Link to document.
Paper by Walter Ridgewell.
This thesis is a comprehensive look at modern video game devices and their susceptibility to various network attacks, as well as the potential of these devices to become threat carriers. It includes analysis of the Xbox 360, PlayStation 3, PlayStation Portable, and Nintendo Wii. A long but excellent read.
You may have read that the PlayStation 3 was recently hacked, allowing users to develop their own homebrew applications for the device (or to play pirated games). This development has a number of implications for digital forensic investigators, most notably the increased risk of coming across a modified system used for illegal activity. When the console first launched, users were able to install a second operating system alongside the primary operating system, a feature Sony has since disabled via firmware updates. Now, with the ability to execute foreign code on the system, it is once again possible to run Linux (or some other derivative) on the PS3, making the system a potential source of evidence for investigators.
On the plus side, this exploit can potentially allow programmers to develop forensic tools specifically for the PS3. Hopefully it won’t be too long before we see a file system dump utility, or perhaps a more targeted tool that exports user messages or other relevant data. Ideally, we’ll end up with the ability to mount the PS3’s file system in Linux or Windows.
As far as I know, this is the only Xbox forensics tool that was actually written with forensics in mind. I’ll have to see if my department can get a copy to play around with.
Greetings from Protowise Labs!
We are happy to announce the official release of XFT 2.0 Game Console Forensics toolkit. In conjunction with the release, Protowise Labs will be hosting a series of Game Console Forensics Training sessions over the course of the year. The full day training session includes 8 hours of classroom and hands-on sessions, including FATX (Original Xbox) and XTAF (Xbox 360) file system forensics, ATA key recovery and drive unlocking, forensic issues with the Xbox 360, and forensic issues and implications of other game consoles. Training is $650.00 per seat and includes one XFT license with free updates for 1 year. Please do not make travel arrangements until training has been confirmed by us via email on or before August 27, 2010. After registration, you will receive an email invoice, at which time payment is due. We will send a confirmation email one month prior to training day, at which time you should make travel arrangements. Again, please do not make travel arrangements prior to confirmation. To register, click the registration link below or go to http://www.protowise.com and click the registration link. You can view the training syllabus on the Protowise website. Seats are limited, so if the class fills up we will open another session to be scheduled shortly after September.
REGISTER NOW for the September 27, 2010 training in The Woodlands, Texas.
We hope to see you in The Woodlands in September!
Link to paper.
Paper by Scott Pancoast.
This paper goes into great detail describing the PlayStation Portable and its capabilities, accessories, and peripherals. It also discusses the file system and other system attributes, and outlines a forensic method for examination.
Link to article.
The writer of the above post has claimed to have found an exploit for the PS3 which allows “full memory space access” and “hypervisor level access to the processor”. If this is true, this exploit could pave the way for homebrew development for the PS3, including the development of tools which could aid in forensic examination of the device.
Here is another article that gives a less-technical explanation.
Link to paper.
Paper by Alex Barnett.
This paper is a broad overview of the last two generations of home consoles and the current generation of handheld consoles. The paper focuses on the potential uses of video game devices to commit or assist in illegal activities, and argues that they should be treated no differently than normal computers in the context of an investigation. It goes on to highlight the lack of research, methodologies, and tools available for analysis of these devices.
Written for CIT581V: Special topics in Cyber Forensics at Purdue University.
Link to publication.
Paper by Scott Conrad, Greg Dorn, and J. Philip Craiger.
This paper is a very detailed overview of the current state of PlayStation 3 forensics. It goes into great detail revealing problems with current forensic approaches (due to the extensive security restrictions placed on the device’s native OS partition), and also discusses capabilities and the potential for such devices to yield useful evidence. The paper concludes by proposing a forensic technique to be used in the absence of more traditional methods, and goes on to suggest several steps for future work on the console.
Xbox 360s use standard 2.5″ SATA drives, but because they are formatted with the FATX file system, common forensic tool suites such as EnCase and FTK are unable to read them.
However, members of the hacking and modification community have released several third-party tools that can read FATX and display the contents of the drive in a GUI from within Windows. Consider giving these a try:
Also, Linux can mount FATX volumes with proper modifications to the kernel. Please see this page of the Xbox-Linux wiki for more details.
If you are dealing with a modified console running Linux, please see these sites for more information:
Link to publication.
Paper by Halvar Myrmo.
This paper researches the following questions:
- Does the installation of a new game console in the home open up new vulnerabilities that we are not aware of?
- Are there more potential vulnerabilities in a console that has been modified than in an unmodified console?
- Do we need to take special precautions when connecting a new game console to the home network?
- Do users of games and virtual worlds consider their privacy protection in the same way they do when using other services on the Internet?
It also provides a broad overview of consoles from the current and previous generation as well as a summary of their components and technical capabilities. The paper also details several experiments involving the game consoles and several common network security tools (Nmap, Nessus, Metasploit, and others).
Overall, this paper is an excellent primer for those unfamiliar with the capabilities of modern video game devices, and may also be of interest to those seeking a more technical understanding of these devices.