A Practitioners Guide to Xbox 360 Forensics

Dr. Ashley Podhradsky, Dr. Rob DOvidio, and Cindy Casey

Drexel University
 Individuals are utilizing non-traditional devices to perform tasks once completed
by PCs

These devices are increasingly becoming both the target and means of criminal
activity

Digital forensic community tasked with creating new ways of analyzing non-
traditional devices

No longer feasible to examine devices exercising electronic ethnocentricity -

using computers to measure where data is, and how it should be structured or
stored

As devices advance, so must the examiners methodologies

Digital investigators may need to think outside the box when examining devices
like gaming consoles and other non-traditional devices- Creativity and Innovation
are essential!
 Media reports document the involvement of
gaming consoles in a variety of crimes:

Child Exploitation
Drug Trafficking
Piracy
Stalking / Harassment
Cracking/Hacking
Identity theft
Credit Card Fraud
Phishing
 The Xbox 360 is not only similar to a personal
computer - it is actually more powerful
Detachable 250GB hard drive

IBM customized power PC-based CPU containing three

symmetrical cores each capable of running 3.2 GHz

512 MB GDDR3 RAM

700 MHz DDR (theoretically supplying a swift 1400 MB per

second maximum bandwidth) memory
Photos Browser history Credit Card

Pirated Media Buddy List Buddy

Communication
Chat Logs Email Instant Messages
IP Address Shares Session Start/End
Times

Software accessed Profiles

 Identify and acquire digital drives and/or
removable media
Understand the file structure and OS of Xbox
360 (FATX)
Research available tools for analysis
Identify native data vs user data
Identify what, if any, data could be extracted
forensically for criminal or misuse purpose
Identify any potential OOV for volatile data
 Commercial Tools Open-Source Tools

XFT 2.0 New Developed by Modio

David Collins, Sam Houston Xplorer360
State University, Distributed
by Protowise Labs wxPirs

EnCase v6 Digital Forensic Framework

(DFF)
Forensic Toolkit 3.1 (FTK)
Hex Editor XV132
Data Rescues DD (DrDD)
ProDiscover Basic
FTK Imager
 The Investigative Process

Consoles examined for signs of modification none noted

Drives extracted using T10 and T4 Torx wrenches
Hard drives indiscriminately numbered to preserve objectivity
No difficulty encountered accessing data due to locked drives
Pre and post Md5 and SHA-1 hashes were recorded for validation
purposes
Drives accessed using a USB 2.0 SATA adaptor and 50/60 Hz
power supply cable
Software write-blocking was utilized to prevent altering data
 Offshoot of the more familiar FAT32

FATX does not contain the backup

boot or file system information
sectors found in FAT32

FATX does not support Unicode

Xbox 360 designed primarily for

entertainment as opposed to
productivity
Xbox 360 Partitions as viewed in Modio
 EnCase Credit Card Hit

The Identification Number identified this as a Bank of America Discover Card

EnCase looks for numbers encoded with ASCII digit characters that match
valid credit card company identifiers
These numbers are then run against the Luhr formula (an algorithm used
to validate credit cards and social security numbers)
 Xplorer360 Gamer Modification Tool

Saved Game File with Users Name

Open source utility that enables gamers to open and view, edit, or export
data from their Xbox hard drives through their PC
Useful for initial analysis
Failed to show Partition 1
 FTK Imager

Profile saved data revealing a users name as seen in FTK Imager

After the drives contents were opened and dumped using Xplorer360,
the extracted files were opened in FTK Imager for analysis
Partition3\$SystemUpdate\su20076000_00000000 (August 2007
Update) extracted from Modio as viewed in wxPirs

Microsoft updates of August 2007 and 2009 overwrote the first stage
boot loader to prevent console modifications (referred to by gamers as
Homebrew Lockout)
Makes it difficult to analyze systems bootstrapping process and
subsequent drive structure
Xbox contains a secret boot block (Huang, MIT 2001)
 XFT 2.0 Xbox Cache

User's friend's list containing gamer tags of other players

Can establish connection between users for law enforcement
Poses risk to anyone in contact with user of compromised system
Gamer tags can be searched through online gamer databases and
social networking sites for more information about player
 Each time data is accessed through the program, it is
logged in a file until the case is manually is closed
Helps ensure findings are admissible in a court of law
 XFT 2.0

XFT enables recovering deleted files but not viewing their contents

Useful for law enforcement agencies in cases involving child

sexual exploitation where the hash values obtained can be
compared against known values from the CVIP (Child Victim
Identification Program) database
 Extracted Marketplace Database

Viewed in Notepad
Strings of text in German, Italian, and French discovered International
Marketplace or Security through Obscurity?
Further demonstrations of user information in plain text while Microsoft
proprietary data is encrypted
 Sector 4 ProDiscover Basic

On all drives - JOSH, followed by digits and a date:

Possible Digital ID
Microsoft numbering or cataloging scheme
Developers signature (i.e.; Joshua Gilpatrick, Microsoft Xbox
Program Manager)
 Microsoft defines three categories of NAT (Network
Address Translation) on their consoles -open,
moderate, and closed
First sector to contain data is sector 1, although
previous research concluded first data is found on
sector 4
Partition 1was viewable in Modio, but not in
Xplorer360
Drive information (i.e.: type, serial number) located
in sector 10
 Findings
One sample contained a second set of Xbox files-
possibly for backward compatibility or the result of
two merged drives
Drives mounted to PC running Linux can be
searched using common Linux commands such as
grep
Data recovered -cache with buddy list, 2 user
names, partial or abbreviated city name, credit card
number, user gamer tags
 Ashley Podhradsky, D. Sc., is an Assistant Professor in the Computing and
Security Program at Drexel University. Dr. Podhradsky teaches and conducts
research in digital forensics and information security. Her research has been
recognized in academic conferences and journals within the U.S. and
internationally.

Dr. Rob DOvidio is an Assistant Professor at Drexel University, where he

teaches for the Criminal Justice Program and directs Drexels research
program in computer crime and digital forensics. Dr. D'Ovidio has worked
with the New York City Police Department and Philadelphia Police
Department on research projects involving computer crime.

Cindy Casey has an A.A.S. in computer forensics and completed her

internship with the Montgomery Country District Attorneys Offices
Computer Crime Unit. Ms. Casey, a student of Dr. Podhradsky, is currently
enrolled in the Computing and Security Technology program at Drexels
Goodwin College of Technology and Professional Studies.