Microsoft Surface RT 2 Tablet

 

Software:

Windows 8.1 RT

Storage:

2GB RAM

32GB storage

CPU:

(ARM)NVIDIA Tegra 4 Quad Core 1.71

Inputs/Outputs:

(1) 3.0 USB

(1) microSD

(1) microHDMI

5-point multi-touchscreen

Wi-Fi (802.11 a/b/g/n)

Bluetooth 4.0

3.5 megapixel front-facing camera

5.0 megapixel rear-facing camera

(2) microphones

(1) 3.5mm jack

Stereo speakers

Magnetic power cord

Volume button

Touch Windows button

Sleep/awake home button

Magnetic keyboard connector

(Microsoft, 2014)

 

 

 Steps of the Process

            The first step done before data acquisition was to identify all input and output devices there are on our Surface RT 2 tablet. These inputs and outputs will allow us to gain access into the system to acquire the data needed for our analysis phase. One of the most frustrating aspects of the Windows 8.1 RT system is how locked down it is and the lack of advanced control the end-user has on the device. To get past this I researched ways to jailbreak the tablet and found that currently there is no released or documented jailbreaking procedure for the Windows 8.1 RT architecture on the Surface RT 2. There is a jailbreak for Windows 8.0 RT but Microsoft put out a patch for that jailbreak using what they call PatchGuard. If one were to try the 8.0 jailbreak on an 8.1 device then PatchGuard will cause the device to blue screen of death (BSOD). Developers at xda-developers.com are currently working on a workaround for these issues (XDA, 2014). Until then it seems as though imaging the Surface RT 2 is out of the question. The closest thing to data acquisition is using live analysis and use the devices “File History” option to pull over a backup of the user’s known files.

Acquisition

            To use the File History option in the Surface RT 2 one would have to know the password for the device. Other password cracking devices will not work as the tablet does not allow any programs to run on it without an approved signature. The tablet also doesn’t allow booting options to be available to the end user due to the Secure Boot enabled on all Surface RT 2 tablets. Microsoft’s recommendation for resetting a password is to either reset it online if the password is through a Microsoft Account, or resetting the tablet back to its factory settings with the option to not affect the user’s files. This would be very risky for a forensic investigator because this option could potentially delete any data within unallocated space, the potential to completely remove deleted files, delete system data, and also clear out meta-data. In this scenario the suspect has given the password willingly.

            The File History option is found within Control Panel à System and Security à File History. I connected an external hard drive to the device and chose that as my File History extraction point. The File History option pulls over files from the user’s library, desktop, contacts, and favorites. The File History option does not make an image of the drive and does not pull over any deleted files, meta-data, or logs but this is the closest thing there is to data acquisition at this time. To look for other information on the device the investigator could also use live analysis to search the registry and device user specific program files in File Explorer.

Analysis

            Due to the lack of ability for data acquisition live analysis with the knowledge of the user’s password is the best case scenario for investigators at this time. The Surface RT 2 tablet does give one access to ‘regedit’ to view registry entries and Windows Explorer will allow one to view the networked drives and also the user’s SkyDrive for files that are not stored locally on the tablet. There are various applications to view within the tablet. Once in the tablet there you can access any of the apps that the user uses. The Surface RT 2 has a Home Screen that shows apps as tiles that the user can select. Some tiles will change the image they are displaying, such as the Netflix app which will flip through images of movies that are on the users Queue List. One interesting thing about the Photo tile is that it will show various photos from the user’s photo list but even if an image has been recently deleted the Photo tile will still use the deleted image’s thumbnail to show up on the tile.

            The Home Screen is not the only area to find information and access applications. You can access the Applications List (swipe up in the Home Screen as through the Application List were hiding out of view underneath the Home Screen)  to view all currently installed applications on the tablet. There is also a Desktop screen that allows the user to view the tablet in a similar fashion that previous Windows operating system’s main interfaces looked like. File Explorer can be accessed through either way to explore the user’s libraries, SkyDrive, and partition drives. While looking into the C: drive the tablet shows 3 folders: Program Files, Users, and Windows. By giving the option to view hidden folders and files the C: drive also shows a ProgramData folder.

          Within the ProgramData folder I found 4 folders: HP, Microsoft, Microsoft Help, and regid.1991-06.com.microsoft. Seeing an HP folder was curious and upon digging down through this HP folder I found that this folder was created for a printer that was connected to the tablet, specifically an HP Deskjet 3510 series by following: C:/ProgramData/HP/windows/HP Deskjet 3510 series/XmlFileCache/ and some other folders but none of the file contained specific information for spools or recently printed data.

          C:/Users/ seemed to look pretty standard with other Windows User’s folders. It contained a Default, Public, and the main user’s folder. Once in the main user’s folder it held investigator’s favorite low hanging fruit areas such as: AppData, Contacts, Desktop, Documents, Downloads, Favorites, Links, Music, Pictures, Saved Games, Searches, SkyDrive, and Videos. Within C:/Users/EndUser/Searches/ there are two files: Everywhere and Indexed Locations. Both of these files show a web history of visited URL’s and Indexed Locations showed the URL’s as well as files that had been created and modified but not files that were simply accessed. C:/Users/EndUser/AppData/Local/Microsoft/Windows/History/ also contains web history pages.

         I found a folder  called Picture Password located at: C:/Users/EndUser/AppData/Local/Microsoft/Windows/PicturePassword/ which contains two versions of the picture our end user used for their gesture password. The images are called: Cloud, and Sanitized. These pictures remained after the user switched from the character password to a gesture password and then back to a character password.

          I found the user’s desktop background photos navigate through C:/Users/EndUser/AppData/Local/Microsoft/Windows/Themes/RoamedThemeFiles/DesktopBackground/ and it held different themes the user had been using. This is interesting because the photo used on our tablet does not exist within the user’s normal photo album and this location seems to be the only place it is stored. The photo could be synced with the user’s SkyDrive or Microsoft account.

            Without an image of the tablet device if an investigator can gain access with a gesture/character password and explore the suspect’s Surface RT 2 tablet with live analysis there is still quite a lot of information to gain. There are some issues when an investigator cannot obtain a forensic image of a suspect’s device.

Issues Encountered

           Some of the issues encountered had to do with the live analysis of the tablet. This is not known to be ‘forensically sound’ as there is no write-blocking or hashing mechanism to show that the data was not altered during the acquisition and analysis phase of the investigation. Doing live analysis also does not let the investigator look at deleted files or meta-data. Not having access to this information and also not having an accepted method of proving that the device’s data held integrity throughout the investigation could cause problems if evidence is found and needs to be admissible in court.

            The hardest part about this entire project was attempting to jailbreak the Surface RT 2 tablet to allow the data on the device to be imaged and acquired. The Surface RT 2 tablet does not allow options for alternative booting processes because of PatchGuard and Secure Boot so it can boot only off of its own hardware and only execute the programs downloaded from the Microsoft app store or has an approved certificate and signature. To image the tablet we need to either look at the system before it is booted into or run an imaging program, such as FTK imager, to gain an image of the tablet but because there is no approved imaging software that Microsoft has allowed to run on the tablet and there is no jailbreak for the tablet (yet) then there is not a publicly known way to image the Surface RT 2, yet.

            Another issue encountered was getting through the password of the tablet. Secure Boot would cause big problems if I did not have the password for the tablet. There are two ways the tablet can be locked, one being locked with a Microsoft account and the other having a local password. In the past to get through a password on a suspect’s computer one could boot into a disk or USB and run a program that could access the device’s SAM and either alter or completely remove the password which then allows access to the user’s information. The Surface RT 2 tablet does not allow alternate booting because of Secure Boot which causes this to be a problem for the investigator. Brute force password cracking could also pose a larger problem if the password is not a word password but a gesture password set by the suspect. The Surface RT 2 tablet is a touchscreen tablet and Microsoft created the tablets experience heavily in gestures to navigate through the interface. Along with these gestures is the option to unlock the tablet with a gesture password. The end user can choose any picture they wish and then with the combination of finger taps, lines, and circles a gesture password is created. If the password is unknown and brute force password guesses aren’t working then gaining access to complete a live analysis of the tablet or do the File History option will not be available.

Conclusion

            As shown Microsoft’s new Surface RT 2 tablet is a forensic investigator’s nightmare until further problems are solved to obtain a forensically sound image of the tablet which will allow for better analysis and integrity checks of the data. The Surface RT 2 is a reflection of the difficulties forensic investigators deal with as many different devices are released into the markets and sometimes being used to assist criminal activity. Even though I was not able to jailbreak the device and gain a forensic image I was able to show how data can be obtained to further investigations.

            Where this device has quite a lot of safe guards in place to keep a jailbreak option unavailable it is truly just a matter of time until an exploit is found. If a software exploit is found for jailbreaking this could allow imaging software to run on the device or allow the connections of hardware write-blockers to then imaging software to run on a different device. This option should be explored as the Surface RT 2 tablet has an ARM based processor that could make it difficult for heavy imaging programs to run even if the system is jailbroken.

          Attacking the system’s hardware is another option to gain access to data on the system. The Surface RT 2 differs from the first generation Surface RT. The Surface RT 2 has removable memory once opened and data could potentially be extracted if the right device was obtained for an investigator (iFixit, 2013). The problem with this option is that there is a possibility of destroying data by physical damage to the tablet. A breakdown by iFixit.com shows how difficult physically deconstructing the Surface RT 2 tablet can be. Once open the device could have the removable memory removed and read with a special device or attempt to JTAG the tablet to extract raw data and then carve usable data out of it. This could be quite the intensive processes and for those investigators who are in a time crunch might want to look for a quicker data extraction method.

References

gilly_uk. (2012, November 30). Microsoft Surface RT. Retrieved March 5, 2014, from Forensic Focus: http://www.forensicfocus.com/Forums/viewtopic/p=6563490/

iFixit. (2013, October). Surface 2 Teardown. Retrieved March 5, 2014, from iFixit: http://www.ifixit.com/Teardown/Microsoft+Surface+Pro+2+Teardown/18604

Microsoft. (2014). Surface 2. Retrieved March 5, 2014, from Surface: http://www.microsoft.com/surface/en-us/products/surface-2

XDA. (2014, March 14). [RT] Windows RT 8.1 Jailbreak Discussion. Retrieved March 14, 2014, from XDA-Developers: http://forum.xda-developers.com/showthread.php?t=2663906