Forensic Imaging a Microsoft Surface Pro

Pre-Requisites:

UEFI Configuration:

Make sure the device is fully powered down (not in standby state) by holding down the power button (15-30 seconds) until the screen goes black.

Remove the Surface Pro keyboard and disconnect any accessories

Boot to the UEFI configuration (BIOS) by holding down the Volume-Up button while pressing the power button. Release the power button and hold the volume button until you see the Surface logo.

Under Security turn off Secure Boot

UEFI Security

Under Boot configuration select “USB Storage” and drag to the top of the list.

UEFI Boot configuration

Power off the device again.

Booting with Paladin

Connect the USB hub to the Surface Pro.

Attached to the USB hub you should have:

USB hub and peripherals

PRO Tip – if the USB hub has power buttons for the individual devices make sure all the ports are powered on. 😉  Yes, I did spend about 10 minutes troubleshooting this. (Mondays)

Hold down the Volume-Down key and press the Power button. Continue holding the Volume-down button until you see the Surface logo.

System should now boot to the Paladin USB

Booting from Paladin USB

Select the default (top) option – Sumiri Paladin Live Session – Forensic Mode

Boot menu selection

Once booting is complete, you will be presented with the Paladin Desktop.

Paladin Desktop on Surface Pro

Imaging:

Click on shortcut for  Paladin Toolbox

Note the Warning about Dates/Times and click OK

Date/time warning

Select the Source Device. In this case I’m choosing /dev/sda which will be the entire disk (3 partitions) on the host hard drive.

Specify the image format: Expert Witness Format, EWF (E01)


Populate the case details for the EWF based on case requirements

Populate E01 Case Information

Specify the image Destination

Specify Destination Drive

Label: $hostname of asset

Check Verify after creation

Click Start

Imaging in process

A full disk image and verification will take several hours. When completed you will see Image completed and Verification completed in the green text at the bottom.

Click on the shield in the left corner and select the power button icon to shut down.

Disconnect the bootable USB drive and your destination USB drive.

Verify files/folders created by mounting the external USB drive to your examination system.

4 thoughts on “Forensic Imaging a Microsoft Surface Pro

  1. You fail to mention how you tackle Bitlocker Encryption on the disk image you have just taken. You should also let readers know that by disabling secure boot when they next try to boot the tablet it will refuse until given the BitLocker recovery key. (There are some exceptions to this when the bitlocker clearkey is present on the disk). There are other solutions out there that don’t require disabling secure boot, WinFE.

    Like

  2. Thanks for reading, AmNe5ai. The process above (by imaging the root /sda) maintains the BitLocker encryption on any partitions where it is enabled. When the evidence is analyzed (in corporate scenario) we are leveraging the Bitlocker recovery keys for the assets. Several tools including Magnet Axiom and Arsenal Image Mounter support entering the recovery key to decrypt and mount the .E01 contents.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s