
BlackBerry Messenger (BBM) Forensics

BlackBerry Messenger (BBM) started as the original mobile messaging application geared towards business users and productive consumers. Originally available only on BlackBerry devices, BBM has since gone cross-platform and is now also available to Android and iOS users. This expansion has grown the BBM user-base despite declining consumer interest in BlackBerry devices. Popular in markets beyond just North America, BBM is even the number one mobile chat application in countries such as Indonesia and South Africa.

Forensic analysis of BBM

Analysis on BlackBerry devices can be difficult because of the challenges of imaging them and gaining root access. On Android and iOS, however, the analysis of BBM artifacts is relatively straightforward.

The information is stored in a SQLite database called master.db and can be found in the following locations:

For Android:

/data/data/com.bbm/files/bbmcore/master.db

For iOS:

/private/var/mobile/Applications/%GUID%/Library/bbmcore/master.db

The master.db database contains several tables providing a wealth of information about a user’s BBM contacts, invitations, messages, file transfers and profiles, as well as GPS data if location is enabled on the device. This data is unencrypted on the device and can be viewed with any SQLite viewer. Work from a hashed copy of the extracted file, open it read-only, and collect any -journal or -wal file stored beside it, since SQLite can hold committed data in those files before it reaches master.db itself.

The image below shows a BBM conversation between two parties, including the message content, sent and received timestamps, status, state (whether the message has been delivered, read, and so on), PINs, participants, and any attachments.


BBM for iOS and Android has also recently been updated to include BBM Channels. Previously available only on BlackBerry devices, BBM Channels lets the user subscribe to “channels” of interest, such as a famous person, brand, or organization. Users interact with a channel by posting or responding to comments and questions.


There are various tables located within the master.db file containing details about the channels to which the user has subscribed. Tables Channels, ChannelPosts, and ChannelComments might be of evidentiary value depending on your investigation and certainly warrant a further look.

Recovering BBM artifacts with Internet Evidence Finder (IEF)

As of version 6.3, IEF is able to recover BBM evidence from both iOS and Android devices. IEF parses the master.db database and presents the information to the investigator in the report viewer under categories for BBM Messages, Profiles, and Contacts.


From there, IEF parses the display name, PIN, personal message, last update date/time, profile picture/avatar, location, and time zone details from any profiles and contacts listed in master.db. For each message it recovers, IEF displays the type, status, state, display name, PIN, sent/received date/time, content, conversation ID, participants, and attachments. IEF also carves any message data it finds in unallocated space, recovering potentially valuable details of deleted conversations.
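As an added example (not code from the original post, and not how IEF itself works), the following Python script does by hand what the two passages above describe: it opens a master.db read-only, enumerates its tables, joins messages to sender profiles with converted timestamps, and then carves printable residue out of the raw file so that a deleted message which no longer appears in any query is still recovered. Because the page does not reproduce the real master.db schema, the table and column names (Users, Participants, TextMessages, SentTimestamp and so on), the Unix-seconds timestamp format, and the sample PINs, names and messages are all constructed assumptions; the script builds that sample database itself so it runs offline.

```python
"""Triage a BBM-style master.db with plain SQLite, then carve deleted residue
from the raw file bytes. Added example: the schema and data are constructed."""
import os
import re
import sqlite3
import tempfile
from contextlib import closing
from datetime import datetime, timezone

# ASSUMPTION: the real master.db schema is not reproduced on the page, so these
# table and column names are invented for the demonstration only.
ASSUMED_SCHEMA = (
    "CREATE TABLE Users (Id INTEGER PRIMARY KEY, Pin TEXT, DisplayName TEXT);"
    "CREATE TABLE Participants (ConversationId TEXT, UserId INTEGER);"
    "CREATE TABLE TextMessages (Id INTEGER PRIMARY KEY, ConversationId TEXT,"
    " SenderId INTEGER, SentTimestamp INTEGER, Content TEXT, State TEXT);"
)

DELETED_TEXT = "Delete this thread after reading, meet at the usual place"


def build_sample_db(path=None):
    """Write a constructed sample database: two users, one conversation,
    three messages, then delete the middle one the way a user would."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "master.db")
    conn = sqlite3.connect(path)
    # Keep SQLite's stock behaviour of leaving freed cells in place, which is
    # what lets a carver find deleted rows in the file.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.executescript(ASSUMED_SCHEMA)
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                     [(1, "2B3C4D5E", "Alice"), (2, "6F708192", "Bob")])
    conn.executemany("INSERT INTO Participants VALUES (?, ?)",
                     [("conv-0001", 1), ("conv-0001", 2)])
    conn.executemany("INSERT INTO TextMessages VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "conv-0001", 1, 1394200000, "Are we still on for tonight?", "Read"),
        (2, "conv-0001", 2, 1394200060, DELETED_TEXT, "Read"),
        (3, "conv-0001", 1, 1394200120, "Got it, see you there.", "Delivered"),
    ])
    conn.commit()
    conn.execute("DELETE FROM TextMessages WHERE Id = 2")
    conn.commit()
    conn.close()
    return path


def open_readonly(path):
    """Open the evidence copy read-only so examination cannot alter it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def list_tables(path):
    """First step with an unfamiliar database: enumerate its tables."""
    with closing(open_readonly(path)) as conn:
        return [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]


def dump_messages(path):
    """Join live messages to their senders, resolving timestamps to UTC."""
    with closing(open_readonly(path)) as conn:
        rows = conn.execute(
            "SELECT m.ConversationId, u.DisplayName, u.Pin, m.SentTimestamp,"
            " m.Content, m.State FROM TextMessages AS m"
            " JOIN Users AS u ON u.Id = m.SenderId ORDER BY m.SentTimestamp"
        ).fetchall()
    out = []
    for conv, name, pin, ts, content, state in rows:
        # ASSUMPTION: Unix seconds. Validate the epoch and unit against a known
        # event on the handset before trusting conversions on real evidence.
        sent = datetime.fromtimestamp(ts, tz=timezone.utc)
        out.append({"conversation": conv, "sender": name, "pin": pin,
                    "sent": sent.strftime("%Y-%m-%d %H:%M:%S UTC"),
                    "content": content, "state": state})
    return out


def carve_printable(path, min_len=12):
    """Scan the raw file bytes for printable runs, ignoring SQLite structure.
    Deleted cells stay in page free space until something overwrites them."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def deleted_residue(path, min_len=12):
    """Carved runs that no live row or schema text accounts for: candidates
    for deleted content, to be reviewed by hand."""
    live = set()
    with closing(open_readonly(path)) as conn:
        tables = list_tables(path)
        for table in ["sqlite_master"] + tables:
            for row in conn.execute(f'SELECT * FROM "{table}"'):
                live.update(v for v in row if isinstance(v, str))

    def explained(run):
        if run.startswith("SQLite format"):      # file header, not content
            return True
        if any(t in run for t in tables):        # schema text names its tables
            return True
        # Short live values (a State such as "Read") would mask real residue,
        # so only values of at least 8 characters may explain a run.
        return any(run in v or (len(v) >= 8 and v in run) for v in live)

    return [run for run in carve_printable(path, min_len) if not explained(run)]


if __name__ == "__main__":
    db = build_sample_db()
    print("tables:", list_tables(db))
    for msg in dump_messages(db):
        print(msg)
    print("residue:", deleted_residue(db))
```

Run the script directly to print the tables, the live messages and the carved residue. The string scan is deliberately naive: on a busier database it will also surface fragments of live rows and schema text, which is why the residue list is material for review rather than a verdict, and it finds nothing once a page has been reused or the database was written with secure_delete on.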


Overall, the recovery of BBM artifacts on iOS and Android is a relatively straightforward process and can be quite useful for an investigator dealing with potential mobile chat evidence. IEF is able to parse and carve the most valuable data from the master.db database helping the investigator recover the necessary evidence quickly and efficiently.

As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie.mcquaid(at)magnetforensics(dot)com.

Jamie McQuaid
Forensics Consultant, Magnet Forensics

