Puttering around with BlackBerry forensics — Part 2
Okay then. It apparently takes me a while between posts. I've been keeping busy with several projects and it has been difficult to find the time to conduct much research or write blog posts. I do have an upcoming white-paper that I will release sometime in November. It includes the source code for the toolkit that I will release alongside it. The topic is loosely based on BlackBerry forensics and malware. In this case, however, it won't be on how to find data, but will instead focus on how you can destroy, or introduce large quantities of misleading data into, a device to frustrate and annoy malware controllers and forensic analysts. Probably not going to win many friends in certain circles with this, but at least I can force everyone to change their analysis methods.
Today, girls and boys, we’re going to look at the second utility I released that helps with analyzing BlackBerry data. Behold! ConParse!
ConParse
ConParse is a utility that helps you take a look inside a BlackBerry .con file. The .con file is generated when you choose to back up your BBM contacts on your device. These days, RIM allows you to back up your BlackBerry Messenger (version 5 and above) contacts to some remote location that we will henceforth refer to as the cloud. But if you fancied, you could also back up your BBM contact list to your device memory or SD card. I present the obligatory screenshots below, thereby providing you with both hands and a flashlight. Access the screens by selecting Options from your BlackBerry Messenger application.
Now then. If we take a quick peek inside the .con file, it looks like a right mess of randomly placed hexadecimal bytes and readable text, much like most other binary files. Since not everyone is able to grok raw hex data when they look at it, and because no prior documentation existed for the format, I set out to make sense of this beast. If prior documentation did exist, then will the person who wrote it please speak with their SEO provider? Because you're getting ripped off big time. If you care to dig through my source code, you will find the details of the file structure itself. If looking at badly written source code gives you hives, then I will try to explain it here.
The .con file header is interesting. The first byte tells you the size of a unique string of bytes that follows. So far it has always been 32 bytes. As far as I can tell, this 32-byte string is a signature or hash of your .con file, and its purpose is to ensure that you cannot import .con files belonging to other devices. I haven't bothered reverse engineering the .cod files yet to see what they use to generate this signature. In the tests I did, however, the signature differs each time you generate a backup file, and swapping in a signature from another device's file renders your backup file invalid.
20 C3DCA86024DCCC531A96199327B7F4E7224EF4FF52E7C0978C02C9E5F347D87F 7F80 00 00 70 05
In the byte sequence above (all hex), the first byte (0x20) indicates the size of the signature (32 bytes), and the 32-byte signature follows.
With the signature out of the way, the actual file header begins. The bytes 0x7F 0x80 mark the start of the .con file body. After this, the next 4 bytes, stored big-endian, give the size of the remaining data in the file: here 00 00 70 05 = 0x7005 = 28677 bytes. Everything after those 4 bytes is record data, so a quick sanity check for a file that has been truncated or tampered with is that the declared size matches the number of bytes left in the file.
Immediately after this, the records start. You can find some of the following types of records in a .con file:
- Your name and device PIN
- All your contacts and groups (their PINs, names, custom names you've chosen for them, status messages, etc.)
- Your profile picture
- Timezone and Country flag image filename
- Base64 Code and Hex Code (Haven’t looked at these extensively yet, but could have something to do with an authorization code and/or the string used to generate your QR Code)
00 08 0A 32 31 30 30 30 30 41
The record above is a device PIN record. The first two bytes (big-endian) give the size of the record, the third byte gives the record type (0x0A for a PIN) and the remaining bytes contain the data. Note that the size counts the type byte as well as the data: the 0x0008 above covers the type byte plus the seven ASCII bytes 32 31 30 30 30 30 41 ("210000A"). RIM follows the same principle of storing size and type before data as it did in the IPD databases, so once you have one record's size you know exactly where the next one starts.
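To make the layout above concrete, here is a small parser written for this post's explanation (it is an added example, not ConParse itself). It assumes only what the post describes: a one-byte signature length, the signature, the 7F 80 marker, a 4-byte big-endian data length, and then records of 2-byte big-endian size (counting the type byte), 1-byte type and data. The only record type it names is 0x0A for the device PIN; the sample file is constructed from the signature and PIN record quoted in the post plus one made-up record of type 0x0B, which the post does not define, purely to exercise the unknown-type path. Every size field is bounds-checked, because a backup that has been truncated or deliberately corrupted is exactly the kind of input a forensic tool gets handed.

```python
import struct

# Record types named in the post. 0x0A is the device PIN record shown
# there; the post does not give the numbers for the other record kinds
# (name, contacts, groups, profile picture, timezone, flag filename,
# Base64/Hex codes), so anything else is reported as "unknown".
RECORD_TYPES = {0x0A: "device PIN"}

START_MARKER = b"\x7f\x80"  # marks the start of the .con file body


def parse_con(blob):
    """Parse a BBM .con backup. Returns (signature, declared_length, records).

    Every size field is treated as untrusted and bounds-checked, so a
    truncated or tampered file raises ValueError instead of silently
    producing garbage records.
    """
    if not blob:
        raise ValueError("empty file")
    sig_len = blob[0]                      # first byte: signature length
    pos = 1
    signature = blob[pos:pos + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated signature")
    pos += sig_len
    if blob[pos:pos + 2] != START_MARKER:
        raise ValueError("no 7F 80 start marker at offset %d" % pos)
    pos += 2
    if len(blob) < pos + 4:
        raise ValueError("truncated length field")
    (declared,) = struct.unpack(">I", blob[pos:pos + 4])   # big-endian
    pos += 4
    if len(blob) - pos != declared:
        raise ValueError("header declares %d data bytes, file has %d"
                         % (declared, len(blob) - pos))

    records = []
    while pos < len(blob):
        if len(blob) - pos < 3:            # need size (2) + type (1) at least
            raise ValueError("dangling bytes at offset %d" % pos)
        (size,) = struct.unpack(">H", blob[pos:pos + 2])
        # size counts the type byte plus the data, so it is at least 1
        if size < 1 or pos + 2 + size > len(blob):
            raise ValueError("bad record size %d at offset %d" % (size, pos))
        rtype = blob[pos + 2]
        data = blob[pos + 3:pos + 2 + size]
        records.append((rtype, data))
        pos += 2 + size                    # next record starts right after
    return signature, declared, records


def describe(record):
    """Human-readable one-liner for a (type, data) record."""
    rtype, data = record
    name = RECORD_TYPES.get(rtype, "unknown")
    try:
        shown = data.decode("ascii")
    except UnicodeDecodeError:
        shown = data.hex()
    return "type 0x%02X (%s): %s" % (rtype, name, shown)


# Constructed sample file: the signature and PIN record are the byte
# sequences quoted in the post; the second record (type 0x0B, "Example
# contact") is made up here only to show how an unknown type is reported.
SAMPLE_SIGNATURE = bytes.fromhex(
    "C3DCA86024DCCC531A96199327B7F4E7224EF4FF52E7C0978C02C9E5F347D87F")
PIN_RECORD = bytes.fromhex("00080A32313030303041")
FAKE_DATA = b"Example contact"
FAKE_RECORD = struct.pack(">HB", 1 + len(FAKE_DATA), 0x0B) + FAKE_DATA
SAMPLE_BODY = PIN_RECORD + FAKE_RECORD
SAMPLE_CON = (bytes([len(SAMPLE_SIGNATURE)]) + SAMPLE_SIGNATURE
              + START_MARKER + struct.pack(">I", len(SAMPLE_BODY)) + SAMPLE_BODY)

if __name__ == "__main__":
    sig, declared, recs = parse_con(SAMPLE_CON)
    print("signature:", sig.hex().upper())
    print("declared data length:", declared)
    for rec in recs:
        print(describe(rec))
```

Point it at a real backup with `parse_con(open("contacts.con", "rb").read())`; the bounds checks mean a file whose declared length or record sizes do not add up fails loudly at the offending offset rather than yielding plausible-looking but wrong records.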
That’s it. You’re now a .con file expert. Go forth and dissect the crap out of the file. Use ConParse as a guideline or just use it to parse out .con files at your next party — guaranteed to get you laid.
Here’s another screenshot of the type of output you can expect from ConParse. Admittedly, it is just a couple of steps away from raw hex.