
Portable Devices Registry Key

11 Posts
3 Users
0 Likes
1,674 Views
(@randomaccess)
Posts: 385
Reputable Member
Topic starter
 

Does anyone know where I might find information about the portable devices registry key in windows 7?

I'm trying to figure out something about iOS devices where when you connect them to the computer they load up as a Portable Device rather than the volume.

Basically if you've already added a device to your computer, and unlocked it, you can obtain access to the DCIM folder... my testing has been inconsistent, it doesn't always work after you've unlocked the device, but sometimes it does and I'm trying to figure out why.

So far I know that the registry key for the device is created under HKLM/System/Enum/USB under the specific DeviceID and then an instance is created for the last device that was plugged in. But after that I'm a bit lost.

Any help would be greatly appreciated.

(Apologies if this should go in the general forensics topic)

 
Posted : 26/11/2012 6:33 am
(@coligulus)
Posts: 165
Estimable Member
 

Are the Escrow keybags stored on the host machine not the mechanism used by the computer to allow access to iDevices which have previously been connected when unlocked? I'm pretty sure this is the mechanism used by the devices to enable the host computer to read and decrypt files from the device which would otherwise be un-acquirable due to the device being locked and consequently encrypted.

Colin

 
Posted : 26/11/2012 1:18 pm
(@randomaccess)
Posts: 385
Reputable Member
Topic starter
 

Right. I'm not sure.

 
Posted : 27/11/2012 2:20 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Does anyone know where I might find information about the portable devices registry key in windows 7?

Not to be too blunt about it, but have you tried Google?

I'm trying to figure out something about iOS devices where when you connect them to the computer they load up as a Portable Device rather than the volume.

Basically if you've already added a device to your computer, and unlocked it, you can obtain access to the DCIM folder... my testing has been inconsistent, it doesn't always work after you've unlocked the device, but sometimes it does and I'm trying to figure out why.

I'm not really clear on what you're asking here. "Unlocked"? I've connected both an iTouch and an iPhone to my Win7 system in order to copy images out of the DCIM folder, and haven't had to "unlock" either one that I'm aware of.

So far I know that the registry key for the device is created under HKLM/System/Enum/USB under the specific DeviceID and then an instance is created for the last device that was plugged in. But after that I'm a bit lost.

I'm a bit unclear as to how this applies to the Windows Portable Devices key.

As something of a side note, I've had digital cameras be visible as WPDs, rather than (as what I would suspect you're leaning toward…) as a USB removable storage device.

 
Posted : 27/11/2012 3:19 am
(@randomaccess)
Posts: 385
Reputable Member
Topic starter
 

Yep, checked Google, but couldn't find anything that helped me along. Or I did, and didn't realise it. Also checked your books, but I either missed stuff about portable devices, or it wasn't there. The USB key information helped a lot though.

So explaining the story:
When you plug in an iOS device that has a passcode it installs a driver.
You may or may not be able to see it as a portable device on your system (it's varied across machines that I've tested).
So thumbs up, secure, it's got a password so I shouldn't be able to access the DCIM folder.

Then I disconnect it, and unlock the handset, and plug it in.
It installs another driver (and creates a new registry key underneath the old one in the Enum/USB key). This one contains information like the name on the iOS device (last one connected) - haven't checked the LastWrite time but I'd hazard a guess that it will be indicative of the last time someone plugged in an iOS device of that specific device ID - this information is similarly found in the AppData folder for iTunes, provided they synced it.
Now that that's all done, you can see the pictures in the DCIM folder.

Great, but now I disconnect it and lock it. Then plug it back in, and I can see the device again under portable devices, and even though it's locked, I can still access the DCIM folder under portable devices.

This isn't consistent. I could do it on my machines, but took it to a different computer and it didn't work.

The point of this investigation is that when we get given iPhone 4S+ and iPad 2+ we have to turn them away saying it's currently not possible to get anything off it. Now I know this is not necessarily the case.
If I can figure out what the registry needs to "unlock" the device when it's connected, then I may be able to generate a key, add it to my examination PC's registry and connect the suspect device to view the DCIM folder.

 
Posted : 27/11/2012 11:32 am
(@randomaccess)
Posts: 385
Reputable Member
Topic starter
 

I'm not really clear on what you're asking here. "Unlocked"? I've connected both an iTouch and an iPhone to my Win7 system in order to copy images out of the DCIM folder, and haven't had to "unlock" either one that I'm aware of.

I'm guessing that's because you've connected them to that system before when they've been in an unlocked state, or they're synced to that machine, which means you need to give it the passcode, but I may be wrong.

Otherwise, it might have something to do with similar devices being connected,
which is what I'm trying to figure out... a way to get access to the folder for an "unknown" device.

 
Posted : 27/11/2012 11:34 am
(@coligulus)
Posts: 165
Estimable Member
 

I think the issue here is indeed the Escrow key bags. Once you have connected a device in an unlocked fashion to the computer the key bag should be copied over whether you sync or not. This is what gives the OS the necessary authorisation to a) mount the disk and b) decrypt the files. Once the key bag is stored on the computer you can then access the DCIM folder - and actually other application folders too with the right tools - without having to unlock the device.

The issue which I think you will find is that without that initial connection in an unlocked state there will be no ability to access the device when locked.

In the scenario you are talking about it may well be possible to recover the escrow key bag from a machine which the device has synced with previously and copy those to a forensic machine etc. in order to trick the device into thinking it has connected to your workstation before. You may then be able to acquire a backup of the device which you can work through to recover data.

Food for thought.

Colin

 
Posted : 27/11/2012 1:48 pm
(@randomaccess)
Posts: 385
Reputable Member
Topic starter
 

Colin I think you're on the right track.
I've done a bit of research and that's probably it.

I've got a bit more testing to do, but as it stands, my original method of restoring the image of the original computer to disk and connecting a locked device to that (or potentially to a VM but I'd have to test it), would get access to the DCIM folder.

The only other thing I can think of to test would be to copy down the lockdown folder from the original device and then attempt to create the registry key from the device. But I'd have to determine the algorithm used to calculate the escrow keys, and that might be a little tricky.

Thanks for your help

 
Posted : 28/11/2012 1:00 am
(@randomaccess)
Posts: 385
Reputable Member
Topic starter
 

Alright, all done.

No registry modification required.
Go to C:\ProgramData\Apple\Lockdown on the synced PC and copy the <device>.plist to your examination PC and then plug in your locked device.

Then you have access to the DCIM folder when it's plugged in.

Next step is how to generate that escrow keybag? That's a significantly more substantial task though.

 
Posted : 29/11/2012 2:27 am
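The lockdown folder named in the post above is itself evidence: it records which iOS devices a Windows host has been paired with. The following inventory script is an added example, not code from the thread or from Apple; the plist key names it reads (HostID, SystemBUID, EscrowBag, WiFiMACAddress) and the convention that the file name is the device UDID are assumptions, and the sample record is constructed.

```python
"""Inventory iOS pairing (lockdown) records on a host (added example)."""
import plistlib
import tempfile
from pathlib import Path

DEFAULT_LOCKDOWN_DIR = Path(r"C:\ProgramData\Apple\Lockdown")  # path from the thread

# Constructed sample record; key names are assumed, not taken from the post.
SAMPLE_UDID = "00000000000000000000000000000000deadbeef"
SAMPLE_PLIST = plistlib.dumps({
    "HostID": "EXAMPLE-HOST-ID",            # assumed key: pairing host identifier
    "SystemBUID": "EXAMPLE-SYSTEM-BUID",    # assumed key
    "EscrowBag": b"\x00\x01\x02\x03",       # assumed key: the escrow keybag blob
    "WiFiMACAddress": "00:11:22:33:44:55",  # assumed key
})


def summarize_record(filename, raw):
    """Summarize one lockdown plist; None if it is not a parseable device record."""
    try:
        data = plistlib.loads(raw)
    except Exception:
        return None  # truncated or non-plist file: report nothing rather than guess
    if not isinstance(data, dict) or "HostID" not in data:
        return None  # e.g. SystemConfiguration.plist, which is not a device record
    return {
        "udid": Path(filename).stem,
        "host_id": data.get("HostID"),
        "system_buid": data.get("SystemBUID"),
        "has_escrow_bag": bool(data.get("EscrowBag")),
        "wifi_mac": data.get("WiFiMACAddress"),
    }


def inventory(lockdown_dir=DEFAULT_LOCKDOWN_DIR):
    """Return a summary for every device pairing record found in the folder."""
    records = []
    for path in sorted(Path(lockdown_dir).glob("*.plist")):
        summary = summarize_record(path.name, path.read_bytes())
        if summary is not None:
            summary["last_modified"] = path.stat().st_mtime  # when the record last changed
            records.append(summary)
    return records


def demo_inventory():
    """Run inventory() over a temp folder holding the sample plus two non-records."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, SAMPLE_UDID + ".plist").write_bytes(SAMPLE_PLIST)
        Path(tmp, "SystemConfiguration.plist").write_bytes(plistlib.dumps({"SystemBUID": "x"}))
        Path(tmp, "junk.plist").write_bytes(b"not a plist")
        return inventory(tmp)


if __name__ == "__main__":
    for rec in demo_inventory():
        print(rec)
```

Run it against the real folder with inventory() on a mounted image to list which UDIDs a host holds pairing records for and whether each record carries an escrow bag.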
(@coligulus)
Posts: 165
Estimable Member
 

I think you'll find that the plist you are talking about is the Escrow key bag, that is why you can see the DCIM folder.

When you have it up and running, try iExplorer to see whether or not you can access any of the application folders when the device is connected too. Without the passcode this is the best kind of connection you are going to get.

 
Posted : 29/11/2012 2:17 pm