Microsoft Surface Pro 3 Imaging?


erowe
Senior Member
 

Microsoft Surface Pro 3 Imaging?

Post Posted: Feb 27, 15 20:41

I've been doing some research and testing on how to image the Surface Pro 3 without cracking it open and removing the SSD and I’m not having much luck.

If you have the password FTK Imager works fine from an external USB. The problem there is of course that you’re using the suspect’s live device to image it and leaving all the associated footprints of your activity on it. You also need their cooperation.

Booting to a forensic distro is what I really want to do, but it looks like things are pretty locked down. I can make a UEFI bootable USB using Rufus, but even after changing the BIOS settings I can’t get to a point where the Surface will boot from it. I get an initial red screen and then get redirected to a BitLocker recovery screen that I can’t get around.

Has anyone had any success imaging Surfaces? I gather there are similar problems booting to some all-in-one computers.

All the videos and publications seem to point to the fact that you used to be able to boot to a USB but no longer can. (Although a post I found on Symantec’s forum claims boot USBs created with the Symantec System Restore Wizard work.)

Thanks.

Eric  
 
  

jaclaz
Senior Member
 

Re: Microsoft Surface Pro 3 Imaging?

Post Posted: Feb 28, 15 01:15

How EXACTLY did you set the BIOS rectius stupid UEFI firmware?

winsupersite.com/mobil...s-firmware

It is possible that there is in your case the combination of two things, any among the Secureboot/TPC and an additional BitLocker "layer".

The Surface Pro 3 is reportedly somehow "different" or "more picky" than earlier Surfaces and most other "All in one", but installing to it - say - Ubuntu is possible:
blog.davidelner.com/du...ace-pro-3/
or Debian:
winaero.com/blog/how-t...ace-pro-3/
or SUSE:
forums.opensuse.org/sh...h-Windows!

So the issue may be on the actual specific "Rufus made" UEFI boot stick, as there are as well reports of "Rufus made" USB sticks used successfully:
www.surfacegeeks.net/f...81-on-sp3/

I would try replicating this last report, as the Windows 8.1 setup is actually a (basic) form of PE, and if it can boot, then *any* PE 5 (or possibly even 4) should boot as well.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

C.R.S.
Senior Member
 

Re: Microsoft Surface Pro 3 Imaging?

Post Posted: Feb 28, 15 13:41

Did you remove the SD Card or any other media? Can you boot Windows, either "To Go" or natively? Since Windows 8 boots from USB without hassles, you can attach any installed hard drive. To Go is configured to keep local drives offline, while native Windows will mount them. However, this should be tolerable when BitLocker is active.
 
  

rjo86
Newbie
 

Re: Microsoft Surface Pro 3 Imaging?

Post Posted: Feb 28, 15 22:51

I've not tried it with a Surface 3, but when I first imaged an original Surface Pro my method was:

1. Boot into the UEFI and disable Secure Boot if it is enabled.
2. Save the UEFI changes and immediately power the Surface down.
3. Plug in a USB hub, attach a bootable USB. NOTE: The distro on the bootable USB has to be a 64-bit distro (I used DEFT 7.x at the time).
4. Boot from USB, plug a USB HDD into the hub to save your image to and use Guymager to image the internal SSD.

I did have some issues with the bootable USB and I can't remember if it was Rufus/UNetbootin/Pen Drive Linux or even manually creating one in cmd line that worked in the end, I'm afraid.

Rob  
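
On the 64-bit requirement in step 3 of the post above, an added example that is not part of the original thread: UEFI firmware on x86-64 hardware looks for the removable-media loader at `\EFI\BOOT\BOOTX64.EFI`, so a stick that only carries a 32-bit loader will not be offered as a boot device. The function names and the constructed stub files are hypothetical, GNU `find` is assumed, and Secure Boot signing is not checked.

```shell
#!/bin/sh
# Added example (not from the thread): does a mounted USB stick offer a 64-bit UEFI loader?

# Hex string of $3 bytes at offset $2 of file $1.
hexat() { od -An -tx1 -j"$2" -N"$3" "$1" 2>/dev/null | tr -d ' \n'; }

# Print the PE/COFF Machine field of file $1 (e.g. 8664); fail if it is not a PE image.
pe_machine() {
    [ "$(hexat "$1" 0 2)" = "4d5a" ] || return 1            # "MZ" DOS magic
    lf=$(hexat "$1" 60 4)                                   # e_lfanew at 0x3c
    [ "${#lf}" -eq 8 ] || return 1
    off=$(( 0x$(echo "$lf" | sed 's/\(..\)\(..\)\(..\)\(..\)/\4\3\2\1/') ))
    sig=$(hexat "$1" "$off" 6)                              # "PE\0\0" + Machine
    [ "${sig%????}" = "50450000" ] || return 1
    echo "$sig" | sed 's/^........\(..\)\(..\)$/\2\1/'      # undo little-endian order
}

# Classify the stick mounted at $1: x64, ia32-only or none.
uefi_boot_arch() {
    root=${1%/}
    # FAT is case-insensitive, so match /EFI/BOOT/BOOT*.EFI in any case.
    machines=$(find "$root" -maxdepth 3 -type f -ipath '*/efi/boot/boot*.efi' |
        while IFS= read -r f; do pe_machine "$f" || :; done)
    case " $(echo $machines) " in
        *" 8664 "*) echo x64 ;;          # IMAGE_FILE_MACHINE_AMD64
        *" 014c "*) echo ia32-only ;;    # IMAGE_FILE_MACHINE_I386
        *)          echo none ;;
    esac
}

# Constructed sample: minimal PE stub at path $1 with Machine bytes $2 (octal escapes).
make_stub() {
    mkdir -p "$(dirname "$1")"
    { printf 'MZ'; dd if=/dev/zero bs=1 count=58 2>/dev/null
      printf '\100\000\000\000PE\000\000'; printf "$2"; } > "$1"
}

# Usage: sh check_stick.sh /mnt/usb
if [ "$#" -gt 0 ]; then uefi_boot_arch "$1"; fi
```

A result of `ia32-only` or `none` points at the stick itself rather than at the firmware settings.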
 
  

cunninghamja
Newbie
 

Re: Microsoft Surface Pro 3 Imaging?

Post Posted: Mar 04, 15 02:45

Below is a link to my process:

winfe.wordpress.com/20...efi-winfe/  
 
  

Adam10541
Senior Member
 

Re: Microsoft Surface Pro 3 Imaging?

Post Posted: Mar 31, 16 11:33

I thought I'd revisit this as I'm currently trying to get a process up to image Surface Pro 3 and 4 (with no luck thus far).

It appears the method used for earlier models by creating a WinPE (Mr Cunningham's guide) will not work with these models.

Does anyone have a successful method (other than live) for acquiring these devices yet?  
 
  

jaclaz
Senior Member
 

Re: Microsoft Surface Pro 3 Imaging?

Post Posted: Mar 31, 16 15:14

Adam10541 wrote:

"It appears the method used for earlier models by creating a WinPE (Mr Cunningham's guide) will not work with these models."

It appears HOW?

I mean, you did try it and what happened?

Which PE (like 4.x, 5.x, 10.x) did you try?

Just in case, a direct link to the .pdf is here:
winfe.files.wordpress....winfe1.pdf

Here is an indirect confirmation that specifically the Surface Pro 3 can boot from USB (in this case Ubuntu):
blog.davidelner.com/du...ace-pro-3/

But more generally *any* Rufus made USB stick works:
www.thurrott.com/mobil...face-pro-3


jaclaz