
Issue acquiring Microsoft Surface Pro 4

one234
(@one234)
Active Member
Joined: 13 years ago
Posts: 16
Topic starter  

Hi all, I was wondering if you might have a clue to an issue I encountered recently.

I went onsite to image a Microsoft Surface Pro 4 (Model # 1724) the other day. I disabled secure boot and used the Paladin 7 x64 live distro to perform the acquisition onto a connected USB external hard drive. The acquisition finished without any error but, when I checked the acquired image in FTK Imager/EnCase, the largest partition shows up as an Unrecognized file system. In the header of the partition I can see the ‘FVE-FS’ signature, but the operating system shows it does not have BitLocker enabled on the drive.

Would you happen to have any idea what might have gone wrong, and what can be done if we were to image the device again?

Would appreciate any thoughts, thanks so much in advance!!


   
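An added example, not part of any post in this thread: a Python script that walks the GPT of a raw (dd-style) image and reads the OEM ID at bytes 3-10 of each partition's boot sector, which is where the `-FVE-FS-` signature described above sits on a BitLocker-formatted volume. It assumes 512-byte logical sectors; the function names and the in-memory sample image are constructed for illustration.

```python
import io
import struct

SECTOR = 512  # assumption: 512-byte logical sectors in the raw image
OEM_IDS = {b"-FVE-FS-": "BitLocker (FVE) volume header",
           b"NTFS    ": "NTFS (no BitLocker header)"}

def classify_partitions(img):
    """Return [(name, first_lba, verdict)] for every used GPT entry."""
    img.seek(SECTOR)                      # primary GPT header is at LBA 1
    hdr = img.read(92)
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    # entry-array start LBA, number of entries, bytes per entry
    entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    results = []
    for i in range(count):
        img.seek(entries_lba * SECTOR + i * size)
        entry = img.read(size)
        if len(entry) < 128 or entry[:16] == bytes(16):  # unused slot
            continue
        first_lba = struct.unpack_from("<Q", entry, 32)[0]
        name = entry[56:128].decode("utf-16-le").rstrip("\x00")
        img.seek(first_lba * SECTOR + 3)  # OEM ID: bytes 3..10 of boot sector
        oem = img.read(8)
        results.append((name, first_lba, OEM_IDS.get(oem, "unrecognized: %r" % oem)))
    return results

def build_sample_image():
    """Constructed sample: GPT with one NTFS and one BitLocker-style partition."""
    img = bytearray(64 * SECTOR)
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 4, 128)
    parts = [("Recovery", 40, b"NTFS    "),
             ("Basic data partition", 48, b"-FVE-FS-")]
    for i, (name, lba, oem) in enumerate(parts):
        off = 2 * SECTOR + i * 128
        img[off:off + 16] = b"\x01" * 16  # placeholder type GUID (non-zero)
        struct.pack_into("<QQ", img, off + 32, lba, lba + 7)
        raw = name.encode("utf-16-le")
        img[off + 56:off + 56 + len(raw)] = raw
        img[lba * SECTOR + 3:lba * SECTOR + 11] = oem
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    for name, lba, verdict in classify_partitions(build_sample_image()):
        print(f"{name!r} @ LBA {lba}: {verdict}")
```

For a real acquisition, pass a file object opened read-only in binary mode on a working copy of the raw image instead of the constructed sample.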
(@dandaman_24)
Estimable Member
Joined: 11 years ago
Posts: 172
 

Have had similar before; we restored the image to a HDD and connected it to a forensic machine, where it showed up as being bitlockered but mounted in the clear anyway. It was down to clear key encryption.


kastajamah
(@kastajamah)
Estimable Member
Joined: 8 years ago
Posts: 113
 

Depending on the case, you might want to see if a BitLocker key can be generated from the device. You should be able to enter that key in EnCase and decrypt the partition. That will save you time with reimaging. Or you could do a live image from the device.


watcher
(@watcher)
Estimable Member
Joined: 19 years ago
Posts: 125
 

I believe that MS Surface Pros automatically implement BitLocker by default. It's almost certainly a BitLocker image. You'll need the Recovery Key to analyze it.


minime2k9
(@minime2k9)
Honorable Member
Joined: 14 years ago
Posts: 481
 

With Surface Pros, I think disabling secure boot deletes the BitLocker key from the device.
Prior to this, the easiest way is to boot into the device and create an image of the decrypted filesystem.
Other than this, a copy of the recovery key is located in the OneDrive account of the MS account linked to the device, if there is one.


 Dimi
(@dimi)
Active Member
Joined: 8 years ago
Posts: 13
 

This worked for me.

https://lockandcode.com/software/windows-rt-acquisition-tools


minime2k9
(@minime2k9)
Honorable Member
Joined: 14 years ago
Posts: 481
 

> This worked for me.
>
> https://lockandcode.com/software/windows-rt-acquisition-tools

That's for the old Windows tablets running a mobile processor; it won't work for any of the newer Surfaces.

