Monday, 15 November 2010

Xbox 360 hard drive acquisition

Today I am going to take an image of the Xbox 360 hard drive in a forensically sound manner. I will be attempting to take an image of the hard drive whilst it is connected to a write blocker.

What I am using;
  • FTK imager v2.9.0.1385 - this will be used to acquire an image of the hard drive.
  • Tableau t3u - this write blocker will be used to prevent the drive being written to.
  • SATA data and power cables - to connect the hard drive to the write blocker.
  • External drive - this will be the destination of the image created.
  • Torx 6,8 screwdriver - used to remove hard drive (Xbox 360 hard drive removal steps).
  • Xbox 360 hard drive (20GB).
FTK imager can create different types of acquisition images. The types I will try are 'dd' and 'E01'. A dd image is a bit-by-bit copy of the device and is compatible with multiple forensic applications. An E01 image is an EnCase evidence file; this is also a copy of the device, but the file includes metadata that can store case details and integrity data such as the MD5 hash and CRCs for the image. For more information on disk image storage formats have a look here.

Before I can attempt to take an image of the hard disk it has to be removed. Once removed it can be connected to the Tableau T3u write blocker (connection guide) and then connected to the computer via USB. Now that the hard drive is appropriately connected the device can be imaged.

E01 image steps;
  1. Open FTK imager
  2. Click on File > Create disk image
  3. Select the source type (physical drive) and the image source (Xbox hard drive)
  4. Click Add...
  5. Select type 'E01'
  6. Enter case details
  7. Select the destination (external hard drive)
  8. Leave defaults; compression and fragment size
  9. Ensure verify is selected then click start
  10. The imaging process now starts; when imaging is complete allow it to verify and once done click close.
The image of the hard drive was created successfully and was verified; the image of the device is the same as the hard drive. 

The steps for creating a 'dd' image are very similar;

  1. Open FTK imager
  2. Click on File > Create disk image
  3. Select the source type (physical drive) and the image source (Xbox hard drive)
  4. Click Add...
  5. Select type 'dd'
  6. Enter case details
  7. Select the destination (external hard drive)
  8. Leave defaults; compression and fragment size*
  9. Ensure verify is selected then click start
  10. The imaging process now starts; when imaging is complete allow it to verify and once done click close.
The image of the hard drive was created successfully and was verified; the image of the device is the same as the hard drive.

Now that I have an image of the Xbox 360 hard drive I can begin to examine it.

*In order to get a single image as opposed to a split image set the fragment size to 0. Do this only if the file system supports the file size.
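To make the verify step and the integrity data concrete, here is an added Python example (not from the original post, and not FTK imager's or EnCase's own code) that models an acquisition of a constructed stand-in for the drive: it records a whole-image MD5 and a CRC32 per chunk, writes the image either as a single file (fragment size 0, as in the footnote) or as a split image, and then verifies the copy. The 64 KiB chunk size and the fragment size are assumptions chosen for the example.

```python
import hashlib
import zlib

CHUNK_SIZE = 64 * 1024  # assumed chunk granularity for the per-chunk CRCs (not E01's real value)


def constructed_device(size: int = 1024 * 1024) -> bytes:
    """Deterministic stand-in for the drive contents (constructed test data, not a real image)."""
    return bytes((i * 31 + 7) & 0xFF for i in range(size))


def acquire(device: bytes, fragment_size: int = 0):
    """Model an acquisition: hash the whole device (MD5, as the imager reports),
    record a CRC32 per chunk (the E01 idea of per-chunk integrity data) and
    store the image as one piece (fragment_size == 0) or as fragment_size-byte
    pieces, i.e. a split image. Returns (fragments, md5_hex, chunk_crcs)."""
    md5_hex = hashlib.md5(device).hexdigest()
    chunk_crcs = [zlib.crc32(device[i:i + CHUNK_SIZE])
                  for i in range(0, len(device), CHUNK_SIZE)]
    if fragment_size <= 0:
        fragments = [device]
    else:
        fragments = [device[i:i + fragment_size]
                     for i in range(0, len(device), fragment_size)]
    return fragments, md5_hex, chunk_crcs


def verify(fragments, md5_hex: str, chunk_crcs):
    """Reassemble the fragments and compare them with the recorded integrity data.
    Returns (True, None) when the image matches the source; otherwise (False, idx)
    where idx is the first chunk whose CRC differs (None if only the MD5 disagrees)."""
    data = b"".join(fragments)
    if hashlib.md5(data).hexdigest() == md5_hex:
        return True, None
    for idx, expected in enumerate(chunk_crcs):
        actual = zlib.crc32(data[idx * CHUNK_SIZE:(idx + 1) * CHUNK_SIZE])
        if actual != expected:
            return False, idx  # the per-chunk CRCs localise the damage
    return False, None


if __name__ == "__main__":
    device = constructed_device()
    single, md5_hex, crcs = acquire(device)               # single image, fragment size 0
    split, _, _ = acquire(device, fragment_size=300_000)  # split image, four pieces
    print("single image verified:", verify(single, md5_hex, crcs))
    print("split image verified: ", verify(split, md5_hex, crcs))
    damaged = bytearray(device)
    damaged[70_000] ^= 0x01                               # one flipped bit inside chunk 1
    print("damaged image verified:", verify([bytes(damaged)], md5_hex, crcs))
```

The MD5 tells you whether the image matches the source at all; the per-chunk CRCs tell you where a mismatch is, which is why the E01 container carries both.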

Sunday, 24 October 2010

Removing the Xbox 360 Hard drive

In order to investigate the hard drive I will need to remove the hard drive from its case; it's quite an easy task but still, I will show how it's done.

DISCLAIMER: BY REMOVING THE XBOX 360 HARD DRIVE FROM ITS CASE YOU WILL BE VOIDING THE WARRANTY ON THE HARD DRIVE:- YOU HAVE BEEN WARNED.

What's needed;
  • T-6 TORX Screw Driver
  • T-10 TORX Screw Driver
  • Antistatic strap or other means of grounding yourself/discharging static before starting

Remove the hard drive unit from the top of the console. Turn the hard drive unit upside down and place it on a flat surface so the screws and the hard drive connection can be seen.

Using a T-6 TORX screwdriver remove the four screws (one screw is under the Microsoft label in the corner). Note: removing this label invalidates the warranty on the item. Gently separate the top from the chrome bottom; the button, spring and catch may drop off. Remove them when you come across them to avoid losing them, and reattach them on reassembly.

Put the chrome piece to one side, take the other piece and turn it over so you can see the metal case the hard drive is in. Next, remove the four screws with a T-10 TORX screwdriver and lift the metal cover off from the button end.

Now, disconnect the SATA/power cable: move the hard drive down slightly from the connector and then slide the connector off the hard drive. With one hand holding the sides of the plastic piece beneath the metal case in the middle, pull the side down so the hard drive can slide out. Carefully tilt it so the hard drive slides to the edge.

Now slide the hard drive all the way out and the hard drive should be fully removed.

Now I can take an image of the drive.

Reassemble in reverse order, not forgetting to reattach the catch, spring, button and hard drive connector.

Saturday, 23 October 2010

Project shift of focus

In order for my final year project to be viable I will be focusing more on how the Xbox 360 file system works and looking at Xbox 360 specific artefacts that are created through the use of an unmodified Xbox 360.

The information gathered from this will allow me to build a list of artefacts that could be considered known; for example these could be default installation files or system updates. Creating a list of known files would cut the number of files that need to be searched, reducing the time and money spent trying to obtain evidence.

I will be creating a comprehensive user manual for investigators that are performing an Xbox 360 investigation.

I may also look for artefacts left from other applications that run on the Xbox 360 console mentioned in the previous post.

This is a brief description; I am yet to perform a MoSCoW (Must have, Should have, Could have, Won't have but would like in the future) analysis for my project.

Tuesday, 19 October 2010

Creating and gathering artefacts

I will be carrying out a number of experiments to determine if artefacts are created by carrying out certain actions on the Xbox 360; if artefacts are created I intend to locate the artefacts and find out what they mean.

What may generate artefacts?
  1. Use of Facebook
  2. Use of Twitter
  3. Use of Windows messenger
  4. Using Xbox live
  5. Using Windows media center
  6. Logging into console/signing in
  7. Playing on games; game saves

I will need to acquire an image of the Xbox 360 hard drive after performing an action on the console that I suspect will create artefacts. So I need a way to take an image of the Xbox hard drive, and I will also need to identify a forensically sound method of doing this.

I will also see what artefacts are created on USB drives used on the Xbox 360. I will see whether, with the hard drive removed, the USB drive is used as an alternative, causing artefacts to be created on the device. The USB drive will also be used in conjunction with the hard drive. As with the hard drive, I will need a way to image the USB drive in a forensically sound manner.

A network/packet sniffer could be used to monitor the packets sent to and from the console when performing certain experiments. Information may be gathered from analysing the packets; if a network was under surveillance, this information could help to determine that a console is being used and which actions are being performed on it.

The Xbox 360 can communicate with other PCs on the network, which means artefacts could be left on the computer that is communicating with the console (for example by using Windows Media Center). The computer's hard drive can be imaged and searched for artefacts.

Wednesday, 13 October 2010

Final year project - Xbox 360 investigation

Hello, my name is Matt Walker and I am in the final year of my forensic computing degree at UCLAN. As you may have gathered, this blog is to do with Xbox 360 forensics. I have created this blog to aid me with keeping track of my findings and my progress for my final year project. But also, if anyone else is interested in console forensics they may find this useful - feel free to comment.

Why am I investigating an Xbox 360 for my final year project?
Today's game consoles are much more complex than they have previously been. Game consoles used to be bought for one thing: playing games. However, consoles now are much more powerful and can be used for more than just gaming. Consoles can quite easily play a role in certain crimes and may be overlooked as a source of intelligence.

What will the outcomes of this project be?
  • To find out how the Xbox 360 file system works.
  • Gain greater knowledge on how the Xbox 360 console works.
  • Identify Xbox 360 specific artefacts and their meaning/purpose.
    • Identify common artefacts that are of little interest to an examiner (Known Xbox 360 files)
  • Find out if artefacts are created from the use of applications and services on the console.
    • If these artefacts do exist, then find their location and attempt to make sense of the information that has been obtained.
  • I will use various methods for acquiring evidence and make an analysis of each one to determine what can be gained from each method and which is most effective.
  • The importance of Xbox 360 investigations.