Video Game Device Forensics

You may have read that the PlayStation 3 was recently hacked, allowing users to develop their own homebrew applications for the device (or to play pirated games).  This development has a number of implications for digital forensic investigators, most notably the increased risk of coming across a modified system used for illegal activity.  When the console first launched, users were able to install a second operating system alongside the primary operating system, a feature Sony has since disabled via firmware updates.  Now, with the ability to execute foreign code on the system, it is once again possible to run Linux (or some other derivative) on the PS3, making the system a potential source of evidence for investigators.

On the plus side, this exploit can potentially allow programmers to develop forensic tools specifically for the PS3.  Hopefully it won’t be too long before we see a file system dump utility, or perhaps a more targeted tool that exports user messages or other relevant data.  Ideally, we’ll end up with the ability to mount the PS3′s file system in Linux or Windows.

Link to article.

The writer of the above post has claimed to have found an exploit for the PS3 which allows “full memory space access” and “hypervisor level access to the processor”.  If this is true, this exploit could pave the way for homebrew development for the PS3, including the development of tools which could aid in forensic examination of the device.

Here is another article that gives a less-technical explanation.

Link to publication.

Paper by Scott Conrad, Greg Dorn, and J. Philip Craiger.

This paper is a very detailed overview of the current state of PlayStation 3 forensics.  It goes into great detail revealing problems with current forensic approaches (due to the extensive security restrictions placed on the device’s native OS partition), and also discusses capabilities and the potential for such devices to yield useful evidence.  The paper concludes by proposing a forensic technique to be used in the absence of more traditional methods, and goes on to suggest several steps for future work on the console.