I'm attempting to locate some SMS text from a Physical extraction of a blackberry bold 9780 using the latest version of Cellebrite PA. I'm trying to figure out how some of the extracted text messages are encoded though, so I can do a keyword search. Here is an example of a text that has already been parsed out.

Parsed text is:
Let me know when we can have a phone conversation.

In Hex, this phrase is stored as:

03 29 00 17 32 A4 8C 4F 28 DB 69 84 E7 23 C6 41 0F B7 8E 31 EA 76 FB 6E 4C 2B 0E B8 70 75 CE 25 DC 1D 0C 00 00 00 03 29



Other text messages are stored in plain ASCII but I can't figure out what the pattern is, as it appears that both sent and inbox messages are encoded either way. Usually I can sweep the parsed text messages, and look up in the values tab to see how the message is encoded. Most times it's some form of 7Bit PDU encoding.

Is there something else I should be looking for to properly decode this?

Any insight is appreciated!  

It is my understanding that BB sometimes uses some sort of compression when it transmits data back and forth. I was told that they do this to minimize the size of data being transmitted. With that said, I do not know why this sometimes happens and other times it doesn't. I also do not know what kind of algorithm is being used. If I had to make an educated hypothesis, I would surmise that it is likely proprietary, knowing RIM.

I have learned this through my contacts and friends from the Northland (Canada), who see BBs much more than we do.

This may be what you are seeing. Just a thought.

Tim Moniot
Detective, Las Vegas Metro Police Department
Instructor - TeelTech  

it is indeed the case and also in some cases they are also encrypted  

Interesting.. thanks for the replies everyone.

So RonS, I'm not sure if you can speak to this, but is there a publicly released method for identifying some of these texts? I've been asked to see if I can find fragments of deleted texts, but I'm not getting any hits, even on keywords that are in allocated SMS already parsed. So I can't do a proper search not knowing how the texts are encoded. Are you able to speak to how Cellebrite PA identifies SMS and decodes it, so that I can attempt to do it myself within Cellebrite PA? I'd understand if you can't release that info.

Thanks.  

You are correct. I can't.