Symantec Connect
Security Response

Windows Mobile 6, File Encryption and Incident Response

Ollie Whitehouse
April 24th, 2007
Tags: Endpoint Protection (AntiVirus), Mobile & Wireless, Security, Security Response

With the advent of Windows Mobile 6 came a file system filter driver for encrypting data on Secure Digital (SD) cards, which are frequently used to store sensitive data. Previously, to gain access to users' data, an attacker could simply steal their SD card. Breaking the device's PIN protection was completely unnecessary.

To protect users and enterprises alike, Microsoft implemented on-device encryption for SD cards. The downside, however, is that the master key used for this encryption does not persist across hard resets. There is currently no escrow mechanism, which Microsoft states clearly: [1]


There isn't any key escrow or recovery in this release. We realize this is very important to many enterprise customers. Feel free to add your comments about how important this is to your organization as it helps us prioritize the work for the future. If you don't want key escrow, that would also be good to hear.


As a result, if a device undergoes a hard reset, nobody will be able to recover the encrypted documents from the storage card.

Also noted by Microsoft [1] is that, when a file is encrypted on a storage card, its filename is modified. This can be useful in identifying such files to people performing incident response. The format used for encrypted files is [filename].[extension].[GUID].menc. The .menc extension tells the Windows Mobile device that it's an encrypted file and the [GUID] represents the encryption key on the device.

The implementation relies on a master key that by default is stored under the \Windows\ directory (\Windows\System\default.mky). Anyone who has to respond to incidents involving Windows Mobile 6 devices and wants any chance of decrypting files held on SD cards (and who doesn't have a spare Cray in the office) should ensure that they grab copies of the master keys.
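For responders triaging a card image, the naming convention above can be parsed to inventory encrypted files and group them by key GUID. The following is an added example, not code from the original post or from Microsoft; the textual GUID form (8-4-4-4-12 hex, optionally in braces), the function names and the sample paths are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: the GUID is written in canonical 8-4-4-4-12 hex form,
# optionally wrapped in braces. The post only says "[GUID]".
_GUID = r"\{?(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?"
_MENC = re.compile(r"^(?P<orig>.+)\." + _GUID + r"\.menc$", re.IGNORECASE)

# Default master key location given in the post.
MASTER_KEY_PATH = r"\Windows\System\default.mky"


def parse_menc(path):
    """Return (original_name, guid) for [filename].[extension].[GUID].menc, else None."""
    m = _MENC.match(PureWindowsPath(path).name)
    return (m.group("orig"), m.group("guid").lower()) if m else None


def inventory(paths):
    """Group encrypted files by key GUID; list everything else separately."""
    by_guid, other = defaultdict(list), []
    for p in paths:
        parsed = parse_menc(p)
        if parsed:
            by_guid[parsed[1]].append((p, parsed[0]))
        else:
            other.append(p)  # plain files, or .menc names without a GUID
    return dict(by_guid), other


# Constructed sample listing of a storage card (not from a real device).
SAMPLE = [
    r"\Storage Card\My Documents\budget.xls.{1B2C3D4E-0000-4AAA-8BBB-123456789ABC}.menc",
    r"\Storage Card\My Documents\q1.report.doc.1b2c3d4e-0000-4aaa-8bbb-123456789abc.MENC",
    r"\Storage Card\DCIM\photo.jpg.9F8E7D6C-1111-4CCC-9DDD-CBA987654321.menc",
    r"\Storage Card\notes.txt",
    r"\Storage Card\backup.menc",
]

if __name__ == "__main__":
    keyed, other = inventory(SAMPLE)
    print(f"collect from the device before any hard reset: {MASTER_KEY_PATH}")
    for guid, files in keyed.items():
        print(f"key GUID {guid}: {len(files)} encrypted file(s)")
        for path, orig in files:
            print(f"  {orig}  <-  {path}")
    print("not matching the .menc convention:", other)
```
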

[1] Windows Mobile 6 Storage Card Encryption FAQ
http://blogs.msdn.com/windowsmobile/archive/2007/03/26/windows-mobile-6-storage-card-encryption-faq.aspx
