Acer Laptop with eM...
 
Notifications
Clear all

Acer Laptop with eMMC and UEFI Imaging Issues

10 Posts
5 Users
0 Likes
1,640 Views
spo7046
(@spo7046)
Posts: 17
Active Member
Topic starter
 

My issue is that I cannot image an EMMC on an acer laptop. It is a password protected windows OS with unknown bitlocker/encryption. Below is what I have done thus far.

I have gone through numerous posts and websites trying to figure out how to image this laptop. The laptop, an Acer R3-131T-C28S, uses a 32GB EMMC for storage. I do not have the ability to chip-off. I didn't check the chip to see if it is capable of an ISP extraction, but on another forum there were no pin-outs available. On that forum, they suggested using Paladin or Kali to do the extraction. I downloaded the recent versions of 32 bit and 64 bit Kali, as well as Paladin 7 and Paladin Edge. I created a bootable USB drive with UnetBootin and Rufus. The laptop uses UEFI and has the ability to switch to legacy. In legacy I was able to boot the system with Kali 32 and 64, as long as I used edd=off and acpi=off prior to starting Kali forensic option. I was not able to see the EMMC to image it. I had the same result with Paladin. I then tried Detego, and had to use the same commands to get Detego to boot to the desktop. Again I wasn't able to see the laptop's storage. While talking to another examiner he thought it was possible that Linux wasn't seeing the EMMC because it was turned off by the legacy setting in BIOS. I then turned off legacy and went back to UEFI. I had to create an admin password so I could edit security settings, but was able to disable safe booting. This allowed Detego to boot to the desktop immediately, but it still couldn't see the EMMC. Detego's support informed me they know this is an issue that they will resolve in the next version. I tried Kali (32 and 64 bit versions) and Paladin to no avail. They now lockup during the loading process. Once I choose the version (forensic, safe mode with no apci) the screen which normally shows the processes loading, goes black and the system appears to be locked. I have let it sit for 15 minutes, and it didn't load to the desktop.

Any suggestions would be appreciated.

Thanks,

Steve

 
Posted : 10/11/2017 11:39 pm
thefuf
(@thefuf)
Posts: 261
Reputable Member
 

This could be a problem with drivers for a storage device. As a last resort, when no other options are available, you can try the acquisition using a custom GRUB distribution (like this, this particular image requires the legacy boot option enabled). After booting to the GRUB shell, type "ls" to see what drives were recognized and if an internal drive is visible (since GRUB is using BIOS interrupts to interact with drives, you will likely see an internal drive).

 
Posted : 11/11/2017 12:00 am
spo7046
(@spo7046)
Posts: 17
Active Member
Topic starter
 

Thank you. I will try that tomorrow.

 
Posted : 11/11/2017 5:37 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

This could be a problem with drivers for a storage device. As a last resort, when no other options are available, you can try the acquisition using a custom GRUB distribution (like this, this particular image requires the legacy boot option enabled). After booting to the GRUB shell, type "ls" to see what drives were recognized and if an internal drive is visible (since GRUB is using BIOS interrupts to interact with drives, you will likely see an internal drive).

As a side note, the normal grub4dos has an internal dd command (besides a geometry one that is useful to check disks like device presence and identify them).

The issue with it is that the program is extremely slow (when compared with more common Linux or Windows dd programs.

Last time I really had to use it, it was a smallish 4 Gb device and it took - if I recall correctly - more than 12 hours, I beleive because the USB BIOS was partcularly slow.

Newish versions of the 0.4.6a "branch" do have an internal USB stack that maybe will shorten the times, but it depends on the actual controller and BIOS

At the moment the "considered stable enough" version is 30-08-2017
http//grub4dos.chenall.net/downloads/grub4dos-0.4.6a-2017-08-30/

jaclaz

 
Posted : 12/11/2017 2:06 pm
Sanchez
(@sanchez)
Posts: 5
Active Member
 

You could give DEFT a try. With these types of devices I've found DEFT Zero to be more successful.

 
Posted : 12/11/2017 8:26 pm
ssstu
(@ssstu)
Posts: 12
Active Member
 

Hi Steve,

I am experiencing a slightly similar issue, however, with NVMe SSDs instead.

I was recently in possession of a HP Stream laptop that had a eMMc storage medium and recently branched out onto here (see original post https://www.forensicfocus.com/Forums/viewtopic/t=16021/

I did have success imaging it using Paladin, however, processing using X-Ways indicated that some sectors were corrupt and advised to reimage again.

In the end I created a WinFE 10 boot disk which worked perfectly (no issue encountered).

Hope this helps.

 
Posted : 13/11/2017 10:26 am
spo7046
(@spo7046)
Posts: 17
Active Member
Topic starter
 

You could give DEFT a try. With these types of devices I've found DEFT Zero to be more successful.

Thanks for the response. One of the issues I am having is the system appears to lockup when booting into the different Linux systems. I haven't let it just sit there. I let DEFT Zero sit there for about 15 minutes, and after choosing my option it never left the starting splash screen.

 
Posted : 13/11/2017 2:54 pm
spo7046
(@spo7046)
Posts: 17
Active Member
Topic starter
 

Hi Steve,

I am experiencing a slightly similar issue, however, with NVMe SSDs instead.

I was recently in possession of a HP Stream laptop that had a eMMc storage medium and recently branched out onto here (see original post https://www.forensicfocus.com/Forums/viewtopic/t=16021/

I did have success imaging it using Paladin, however, processing using X-Ways indicated that some sectors were corrupt and advised to reimage again.

In the end I created a WinFE 10 boot disk which worked perfectly (no issue encountered).

Hope this helps.

Thanks for the response. I did create a WinFE bootable USB today. It took about a half hour for this laptop to load to a desktop, and it still wasn't loaded correctly. Not sure what the problem is with this system, but it has been a pain in the rear!! I have to leave for a bit, so I am going to just let it run and see if it will get to a workable desktop.

 
Posted : 13/11/2017 2:58 pm
spo7046
(@spo7046)
Posts: 17
Active Member
Topic starter
 

I was unable to get WinFE to successfully boot to the desktop. Same issue existed with each of the Linux distros as well. Due to time constraints, the report had to be completed an hour ago. Thanks for everyone's help.

 
Posted : 13/11/2017 7:49 pm
thefuf
(@thefuf)
Posts: 261
Reputable Member
 

I was unable to get WinFE to successfully boot to the desktop. Same issue existed with each of the Linux distros as well. Due to time constraints, the report had to be completed an hour ago. Thanks for everyone's help.

And what about GRUB? Did you try it?

 
Posted : 13/11/2017 7:54 pm
Share:
Share to...