Good day all,
I currently have a MS Surface Pro 3 tablet that is password protected and I need to acquire. I did find another posting here (http://www.forensicfocus.com/Forums/viewtopic/t=12716/) with instructions on how to create a WinPE boot disk and do it that way. I followed all the instructions and was able to create my drive, however the issue I'm running into is when I'm booted into the CMD of the tablet and try to assign a drive letter to my boot disk I keep getting this error: "Assigning or removing drive letters on the current boot or pagefile volume is not allowed". Now I've tested this in a VM environment without issues, so I'm not sure what might be the trouble. If anyone has had luck acquiring a Surface Pro and could lend a hand, it would be greatly appreciated.
Thanks
Try
You might find that once booted to DEFT, for example, you will be able to preview the data using File Manager (mount the Surface Pro drive as Read Only) and then be able to get to the evidence you need, image it with Guymager, etc.
As long as the whole Surface Pro drive contents are not encrypted by the password you are encountering, you should be fine.
Regards,
Larry
Essentially, the whole idea of booting a WinFE is to prevent (the otherwise default behaviour in "normal" PEs) the mounting of the disk (the whole disk), as this process may (in some cases) alter the disk signature.
The (internal) disk is then not accessed by the Mount Manager; on a WinFE 5, depending on SanPolicy settings, it can also be kept "offline":
http//
https://
http//
Assigning a drive letter to any volume of the disk is of course out of the question.
But it is still accessible as \\.\PhysicalDrive object, so it can be imaged alright.
jaclaz
I guess the big thing for me is being able to access Encase imager on the root of one of the partitions on my USB drive. The only way I see the drive is through diskpart.
> I guess the big thing for me is being able to access Encase imager on the root of one of the partitions on my USB drive. The only way I see the drive is through diskpart.
That may depend on the specific device (Fixed vs. Removable, or if you prefer, a USB hard disk may behave differently from a USB stick, since all hard disks are "Fixed" while most USB sticks are "Removable") and on the specific settings you have in your WinFE; do READ the given thread
http//
provided that you have in your hands (as it is likely since you are talking of a Surface Pro 3) a WinFE 5.0 or 5.1
In any case what is preventing you from adding the imaging tool to the winFE build, i.e. on the same volume the WinFE boots from, that does have a drive letter anyway?
jaclaz
Before I forget, here
https://
is a nice .pdf
https://
where the acquisition of a Surface Pro (not 3) is detailed.
jaclaz
The problem with imaging a Surface Pro may have little to do with actually imaging the device (booting from an external USB flash drive and running an imaging tool is usually sufficient). The actual problem could have to do with BitLocker encryption. If the suspect used their Microsoft Account as an administrative account on the Surface Pro, then the entire C partition will be encrypted with BitLocker. If this is the case, you will need to unlock this partition before imaging the disk. Unlocking a BitLocker partition is possible by accessing https://
Alternatively, if you have a memory dump (RAM dump) of that tablet that was captured while the disk was unlocked, you can extract BitLocker binary decryption keys from that memory dump, and use those keys to mount the encrypted partition (e.g. with https://
> If the suspect used their Microsoft Account as an administrative account on the Surface Pro, then the entire C partition will be encrypted with BitLocker. If this is the case, you will need to unlock this partition before imaging the disk.
Or image it "as is" and decrypt it later; this approach has been reported as working here:
http://www.forensicfocus.com/Forums/viewtopic/t=12904/
or maybe that only works for 7 and not for 8/8.1?
jaclaz
I don't see why it wouldn't work like that *providing* that the correct Recovery Key is available (which is not always the case). Generally speaking, if a RAM dump is available (and was taken while the tablet was in an unlocked state), one can extract the binary decryption keys out of it, and use them to mount the encrypted volume later on.
Good ) .
To sum up, if one has the BitLocker recovery key, TWO alternative approaches are possible:
- unencrypt the disk and then image it
- image it "as is" and later decrypt the image
If one does NOT have the key, the only possible way is to acquire the decryption key from a memory dump (provided that the machine has been found and seized when On AND unlocked, as if locked a Firewire attack is not possible on the Surface since it has no Firewire ports) or - possibly - finding it in the hiberfil.sys (if the machine was found Off AND hibernation had been used AND the volume had been mounted at hibernation time).
jaclaz
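Whichever of the two routes above is taken, the examiner first needs to know whether the volume that was imaged "as is" (from the \\.\PhysicalDrive object, as mentioned earlier in the thread) is actually BitLocker-encrypted, so that the raw image is not mistaken for a damaged NTFS volume. The following is an added example, not code from any poster or tool in this thread: it walks the MBR or GPT partition table of a raw image and classifies each volume's boot sector by its OEM ID, where BitLocker writes "-FVE-FS-" in place of the normal file-system name. The sample images are constructed in memory (the partition layout, GUIDs and the "Evidence" name are invented for the demo), so it runs offline; on a real image you would pass the file contents, or the first sectors read from the physical drive, instead.

```python
"""Triage the partition table of a raw disk image and flag BitLocker volumes.

Added example for the thread above; the sample images are constructed here and
are not from a real Surface Pro. Only the primary GPT and the classic MBR are
parsed, and only the volume OEM ID at offset 3 is checked.
"""
import struct

SECTOR = 512
BITLOCKER_OEM = b"-FVE-FS-"   # OEM ID BitLocker writes into the volume boot record
NTFS_OEM = b"NTFS    "
GPT_SIGNATURE = b"EFI PART"   # signature at the start of the GPT header (LBA 1)


def classify_vbr(sector: bytes) -> str:
    """Classify a volume boot record by its OEM ID / file-system signatures."""
    if len(sector) < SECTOR:
        return "unknown"
    oem = sector[3:11]
    if oem == BITLOCKER_OEM:
        return "bitlocker"
    if oem == NTFS_OEM:
        return "ntfs"
    if oem == b"EXFAT   ":
        return "exfat"
    if sector[82:90] == b"FAT32   " or sector[54:59] in (b"FAT12", b"FAT16"):
        return "fat"
    return "unknown"


def parse_mbr(sector0: bytes):
    """Return (type_byte, first_lba, sector_count) for each used MBR table entry."""
    if sector0[510:512] != b"\x55\xaa":
        return []
    entries = []
    for i in range(4):
        e = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = e[4]
        first_lba, count = struct.unpack("<II", e[8:16])
        if ptype != 0 and count != 0:
            entries.append((ptype, first_lba, count))
    return entries


def parse_gpt(image: bytes):
    """Return (first_lba, last_lba, name) for each used entry of the primary GPT."""
    hdr = image[SECTOR: 2 * SECTOR]
    if hdr[0:8] != GPT_SIGNATURE:
        return []
    entries_lba, n_entries, entry_size = struct.unpack("<QII", hdr[72:88])
    out = []
    for i in range(n_entries):
        off = entries_lba * SECTOR + i * entry_size
        e = image[off: off + entry_size]
        if len(e) < 128 or e[0:16] == b"\x00" * 16:   # all-zero type GUID = unused
            continue
        first, last = struct.unpack("<QQ", e[32:48])
        name = e[56:128].decode("utf-16-le", "ignore").rstrip("\x00")
        out.append((first, last, name))
    return out


def triage(image: bytes):
    """Walk the partition table(s) and classify the first sector of each volume."""
    mbr = parse_mbr(image[:SECTOR])
    results = []
    if any(ptype == 0xEE for ptype, _, _ in mbr):          # protective MBR => GPT disk
        for first, last, name in parse_gpt(image):
            vbr = image[first * SECTOR: (first + 1) * SECTOR]
            results.append({"scheme": "gpt", "name": name, "first_lba": first,
                            "fs": classify_vbr(vbr)})
    else:
        for ptype, first, count in mbr:
            vbr = image[first * SECTOR: (first + 1) * SECTOR]
            results.append({"scheme": "mbr", "type": ptype, "first_lba": first,
                            "fs": classify_vbr(vbr)})
    return results


def build_sample_gpt_image() -> bytes:
    """Constructed sample: protective MBR, GPT with one partition at LBA 34-41
    whose boot sector carries the BitLocker OEM ID (GUIDs are dummy values)."""
    img = bytearray(42 * SECTOR)
    img[446:462] = bytes([0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF]) + struct.pack("<II", 1, 41)
    img[510:512] = b"\x55\xaa"
    hdr = bytearray(SECTOR)
    hdr[0:8] = GPT_SIGNATURE
    hdr[72:88] = struct.pack("<QII", 2, 1, 128)           # entries at LBA 2, 1 x 128 bytes
    img[SECTOR:2 * SECTOR] = hdr
    ent = bytearray(128)
    ent[0:16] = bytes(range(1, 17))                       # dummy type GUID
    ent[16:32] = bytes(range(17, 33))                     # dummy unique GUID
    ent[32:48] = struct.pack("<QQ", 34, 41)
    name = "Evidence".encode("utf-16-le")
    ent[56:56 + len(name)] = name
    img[2 * SECTOR:2 * SECTOR + 128] = ent
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x58\x90"
    vbr[3:11] = BITLOCKER_OEM
    vbr[510:512] = b"\x55\xaa"
    img[34 * SECTOR:35 * SECTOR] = vbr
    return bytes(img)


def build_sample_mbr_image() -> bytes:
    """Constructed sample: classic MBR with one NTFS (type 0x07) partition at LBA 8."""
    img = bytearray(16 * SECTOR)
    img[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 8, 8)
    img[510:512] = b"\x55\xaa"
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x52\x90"
    vbr[3:11] = NTFS_OEM
    vbr[510:512] = b"\x55\xaa"
    img[8 * SECTOR:9 * SECTOR] = vbr
    return bytes(img)


if __name__ == "__main__":
    for label, img in (("gpt", build_sample_gpt_image()), ("mbr", build_sample_mbr_image())):
        print(label, triage(img))
```

A volume reported as "bitlocker" is the case the thread discusses: either unlock it with the recovery key before acquisition, or image it raw and decrypt the image later; a volume reported as "ntfs" can go straight to the imaging tool. The check only looks at the OEM ID, so a BitLocker To Go volume (which keeps a FAT-style OEM ID) would not be flagged by it.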