CN106844106A - A method for parsing a BlackBerry backup file - Google Patents

A method for parsing a BlackBerry backup file

Info

Publication number
CN106844106A
Authority
CN
China
Prior art keywords
file
record
data
content
blackberry
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710066898.6A
Other languages
Chinese (zh)
Other versions
CN106844106B (en)
Inventor
黄旭
赵飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SICHUAN MWH INFORMATION SAFETY TECHNOLOGY Co Ltd
Original Assignee
SICHUAN MWH INFORMATION SAFETY TECHNOLOGY Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by SICHUAN MWH INFORMATION SAFETY TECHNOLOGY Co Ltd
Priority to CN201710066898.6A
Publication of CN106844106A
Application granted
Publication of CN106844106B
Active
Anticipated expiration

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14Error detection or correction of the data by redundancy in operation
    • G06F11/1402Saving, restoring, recovering or retrying
    • G06F11/1446Point-in-time backing up or restoration of persistent data
    • G06F11/1448Management of the data involved in backup or backup restore
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14Error detection or correction of the data by redundancy in operation
    • G06F11/1402Saving, restoring, recovering or retrying
    • G06F11/1446Point-in-time backing up or restoration of persistent data
    • G06F11/1458Management of the backup or restore process
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10File systems; File servers
    • G06F16/16File or folder operations, e.g. details of user interfaces specifically adapted to file systems

Abstract

The invention discloses a method for parsing a BlackBerry backup file, characterized by comprising the following steps. S1: decompress the backup file of the BlackBerry phone to generate the manifest file Manifest.xml and the data folder Databases, where the data folder Databases contains the data files of all applications on the BlackBerry phone. S2: open the manifest file Manifest.xml to obtain the management information of the applications needed for the data folder Databases; the management information includes the owner identifier uid, the record number and the application name of each application. S3: obtain the corresponding owner identifier uid from the application name and, according to that uid, find and open the corresponding data file in the data folder Databases. S4: parse the data file, including the short message file, the contact file and the call history file. The invention solves the problem that the prior art cannot parse BlackBerry backup files and provides an effective method for data recovery and mobile phone forensics on BlackBerry phones.

Description

A method for parsing a BlackBerry backup file
Technical field
The invention belongs to the field of data recovery and electronic forensics. It relates to mobile phone data recovery and mobile phone forensics, and more particularly to a method for parsing a BlackBerry backup file.
Background
As mobile communication technology keeps developing, mobile phones are used ever more widely. However, criminal activities carried out with mobile phones, such as fraud, defamation and forgery, have also become common, and mobile phone data recovery and mobile phone forensics are one of the effective means of combating this kind of crime.
Mobile phone forensics is the process of collecting, preserving and analyzing the related electronic evidence from the phone's SIM card, the phone's internal and external memory cards and the mobile network operator's databases, and finally obtaining from it evidence that has legal effect and can be accepted by a court. In recent years, criminal activities such as fraud, defamation and forgery carried out with mobile phones have become increasingly rampant, so research into mobile phone data recovery and mobile phone forensics technology has become very urgent.
BlackBerry phones differ from phones that run operating systems such as Symbian, Windows Mobile or iOS: their encryption is stronger and they are more secure. In addition, the BlackBerry mobile e-mail device is based on two-way paging technology and provides an integrated solution for enterprise mobile working. Its greatest convenience is the mail push function: the mail server actively pushes received mail to the user's phone, so the user does not need to connect to the network repeatedly to check for new mail. Up to now, however, the prior art has offered no method for effectively parsing BlackBerry backup files.
Summary of the invention
In view of the shortcomings of the prior art and the problem described above, the invention proposes a method for parsing a BlackBerry backup file. By parsing the data files of the applications in the data folder Databases, the data of all applications on the BlackBerry phone can be parsed, including the short message file, the contact file and the call history file, which solves the problem that the prior art cannot effectively parse BlackBerry backup files. The method comprises the following steps:
S1: Decompress the backup file of the BlackBerry phone to generate the manifest file Manifest.xml and the data folder Databases; the data folder Databases contains the data files of all applications on the BlackBerry phone;
S2: Open the manifest file Manifest.xml to obtain the management information of the applications needed for the data folder Databases; the management information includes the owner identifier uid, the record number and the application name of each application;
S3: Obtain the corresponding owner identifier uid from the application name and, according to that uid, find and open the corresponding data file in the data folder Databases;
S4: Parse the data file, including the short message file, the contact file and the call history file.
Preferably, the backup file is a file with the suffix bbb, and the data files are hexadecimal dat files.
Preferably, the data files have the same data structure.
Preferably, step S4 comprises the following steps:
S4011: Open the data file;
S4012: Parse the file header, content identifier and application name of the data file: the first 40 bytes of the data file are a fixed file header, which is 496E746572406374697665205061676572204261636B75702F526573746F72652046696C650A0200; the content of bytes 41 and 42 is the content identifier; the content of bytes 43 and 44 is the length of the application name; the content starting at byte 45 is the application name, whose length is the application name length;
S4013: Parse the fields in the data file: a field consists of an identifier, a field length and the field content. The 2 bytes that follow the application name are the identifier, the 4 bytes after the identifier are the field length, and the content after the field length is the field content, whose length is the field length. The data file contains one or more such fields, and the fields have the same data structure;
S4014: Parse the records in the field: the first 7 bytes of each field's content are padding bytes, and after the padding bytes come one or more records that share the same data structure. Each record consists of a record length, a record tag and the record content; the record length occupies 2 bytes, the record tag occupies 1 byte, and the length of the record content is the record length. In the data file corresponding to the short message file, the record tags and record content of the records are shown in Table 1:
Table 1: Record tags and record content of the short message file
Record tag (hexadecimal) | Record content (hexadecimal)
01 | SMS receive time in Java format
02 | Telephone number
04 | Short message content
07 | Empty
09 | Empty
0B | 00000000 means received, 01000100 means sent
0C | Empty
0F | Empty
In the data file corresponding to the contact file, the record tags and record content of the records are shown in Table 2:
Table 2: Record tags and record content of the contact file
In the data file corresponding to the call history file, the record tags and record content of the records are shown in Table 3.
Table 3: Record tags and record content of the call history file
Compared with the prior art, the beneficial effect of the invention is that it solves the problem that the prior art cannot effectively parse BlackBerry backup files and provides an effective method for data recovery and mobile phone forensics on BlackBerry phones.
Brief description of the drawings
Fig. 1 is the main flow chart of the invention.
Fig. 2 is the data structure diagram of the manifest file Manifest.xml in the invention.
Fig. 3 is the flow chart for parsing a data file in the invention.
Fig. 4 is the data structure diagram of the file header, content identifier and application name in a data file.
Fig. 5 is the data structure diagram of a field in a data file.
Fig. 6 is the data structure diagram of the records of the short message file.
Fig. 7 is the data structure diagram of the short message content of the short message file.
Detailed description
The invention is further described below with reference to the drawings and an embodiment.
As shown in Fig. 1, a method for parsing a BlackBerry backup file comprises the following steps:
S1: The backup file of a BlackBerry phone is a file with the suffix bbb. Rename the suffix .bbb to .zip and decompress the backup file to generate the manifest file Manifest.xml and the data folder Databases. The folder Databases contains the data files of all applications on the BlackBerry phone; these data files are hexadecimal dat files;
S2: Open the manifest file Manifest.xml to obtain the management information of the applications needed for the data folder Databases. As shown in Fig. 2, the management information includes the owner identifier uid, the record number and the application name of each application;
S3: Obtain the corresponding owner identifier uid from the application name and, according to that uid, find and open the corresponding data file in the data folder Databases. For example, for the application name Phone History, the corresponding owner identifier uid found in the manifest file Manifest.xml is 18, so the data file named 18.dat is found and opened in the data folder Databases;
S4: Parse the data files, including the short message file, the contact file and the call history file. Taking the data file of the short message file as an example, step S4 comprises the following steps, as shown in Fig. 3:
S401: According to the manifest file Manifest.xml, look up the application name "SMS Messages" and find that the corresponding owner identifier uid is 85, then find and open the data file 85.dat in the data folder Databases;
S402: Parse the file header, content identifier and application name of the data file 85.dat: as shown in Fig. 4, the first 40 bytes of the data file 85.dat are a fixed file header, which is 496E746572406374697665205061676572204261636B75702F526573746F72652046696C650A0200; the content of bytes 41 and 42 is the content identifier 0x0100; the content of bytes 43 and 44 is the length of the application name, 0x0D00; the content starting at byte 45 is the application name, shown as "SMS Messages" in the interpretation column on the right of Fig. 4, and its length is the application name length 0x0D00, i.e. 13 bytes;
S403: Parse the fields in the data file 85.dat: as shown in Fig. 5, a field consists of an identifier, a field length and the field content. The 2 bytes that follow the application name, 0x5500, are the identifier; the 4 bytes after the identifier, 0xA1000000, are the field length; the content after the field length is the field content, marked by the black frame in Fig. 5, and its length is the field length 0xA1000000, i.e. 161 bytes. In general, a data file contains one or more fields, and every field has the same data structure;
S404: Parse the records in the field: as shown in Fig. 6, the first 7 bytes of each field's content are padding bytes; in this embodiment the padding bytes are 0x051705B6022C48. After the padding bytes come one or more records that share the same data structure, and each record consists of a record length, a record tag and the record content. The record length occupies 2 bytes and its content is 0x4000; the record tag occupies 1 byte and its content is 0x01; the length of the record content is the record length 0x4000, i.e. 64 bytes. Here the record tag 0x01 denotes the SMS time, in Java format, of the short message; the 64 bytes of content after the record tag 0x01 are the SMS time, and as shown by the data interpreter in Fig. 6, the SMS time is 2014/07/18 14:32:29;
In addition, as shown in Fig. 6, the record tag 0x0B denotes the send/receive flag of the short message. The 2 bytes before it, 0x0400, indicate that the send/receive flag is 4 bytes long, and the 4 bytes after it are the send/receive flag 0x01000100, which indicates that the short message is a sent message;
Next, as shown in Fig. 6, the record tag 0x02 denotes the telephone number. The 2 bytes before it, 0x1300, indicate that the telephone number is 19 bytes long, and the 19 bytes after it are 0x000000002B38363135393038313432353433001000100, which indicates that the telephone number is +8615908142543;
Finally, as shown in Fig. 7, the record tag 0x04 denotes the short message content. The 2 bytes before it, 0x0400, indicate that the short message content is 4 bytes long, and the 4 bytes after it are 0x4F60597D; as shown in the interpretation column on the right of Fig. 7, the short message content is "hello";
For the short message file 85.dat, the record tags and record content that can be parsed from its records are shown in Table 1:
Table 1: Record tags and record content of the short message file
Record tag (hexadecimal) | Record content (hexadecimal)
01 | SMS time in Java format
02 | Telephone number
04 | Short message content
07 | Empty
09 | Empty
0B | 00000000 means received, 01000100 means sent
0C | Empty
0F | Empty
Because the data files of a BlackBerry phone have the same data structure, the data files of other applications can be parsed by the same method. For the data file 34.dat corresponding to the contact file, the record tags and record content that can be parsed from its records are shown in Table 2:
Table 2: Record tags and record content of the contact file
Similarly, for the data file 18.dat corresponding to the call history file, the record tags and record content that can be parsed from its records are shown in Table 3.
Table 3: Record tags and record content of the call history file
It should be understood that the invention is not limited to the above examples. Those of ordinary skill in the art can make improvements or changes based on the above description, and all such improvements and changes shall fall within the scope of protection of the appended claims of the invention.
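The layout in steps S402 to S404, as an added example (not code from the patent): a bounds-checked Python parser run over a constructed 85.dat-style byte string. Little-endian integers, the NUL-terminated name, the 4-byte prefix before the phone digits and UTF-16 big-endian message text are assumptions inferred from the byte values quoted above, and all function names are hypothetical.

```python
import struct

# 40-byte file header quoted in step S402.
HEADER = bytes.fromhex(
    "496E746572406374697665205061676572204261636B75702F"
    "526573746F72652046696C650A0200"
)
PADDING_LEN = 7  # S404: the first 7 bytes of every field's content


def take(buf, pos, n, what):
    """Return (buf[pos:pos+n], new position); never read past the end."""
    if pos + n > len(buf):
        raise ValueError(f"truncated {what} at offset {pos}")
    return buf[pos:pos + n], pos + n


def parse_records(field_content):
    """S404: skip the padding, then read length(2) / tag(1) / content records."""
    _, pos = take(field_content, 0, PADDING_LEN, "padding")
    records = []
    while pos < len(field_content):
        head, pos = take(field_content, pos, 3, "record header")
        length, tag = struct.unpack("<HB", head)  # assumed little-endian: 0x4000 -> 64
        content, pos = take(field_content, pos, length, "record content")
        records.append((tag, content))
    return records


def parse_dat(data):
    """S402-S403: return (application name, [(identifier, records), ...])."""
    if data[:40] != HEADER:
        raise ValueError("bad file header")
    fixed, pos = take(data, 40, 4, "content identifier and name length")
    _content_id, name_len = struct.unpack("<HH", fixed)  # bytes 41-42 and 43-44
    raw_name, pos = take(data, pos, name_len, "application name")
    name = raw_name.rstrip(b"\x00").decode("ascii", "replace")
    fields = []
    while pos < len(data):
        head, pos = take(data, pos, 6, "field header")
        ident, field_len = struct.unpack("<HI", head)  # 2-byte identifier, 4-byte length
        content, pos = take(data, pos, field_len, "field content")
        fields.append((ident, parse_records(content)))
    return name, fields


def decode_sms(records):
    """Turn the Table 1 tags of one SMS field into readable values."""
    flags = {bytes.fromhex("00000000"): "received", bytes.fromhex("01000100"): "sent"}
    msg = {}
    for tag, content in records:
        if tag == 0x02:    # assumption: 4 prefix bytes, then ASCII digits, then NUL
            msg["phone_number"] = content[4:].split(b"\x00")[0].decode("ascii", "replace")
        elif tag == 0x04:  # assumption: UTF-16 big-endian (4F60597D is two code units)
            msg["content"] = content.decode("utf-16-be", "replace")
        elif tag == 0x0B:  # Table 1: 00000000 received, 01000100 sent
            msg["direction"] = flags.get(content, "unknown")
    return msg


def record(tag, content):
    """Build one record for the constructed sample below."""
    return struct.pack("<HB", len(content), tag) + content


# Constructed sample, not a real backup: it reuses the byte values quoted in the
# embodiment; the 19-byte phone record is rebuilt from the stated length and number.
PHONE = bytes(4) + b"+8615908142543\x00"
FIELD = (bytes.fromhex("051705B6022C48")
         + record(0x0B, bytes.fromhex("01000100"))
         + record(0x02, PHONE)
         + record(0x04, bytes.fromhex("4F60597D"))
         + record(0x07, b""))
SAMPLE = (HEADER + bytes.fromhex("0100") + struct.pack("<H", 13) + b"SMS Messages\x00"
          + struct.pack("<HI", 0x55, len(FIELD)) + FIELD)

if __name__ == "__main__":
    app_name, parsed_fields = parse_dat(SAMPLE)
    for ident, recs in parsed_fields:
        print(app_name, ident, decode_sms(recs))
```

Every length field is checked against the remaining bytes before it is used, so a truncated or corrupted data file raises ValueError instead of silently yielding a short record.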

Claims (4)

1. A method for parsing a BlackBerry backup file, characterized by comprising the following steps:
S1: Decompress the backup file of the BlackBerry phone to generate the manifest file Manifest.xml and the data folder Databases; the data folder Databases contains the data files of all applications on the BlackBerry phone;
S2: Open the manifest file Manifest.xml to obtain the management information of the applications needed for the data folder Databases; the management information includes the owner identifier uid, the record number and the application name of each application;
S3: Obtain the corresponding owner identifier uid from the application name and, according to that uid, find and open the corresponding data file in the data folder Databases;
S4: Parse the data file, including the short message file, the contact file and the call history file.
2. The method for parsing a BlackBerry backup file according to claim 1, characterized in that the backup file is a file with the suffix bbb, and the data files are hexadecimal dat files.
3. The method for parsing a BlackBerry backup file according to claim 2, characterized in that the data files have the same data structure.
4. The method for parsing a BlackBerry backup file according to claim 3, characterized in that, in step S4, parsing the data file comprises the following steps:
S401: Open the data file;
S402: Parse the file header, content identifier and application name of the data file: the first 40 bytes of the data file are a fixed file header, which is 496E746572406374697665205061676572204261636B75702F526573746F72652046696C650A0200; the content of bytes 41 and 42 is the content identifier; the content of bytes 43 and 44 is the length of the application name; the content starting at byte 45 is the application name, whose length is the application name length;
S403: Parse the fields in the data file: a field consists of an identifier, a field length and the field content. The 2 bytes that follow the application name are the identifier, the 4 bytes after the identifier are the field length, and the content after the field length is the field content, whose length is the field length. The data file contains one or more such fields, and the fields have the same data structure;
S404: Parse the records in the field: the first 7 bytes of each field's content are padding bytes, and after the padding bytes come one or more records that share the same data structure. Each record consists of a record length, a record tag and the record content; the record length occupies 2 bytes, the record tag occupies 1 byte, and the length of the record content is the record length. In the data file corresponding to the short message file, the record tags and record content of the records are shown in Table 1:
Table 1: Record tags and record content of the short message file
Record tag (hexadecimal) | Record content (hexadecimal)
01 | SMS receive time in Java format
02 | Telephone number
04 | Short message content
07 | Empty
09 | Empty
0B | 00000000 means received, 01000100 means sent
0C | Empty
0F | Empty
In the data file corresponding to the contact file, the record tags and record content of the records are shown in Table 2:
Table 2: Record tags and record content of the contact file
In the data file corresponding to the call history file, the record tags and record content of the records are shown in Table 3.
Table 3: Record tags and record content of the call history file
CN201710066898.6A 2017-02-06 2017-02-06 Method for analyzing backup file of blackberry mobile phone Active CN106844106B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710066898.6A CN106844106B (en) 2017-02-06 2017-02-06 Method for analyzing backup file of blackberry mobile phone

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710066898.6A CN106844106B (en) 2017-02-06 2017-02-06 Method for analyzing backup file of blackberry mobile phone

Publications (2)

Publication Number Publication Date
CN106844106A true CN106844106A (en) 2017-06-13
CN106844106B CN106844106B (en) 2021-02-26

Family

ID=59121994

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710066898.6A Active CN106844106B (en) 2017-02-06 2017-02-06 Method for analyzing backup file of blackberry mobile phone

Country Status (1)

Country Link
CN (1) CN106844106B (en)

Also Published As

Publication number Publication date
CN106844106B (en) 2021-02-26


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 641000 Sichuan province Neijiang City Songshan Road No. 253

Applicant after: Sichuan Miwu Traceless Science and Technology Co.,Ltd.

Address before: 641000 Sichuan province Neijiang City Songshan Road No. 253

Applicant before: SICHUAN MWH INFORMATION SECURITY TECHNOLOGY Co.,Ltd.

GR01 Patent grant