Hi all, I was wondering if you might have a clue to an issue I encountered recently.
I went onsite to image a Microsoft Surface Pro 4 (Model # 1724) the other day. I disabled secure boot and used Paladin 7 x64 live distro to perform acquisition into a connected USB external hard drive. The acquisition finished without any error but, when I checked the acquired image in FTK Imager/EnCase, the largest partition shows up as an Unrecognized file system. In the header of the partition I can see the ‘FVE-FS’ signature, but the operating system shows it does not have Bitlocker enabled on the drive.
Would you happen to have any idea what might have gone wrong, and what can be done if we were to image the device again?
Would appreciate any thoughts, thanks so much in advance!!
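One way to confirm what the examiner saw above from the raw image itself, as an added example that is not part of this thread: walk the GPT partition table and read the OEM-ID field of each volume's boot sector, where BitLocker writes "-FVE-FS-" in place of the "NTFS    " an unencrypted NTFS volume carries. The sample image is constructed inline with a placeholder partition type GUID.

```python
import struct
SECTOR = 512
BDE_OEM_ID = b"-FVE-FS-"   # BitLocker-encrypted volume (Windows 7 and later layout)
NTFS_OEM_ID = b"NTFS    "  # unencrypted NTFS volume

def classify_volume(boot_sector: bytes) -> str:
    """Classify a volume from the OEM ID field at offset 3 of its boot sector."""
    oem = boot_sector[3:11]
    if oem == BDE_OEM_ID:
        return "bitlocker"
    if oem == NTFS_OEM_ID:
        return "ntfs"
    return "unknown"

def gpt_partitions(image: bytes):
    """Yield (first_lba, last_lba) for each used entry of a GPT disk image."""
    hdr = image[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entries_lba, = struct.unpack_from("<Q", hdr, 72)      # LBA of the entry array
    n_entries, entry_size = struct.unpack_from("<II", hdr, 80)
    base = entries_lba * SECTOR
    for i in range(n_entries):
        ent = image[base + i * entry_size: base + (i + 1) * entry_size]
        if ent[:16] == bytes(16):   # all-zero type GUID marks an unused slot
            continue
        first, last = struct.unpack_from("<QQ", ent, 32)
        yield first, last

def scan_image(image: bytes) -> dict:
    """Map each partition's starting LBA to the volume type found in its boot sector."""
    return {first: classify_volume(image[first * SECTOR:(first + 1) * SECTOR]) for first, _ in gpt_partitions(image)}

def build_sample_image() -> bytes:
    """Constructed 64-sector GPT image: an NTFS volume at LBA 34 and a BitLocker volume at LBA 40."""
    img = bytearray(64 * SECTOR)
    hdr = bytearray(SECTOR)
    hdr[:8] = b"EFI PART"
    struct.pack_into("<Q", hdr, 72, 2)          # entry array starts at LBA 2
    struct.pack_into("<II", hdr, 80, 128, 128)  # 128 entries of 128 bytes (LBA 2..33)
    img[SECTOR:2 * SECTOR] = hdr
    for slot, (first, last) in enumerate([(34, 39), (40, 63)]):
        ent = bytearray(128)
        ent[:16] = b"\x01" * 16                 # placeholder (non-zero) partition type GUID
        struct.pack_into("<QQ", ent, 32, first, last)
        img[2 * SECTOR + slot * 128: 2 * SECTOR + (slot + 1) * 128] = ent
    img[34 * SECTOR + 3: 34 * SECTOR + 11] = NTFS_OEM_ID
    img[40 * SECTOR + 3: 40 * SECTOR + 11] = BDE_OEM_ID
    return bytes(img)
```

Run `scan_image` over the first few megabytes of a real E01/raw image (read with the same sector size) to see which partitions carry the FVE-FS signature before loading the image into a tool that expects a plain NTFS volume.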
Have had similar before, we restored the image to a HDD and connected it to forensic machine where it showed up as being bitlockered, but mounted in the clear anyway. It was down to clear key encryption.
Depending on the case, you might want to see if a Bitlocker key can be generated from the device. You should be able to enter that key in EnCase and decrypt the partition. That will save you time with reimaging. Or you could do a live image from the device.
I believe that MS Surface Pros automatically implement Bitlocker by default. It's almost certainly a Bitlocker image. You'll need the Recovery Key to analyze it.
With Surface Pros, I think disabling secure boot deletes the bitlocker key from the device.
Prior to this, the easiest way is to boot into the device and create an image of the decrypted filesystem.
Other than this, a copy of the recovery key is located in the One Drive account of the MS account linked to the device, if there is one.
This worked for me.
https://lockandcode.com/software/windows-rt-acquisition-tools
That's for the old windows tablets running a mobile processor, won't work for any of the newer surfaces