±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 34825
New Yesterday: 1 Visitors: 143

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Issue acquiring Microsoft Surface Pro 4

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

Issue acquiring Microsoft Surface Pro 4

Post Posted: Thu Nov 29, 2018 7:33 pm

Hi all, I was wondering if you might have a clue to an issue I encountered recently.

I went onsite to image a Microsoft Surface Pro 4 (Model # 1724) the other day. I disabled secure boot and used Paladin 7 x64 live distro to perform acquisition into a connected USB external hard drive. The acquisition finished without any error but, when I checked the acquired image in FTK Imager/EnCase, the largest partition shows up as an Unrecognized file system. In the header of the partition I can see the ‘FVE-FS’ signature, but the operating system shows it does not have Bitlocker enabled on the drive.

Would you happen to have any idea what might have gone wrong, and what can be done if we were to image the device again?

Would appreciate any thoughts, thanks so much in advance!!  

one234
Member
 
 
  

Re: Issue acquiring Microsoft Surface Pro 4

Post Posted: Fri Nov 30, 2018 12:52 am

Have had similar before, we restored the image to a HDD and connected it to forensic machine where it showed up as being bitlockered, but mounted in the clear anyway. It was down to clear key encryption.  

dandaman_24
Senior Member
 
 
  

Re: Issue acquiring Microsoft Surface Pro 4

Post Posted: Fri Nov 30, 2018 10:46 am

Depending on the case, you might want to see if a Bitlocker key can be generated from the device. You should be able to enter that key in EnCase and decrypt the partition. That will save you time with reimaging. Or you could do a live image from the device.  

kastajamah
Member
 
 
  

Re: Issue acquiring Microsoft Surface Pro 4

Post Posted: Fri Nov 30, 2018 5:40 pm

I believe that MS Surface Pro's automatically implement Bitlocker by default. It's almost certainly a Bitlocker image. You'll need the Recovery Key to analyze it.  

watcher
Member
 
 
  

Re: Issue acquiring Microsoft Surface Pro 4

Post Posted: Mon Dec 03, 2018 2:32 am

With Surface Pro's, I think disabling secure boot deletes the bitlocker key from the device.
Prior to this, the easiest way is to boot into the device and create an image of the decrypted filesystem.
Other than this, a copy of the recovery key is located in the One Drive account of the MS account linked to the device, if there is one.  

minime2k9
Senior Member
 
 
  

Re: Issue acquiring Microsoft Surface Pro 4

Post Posted: Mon Dec 03, 2018 4:50 am

This worked for me.


lockandcode.com/softwa...tion-tools  

Dimi
Member
 
 
  

Re: Issue acquiring Microsoft Surface Pro 4

Post Posted: Mon Dec 03, 2018 5:08 am

- Dimi


That's for the old windows tablets running a mobile processor, won't work for any of the newer surfaces  

minime2k9
Senior Member
 
 

Page 1 of 1