As of one month ago and to the best of our knowledge, there was no documented process for acquiring a forensic image of a Microsoft Surface RT device. The reason for this is there are two major challenges inhibiting standard acquisition techniques. #1 is the fact that in order for binaries to execute on the Surface RT they need to be signed by Microsoft and #2 is the Surface RT contains an ARM processor and therefore all binaries must be compiled specifically for the ARM.
Fortunately a “Jail Break” has been release for Surface RT devices which can enable unsigned code to execute on the Surface RT.
And now, Lock and Code have released a basic set of binaries and batch files to assist with acquiring the Surface RT. The “acquisition_tools” zip file along with a paper titled “Acquisition of Microsoft Surface RT” are available for download below. These resources along with the Jail Break and a suitably sized USB device are all you need to create a forensic image (E01) of the Surface RT.
