A colleague & I have been working on the forensic analysis of Microsoft Windows RT devices (ARM). To that end I present the first ever forensic acquisition tool for Windows RT. Guide and tool available from http//
An analysis paper will be released shortly detailing the OS artefacts, 3rd party DB structures & compatible forensic tools.
Any feedback on the tool is welcome.
Brent Muir
https://
http//
I have posted a quick reference guide for where the interesting RT artefacts are located in the OS
http//
The full paper will be published soon.
Brent Muir
https://
http//
Nice. :)
The link to the jailbreak tool is however not right. The .pdf points to thread 2092348, whilst the tool is on thread 2092158
http//
jaclaz
Thanks for picking that up. That will be amended in the next version of the guide.
Brent
Hi!
I am currently trying to see how it is possible to analyse a Windows RT Surface. First, I must thank you for the tools you created. I successfully used them to acquire the tablet I have.
However, I must confess that I am a bit puzzled regarding the utility of acquiring the physical drive. True, that is a real forensic acquisition. But as the main partition is encrypted, I cannot manage to recover any personal data.
By the way, I am very confused by this encryption: the tablet I use to make the test does not have any password set, and BitLocker is not activated (no key can be recovered).
I tried recovering erased data from drive C, with very little success. I still managed to recover one file, which proves that finding erased files is not a completely lost cause.
I am now trying other ways to access the data, as jailbreaking plus connecting the device to the Internet is something I do not like. I still do not know what to do without the password or if we encounter a Windows RT 8.1.
I am trying to boot the tablet in the EFI directly and see what can be done from there, but it does not seem to work.
I was also thinking about desoldering the eMMC chip and analysing directly what's inside. But if I cannot decipher the C partition, it would be useless.
Is there anyone who managed to boot on another OS from a USB drive? It seems to be possible, but I haven't yet managed to do it.