HELP! : How to image a Windows Surface RT (ARM)


mahoney
Newbie
 

Re: HELP! : How to image a Windows Surface RT (ARM)

Post Posted: Mar 21, 19 10:24

- UnallocatedClusters


My experience with Surfaces is that Surfaces come from the factory Bitlocker encrypted standard and Microsoft does NOT provide the Bitlocker keys!!!!!


Workaround for the factory BitLocker encryption:
1. Copy the DD image bit-for-bit onto a blank USB drive.
2. Attach the USB to a Windows machine via a USB write-blocker.
3. Windows will automatically decrypt the drive.
4. Use FTK Imager to re-image as a logical drive.

Workaround for user-encrypted BitLocker encryption:
1. After you get your physical DD image, boot the Surface normally and login (you'll need a local Admin account).
2. Launch CMD and run manage-bde -protectors C: -get -type RecoveryPassword
3. Make a note of the long numerical password.
4. You can use EnCase or Nuix to decrypt your physical DD image, or continue below:
5. Copy the DD image bit-for-bit onto a blank USB drive.
6. Attach the USB to a Windows machine via a USB write-blocker.
7. Windows will prompt for the recovery password - enter it here to decrypt the drive.
8. Use FTK Imager to re-image as a logical drive.  
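The recovery password that step 2 of the user-encrypted workaround prints to the screen is the one value an examiner cannot afford to mistype. The script below is an added example, not part of the original post: it runs the same manage-bde query from an elevated prompt on the booted device, extracts every 48-digit recovery password and protector ID from the output, and writes them to a timestamped case note whose SHA-256 hash is printed for the examination record. The volume letter and the case-note directory (assumed to be a drive letter on removable media) are placeholders.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# prompt on the logged-in Surface; $CaseDir is a placeholder for your own media.
param(
    [string]$Volume  = 'C:',
    [string]$CaseDir = 'D:\case\notes'   # assumption: removable drive with a letter
)

# Same query the post describes; manage-bde prints the protector list as text.
$raw = & manage-bde -protectors -get $Volume -type RecoveryPassword 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde failed (exit $LASTEXITCODE): $($raw -join ' ')"
}

# A BitLocker recovery password is eight groups of six digits joined by hyphens.
$passwords = $raw |
    Select-String -Pattern '\b\d{6}(-\d{6}){7}\b' -AllMatches |
    ForEach-Object { $_.Matches } | ForEach-Object { $_.Value }
if (-not $passwords) {
    throw "No recovery password protector reported for $Volume (BitLocker off, or prompt not elevated?)"
}

# The protector IDs ({GUID}) identify which protector each password belongs to.
$ids = $raw |
    Select-String -Pattern '\{[0-9A-Fa-f-]{36}\}' -AllMatches |
    ForEach-Object { $_.Matches } | ForEach-Object { $_.Value }

# Write the note with enough context to tie it back to this device and volume.
New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null
$note = Join-Path $CaseDir ("bitlocker-recovery-{0}.txt" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
@(
    "Collected: $(Get-Date -Format o)"
    "Host: $env:COMPUTERNAME  Volume: $Volume"
    "Protector IDs: $($ids -join ', ')"
    "Recovery password(s):"
    $passwords
) | Set-Content -Path $note -Encoding ASCII

# Hash the note so the recorded value can be verified later in the case.
$hash = (Get-FileHash -Path $note -Algorithm SHA256).Hash
Write-Output "Wrote $note"
Write-Output "SHA256: $hash"
```

Writing the note to removable media rather than the subject's own volume keeps the examiner's footprint on the device to the single manage-bde read; the password itself is what EnCase, Nuix or the Windows BitLocker prompt in steps 4 and 7 will ask for.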
 
  

Tic-Tac
Newbie
 

Re: HELP! : How to image a Windows Surface RT (ARM)

Post Posted: Apr 21, 19 18:15

You can't boot any other OS than Windows RT on those ARM devices. Microsoft have made sure that the secure boot will stay on at all times. There have been some successful attempts in the past at disabling the secure boot (e.g. this discussion - forum.xda-developers.c...t3360721), however all those security holes have been patched by Microsoft.

If it is a fully up to date Windows RT 8.1 device, your chances of booting any other OS are very, very slim. Even if you would succeed, you would need an OS that can run on an ARM CPU, and some custom drivers most likely.
 
  

IanR
Newbie
 

Re: HELP! : How to image a Windows Surface RT (ARM)

Post Posted: May 02, 19 08:37

- UnallocatedClusters
You can use YUMI to create a UEFI compatible Live USB with Kali Linux that will work with Surfaces:

www.pendrivelinux.com/...b-creator/


I have multiple working 8GB Live USB Kingston brand drives I can image to a DD file and upload to you if you wish. You will need to write the DD image to your own USB drive, but once done correctly, you will be able to boot your Surface to Kali and then use Guymager within Kali to make a forensic image of the Surface.

My experience with Surfaces is that Surfaces come from the factory Bitlocker encrypted standard and Microsoft does NOT provide the Bitlocker keys!!!!!

So, you might be left with capturing a live forensic image.




I currently have a Surface 1 (RT) on my desk as part of a job.
I've also managed to acquire a test device which is doing a good imitation of a brick as far as booting into anything other than its onboard copy of Windows 8.1.

Before I resort to switching on the subject one and copying the files to a pen drive.... would you be so kind as to send me the DD ? any tips for turning off the safe boot switch would be most welcome (I've tried (with a test device) volume up while powering on, all I get is a black screen, requiring a 30 second power button hold to power down)

Many Thanks
Ian  
 
  

gweilo
Newbie
 

Re: HELP! : How to image a Windows Surface RT (ARM)

Post Posted: May 03, 19 07:31

- Tic-Tac
You can't boot any other OS than Windows RT on those ARM devices. Microsoft have made sure that the secure boot will stay on at all times. There have been some successful attempts in the past at disabling the secure boot (e.g. this discussion - forum.xda-developers.c...t3360721), however all those security holes have been patched by Microsoft.

If it is a fully up to date Windows RT 8.1 device, your chances of booting any other OS are very, very slim. Even if you would succeed, you would need an OS that can run on an ARM CPU, and some custom drivers most likely.


Tic-Tac is right, as far as I know there's no solution to boot with a Linux distro on a Windows Surface RT (ARM).

For the Surface tablet with Windows RT 8.0 there is a possibility to Jailbreak it and then launch unsigned software, for example an x86 emulator or an ARM-compiled unsigned software in order to make a forensic copy.

For the Windows RT 8.1 there's currently no possibility to jailbreak the device but there is a method to image the logical volumes of the device by using DISM.

* First you need to have access to the system, in other words you have to log into the system. If you don't have the user password, you must find a way to find it.
* When you are logged in to the system, you need to generate the BitLocker key. These devices are automatically protected with BitLocker when you register the system the first time with your Windows Live account.
* You'll need the key to decrypt your image file.

* Then, when the OS is booted, hold the left Shift key and click on Reboot
* You should see the advanced options menu
* Click on Troubleshoot -> Advanced Options -> Command prompt
* If everything worked fine, a command prompt should appear. That's it, now you can use the dism command to make a volume disk image.
* If needed you can use diskpart to assign a letter to the hidden volumes/other partitions.
* Use the command diskpart -> list volume -> select volume X -> assign letter=X
* OK, now that every volume is assigned, you can use the dism command

dism /capture-image /imagefile:X:\yourimagefile.wim /capturedir:C:\ /name:winrt

/imagefile : choose the path and the name of the file you want to create
/capturedir : choose the volume you want to copy
/name : choose a label

* Now that the primary volume is copied, you can append the hidden volumes to your image.
* Use the command

dism /append-image /imagefile:X:\yourimagefile.wim /capturedir:D:\ /name:system

* You now have a .wim file!
* Copy your WIM file to your work computer.
* Open a command prompt and use the dism command again.
* You need to "mount" your file to extract the files on your computer.
* First type

dism /get-wiminfo /wimfile:X:\path\to\your.wim

* Normally you should see the different partitions that you have imaged, each one corresponding to an index.
* Now type the following command

dism /mount-wim /wimfile:X:\path\to\your.wim /index:N /mountdir:X:\path\to\mount\dir

/index: choose the number of the index (volume) you want to extract
/mountdir: choose the directory where to extract the files

* Once finished, to unmount type the following command: dism /unmount-wim /mountdir:X:\path\to\mount\dir /discard
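The workstation half of the procedure above (get-wiminfo, mount, unmount) is where an examiner wants the checks the post leaves out: that the copied WIM is the file that was captured, that every captured index is accounted for, and that nothing is written back into the image while it is mounted. The script below is an added example, not code from the original post: from an elevated PowerShell prompt on a Windows 8.1 or later workstation with dism.exe on the path, it hashes the WIM, parses the index list that dism /get-wiminfo prints, mounts each index read-only (the real /readonly switch of /mount-wim), counts its files, unmounts with /discard, and re-hashes the WIM to show it is unchanged. The WIM path and mount root are placeholders.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# on the examiner's workstation; $WimFile and $MountRoot are placeholders.
param(
    [string]$WimFile   = 'E:\case\surface-rt.wim',  # assumption: the WIM copied off the Surface
    [string]$MountRoot = 'E:\case\mount'
)

# Run dism.exe with the given arguments and fail loudly on a non-zero exit code.
function Invoke-Dism {
    param([string[]]$Arguments)
    $out = & dism.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dism $($Arguments -join ' ') failed ($LASTEXITCODE):`n$($out -join "`n")"
    }
    $out
}

# 1. Hash the WIM before touching it; the same hash is re-checked at the end.
$before = (Get-FileHash -Path $WimFile -Algorithm SHA256).Hash
Write-Output "SHA256 before: $before"

# 2. Parse the index list. /get-wiminfo prints one block per image, e.g.
#      Index : 1
#      Name : winrt
#      Description : winrt
#      Size : 12,345,678 bytes
$info    = Invoke-Dism @('/get-wiminfo', "/wimfile:$WimFile")
$images  = @()
$current = $null
foreach ($line in $info) {
    if ($line -match '^\s*Index\s*:\s*(\d+)') {
        $current = [ordered]@{ Index = [int]$Matches[1]; Name = ''; Size = '' }
        $images += $current
    } elseif ($current -and $line -match '^\s*(Name|Size)\s*:\s*(.+)$') {
        $current[$Matches[1]] = $Matches[2].Trim()
    }
}
if (-not $images) { throw "No images reported in $WimFile" }

# 3. Mount each index read-only, count files, then discard the mount so
#    nothing is ever committed back into the evidence file.
foreach ($img in $images) {
    $dir = Join-Path $MountRoot ("index{0}" -f $img.Index)
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Invoke-Dism @('/mount-wim', "/wimfile:$WimFile", "/index:$($img.Index)", "/mountdir:$dir", '/readonly') | Out-Null
    try {
        $count = (Get-ChildItem -Path $dir -Recurse -Force -File -ErrorAction SilentlyContinue | Measure-Object).Count
        Write-Output "Index $($img.Index) ($($img.Name)): $count files, reported size $($img.Size)"
    } finally {
        Invoke-Dism @('/unmount-wim', "/mountdir:$dir", '/discard') | Out-Null
    }
}

# 4. Prove the WIM itself was not modified by the mount/unmount cycle.
$after = (Get-FileHash -Path $WimFile -Algorithm SHA256).Hash
if ($after -ne $before) { throw 'WIM hash changed during examination' }
Write-Output "SHA256 after:  $after (unchanged)"
```

Keep in mind what a WIM capture is: a file-level copy of each mounted volume, not a sector image, so unallocated space, slack and anything DISM skips are not in it. The hashes above attest to the WIM file, not to the original device.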
 
