Surface Pro Acquisition

11 Posts
4 Users
0 Likes
1,902 Views
(@beardedtux)
Posts: 2
New Member
Topic starter
 

Good day all,

I currently have a MS Surface Pro 3 tablet that is password protected and I need to acquire. I did find another posting here (http://www.forensicfocus.com/Forums/viewtopic/t=12716/) with instructions on how to create a WinPE boot disk and do it that way. I followed all the instructions and was able to create my drive, however the issue I'm running into is when I'm booted into the CMD of the tablet and try and assign a drive letter to my boot disk I keep getting this error "Assigning or removing drive letters on the current boot or pagefile volume is not allowed". Now I've tested this in a VM environment without issues, so I'm not sure what might be the trouble. If anyone has had luck acquiring a Surface Pro and could lend a hand, it would be greatly appreciated.

Thanks

 
Posted : 16/04/2015 6:49 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Try

www.deftlinux.com
www.caine-live.net
sumuri.com/product-category/paladin/

You might find that once booted to DEFT, for example, you will be able to preview the data using File Manager (mount the Surface Pro drive as Read Only) and then be able to get to the evidence you need, image it with Guymager, etc.

As long as the whole Surface Pro drive contents are not encrypted by the password you are encountering, you should be fine.

Regards,

Larry

 
Posted : 16/04/2015 7:38 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Essentially, the whole idea of booting a WinFE is to prevent (the otherwise default behaviour in "normal" PE's ) the mounting of the disk (the whole disk) as this process may (in some cases) alter the disk signature.

The (internal) disk is then not accessed by the Mount Manager, on a WinFE 5, depending on SanPolicy settings, it can also be kept "offline"
http://reboot.pro/topic/19687-winfe-sanpolicy-and-noautomount-combinations/
https://technet.microsoft.com/en-us/library/hh825063.aspx
http://www.forensicswiki.org/wiki/WinFE
assigning a drive letter to any volume of the disk is of course out of question.

But it is still accessible as \\.\PhysicalDrive object, so it can be imaged alright.

jaclaz

 
Posted : 16/04/2015 10:31 pm
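The point made in the post above is that a WinFE boot deliberately gives the internal disk no drive letter, yet the disk stays reachable as a raw \\.\PhysicalDrive object and can be imaged from there. The script below is an added example written for this thread; it is not code from any of the posters or from the tools they name. It reads a device (or any file) in sector-aligned chunks, writes a raw image, hashes the data as it streams past, zero-fills unreadable chunks so later offsets stay correct, and re-hashes the finished image as a verification pass. The device path `\\.\PhysicalDrive1` in the usage comment is an assumption: take the disk number from diskpart's `list disk`, run from an elevated prompt, and, for a device whose end is reported as a read error rather than an EOF, pass its size in bytes so the imager knows where to stop.

```python
r"""Image a raw block device (or any file) chunk by chunk while hashing it.

Added example for this thread, not code from any poster or tool mentioned.
The device path \\.\PhysicalDrive1 used in the usage line is an assumption;
raw device reads on Windows must be sector aligned, which a 1 MiB chunk
(a multiple of both 512 and 4096) satisfies. No drive letter is needed.
"""
import hashlib
import sys

CHUNK = 1024 * 1024       # 1 MiB keeps raw device reads sector aligned
MAX_CONSECUTIVE_BAD = 8   # stop guessing at the end of a device of unknown size


def image_device(src_path, dst_path, chunk=CHUNK, size=None):
    """Copy src_path to dst_path; return byte count, MD5, SHA-256 and bad offsets.

    Unreadable chunks are zero-filled in the output so that every later offset
    stays correct, and their offsets are recorded. Pass `size` (bytes) when
    imaging a device whose end shows up as a read error instead of an EOF.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    bad_offsets = []
    consecutive_bad = 0
    offset = 0
    with open(src_path, "rb", buffering=0) as src, open(dst_path, "wb") as dst:
        while size is None or offset < size:
            want = chunk if size is None else min(chunk, size - offset)
            try:
                src.seek(offset)          # re-seek so a failed read cannot skew the position
                data = src.read(want)
                consecutive_bad = 0
            except OSError:
                consecutive_bad += 1
                if size is None and consecutive_bad > MAX_CONSECUTIVE_BAD:
                    break                 # most likely ran past the end of the device
                bad_offsets.append(offset)
                data = b"\x00" * want     # substitute zeros for the unreadable range
            if not data:
                break                     # EOF on a regular file
            dst.write(data)
            md5.update(data)
            sha256.update(data)
            offset += len(data)
    return {
        "bytes": offset,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
        "bad_offsets": bad_offsets,
    }


def hash_file(path, chunk=CHUNK):
    """Re-hash a finished image for the verification pass; returns (md5, sha256)."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


if __name__ == "__main__":
    # Usage (assumed paths): python image_device.py \\.\PhysicalDrive1 E:\case\surface.dd [size_in_bytes]
    src, dst = sys.argv[1], sys.argv[2]
    size = int(sys.argv[3]) if len(sys.argv) > 3 else None
    result = image_device(src, dst, size=size)
    print(result)
    verified = hash_file(dst) == (result["md5"], result["sha256"])
    print("verification pass:", "OK" if verified else "MISMATCH")
```

Without an explicit size, the imager can only infer the end of a raw device from a run of failed reads, so up to `MAX_CONSECUTIVE_BAD` trailing zero chunks may be appended and listed in `bad_offsets`; supplying the size from the disk's reported geometry avoids that, and the recorded hashes should be written to the case notes beside the verification result.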
(@beardedtux)
Posts: 2
New Member
Topic starter
 

I guess the big thing for me is being able to access Encase imager on the root of one of the partitions on my USB drive. The only way I see the drive is through diskpart.

 
Posted : 20/04/2015 6:46 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I guess the big thing for me is being able to access Encase imager on the root of one of the partitions on my USB drive. The only way I see the drive is through diskpart.

That may depend on the specific device (Fixed vs. Removable, or if you prefer a USB hard disk may behave differently from a USB stick, since all hard disks are "Fixed" while most USB sticks are "Removable") and on the specific settings you have in your WinFE, do READ the given thread
http://reboot.pro/topic/19687-winfe-sanpolicy-and-noautomount-combinations/

provided that you have in your hands (as it is likely since you are talking of a Surface Pro 3) a WinFE 5.0 or 5.1

In any case what is preventing you from adding the imaging tool to the winFE build, i.e. on the same volume the WinFE boots from, that does have a drive letter anyway?

jaclaz

 
Posted : 21/04/2015 12:33 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Before I forget, here
https://winfe.wordpress.com/2014/10/16/image-a-surface-pro-using-bootable-uefi-winfe/
is a nice .pdf
https://winfe.files.wordpress.com/2014/10/image-a-surface-pro-using-bootable-uefi-winfe1.pdf
where the acquisition of a Surface Pro (not 3) is detailed.

jaclaz

 
Posted : 22/04/2015 9:42 pm
(@v-katalov)
Posts: 52
Trusted Member
 

The problem with imaging Surface Pro may have little to do with actually imaging the device (booting from an external USB flash and running an imaging tool is usually sufficient). The actual problem could have to do with BitLocker encryption. If the suspect used their Microsoft Account as an administrative account on the Surface Pro, then the entire C partition will be encrypted with BitLocker. If this is the case, you will need to unlock this partition before imaging the disk. Unlocking a BitLocker partition is possible by accessing https://onedrive.live.com/recoverykey or following instructions outlined in http://windows.microsoft.com/en-us/windows-8/bitlocker-recovery-keys-faq

Alternatively, if you have a memory dump (RAM dump) of that tablet that was captured while the disk was unlocked, you can extract BitLocker binary decryption keys from that memory dump, and use those keys to mount the encrypted partition (e.g. with https://www.elcomsoft.com/efdd.html ). This, by the way, is the very reason for capturing memory dumps before imaging the device.

 
Posted : 07/05/2015 3:18 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

If the suspect used their Microsoft Account as an administrative account on the Surface Pro, then the entire C partition will be encrypted with BitLocker. If this is the case, you will need to unlock this partition before imaging the disk.

Or image it "as is" and decrypt it later, this approach has been reported as working here
http://www.forensicfocus.com/Forums/viewtopic/t=12904/
or maybe that only works for 7 and not for 8/8.1? ?

jaclaz

 
Posted : 07/05/2015 7:25 pm
(@v-katalov)
Posts: 52
Trusted Member
 

I don't see why it wouldn't work like that *providing* that the correct Recovery Key is available (which is not always the case). Generally speaking, if a RAM dump is available (and was taken while the tablet was in an unlocked state), one can extract the binary decryption keys out of it, and use them to mount the encrypted volume later on.

 
Posted : 08/05/2015 1:20 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Good ) .
To sum up, if one has the Bitlocker recovery key TWO alternative approaches are possible

  1. unencrypting the disk and then imaging it
  2. imaging it "as is" and later decrypting the image

If one has NOT the key, the only possible way is to acquire the decryption key from a memory dump (provided that the machine has been found and seized when On AND unlocked, as if locked a Firewire attack is not possible on the Surface as it has no Firewire ports) or - possibly - finding it in the hiberfil.sys (if the machine was found Off AND hibernation had been used AND the volume had been mounted at hibernation time).

jaclaz

 
Posted : 08/05/2015 6:17 pm
Page 1 / 2