Hello all,
I have recently been analyzing a few blackberry devices using oxygen, paraben, and mpe+ for cross verification. I have been looking at the event logs for activity but after searching the web for hours I can't find a guide for exact meanings of events in these logs. For example, I have an entry that states "RIM_DRM_WIPE_EXPIRED EXECUTED SUCCESSFULLY". I assume this means a device wipe occurred but the term "expired" was bothering me. Have been looking for some sort of references or documentation on blackberry event logs but have come up empty. I even called blackberry support and they did not have an answer for me. I assume the logs are for development purposes but if anyone has come across this problem and can aid in the translation of these events it would be much appreciated. Thanks in advance.
its a blackberry torch 9810 by the way
I believe the "DRM" is the key to this puzzle. It probably has something to do with deleting licensing files or the media files themselves.
FYI, regular methods to extract BB event logs provide a relatively short period of time of this log (few days if not less).
Event log that is extracted from a physical BB extraction can get months of such BB event log history.
Cellebrite UFED PA has a dedicated plugin to extract the BB event log from physical extractions.
Hope this helps.
Ron
Ron,
Thanks RON. I had access to the UFED for a limited time but no longer have it as a tool. The UFED is head and shoulders above every other tool I have used. These event logs are in the time frame I am interested in but I am not able to definitively come to a conclusion on the meaning of the events. I can assume the meaning of some, but it seems there is no documentation that can confirm my assumptions unfortunately.