
Digital Investigation 11 (2014) S87–S93
Contents lists available at ScienceDirect
Digital Investigation
journal homepage: www.elsevier.com/locate/diin

Windows Surface RT tablet forensics

Asif Iqbal a,b,*, Hanan Al Obaidli a, Andrew Marrington b,*, Andy Jones c,d

a Athena Labs, Dubai, UAE
b Zayed University, Dubai, UAE
c Edith Cowan University, Australia
d University of South Australia, Australia

Citation: Iqbal A., Al Obaidli H., Marrington A., Jones A. (2014). Windows Surface RT tablet forensics. Digital Investigation, 11(SUPPL. 1), S87–S93. http://dx.doi.org/10.1016/j.diin.2014.03.011
Repository copy (Edith Cowan University Research Online, ECU Publications Post 2013): https://ro.ecu.edu.au/ecuworkspost2013/117

Keywords: Windows RT; Tablet; Surface; Small scale digital device forensics; Acquisition

Abstract

Small scale digital device forensics is particularly critical as a result of the mobility of these devices, leading to closer proximity to crimes as they occur when compared to computers. The Windows Surface tablet is one such device, combining tablet mobility with familiar Microsoft Windows productivity tools. This research considers the acquisition and forensic analysis of the Windows Surface RT tablet. We discuss the artifacts of both the Windows RT operating system and third-party applications. The contribution of this research is to provide a road map for the digital forensic examination of Windows Surface RT tablets.

© 2014 The Authors. Published by Elsevier Ltd on behalf of DFRWS. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/3.0/).
Introduction

The proliferation of smartphones and tablet computers has significant implications for digital investigations. As the usage of mobile devices continues to expand, so will the proportion of digital evidence retrieved from these devices as compared to computer hard disks. According to Marturana et al. (2011) and the National Institute of Standards and Technology (NIST) (2001), it is more likely that law enforcement will encounter a suspect with a mobile device in his/her possession than with a PC or laptop. Hence, studying these devices from a forensic perspective is an essential task for both researchers and practitioners in digital forensics. Casey (2013) discussed smartphone forensic R&D and training, and indicated that the variety of hardware and operating systems in smartphones makes the forensic acquisition and analysis of these devices significantly different from the computers with which most forensic practitioners are familiar. This equally applies to tablets and other small scale devices, which are as heterogeneous as their smartphone cousins. The variety of file systems, data structures and the number of third party applications available on some of these devices makes the realm of digital forensic research a significantly more complicated environment. This complication is highlighted by the diversity of research done on different devices as well as by the changes in the operating systems or hardware of previously studied devices.

This research addresses Windows RT tablets, such as the Surface RT, from a digital forensic acquisition and analysis perspective. Windows RT is a variant of the Windows 8 operating system designed for mobile devices that utilize the ARM architecture. It is optimized for thin and light PCs that have extended battery life. It is only available pre-installed on selected tablets and PCs such as the ASUS VivoTab RT, Dell XPS 10, Lenovo IdeaPad Yoga 11, Samsung ATIV Tab, and Surface RT. Windows RT only runs built-in apps or apps that are downloaded from the Windows Store; other apps such as Adobe Photoshop, and legacy programs that run on the regular Windows operating system, cannot run on it. However, Windows RT still has a limited desktop mode where the user can use redesigned office applications such as Word, Excel and PowerPoint, as well as explore and arrange folders in a manner similar to the regular desktop mode.

This paper identifies a forensically sound acquisition method for a Windows RT device, and describes the file system structure and potential forensic artifacts. It is organized as follows: in the next section, we discuss related research in small scale digital device forensics, and then in the Methodology section we discuss our general methodology. This is followed by the Acquisition section, which describes Windows RT acquisition, and then the Analysis section, in which we discuss analysis of acquired Windows RT images. This paper concludes with a synopsis of findings and planned future work in this area.

* Corresponding authors. Zayed University, Dubai, UAE.

Related work

The field of small scale device forensics has challenged researchers because the diversity of hardware and operating systems of these devices requires different methods of forensic acquisition and analysis. According to Casey (2013), this is shown in "The effects of switching the camera module from Blackberry Curve 9360 devices" by Gisolf et al., which deals with the changes in the hardware of Blackberry Curve 9360 devices, as well as in the work of Quick and Choo, who investigated the artifacts left by Dropbox on a Windows 7 computer and an Apple iPhone 3G, thereby studying the effect of a third party application and its relation to the cloud (Casey, 2013; Gisolf et al., 2013; Quick and Choo, 2013).

As a new tablet operating system, Windows RT has gained the interest of a number of researchers. According to reports, a hacker named C.L. Rokr (clrokr) has found a way to bypass the code integrity checking in Windows RT which allows users to run unsigned code on Surface tablets and other devices, effectively jailbreaking the platform (Windows RT jailbroken, 2013). This approach could also be utilized for forensic acquisition of these devices. The method is possible because most of the Windows RT code has been ported directly from Windows 8. This porting included a byte in the kernel that sets the minimum signing level for code execution. On Windows 8, this is set to 0 so that any code can be run, but on Windows RT it is set to 8, meaning that code must be signed by Microsoft in order to run. Lock and Code Pty Ltd have developed software that will jailbreak the Windows RT device using the method described by clrokr, then use a set of acquisition tools to acquire an image of the device (Freestone, 2013).

As mentioned above, Windows RT has some similarities with Windows 8 and as a result we looked at some of the work done with regard to this operating system. [...] computer. Hence, the reset operation may cause the machine to be wiped of all data, and for that reason it is important for digital forensic researchers to investigate the artifacts left after utilizing this feature. Fleisher was able to find artifacts indicating that this feature was utilized, as well as other artifacts about the reset or refreshed system.

Kaart, Klaver and van Baar stated that Windows 8, which is developed to run on mobile devices such as tablets and phones as well as on traditional devices such as laptops and desktop computers, might still have some of the files from the Windows Phone 7 operating system (Kaart et al., 2013). In their work they reverse-engineered significant parts of the EDB (Microsoft Embedded Database) volume format and extensively analyzed the pim.vol file, which contains information related to contacts, appointments, call history, speed-dial settings and tasks. They also implemented a parser for the EDB volume format structure and compared their results to the traditional approach using an emulator and the API provided by the Windows CE operating system. The parser was able to recover additional databases, additional properties per record and unallocated records. Schaefer, Höfken and Schuba discussed the acquisition and analysis of a Windows Phone 7 device (Schaefer et al., 2012). Their work explains the main characteristics of the platform, the problems that forensic investigators face, methods to circumvent those problems and a set of tools to get data from the phone. Data that can be acquired from the phone include the file system, the registry and active tasks. Based on the file system, further information such as SMS messages, emails and Facebook data can be extracted (Schaefer et al., 2012).

From this initial search we identified that there is not sufficient scientific work that discusses Windows RT tablets from a digital forensic perspective. The main aim of our work is to investigate the artifacts left on the device as well as to acquire an image of it.

Methodology

The main purpose of this research is to forensically investigate the Surface RT tablet, which runs the Windows RT operating system. This tablet may contain valuable forensic artifacts, as it combines the traditional tablet application environment with common office productivity applications such as Word, PowerPoint and Excel. Alongside this is the use of the traditional Windows Explorer (File Explorer) available in the regular Windows Operating