Microsoft Surface RT

  

Re: Microsoft Surface RT

Post Posted: Mon Dec 03, 2012 11:22 am

- Pedro281
Apologies if you've already read it, but take a glance through this

technet.microsoft.com/...e.10).aspx

The backup can create a VHD file of the device to a USB drive. Ok, it's not forensically sound, and you won't get unallocated, but it would be a start. I believe it uses the existing shadow copies to write the backup

technet.microsoft.com/...ackup.aspx

Pedro281, I guess there has been a misunderstanding, those resources you posted about are NOT about the Surface (RT) tablet thingy, but about the confusingly named Surface 1.0 and 2.0 "software" (Windows Vista or 7 based):
technet.microsoft.com/...e.10).aspx


Surface

Microsoft Surface is a software platform that is ideal for any scenario in which multiple users want to interact with a single large form-factor device, similar to a wide-screen TV. The focus of Surface is on creating real connections—whether it's connecting customers with information and each other, or connecting a device made for Surface to other devices. Using only their fingers or objects, such as loyalty cards or game pieces like checkers, users interact with a high-end graphical display that can be used as a table, on the wall, or embedded in other fixtures or furniture.


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Microsoft Surface RT

Post Posted: Wed Dec 05, 2012 8:28 am

ahh, my bad.....

Pedro281
Member
 
 
  

Re: Microsoft Surface RT

Post Posted: Fri Dec 07, 2012 5:51 pm

- gilly_uk
Hey,
It hasn't taken long since the release of this tablet before we have had to respond to a security incident involving one. The only problem we have is making a forensic image of the device. We have secured the offending device and have purchased a test device to attempt a forensic copy of the device but so far we have failed.


Has anyone attempted and succeeded in creating a forensic image of the new Surface RT?

Regards

Gilly



Any luck with this? Any updates?

I haven't tried this, but, supposedly, you can boot Ubuntu 12.10 (with Secure Boot on).
https://wiki.ubuntu.com/QuantalQuetzal/ReleaseNotes/UbuntuDesktop

According to Ubuntu 12.10 documentation:

Ubuntu 12.10 is the first Ubuntu release to support UEFI Secure Boot, a standard for controlling what software can be run on a computer. Supporting Secure Boot, a part of the Windows 8 certification requirements for client systems, ensures that Ubuntu will continue to provide an "it just works" experience on new hardware.

Due to time pressures, only some flavors released with 12.10 will install and boot on Secure Boot hardware:

Ubuntu desktop
Ubuntu server
Edubuntu
We expect to enable all other flavors in 13.04.

(https://wiki.ubuntu.com/QuantalQuetzal/ReleaseNotes/UbuntuDesktop#QuantalQuetzal.2BAC8-ReleaseNotes.2BAC8-CommonInfrastructure.Secure_Boot)

Might be worth a try to boot a live Ubuntu 12.10 USB thumb and run "dd" to image the subject media (if you can successfully boot to the live Ubuntu 12.10 desktop).

Additionally: make sure you use a large USB thumb drive - perhaps a 64GB. Then, when you create your live USB thumb, make sure to create a "storage" partition to store the DD image to. (Be sure to do a forensic wipe of the 64 GB USB thumb FIRST & document it)

- (Again, I have not tried this, so forgive me if I'm wrong. Just a thought.) -

IF you are successful at imaging the Surface tablet - Let us know.
(Also, not sure if you need this, but I found this nicely written guide about Windows 8 Forensics: http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-8-forensic-guide2.pdf - Written by Amanda C. F. Thomson, M.F.S. Candidate, Advised by Eva Vincze, PhD, The George Washington University, Washington, D.C.)

PaperClip_CCE
Newbie
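
The dd workflow suggested in the post above, as an added example that is not from the thread or any of its participants: it checks that the destination reads as all zeros before use, images the source with dd, and logs SHA-256 hashes of source and image. The function names and paths are assumptions, and it presumes a live Linux environment that actually boots on the device.

```shell
#!/bin/sh
# Added example. Function names and paths are hypothetical; regular files
# can stand in for block devices when trying it out.

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# True only if every byte read from $1 is 0x00, i.e. the destination
# drive was zero-wiped before being prepared for evidence storage.
is_wiped() {
    [ "$(tr -d '\000' < "$1" | head -c 1 | wc -c)" -eq 0 ]
}

# acquire SRC IMG LOG: copy SRC to IMG, hash both sides, append a record to LOG.
# Returns 0 only when the image hash matches the source hash.
acquire() {
    src=$1; img=$2; log=$3
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing image: $img" >&2
        return 2
    fi
    {
        echo "start:  $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $src"
    } >> "$log"
    # No conv=noerror here: a read error aborts the run instead of
    # silently producing an image that differs from the source.
    dd if="$src" of="$img" bs=4194304 2>> "$log" || return 1
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    {
        echo "sha256(source): $src_hash"
        echo "sha256(image):  $img_hash"
        echo "end:    $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } >> "$log"
    [ "$src_hash" = "$img_hash" ]
}
```

On a live system, is_wiped would be run against the raw thumb drive before it is partitioned, and acquire against the subject device with the image and log written to the storage partition.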
 
 
  

Re: Microsoft Surface RT

Post Posted: Fri Dec 07, 2012 6:18 pm

@PaperClip_CCE

The Surface does NOT run Windows 8, it runs Windows RT.

It is NOT an i386 platform, it is an ARM one, for all the info there are, ONLY Windows RT can currently boot on that device, it uses Secure Boot, but it seems like it additionally has a "locked" certificate.

See:
superuser.com/question...rnative-os

On a "generic" Secure Boot enabled hardware, that can have certificates added, Ubuntu will most probably boot, and surely before or later *some* way to by-pass this MS limitation will be found out, but right now it seems like not possible.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Microsoft Surface RT

Post Posted: Fri Dec 07, 2012 7:58 pm

- jaclaz
@PaperClip_CCE

The Surface does NOT run Windows 8, it runs Windows RT.

It is NOT an i386 platform, it is an ARM one, for all the info there are, ONLY Windows RT can currently boot on that device, it uses Secure Boot, but it seems like it additionally has a "locked" certificate.

See:
superuser.com/question...rnative-os

On a "generic" Secure Boot enabled hardware, that can have certificates added, Ubuntu will most probably boot, and surely before or later *some* way to by-pass this MS limitation will be found out, but right now it seems like not possible.

jaclaz


Thanks jaclaz.
I'm aware of this fact. (Forgive me, I should have been clear on that)
I would assume that most people on this forum would know the difference between the Surface running Windows RT (which is locked) with an ARM Cortex-A9, and the Windows 8 Pro model. I should have been clear.

(Again, none of this I have actually tried. Just thinking of possibilities - just trying to help)

Additionally:
Ubuntu 12.10 has a "Texas Instruments OMAP4 (Hard-Float) desktop image" that COULD possibly work:
http://releases.ubuntu.com/quantal/
That version works with ARM Cortex-A9:
https://wiki.ubuntu.com/ARM/OmapDesktopInstall

But if the RT machine is locked via cert requirements.... who knows.

One more thing:
I called EnCase tech support & asked about this. They told me this was a "Pending Request" to have implemented as a feature in (perhaps) future versions of EnCase.

I'm really curious to see how this issue gets resolved.  

PaperClip_CCE
Newbie
 
 
  

Re: Microsoft Surface RT

Post Posted: Sat Dec 08, 2012 4:39 am

- PaperClip_CCE

I'm aware of this fact. (Forgive me, I should have been clear on that)
I would assume that most people on this forum would know the difference between the Surface running Windows RT (which is locked) with an ARM Cortex-A9, and the Windows 8 Pro model. I should have been clear.


Yep, but the topic is about the RT, the Pro version has only been announced at the moment.

From all the info around it seems like the Surface RT is "strictly" locked to Windows RT (and it is very likely that the Surface Pro will be "strictly" locked to Windows 8).

The situation of different manufacturer's tablets (still running RT or 8 ) is likely to be more "open" and undoubtedly before or later someone will find a way to boot to them some alternate OS and/or to image BOTH the non MS and the MS ones.

Right now it seems like the only option is to open the thingy and get to the storage with "mechanical" means, though it is not seemingly "easy-peasy":
www.ifixit.com/Teardow...wn/11275/1
www.techrepublic.com/p...w-selector
but even once you have it open reading the Samsung chip contents may not be easy.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Microsoft Surface RT

Post Posted: Sat Dec 08, 2012 8:26 am

I think those TechNet documents relate to the old Microsoft Surface, which was a massive table that you could pass documents around on.

gilly_uk
Member
 
 