
A Comparative Analysis of Forensic Methods Used on a Microsoft Surface Book Computer


Abstract

The research question asked by this project is: which tool is the most effective at dead forensics, and which is the most effective at live forensics, when working on time-sensitive cases that involve a Microsoft Surface Book? The Microsoft Surface series of products is an example of one of the new products containing a non-removable solid-state storage drive. These laptop computers are becoming very popular and offer something that most other tablets do not: a full-size USB port capable of transferring data on and off the device. This port can allow connectivity of many different devices, most of them simultaneously with the help of a hub. This port can finally allow investigators access to the internal storage of the device. Many techniques were attempted in order to recover data; however, due to time constraints, this project only tested a few open-source techniques along with some commercially developed software. This project examined multiple tools, along with the knowledge and resources needed to perform data recovery. It was found that the Microsoft Surface Book has some form of encryption being utilized at all times, even if the user has not enabled BitLocker. The only way this project was able to successfully recover data from the computer was by utilizing FTK Imager on a live system while logged into a profile. This new knowledge will help digital investigators to more effectively gather data both on-scene and in a lab environment.

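Bibliographic record

  • Author: Graham, Michael.
  • Author affiliation: Purdue University.
  • Degree-granting institution: Purdue University.
  • Subject: Computer science.
  • Degree: M.S.
  • Year: 2017
  • Pages: 69 p.
  • Total pages: 69
  • Original format: PDF
  • Language of text: eng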