Cybersecurity

Forensically Imaging a Microsoft Surface Pro 4

Coalfire Cybersecurity Team

August 29, 2017

This content is provided "as is" and is more than a year old. No representations are made that the content is up-to date or error-free. 

Working on digital forensics can sometimes create some challenging situations. Recently, we received a couple of Microsoft Surface Pro tablets to image and analyze. Having conducted forensics for a while, I realized that, depending on the version, imaging this tablet could be a challenge. Some setbacks normally associated with Surface tablets include not being able to remove the hard drive, the inability to place the device in target mode, and the hardware being very finicky about what OS can and cannot boot. Ultimately, the challenge comes down to having to use the tablet itself to perform the image, and the only option for input is a single USB port. 

To refresh my memory, I conducted a little online research on the process of imaging a Surface Pro 4 tablet, which revealed a myriad of responses to try. Most of these either stated “try this” or “exactly follow these directions,” but none seemed to be complete solutions. I even tried facing north, standing on one foot, holding various buttons during bootup, chanting various phrases, but nothing worked. So, piecing together what did work and eliminating what didn’t, I finally achieved my objective and was able to successfully boot and image the internal hard drive with no further problems at all.

With these challenges in mind, I felt it could be of benefit to others out there who run into the same situation to have a complete set of guidelines for imaging a Surface Pro 4 tablet. The following instructions utilized various programs to get the job done. Please note that I am not promoting or advocating the use of a specific program; but in my case, this is what worked for me.

To begin with, here is a list of the software/hardware I used to access the Surface tablet and image it successfully: 

  1. USB hub with external power, with at least four available ports
  2. USB flash drive (minimum 8GB, preferably 16GB or more)
  3. USB external hard drive with enough space to hold the contents of the Surface Pro internal hard drive
  4. USB keyboard
  5. USB mouse
  6. Software: Rufus (to create the bootable USB drive from an ISO image)
  7. Software: Paladin (v7) ISO image

The first step is to boot to an external drive. To begin, I created my bootable USB drive with Paladin. For complete transparency, I tried several different software images, but Paladin was the only one that eventually worked for me. I used Rufus to create the bootable USB drive from an ISO image of Paladin. The one real caveat here is that when creating the bootable USB flash drive, you must use the “GPT partition scheme for UEFI” during the creation of the bootable flash drive. I tried the MBR but it would never successfully boot the table. The GPT partition scheme made all the difference and worked perfectly. The other options I selected in Rufus were file system Large FAT32 and 32 kilobytes cluster size, both of which are default settings (as shown in Figure 1). Select the Paladin ISO image from your local system and click start to create the bootable flash drive. When done, you can exit Rufus and remove the USB from the system. First hurdle completed.

Figure 1 - Creating a bootable USB from Paladin ISO

The next step is to prepare the Surface Pro 4 tablet. This part is well documented by Microsoft. While powering up the tablet, hold down the Volume Up button while pressing power. Once turned on and the “Surface” icon is displayed, let go of the Volume Up button. Enter the UEFI settings. The first tab, PC Information, provides you all the hardware and firmware version information for the tablet (this is for informational purposes only). The second tab on the left column, Security, is where you start to make changes. Enter the Secure Boot Change Configuration tab and ensure the Secure Boot configuration is set to “none.” Note all original settings so you can return the settings to their original configuration after imaging is complete. In my case, I had to disable the Trusted Platform Module (TPM), although some other descriptions out there say you do not have to do this step. In the Devices tab, ensure the USB and all devices are set to On. The last changes that need to be made are in the Boot Configuration tab. Move the USB Storage device to the top of the boot order and save the settings. At this point, all changes to the “BIOS” (or what the Surface Tablet considers the BIOS) are complete, and it’s time to shut down and reboot the tablet.

In order to boot the tablet, I had to remove the native Surface Pro 4 tablet keyboard. With the keyboard connected, every attempt to completely boot Paladin failed and it was impossible to continue. This is where a USB hub comes in handy. Remove the native keyboard, connect the USB hub to the tablet and then connect the bootable USB flash drive to the hub, the external keyboard and mouse to the hub, and finally the USB external storage hard drive that you intend to save the internal image to, and it boots as expected.

You are now ready to boot the tablet and complete what many others have seemingly failed to do! Boot the tablet, this time holding down the Volume Down button while powering on the tablet. Again, release the Volume Down button when the “Surface” icon is displayed. This time, the next screen will be the Paladin boot menu (see Figure 2). Select the option “Sumuri Paladin Live Session – Forensic Mode” and let the tablet continue to boot completely into Paladin. 

Figure 2 - Paladin boot menu

Once completely booted, select the “Paladin Toolbox” icon on the bottom toolbar (which should be the far-left icon that appears to be a shield with a toolbox icon embedded on it)

Figure 3 - Paladin, booted.

Now it’s time to image the drive. From here on out, if you’ve used Paladin before, it’s pretty straight forward and the tl;dr on that is “congratulations.” But since I was on a roll taking screenshots, I’ve included the rest of the process, added a few tips, and highlighted some nuances in the process below for those that may be interested. 

First, ensure it sees all the drives connected to the system. Select the “Disk Imager” function, which is a tab on the left-hand side task bar. Once you select the Disk Imager, select/highlight the external storage where you want to save the image files (your destination drive) and then select the “Mount-RW” icon below it to mount the drive Read-Write, which will allow you to save/write data to it.

In Figure 4 below, you can identify that the internal drive (/dev/nvme0n1) is recognized as well as the four (4) partitions on it. You can also see the external storage drive connected to the USB hub (/dev/sda) and the USB flash drive (/dev/sdb), which contains the Paladin OS to which the system booted.

Figure 4 - Paladin Disk Manager

Once your external storage drive has been mounted, select the “Imager” tab on the left-hand task bar, and then select the source drive you wish to image (it’s preferable to image the entire drive; however, you could opt to just select individual partitions as shown below in figure 5).

Figure 5 - Paladin, selecting source drive

Then, select the output format you wish the image to be saved in. As you can see from the drop down menu for the “Image Type” field, Paladin offers numerous options. For the purposes of this example, the “dd (RAW)” format has been selected. This is a mandatory field and must be filled out.

Figure 6 - Paladin, selecting image type

Next, select the drop down menu for the “Destination” field and select your external drive. Note, you should select the external drive that is the partition. For example, the external drive is identified as /dev/sda, and the first partition is identified as /dev/sda1 (this is the partition that showed up after we mounted the drive as RW in the previous steps outlined above). This is a mandatory field as well.

Figure 7 - Paladin, selecting destination drive

In the “Label” field, you must enter a description. This description will be the folder/directory name created on the external drive in which the image will be saved. In this instance, “XXXXXX_Whole_Drive” is not only the description used to name the folder/directory on the external drive, but the file name will also be “XXXXXX_Whole_Drive.xxx” and saved inside the folder/directory created. This label field is mandatory (as you might imagine). Also note that in this figure the options are selected to “Verify after creation” as well as “Segment Size.” This instructs Imager to verify the image after creation and to segment the final image into 4GB sections versus saving it into one large file.  (NOTE: In this example, 4GB was used as the segment size; however, the segment size is also dependent upon the file system used to format the external drive. FAT32 has a file size limit of 2GB, whereas this drive was formatted using NTFS, which allowed the larger file size of 4GB.) These options are NOT mandatory and may be left blank. However, I advise to verify the image after creation; it doesn’t take very much time and can avoid future troubleshooting nightmares. The segmenting of the image is up to the examiner’s discretion/preference.

Figure 8 - Paladin, final few options...

After you have completed the setup, mounting the external storage RW, and selecting your source, image type, destination, label, and options, select “Start” to initiate the imaging. During the imaging of the source, you will see a status/progress bar as well as status updates on the bottom of the screen.

Figure 9 - Paladin, finally at work!

Once imaging is complete, Imager will create a popup window showing the status and completion of the image.

Figure 10 - Paladin log review

When that’s done, verify the image was saved to the external storage device. You will also see that several other log files have been saved to the output directory, such as logs showing the command lines used during this operation, process logs, verification logs, and hash logs. These logs are very important artifacts in a forensic investigation that come in handy if you ever get called to testify!

Once imaging all the drives/partitions is complete, you can shut down Paladin. After Paladin has shut down, disconnect the USB hub (with the mouse, keyboard, USB flash drive, and USB external storage drive), reconnect the native keyboard and reboot the system into the UEFI settings (described above).  Return the settings back to their original settings, restart, and ensure the system boots normally.

Congratulations—at this point, the process is complete.

Using FTK, Encase, or another forensic suite, import the image file and verify the image was completed successfully and is readable. Remember, imaging the entire physical drive of an encrypted device will require the decryption key to access the contents of the drive. Thus, it may be necessary to obtain the BitLocker key, or other decryption key, to access and read the image. 

This completes the imaging process of the Surface Pro 4.

The above is a product of many trial-and-error attempts and ultimately allowed me to access the contents of the drive successfully using my forensic tool of choice.

I hope this guide will aide you in the imaging of a Surface Pro 4 successfully!