Microsoft Surface RT


Microsoft Surface RT

Post Posted: Fri Nov 30, 2012 3:26 pm

Hey,
It hasn't taken long since the release of this tablet before we have had to respond to a security incident involving one. The only problem we have is making a forensic image of the device. We have secured the offending device and have purchased a test device to attempt a forensic copy of the device but so far we have failed.


Has anyone attempted and succeeded in creating a forensic image of the new Surface RT?

Regards

Gilly  

gilly_uk
Member
 
 
  

Re: Microsoft Surface RT

Post Posted: Sat Dec 01, 2012 7:06 pm

I just looked at the iFixit teardown for it.
I thought it had an SSD but it's just some Samsung NAND flash chips soldered onto the board

www.ifixit.com/Teardow...wn/11275/2

I'd like to find out how you'd do it too
so my suggestions are as follows:
if you have access to a Cellebrite, find out if they support it yet
or the more reasonable option, get a copy of Windows 8, put it on a USB or portable hard disk and then try to boot into it from the Surface (if that's possible). I don't think any of the other live CDs will work because as of Windows 8 you need a signed OS

last resort is always boot it up, document the process and live acquisition I guess.  

randomaccess
Senior Member
 
 
  

Re: Microsoft Surface RT

Post Posted: Sun Dec 02, 2012 7:49 am

- randomaccess

... or the more reasonable option, get a copy of Windows 8 ...

My guess is that a copy of Windows 8 RT would be needed, and I don't think that you can find one copy in the shop round the corner..., but once you have one you would also need to find some compatible hardware to test it, find a way to boot it from USB, and verify that it doesn't write to the target device storage when booting, find a way to add to it a dd-like tool (as Windows RT supposedly can only use apps that come from the Windows store) etc., etc.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Microsoft Surface RT

Post Posted: Mon Dec 03, 2012 2:59 am

Thanks for the ideas, I'll give the Windows 8 boot USB a try.

The only way it seems so far to get into the recovery mode of the device is to use a recovery USB created from the Surface.

If there is a way to image the device and it leaves a trace we would just have to say this in our report that due to the device the only way to image it was to make the following changes and just hope it's accepted.


P.S. Does anyone know if corporations like Microsoft, Apple and Samsung etc. have to provide law enforcement/government with a way to image these devices in the event of a legal event using one of said devices?  

gilly_uk
Member
 
 
  

Re: Microsoft Surface RT

Post Posted: Mon Dec 03, 2012 4:12 am

I don't think they have to do anything
but there's probably a contact you could find to ask questions

how would you go about determining that you haven't left any remnants?

I'm guessing you can't just image it twice, because the time on the device would be constantly changing and the EFI is stored on the NAND...unless I'm wrong, but then testing is in order
I don't think they've started selling the Surface down in Aus yet so haven't had a chance to play with it  

randomaccess
Senior Member
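
An added example, not part of the thread: one way to test the "image it twice" question on a spare test device is to hash both acquisitions block by block and list the byte ranges that differ, which shows how much a boot or imaging method actually changes. The 4096-byte block size and the two in-memory sample images are assumptions constructed for illustration, not Surface RT properties.

```python
import hashlib
import io

BLOCK_SIZE = 4096  # assumed comparison granularity, not a device property


def block_digests(stream, block_size=BLOCK_SIZE):
    """Yield (offset, sha256 hex digest) for each block of a raw image."""
    offset = 0
    while True:
        chunk = stream.read(block_size)
        if not chunk:
            break
        yield offset, hashlib.sha256(chunk).hexdigest()
        offset += len(chunk)


def changed_ranges(first, second, block_size=BLOCK_SIZE):
    """Return merged (start, end) byte ranges where two images differ.

    Blocks present in only one image (different lengths) count as changed.
    """
    a = dict(block_digests(first, block_size))
    b = dict(block_digests(second, block_size))
    ranges = []
    for offset in sorted(set(a) | set(b)):
        if a.get(offset) == b.get(offset):
            continue
        end = offset + block_size
        if ranges and ranges[-1][1] == offset:
            ranges[-1] = (ranges[-1][0], end)  # extend a contiguous run
        else:
            ranges.append((offset, end))
    return ranges


def make_sample_images():
    """Constructed sample data: two 64 KiB 'acquisitions' of a test device."""
    base = bytearray(16 * BLOCK_SIZE)
    later = bytearray(base)
    later[4096:4100] = b"TIME"                   # one block touched
    later[8 * 4096:10 * 4096] = b"\xff" * 8192   # two adjacent blocks rewritten
    return bytes(base), bytes(later)


if __name__ == "__main__":
    img1, img2 = make_sample_images()
    for start, end in changed_ranges(io.BytesIO(img1), io.BytesIO(img2)):
        print(f"changed bytes {start:#x}-{end:#x}")
```

For real images, pass two files opened in binary mode; the changed ranges can then be mapped to partitions and files to document exactly what the acquisition procedure altered.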
 
 
  

Re: Microsoft Surface RT

Post Posted: Mon Dec 03, 2012 4:22 am

- gilly_uk
Thanks for the ideas, I'll give the Windows 8 boot USB a try.

The only way it seems so far to get into the recovery mode of the device is to use a recovery USB created from the Surface.

I think that you should try that on *another* specimen of the Surface, hard as it can be to find one.
I mean, there is really no (yet) data/documents/reports/*anything* about the thingy, for all we know the "new, improved" user experience may well include an *automagic* "wipe before re-installing as factory" feature.

- gilly_uk

If there is a way to image the device and it leaves a trace we would just have to say this in our report that due to the device the only way to image it was to make the following changes and just hope it's accepted.

IMHO this is - depending on the nature of the case - acceptable collateral damage, in any case such a procedure "subtracts" data, it cannot "create" evidence.
I mean, booting the thingy may delete or overwrite a few files, or change their access dates, it won't ever materialize a CP image or the map of the bank's caveau that wasn't there...

- gilly_uk

P.S. Does anyone know if corporations like Microsoft, Apple and Samsung etc. have to provide law enforcement/government with a way to image these devices in the event of a legal event using one of said devices?

Cannot say, but it "sounds" something like the US Government may require under the Patriot Act or something like that, not something that the EU would impose.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Microsoft Surface RT

Post Posted: Mon Dec 03, 2012 9:54 am

Apologies if you've already read it, but take a glance through this

technet.microsoft.com/...e.10).aspx

The backup can create a VHD file of the device to a USB drive. OK, it's not forensically sound, and you won't get unallocated, but it would be a start. I believe it uses the existing shadow copies to write the backup

technet.microsoft.com/...ackup.aspx  

Pedro281
Member
 
 