Microsoft Surface RT
Posted: Fri Nov 30, 2012 3:26 pm
Hey,
It hasn't taken long since the release of this tablet before we have had to respond to a security incident involving one. The only problem we have is making a forensic image of the device. We have secured the offending device and have purchased a test device to attempt a forensic copy of the device but so far we have failed.
Has anyone attempted and succeeded in creating a forensic image of the new Surface RT?
Regards
Gilly
-
gilly_uk - Member
Re: Microsoft Surface RT
Posted: Sat Dec 01, 2012 7:06 pm
I just looked at the iFixit teardown for it.
I thought it had an SSD but it's just some Samsung NAND flash chips soldered onto the board
www.ifixit.com/Teardow...wn/11275/2
I'd like to find out how you'd do it too
so my suggestions are as follows:
if you have access to a Cellebrite, find out if they support it yet
or the more reasonable option, get a copy of Windows 8, put it on a USB or portable hard disk and then try to boot into it from the Surface (if that's possible). I don't think any of the other live CDs will work because as of Windows 8 you need a signed OS
last resort is always boot it up, document the process and live acquisition I guess.
-

randomaccess - Senior Member
Re: Microsoft Surface RT
Posted: Sun Dec 02, 2012 7:49 am
- randomaccess
... or the more reasonable option, get a copy of windows 8 ...
My guess is that a copy of Windows 8 RT would be needed, and I don't think that you can find one copy in the shop round the corner..., but once you have one you would also need to find some compatible hardware to test it, find a way to boot it from USB, and verify that it doesn't write to the target device storage when booting, find a way to add to it a dd-like tool (as Windows RT supposedly can only use apps that come from the Windows store) etc., etc.
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-

jaclaz - Senior Member
Re: Microsoft Surface RT
Posted: Mon Dec 03, 2012 2:59 am
Thanks for the ideas, I'll give the Windows 8 boot USB a try.
The only way it seems so far to get into the recovery mode of the device is to use a recovery USB created from the Surface.
If there is a way to image the device and it leaves a trace, we would just have to say this in our report: that due to the device the only way to image it was to make the following changes, and just hope it's accepted.
P.S. Does anyone know if corporations like Microsoft, Apple and Samsung etc. have to provide law enforcement/government with a way to image these devices in the event of a legal event using one of said devices.
-
gilly_uk - Member
Re: Microsoft Surface RT
Posted: Mon Dec 03, 2012 4:12 am
I don't think they have to do anything
but there's probably a contact you could find to ask questions
how would you go about determining that you haven't left any remnants?
I'm guessing you can't just image it twice, because the time on the device would be constantly changing and the EFI is stored on the NAND... unless I'm wrong, but then testing is in order
I don't think they've started selling the Surface down in Aus yet so haven't had a chance to play with it
-

randomaccess - Senior Member
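The "image it twice and see what changed" check that randomaccess raises above, and jaclaz's earlier point about verifying that a boot medium does not write to the target storage, both come down to the same measurement: hash two acquisitions and, when the hashes differ, locate exactly which byte ranges changed so they can be explained in the report (timestamps, logs, registry hives) rather than hand-waved. The following is an added example, not code from this thread or from any tool mentioned in it. It compares two raw images at an assumed 4 KiB block granularity and runs on constructed in-memory sample data.

```python
import hashlib
import io
from typing import BinaryIO, Iterable, Iterator, List, Tuple

# Assumed comparison granularity. 4 KiB matches the common NTFS cluster size,
# so a reported range maps naturally onto clusters when it is looked up later.
BLOCK_SIZE = 4096


def sha256_stream(stream: BinaryIO) -> str:
    """SHA-256 of a whole image, read in 1 MiB chunks so large images need little memory."""
    digest = hashlib.sha256()
    stream.seek(0)
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        digest.update(chunk)
    return digest.hexdigest()


def changed_blocks(first: BinaryIO, second: BinaryIO,
                   block_size: int = BLOCK_SIZE) -> Iterator[int]:
    """Yield the byte offset of every block that differs between two images.

    If one image is shorter, every block past its end counts as changed, so a
    truncated second acquisition is reported instead of silently ignored.
    """
    first.seek(0)
    second.seek(0)
    offset = 0
    while True:
        a = first.read(block_size)
        b = second.read(block_size)
        if not a and not b:
            return
        if a != b:
            yield offset
        offset += block_size


def coalesce(offsets: Iterable[int],
             block_size: int = BLOCK_SIZE) -> List[Tuple[int, int]]:
    """Merge runs of adjacent changed blocks into (start, end_exclusive) byte ranges."""
    ranges: List[List[int]] = []
    for offset in offsets:
        if ranges and ranges[-1][1] == offset:
            ranges[-1][1] = offset + block_size
        else:
            ranges.append([offset, offset + block_size])
    return [(start, end) for start, end in ranges]


def compare_images(first: BinaryIO, second: BinaryIO,
                   block_size: int = BLOCK_SIZE) -> dict:
    """Hash both images and, if they differ, report exactly which byte ranges changed."""
    first_hash = sha256_stream(first)
    second_hash = sha256_stream(second)
    ranges = coalesce(changed_blocks(first, second, block_size), block_size)
    return {
        "sha256_first": first_hash,
        "sha256_second": second_hash,
        "identical": first_hash == second_hash,
        "changed_ranges": ranges,
        "changed_bytes": sum(end - start for start, end in ranges),
    }


def compare_bytes(first: bytes, second: bytes,
                  block_size: int = BLOCK_SIZE) -> dict:
    """Convenience wrapper for images already held in memory (e.g. test data)."""
    return compare_images(io.BytesIO(first), io.BytesIO(second), block_size)


def demo() -> dict:
    """Constructed sample: a 16-block 'before' image and an 'after' image in which one
    byte in block 3 (think: a timestamp field) and all of blocks 8-9 were rewritten."""
    before = bytes(16 * BLOCK_SIZE)
    after = bytearray(before)
    after[3 * BLOCK_SIZE + 100] ^= 0xFF
    after[8 * BLOCK_SIZE:10 * BLOCK_SIZE] = b"\xAA" * (2 * BLOCK_SIZE)
    return compare_bytes(before, bytes(after))


if __name__ == "__main__":
    result = demo()
    print("identical:", result["identical"])
    for start, end in result["changed_ranges"]:
        print(f"changed: 0x{start:08x}-0x{end:08x} ({end - start} bytes)")
```

On real acquisitions, open the two raw image files and pass them to `compare_images`; the changed ranges can then be mapped back to file system structures with the usual tools to name what the boot actually touched, which is the evidence a report needs when a non-write-blocked procedure is the only option.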
Re: Microsoft Surface RT
Posted: Mon Dec 03, 2012 4:22 am
- gilly_uk
Thanks for the ideas, I'll give the Windows 8 boot USB a try.
The only way it seems so far to get into the recovery mode of the device is to use a recovery USB created from the Surface.
I think that you should try that on *another* specimen of the Surface, hard as it can be to find one.
I mean, there is really no (yet) data/documents/reports/*anything* about the thingy, for all we know the "new, improved" user experience may well include an *automagic* "wipe before re-installing as factory" feature.
- gilly_uk
If there is a way to image the device and it leaves a trace, we would just have to say this in our report: that due to the device the only way to image it was to make the following changes, and just hope it's accepted.
IMHO this is - depending on the nature of the case - acceptable collateral damage, in any case such a procedure "subtracts" data, it cannot "create" evidence.
I mean, booting the thingy may delete or overwrite a few files, or change their access dates, it won't ever materialize a CP image or the map of the bank's caveau that wasn't there...
- gilly_uk
P.S. Does anyone know if corporations like Microsoft, Apple and Samsung etc. have to provide law enforcement/government with a way to image these devices in the event of a legal event using one of said devices.
Cannot say, but it "sounds" something like the US Government may require under the Patriot Act or something like that, not something that the EU would impose.
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-

jaclaz - Senior Member
Re: Microsoft Surface RT
Posted: Mon Dec 03, 2012 9:54 am
Apologies if you've already read it, but take a glance through this
technet.microsoft.com/...e.10).aspx
The backup can create a VHD file of the device to a USB drive. OK, it's not forensically sound, and you won't get unallocated, but it would be a start. I believe it uses the existing shadow copies to write the backup.
technet.microsoft.com/...ackup.aspx
-

Pedro281 - Member
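Pedro281's suggestion of a Windows backup VHD raises the practical question of what you actually receive on the USB drive. The following added example (not code from the thread or from Microsoft) decodes the 512-byte footer that every VHD ends with, verifies its checksum, and reports whether the file is a fixed VHD (raw sectors followed by the footer, so the payload can be hashed and examined as an image) or a dynamic/differencing one, which needs a VHD-aware tool. The builder function exists only to construct sample input; its "exmp" creator tag and the 16 heads by 63 sectors geometry are assumptions, not values from any real product.

```python
import struct
from datetime import datetime, timedelta, timezone

VHD_FOOTER_SIZE = 512
VHD_COOKIE = b"conectix"
# VHD timestamps count seconds from midnight UTC on 1 January 2000.
VHD_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)
DISK_TYPES = {0: "none", 2: "fixed", 3: "dynamic", 4: "differencing"}
# Layout of the 60 bytes after the cookie (big-endian): features, format version,
# data offset, timestamp, creator app, creator version, creator host OS,
# original size, current size, geometry, disk type, checksum.
FOOTER_FIELDS = ">IIQI4sI4sQQIII"


def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum of the footer with the checksum field (bytes 64..67) zeroed."""
    total = sum(footer[:64]) + sum(footer[68:])
    return (~total) & 0xFFFFFFFF


def parse_vhd_footer(footer: bytes) -> dict:
    """Decode a 512-byte VHD footer and verify its checksum."""
    if len(footer) != VHD_FOOTER_SIZE:
        raise ValueError("VHD footer must be exactly 512 bytes")
    if footer[:8] != VHD_COOKIE:
        raise ValueError("not a VHD footer: cookie mismatch")
    (features, version, data_offset, timestamp, creator_app, creator_ver,
     creator_os, original_size, current_size, geometry, disk_type,
     checksum) = struct.unpack(FOOTER_FIELDS, footer[8:68])
    return {
        "format_version": f"{version >> 16}.{version & 0xFFFF}",
        "disk_type": DISK_TYPES.get(disk_type, f"unknown({disk_type})"),
        # Only a fixed VHD is a plain sector image with the footer appended.
        "is_raw_image": disk_type == 2,
        "data_offset": data_offset,
        "created": VHD_EPOCH + timedelta(seconds=timestamp),
        "creator_app": creator_app.decode("ascii", "replace"),
        "creator_os": creator_os.decode("ascii", "replace"),
        "original_size": original_size,
        "current_size": current_size,
        # Cylinders, heads, sectors per track.
        "geometry": (geometry >> 16, (geometry >> 8) & 0xFF, geometry & 0xFF),
        "uuid": footer[68:84].hex(),
        "saved_state": footer[84] == 1,
        "checksum_ok": checksum == vhd_checksum(footer),
    }


def inspect_vhd_bytes(data: bytes) -> dict:
    """Parse the footer that occupies the last 512 bytes of a VHD file."""
    if len(data) < VHD_FOOTER_SIZE:
        raise ValueError("file too small to contain a VHD footer")
    return parse_vhd_footer(data[-VHD_FOOTER_SIZE:])


def build_vhd_footer(current_size: int, disk_type: int = 2,
                     created: datetime = VHD_EPOCH) -> bytes:
    """Construct a valid footer; used here only to produce sample input for the parser.
    The 16 x 63 geometry and the 'exmp' creator tag are assumptions for the sample."""
    sectors = current_size // 512
    cylinders = sectors // (16 * 63)
    geometry = (cylinders << 16) | (16 << 8) | 63
    timestamp = int((created - VHD_EPOCH).total_seconds())
    # A fixed VHD stores all-ones here; a dynamic one points at its header after the leading footer copy.
    data_offset = 0xFFFFFFFFFFFFFFFF if disk_type == 2 else VHD_FOOTER_SIZE
    body = struct.pack(FOOTER_FIELDS, 2, 0x00010000, data_offset, timestamp,
                       b"exmp", 0x00010000, b"Wi2k", current_size, current_size,
                       geometry, disk_type, 0)
    footer = bytearray(VHD_COOKIE + body + bytes(16) + b"\x00" + bytes(427))
    struct.pack_into(">I", footer, 64, vhd_checksum(bytes(footer)))
    return bytes(footer)


if __name__ == "__main__":
    # Constructed 4 MiB fixed VHD: zeroed payload followed by a valid footer.
    sample = bytes(4 * 1024 * 1024) + build_vhd_footer(4 * 1024 * 1024)
    for key, value in inspect_vhd_bytes(sample).items():
        print(f"{key:15} {value}")
```

When you receive such a backup, read the last 512 bytes of the .vhd through `parse_vhd_footer` before anything else: a failed checksum or a cookie mismatch means the file is not what it claims, and a dynamic type means the bytes before the footer are not a sector-for-sector copy. Either way, as the post says, a backup built from shadow copies carries allocated file data only, so unallocated space is absent regardless of what the footer reports.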