Friday, March 13, 2009

Blackberry Server Log Analysis

Hello Reader,

        To the end user the blackberry server is what their blackberries get their email from. But there are multiple methods of communication a blackberry is capable of relaying, logging and recovering by an informed investigator.

  1. Email
  2. SMS
  3. Blackberry Messenger
  4. PIN Messaging
  5. Phone Call Log

The blackberry server will create the following type of logs in total:

  • ALRT - BES Alert
  • BBIM - BlackBerry Instant Messenger (4.1)
  • BBUA - BlackBerry User Administration Service (BRK)
  • CBCK - Backup Connector
  • CEXC - Exchange PIM Connector
  • CMNG - Management Connector
  • CTRL - BlackBerry Controller
  • DISP - BlackBerry Dispatcher
  • MAGT - BlackBerry Mailbox Agent (aka BlackBerry Messaging Agent)
  • MDAT - Mobile Data Services
  • MDSS - MDS Services (4.1)
  • MDSS-DISCOVERY - MDS Services (4.1)
  • POLC - Policy Service
  • ROUT - Router
  • SYNC - BlackBerry SyncServer
  • PhoneCallLog (4.1)
  • PINLog (4.1)
  • SMSLog (4.1)


     

(Thanks Wikipedia http://en.wikipedia.org/wiki/BlackBerry_Enterprise_Server)

  1. Email – The blackberry server logs will store when a device connects to the server to pull email and delivers mail and other messages. When you are dealing with a time sensitive issue of did a message get received/sent/deleted from a blackberry these logs may be your best source of evidence if a enough time has passed to let the message be deleted from the blackberry device itself before imaging. Regarding imaging blackberry devices I personally use Paraben's device seizure (found here http://www.paraben-forensics.com/catalog/product_info.php?products_id=405) to do the device acquisition.

    The MAGT log with a name like "<Blackberry server name>_MAGT_01_20090108_0001.txt" will be a listing of every action taking place regarding the delivery of messages/calendar items/etc.. to every blackberry communicating with the server. You will find them in multiple segments per day. This is the place to look if the timing of the delivery/deletion/forwarding of a message from a blackberry is at issue.

  2. SMS – When configured to do so the blackberry server will log into a csv file the following fields:

    "Name.ID,"Email Address","Type of Message","To","From","Callback Phone Number","Body","Send/Received Date","Server Log Date","Overall Message Status","Command","UID"

    With a file name such as "SMSLog_20070927.csv" with one log being created per day.

    The file is written out in utf16 so be aware of that if you to parse it out.


 

  1. Blackberry Messenger – This is a blackberry IM program that according to my current research will not be logged on the server without creating an account to relay all the messages to. Without prior configuration the only way to recover these messages is from the device itself.


 

  1. PIN Messaging – This is the PIN messaging log. PIN Messages are those messages sent between blackberries directly through the blackberry server directed to the PIN assigned to the blackberry by the server. By default the blackberry server will log into a csv the following fields:

    "Name.ID,"PIN","Email Address","Type of Message","To","Cc","Bcc","From","Subject","Body","Send/Received Date","Server Log Date","Overall Message Status","Command","UID"

    With a file name such as "PINLog_20070927.csv" with one log being created per day.

    The file is written out in utf16 so be aware of that if you to parse it out. I'm writing a parser now to dump them all into a mysql database that I will post when I correct a weird multiline message that I've found. Special bonus it's a perl script that correctly handles utf16.


 

  1. Phone Call Log – This is a log of all of the calls being made out of the blackberry devices, note this only applies to calls made on blackberries connected to this blackberry server. This includes missed calls, outgoing calls and incoming calls that I've seen to date. By default the blackberry server will log into a csv the following fields:

    "Name.ID","Type of Call","Name","Phone Number","Start Date","Server Log Date","Elapsed Time","Memo","Command","UID"

    With a file name such as "PhoneCallLog_20070927.csv" with one log being created per day.

    The file is written out in utf16 so be aware of that if you to parse it out.

All of the CSV files will load into excel directly if you import them, otherwise if there is a large number of dates in question I would recommend parsing them into some kind of database so you can pull records by the user's name or PIN.

Depending in the current configuration of the blackberry server after the date in question or the changes you make to a server now in preparation (if you are internal) a large amount of responsive data that the user may not believe exists will be available to you. Don't expect your blackberry admin to be aware of this data existing but make sure to ask for a copy of the log director regardless.