Expert Testimony: Gaming forensics


In today’s average home there are many potential sources of digital evidence, from the obvious home PC and mobile phone to the less common “pen drive” and PDA. Each of these has been thoroughly examined in legal proceedings and by scholars, because each has been shown to have forensic value. So far, however, there has been little investigation of the forensic properties of modern game consoles. Considering how they are increasingly used in a “PC-style” manner, this is an area that can provide a large amount of data of evidential value in criminal or civil court proceedings.

Computer forensics is a relatively new discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that can be used as evidence in court. With the addition of storage (internal and external) that can hold data beyond pure game information, game consoles can now provide data that can be analyzed forensically.

With storage added for more than simple game data (for example, a hard disk drive capable of storing music, videos, pictures, etc.) and with “network” functions available, a game console is likely to generate both “persistent” and “volatile” data of forensic value. With the increase in media functions, game consoles have become “entertainment centers” for ordinary families.

The machines most likely to provide usable forensic data are the Xbox 360 and PS3, because they are prevalent in the home (the combined sales figures in the UK are about 6 million units) and are used in ways similar to more accepted sources of forensic data (for example, a home computer).

Microsoft Xbox 360:

The console supports external memory cards for game data and media storage, but because of their small size (both physical and in data capacity) they are rarely used. The most commonly used storage for the Xbox 360 is a removable hard disk, ranging in size from 20 GB to 250 GB, which allows large amounts of music, videos, photos, etc. to be stored and enables the online functions of the machine. On an unmodified console, this online feature is called “Xbox Live”, an online multiplayer gaming and digital media delivery service operated by Microsoft. The service allows users to:

• Download content from Xbox Live

• Log in and update social networks and media services, such as Facebook, Twitter, Zune and

• Add people to the “friend list” for gaming and / or communication

• Send (unsolicited) text / picture / voice messages to other users

Many functions performed on the console carry a time and date recording when the function was executed (or at least when it was last accessed or changed), which may make it possible to confirm the whereabouts of a defendant at a given time. Communication through the Xbox Live messaging system can provide evidence of illegal activity: messages are automatically stored for up to 30 days before being deleted from the system, but all messages sent via Xbox Live are kept on Microsoft servers and can be recovered on any console on which the user’s profile has been logged in, so a skilled investigator may find a crime mentioned in a text or audio message.

The functions of the Xbox 360 can be expanded by modifying its internals to allow illegally downloaded (pirated) software to be played, or to allow an operating system such as Linux to be installed, giving the Xbox 360 almost all the functions of a PC (and the related data and activity records):

• Full access to the Internet (not just Xbox Live)


• Chat records

• Pirated games

An important detail to note is that, at least from the outside, a modified console and an unmodified console can look identical. Some members of the “modding” community do choose to make various changes to the case of their consoles, but many do not, so a modified console may be mistaken for standard equipment.

Sony PlayStation 3:

The PS3 is similar to the Xbox 360 in its forensic potential. A large amount of digital media can be stored on its hard drive, and the PlayStation Network (similar to Xbox Live) allows users to send messages just as on the Xbox 360.

There are two main differences between these consoles. First, the PS3 has a full “out of the box” Internet browsing function, so even an unmodified PS3 holds more available data, such as Internet search history and downloads, on the hard drive and in the system “data cache”. Second, a third-party operating system could be installed on the PS3 without any modification to enable it. This is currently causing controversy in the US courts, because Sony has removed this feature to prevent software piracy on the machine. A second operating system can still be installed (for whatever purpose), but enabling this now requires some modification to the hard drive; the result is a PS3 with almost all the functions of a PC.

Motion Control - Move and Kinect:

In the last few months of 2010, both the PS3 (Move) and the Xbox 360 (Kinect) gained a new function, “motion control”. Using a camera and motion-tracking software, the console can interpret the user’s body movements and replicate them in the game. From an evidential point of view, this provides another kind of data to be collected from consoles, and widens the range of uses for the data stored on them. The cameras are used to record users of motion control software. These recordings can be stored at certain points during game activity, and the capability may be abused to send videos of minors or obscene videos through Xbox Live. Such videos, with date and time attached, can also capture suspects in criminal activity, and analysis can determine the location, which can confirm or test the validity of a defendant’s claim about his location at the time of the crime.

Nintendo Wii:

Currently, Nintendo Wii sales are higher than those of the Xbox 360 and PS3 combined. It is regarded as a “non-gamer” console, and its technical specifications are lower than those of its two competitors, so it is less often a target for modification, although forensic data can still be extracted from it. The Wii can use a first-party web browser based on Opera. Bookmarks are retained and may be of interest. The Wii also keeps basic daily logs of system usage, and keeps the contact list of added friends and the messages sent by those friends. It is also worth noting that images can be sent through the player messaging system and then saved to the system’s flash memory or to an external SD (memory) card. As with most modern consoles, various Linux distributions have been ported to the system (Wii Linux), which means it can be used in the same way as any desktop PC and should be treated as such.

Sony PlayStation Portable (PSP):

A portable gaming device can be defined as a gaming system that is small enough to be carried around and runs on batteries. Although portable gaming devices are not as powerful as consoles, they have made significant advances in power since the early days and may now include PDA-like functions. The PlayStation Portable can be used to access the Internet and to store images and movies, and can be modified to run third-party operating systems, so forensic data can be recovered from its memory and “data cache”.

Nintendo DS / DSi / 3DS:

All Nintendo DS units can establish a temporary wireless connection with other units to use a player-to-player chat program called Pictochat. Predators have used Pictochat in the past to lure children. The DSi is equipped with an SD card reader, which can be used to hide illegal material. The DSi also has an integrated 0.3 megapixel camera and can store images in its internal flash memory or on the SD card.

Forensics of game consoles in the real world:

For illustrative purposes, here are some real-world examples of crimes involving game consoles, which should show the need to investigate consoles just like the more traditional targets of computer forensics.

One example of a game console being used in the same way as a PC and providing usable forensic data is an incident that occurred in the United States in August 2010. An Xbox Live user in Florida was found to have been requesting nude photos from a 10-year-old boy using the Xbox Live messaging service. Officers retrieved the defendant’s Xbox 360, two computers and a flash drive, and found 16 child pornographic images of different boys.

Andrew Bates, a police detective in Folsom, said: “Parents should run gaming systems like Xbox and PlayStation after connecting to the Internet and can use it for other technologies such as computers or phones; users can talk to each other and send text messages or send photos to make these systems another potential threat.”

In another case, a person in an ongoing criminal investigation threatened a witness after being turned in to a police officer. He was charged with tampering with a witness, intimidating a witness and two counts of second-degree harassment, and useful data was obtained from Xbox Live.

There are recorded examples of unsolicited indecent images being sent through Xbox Live and the PlayStation Network. In one case, a pair of messages arrived from an unknown user account; when opened, they were found to contain an indecent image of a young boy, and the police were contacted immediately. By retrieving previous communications, an investigation would be able to determine the time and date the image was received and whether the user who received the image had requested it.

In another incident, a PS3 user persuaded an 11-year-old girl to email him nude photos of herself (which he then forwarded to contacts in other US states). No other equipment was used to commit these crimes, which might not have been discovered in a conventional investigation.

On another occasion, a man was accused of grooming several young girls on Xbox Live. This came to light through the discovery of a phone and the recovery of Xbox 360 data.

Considering the variety of ways in which game consoles can now provide investigators with usable forensic data, it is essential to fully understand the potential benefits of conducting forensic investigations on them. In addition, lawyers, whether prosecuting or defending, should find an expert witness who has the necessary skills to support their case. The types of attack generally associated with PCs can be carried out on game consoles, and data of equal importance can be retrieved from them. Therefore, proper seizure and investigation of these devices should have equal priority with other digital storage and communication devices.


Source by Simon Lang