What did they take when they left? Part 1 - Detecting CD Burning

Dear Reader,

We've been discussing server level analysis for the last couple posts but there is plenty to talk about on the desktop. This will be a multi part series discussing different artifacts that we can recover that give us provable facts regarding a user's activity. It is easy to speculate on actions based on speculative data such as access data or related files or dll's accessed on a system but it is always better to rely on a repeatable process that creates a specific artifact each time to explain a user's action.

We only do cases that either lead to civil litigation or are in the process of civil litigation (no criminal work). One of our most common requests is the question, before this employee left did they take any documents with them. There are several places on a system we check to determine if a user has taken a document from the system in some fashion (CD, USB Drive, Emailed out, printed, etc…) and in this post we will discuss how to determine if a user has burned a CD. If you are examining a Windows XP or Windows Server 2003 (I have not been able to test this on Vista or server 2008 yet) image then the system event log will contain eventids 7036 and 7035 as it was generated by the Service Control Manager and will contain in the description a string starting with The IMAPI CD-Burning Service. There will be one such set of entries showing the service starting and stopping on each reboot but any entry not close to a reboot will indicate that a CD is being burned from this system.

An example of a burning entry, yes my machine is named HOSS:

12/11/2008		3:04:13 PM	Service Control Manager	Information	None	7036	N/A
12/11/2008		3:04:13 PM	Service Control Manager	Information	None	7035	NT AUTHORITY\SYSTEM
12/11/2008		3:04:22 PM	Service Control Manager	Information	None	7036	N/A
HOSS	The IMAPI CD-Burning COM Service service entered the running state.
HOSS	The IMAPI CD-Burning COM Service service was successfully sent a start control.
HOSS	The IMAPI CD-Burning COM Service service entered the stopped state.

Sorry for the bad editing here, the full row will not fit in this blog template. The line starts with the date and then continues in the block below. There is one date for each of the IMAPI entries.

If those three entries are not part of a reboot/startup sequence then you have found a user burning a CD. These entries do not have to be in uninterrupted sequence as you see here, but there should be a start and a stop to show a successful burn. This is not just for CDs burned by Windows directly, third party applications will also call this service when burning a CD. You can estimate the size of the data burned to the disk by determining the number of minutes spent burning (the time between the start and stop of the service) multiplied by the write speed of the CDROM. This also applies to DVDs.

I will not discuss how to determine if a CD was accessed in this post as that is material for Part 2 – What was accessed from external drives.

Update: As per the comments below, more activities than just booting and burning will cause these event log entries to show up. I will be doing some more testing to find a better answer.

The Glycemic Index: A Critical Evaluation

The glycemic index (GI) is a measure of how much an individual food elevates blood sugar when it's eaten. To measure it, investigators feed a person a food that contains a fixed amount of carbohydrate, and measure their blood glucose response over time. Then they determine the area under the glucose curve and compare it to a standard food such as white bread or pure glucose.

Each food must contain the same total amount of carbohydrate, so you might have to eat a big plate of carrots to compare with a slice of bread. You end up with a number that reflects the food's ability to elevate glucose when eaten in isolation. It depends in large part on how quickly the carbohydrate is digested/absorbed, with higher numbers usually resulting from faster absorption.

The GI is a standby of modern nutritional advice. It's easy to believe in because processed foods tend to have a higher glycemic index than minimally processed foods, high blood sugar is bad, and chronically high insulin is bad. Yet many people have criticized the concept.  Why?

Blood sugar responses to a carbohydrate-containing foods vary greatly from person to person. For example, I can eat a medium potato and a big slice of white bread (roughly 60 g carbohydrate) with nothing else and only see a modest spike in my blood sugar. I barely break 100 mg/dL and I'm back at fasting glucose levels within an hour and a half. You can see a graph of this experiment here. That's what happens when you have a well-functioning pancreas and insulin-sensitive tissues. Your body shunts glucose into the tissues almost as rapidly as it enters the bloodstream. Someone with impaired glucose tolerance might have gone up to 170 mg/dL for two and a half hours on the same meal.

The other factor is that foods aren't eaten in isolation. Fat, protein, acidity and other factors slow carbohydrate absorption in the context of a normal meal, to the point where the GI of the individual foods become much less pronounced.

Researchers have conducted a number of controlled trials comparing low-GI diets to high-GI diets. I've done an informal literature review to see what the overall findings are. I'm only interested in long-term studies-- 10 weeks or longer-- and I've excluded studies using subjects with metabolic disorders such as diabetes.  

The question I'm asking with this review is, what are the health effects of a low-glycemic index diet on a healthy normal-weight or overweight person? I found a total of seven studies on PubMed in which investigators varied GI while keeping total carbohydrate about the same, for 10 weeks or longer. I'll present them out of chronological order because they flow better that way.  

One issue with this literature that I want to highlight before we proceed is that most of these studies weren't properly controlled to isolate the effects of GI independent of other factors.  Low GI foods are often whole foods with more fiber, more nutrients, and a higher satiety value per calorie than high GI foods.

Study #1. Investigators put overweight women on a 12-week diet of either high-GI or low-GI foods with an equal amount of total carbohydrate. Both were unrestricted in calories. Body composition and total food intake were the same on both diets. Despite the diet advice aimed at changing GI, the investigators found that both groups' glucose and insulin curves were the same!

Study #2. Investigators divided 129 overweight young adults into four different diet groups for 12 weeks. Diet #1: high GI, high carbohydrate (60%). Diet #2: low GI, high carbohydrate. Diet #3: high GI, high-protein (28%). Diet #4: low GI, high protein. The high-protein diets were also a bit higher in fat. Although the differences were small and mostly not statistically significant, participants on diet #3 improved the most overall in my opinion. They lost the most weight, and had the greatest decrease in fasting insulin and calculated insulin resistance. Diet #2 came out modestly ahead of diet #1 on fat loss and fasting insulin.

Study #3. At 18 months, this is by far the longest trial. Investigators assigned 203 healthy Brazilian women to either a low-GI or high-GI energy-restricted diet. The difference in GI between the two diets was substantial; the high-GI diet was supposed to be double the low-GI diet. This was accomplished by a number of differences between diets, including different types of rice and higher bean consumption in the low-GI group.  Weight loss was a meager 1/3 pound greater in the low-GI group, a difference that was not statistically significant at 18 months. Changes in estimated insulin sensitivity were not statistically significant.

Study #4. The FUNGENUT study. In this 12-week intervention, investigators divided 47 subjects with the metabolic syndrome into two diet groups. One was a high-glycemic, high-wheat group; the other was a low-glycemic, high-rye group. After 12 weeks, there was an improvement in the insulinogenic index (a marker of early insulin secretion in response to carbohydrate) in the rye group but not the wheat group. Glucose tolerance was essentially the same in both groups.

What makes this study unique is they went on to look at changes in gene expression in subcutaneous fat tissue before and after the diets. They found a decrease in the expression of stress and inflammation-related genes in the rye group, and an increase in stress and inflammation genes in the wheat group. They interpreted this as being the result of the different GIs of the two diets.

Further research will have to determine whether the result they observed is due to the glycemic differences of the two diets or something else.

Study #5. Investigators divided 18 subjects with elevated cardiovascular disease risk markers into two diets differing in their GI, for 12 weeks. The low-glycemic group lost 4 kg (statistically significant), while the high-glycemic group lost 1.5 kg (not statistically significant).  In addition, the low-GI group ended up with lower 24-hour blood glucose measurements.  This study was a bit strange because of the fact that the high-GI group started off 14 kg heavier than the low-GI group, and the way the data are reported is difficult to understand.  Perhaps these limitations, along with the study's incongruence with other controlled trails, are what inspired the authors to describe it as a pilot study.

Study #6. 45 overweight females were divided between high-GI and low-GI diets for 10 weeks. The low-GI group lost a small amount more fat than the high-GI group, but the difference wasn't significant. The low-GI group also had a 10% drop in LDL cholesterol.

Study #7. This was the second-longest trial, at 4 months. 34 subjects with impaired glucose tolerance were divided into three diet groups. Diet #1: high-carbohydrate (60%), high-GI. Diet #2: high-carbohydrate, low-GI. Diet #3: "low-carbohydrate" (49%), "high-fat" (monounsaturated from olive and canola oil). The diet #1 group lost the most weight, followed by diet #2, while diet #3 gained weight. The differences were small but statistically significant. The insulin and triglyceride response to a test meal improved in diet group #1 but not #2. The insulin response also improved in group #3. The high-GI group came out looking pretty good. 

[Update 10/2011-- please see this post for a recent example of a 6 month controlled trial including 720 participants that tested the effect of glycemic index modification on body fatness and health markers-- it is consistent with the conclusion below]

Overall, these studies do not support the idea that lowering the glycemic index of carbohydrate foods is useful for weight loss, insulin or glucose control, or anything else besides complicating your life.  I'll keep my finger on the pulse of this research as it expands, but for the time being I don't see the glycemic index per se as a significant way to combat fat gain or metabolic disease.

Bangle Capsule, Menurunkan 12 Kg Berat Badan Saya Dengan Cara Sehat

Sebelum dan sesudah minum kapsul Bangle




Indonesia memiliki salah satu tanaman asli yang berkhasiat baik dalam pengobatan, contohnya bangle. Tanaman ini sejak dulu dipercaya sebagai pelangsing perut, terutama para ibu pasca-melahirkan. Bagian yang banyak digunakan adalah rimpangnya. Secara tradisional tanaman yang bernama latin Zingiber purpureum ini juga digunakan untuk mengatasi masuk angin, sembelit, sakit kepala, penghangat tubuh, hingga cacingan.

Bangle mengandung senyawa unik. Dari penelitian diketahui bangle mengandung senyawa yang berfungsi sebagai pengaktif dan senyawa yang bersifat menghambat kinerja enzim lipase. Dengan terhambatnya kinerja enzim tersebut maka penyerapan lemak terhambat dan akan terbuang melalui feses (kotoran).







--------------------------------------------------------------------------------


Indonesia memiliki salah satu tanaman asli yang berkhasiat baik dalam pengobatan, contohnya bangle. Tanaman ini sejak dulu dipercaya sebagai pelangsing perut, terutama para ibu pasca-melahirkan. Bagian yang banyak digunakan adalah rimpangnya. Secara tradisional tanaman yang bernama latin Zingiber purpureum ini juga digunakan untuk mengatasi masuk angin, sembelit, sakit kepala, penghangat tubuh, hingga cacingan.

Bangle mengandung senyawa unik. Dari penelitian diketahui bangle mengandung senyawa yang berfungsi sebagai pengaktif dan senyawa yang bersifat menghambat kinerja enzim lipase. Dengan terhambatnya enzim tersebut maka penyerapan lemak terhambat dan akan terbuang melalui feses (kotoran).

Kini tersedia cara praktis mengkonsumsi rimpang bangle dari Dr. Liza yaitu Bangle Capsule. Produk ini telah banyak digunakan orang untuk membantu menurunkan berat badan. Ibu Engkay Kurniawati (30 tahun) merupakan salah seorang ibu rumah tangga di Bogor yang mengkonsumsi produk tersebut. Selama kurang lebih 6 bulan berturut-turut ia berhasil menurunkan berat badannya hingga 12 kilogram dari awalnya 67 kilogram. ”Dengan Bangle Capsule Dr. Liza berat badan saya turun 1,5 sampai 2 kilogram per bulan. Setiap harinya saya mengkonsumsi Bangle Capsule sesuai dengan dosis yang dianjurkan yaitu 2 kapsul per hari”, ucap Ibu Engkay. Setelah merasa berat badan tubuhnya ideal di angka 54 kilogram kini ia masih tetap mengkonsumsi Produk ini 1 kapsul per hari untuk menjaga kesehatannya.

Menurutnya, Ia tidak merasakan efek samping dari konsumsi produk Bangle Capsule, BAB nya pun lancar. Hanya saja nafsu makannya agak berkurang, tapi tidak membahayakan kesehatannya. Sehari-hari ia cukup mengerjakan pekerjaan rumah tangga, disertai istirahat yang cukup namun hasil yang didapat sangat memuaskannya.

“Tetangga saya di komplek heran dengan perubahan yang terjadi pada berat badan saya, terlebih keluarga saya yang ada di Banten, akhirnya mereka mencoba Bangle Capsule atas rekomendasi saya”, seru Ibu Engkay. Awalnya, Ia pun mengetahui produk ini dari klinik kesehatan yang letaknya tidak jauh dari kompleknya. “Saya makin percaya dengan kemampuan herbal Indonesia dalam menangani berbagai masalah, efek sampingnya pun sangat minim, dan tidak perlu keluar biaya besar, terima kasih liza herbal”, cerita Ibu Engkay.

http://www.lizaherbal.com/main/index.php?option=com_content&task=view&id=170&Itemid=1

SehaatHerbal.Com menyediakan kapsul Bangle Rp.50rb/45 kapsul. Info pemesanan 021-91752768.

Paleopathology at the Origins of Agriculture

In April of 1982, archaeologists from around the globe converged on Plattsburgh, New York for a research symposium. Their goal:

...[to use] data from human skeletal analysis and paleopathology [the study of ancient diseases] to measure the impact on human health of the Neolithic Revolution and antecedent changes in prehistoric hunter-gatherer food economies. The symposium developed out of our perception that many widely debated theories about the origins of agriculture had testable but untested implications concerning human health and nutrition and our belief that recent advances in techniques of skeletal analysis, and the recent explosive increase in data available in this field, permitted valid tests of many of these propositions.

In other words, they got together to see what happened to human health as populations adopted agriculture. They were kind enough to publish the data presented at the symposium in the book Paleopathology at the Origins of Agriculture, edited by the erudite Drs. Mark Nathan Cohen and George J. Armelagos. It appears to be out of print, but luckily I have access to an excellent university library.

There are some major limitations to studying human health by looking at bones. The most obvious is that any soft tissue pathology will have been erased by time. Nevertheless, you can learn a lot from a skeleton. Here are the main health indicators discussed in the book:

• Mortality. Archaeologists are able to judge a person's approximate age at death, and if the number of skeletons is large enough, they can paint a rough picture of the life expectancy and infant mortality of a population.
• General growth. Total height, bone thickness, dental crowding, and pelvic and skull shape are all indicators of relative nutrition and health. This is particularly true in a genetically stable population. Pelvic depth is sensitive to nutrition and determines the size of the birth canal in women.
• Episodic stress. Bones and teeth carry markers of temporary "stress", most often due to starvation or malnutrition. Enamel hypoplasia, horizontal bands of thinned enamel on the teeth, is probably the most reliable marker. Harris lines, bands of increased density in long bones that may be caused by temporary growth arrest, are another type.
• Porotic hyperostosis and cribra orbitalia. These are both skull deformities that are caused by iron deficiency anemia, and are rather creepy to look at. They're typically caused by malnutrition, but can also result from parasites.
• Periosteal reactions. These are bone lesions resulting from infections.
• Physical trauma, such as fractures.
• Degenerative bone conditions, such as arthritis.
• Isotopes and trace elements. These can sometimes yield information about the nutritional status, diet composition and diet quality of populations.
• Dental pathology. My favorite! This category includes cavities, periodontal disease, missing teeth, abscesses, tooth wear, and excessive dental plaque.

The book presents data from 19 regions of the globe, representing Africa, Asia, the Middle East, Europe, South America, with a particular focus on North America. I'll kick things off with a fairly representative description of health in the upper Paleolithic in the Eastern Mediterranean. The term "Paleolithic" refers to the period from the invention of stone tools by hominids 2.5 million years ago, to the invention of agriculture roughly 10,000 years ago. The upper Paleolithic lasted from about 40,000 to 10,000 years ago. From page 59:

In Upper Paleolithic times nutritional health was excellent. The evidence consists of extremely tall stature from plentiful calories and protein (and some microevolutionary selection?); maximum skull base height from plentiful protein, vitamin D, and sunlight in early childhood; and very good teeth and large pelvic depth from adequate protein and vitamins in later childhood and adolescence...
Adult longevity, at 35 years for males and 30 years for females, implies fair to good general health...
There is no clear evidence for any endemic disease.

The level of skeletal (including cranial and pelvic) development Paleolithic groups exhibited has remained unmatched throughout the history of agriculture. There may be exceptions but the trend is clear. Cranial capacity was 11% higher in the upper Paleolithic. You can see the pelvic data in this table taken from Paleopathology at the Origins of Agriculture.

There's so much information in this book, the best I can do is quote pieces of the editor's summary and add a few remarks of my own. One of the most interesting things I learned from the book is that the diet of many hunter-gatherer groups changed at the end of the upper Paleolithic, foreshadowing the shift to agriculture. From pages 566-568:

During the upper Paleolithic stage, subsistence seems focused on relatively easily available foods of high nutritional value, such as large herd animals and migratory fish. Some plant foods seem to have been eaten, but they appear not to have been quantitatively important in the diet. Storage of foods appears early in many sequences, even during the Paleolithic, apparently to save seasonal surpluses for consumption during seasons of low productivity.

As hunting and gathering economies evolve during the Mesolithic [period of transition between hunting/gathering and agriculture], subsistence is expanded by exploitation of increasing numbers of species and by increasingly heavy exploitation of the more abundant and productive plant species. The inclusion of significant amounts of plant food in prehistoric diets seems to correlate with increased use of food processing tools, apparently to improve their taste and digestibility. As [Dr. Mark Nathan] Cohen suggests, there is an increasing focus through time on a few starchy plants of high productivity and storability. This process of subsistence intensification occurs even in regions where native agriculture never developed. In California, for example, as hunting-gathering populations grew, subsistence changed from an early pattern of reliance on game and varied plant resources to to one with increasing emphasis on collection of a few species of starchy seeds and nuts.

...As [Dr. Cohen] predicts, evolutionary change in prehistoric subsistence has moved in the direction of higher carrying capacity foods, not toward foods of higher-quality nutrition or greater reliability. Early nonagricultural diets appear to have been high in minerals, protein, vitamins, and trace nutrients, but relatively low in starch. In the development toward agriculture there is a growing emphasis on starchy, highly caloric food of high productivity and storability, changes that are not favorable to nutritional quality but that would have acted to increase carrying capacity, as Cohen's theory suggests.

Very interesting.

One of the interesting things I learned from the book is that Mesolithic populations, groups that were halfway between farming and hunting-gathering, were generally as healthy as hunter-gatherers:

...it seems clear that seasonal and periodic physiological stress regularly affected most prehistoric hunting-gathering populations, as evidenced by the presence of enamel hypoplasias and Harris lines. What also seems clear is that severe and chronic stress, with high frequency of hypoplasias, infectious disease lesions, pathologies related to iron-deficiency anemia, and high mortality rates, is not characteristic of these early populations. There is no evidence of frequent, severe malnutrition, so the diet must have been adequate in calories and other nutrients most of the time. During the Mesolithic, the proportion of starch in the diet rose, to judge from the increased occurrence of certain dental diseases [with exceptions to be noted later], but not enough to create an impoverished diet... There is a possible slight tendency for Paleolithic people to be healthier and taller than Mesolithic people, but there is no apparent trend toward increasing physiological stress during the mesolithic.

Cultures that adopted intensive agriculture typically showed a marked decline in health indicators. This is particularly true of dental health, which usually became quite poor.

Stress, however, does not seem to have become common and widespread until after the development of high degrees of sedentism, population density, and reliance on intensive agriculture. At this stage in all regions the incidence of physiological stress increases greatly, and average mortality rates increase appreciably. Most of these agricultural populations have high frequencies of porotic hyperostosis and cribra orbitalia, and there is a substantial increase in the number and severity of enamel hypoplasias and pathologies associated with infectious disease. Stature in many populations appears to have been considerably lower than would be expected if genetically-determined maxima had been reached, which suggests that the growth arrests documented by pathologies were causing stunting... Incidence of carbohydrate-related tooth disease increases, apparently because subsistence by this time is characterized by a heavy emphasis on a few starchy food crops.

Infectious disease increased upon agricultural intensification:

Most [studies] conclude that infection was a more common and more serious problem for farmers than for their hunting and gathering forebears; and most suggest that this resulted from some combination of increasing sedentism, larger population aggregates, and the well-established synergism between infection and malnutrition.

There are some apparent exceptions to the trend of declining health with the adoption of intensive agriculture. In my observation, they fall into two general categories. In the first, health improves upon the transition to agriculture because the hunter-gatherer population was unhealthy to begin with. This is due to living in a marginal environment or eating a diet with a high proportion of wild plant seeds. In the second category, the culture adopted rice. Rice is associated with less of a decline in health, and in some cases an increase in overall health, than other grains such as wheat and corn. In chapter 21 of the book Ancient Health: Bioarchaeological Interpretations of the Human Past, Drs. Michelle T Douglas and Michael Pietrusewsky state that "rice appears to be less cariogenic [cavity-promoting] than other grains such as maize [corn]."

One pathology that seems to have decreased with the adoption of agriculture is arthritis. The authors speculate that it may have more to do with strenuous activity than other aspects of the lifestyle such as diet. Another interpretation is that the hunter-gatherers appeared to have a higher arthritis rate because of their longer lifespans:

The arthritis data are also complicated by the fact that the hunter-gatherers discussed commonly displayed higher average ages at death than did the farming populations from the same region. The hunter-gatherers would therefore be expected to display more arthritis as a function of age even if their workloads were comparable [to farmers].

In any case, it appears arthritis is normal for human beings and not a modern degenerative disease.

And the final word:

Taken as a whole, these indicators fairly clearly suggest an overall decline in the quality-- and probably in the length-- of human life associated with the adoption of agriculture.

Blackberry Server Log Analysis

Hello Reader,

        To the end user the blackberry server is what their blackberries get their email from. But there are multiple methods of communication a blackberry is capable of relaying, logging and recovering by an informed investigator.

1. Email
   
2. SMS
   
3. Blackberry Messenger
   
4. PIN Messaging
   
5. Phone Call Log
   

The blackberry server will create the following type of logs in total:

• ALRT - BES Alert
  
• BBIM - BlackBerry Instant Messenger (4.1)
  
• BBUA - BlackBerry User Administration Service (BRK)
  
• CBCK - Backup Connector
  
• CEXC - Exchange PIM Connector
  
• CMNG - Management Connector
  
• CTRL - BlackBerry Controller
  
• DISP - BlackBerry Dispatcher
  
• MAGT - BlackBerry Mailbox Agent (aka BlackBerry Messaging Agent)
  
• MDAT - Mobile Data Services
  
• MDSS - MDS Services (4.1)
  
• MDSS-DISCOVERY - MDS Services (4.1)
  
• POLC - Policy Service
  
• ROUT - Router
  
• SYNC - BlackBerry SyncServer
  
• PhoneCallLog (4.1)
  
• PINLog (4.1)
  
• SMSLog (4.1)
  

  
   

(Thanks Wikipedia http://en.wikipedia.org/wiki/BlackBerry_Enterprise_Server)

1. Email – The blackberry server logs will store when a device connects to the server to pull email and delivers mail and other messages. When you are dealing with a time sensitive issue of did a message get received/sent/deleted from a blackberry these logs may be your best source of evidence if a enough time has passed to let the message be deleted from the blackberry device itself before imaging. Regarding imaging blackberry devices I personally use Paraben's device seizure (found here http://www.paraben-forensics.com/catalog/product_info.php?products_id=405) to do the device acquisition.
   

   The MAGT log with a name like "<Blackberry server name>_MAGT_01_20090108_0001.txt" will be a listing of every action taking place regarding the delivery of messages/calendar items/etc.. to every blackberry communicating with the server. You will find them in multiple segments per day. This is the place to look if the timing of the delivery/deletion/forwarding of a message from a blackberry is at issue.
   

2. SMS – When configured to do so the blackberry server will log into a csv file the following fields:
   

   "Name.ID,"Email Address","Type of Message","To","From","Callback Phone Number","Body","Send/Received Date","Server Log Date","Overall Message Status","Command","UID"
   

   With a file name such as "SMSLog_20070927.csv" with one log being created per day.
   

   The file is written out in utf16 so be aware of that if you to parse it out.
   

 

1. Blackberry Messenger – This is a blackberry IM program that according to my current research will not be logged on the server without creating an account to relay all the messages to. Without prior configuration the only way to recover these messages is from the device itself.
   

 

1. PIN Messaging – This is the PIN messaging log. PIN Messages are those messages sent between blackberries directly through the blackberry server directed to the PIN assigned to the blackberry by the server. By default the blackberry server will log into a csv the following fields:
   

   "Name.ID,"PIN","Email Address","Type of Message","To","Cc","Bcc","From","Subject","Body","Send/Received Date","Server Log Date","Overall Message Status","Command","UID"
   

   With a file name such as "PINLog_20070927.csv" with one log being created per day.
   

   The file is written out in utf16 so be aware of that if you to parse it out. I'm writing a parser now to dump them all into a mysql database that I will post when I correct a weird multiline message that I've found. Special bonus it's a perl script that correctly handles utf16.
   

 

1. Phone Call Log – This is a log of all of the calls being made out of the blackberry devices, note this only applies to calls made on blackberries connected to this blackberry server. This includes missed calls, outgoing calls and incoming calls that I've seen to date. By default the blackberry server will log into a csv the following fields:
   

   "Name.ID","Type of Call","Name","Phone Number","Start Date","Server Log Date","Elapsed Time","Memo","Command","UID"
   

   With a file name such as "PhoneCallLog_20070927.csv" with one log being created per day.
   

   The file is written out in utf16 so be aware of that if you to parse it out.
   

All of the CSV files will load into excel directly if you import them, otherwise if there is a large number of dates in question I would recommend parsing them into some kind of database so you can pull records by the user's name or PIN.

Depending in the current configuration of the blackberry server after the date in question or the changes you make to a server now in preparation (if you are internal) a large amount of responsive data that the user may not believe exists will be available to you. Don't expect your blackberry admin to be aware of this data existing but make sure to ask for a copy of the log director regardless.