Hello,
Here is the phone I am investigating
Blackberry Tour 9630
v5.0 Bundle 1600
BACKGROUND
Analysis goal is to recover deleted emails and/or text messages and possibly determine when emails/texts were deleted.
1. The phone came to me with no emails nor text messages.
2. I used Blackberry Desktop software to create a backup of the phone.
3. I used Elcomsoft's Blackberry Explorer to examine the backup.
4. I then used Chimera Tool to root the phone.
5. I used FTK Imager to create an image of the phone.
6. I used Forensic Explorer to carve the image, which allowed me to recover around 60 deleted photos but no email and no text messages.
Elcomsoft's tool found a "Recipient Cache" with about 130 email addresses in the cache.
RIM says the Recipient Cache is a "list is populated with contacts from the Address Book and contacts that the BlackBerry smartphone user has recently communicated with or communicates with at a high frequency." (SOURCE http//
QUESTIONS
1. Does anyone know which specific file stores the Recipient Cache? I created a full text index in Forensic Explorer to search for emails Elcomsoft recovered from the Recipient Cache but am getting no positive hits.
2. Is anyone familiar with how the Recipient Cache is structured and what data points if any are contained in the cache?
did you ever get a reply to your question?
I have a similar task to retrieve deleted SMS with no luck, or responses..
No responses.
If you are interested in providing forensic phone extraction and drive imaging on a sub-contractor basis, please PM or call me.
Regards,
Larry