, MISSED = 2)
5 | Phone number (ASCII string)
6 | 0 or 0xFFFFFFFFFFFFFFFF only
7 | Unknown at the time of writing (per the update below, the UID of the contact)
8 | Always 1
9 | DB record UID
10 | Name of contact (ASCII string)
Below is a db snippet in a hex editor for a single record.
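As an added example (not code from the original post, nor any vendor's parser), here is a small Python parser for the record header and field layout described above, run over constructed "Phone History" records. It takes the record stream of an IPD (the bytes after the database-name table) and the DB ID that the name table assigns to "Phone History". Everything the post does not state is an assumption and is marked as such in the code: all multi-byte integers are little-endian, the 4-byte record length counts the 7 header bytes after it plus all fields, the BB date is 8-byte milliseconds since the Unix epoch, strings are NUL-terminated, and the DB ID 0x42 and all sample values are made up. The final helper shows the correlation an examiner would do with the "Call Logs" db: Phone History numbers that no longer appear in Call Logs are candidates for deleted or aged-out calls.

```python
import struct
from datetime import datetime, timedelta, timezone

# Field IDs of the "Phone History" db as listed in the table above.
FIELD_NAMES = {
    1: "const_0x73", 2: "unknown_maybe_call_count", 3: "last_call_time",
    4: "call_type", 5: "phone_number", 6: "flag_0_or_all_ff",
    7: "contact_uid", 8: "const_1", 9: "record_uid", 10: "contact_name",
}
CALL_TYPES = {0: "RECEIVED", 1: "PLACED", 2: "MISSED"}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def bb_date(raw):
    # Assumption: BB date = 8-byte little-endian milliseconds since the Unix epoch.
    return EPOCH + timedelta(milliseconds=int.from_bytes(raw, "little"))


def parse_fields(payload):
    """Split a record payload into {field_type: raw_bytes} using the
    2-byte length / 1-byte type / data layout (length assumed little-endian)."""
    fields, off = {}, 0
    while off < len(payload):
        if off + 3 > len(payload):
            raise ValueError("truncated field header at offset %d" % off)
        flen, ftype = struct.unpack_from("<HB", payload, off)
        off += 3
        if off + flen > len(payload):
            raise ValueError("field type %d runs past end of record" % ftype)
        fields[ftype] = payload[off:off + flen]
        off += flen
    return fields


def decode_phone_history(fields):
    """Map raw field bytes to values using the field table from the post."""
    rec = {}
    for ftype, data in fields.items():
        name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
        if ftype in (5, 10):      # ASCII strings; assumed NUL-terminated
            rec[name] = data.rstrip(b"\x00").decode("ascii", "replace")
        elif ftype == 3:
            rec[name] = bb_date(data)
        elif ftype == 4:
            v = int.from_bytes(data, "little")
            rec[name] = CALL_TYPES.get(v, "UNKNOWN(%d)" % v)
        else:                     # integers of whatever width the field has
            rec[name] = int.from_bytes(data, "little")
    return rec


def iter_records(blob, want_db_id):
    """Walk consecutive IPD records, yielding decoded ones whose DB ID matches.
    Assumption: the 4-byte length covers everything after itself, i.e. the
    7 bytes of version/handle/UID plus all fields."""
    off = 0
    while off + 13 <= len(blob):
        db_id, length = struct.unpack_from("<HI", blob, off)
        version, handle, rec_uid = struct.unpack_from("<BHI", blob, off + 6)
        end = off + 6 + length
        if length < 7 or end > len(blob):
            raise ValueError("bad record length %d at offset %d" % (length, off))
        if db_id == want_db_id:
            rec = decode_phone_history(parse_fields(blob[off + 13:end]))
            rec.update(db_id=db_id, db_version=version, handle=handle,
                       header_uid=rec_uid)
            yield rec
        off = end


def build_record(db_id, rec_uid, fields, version=0, handle=0):
    """Encode a record with the same layout (used only to build test input)."""
    body = b"".join(struct.pack("<HB", len(d), t) + d for t, d in fields)
    rest = struct.pack("<BHI", version, handle, rec_uid) + body
    return struct.pack("<HI", db_id, len(rest)) + rest


def ms(dt):
    return int((dt - EPOCH) / timedelta(milliseconds=1)).to_bytes(8, "little")


# Constructed sample: two Phone History records (DB ID 0x42 is made up) plus
# one record from a different db that the DB-ID filter must skip.
PHONE_HISTORY_DB_ID = 0x42
SAMPLE = (
    build_record(PHONE_HISTORY_DB_ID, 0x1001, [
        (1, b"\x73"), (2, (3).to_bytes(4, "little")),
        (3, ms(datetime(2011, 12, 25, 10, 30, tzinfo=timezone.utc))),
        (4, b"\x01"), (5, b"+15551234567\x00"), (6, b"\xff" * 8),
        (7, (0x77).to_bytes(4, "little")), (8, b"\x01"),
        (9, (0x1001).to_bytes(4, "little")), (10, b"Jane Doe\x00")])
    + build_record(0x10, 0x2002, [(1, b"\x00")])
    + build_record(PHONE_HISTORY_DB_ID, 0x1002, [
        (1, b"\x73"), (3, ms(datetime(2011, 9, 3, 8, 5, tzinfo=timezone.utc))),
        (4, b"\x02"), (5, b"5550000\x00"), (6, b"\x00" * 8), (8, b"\x01"),
        (9, (0x1002).to_bytes(4, "little")), (10, b"\x00")])
)


def parse_sample():
    return list(iter_records(SAMPLE, PHONE_HISTORY_DB_ID))


def not_in_call_logs(history, call_log_numbers):
    """Phone History entries whose number is absent from Call Logs: leads on
    calls the user deleted or that aged out of the 30-day log."""
    return [r for r in history if r.get("phone_number") not in call_log_numbers]
```

On a real IPD, the DB ID to pass is the zero-based position of "Phone History" in the file's database-name table; the parser deliberately does not guess field widths, so it will still decode fields 2, 4 and 7 correctly if their sizes differ from the constructed sample.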
Please drop me an email or a comment if you have anything to share regarding the "Phone History" db.
Update 2012-01-10: Oleg (CTO of Oxygen Forensics) says their next version, coming out next week, will support parsing and displaying the results from this db. Personally, I look forward to this; it is a great tool for smartphone forensics. He also provided new information: field ID 7 is the UID of the contact.
Yogesh - very informative post. I enjoyed the learning opportunity...thank you! Shafik Punja