Issue acquiring Microsoft Surface Pro 4

one234
(@one234)
Posts: 16
Active Member
Topic starter
 

Hi all, I was wondering if you might have a clue to an issue I encountered recently.

I went onsite to image a Microsoft Surface Pro 4 (Model # 1724) the other day. I disabled secure boot and used Paladin 7 x64 live distro to perform acquisition into a connected USB external hard drive. The acquisition finished without any error but, when I checked the acquired image in FTK Imager/EnCase, the largest partition shows up as an Unrecognized file system. In the header of the partition I can see the ‘FVE-FS’ signature, but the operating system shows it does not have BitLocker enabled on the drive.

Would you happen to have any idea what might have gone wrong, and what can be done if we were to image the device again?

Would appreciate any thoughts, thanks so much in advance!!

 
Posted : 30/11/2018 1:33 am
(@dandaman_24)
Posts: 172
Estimable Member
 

Have had similar before, we restored the image to a HDD and connected it to a forensic machine where it showed up as being bitlockered, but mounted in the clear anyway. It was down to clear key encryption.

 
Posted : 30/11/2018 6:52 am
kastajamah
(@kastajamah)
Posts: 109
Estimable Member
 

Depending on the case, you might want to see if a BitLocker key can be generated from the device. You should be able to enter that key in EnCase and decrypt the partition. That will save you time with reimaging. Or you could do a live image from the device.

 
Posted : 30/11/2018 4:46 pm
watcher
(@watcher)
Posts: 125
Estimable Member
 

I believe that MS Surface Pros automatically implement BitLocker by default. It's almost certainly a BitLocker image. You'll need the Recovery Key to analyze it.

 
Posted : 30/11/2018 11:40 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

With Surface Pros, I think disabling secure boot deletes the BitLocker key from the device.
Prior to this, the easiest way is to boot into the device and create an image of the decrypted filesystem.
Other than this, a copy of the recovery key is located in the OneDrive account of the MS account linked to the device, if there is one.

 
Posted : 03/12/2018 8:32 am
 Dimi
(@dimi)
Posts: 13
Active Member
 

This worked for me.

https://lockandcode.com/software/windows-rt-acquisition-tools

 
Posted : 03/12/2018 10:50 am
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

This worked for me.

https://lockandcode.com/software/windows-rt-acquisition-tools

That's for the old Windows tablets running a mobile processor; it won't work for any of the newer Surfaces.

 
Posted : 03/12/2018 11:08 am
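
A quick triage for the situation in the opening post, as an added example that is not code from the thread or from any tool named in it: it walks the primary GPT of a raw (dd-style) image and reports which partitions carry the -FVE-FS- boot-sector signature. It assumes 512-byte logical sectors; the function names and the sample image are constructed for illustration.

```python
import io, struct, sys

SECTOR = 512            # assumption: 512-byte logical sectors in the image
FVE_SIG = b"-FVE-FS-"   # OEM ID at byte 3 of a BitLocker volume's boot sector

def gpt_partitions(img, sector=SECTOR):
    """Yield (name, first_lba) for every used entry in the primary GPT."""
    img.seek(sector)                      # primary GPT header lives at LBA 1
    hdr = img.read(92)
    if len(hdr) < 92 or hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1 (MBR disk or wrong sector size?)")
    table_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    if size < 128 or count > 1024:
        raise ValueError("implausible GPT entry table")
    img.seek(table_lba * sector)
    for _ in range(count):
        entry = img.read(size)
        if len(entry) < size or entry[:16] == bytes(16): continue  # short/unused
        first_lba = struct.unpack_from("<Q", entry, 32)[0]
        name = entry[56:128].decode("utf-16-le", "replace").split("\x00")[0]
        yield name, first_lba

def triage(img, sector=SECTOR):
    """Return [(name, first_lba, has_fve_signature)] for each partition."""
    def has_fve(lba):
        img.seek(lba * sector + 3)
        return img.read(8) == FVE_SIG
    return [(n, lba, has_fve(lba)) for n, lba in list(gpt_partitions(img, sector))]

def sample_image():
    """Constructed three-partition GPT image for a dry run (not case data)."""
    buf = bytearray(64 * SECTOR)
    buf[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", buf, SECTOR + 72, 2, 128, 128)
    parts = [("EFI system partition", 34, b"MSDOS5.0"),
             ("Basic data partition", 40, FVE_SIG), ("Recovery", 50, b"NTFS    ")]
    for i, (name, lba, oem) in enumerate(parts):
        off = 2 * SECTOR + i * 128
        buf[off:off + 16] = bytes([i + 1]) * 16      # dummy non-zero type GUID
        struct.pack_into("<Q", buf, off + 32, lba)
        buf[off + 56:off + 56 + 2 * len(name)] = name.encode("utf-16-le")
        buf[lba * SECTOR + 3:lba * SECTOR + 11] = oem
    return io.BytesIO(bytes(buf))

if __name__ == "__main__":
    img = open(sys.argv[1], "rb") if len(sys.argv) > 1 else sample_image()
    for name, lba, fve in triage(img):
        print(f"LBA {lba:>10}  {'-FVE-FS- present' if fve else 'no FVE signature'}  {name}")
```

The signature shows only that the volume is in BitLocker's on-disk format; it does not say which key protectors are present.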