HELP! : How to image a Windows Surface RT (ARM)

4Rensics
(@4rensics)
Posts: 255
Reputable Member
Topic starter
 

Morning.

I'm currently battling with a Windows Surface RT running on the old ARM chipset. (The Surface is from 2013)

There is no boot to BIOS/UEFI. So I've had to boot to Windows (8.1 I think) but I can't run FTK Imager Lite or command line because they are not signed by Microsoft and the exes won't run.
I found a dd.exe to try, but same as above again.

Does anybody know of any tools that I can use to get an image of this 32GB eMMC? (Chip off is not an option…yet!)

Any help much appreciated.

4F

 
Posted : 08/03/2019 10:36 am
(@mahoney)
Posts: 2
New Member
 

Volume+ and power key should get you to the UEFI. If this doesn't work on your ARM tablet you may still be able to boot from USB.

Secure Boot only allows 'trusted' OSs, of which Ubuntu is one. You'll need to edit the boot config files from your Kali/Backtrack bootable USB to resemble the trusted Ubuntu ones. Fingers crossed, the Surface you have is set to try to boot from USB first.

Also try Volume- and power key to get to the boot menu.

 
Posted : 08/03/2019 11:58 am
4Rensics
(@4rensics)
Posts: 255
Reputable Member
Topic starter
 

Thank you. Maybe it wasn't working because I was trying with a Paladin USB. I'll try with my Kali USB and see if that works. I did try booting with the Vol up and Vol down to no effect.

Thanks.

 
Posted : 08/03/2019 2:56 pm
hectic_forensics
(@hectic_forensics)
Posts: 40
Eminent Member
 

Try connecting the Paladin USB with a powered USB hub. That has worked for me in the past - obviously with any Secure Boot etc disabled.

 
Posted : 11/03/2019 9:27 am
AccessDenied
(@accessdenied)
Posts: 6
Active Member
 

Thank you. Maybe it wasn't working because I was trying with a Paladin USB. I'll try with my Kali USB and see if that works. I did try booting with the Vol up and Vol down to no effect.

Thanks.

Hello,

Did you have any success acquiring this Surface? I have a Surface RT Model 1516 and the device just won't boot into UEFI when the Vol+ and Power buttons are pressed.

Any suggestions would be appreciated.

Cheers

 
Posted : 20/03/2019 3:17 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

You can use YUMI to create a UEFI compatible Live USB with Kali Linux that will work with Surfaces

https://www.pendrivelinux.com/yumi-multiboot-usb-creator/

I have multiple working 8GB Live USB Kingston brand drives I can image to a DD file and upload to you if you wish. You will need to write the DD image to your own USB drive, but once done correctly, you will be able to boot your Surface to Kali and then use Guymager within Kali to make a forensic image of the Surface.

My experience with Surfaces is that Surfaces come from the factory Bitlocker encrypted standard and Microsoft does NOT provide the Bitlocker keys!!!!!

So, you might be left with capturing a live forensic image.

 
Posted : 20/03/2019 6:00 pm
AccessDenied
(@accessdenied)
Posts: 6
Active Member
 

Thanks for the info, would appreciate if you could create a DD image of them.

Cheers

 
Posted : 21/03/2019 8:03 am
(@mahoney)
Posts: 2
New Member
 

My experience with Surfaces is that Surfaces come from the factory Bitlocker encrypted standard and Microsoft does NOT provide the Bitlocker keys!!!!!

Workaround for the factory BitLocker encryption
1. Copy the DD image bit-for-bit onto a blank USB drive.
2. Attach the USB to a Windows machine via a USB write-blocker.
3. Windows will automatically decrypt the drive.
4. Use FTK Imager to re-image as a logical drive.

Workaround for user-encrypted BitLocker encryption
1. After you get your physical DD image, boot the Surface normally and login (you'll need a local Admin account).
2. Launch CMD and run manage-bde -protectors -get C: -Type RecoveryPassword
3. Make a note of the long numerical password.
4. You can use EnCase or Nuix to decrypt your physical DD image, or continue below
5. Copy the DD image bit-for-bit onto a blank USB drive.
6. Attach the USB to a Windows machine via a USB write-blocker.
7. Windows will prompt for the recovery password - enter it here to decrypt the drive.
8. Use FTK Imager to re-image as a logical drive.

 
Posted : 21/03/2019 10:24 am
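
Added example, not part of any post in this thread: a quick triage of a raw DD image that walks the GPT and reports which partitions carry the BitLocker boot-sector OEM ID (`-FVE-FS-`), so you know which volumes need one of the workarounds above. It assumes 512-byte sectors and a GPT-partitioned disk; the sample image is constructed in memory and `build_sample_image` is a hypothetical helper for the demonstration.

```python
import io
import struct

SECTOR = 512                 # assumption: 512-byte logical sectors in the image
BITLOCKER_OEM = b"-FVE-FS-"  # OEM ID at byte 3 of a BitLocker volume's boot sector

def list_partitions(img):
    """Return (name, first_lba, oem_id) for every used GPT entry of a raw image."""
    img.seek(SECTOR)                      # GPT header lives at LBA 1
    hdr = img.read(92)
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    found = []
    for i in range(count):
        img.seek(entries_lba * SECTOR + i * size)
        ent = img.read(size)
        if len(ent) < 128 or ent[:16] == bytes(16):   # short read or unused slot
            continue
        first_lba = struct.unpack_from("<Q", ent, 32)[0]
        name = ent[56:128].decode("utf-16-le", errors="replace").split("\x00")[0]
        img.seek(first_lba * SECTOR + 3)  # skip the 3-byte jump instruction
        found.append((name, first_lba, img.read(8)))
    return found

def bitlocker_partitions(img):
    """Names of partitions whose boot sector carries the BitLocker OEM ID."""
    return [n for n, _, oem in list_partitions(img) if oem == BITLOCKER_OEM]

def build_sample_image():
    """Constructed 64-sector test image: one NTFS and one BitLocker partition."""
    disk = bytearray(64 * SECTOR)
    hdr = bytearray(92)
    hdr[:8] = b"EFI PART"
    struct.pack_into("<QII", hdr, 72, 2, 4, 128)   # entries at LBA 2, 4 slots of 128 bytes
    disk[SECTOR:SECTOR + 92] = hdr
    for slot, (name, lba, oem) in enumerate([("Recovery", 40, b"NTFS    "),
                                             ("Basic data partition", 48, BITLOCKER_OEM)]):
        ent = bytearray(128)
        ent[:16] = b"\x01" * 16                    # placeholder type GUID, not a real one
        struct.pack_into("<QQ", ent, 32, lba, lba + 7)
        raw = name.encode("utf-16-le")
        ent[56:56 + len(raw)] = raw
        disk[2 * SECTOR + slot * 128:2 * SECTOR + (slot + 1) * 128] = ent
        disk[lba * SECTOR + 3:lba * SECTOR + 11] = oem
    return io.BytesIO(bytes(disk))

if __name__ == "__main__":
    print(bitlocker_partitions(build_sample_image()))
```

To run it against a real acquisition, pass a file opened read-only in binary mode (for example `open("surface.dd", "rb")`, a placeholder filename) to `bitlocker_partitions`.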
(@tic-tac)
Posts: 24
Eminent Member
 

You can't boot any other OS than Windows RT on those ARM devices. Microsoft have made sure that the secure boot will stay on at all times. There have been some successful attempts in the past at disabling the secure boot (e.g. this discussion - https://forum.xda-developers.com/windows-8-rt/rt-development/disabling-secure-boot-surface-rt-t3360721), however all those security holes have been patched by Microsoft.

If it is a fully up to date Windows RT 8.1 device, your chances of booting any other OS are very, very slim. Even if you would succeed, you would need an OS that can run on an ARM CPU, and some custom drivers most likely.

 
Posted : 21/04/2019 6:15 pm
 IanR
(@ianr)
Posts: 1
New Member
 

You can use YUMI to create a UEFI compatible Live USB with Kali Linux that will work with Surfaces

https://www.pendrivelinux.com/yumi-multiboot-usb-creator/

I have multiple working 8GB Live USB Kingston brand drives I can image to a DD file and upload to you if you wish. You will need to write the DD image to your own USB drive, but once done correctly, you will be able to boot your Surface to Kali and then use Guymager within Kali to make a forensic image of the Surface.

My experience with Surfaces is that Surfaces come from the factory Bitlocker encrypted standard and Microsoft does NOT provide the Bitlocker keys!!!!!

So, you might be left with capturing a live forensic image.

I currently have a Surface 1 (RT) on my desk as part of a job.
I've also managed to acquire a test device which is doing a good imitation of a brick as far as booting into anything other than its onboard copy of Windows 8.1 😯

Before I resort to switching on the subject one and copying the files to a pen drive… would you be so kind as to send me the DD? Any tips for turning off the safe boot switch would be most welcome (I've tried (with a test device) volume up while powering on; all I get is a black screen, requiring a 30 second power button hold to power down)

Many Thanks
Ian

 
Posted : 02/05/2019 8:37 am