Expert Witness: Games Console Forensics
May 3, 2017
In today’s average home there exist many potential sources of digital evidence, from the obvious home PCs and mobile phones to the less common ‘pen-drives’ and PDA’s. All have been subject to comprehensive scrutiny from people involved in the legal process and academics since their properties have been shown to have forensic value. So far comparatively little evidence of investigation into the forensic properties of modern gaming consoles exists, if we consider how they can be utilised in an increasingly ‘PC-like’ manner, this is an area capable of proffering considerable amounts of data with evidentiary value in criminal or civil court proceedings.
Computer forensics is a relatively new discipline combining elements of law and computer science to collect and analyse data from computer systems, networks, wireless communications and storage devices in a way that is admissible as evidence in a courtroom. Gaming consoles now provide the kind of data which can undergo forensic analysis because of the addition of memory (both internal and external) capable of ‘storing’ data beyond mere computer game information.
With the addition of storage capabilities beyond simple game data (i.e. hard drives capable of storing music, video, pictures etc.) gaming consoles are able to utilise ‘web’ functionality and therefore will likely generate both ‘persistent’ and ‘volatile data’ with forensic value. With an increasing amount of media functionality gaming consoles are becoming ‘entertainment hubs’ within the average household.
The machines most likely to provide usable forensic data are the Xbox360 and PS3 and due to their prevalence in homes (combined sales figures for the UK are around six million units) these are the machines where a pattern of use would be similar to more readily accepted sources of forensic data (i.e. home computers).
Microsoft Xbox 360:
This gaming console can support external memory cards for game data and media storage, however these are infrequently utilised because of small size (both physically and in terms of data capacity). The most commonly used memory for the Xbox360 comes in the form of a detachable hard-drive ranging in size from twenty gigabytes to two-hundred and fifty gigabytes (allowing vast amounts of saved music, videos, photos etc.) and is essential in allowing online functionality on the machine. On an unmodified machine this online functionality refers to ‘Xbox live’, the online multiplayer gaming and digital media delivery service operated by Microsoft. This service allows users to:
• Download content from Xbox live
• Log onto and update social networking and media services such as Facebook, Twitter, Zune and Last.fm
• Add people to ‘friends lists’ for gaming and/or communication
• Send (unsolicited) text/picture/voice messages to other users
Many of the functions performed on the console have a time and date attributed to when the function was performed (or at least when it was last accessed or altered); this could potentially provide corroboration of a defendant’s location at a specified time. The communication possible through use of the Xbox live messaging system can provide evidence of illegal activity as messages are automatically stored for up to 30 days before deletion from the system, however all messages sent via Xbox live are retained on Microsoft servers and recoverable on any console the user profile is signed into, therefore any mention of a crime in a text or audio message would potentially be retrievable by a skilled investigator.
The functionality of the Xbox360 can be extended by modifying the internals to allow the playing of illegally downloaded software (piracy) or an operating system such as Linux could be installed and allow an Xbox360 to have almost all the functions of a PC (and associated data records of activity)
• Full access to the Internet (beyond mere Xbox live)
• Chat logs
• Pirated games
One important detail to note is that, at least from the outside, a modified console and an unmodified console can look exactly the same. While it is true that some members of the ‘modding’ community opt to apply various case modifications to their consoles, many do not, and therefore the console could be mistaken for a standard device.
Sony Playstation 3:
The PS3 is similar to the Xbox360 in terms of potential forensic viability. Large amounts of digital media can be stored on its hard drive, and the PlayStation Network (similar to Xbox live) allows users to send messages much in the same way as with the Xbox360.
There are two key differences between these consoles, firstly, the PS3 has full internet browsing capability ‘straight out of the box’, even an unmodified PS3 would contain more usable data in terms of Internet search history, downloads etc. on both the hard drive and the system ‘data cache’. Secondly, it was possible to install third party operating systems on the PS3 without any modification to the system to enable it; this is currently in dispute in the US courts as this feature was removed by Sony to help prevent software piracy on the machine. Regardless, installing a second operating system (for whatever purpose) is still possible, now requiring some hard drive modification to enable this function, allowing the PS3 almost all the functionality of a PC.
Motion Control – Move & Kinect:
In the final months of 2010 new functionality was added to the PS3 (Move) and the Xbox360 (Kinect), ‘Motion Control’. Using cameras and motion tracking software the console is able to interpret user body movement and replicate it ‘in game’. From an evidential point of view, this provides another type of data to be collected from a gaming console, practically this expands the scope of what data stored on these machines can be used for. The cameras are actually used to record the user of the motion control software at certain points of game activity this can be stored, this could be abused and used to send videos of underage children or obscene videos via Xbox live. The videos could also be used to capture suspects involved in criminal activity, with the videos having a date and time attached, analysis could determine a location, thereby corroborating or disproving the validity of a defendants claim as to their location at the time of an offence.
The Nintendo Wii currently boasts higher sales numbers than the Xbox360 and PS3 combined. It is seen as a gaming console for ‘non-gamers’ and has lower technical specifications than both of its competitors, as such it is less of target for modification, although data with forensic properties can still be extracted from it. The Nintendo Wii can utilize a first-party Opera-based web browser; bookmarks are retained, and may be worth noting. The Wii also retains a basic, daily log of system usage, and also keeps a contact list of added friends, as well as the messages those friends have sent. Also worth noting is that images may be sent over the player messaging system, which are then saved to the system flash storage or to an external SD (memory) card. As is true of most modern consoles, various distributions of Linux have been ported to the system (Wii Linux), meaning that it could be utilized in the same way as any desktop PC and should be treated as such.
Sony PlayStation Portable (PSP):
A portable game device can be defined as a gaming system that is small enough to be carried outside of the home and runs on batteries. While not as powerful as a console, portable game devices have made significant advances in power since their early days, and may now incorporate functions similar to PDAs. The PlayStation Portable may be used to access the Internet, store images and movies, and can be modified to run 3rd party operating systems, therefore forensic data is recoverable from the memory and ‘data cache’.
Nintendo DS / DSi / 3DS:
All Nintendo DS units can establish ad-hoc wireless connections to other units to utilize a player to player chat program called Pictochat. Pictochat has been used in the past by predators to lure children to them. The DSi incorporates an SD card reader, which may be used to hide illicit materials. The DSi also incorporates a 0.3 megapixel camera which can store images on its internal flash RAM or SD card.
Games Console Forensics in the Real World:
For illustration purposes here are a few real world instances of crimes involving gaming consoles, hopefully illustrating the need to investigate gaming consoles just as thoroughly as more traditional computer forensic targets.
An example of gaming consoles being used in the same manner as a PC and providing usable forensic data would be an incident that occurred in August 2010 in the USA whereby an Xbox live user based in Florida was discovered to have been soliciting naked pictures of a 10 year old boy also using the Xbox live messaging service. Officers recovered the defendants Xbox 360, two computers and a flash drive and discovered sixteen child-pornography images of various boys.
Folsom Police Detective Andrew Bates stated that “parents should realize gaming systems like Xbox and PlayStation, when connected to the internet, can be used as other technology, such as a computer or telephone; users can speak to one another, text, or send photos, thus making these systems another potential threat.”
Useful data recoverable from Xbox live was found in a case where a man surrendered himself to police after threatening a witness against him in an on-going criminal investigation, he was charged with tampering with a witness, intimidating a witness and two counts of second-degree harassment.
There are documented instances of unsolicited indecent images being sent via Xbox live and PlayStation Network, here a couple were sent a message from an unknown user account, upon opening it discovered it contained an indecent image of a young boy and immediately contacted the police. An investigation would be able to determine the time and date this image was received and whether or not it was solicited by the user receiving the image by retrieving previous communications.
N another incident a PS3 user persuaded an 11 year old girl to email him nude pictures of herself (which he subsequently forwarded on to contacts in other US states). No other devices were used to commit these offences and would potentially go undiscovered in an ordinary investigation.
On another occasion a man is accused of grooming several young girls over Xbox live; this was uncovered by the discovery of a mobile phone and recovery of Xbox360 data.
Considering the myriad of ways in which gaming consoles can now provide investigators with usable forensic data it is crucial that the potential rewards of forensic investigation of gaming machines are fully comprehended, and furthermore, that lawyers -whether prosecution or defence – find an expert witness with the necessary skills to support their case. It is possible to commit the types of offences typically associated with a PC on a gaming machine and it possible to retrieve data of equal significance from a gaming machine. Therefore correct seizure and investigation into of these devices should have equal priority alongside other digital storage and communication devices.