This paper reports an attempt at digital forensic data acquisition and analysis of Microsoft's Surface RT 2 tablet running the Windows 8.1 RT operating system. It lists the device's specifications (system, CPU, and input/output options), describes the steps taken throughout the process, and then the issues encountered. Data acquisition is difficult at this time because of the system's controlled and locked-down architecture. Even in this controlled environment, data can still be extracted, by means that are not considered forensically sound, through the system's File History backup option, and live analysis of data on the tablet is also explored. As a reflection on the acquisition and analysis of the Surface RT 2, a section on the issues encountered discusses the difficulties met in this research as well as the problems investigators are most likely facing now. The paper concludes by discussing how jailbreaking the tablet could open a path to imaging these devices, and the implications of the device's processor for that approach.
Microsoft Surface RT 2 Tablet
The electronics market pushes out new products every year, each a little different from the last. For forensic investigators this can be overwhelming, as there are almost too many devices to count. Microsoft released the updated Surface tablet, known as the Surface 2 (RT), in October 2013 (Microsoft, 2014). The Surface RT 2 uses the Windows 8.1 RT operating system as its primary interface. Windows 8.1 RT makes the tablet controlled and locked down in what it allows the end user to do: it runs only code carrying an approved Microsoft signature. This is the tablet's main difference from the Intel-based Surface Pro 2, which runs full Windows 8.1, and it makes the acquisition phase far more difficult for forensic investigators.
Operating system: Windows 8.1 RT
Processor: NVIDIA Tegra 4 quad-core, 1.71 GHz (ARM)
Ports: (1) USB 3.0; (1) 3.5 mm headphone jack; magnetic power connector; magnetic keyboard connector
Wireless: Wi-Fi (802.11 a/b/g/n)
Cameras: 3.5 megapixel front-facing; 5.0 megapixel rear-facing
Buttons: touch Windows button; sleep/wake button
Steps of the Process
The first step, before data acquisition, was to identify all of the input and output devices on our Surface RT 2 tablet, since these are the only ways into the system to acquire the data needed for the analysis phase. One of the most frustrating aspects of Windows 8.1 RT is how locked down it is and how little advanced control the end user has over the device. To get past this I researched ways to jailbreak the tablet and found that there is currently no released or documented jailbreak procedure for Windows 8.1 RT on the Surface RT 2. There is a jailbreak for Windows RT 8.0, but Microsoft patched the hole it used, and on 8.1 the kernel's PatchGuard (Kernel Patch Protection) detects the in-memory kernel modification that jailbreak relies on: attempting it on an 8.1 device produces a blue screen of death (BSOD). Developers at xda-developers.com are currently working on a workaround for these issues (XDA, 2014). Until then, imaging the Surface RT 2 is out of the question. The closest thing to data acquisition is live analysis combined with the device's "File History" option to copy the user's known files to an external drive.
To use the File History option on the Surface RT 2 one must know the device's password. Password-cracking tools will not run on the tablet, because it refuses to execute any program that lacks an approved signature, and no alternative boot options are available to the end user because Secure Boot is enabled, and cannot be turned off, on all Surface RT 2 tablets. Microsoft's recommendation for resetting a password is either to reset it online, if the account is a Microsoft Account, or to reset the tablet to factory settings with the option to keep the user's files. The latter is very risky for a forensic investigator: the reset could overwrite data in unallocated space, permanently remove deleted files, delete system data, and clear metadata. In this scenario the suspect has given the password willingly.
The File History option is found under Control Panel → System and Security → File History. I connected an external hard drive to the device and chose it as the File History destination. File History copies files from the user's libraries, desktop, contacts, and favorites. It does not make an image of the drive and does not copy deleted files, metadata, or logs, but it is the closest thing to data acquisition available at this time. Note that turning File History on is itself a change to the evidence device (Windows writes its File History configuration under the user's profile and a catalog to the destination drive), so the action and its time should be documented. For other information, the investigator can also use live analysis to search the registry and the user-specific program files in File Explorer.
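As an added example (not part of the original paper), the following Python script processes a File History export of the kind described above on the examiner's workstation, and supplies the hashing step whose absence is noted under the issues later in the paper. It assumes the standard File History layout, FileHistory\<user>\<machine>\Data\<drive>\<original path>, in which each saved version is named "<name> (YYYY_MM_DD HH_MM_SS UTC).<ext>"; the sample tree, the user name EndUser, the machine name SURFACE, and the file contents are constructed here for illustration only. It records a SHA-256 hash for every copied file at collection time, rebuilds the version history of each original path (a store the user kept themselves may hold several versions of one file), and later re-verifies the hashes, reporting any stored copy that has changed.

```python
"""Manifest and version history for a Windows File History export.

Added example, not the paper's own tooling. Paths, names and contents of the
sample export are constructed for illustration.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

# File History saves each version as "<stem> (YYYY_MM_DD HH_MM_SS UTC)<ext>"
# under FileHistory\<user>\<machine>\Data\<drive>\<original path>.
VERSION_RE = re.compile(
    r"^(?P<stem>.*) \((?P<ts>\d{4}_\d{2}_\d{2} \d{2}_\d{2}_\d{2}) UTC\)(?P<ext>\.[^.]+)?$"
)


def parse_version_name(name):
    """Return (original file name, version time as UTC datetime), or None."""
    m = VERSION_RE.match(name)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y_%m_%d %H_%M_%S")
    return m.group("stem") + (m.group("ext") or ""), ts.replace(tzinfo=timezone.utc)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(export_root):
    """Hash every versioned file below a Data\ folder and record its origin."""
    manifest = []
    for dirpath, _dirs, files in os.walk(export_root):
        parts = os.path.relpath(dirpath, export_root).split(os.sep)
        if "Data" not in parts:
            continue  # Configuration\ (Catalog*.edb, Config*.xml) and stray files
        original_dir = os.sep.join(parts[parts.index("Data") + 1:])  # e.g. C\Users\EndUser\Documents
        for name in sorted(files):
            parsed = parse_version_name(name)
            if parsed is None:
                continue
            original_name, version_time = parsed
            full = os.path.join(dirpath, name)
            manifest.append({
                "original": os.path.join(original_dir, original_name),
                "version_time": version_time,
                "stored_as": full,
                "size": os.path.getsize(full),
                "sha256": sha256_file(full),
            })
    return manifest


def version_history(manifest):
    """Group saved versions by original path, oldest first."""
    history = defaultdict(list)
    for entry in manifest:
        history[entry["original"]].append(entry)
    for versions in history.values():
        versions.sort(key=lambda e: e["version_time"])
    return dict(history)


def verify_manifest(manifest):
    """Re-hash every stored copy; return originals whose copy no longer matches."""
    return [e["original"] for e in manifest if sha256_file(e["stored_as"]) != e["sha256"]]


def make_sample_export(root):
    """Constructed sample tree in File History layout (not real evidence)."""
    base = os.path.join(root, "FileHistory", "EndUser", "SURFACE", "Data", "C", "Users", "EndUser")
    samples = {
        ("Documents", "notes (2014_03_04 21_10_05 UTC).txt"): b"meeting at noon\n",
        ("Documents", "notes (2014_03_05 09_42_17 UTC).txt"): b"meeting moved to 3pm\n",
        ("Pictures", "IMG_0042 (2014_03_05 09_42_17 UTC).jpg"): b"\xff\xd8\xff\xe0fake-jpeg",
    }
    for (folder, name), content in samples.items():
        os.makedirs(os.path.join(base, folder), exist_ok=True)
        with open(os.path.join(base, folder, name), "wb") as f:
            f.write(content)
    cfg = os.path.join(root, "FileHistory", "EndUser", "SURFACE", "Configuration")
    os.makedirs(cfg, exist_ok=True)
    with open(os.path.join(cfg, "Catalog1.edb"), "wb") as f:
        f.write(b"\x00" * 16)  # catalog placeholder; skipped by build_manifest
    return root


def demo():
    """Collect, print a timeline, then show the hash check catching a change."""
    root = make_sample_export(tempfile.mkdtemp())
    manifest = build_manifest(root)
    history = version_history(manifest)
    for original, versions in sorted(history.items()):
        for v in versions:
            print(v["version_time"].isoformat(), v["sha256"][:12], v["size"], original)
    clean = verify_manifest(manifest)          # nothing touched yet -> []
    with open(manifest[0]["stored_as"], "ab") as f:
        f.write(b"!")                           # simulate a modified stored copy
    tampered = verify_manifest(manifest)       # -> the one altered original
    return manifest, history, clean, tampered


if __name__ == "__main__":
    m, h, clean, tampered = demo()
    print("originals:", len(h), "versions:", len(m), "clean:", clean, "tampered:", tampered)
```

The manifest (original path, version time, stored path, size, SHA-256) is what should be written to the case notes at collection time; running verify_manifest against the same export later is the integrity check that a live copy otherwise lacks.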
Given the lack of any acquisition method, live analysis with knowledge of the user's password is the best case scenario for investigators at this time. The Surface RT 2 does give access to regedit to view registry entries, and Windows Explorer shows networked drives and the user's SkyDrive for files that are not stored locally on the tablet. There are various applications to examine on the tablet; once signed in, the examiner can open any app the user uses. The Surface RT 2 has a Home Screen that shows apps as tiles the user can select. Some tiles change the image they display; the Netflix app, for example, cycles through images of the movies in the user's queue. One interesting thing about the Photo tile is that it shows photos from the user's photo list, and even when an image has recently been deleted the tile still uses the deleted image's thumbnail.
The Home Screen is not the only place to find information and reach applications. The Applications List (swipe up on the Home Screen, as though the list were hiding underneath it) shows all currently installed applications. There is also a Desktop screen that presents the tablet in much the same way as the main interface of previous Windows operating systems. File Explorer can be reached either way to explore the user's libraries, SkyDrive, and partitions. The C: drive shows three folders: Program Files, Users, and Windows. With hidden files and folders made visible, it also shows a ProgramData folder.
Within the ProgramData folder I found four folders: HP, Microsoft, Microsoft Help, and regid.1991-06.com.microsoft. The HP folder was curious; digging into it, I found that it had been created for a printer connected to the tablet, an HP Deskjet 3510 series, under C:\ProgramData\HP\windows\HP Deskjet 3510 series\XmlFileCache\ and some other folders, but none of the files contained specific information about spools or recently printed data.
C:\Users\ looked fairly standard compared with other Windows Users folders. It contained Default, Public, and the main user's folder. The main user's folder held the investigator's favorite low-hanging-fruit areas: AppData, Contacts, Desktop, Documents, Downloads, Favorites, Links, Music, Pictures, Saved Games, Searches, SkyDrive, and Videos. Within C:\Users\EndUser\Searches\ there are two files, Everywhere and Indexed Locations. Both show a history of visited URLs, and Indexed Locations also showed files that had been created or modified, but not files that were merely accessed. C:\Users\EndUser\AppData\Local\Microsoft\Windows\History\ also contains web history pages.
I found a folder called PicturePassword at C:\Users\EndUser\AppData\Local\Microsoft\Windows\PicturePassword\, which contains two versions of the picture our end user chose for their gesture password. The images are called Cloud and Sanitized. These pictures remained after the user switched from the character password to a gesture password and then back to a character password.
I found the user's desktop background photos by navigating to C:\Users\EndUser\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\, which held the different themes the user had been using. This is interesting because the photo used on our tablet does not exist in the user's normal photo album; this location seems to be the only place it is stored. The photo could have been synced from the user's SkyDrive or Microsoft account.
Without an image of the device, an investigator who can gain access with the gesture or character password and explore the suspect's Surface RT 2 through live analysis can still recover quite a lot of information. Several problems remain, however, when a forensic image of a suspect's device cannot be obtained.
Issues Encountered
Some of the issues encountered concern the live analysis itself. Live analysis is not considered 'forensically sound': there is no write blocker and no hashing mechanism to show that the data was not altered during the acquisition and analysis phases of the investigation (at minimum, the examiner should record every action taken and hash each copied file at the time it is collected). Live analysis also gives the investigator no view of deleted files or file-system metadata. Not having that information, and having no accepted method of proving that the device's data kept its integrity throughout the investigation, could cause problems if evidence is found and must be admissible in court.
The hardest part of this entire project was attempting to jailbreak the Surface RT 2 so that the data on the device could be imaged and acquired. The tablet offers no alternative boot process because Secure Boot cannot be disabled, so it boots only its own signed Windows RT installation, and once running it executes only programs downloaded from the Windows Store or ones carrying an approved Microsoft signature, with PatchGuard protecting the running kernel against the kind of in-memory patch the earlier jailbreak used. To image the tablet we would need either to reach the storage before the system boots or to run an imaging program such as FTK Imager on the device. Because Microsoft has approved no imaging software to run on the tablet and there is no jailbreak for it (yet), there is no publicly known way to image the Surface RT 2.
Another issue was getting past the tablet's password; Secure Boot would have caused big problems if I had not had the password. The tablet can be locked in two ways, with a Microsoft account or with a local password. In the past, to get past a password on a suspect's computer one could boot from a disk or USB stick and run a program that accessed the device's SAM hive and altered or removed the password hash, giving access to the user's information. The Surface RT 2 does not allow alternate booting because of Secure Boot, which takes that route away from the investigator. Brute-force guessing is harder still if the suspect has set a gesture password rather than a text password. The Surface RT 2 is a touchscreen tablet, and Microsoft built its experience heavily around gestures for navigating the interface, including the option to unlock the tablet with a gesture password: the end user chooses any picture and then draws a combination of finger taps, lines, and circles on it. Note that a picture password is set in addition to the account's text password, not in place of it; the sign-in screen offers a 'Switch to password' option, and Windows falls back to the text password after five failed gesture attempts, so the text password still exists and is what any guessing attempt would ultimately have to target. If the password is unknown and brute-force guessing fails, neither live analysis nor the File History option is available.
Conclusion
As shown, Microsoft's new Surface RT 2 tablet is a forensic investigator's nightmare until the problems above are solved and a forensically sound image of the tablet can be obtained, allowing better analysis and integrity checks of the data. The Surface RT 2 reflects the difficulties forensic investigators face as many different devices are released onto the market, some of them used to assist criminal activity. Even though I was not able to jailbreak the device and obtain a forensic image, I was able to show how data can be obtained to further an investigation.
Although this device has many safeguards in place to keep a jailbreak unavailable, it is only a matter of time until an exploit is found. A software jailbreak could allow imaging software to run on the device, or allow the device to be connected through a hardware write blocker so that imaging software runs on a different machine. The first option needs care: the Surface RT 2 has an ARM processor, so imaging tools would have to be built for ARM, and the Tegra 4's limited power may make heavy imaging programs slow even on a jailbroken system.
Attacking the system's hardware is another way to reach data on the device. The Surface RT 2 differs from the first-generation Surface RT: according to the iFixit teardown, its memory can be removed once the device is opened, so data could potentially be extracted with the right equipment (iFixit, 2013). The problem with this option is the risk of destroying data through physical damage to the tablet; the iFixit teardown shows how difficult physically taking the Surface RT 2 apart is. Once open, the storage chip could be removed and read with a suitable flash reader, or the investigator could attempt JTAG on the tablet to extract raw data and then carve usable files out of it. Either route also has to contend with the device encryption (BitLocker) that Windows RT turns on by default when the user signs in with a Microsoft account: a chip-off or JTAG dump would yield encrypted volumes unless the recovery key, which is backed up to the user's Microsoft account, can be obtained. This can be a very intensive process, and investigators in a time crunch might prefer a quicker data extraction method.
References
gilly_uk. (2012, November 30). Microsoft Surface RT. Retrieved March 5, 2014, from Forensic Focus: http://www.forensicfocus.com/Forums/viewtopic/p=6563490/
iFixit. (2013, October). Surface 2 Teardown. Retrieved March 5, 2014, from iFixit: http://www.ifixit.com/Teardown/Microsoft+Surface+Pro+2+Teardown/18604
Microsoft. (2014). Surface 2. Retrieved March 5, 2014, from Surface: http://www.microsoft.com/surface/en-us/products/surface-2
XDA. (2014, March 14). [RT] Windows RT 8.1 Jailbreak Discussion. Retrieved March 14, 2014, from XDA-Developers: http://forum.xda-developers.com/showthread.php?t=2663906