HELP! : How to image a Windows Surface RT (ARM)  

4Rensics
(@4rensics)
Active Member

Morning.

I'm currently battling with a Windows Surface RT running on the old ARM chipset. (The Surface is from 2013)

There is no boot to BIOS/UEFI. So I've had to boot to Windows (8.1 I think), but I can't run FTK Imager Lite or command line because they are not signed by Microsoft and the exes won't run.
I found a dd.exe to try, but same as above again.

Does anybody know of any tools that I can use to get an image of this 32GB eMMC? (Chip off is not an option…yet!)

Any help much appreciated.

4F

Posted : 08/03/2019 10:36 am
mahoney
(@mahoney)
New Member

Volume+ and power key should get you to the UEFI. If this doesn't work on your ARM tablet you may still be able to boot from USB.

Secure Boot only allows 'trusted' OSs, of which Ubuntu is one of them. You'll need to edit the boot config files from your Kali/Backtrack bootable USB to resemble the trusted Ubuntu ones. Fingers crossed, the Surface you have is set to try to boot from USB first.

Also try Volume- and power key to get to the boot menu.

Posted : 08/03/2019 11:58 am
4Rensics
(@4rensics)
Active Member

Thank you. Maybe it wasn't working because I was trying with a Paladin USB. I'll try with my Kali USB and see if that works. I did try booting with the Vol up and Vol down to no effect.

Thanks.

Posted : 08/03/2019 2:56 pm
hectic_forensics
(@hectic_forensics)
Junior Member

Try connecting the Paladin USB with a powered USB hub. That has worked for me in the past - obviously with any Secure Boot etc disabled.

Posted : 11/03/2019 9:27 am
AccessDenied
(@accessdenied)
New Member

Thank you. Maybe it wasn't working because I was trying with a Paladin USB. I'll try with my Kali USB and see if that works. I did try booting with the Vol up and Vol down to no effect.

Thanks.

Hello,

Did you have any success acquiring this Surface? I have a Surface RT Model 1516 and the device just won't boot into UEFI when the Vol+ and Power buttons are pressed.

Any suggestions would be appreciated.

Cheers

Posted : 20/03/2019 3:17 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

You can use YUMI to create a UEFI compatible Live USB with Kali Linux that will work with Surfaces

https://www.pendrivelinux.com/yumi-multiboot-usb-creator/

I have multiple working 8GB Live USB Kingston brand drives I can image to a DD file and upload to you if you wish. You will need to write the DD image to your own USB drive, but once done correctly, you will be able to boot your Surface to Kali and then use Guymager within Kali to make a forensic image of the Surface.

My experience with Surfaces is that Surfaces come from the factory Bitlocker encrypted standard and Microsoft does NOT provide the Bitlocker keys!!!!!

So, you might be left with capturing a live forensic image.

Posted : 20/03/2019 6:00 pm
AccessDenied
(@accessdenied)
New Member

Thanks for the info, would appreciate if you could create a DD image of them.

Cheers

Posted : 21/03/2019 8:03 am
mahoney
(@mahoney)
New Member

My experience with Surfaces is that Surfaces come from the factory Bitlocker encrypted standard and Microsoft does NOT provide the Bitlocker keys!!!!!

Workaround for the factory BitLocker encryption
1. Copy the DD image bit-for-bit onto a blank USB drive.
2. Attach the USB to a Windows machine via a USB write-blocker.
3. Windows will automatically decrypt the drive.
4. Use FTK Imager to re-image as a logical drive.

Workaround for user-encrypted BitLocker encryption
1. After you get your physical DD image, boot the Surface normally and log in (you'll need a local Admin account).
2. Launch CMD and run manage-bde -protectors -get C: -type RecoveryPassword
3. Make a note of the long numerical password.
4. You can use EnCase or Nuix to decrypt your physical DD image, or continue below
5. Copy the DD image bit-for-bit onto a blank USB drive.
6. Attach the USB to a Windows machine via a USB write-blocker.
7. Windows will prompt for the recovery password - enter it here to decrypt the drive.
8. Use FTK Imager to re-image as a logical drive.

Posted : 21/03/2019 10:24 am
Tic-Tac
(@tic-tac)
New Member

You can't boot any other OS than Windows RT on those ARM devices. Microsoft have made sure that the secure boot will stay on at all times. There have been some successful attempts in the past at disabling the secure boot (e.g. this discussion - https://forum.xda-developers.com/windows-8-rt/rt-development/disabling-secure-boot-surface-rt-t3360721), however all those security holes have been patched by Microsoft.

If it is a fully up to date Windows RT 8.1 device, your chances of booting any other OS are very, very slim. Even if you would succeed, you would need an OS that can run on an ARM CPU, and some custom drivers most likely.

Posted : 21/04/2019 7:15 pm
IanR
(@ianr)
New Member

You can use YUMI to create a UEFI compatible Live USB with Kali Linux that will work with Surfaces

https://www.pendrivelinux.com/yumi-multiboot-usb-creator/

I have multiple working 8GB Live USB Kingston brand drives I can image to a DD file and upload to you if you wish. You will need to write the DD image to your own USB drive, but once done correctly, you will be able to boot your Surface to Kali and then use Guymager within Kali to make a forensic image of the Surface.

My experience with Surfaces is that Surfaces come from the factory Bitlocker encrypted standard and Microsoft does NOT provide the Bitlocker keys!!!!!

So, you might be left with capturing a live forensic image.

I currently have a Surface 1 (RT) on my desk as part of a job.
I've also managed to acquire a test device which is doing a good imitation of a brick as far as booting into anything other than its onboard copy of Windows 8.1 😯

Before I resort to switching on the subject one and copying the files to a pen drive… would you be so kind as to send me the DD? Any tips for turning off the safe boot switch would be most welcome (I've tried (with a test device) volume up while powering on; all I get is a black screen, requiring a 30 second power button hold to power down).

Many Thanks
Ian

Posted : 02/05/2019 9:37 am
gweilo
(@gweilo)
New Member

You can't boot any other OS than Windows RT on those ARM devices. Microsoft have made sure that the secure boot will stay on at all times. There have been some successful attempts in the past at disabling the secure boot (e.g. this discussion - https://forum.xda-developers.com/windows-8-rt/rt-development/disabling-secure-boot-surface-rt-t3360721), however all those security holes have been patched by Microsoft.

If it is a fully up to date Windows RT 8.1 device, your chances of booting any other OS are very, very slim. Even if you would succeed, you would need an OS that can run on an ARM CPU, and some custom drivers most likely.

Tic-Tac is right, as far as I know there's no solution to boot with a Linux distro on a Windows Surface RT (ARM).

For the Surface tablet with Windows RT 8.0 there is a possibility to Jailbreak it and then launch unsigned software, for example an x86 emulator or an ARM-compiled unsigned software in order to make a forensic copy.

For the Windows RT 8.1 there's currently no possibility to jailbreak the device but there is a method to image the logical volumes of the device by using DISM.

* First you need to have access to the system; in other words, you have to log into the system. If you don't have the user password, you must find a way to find it.
* When you are logged into the system, you need to generate the BitLocker key. These devices are automatically protected with BitLocker when you register the system the first time with your Windows Live account.
* You'll need the key to unencrypt your image file.

* Then, when the OS is booted, hold down the left Shift key and click on reboot
* You should see the advanced options menu
* Click on Troubleshoot -> Advanced Options -> Command prompt
* If everything's worked fine, a command prompt should appear. That's it, now you can use the command dism to make a volume disk image.
* If needed, you can use diskpart to assign a letter to the hidden volumes/other partitions.
* Use the command Diskpart -> list volume -> select volume X -> assign letter=X
* OK, now that every volume is assigned, you can use the command dism

dism /capture-image /imagefile:X:\"yourimagefile".WIM /capturedir:c:\ /name:winrt

/imagefile choose the path and the name of the file you want to create
/capturedir choose the volume you want to copy
/name choose a label

* Now that the primary volume is copied, you can append the hidden volumes to your image.
* Use the command

dism /append-image /imagefile:X:\"yourimagefile".WIM /capturedir:d:\ /name:system

* You now have a .wim file!
* Copy your WIM file to your work computer.
* Open a command prompt and use the dism command again.
* You need to "mount" your file to extract the files on your computer.
* First type

dism /get-wiminfo /wimfile:X:\"path to your wim file"

* Normally you should see the different partitions that you have imaged, each one corresponding to an index.
* Now type the following command

dism /mount-wim /wimfile:X:\"path to your wim file" /index:X /mountdir:X:\"path to extract the files"

/index choose the number of the index (volume) you want to extract
/mountdir choose the directory where to extract the files

* Once finished, to unmount type the following command: dism /unmount-wim /mountdir:X:\"path to extract the files" /discard

Posted : 03/05/2019 8:31 am
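
Added example, not part of the post above or of any tool's own documentation: the work-computer steps of the DISM procedure (list the indexes, mount, extract, unmount), done with the DISM PowerShell cmdlets so that each index is mounted read-only and the .wim is hashed before and after. The E:\case001 paths are hypothetical placeholders, and the script assumes an elevated PowerShell prompt; note that a WIM holds files only, so unallocated space is not captured.

```powershell
# Added example: verify and read-only mount a DISM-captured WIM on the examiner workstation.
# All paths are hypothetical placeholders; run from an elevated PowerShell prompt.
param(
    [string]$WimPath   = 'E:\case001\surface_rt.wim',  # hypothetical evidence file
    [string]$MountRoot = 'E:\case001\mount',           # hypothetical empty working folder
    [string]$ReportDir = 'E:\case001\report'           # hypothetical output folder
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $MountRoot, $ReportDir | Out-Null

# 1. Hash the container before touching it so later copies can be checked against it.
$before = Get-FileHash -Path $WimPath -Algorithm SHA256
$before | Select-Object Algorithm, Hash, Path |
    Export-Csv "$ReportDir\wim_hash.csv" -NoTypeInformation

# 2. Enumerate the indexes (one per captured or appended volume).
$images = Get-WindowsImage -ImagePath $WimPath

foreach ($img in $images) {
    $mountDir = Join-Path $MountRoot ("index{0}" -f $img.ImageIndex)
    New-Item -ItemType Directory -Force -Path $mountDir | Out-Null

    # 3. Mount read-only so nothing can be committed back into the WIM.
    Mount-WindowsImage -ImagePath $WimPath -Index $img.ImageIndex -Path $mountDir -ReadOnly | Out-Null
    try {
        # 4. Per-file manifest: relative path, size, timestamp and SHA-256.
        Get-ChildItem -LiteralPath $mountDir -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Index    = $img.ImageIndex
                    Name     = $img.ImageName
                    Path     = $_.FullName.Substring($mountDir.Length)
                    Size     = $_.Length
                    Modified = $_.LastWriteTimeUtc
                    SHA256   = $h.Hash
                }
            } | Export-Csv "$ReportDir\manifest_index$($img.ImageIndex).csv" -NoTypeInformation
    }
    finally {
        # 5. Always unmount and discard, even if hashing failed part-way.
        Dismount-WindowsImage -Path $mountDir -Discard | Out-Null
    }
}

# 6. Confirm the container is unchanged after analysis.
$after = Get-FileHash -Path $WimPath -Algorithm SHA256
if ($after.Hash -ne $before.Hash) { throw "WIM hash changed during processing" }
```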