±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35615
New Yesterday: 1 Visitors: 184

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

HELP! : How to image a Windows Surface RT (ARM)

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2  Next 
  

4Rensics
Senior Member
 

HELP! : How to image a Windows Surface RT (ARM)

Post Posted: Mar 08, 19 11:36

Morning.

I'm currently battling with a Windows Surface RT running on the old ARM chipset. (The Surface is from 2013)

There is no boot to BIOS/UFEI. So I've had to boot to Windows (8.1 I think) but I can't run FTK Imager lite or command line because they are not signed by Microsoft and the exe's wont run.
I found a dd.exe to try, but same as above again.

Does anybody know or any tools that I can use to get an image of this 32GB eMMC. (Chip off is not an option...yet!)

Any help much appreciated.

4F  
 
  

mahoney
Newbie
 

Re: HELP! : How to image a Windows Surface RT (ARM)

Post Posted: Mar 08, 19 12:58

Volume+ and power key should get you to the UEFI. If this doesn't work on your ARM tablet you may still be able to boot from USB.

Secure Boot only allows 'trusted' OSs, of which Ubuntu is one of them. You'll need to edit the boot config files from your Kali/Backtrack bootable USB to resemble the trusted Ubuntu ones. Fingers crossed, the Surface you have is set to try to boot from USB first.

Also try Volume- and power key to get to the boot menu.  
 
  

4Rensics
Senior Member
 

Re: HELP! : How to image a Windows Surface RT (ARM)

Post Posted: Mar 08, 19 15:56

Thank you. Maybe it wasn't working because I was trying with a Paladin USB. I'll try with my Kali USB and see if that works. I did try booting with the Vol up and Vol down to no affect.


Thanks.  
 
  

hectic_forensics
Member
 

Re: HELP! : How to image a Windows Surface RT (ARM)

Post Posted: Mar 11, 19 10:27

Try connecting the Paladin USB with a powered USB hub. That has worked for me in the past - obviously with any Secure Boot etc disabled.  
 
  

AccessDenied
Newbie
 

Re: HELP! : How to image a Windows Surface RT (ARM)

Post Posted: Mar 20, 19 16:17

- 4Rensics
Thank you. Maybe it wasn't working because I was trying with a Paladin USB. I'll try with my Kali USB and see if that works. I did try booting with the Vol up and Vol down to no affect.


Thanks.


Hello,

Did you have any success acquiring this Surface? I have Surface RT Model: 1516 and the device just wont to boot into UEFI when Vol+ and Power button are pressed.

Any suggestions would be appreciated.

Cheers  
 
  

UnallocatedClusters
Senior Member
 

Re: HELP! : How to image a Windows Surface RT (ARM)

Post Posted: Mar 20, 19 19:00

You can use YUMI to create a UEFI compatible Live USB with Kali Linux that will work with Surfaces:

www.pendrivelinux.com/...b-creator/


I have multiple working 8GB Live USB Kingston brand drives I can image to a DD file and upload to you if you wish. You will need to write the DD image to your own USB drive, but once done correctly, you will be able to boot your Surface to Kali and then use Guymager within Kali to make a forensic image of the Surface.

My experience with Surfaces is that Surfaces come from the factory Bitlocker encrypted standard and Microsoft does NOT provide the Bitlocker keys!!!!!

So, you might be left with capturing a live forensic image.  
 
  

AccessDenied
Newbie
 

Re: HELP! : How to image a Windows Surface RT (ARM)

Post Posted: Mar 21, 19 09:03

Thanks for the info, would appreciate if you could create a DD image of them.

Cheers  
 

Page 1 of 2
Page 1, 2  Next