Microsoft Surface RT

28 Posts
11 Users
0 Likes
2,170 Views
(@gilly_uk)
Posts: 23
Eminent Member
Topic starter
 

Hey,
It hasn't taken long since the release of this tablet before we have had to respond to a security incident involving one. The only problem we have is making a forensic image of the device. We have secured the offending device and have purchased a test device to attempt a forensic copy of the device but so far we have failed.

Has anyone attempted and succeeded in creating a forensic image of the new Surface RT?

Regards

Gilly

 
Posted : 01/12/2012 1:26 am
(@randomaccess)
Posts: 385
Reputable Member
 

I just looked at the iFixit teardown for it.
I thought it had an SSD but it's just some Samsung NAND flash chips soldered onto the board.

http://www.ifixit.com/Teardown/Microsoft+Surface+Teardown/11275/2

I'd like to find out how you'd do it too,
so my suggestions are as follows:
if you have access to a Cellebrite, find out if they support it yet,
or the more reasonable option: get a copy of Windows 8, put it on a USB or portable hard disk and then try to boot into it from the Surface (if that's possible). I don't think any of the other live CDs will work because as of Windows 8 you need a signed OS.

Last resort is always boot it up, document the process and live acquisition, I guess.

 
Posted : 02/12/2012 5:06 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

… or the more reasonable option: get a copy of Windows 8 …

My guess is that a copy of Windows 8 RT would be needed, and I don't think that you can find one copy in the shop round the corner…, but once you have one you would also need to find some compatible hardware to test it, find a way to boot it from USB, and verify that it doesn't write to the target device storage when booting, find a way to add to it a dd-like tool (as Windows RT supposedly can only use apps that come from the Windows store) etc., etc.

jaclaz

 
Posted : 02/12/2012 5:49 pm
(@gilly_uk)
Posts: 23
Eminent Member
Topic starter
 

Thanks for the ideas, I'll give the Windows 8 boot USB a try.

The only way it seems so far to get into the recovery mode of the device is to use a recovery USB created from the Surface.

If there is a way to image the device and it leaves a trace, we would just have to say this in our report: that due to the device, the only way to image it was to make the following changes, and just hope it's accepted.

P.S. Does anyone know if corporations like Microsoft, Apple and Samsung etc. have to provide law enforcement/government with a way to image these devices in the event of a legal event using one of said devices?

 
Posted : 03/12/2012 12:59 pm
(@randomaccess)
Posts: 385
Reputable Member
 

I don't think they have to do anything,
but there's probably a contact you could find to ask questions.

How would you go about determining that you haven't left any remnants?

I'm guessing you can't just image it twice, because the time on the device would be constantly changing and the EFI is stored on the NAND… unless I'm wrong, but then testing is in order.
I don't think they've started selling the Surface down in Aus yet, so I haven't had a chance to play with it.

 
Posted : 03/12/2012 2:12 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Thanks for the ideas, I'll give the Windows 8 boot USB a try.

The only way it seems so far to get into the recovery mode of the device is to use a recovery USB created from the Surface.

I think that you should try that on *another* specimen of the Surface, hard as it can be to find one.
I mean, there is really no (yet) data/documents/reports/*anything* about the thingy, for all we know the "new, improved" user experience may well include an *automagic* "wipe before re-installing as factory" feature.

If there is a way to image the device and it leaves a trace, we would just have to say this in our report: that due to the device, the only way to image it was to make the following changes, and just hope it's accepted.

IMHO this is - depending on the nature of the case - acceptable collateral damage, in any case such a procedure "subtracts" data, it cannot "create" evidence.
I mean, booting the thingy may delete or overwrite a few files, or change their access dates, it won't ever materialize a CP image or the map of the bank's caveau that wasn't there…

P.S. Does anyone know if corporations like Microsoft, Apple and Samsung etc. have to provide law enforcement/government with a way to image these devices in the event of a legal event using one of said devices?

Cannot say, but it "sounds" something like the US Government may require under the Patriot Act or something like that, not something that the EU would impose.

jaclaz

 
Posted : 03/12/2012 2:22 pm
(@pedro281)
Posts: 38
Eminent Member
 

Apologies if you've already read it, but take a glance through this

http://technet.microsoft.com/en-us/library/ee692046(v=surface.10).aspx

The backup can create a VHD file of the device to a USB drive. OK, it's not forensically sound, and you won't get unallocated, but it would be a start. I believe it uses the existing shadow copies to write the backup.

http://technet.microsoft.com/en-gb/magazine/2007.09.backup.aspx

 
Posted : 03/12/2012 7:54 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Apologies if you've already read it, but take a glance through this

http://technet.microsoft.com/en-us/library/ee692046(v=surface.10).aspx

The backup can create a VHD file of the device to a USB drive. OK, it's not forensically sound, and you won't get unallocated, but it would be a start. I believe it uses the existing shadow copies to write the backup.

http://technet.microsoft.com/en-gb/magazine/2007.09.backup.aspx

Pedro281, I guess there has been a misunderstanding, those resources you posted about are NOT about the Surface (RT) tablet thingy, but about the confusingly named Surface 1.0 and 2.0 "software" (Windows Vista 😯 or 7 based)
http://technet.microsoft.com/en-us/library/ee692162(v=surface.10).aspx

Surface

Microsoft Surface is a software platform that is ideal for any scenario in which multiple users want to interact with a single large form-factor device, similar to a wide-screen TV. The focus of Surface is on creating real connections—whether it's connecting customers with information and each other, or connecting a device made for Surface to other devices. Using only their fingers or objects, such as loyalty cards or game pieces like checkers, users interact with a high-end graphical display that can be used as a table, on the wall, or embedded in other fixtures or furniture.

jaclaz

 
Posted : 03/12/2012 9:22 pm
(@pedro281)
Posts: 38
Eminent Member
 

ahh, my bad….. oops

 
Posted : 05/12/2012 6:28 pm
(@paperclip_cce)
Posts: 6
Active Member
 

Hey,
It hasn't taken long since the release of this tablet before we have had to respond to a security incident involving one. The only problem we have is making a forensic image of the device. We have secured the offending device and have purchased a test device to attempt a forensic copy of the device but so far we have failed.

Has anyone attempted and succeeded in creating a forensic image of the new Surface RT?

Regards

Gilly

Any luck with this? Any updates?

I haven't tried this, but, supposedly, you can boot Ubuntu 12.10 (with Secure Boot on).
https://wiki.ubuntu.com/QuantalQuetzal/ReleaseNotes/UbuntuDesktop

According to Ubuntu 12.10 documentation

Ubuntu 12.10 is the first Ubuntu release to support UEFI Secure Boot, a standard for controlling what software can be run on a computer. Supporting Secure Boot, a part of the Windows 8 certification requirements for client systems, ensures that Ubuntu will continue to provide an "it just works" experience on new hardware.

Due to time pressures, only some flavors released with 12.10 will install and boot on Secure Boot hardware

Ubuntu desktop
Ubuntu server
Edubuntu
We expect to enable all other flavors in 13.04.

( https://wiki.ubuntu.com/QuantalQuetzal/ReleaseNotes/UbuntuDesktop#QuantalQuetzal.2BAC8-ReleaseNotes.2BAC8-CommonInfrastructure.Secure_Boot)

Might be worth a try to boot a live Ubuntu 12.10 USB thumb and run "dd" to image the subject media (if you can successfully boot to the live Ubuntu 12.10 desktop).

Additionally make sure you use a large USB thumb drive - perhaps a 64GB. Then, when you create your live USB thumb, make sure to create a "storage" partition to store the DD image to. (Be sure to do a forensic wipe of the 64 GB USB thumb FIRST & document it)

- (Again, I have not tried this, so forgive me if I'm wrong. Just a thought.) -

IF you are successful at imaging the Surface tablet - Let us know.
(Also, not sure if you need this, but I found this nicely written guide about Windows 8 forensics: http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-8-forensic-guide2.pdf - written by Amanda C. F. Thomson, M.F.S. Candidate, advised by Eva Vincze, PhD, The George Washington University, Washington, D.C.)

 
Posted : 08/12/2012 3:51 am
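The live-USB-plus-dd approach suggested in the post above, and the earlier question about how you would show you have not left remnants, both come down to documentation: hash the subject media before and after the copy, hash the image, and prove the destination was wiped before use. The script below is an added example written for this thread, not code from any of the posters. It assumes a POSIX sh with dd, sha256sum, head, cmp and date; the subject media and destination are given as paths (on a real live system they would be block device nodes and the script would run as root), and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal, self-documenting dd-based
# acquisition in the spirit of the "boot a live USB and run dd" suggestion.
# It records a SHA-256 of the subject media before and after the copy so the
# "did I leave remnants?" question can be answered from the log, not from memory.
#
# Assumptions: POSIX sh with dd, sha256sum, head, cmp and date available.
# Paths such as subject.bin / subject.img below are placeholders; on a live
# system they would be block devices (e.g. the internal flash and the wiped
# storage partition on the USB stick) and the script would run as root.

# hash_of FILE: print the SHA-256 hex digest of FILE.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_wiped FILE: succeed only if FILE is entirely zero-filled, i.e. the
# storage partition really was wiped before the image was written to it.
verify_wiped() {
    size=$(wc -c < "$1" | tr -d ' ')
    head -c "$size" /dev/zero | cmp -s - "$1"
}

# log_line LOG TEXT: append a UTC-timestamped line to the acquisition log.
log_line() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" >> "$1"
}

# acquire SRC DST LOG: hash SRC, copy it with dd, then hash DST and SRC again.
# Returns 0 only if all three digests agree; every step is written to LOG.
# (On failing flash one would add conv=noerror,sync; the resulting zero
# padding is then expected, changes the image size, and must be documented.)
acquire() {
    src=$1; dst=$2; log=$3
    log_line "$log" "acquisition start source=$src dest=$dst"
    before=$(hash_of "$src")
    log_line "$log" "sha256 source-before $before"
    # dd's own record counts go to the log as part of the documentation
    dd if="$src" of="$dst" bs=1048576 2>> "$log" || {
        log_line "$log" "dd failed"
        return 1
    }
    image=$(hash_of "$dst")
    after=$(hash_of "$src")
    log_line "$log" "sha256 image $image"
    log_line "$log" "sha256 source-after $after"
    if [ "$before" = "$image" ] && [ "$before" = "$after" ]; then
        log_line "$log" "result VERIFIED"
        return 0
    fi
    log_line "$log" "result MISMATCH"
    return 1
}
```

Usage on a live system would be `verify_wiped /dev/sdb2 && acquire /dev/mmcblk0 /mnt/store/surface.img /mnt/store/acq.log` (device names are placeholders). A differing source-before and source-after hash is exactly the symptom randomaccess predicted for a running device whose clock and firmware state keep changing; logging both values lets the report state precisely what was observed rather than assert that nothing changed.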