±Forensic Focus Partners

±Your Account


Nickname
Password


Forgotten password/username?


Membership:
New Today: 6
New Yesterday: 7
Overall: 27333
Visitors: 59

±Follow Forensic Focus

Join our LinkedIn group

Subscribe to news

Subscribe to forums

Subscribe to blog

Subscribe to tweets

Portable Devices Registry Key

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Subforums: Mobile Telephone Case Law
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page Previous  1, 2 
  

Re: Portable Devices Registry Key

Post Posted: Tue Nov 27, 2012 3:00 pm

Colin I think you're on the right track.
I've done a bit of research and that's probably it.

I've got a bit more testing to do, but as it stands, my original method of restoring the image of the original computer to disk and connecting a locked device to that (or potentially to a VM but I'd have to test it), would get access to the DCIM folder.

The only other thing I can think of to test would be to copy down the lockdown folder from the original device and then attempt to create the registry key from the device. But i'd have to determine the algorithm used to calculate the escrow keys, and that might be a little tricky.

Thanks for your help  

randomaccess
Senior Member
 
 
  

Re: Portable Devices Registry Key

Post Posted: Wed Nov 28, 2012 4:27 pm

Alright, all done

No registry modification required
Go to C:\ProgramData\Apple\Lockdown on the synced PC and copy the <device>.plist to your examination PC and then plug in your locked device.

Then you have access to the DCIM folder when it's plugged in.

Next step is how to generate that escrow keybag? That's a significantly more substantial task though  

randomaccess
Senior Member
 
 
  

Re: Portable Devices Registry Key

Post Posted: Thu Nov 29, 2012 4:17 am

I think you'll find that the plist you are talking about is the Escrow key bag, that is why you can see the DCIM folder.

When you have it up and running, try iExplorer to see whether or not you can access any of the application folders when the device is connected too. Without the passcode this is the best kind of connection you are going to get.
_________________
Colin Mortimer
AirWatch 

Coligulus
Senior Member
 
 
  

Re: Portable Devices Registry Key

Post Posted: Sat Dec 01, 2012 7:00 pm

yeah it is the keybag
although i found some interesting things afterwards

i took the keybag from my laptop
and then the keybag from my work pc
they were completely different for the same phone, same passcode

and they both worked, i switched them out and could access my phone still

also i checked iexplorer on a mac and couldnt get anywhere further than DCIM, but i need to do a more thorough investigation

What i want to have a think about is how the keys are generated so i can create the plist and use it to open a phone without actually having the original laptop

so from what i can gather...the plist contains some information about the computer you use to connect to, and it has to have an identifier for the phone. it doesnt relate to the passcode, because i changed the passcode on the phone and even though it created a new plist with a completely different key, it still worked with the previous plist

the quest continues  

randomaccess
Senior Member
 
 
Reply to topicReply to topic

Share this forum topic to encourage more replies



Page 2 of 2
Go to page Previous  1, 2