Developer Tools From Microsoft

1
Developer Tools From Microsoft

• Forensic requirements

2
Windows Programming

• Events and messages
• Windows applications are event-driven
• Typical events
• keyboard, mouse, timer, and system-change (e.g.
  window size change) events
• Device drivers (where applicable) and Windows
  translate event into message
• Relevant window procedure processes message

3
(No Transcript)
4
Message flow

• Queued messages

5
Embedded Visual Tools 3.0

• Pocket PC
• Pocket PC 2002
• Smartphone 2002
• Win32
• MFC
• ATL

6
Embedded Visual Basic

• All Windows CE 3.0 based platforms
• Embedded Visual Basic

7
Embedded Visual C 4.0

• Windows CE .NET based platforms
• Win32
• MFC
• ATL

8
Visual Studio .NET 2003

• Pocket PC
• Pocket PC 2002
• Windows CE .NET based platforms
• .NET compact framework
• ASP .NET mobile controls

9
Choice of Tools

• Developers who want to build traditional GUI
  applications can choose between the
• Microsoft Win32 Application Programming
  Interface (API),
• The object-oriented approach of the Microsoft
  Foundation Class (MFC) library,
• The rich programming model and tool support for
  the .NET Compact Framework

10
Win32 API C/C

• Strengths
• Smallest and fastest .exe files and DLLs.
• Lowest memory overhead.
• Required for device drivers.
• Required for control panel applets.
• Required for shell extensions, such as the Today
  screen on Pocket PC, user interface skin,
  Software Input Panel, and so on.
• No runtime required

11
Win32 API C,C

• Weak Points
• Quirky API.
• Object cleanup is the responsibility of the
  application/driver programmer, making this API
  prone to memory leaks.
• Low-level API"the assembly language of
  Windows"with difficult to follow code
• Procedure-oriented API, not object-oriented.

12
MFC C

• Object-oriented. Inheritance, Encapsulation,
  Polymorphism
• Container classes support arrays, lists, object
  maps and simplify data handling.
• Type safety.
• Complete MFC source code ships with Embedded
  Visual Tools.
• Good tool support. A set of wizards assists in
  adding message handlers to windows, virtual
  functions, adding forms, and adding classes.

13
MFC C

• Object cleanup only semi-automatic, therefore
  less prone to memory leaks than Win32, but still
  vulnerable since MFC is thin wrapper on top of
  Win32.
• Size of runtime. The mfc300.dll build is 404 KB.

14
.NET Compact Framework (C and Microsoft Visual
Basic .NET)

• Strengths
• Well-designed programming interface.
• Object-oriented. Inheritance, Encapsulation,
  Polymorphism, also called function overloading.
• Container classes support arrays, lists,
  hashtables, dictionaries, and stacks.
• Type safety.
• Namespaces.
• Automatic garbage collection eliminates memory
  leaks.
• Portable machine instruction set, MSIL / CIL,
  provides binary portable of executable (.exe
  .dll) files.
• Web service clients are quick and easy to write.
• Support for handling XML.
• Tool supportIntegrated Forms Designer makes it
  easy to drag drop items from a toolbox code
  behind UI elements is automatically generated.

15
.NET Compact Framework

• Size of runtime -less than 2 MB.
• Overhead of calls between managed and unmanaged
  code is high.
• COM Interoperability somewhat clumsy. Requires
  writing Win32 wrappers that call the COM
  interface functions.

16
Summary

• All of the other APIs ultimately rely on the
  Win32 API.
• Any other tool that you use will end up calling
  Win32 functions to make the real work happen
• The Win32 API is the way to go for building the
  smallest software. Unlike MFC and the .NET
  Compact Framework, Win32 does not require a
  separate runtime to operate. Instead, the
  operating system itself is the runtime.

17
RAPI

• RAPI are a special set of APIs provided by
  Windows CE,using which a desktop application can
  communicate directly with the device.
• Each RAPI is a RemoteProcedureCall (RPC) in which
  the desktop application acts as a client and the
  Windows CE in the mobile device is the server.
• The four main functionalities provided by RAPI
  are
• Application calls
• Database calls
• File Operation calls
• Registry Operation calls

18
Using RAPI to Find Remote Files
We can initialise the RAPI subsystem by calling
CeRapiInit
Function called from interface of application
running on the desktop
void CRemoteFileAccessOnUpdateFileButton()
HRESULT hr CeRapiInit() if ( hr !
ERROR_SUCCESS ) return
Rapi permits desktop to act like a client
19
RAPI access
Create a structure to fill
typedef struct _CE_FIND_DATA DWORD
dwFileAttributes FILETIME ftCreationTime FILETIM
E ftLastWriteTime DWORD nFileSizeHigh
//0, unless the overall file size is
gtMAXDWORD DWORD nFileSizeLow //file
size in bytes DWORD dwOID //CE
Object Identifier for this file WCHAR
cFileNameMAX_PATH //Unicode file name
CE_FIND_DATA
20
RAPI
User interface sets this to true if creation time
required
DWORD dwFileAttributeFlags FAF_NAME if(
m_CreationTimerequest ) dwFileAttributeFlag
s FAF_CREATION_TIME if( m_LastWriteTimeReque
st ) dwFileAttributeFlags FAF_LASTWRITE_TIME
if( m_FoldersOnlyRequest )
dwFileAttributeFlags FAF_FOLDERS_ONLY if(
m_CEOID ) dwFileAttributeFlags FAF_OID
BOOL bOk CeFindAllFiles( (LPCWSTR)wszFileName
0,
dwFileAttributeFlag
s, dwFoundCount,

pFindDataArray ) if(!bOk )
return
Main Function
Return a list of _CE_FIND_DATA structs
21
RAPI
CeFindAllFiles() returned a pointer to a
dynamically allocated array of CE_FIND_DATA
structures
22
Forensic Analysis

• RAPI is a feature available for listing and
  gaining information from a Windows CE device
• It is a low level programming tool for developers
  
• Tools built for investigating devices could use
  this feature

23
Case Study

• In the next set of tutorials you should study the
  paper outlining the approach to a forensic
  investigation of a PDA which has cellular access
• Note the early shutting off of the cellular links
  so that the device does not alter from the time
  of the investigation
• Note the tools used

24
Conclusions

• Note the ways in which applications can
  communicated in the mobile area
• Note the file types and architectures of
  applications
• Note the major toolkits utilising J2me, .NET
• Note the operating systems available and problems
  this may produce in any investigation of mobile
  devices