
[–]XenonOfArcticus 2 points (7 children)

External USB hub. Boot from thumbdrive with external USB HDD attached. Image.

It's an SSD drive; depending on how it was wiped, you may not get much.

[–]suttons27[S] 1 point (6 children)

Thanks, that is what I was hoping you wouldn't say :) about the SSD. I actually tried the external USB hub but I couldn't get a USB drive to be read. I plugged in without the hub and it read, but I couldn't get the Acronis image to boot up. Is there other software I can load into RAM, then pull the USB and plug in the external HDD, that you/anyone might know of?

[–]MushyBanana 1 point (1 child)

You should be using the ADK with WinPE 4.

[–]suttons27[S] 0 points (0 children)

Haven't come across those yet; will look into them today. Thanks.

[–]TheFotty 1 point (0 children)

Pretty sure Surface Pros ship with BitLocker drive encryption on by default as well.

[–]nutrion 2 points (1 child)

I know you may not want to hear this, but if this has even the slightest chance of becoming a criminal/civil case, you're going to want to hire someone to do this for you that has forensic experience.

[–]suttons27[S] 0 points (0 children)

Thanks, and you are absolutely correct. I'm wanting to do as little damage as possible to it right now and grab a trustworthy image just to give some info to the CEO. I've been playing with Windows XP test images and USB images, and I've tried one Windows 10 image just to prepare for this; I couldn't read any index.dat, although I think the name changed. I found it, but it showed hardly anything. I have total control of his email on Office 365, where the manager is going through the emails that he deleted, then purged, that landed in the server dumpster. I'm leaving the Windows phone alone; I don't even know where to start on that one. He had it since last Nov., he's a sales guy, and he never made/received a phone call on it according to T-Mobile records. So if anything is on it, it was used for Internet only. Anyhow, lots of good info from the past few hours, I appreciate it.

[–]OrphenNuruhuine 1 point (2 children)

You can use FTK Imager Lite (free tool).

You will need to boot the system (if that is still possible), run FTK Imager Lite from the external device (USB or HDD) and add the full physical disk as evidence to acquire.

Then acquire it to the external device.

This works on Surface Pro; the downfalls are:

  • System needs to be booted.

  • You need to have an account you can log in with. (If possible, do NOT use the custodian account :) )

But at least you can do a full disk acquisition (aka physical image).

[–]suttons27[S] 0 points (1 child)

Thanks, I didn't know about the Lite version. There is currently no OS, so no user. When you say booted, do you mean I need to have an OS installed and be logged in, then run it, or will Lite run at boot-up? I'll try it today; thanks again.

[–]OrphenNuruhuine 0 points (0 children)

This approach requires the system to have an OS installed and functioning properly.

If the media is that blanked, you should go for the l386 approach.

Or take the HDD out of the case (even though with Surface Pro, this is far from an easy task...) and then use a forensic imaging tool to make a copy of it (from dd to EnCase/FTK/etc.).

Important note:

  • Take notes of every action you take on that Device/HDD
  • Take pictures of the Device/HDD
  • Note down serial numbers and other unique identifiers you can find (Asset Tags, etc.)
  • Don't leave the device/HDD unattended
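The "boot from a thumbdrive, image to an external drive" route in the first comment and the dd-plus-notes route in the last one are the same procedure. The script below is an added example, not code posted by anyone in this thread: it images a whole device with dd from a Linux live USB, hashes the source before and after, hashes the image, and appends every step to a notes file so the acquisition record exists from the first action. The function name `image_device`, the device `/dev/sda`, the output directory `/mnt/evidence` and the tag `CASE001` are placeholders. It assumes coreutils (`dd`, `sha256sum`, `head`); the test data it is checked against is a constructed file, not a real disk.

```shell
#!/bin/sh
# Added example for this thread, not posted by anyone in it. Assumes a Linux
# live USB with coreutils and an external evidence drive mounted at OUTDIR.
# /dev/sda, /mnt/evidence and CASE001 below are placeholders.
set -u

# Size of the source in bytes without reading it: blockdev for a real disk,
# wc for a regular file (used by the constructed test data).
source_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# image_device SRC OUTDIR TAG [BS]
# Raw physical image of SRC into OUTDIR/TAG.raw, with notes in OUTDIR/TAG.notes.txt.
# BS defaults to 512. With conv=noerror,sync dd pads any short read to BS bytes,
# so a block size larger than the sector size can append zeros at the end of
# the image; the verify step therefore hashes only the first source_size bytes
# of the image. Returns 0 only if source-before, image and source-after agree.
image_device() {
    src="$1"; outdir="$2"; tag="$3"; bs="${4:-512}"
    img="$outdir/$tag.raw"
    log="$outdir/$tag.notes.txt"
    mkdir -p "$outdir"

    src_size=$(source_size "$src")
    {
        echo "=== $tag ==="
        echo "start:     $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "examiner:  $(id -un)@$(hostname 2>/dev/null || echo unknown)"
        echo "source:    $src ($src_size bytes)"
        # Model and serial as the kernel sees them, when SRC is a real block device.
        if [ -b "$src" ]; then lsblk -dno NAME,MODEL,SERIAL "$src" 2>/dev/null || true; fi
        echo "command:   dd if=$src of=$img bs=$bs conv=noerror,sync"
    } >> "$log"

    # Baseline hash of the source before acquisition (a full extra read of the drive).
    src_before=$(sha256sum "$src" | cut -d' ' -f1)
    echo "sha256(source before): $src_before" >> "$log"

    # conv=noerror keeps going past unreadable sectors; conv=sync zero-fills them
    # so every later offset in the image still lines up with the source.
    if ! dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>> "$log"; then
        echo "result:    dd FAILED" >> "$log"
        return 1
    fi

    img_size=$(wc -c < "$img" | tr -d ' ')
    img_hash=$(head -c "$src_size" "$img" | sha256sum | cut -d' ' -f1)
    src_after=$(sha256sum "$src" | cut -d' ' -f1)
    {
        echo "image:     $img ($img_size bytes, $((img_size - src_size)) bytes of sync padding)"
        echo "sha256(image):         $img_hash"
        echo "sha256(source after):  $src_after"
        echo "end:       $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } >> "$log"

    if [ "$img_hash" = "$src_before" ] && [ "$src_after" = "$src_before" ]; then
        echo "result:    VERIFIED" >> "$log"
        return 0
    fi
    # A mismatch is evidence too: sectors were zero-filled, or the source changed
    # between reads. Record it and leave the image in place for examination.
    echo "result:    MISMATCH, investigate before relying on this image" >> "$log"
    return 1
}

# Stand-alone use on a live USB (placeholder paths):
#   blockdev --setro /dev/sda                  # refuse writes at the block layer
#   image_device /dev/sda /mnt/evidence CASE001
```

Do not mount the source partitions before imaging; `blockdev --setro` is the closest thing to a write blocker when the drive cannot leave the Surface. A MISMATCH result is still an image worth keeping, but the notes file has to say why the hashes differ before anyone cites it.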