You want the BlackBerry Event Log? beg damnit!

It’s been quite a while since my last post.  I’ve been a bit on the busy side with work, family and a bit of research.  Inspired by a friend and fellow researcher, Cst. Shafik Punja, I decided to look deeper into BlackBerry connectivity via USB.  If I succeeded at understanding this topic, I would be able to connect directly to a BlackBerry device and collect all the information that I wanted.  I wouldn’t be bound by tools like JavaLoader or the Desktop Manager and would have the freedom to write my own tools.  Well, I did succeed at understanding it, and I went a step further: I’m releasing a tool today.

I know that many forensic analysts are always looking for ways to pull data off mobile devices without installing invasive tools.  So I set about coding a tool to do something simple: pull the Event Log from a BlackBerry device (on the device itself, you can open the event log by holding down “ALT” and typing “LGLG”).  Sure, JavaLoader does this too, so to differentiate the tool from JavaLoader, I made it a little more intelligent.  I called it beg – BlackBerry Eventlog Grepper.  beg can add a little bit of sanity to the madness that is the BlackBerry event log.  In other words, it translates the seemingly gibberish data into a more human-friendly format.

Example Event Log Output:

guid:0x3B91E1630F0745BC time:2010/06/30 22:45:40.0 severity:Always Log type:String app:net.rim.tunnel data:Clos-MagicRudyAPN.rim
guid:0x316C1626A9DDC375 time:2010/06/30 22:45:40.0 severity:Always Log type:String app:net.rim.tcp data:clos
guid:0xB2EC7A712090AD8F time:2010/06/30 22:45:46.0 severity:Always Log type:String app:net.rim.smsui data:UTSC
guid:0xB2EC7A712090AD8F time:2010/06/30 22:45:46.0 severity:Always Log type:String app:net.rim.smsui data:UTSC
guid:0xB2EC7A712090AD8F time:2010/06/30 22:45:54.0 severity:Always Log type:String app:net.rim.smsui data:UTSC
guid:0xB2EC7A712090AD8F time:2010/06/30 22:45:54.0 severity:Always Log type:String app:net.rim.smsui data:UTSC
guid:0xB2EC7A712090AD8F time:2010/06/30 22:45:57.0 severity:Always Log type:String app:net.rim.smsui data:UTSC
guid:0x647E5DBBC34B5549 time:2010/06/30 22:46:09.0 severity:Always Log type:String app:net.rim.clock data:+CHG
guid:0xDAA64EAD4E49C5D5 time:2010/06/30 22:46:09.0 severity:Always Log type:String app:net.rim.usb.pwd data:CbCn
guid:0x5D41D4729582C2DA time:2010/06/30 22:46:09.0 severity:Always Log type:String app:RootRegister data:usbConnectionStateChange:1
I started by looking at the phone calls that are written to the event log.  One thing you may notice from the event log is this: if you delete a call from your call history, the event log does not delete it.  So if someone pulls the event log, a deleted call is still there and the owner is caught in a lie.  I know that my friend in Law Enforcement would find this invaluable, so I started there.  For now, beg is able to dump the event log, dump only the phone event log entries, and translate the phone entries into something more readable.  The output looks something like this:
sheran@devbox:~/progs$ ./beg -p -r
Connected to 20fe2f60
2010/06/30 21:07:55.0: Incoming Call from +622157939018
2010/06/30 22:29:19.0: Outgoing Call to 02114045
2010/06/30 22:30:37.0: Outgoing Call to +628119917931
2010/06/30 22:41:54.0: Outgoing Call to +6281219684934
2010/06/30 22:53:27.0: Outgoing Call to +6281219684934
sheran@devbox:~/progs$
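As an added example (not beg’s own source, which this post does not reproduce), here is a small Python parser for the event log format shown in the first listing above, with the grep-style filtering that beg’s name refers to. The field layout (guid, time, severity, type, app, data) is taken from the sample lines on this page; the prefix-match semantics for app names and the reading of the value after usbConnectionStateChange: as an integer state are my assumptions. The raw phone-call records that beg translates into “Incoming Call from …” lines are not shown on the page, so that translation step is not reproduced here.

```python
"""Parse BlackBerry event-log text of the layout shown in the post and grep it.

Added example, not beg's source. The record layout is inferred solely from the
sample lines reproduced on the page: guid, time, severity, type, app, data.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the lines the post shows as raw event log output.
SAMPLE_LOG = """\
guid:0x3B91E1630F0745BC time:2010/06/30 22:45:40.0 severity:Always Log type:String app:net.rim.tunnel data:Clos-MagicRudyAPN.rim
guid:0x316C1626A9DDC375 time:2010/06/30 22:45:40.0 severity:Always Log type:String app:net.rim.tcp data:clos
guid:0xB2EC7A712090AD8F time:2010/06/30 22:45:46.0 severity:Always Log type:String app:net.rim.smsui data:UTSC
guid:0xB2EC7A712090AD8F time:2010/06/30 22:45:46.0 severity:Always Log type:String app:net.rim.smsui data:UTSC
guid:0xB2EC7A712090AD8F time:2010/06/30 22:45:54.0 severity:Always Log type:String app:net.rim.smsui data:UTSC
guid:0xB2EC7A712090AD8F time:2010/06/30 22:45:54.0 severity:Always Log type:String app:net.rim.smsui data:UTSC
guid:0xB2EC7A712090AD8F time:2010/06/30 22:45:57.0 severity:Always Log type:String app:net.rim.smsui data:UTSC
guid:0x647E5DBBC34B5549 time:2010/06/30 22:46:09.0 severity:Always Log type:String app:net.rim.clock data:+CHG
guid:0xDAA64EAD4E49C5D5 time:2010/06/30 22:46:09.0 severity:Always Log type:String app:net.rim.usb.pwd data:CbCn
guid:0x5D41D4729582C2DA time:2010/06/30 22:46:09.0 severity:Always Log type:String app:RootRegister data:usbConnectionStateChange:1
"""

# One record per line. The severity value can contain a space ("Always Log")
# and the data field runs to the end of the line, so splitting on whitespace
# would break; anchor on each key name instead.
RECORD_RE = re.compile(
    r"^guid:(?P<guid>0x[0-9A-Fa-f]+) "
    r"time:(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"severity:(?P<severity>.+?) "
    r"type:(?P<type>\S+) "
    r"app:(?P<app>\S+) "
    r"data:(?P<data>.*)$"
)
TIME_FORMAT = "%Y/%m/%d %H:%M:%S.%f"  # %f accepts the single digit the log writes


def parse_event_log(text, strict=False):
    """Turn event log text into a list of dicts, one per record.

    Lines that do not match the layout (a tool banner such as
    "Connected to ...") are skipped, or raise ValueError when strict=True.
    """
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if not m:
            if strict:
                raise ValueError(f"line {lineno}: not an event log record: {line!r}")
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["time"], TIME_FORMAT)
        records.append(rec)
    return records


def grep(records, app=None, data=None):
    """Filter by app-name prefix (assumption: dotted names nest) and/or a
    substring of the data field; either filter may be omitted."""
    return [
        r for r in records
        if (app is None or r["app"].startswith(app))
        and (data is None or data in r["data"])
    ]


def usb_state_changes(records):
    """Return (time, state) for RootRegister usbConnectionStateChange entries.

    The page shows the value 1 logged when the device is on USB; treating the
    suffix as an integer state is an assumption, not documented behaviour.
    """
    out = []
    for r in grep(records, app="RootRegister", data="usbConnectionStateChange:"):
        state = r["data"].split(":", 1)[1]
        out.append((r["time"], int(state)))
    return out


def app_histogram(records):
    """Count records per app, a quick way to see what is noisy in a dump."""
    return Counter(r["app"] for r in records)


if __name__ == "__main__":
    recs = parse_event_log(SAMPLE_LOG)
    for app, n in app_histogram(recs).most_common():
        print(f"{n:4d}  {app}")
    for t, s in usb_state_changes(recs):
        print(f"{t}: usbConnectionStateChange -> {s}")
```

Run it as-is to see the per-app counts for the sample, or feed it a real dump via `parse_event_log(open(path).read())`; `grep(recs, app="net.rim.usb")` is the equivalent of narrowing a dump to one subsystem the way the `-p` switch narrows it to phone entries.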

Inner workings

First, I’d like to quickly go over the two main ways that you can connect to your BlackBerry device.  One of the initial methods I used was to write a Python script that took advantage of the libusb and PyUSB libraries.  I would then send raw commands back and forth.  These commands were sniffed from legitimate connections made between the BlackBerry and either JavaLoader or Desktop Manager.  The second method was to use an already existing library called Barry.  Barry was developed to allow Linux users to sync their BlackBerry devices on Linux.  Since most of the work was already done, I decided to go with the second method and use the Barry library.  So bear in mind that you will need to install the Barry library and its prerequisites first.
To use beg, just download it and extract the tar.gz into a folder.  Then, have a look through the README file.  It contains everything you would ever need to know.  For the moment, beg only works on Linux distributions and requires the Barry and libusb libraries.  Support can always be found by getting in touch via the Contact page.

2 Responses to You want the BlackBerry Event Log? beg damnit!

  1. Shafik says:

    Outstanding job Sheran!!! Keep up the great work! ~Shafik

  2. Jojhansegovia says:

    Impressive, my friend… keep up your work… I’m a loyal follower of yours from Venezuela…
