±Your Account
Membership:
New Today: 0
New Yesterday: 4
Overall: 24209
Visitors: 46±Latest Webinar
±Latest Articles
· Android Forensics
· Geo-tagging & Photo Tracking On iOS
· KS – an open source bash script for indexing data
· Mobile Device Geotags & Armed Forces
· Categorization of embedded system forensic collection methodologies
· Interpretation of NTFS Timestamps
· What are ‘gdocs’? Google Drive Data – part 2
· What are ‘gdocs’? Google Drive Data
· Bad Sector Recovery
· Forensic Artifact: Malware Analysis in Windows 8
· Geo-tagging & Photo Tracking On iOS
· KS – an open source bash script for indexing data
· Mobile Device Geotags & Armed Forces
· Categorization of embedded system forensic collection methodologies
· Interpretation of NTFS Timestamps
· What are ‘gdocs’? Google Drive Data – part 2
· What are ‘gdocs’? Google Drive Data
· Bad Sector Recovery
· Forensic Artifact: Malware Analysis in Windows 8
±Follow Us
±Latest Jobs
Back to top
Skip to content
Skip to menu
Back to top
Back to main
Skip to menu
Go to page Previous 1, 2
Portable Devices Registry Key
Re: Portable Devices Registry Key
Posted: Tue Nov 27, 2012 3:00 pm
Colin I think you're on the right track.
I've done a bit of research and that's probably it.
I've got a bit more testing to do, but as it stands, my original method of restoring the image of the original computer to disk and connecting a locked device to that (or potentially to a VM but I'd have to test it), would get access to the DCIM folder.
The only other thing I can think of to test would be to copy down the lockdown folder from the original device and then attempt to create the registry key from the device. But i'd have to determine the algorithm used to calculate the escrow keys, and that might be a little tricky.
Thanks for your help
I've done a bit of research and that's probably it.
I've got a bit more testing to do, but as it stands, my original method of restoring the image of the original computer to disk and connecting a locked device to that (or potentially to a VM but I'd have to test it), would get access to the DCIM folder.
The only other thing I can think of to test would be to copy down the lockdown folder from the original device and then attempt to create the registry key from the device. But i'd have to determine the algorithm used to calculate the escrow keys, and that might be a little tricky.
Thanks for your help
-
randomaccess - Senior Member
Re: Portable Devices Registry Key
Posted: Wed Nov 28, 2012 4:27 pm
Alright, all done
No registry modification required
Go to C:\ProgramData\Apple\Lockdown on the synced PC and copy the <device>.plist to your examination PC and then plug in your locked device.
Then you have access to the DCIM folder when it's plugged in.
Next step is how to generate that escrow keybag? That's a significantly more substantial task though
No registry modification required
Go to C:\ProgramData\Apple\Lockdown on the synced PC and copy the <device>.plist to your examination PC and then plug in your locked device.
Then you have access to the DCIM folder when it's plugged in.
Next step is how to generate that escrow keybag? That's a significantly more substantial task though
-
randomaccess - Senior Member
Re: Portable Devices Registry Key
Posted: Thu Nov 29, 2012 4:17 am
I think you'll find that the plist you are talking about is the Escrow key bag, that is why you can see the DCIM folder.
When you have it up and running, try iExplorer to see whether or not you can access any of the application folders when the device is connected too. Without the passcode this is the best kind of connection you are going to get.
_________________
Colin Mortimer
FishNet Security
When you have it up and running, try iExplorer to see whether or not you can access any of the application folders when the device is connected too. Without the passcode this is the best kind of connection you are going to get.
_________________
Colin Mortimer
FishNet Security
-
Coligulus - Senior Member
Re: Portable Devices Registry Key
Posted: Sat Dec 01, 2012 7:00 pm
yeah it is the keybag
although i found some interesting things afterwards
i took the keybag from my laptop
and then the keybag from my work pc
they were completely different for the same phone, same passcode
and they both worked, i switched them out and could access my phone still
also i checked iexplorer on a mac and couldnt get anywhere further than DCIM, but i need to do a more thorough investigation
What i want to have a think about is how the keys are generated so i can create the plist and use it to open a phone without actually having the original laptop
so from what i can gather...the plist contains some information about the computer you use to connect to, and it has to have an identifier for the phone. it doesnt relate to the passcode, because i changed the passcode on the phone and even though it created a new plist with a completely different key, it still worked with the previous plist
the quest continues
although i found some interesting things afterwards
i took the keybag from my laptop
and then the keybag from my work pc
they were completely different for the same phone, same passcode
and they both worked, i switched them out and could access my phone still
also i checked iexplorer on a mac and couldnt get anywhere further than DCIM, but i need to do a more thorough investigation
What i want to have a think about is how the keys are generated so i can create the plist and use it to open a phone without actually having the original laptop
so from what i can gather...the plist contains some information about the computer you use to connect to, and it has to have an identifier for the phone. it doesnt relate to the passcode, because i changed the passcode on the phone and even though it created a new plist with a completely different key, it still worked with the previous plist
the quest continues
-
randomaccess - Senior Member