Difference between pages "Microsoft PocketPC" and "BitLocker: how to image"

From Forensics Wiki

Microsoft PocketPC

__TOC__

=Overview=

A Pocket PC is a handheld computer that runs a version of Microsoft's proprietary mobile operating systems.

[[Image:Pocketpc.jpg|thumb|Acer Pocket PC]]

Microsoft Pocket PC, sometimes referred to as P/PC or PPC, is based upon the Windows CE framework. Variants of this operating system include Pocket PC 2000, Pocket PC 2002, Windows Mobile 2003/2003 SE, and Windows Mobile 5.0. Variants also exist for [[SmartPhones]], such as Windows Mobile 2003 Smartphone Edition.

One of the key benefits of Microsoft's Windows Mobile platform is file format compatibility with the desktop versions of the company's productivity software. Mobile versions of Microsoft software, such as Pocket Word, Pocket Excel, and Pocket PowerPoint, allow individuals to view and edit these files outside of the home and office.

Another benefit is integration with Microsoft's cross-platform solution, the .NET Framework. The .NET Framework and its associated class libraries handle memory management, file I/O, and many other functions, and allow programmers to develop code in one of several .NET languages, such as C# and VB.NET. Pocket PCs run a simplified version of the framework called the .NET Compact Framework.

In order to maintain synchronization and connectivity with desktop computers, Microsoft developed the ActiveSync program. The user merely has to connect the Pocket PC to the desktop computer in order to synchronize items such as appointments, contact lists, and even multimedia files.

In 2001, [[PDAs]] running Palm OS variants held a market share of about 72%, while Pocket PC held a meager 15% of the market. However, by the fourth quarter of 2004, Microsoft Pocket PC and Palm OS were practically tied: Pocket PC-based devices had a market share of 40.2% while Palm OS claimed 40.7%. This upward trend illustrates the growing popularity of Pocket PC-based devices, and thus the increased likelihood that one will encounter such a device in the field.

== History ==

Windows CE, which serves as the framework for the Pocket PC operating systems, began its life in November of 1996. The NEC MobilePro 200 and the Casio A-10 were the first two PDA-type devices available with this early version of the operating system, which was dubbed Handheld PC 1.0.

Subsequently, Microsoft released iterations of its mobile operating systems under names such as Handheld PC 2.0 (1997), Palm-Size PC 2.0 (1998), and Handheld PC Professional Edition (1998).

As development of Windows CE continued, manufacturers began to build more esoteric devices around it, such as internet TV set-top boxes and web-enabled telephones.

Pocket PC officially began its public life when it was previewed at the Consumer Electronics Show in 2000. Codenamed "Rapier", the first version of the Pocket PC operating system was simply named Pocket PC.

=Pocket PC Variants=

==Pocket PC 2000==

Pocket PC 2000, based on Microsoft's Windows CE 3.0 platform, was a first step towards the familiar appearance and functionality offered by Windows Mobile 5.0. Devices running Pocket PC 2000 ranged from the Askey PC010, which had a 16-color grayscale screen with no expansion slots, to the Casio EM-500, which had a 64k color screen and provisions for upgraded peripherals such as cameras. Pocket PC 2000 launched with versions of Pocket Word, Pocket Excel, and Microsoft Reader bundled. ActiveSync 3.1, which provided an easier way to install applications onto the Pocket PC, was required to synchronize with host desktop machines.

==Pocket PC 2002==

Codenamed "Merlin," Pocket PC 2002 was Microsoft's Windows CE 3.0-based upgrade to Pocket PC 2000. Pocket PC 2002 offered many improvements over the previous operating system, including a Terminal Services Client, a new mail Inbox, Windows Media Player 8.0, improved versions of Pocket Word and MS Reader, and many other features.

There were three service packs (EUUU1/2/3) released which addressed bugs and other issues in the original release.

==Windows Mobile 2003 & 2003 Second Edition==

Windows Mobile 2003, codenamed "Ozone", was officially released in June of 2003. The operating system is based on Microsoft's Windows CE 4.2, which claimed to provide a more responsive system than devices running Windows CE 3.0. This version added many useful features, including a picture viewer, built-in Bluetooth and WiFi support, Windows Media Player 9.0, and a host of Personal Information Management application improvements. This version of Windows Mobile required ActiveSync 3.7 to communicate with a host computer.

Windows Mobile 2003 Second Edition, released in 2004, added support for 640x480 VGA resolution, portrait and landscape display modes, DPI settings, and many other improvements.

==Windows Mobile 5.0==

Windows Mobile 5.0, based on Windows CE 5.0, was released on May 10, 2005, and brought many changes to the Pocket PC landscape. With this release, the phone and PDA versions of the OS merged into one encompassing OS instead of two separate versions of the same system. Additionally, while past versions of Pocket PC software used the RAM of a PDA for program and data storage, Windows Mobile 5.0 uses a PDA's hardware more like a traditional computer: the operating system and user data are stored in the more persistent ROM of the device, and RAM is used in a way more similar to that of a desktop PC. This has implications for forensics, as data stored on these devices is now less volatile.

=Pocket PC Devices=

[[Image:Treo.jpg|thumb|Treo 700w]]

In recent years, a number of manufacturers have elected to produce Pocket PC devices. Some of these makers include:

* Acer
* Asus
* Audiovox
* Dell
* HP
* Mitac
* Motorola
* Samsung
* Siemens
* Symbol
* Treo

Because different manufacturers target different segments of the market, such as business and consumers, the features and functionality of these devices sometimes differ greatly. For example, some devices have built-in capability for taking images and videos, while others have tools such as biometric fingerprint readers and barcode scanners.

BitLocker: how to image

Revision as of 01:04, 15 July 2013

= Imaging Options =

There are multiple ways to image a computer with BitLocker security in place.

== Offline Imaging ==

An offline image can be made; the resulting image contains the encrypted data.

Options to decrypt the information offline, provided the password or recovery password is available, include:

* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
* [[EnCase]] (as of version 6) with the (optional) encryption module
* [[libbde]]

The recovery password is a long series of digits broken up into 8 segments:

<pre>
123456-123456-123456-123456-123456-123456-123456-123456
</pre>

Note that there is no white space in the recovery password, including at the end; EnCase, for example, does not accept the recovery password if there is trailing white space.

The recovery password can be recovered from a BitLocker-enabled computer provided it can be logged into, or it can be retrieved from escrow if it was stored there.

The basic steps are:

# Make an offline full disk image.
# Recover the password. This can be done by booting the original computer, or by creating a clone and booting the clone (booting from a clone has not been tested at this time).
## Once booted, log into the computer.
## Use the BitLocker control panel applet to display the password. This can also be done from the command line.
## Record the password.
# For EnCase v6 or higher with the encryption module installed:
## Load the image into EnCase.
## You will be prompted for the password. Simply enter it and continue.
## If you prefer to have an unencrypted image to work with other tools or to share with co-workers, you can "re-acquire" the image from within EnCase. The new image will contain unencrypted data.
## After adding the encrypted image to your case, right-click the drive in the left panel and select Acquire. Select "do not add to case". You will be presented with a dialog window to enter information about the new image. Make sure the destination you select for the new image does not already exist.

== Live Imaging ==

=== FTK Live Imaging of a physical drive ===

Using FTK Imager Lite, it was determined that a live image of the physical system disk results in an image containing an encrypted BitLocker container.

Note that the term "physical" here corresponds directly to FTK Imager's use of the term in its image acquisition menu.

=== FTK Live Imaging of a logical partition ===

This has not been verified to work or fail at this time.

Note that the term "logical" here corresponds directly to FTK Imager's use of the term in its image acquisition menu.

=== FTK Live Files and Folders collections ===

This was not attempted, but it seems reasonable to assume this will collect unencrypted files.

== See Also ==

* [[BitLocker Disk Encryption]]
* [[Defeating Whole Disk Encryption]]

[[Category:Disk encryption]]
[[Category:Windows]]
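The recovery password format described under Offline Imaging (8 groups of 6 digits, no white space anywhere) can be checked before it is typed into EnCase, dislocker or libbde; the following Python is an added example, not part of the wiki page or of any of those tools. It goes slightly beyond the page: it also applies the documented check digit (every group is divisible by 11 and below 720896) and converts a well-formed password to the 16-byte recovery key the way libbde and dislocker do (each group divided by 11, packed as a little-endian 16-bit word); the sample password is constructed.

```python
import re

# BitLocker recovery password layout (documented format): 8 groups of 6
# decimal digits joined by '-'. Each group is divisible by 11 and below
# 720896 (= 65536 * 11), so group // 11 is one 16-bit word of the
# 128-bit recovery key.
GROUPS = 8
GROUP_MAX = 65536 * 11          # exclusive upper bound for a group
_GROUP_RE = re.compile(r"^[0-9]{6}$")


def check_recovery_password(text: str) -> list:
    """Return the problems found; an empty list means the string is well formed.

    White space anywhere, including a trailing space or newline, is reported,
    since tools such as EnCase reject the password when it is present.
    """
    problems = []
    if any(c.isspace() for c in text):
        problems.append("contains white space (leading, trailing or embedded)")
    groups = text.strip().split("-")
    if len(groups) != GROUPS:
        problems.append(f"expected {GROUPS} groups, found {len(groups)}")
    for i, g in enumerate(groups, 1):
        if not _GROUP_RE.match(g):
            problems.append(f"group {i} {g!r} is not exactly 6 digits")
            continue
        value = int(g)
        if value % 11:
            problems.append(f"group {i} {g!r} fails the divisible-by-11 check")
        if value >= GROUP_MAX:
            problems.append(f"group {i} {g!r} is too large for a 16-bit word")
    return problems


def recovery_password_to_key(text: str) -> bytes:
    """Convert a well-formed recovery password to the 16-byte recovery key:
    group // 11 becomes a little-endian 16-bit word, the layout libbde and
    dislocker use as input to key stretching."""
    problems = check_recovery_password(text)
    if problems:
        raise ValueError("; ".join(problems))
    return b"".join((int(g) // 11).to_bytes(2, "little") for g in text.split("-"))


# Constructed sample values, not recovery passwords taken from any real system.
VALID = "123464-220000-720885-000011-366663-550000-100001-135795"
PAGE_SAMPLE = "-".join(["123456"] * 8)   # the wiki's illustrative string
```

The wiki's illustrative string fails the check-digit test (123456 is not divisible by 11), which is why it can only serve as a format illustration and not as input to the decryption tools.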
