Capturing RAM Dumps and Imaging eMMC Storage on Windows Tablets

Oleg Afonin, Danil Nikolaev, Yuri Gubanov © Belkasoft Research

While Windows desktops and laptops are relatively easy to acquire, the same cannot be said about portable Windows devices such as tablets and convertibles (devices with detachable keyboards). Having no FireWire ports and supplied with a limited set of external ports, these devices make attaching acquisition media more complicated in comparison to their full-size counterparts. Equipped with soldered, non-removable eMMC storage, Windows tablets are extremely difficult to image while following the required forensic routine. Finally, the obscure Windows RT does not allow running unsigned desktop applications at all while restricting the ability to boot into a different OS, making forensic acquisition iffy at best.

In this article, we will have a look at how Windows-based portable electronic devices are different from traditional laptops and desktops, review new security measures and energy saving modes presented by Windows tablets and discuss hardware, methods and tools we can use to acquire the content of their RAM and persistent storage.

Security Model of Windows Tablets

Tablets running Windows 8, 8.1 and Windows RT are designed with certain security measures to prevent unauthorized access to their content if a device is lost or stolen. These security measures are similar to those present in desktop devices, and differ significantly from the approach employed by Google and Apple.

In Windows 8 and 8.1 installed on a tablet, security measures include optional whole-disk encryption (with BitLocker) and Secure Boot, an option to prevent booting into a non-recognized (unsigned) OS, effectively preventing the use of Linux-based bootable drives often used for digital forensics.

Note that Secure Boot is optional, but is often activated by default in the system’s UEFI. BitLocker keys can be retrieved from the user’s Microsoft Account ( or extracted from a memory dump (if captured while the tablet is running).

Secure Boot

Secure Boot, even if activated in the tablet’s UEFI BIOS, can usually be disabled by booting into UEFI (by using the combination of Volume-DOWN and Power keys). However, if UEFI BIOS is protected with a password, resetting the password could be difficult. Notably, Secure Boot does not prevent booting from external media per se. If you have a bootable recovery image of Windows 8.1 or a bootable Windows PE 5.1 flash drive, these already carry the required signatures and can be used to start the tablet even if Secure Boot is enabled.

Please register to access full versions of Belkasoft articles

Oleg Afonin, Danil Nikolaev, Yuri Gubanov © Belkasoft Research