Portable Devices Registry Key

Portable Devices Registry Key

Post Posted: Sun Nov 25, 2012 8:33 pm

Does anyone know where I might find information about the portable devices registry key in Windows 7?

I'm trying to figure out something about iOS devices where, when you connect them to the computer, they load up as a Portable Device rather than the volume.

Basically if you've already added a device to your computer, and unlocked it, you can obtain access to the DCIM folder....my testing has been inconsistent, it doesn't always work after you've unlocked the device, but sometimes it does and I'm trying to figure out why.

So far I know that the registry key for the device is created under HKLM/System/Enum/USB under the specific DeviceID and then an instance is created for the last device that was plugged in. But after that I'm a bit lost.

Any help would be greatly appreciated.

(Apologies if this should go in the general forensics topic)  

randomaccess
Senior Member
 
 
  

Re: Portable Devices Registry Key

Post Posted: Mon Nov 26, 2012 3:18 am

Are the Escrow keybags stored on the host machine not the mechanism used by the computer to allow access to iDevices which have previously been connected when unlocked? I'm pretty sure this is the mechanism used by the devices to enable the host computer to read and decrypt files from the device which would otherwise be un-acquirable due to the device being locked and consequently encrypted.

Colin
_________________
Colin Mortimer
AirWatch 

Coligulus
Senior Member
 
 
  

Re: Portable Devices Registry Key

Post Posted: Mon Nov 26, 2012 4:20 pm

Right. I'm not sure.  

randomaccess
Senior Member
 
 
  

Re: Portable Devices Registry Key

Post Posted: Mon Nov 26, 2012 5:19 pm

- randomaccess
Does anyone know where I might find information about the portable devices registry key in Windows 7?


Not to be too blunt about it, but have you tried Google?

- randomaccess

I'm trying to figure out something about iOS devices where, when you connect them to the computer, they load up as a Portable Device rather than the volume.

Basically if you've already added a device to your computer, and unlocked it, you can obtain access to the DCIM folder....my testing has been inconsistent, it doesn't always work after you've unlocked the device, but sometimes it does and I'm trying to figure out why.


I'm not really clear on what you're asking here. "Unlocked"? I've connected both an iTouch and an iPhone to my Win7 system in order to copy images out of the DCIM folder, and haven't had to "unlock" either one that I'm aware of.

- randomaccess

So far I know that the registry key for the device is created under HKLM/System/Enum/USB under the specific DeviceID and then an instance is created for the last device that was plugged in. But after that I'm a bit lost.


I'm a bit unclear as to how this applies to the Windows Portable Devices key.

As something of a side note, I've had digital cameras be visible as WPDs, rather than (as what I would suspect you're leaning toward...) as a USB removable storage device.  

keydet89
Senior Member
 
 
  

Re: Portable Devices Registry Key

Post Posted: Tue Nov 27, 2012 1:32 am

Yep, checked Google, but couldn't find anything that helped me along. Or I did, and didn't realise it. Also checked your books, but I either missed stuff about portable devices, or it wasn't there. The USB key information helped a lot though.


So explaining the story:
When you plug in an iOS device that has a passcode, it installs a driver.
You may or may not be able to see it as a portable device on your system (it's varied across machines that I've tested).
So thumbs up, secure: it's got a password so I shouldn't be able to access the DCIM folder.

Then I disconnect it, and unlock the handset, and plug it in.
It installs another driver (and creates a new registry key underneath the old one in the Enum/USB key). This one contains information like the name on the iOS device (last one connected) - haven't checked the LastWrite time but I'd hazard a guess that it will be indicative of the last time someone plugged in an iOS device of that specific device ID - this information is similarly found in the AppData folder for iTunes, provided they synced it.
Now that that's all done, you can see the pictures in the DCIM folder.

Great, but now I disconnect it and lock it, then plug it back in, and I can see the device again under portable devices, and even though it's locked, I can still access the DCIM folder under portable devices.

This isn't consistent. I could do it on my machines, but took it to a different computer and it didn't work.

The point of this investigation is that when we get given iPhone 4S+ and iPad2+ we have to turn them away saying it's currently not possible to get anything off it. Now I know this is not necessarily the case.
If I can figure out what the registry needs to "unlock" the device when it's connected, then I may be able to generate a key, add it to my examination PC's registry and connect the suspect device to view the DCIM folder.  

randomaccess
Senior Member
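
The key layout described in the post above (one key per device ID under Enum\USB, with one instance subkey per handset that has been plugged in) can be listed from a registry export. This is an added example, not code from the thread: it parses a regedit text export, the sample export and its instance IDs are constructed, and 05AC is Apple's USB vendor ID.

```python
import re
from collections import defaultdict

# Constructed sample in regedit text-export format; IDs and names are illustrative.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_05AC&PID_12A0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_05AC&PID_12A0\CONSTRUCTED-INSTANCE-A]
"FriendlyName"="Apple iPhone"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_05AC&PID_12A0\CONSTRUCTED-INSTANCE-A\Device Parameters]
"SymbolicName"="constructed"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_05AC&PID_12A0\CONSTRUCTED-INSTANCE-B]
"FriendlyName"="Apple iPhone"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0781&PID_5567\CONSTRUCTED-INSTANCE-C]
"DeviceDesc"="USB Mass Storage Device"
'''

# Matches instance keys only: ...\Enum\USB\<device ID>\<instance ID>
KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Enum\\USB\\'
    r'(VID_([0-9A-F]{4})&PID_([0-9A-F]{4})[^\\\]]*)\\([^\\\]]+)\]$', re.I)
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # string (REG_SZ) values only

def parse_usb_instances(reg_text):
    """Return one dict per device instance key found under Enum\\USB."""
    instances, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            m = KEY_RE.match(line)
            current = None  # device-ID keys and deeper subkeys are skipped
            if m:
                current = {"device_id": m.group(1).upper(), "vid": m.group(2).upper(),
                           "pid": m.group(3).upper(), "instance_id": m.group(4), "values": {}}
                instances.append(current)
        elif current is not None:
            v = VAL_RE.match(line)
            if v:
                current["values"][v.group(1)] = v.group(2)
    return instances

def instances_by_device_id(instances, vid=None):
    """Group instances by device ID, optionally keeping one vendor ID only."""
    grouped = defaultdict(list)
    for inst in instances:
        if vid is None or inst["vid"] == vid.upper():
            grouped[inst["device_id"]].append(inst)
    return dict(grouped)
```

A text export does not carry key LastWrite times; checking those requires the SYSTEM hive file itself and a hive parser. Real exports are also usually UTF-16, so decode the file before passing its text in.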
 
 
  

Re: Portable Devices Registry Key

Post Posted: Tue Nov 27, 2012 1:34 am

- keydet89
I'm not really clear on what you're asking here. "Unlocked"? I've connected both an iTouch and an iPhone to my Win7 system in order to copy images out of the DCIM folder, and haven't had to "unlock" either one that I'm aware of.


I'm guessing that's because you've connected them to that system before when they've been in an unlocked state, or they're synced to that machine which means you need to give it the passcode: but I may be wrong.

Otherwise, it might have something to do with similar devices being connected,
which is what I'm trying to figure out....a way to get access to the folder for an "unknown" device.  

randomaccess
Senior Member
 
 
  

Re: Portable Devices Registry Key

Post Posted: Tue Nov 27, 2012 3:48 am

I think the issue here is indeed the Escrow key bags. Once you have connected a device in an unlocked fashion to the computer the key bag should be copied over whether you sync or not. This is what gives the OS the necessary authorisation to a) mount the disk and b) decrypt the files. Once the key bag is stored on the computer you can then access the DCIM folder - and actually other application folders too with the right tools - without having to unlock the device.

The issue which I think you will find is that without that initial connection in an unlocked state there will be no ability to access the device when locked.

In the scenario you are talking about it may well be possible to recover the escrow key bag from a machine which the device has synced with previously and copy it to a forensic machine etc. in order to trick the device into thinking it has connected to your workstation before. You may then be able to acquire a backup of the device which you can work through to recover data.

Food for thought.

Colin
_________________
Colin Mortimer
AirWatch 

Coligulus
Senior Member
 
 
Page 1 of 2