Expert Witness: Forensic Analysis of Game Consoles

Introduction:

In today’s average home, there are many potential sources of digital evidence, from the obvious home PCs and mobile phones to the less common pen drives and PDAs. All have been subject to close scrutiny by those involved in the legal process and by academics, as their properties have been shown to have forensic value. So far there has been comparatively little research into the forensic properties of modern game consoles; considering how they can be used in an increasingly ‘PC-like’ way, this is an area capable of offering considerable amounts of data with probative value in criminal or civil legal proceedings.

Computer forensics is a relatively new discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in court. Game consoles now provide the kind of data that can be subjected to forensic analysis due to the addition of memory (both internal and external) capable of ‘storing’ data beyond mere computer game information.

With the addition of storage capabilities beyond simple game data (i.e. hard drives capable of storing music, video, images, etc.), game consoles can use ‘web’ functionality and thus are likely to generate ‘persistent’ and ‘volatile’ data with forensic value. With an ever-increasing number of multimedia features, gaming consoles are becoming “entertainment hubs” within the average home.

The machines most likely to provide usable forensic data are the Xbox360 and PS3 and, due to their prevalence in homes (combined sales figures for the UK are around six million units), these are the machines in which a pattern of use would be similar to the most accepted forensic data sources (i.e. home computers).

Microsoft Xbox 360:

This game console can support external memory cards for game data and media storage; however, these are rarely used due to their small size (both physically and in terms of data capacity). The most commonly used memory for the Xbox360 comes in the form of a removable hard drive that ranges in size from twenty gigabytes to two hundred and fifty gigabytes (allowing large amounts of music, videos, photos, etc. to be stored) and is essential for enabling online functionality on the machine. On an unmodified machine, this online functionality refers to ‘Xbox Live’, the online multiplayer gaming and digital media delivery service operated by Microsoft. This service allows users to:

• Download Xbox Live content
• Sign in and update social networking and media services like Facebook, Twitter, Zune, and Last.fm
• Add people to ‘friend lists’ for gaming and/or communication
• Send (unsolicited) text/picture/voice messages to other users

Many of the functions performed on the console have a date and time attributed to when the function was performed (or at least when it was last accessed or modified); this could potentially provide corroboration of a defendant’s location at a specific time. Communication made possible through the Xbox Live messaging system may provide evidence of illegal activity, as messages are automatically stored for up to 30 days before being deleted from the system; however, all messages sent over Xbox Live are kept on Microsoft servers and can be retrieved on any console the user profile is logged in to, so any mention of a crime in a text or audio message could be retrieved by a skilled investigator.

The functionality of the Xbox360 can be extended by modifying the internals to allow the playing of illegally downloaded (pirated) software, or an operating system such as Linux can be installed, allowing an Xbox360 to have almost all the features of a PC (and the associated data and activity logs):

• Full Internet access (beyond Xbox Live)
• Email
• Chat logs
• Pirated games

An important detail to keep in mind is that, at least from the outside, a modified console and an unmodified console can look exactly the same. While it is true that some members of the ‘modding’ community choose to apply various case mods to their consoles, many do not and therefore the console could be mistaken for a standard device.

Sony PlayStation 3:

The PS3 is similar to the Xbox360 in terms of potential forensic viability. Large amounts of digital media can be stored on its hard drive, and PlayStation Network (similar to Xbox Live) allows users to send messages in the same way as with the Xbox360.

There are two key differences between these consoles. Firstly, the PS3 has full internet browsing capability ‘straight out of the box’, so even an unmodified PS3 would contain more usable data in terms of internet search history, downloads, etc., both on the hard drive and in the system ‘data cache’. Secondly, it was possible to install third-party operating systems on the PS3 without modifying the system to enable it; this is currently under dispute in US courts, as Sony removed this feature to help prevent software piracy on the machine. Regardless, it is still possible to install a second operating system (for whatever purpose), although this now requires some modification to the hard drive, giving the PS3 almost all the functionality of a PC.

Motion control – Move and Kinect:

In the last months of 2010 a new functionality, ‘Motion Control’, was added to the PS3 (Move) and Xbox360 (Kinect). Using cameras and motion-tracking software, the console can interpret the user’s body movement and replicate it ‘in-game’. From an evidentiary point of view, this provides another type of data to collect from a game console; in practice, it broadens the scope of what the data stored on these machines can be used for. The cameras are used to record the user of the motion control software at certain points in game activity, and these recordings can be stored; this could be abused to send videos of underage children or obscene videos over Xbox Live. The videos could also be used to capture suspects involved in criminal activity; with the videos having a date and time attached, analysis could determine a location, thus corroborating or refuting the validity of a defendant’s claim as to their location at the time of a crime.

Nintendo Wii:

The Nintendo Wii currently boasts higher sales figures than the Xbox360 and PS3 combined. It is seen as a ‘non-gamers’ game console and has lower technical specifications than its two competitors, making it less of a target for modification, although data with forensic properties can still be extracted. The Nintendo Wii can use its own web browser based on Opera; bookmarks are preserved and may be worth noting. The Wii also keeps a basic daily log of system usage and maintains a contact list of friends the user has added, as well as the messages those friends have sent. It is also worth noting that images can be sent via the player’s messaging system, which are then saved to the system’s flash storage or an external SD (memory) card. As with most modern consoles, various Linux distributions have been ported to the system (Wii Linux), meaning it could be used in the same way as any desktop PC and should be treated as such.

Sony PlayStation Portable (PSP):

A portable gaming device can be defined as a gaming system that is small enough to take outside the home and is battery powered. While not as powerful as a console, handheld gaming devices have made significant strides in power since their inception and can now incorporate PDA-like features. The PlayStation Portable can be used to access the Internet, store images and movies, and can be modified to run third-party operating systems, so forensic data can be retrieved from memory and the “data cache”.

Nintendo DS/DSi/3DS:

All Nintendo DS units can establish ad-hoc wireless connections with other units to use a player-to-player chat program called Pictochat. Pictochat has been used in the past by predators to lure children to them. The DSi incorporates an SD card reader, which can be used to hide illicit material. The DSi also features a 0.3 megapixel camera that can store images on its internal flash RAM or SD card.

Forensic analysis of game consoles in the real world:

For illustrative purposes, here are some actual cases of crime involving gaming consoles, hopefully illustrating the need to investigate gaming consoles as thoroughly as more traditional computer forensics targets.

An example of game consoles being used in the same way as a PC and providing usable forensic data would be an incident that occurred in August 2010 in the US involving a one-year-old boy who also uses the Xbox Live messaging service. Officers recovered the defendants’ Xbox 360, two computers and a flash drive and discovered sixteen child pornography images of multiple children.

Folsom Police Detective Andrew Bates stated, “Parents need to realize that gaming systems like Xbox and PlayStation, when connected to the Internet, can be used like other technology, like a computer or phone; users can talk to each other, send text messages or send photos, making these systems another potential threat.”

Useful recoverable Xbox Live data was found in a case where a man turned himself in to police after threatening a witness against him in an ongoing criminal investigation. He was charged with tampering with a witness, intimidating a witness and two counts of second-degree harassment.

There are documented cases of unsolicited indecent images being sent over Xbox Live and PlayStation Network. In one, a couple was sent a message from an unknown user account and, upon opening it, found that it contained an indecent image of a child; they were shocked and immediately contacted the police. An investigation could determine the time and date this image was received and, by retrieving previous communications, whether or not the user who received it had requested it.

In another incident, an 11-year-old girl was persuaded by a PS3 user to email him nude photos of herself (which he then forwarded to contacts in other US states). No other device was used to commit these crimes, which could go undetected in an ordinary investigation.

On another occasion, a man was accused of manipulating several girls on Xbox Live; this was uncovered through mobile phone discovery and Xbox360 data recovery.

Considering the myriad ways in which gaming consoles can now provide investigators with usable forensic data, it is crucial that the potential rewards of gaming machine forensics are fully understood and, more so, that attorneys, whether for the prosecution or the defense, find an expert witness with the necessary skills to support their case. It is possible to commit the types of crimes typically associated with a PC on a gaming machine, and it is possible to recover data of equal importance from a gaming machine. Therefore, the proper seizure and investigation of these devices should be given the same priority as other digital storage and communication devices.
