Pre-Requisites:
- 4-port USB hub
- Flash Drive (Paladin bootable) – https://sumuri.com/make-your-own-paladin-usb-2/ created with UNetbootin – https://unetbootin.github.io/
- USB hard drive for evidence collection, minimum 1.5x capacity of device being imaged
- Keyboard
- Mouse
- *Keyboard/mouse can be either wired USB or one that uses an RF dongle (no Bluetooth).
UEFI Configuration:
Make sure the device is fully powered down (not in standby state) by holding down the power button (15-30 seconds) until the screen goes black.
Remove the Surface Pro keyboard and disconnect any accessories.
Boot to the UEFI configuration (BIOS) by holding down the Volume-Up button while pressing the power button. Release the power button and keep holding the Volume-Up button until you see the Surface logo.
Under Security, turn off Secure Boot.

Under Boot configuration, select “USB Storage” and drag it to the top of the list.

Power off the device again.
Booting with Paladin:
Connect the USB hub to the Surface Pro.
Attached to the USB hub you should have:
- Flash Drive (Paladin bootable) – https://sumuri.com/make-your-own-paladin-usb-2/
- USB hard drive for evidence collection
- Keyboard
- Mouse
- *Keyboard/mouse can be either wired USB or one that uses an RF dongle (no Bluetooth).

PRO Tip – if the USB hub has power buttons for the individual ports, make sure all the ports are powered on. 😉 Yes, I did spend about 10 minutes troubleshooting this. (Mondays)
Hold down the Volume-Down button and press the Power button. Continue holding the Volume-Down button until you see the Surface logo.
The system should now boot to the Paladin USB.

Select the default (top) option – Sumuri Paladin Live Session – Forensic Mode

Once booting is complete, you will be presented with the Paladin Desktop.

Imaging:
Click on the shortcut for Paladin Toolbox.
Note the warning about dates/times and click OK.

Select the Source Device. In this case I’m choosing /dev/sda, which will be the entire disk (3 partitions) on the host hard drive.
Specify the image format: Expert Witness Format, EWF (E01).
Populate the case details for the EWF based on case requirements.

Specify the image Destination.

Label: $hostname of the asset
Check “Verify after creation”.
Click Start.

A full disk image and verification will take several hours. When completed you will see “Image completed” and “Verification completed” in the green text at the bottom.
Click on the shield in the left corner and select the power button icon to shut down.
Disconnect the bootable USB drive and your destination USB drive.
Verify the files/folders created by mounting the external USB drive on your examination system.
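The last step above only says to check that the files exist. The script below is an added example (not from the original post and not SUMURI's code) of what an examiner can run on the examination system once the evidence drive is mounted: it confirms the E01 segment set is gap-free, records a SHA-256 manifest of every segment for chain of custody, and, where libewf's ewfverify is installed, re-checks the hash stored inside the image. The paths /mnt/evidence and the label SURFACE-HOST are constructed placeholders; it assumes GNU coreutils (sha256sum).

```shell
#!/usr/bin/env bash
# Added example: post-acquisition check of an EWF (E01) segment set.
# Assumes sha256sum is available; ewfverify (libewf) is optional.
# Example paths below are constructed placeholders, not from the post.

# list_e01_segments DIR BASE
# Prints BASE.E01, BASE.E02, ... in order, stopping at the first missing
# number. Returns 1 if no segment was found. (EWF continues with .EAA
# after .E99; this helper covers sets of up to 99 segments.)
list_e01_segments() {
    dir=$1 base=$2 n=1 found=0
    while :; do
        seg=$(printf '%s/%s.E%02d' "$dir" "$base" "$n")
        [ -f "$seg" ] || break
        printf '%s\n' "$seg"
        found=$((found + 1))
        n=$((n + 1))
    done
    [ "$found" -gt 0 ]
}

# check_e01_set DIR BASE
# Fails if the numbering has a gap (a higher-numbered segment exists after
# a missing one), otherwise writes DIR/BASE.sha256 with one hash per
# segment and runs ewfverify against the stored image hash when available.
# Returns 0 on success, 1 on a missing or incomplete segment set.
check_e01_set() {
    dir=$1 base=$2
    segs=$(list_e01_segments "$dir" "$base") || {
        echo "no segments for $base in $dir" >&2
        return 1
    }
    count=$(printf '%s\n' "$segs" | wc -l)
    # Every BASE.E?? file should be part of the contiguous run.
    total=$(ls "$dir"/"$base".E[0-9][0-9] 2>/dev/null | wc -l)
    if [ "$total" -ne "$count" ]; then
        echo "segment gap: $count contiguous of $total segment files" >&2
        return 1
    fi
    manifest="$dir/$base.sha256"
    : > "$manifest"
    printf '%s\n' "$segs" | while IFS= read -r seg; do
        sha256sum "$seg" >> "$manifest"
    done
    echo "hashed $count segment(s) -> $manifest"
    if command -v ewfverify >/dev/null 2>&1; then
        # Recomputes the image hash and compares it with the one stored in the E01
        ewfverify "$dir/$base.E01"
    else
        echo "ewfverify not installed; stored-hash check skipped" >&2
    fi
    return 0
}

# Usage on the examination system (constructed example path and label):
# check_e01_set /mnt/evidence SURFACE-HOST
```

Keep the .sha256 manifest with the case notes; re-running the hashing later against the same files is the quickest way to show the evidence copy has not changed between acquisition and analysis. The manifest covers the segment files on disk, while ewfverify checks the acquisition hash stored inside the image, so the two checks answer different questions.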
You fail to mention how you tackle BitLocker encryption on the disk image you have just taken. You should also let readers know that by disabling Secure Boot, when they next try to boot the tablet it will refuse until given the BitLocker recovery key. (There are some exceptions to this when the BitLocker clear key is present on the disk.) There are other solutions out there that don’t require disabling Secure Boot, such as WinFE.
Thanks for reading, AmNe5ai. The process above (by imaging the root /sda) maintains the BitLocker encryption on any partitions where it is enabled. When the evidence is analyzed (in a corporate scenario) we are leveraging the BitLocker recovery keys for the assets. Several tools, including Magnet Axiom and Arsenal Image Mounter, support entering the recovery key to decrypt and mount the .E01 contents.
Love that keyboard!
I would have appreciated a warning for non-corporate readers about the effects of automatic BitLocker encryption on Surface laptops when disabling Secure Boot.
I followed this tutorial to image my deceased father-in-law’s PC and now I don’t think we’ll have access due to automatic BitLocker encryption.