Introduction:
In today’s average home, there are many potential sources of digital evidence, from home PCs and obvious mobile phones to less common ‘pen-drives’ and PDAs. All have been subjected to extensive scrutiny by those involved in the legal process and academics, as their properties have been shown to have forensic value. As of yet there is comparatively little research evidence on the forensic properties of modern game consoles, when we consider how they can be used in an increasingly ‘PC-like’ fashion, this is an area capable of offering considerable amounts of data with probative value in criminal or civil legal proceedings.
Computer forensics is a relatively new discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a manner that is admissible as evidence in court. Game consoles now provide the type of data that can be subjected to forensics due to the addition of memory (both internal and external) capable of ‘store’ data beyond mere computer game information.
With the addition of storage capabilities beyond simple game data (ie hard drives capable of storing music, video, pictures, etc.), game consoles can use ‘web’ functionality and therefore , they are likely to generate ‘persistent’ and ‘volatile’ data with forensic value. With an increasing amount of multimedia features, game consoles are becoming “entertainment centers” within the average home.
The machines most likely to provide usable forensic data are the Xbox360 and PS3 and, due to their prevalence in homes (combined sales figures for the UK are around six million units), these are the machines in which a pattern of use would be similar to the most accepted. forensic data sources (i.e., home computers).
Microsoft Xbox 360:
This game console can support external memory cards for game data and media storage; however, these are rarely used due to their small size (both physically and in terms of data capacity). The most commonly used memory for the Xbox360 comes in the form of a removable hard drive that ranges in size from twenty gigabytes up to two hundred and fifty gigabytes (allowing for large amounts of music, video, photos, etc.) and is essential to enable functionality on line on the machine. On an unmodified machine, this online functionality refers to ‘Xbox live’, the online multiplayer gaming and digital media delivery service operated by Microsoft. This service allows users to:
• Download content from Xbox Live
• Sign in and update social networking and media services like Facebook, Twitter, Zune and Last.fm
• Add people to ‘friend lists’ for gaming and/or communication
• Send text/picture/voice messages (unsolicited) to other users
Many of the functions performed in the console have a date and time attached to when the function was performed (or at least when it was last accessed or modified); this could potentially provide corroboration of a defendant’s location at a specific time. Communication possible through the use of the Xbox Live messaging system may provide evidence of illegal activity, as messages are automatically stored for up to 30 days before being deleted from the system; however, all messages sent through Xbox Live are retained on Microsoft servers and can be retrieved on any console. user profile is logged in, therefore any mention of a crime in a text or audio message could be retrieved by an expert investigator.
The functionality of the Xbox360 can be extended by modifying the internals to allow playing illegally downloaded (piracy) software, or an operating system such as Linux can be installed and allow an Xbox360 to have almost all the functions of a PC (and associated data). ). activity logs)
• Full Internet access (beyond the mother Xbox Live)
• Email
• Chat logs
• Pirate games
One important detail to keep in mind is that, at least from the outside, a modified console and an unmodified console can look exactly the same. While it is true that some members of the modding community choose to apply various skin mods to their consoles, many do not and therefore the console could be mistaken for a standard device.
Sony Playstation 3:
The PS3 is similar to the Xbox360 in terms of potential forensic viability. Large amounts of digital media can be stored on your hard drive, and PlayStation Network (similar to Xbox Live) allows users to send messages in the same way as with Xbox360.
There are two key differences between these consoles, firstly, the PS3 has full ‘out of the box’ internet browsing capability, even an unmodified PS3 would contain more usable data in terms of internet browsing history, downloads, etc. . both on the hard drive and in the system ‘data cache’. Second, it was possible to install third-party operating systems on the PS3 without modifying the system to enable it; this is currently disputed in US courts, as Sony removed this feature to help prevent software piracy on the machine. It’s still possible to install a second operating system (for whatever purpose) though, which now requires some hard drive modifications to enable this feature, giving the PS3 almost all the functionality of a PC.
Motion Control – Move and Kinect:
In the last months of 2010 a new functionality was added to PS3 (Move) and Xbox360 (Kinect), ‘Motion Control’. Using cameras and motion tracking software, the console can interpret the movement of the user’s body and replicate it ‘in game’. From an evidentiary standpoint, this provides another type of data to collect from a game console, pretty much broadening the scope of what data stored on these machines can be used for. The cameras are actually used to record the user of the motion control software at certain points in game activity, this can be stored, this could be abused and used to send videos of underage children or obscene videos over Xbox Live . The videos could also be used to capture suspects involved in criminal activity, with the videos having a date and time attached, analysis could determine a location, thus corroborating or refuting the validity of the defendants’ claim as to their location. at the time of a crime. .
Nintendo Wii:
The Nintendo Wii currently boasts higher sales figures than the Xbox360 and PS3 combined. It looks like a ‘non-gamer’ game console and has lower technical specifications than its two competitors, making it less of a target for modding, although data with forensic properties can still be extracted. The Nintendo Wii can use its own Opera-based web browser; markers are preserved and may be worth noting. The Wii also keeps a basic daily log of system usage and also maintains a contact list of added friends, as well as the messages those friends have sent. It’s also worth noting that images can be sent via the player’s messaging system, which are then saved to system flash storage or an external SD (stick) card. As with most modern consoles, several Linux distributions have been ported to the system (Wii Linux), which means that it could be used in the same way as any desktop PC and should be treated as such.
Sony PlayStation Portable (PSP):
A portable gaming device can be defined as a gaming system that is small enough to take outside the home and runs on batteries. While not as powerful as a console, handheld gaming devices have made significant strides in power since their inception and can now incorporate features similar to PDAs. The PlayStation Portable can be used to access the Internet, store images and movies, and can be modified to run third-party operating systems, so forensic data can be retrieved from memory and “data cache.”
Nintendo DS/DSi/3DS:
All Nintendo DS units can establish ad-hoc wireless connections with other units to use a player-to-player chat program called Pictochat. Pictochat has been used in the past by predators to lure children to them. The DSi incorporates an SD card reader, which can be used to hide illicit materials. The DSi also incorporates a 0.3 megapixel camera that can store images on its internal flash RAM or SD card.
Forensic analysis of game consoles in the real world:
For illustrative purposes, here are some actual crime cases involving game consoles, hopefully illustrating the need to investigate game consoles just as thoroughly as more traditional computer forensics targets.
An example of game consoles being used in the same way as a PC and providing usable forensic data would be an August 2010 incident in the US involving a one-year-old boy also using the Xbox Live messaging service. Officers recovered the defendants’ Xbox 360, two computers and a flash drive and discovered sixteen child pornography images of various children.
Folsom Police Detective Andrew Bates stated, “Parents need to realize that gaming systems like Xbox and PlayStation, when connected to the Internet, can be used like other technology, like a computer or phone; Users can talk to each other, send text messages or send photos. , making these systems another potential threat.”
Useful data recoverable from Xbox Live was found in a case where a man turned himself in to police after threatening a witness against him in an ongoing criminal investigation. He was charged with witness tampering, witness intimidation and two second counts. degree of bullying
There are documented cases of unsolicited indecent images being sent via Xbox Live and PlayStation Network, here a couple was sent a message from an unknown user account, upon opening it discovered it contained an indecent image of a child and immediately contacted the police. An investigation could determine the time and date this image was received and whether or not the user who received it requested it by retrieving previous communications.
In another incident, a PS3 user persuaded an 11-year-old girl to email him nude photos of herself (which he later forwarded to contacts in other US states). No other device was used to commit these crimes and could go undetected in a regular investigation.
On another occasion, a man is accused of manipulating several girls on Xbox Live; this was discovered by the discovery of a mobile phone and Xbox360 data recovery.
Given the myriad ways in which gaming consoles can now provide investigators with usable forensic data, it is crucial that the potential rewards of gaming machine forensics investigation are fully understood, and even more so that attorneys Whether for the prosecution or the defense, find an expert witness with the necessary skills to support your case. It is possible to commit the types of crimes typically associated with a PC on a gaming machine, and it is possible to recover equally important data from a gaming machine. Therefore, the proper seizure and investigation of these devices should have the same priority as other communication and digital storage devices.