Portable Devices Registry Key


Re: Portable Devices Registry Key

Post Posted: Tue Nov 27, 2012 8:00 pm

Colin I think you're on the right track.
I've done a bit of research and that's probably it.

I've got a bit more testing to do, but as it stands, my original method of restoring the image of the original computer to disk and connecting a locked device to that (or potentially to a VM but I'd have to test it), would get access to the DCIM folder.

The only other thing I can think of to test would be to copy down the lockdown folder from the original device and then attempt to create the registry key from the device. But I'd have to determine the algorithm used to calculate the escrow keys, and that might be a little tricky.

Thanks for your help  

Senior Member

Re: Portable Devices Registry Key

Post Posted: Wed Nov 28, 2012 9:27 pm

Alright, all done

No registry modification required
Go to C:\ProgramData\Apple\Lockdown on the synced PC and copy the <device>.plist to your examination PC and then plug in your locked device.

Then you have access to the DCIM folder when it's plugged in.

Next step is how to generate that escrow keybag? That's a significantly more substantial task though  

Senior Member

Re: Portable Devices Registry Key

Post Posted: Thu Nov 29, 2012 9:17 am

I think you'll find that the plist you are talking about is the Escrow key bag, that is why you can see the DCIM folder.

When you have it up and running, try iExplorer to see whether or not you can access any of the application folders when the device is connected too. Without the passcode this is the best kind of connection you are going to get.
Colin Mortimer

Senior Member

Re: Portable Devices Registry Key

Post Posted: Sun Dec 02, 2012 12:00 am

Yeah, it is the keybag,
although I found some interesting things afterwards.

I took the keybag from my laptop
and then the keybag from my work PC.
They were completely different for the same phone, same passcode,

and they both worked. I switched them out and could still access my phone.

Also, I checked iExplorer on a Mac and couldn't get anywhere further than DCIM, but I need to do a more thorough investigation.

What I want to have a think about is how the keys are generated, so I can create the plist and use it to open a phone without actually having the original laptop.

So from what I can gather... the plist contains some information about the computer you use to connect to, and it has to have an identifier for the phone. It doesn't relate to the passcode, because I changed the passcode on the phone and even though it created a new plist with a completely different key, it still worked with the previous plist.

the quest continues  

Senior Member
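
The following is an added example, not code from the thread or from any poster: a read-only inventory of the `<device>.plist` pairing records in a Lockdown folder, showing which devices a host holds a record for and confirming, by hash only, that two hosts hold different escrow bags for the same device. The key names `EscrowBag` and `HostID`, the device identifier and all sample records are assumptions constructed for the example.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path


def summarize_record(path):
    """Return identifying fields of one pairing record without exposing key material."""
    with open(path, "rb") as fh:
        rec = plistlib.load(fh)          # handles both XML and binary plists
    if not isinstance(rec, dict):
        raise ValueError("top-level plist object is not a dictionary")
    bag = rec.get("EscrowBag")           # assumed key name, not given in the thread
    return {
        "device": Path(path).stem,       # the record is named <device>.plist
        "host_id": rec.get("HostID"),    # assumed key name
        "has_escrow_bag": isinstance(bag, bytes) and len(bag) > 0,
        "escrow_sha256": hashlib.sha256(bag).hexdigest() if isinstance(bag, bytes) else None,
    }


def inventory(lockdown_dir):
    """Summarize every <device>.plist in a Lockdown folder; unreadable files are reported."""
    out = []
    for p in sorted(Path(lockdown_dir).glob("*.plist")):
        try:
            out.append(summarize_record(p))
        except (plistlib.InvalidFileException, OSError, ValueError) as exc:
            out.append({"device": p.stem, "error": str(exc)})
    return out


def build_demo():
    """Constructed sample: one device id paired with two hosts, plus a corrupt file."""
    root = Path(tempfile.mkdtemp())
    for host, bag in (("laptop", b"\x01" * 32), ("workpc", b"\x02" * 32)):
        d = root / host
        d.mkdir()
        with open(d / "CONSTRUCTED-DEVICE-ID.plist", "wb") as fh:
            plistlib.dump({"HostID": f"HOST-{host}", "EscrowBag": bag}, fh)
    (root / "workpc" / "broken.plist").write_bytes(b"not a plist")
    return root


if __name__ == "__main__":
    demo = build_demo()
    for host in ("laptop", "workpc"):
        for row in inventory(demo / host):
            print(host, row)
```

Run against a copy of the folder from a forensic image rather than the live evidence, since each record is equivalent to a credential for the paired device.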
