I may be showing my ignorance here, but we just took a physical image of a Surface 3 tablet using FTK Imager and I have unrecognized file systems in the image. Why is this so if it was a live acquisition? Is it BitLocker? Does anyone know how I can get at these files? Or do I need to go back and do a logical acquisition live using FTK Imager?
Did you boot to the OS itself?
If so, when you image you need to select the drive letter rather than the physical disk.
Surfaces have a TPM and are BitLockered by default, even if no password/PIN is set.
If you booted to an external pen drive, you may struggle to get an image now, as after you turn Secure Boot off (to boot to an external device) it will require a recovery key, which is located in the owner's Microsoft account.
As above, it will be BitLocker protected by default.
I did a few of these recently and had success with the following method:
1. Boot to CAINE (or similar) and take a physical image using Guymager.
2. Boot the Surface and log in (assuming you have credentials, since you have taken an image with FTK already).
3. Open Command Prompt (as administrator) and type:
manage-bde -protectors -get C:
(I am assuming C: is the encrypted OS partition; change to the relevant drive letter if not.)
This should display the BitLocker recovery password. Make a note of it, or take a picture, or both.
Use the recovery password to decrypt the physical image you took with CAINE (FTK, for example, will simply ask you for the recovery key when you add the image in).
This has generally worked well for me, and it also means you get an "untouched" image as opposed to having to image it live.
Failing that, as minime points out, select the drive letter and not the whole disk with FTK Imager.
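As an added example (not from this thread or any of its posters), the same check the manage-bde step performs, done for every volume at once in PowerShell on the booted Surface: it reports whether each volume is encrypted, which protector types exist, and the 48-digit recovery password if one is present, then writes a hashed note for the case file. It assumes an elevated session with the BitLocker module available and that the output path `$OutFile` is acceptable to you.

```powershell
# Added example: inventory BitLocker state and recovery passwords on the
# booted device before deciding how to acquire or unlock an image.
# Assumes an elevated PowerShell session with the BitLocker module
# (Get-BitLockerVolume). $OutFile is an assumed path for the evidence note.
#Requires -RunAsAdministrator
param(
    [string]$OutFile = "$env:USERPROFILE\Desktop\bitlocker-recovery-notes.txt"
)

$report = foreach ($vol in Get-BitLockerVolume) {
    # RecoveryPassword protectors hold the 48-digit key that FTK/EnCase
    # accept when a physical image is added; TPM protectors expose no secret.
    $recovery = $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { "$($_.KeyProtectorId) => $($_.RecoveryPassword)" }

    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus       # e.g. FullyEncrypted / FullyDecrypted
        ProtectionStatus  = $vol.ProtectionStatus   # On = protectors are enforced
        EncryptionMethod  = $vol.EncryptionMethod
        ProtectorTypes    = ($vol.KeyProtector.KeyProtectorType -join ',')
        RecoveryPasswords = if ($recovery) { $recovery -join '; ' } else { '<none>' }
    }
}

$report | Format-Table -AutoSize

# A physical (sector-level) image of an encrypted volume with no recovery
# password on record cannot be unlocked offline; flag it so the examiner can
# fall back to imaging the logical volume (drive letter) while it is unlocked.
foreach ($r in $report) {
    if ($r.VolumeStatus -ne 'FullyDecrypted' -and $r.RecoveryPasswords -eq '<none>') {
        Write-Warning "$($r.MountPoint): encrypted and no recovery password is exposed; image the logical volume live instead."
    }
}

# Record the findings with a hash so the note can be tied to the case file.
$report | Format-List | Out-File -FilePath $OutFile -Encoding utf8
$hash = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
"Saved to $OutFile (SHA256 $hash)"
```

Running it before any acquisition tells you up front whether a physical image will be readable, which is the question that opened this thread.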
Thank you both for your replies. I will need to decrypt it in EnCase or FTK, then, before I can access the files.
It's frustrating that the files are still encrypted even though it was imaged live.
Live and learn I guess.
1. Boot to CAINE (or similar) and take a physical image using Guymager.
2. Boot the Surface and log in (assuming you have credentials, since you have taken an image with FTK already).
……
This has generally worked well for me, and it also means you get an "untouched" image as opposed to having to image it live.
Failing that, as minime points out, select the drive letter and not the whole disk with FTK Imager.
How did you get it to boot into the OS after booting to a live distribution? Once you've turned Secure Boot off it would ask for the recovery key, meaning you couldn't then log in.
Hi minime,
I didn't encounter this issue; after imaging within the Linux distro I restarted it and let it boot into Windows as normal. Maybe I got lucky, but we had two Surface Pros and a Surface Book the other week and this worked on them all.