Saturday, December 5, 2015

Acquiring a forensic image of Acer Iconia W3 Windows tablet


I recently got an Acer Iconia W3 tablet for analysis which was password protected. These are the steps I took to acquire an image of the tablet.


The W3-810 tablet runs an Intel Atom CPU and has Windows 8.1 preloaded. It comes with 32 GB or 64 GB of internal storage. Although it runs smoothly, the downside is that it has only one micro-USB port. This makes it difficult to connect peripherals.

After getting any handheld device, my first instinct is always to check Cellebrite UFED or Oxygen Forensic Suite for compatibility. Why waste time researching when there is a ready-made solution? Unfortunately, neither tool supported it. UFED had some Acer tablets, but they were Android models.

So, to boot the tablet from external media, we need a micro-USB OTG adapter and a USB hub so that we can connect our bootable USB drive or an external CD drive, and a keyboard.


The regular bootable media, such as Hiren's Boot CD and other Windows bootable disks, failed. After researching more, I learned that this is because UEFI is enabled on the tablet. Even though I disabled SecureBoot, as shown in this video, it was unable to boot from these boot CDs.

Then I got an EFI-enabled Ubuntu 14.10 ISO image and tried booting from it. I got one step further, to the GRUB screen, but again it would not boot the OS. After some more research, the issue turned out to be that EFI was enabled only for 64-bit systems. So I needed to find a 32-bit EFI-enabled disk for booting.


It turns out the WinPE environment has a 32-bit EFI-enabled ISO readily available. So I built a WinPE ISO and again tried to boot the tablet from it with SecureBoot disabled. Finally, I succeeded in getting a command prompt in the environment.
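To check which firmware architecture a piece of boot media can start before carrying it to the device, the following added example (not from the original post) lists the loaders under EFI/BOOT of a mounted or extracted media tree and reads the PE header Machine field of each. It assumes the media is accessible as a directory; the function names, the two sample trees and the stub headers are constructed for the demonstration.

```python
import struct
import tempfile
from pathlib import Path

MACHINES = {0x014C: "IA-32", 0x8664: "x64", 0xAA64: "AArch64"}  # PE/COFF Machine values


def pe_machine(path):
    """Return the architecture a PE/COFF (EFI) binary was built for."""
    data = Path(path).read_bytes()[:4096]
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError(f"{path}: no MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError(f"{path}: PE signature not found")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    return MACHINES.get(machine, f"unknown (0x{machine:04x})")


def efi_boot_loaders(media_root):
    """Map each loader in EFI/BOOT (matched case-insensitively) to its architecture."""
    root, found = Path(media_root), {}
    for f in root.rglob("*"):
        parts = [p.upper() for p in f.relative_to(root).parts]
        if f.is_file() and len(parts) == 3 and parts[:2] == ["EFI", "BOOT"] and parts[2].endswith(".EFI"):
            found[parts[2]] = pe_machine(f)
    return found


def boots_on_32bit_uefi(media_root):
    """True if the media carries a loader that 32-bit UEFI firmware can start."""
    return "IA-32" in efi_boot_loaders(media_root).values()


def sample_stub(machine):
    # Constructed sample: a bare MZ/PE header carrying only the Machine field.
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + struct.pack("<H", machine)


def demo():
    """Build two constructed media trees and report which one a 32-bit UEFI can boot."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, loader, machine in (("x64_only_iso", "bootx64.efi", 0x8664),
                                      ("ia32_winpe_iso", "bootia32.efi", 0x014C)):
            boot = Path(tmp, name, "EFI", "BOOT")
            boot.mkdir(parents=True)
            (boot / loader).write_bytes(sample_stub(machine))
            results[name] = boots_on_32bit_uefi(Path(tmp, name))
    return results
```

Call `efi_boot_loaders()` on the mount point of a real ISO or USB stick to list its loaders; `demo()` only exercises the constructed trees.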

Then I copied the SAM file from the Windows installation of the tablet. Using Hashcat, the password was cracked successfully. After getting the password, I put FTK Imager on a USB drive, logged on to Windows and imaged the disk.

One thing to note is that the storage in the tablet is an eMMC chip, so recovering deleted content might be a bit difficult.
