Sunday, 24 October 2010

Removing the Xbox 360 Hard drive

In order to investigate the hard drive I will need to remove it from its case. It's quite an easy task, but I will still show how it's done.

DISCLAIMER: BY REMOVING THE XBOX 360 HARD DRIVE FROM ITS CASE YOU WILL BE VOIDING THE WARRANTY ON THE HARD DRIVE. YOU HAVE BEEN WARNED.

What's needed:
  • T-6 TORX screwdriver
  • T-10 TORX screwdriver
  • Antistatic strap or other means of grounding yourself/discharging static before starting



Remove the hard drive unit from the top of the console. Turn the hard drive unit upside down and place it on a flat surface so the screws and the hard drive connection can be seen.




Using a T-6 TORX screwdriver, remove the four screws (one screw is under the Microsoft label in the corner). Note: removing this label invalidates the warranty on the item. Gently separate the top from the chrome bottom; the button, spring and catch may drop off, so remove them when you come across them to avoid losing them, and reattach them on reassembly.



Put the chrome piece to one side, take the other piece and turn it over so you can see the metal case the hard drive is in. Next, remove the four screws with a T-10 TORX screwdriver and lift the metal cover off from the button end.



Now, disconnect the SATA/power cable; move the hard drive down slightly from the connector and then slide the connector off the hard drive. With one hand holding the sides of the plastic piece beneath the metal case in the middle, pull the side down where the hard drive can slide out. Carefully tilt so the hard drive slides to the edge.



Now slide the hard drive all the way out and the hard drive should be fully removed.



Now I can take an image of the drive.

Reassemble in reverse order, not forgetting to reattach the catch, spring, button and hard drive connector.

Saturday, 23 October 2010

Project shift of focus

In order for my final year project to be viable I will be focusing more on how the Xbox 360 file system works and looking at Xbox 360 specific artefacts that are created through the use of an unmodified Xbox 360.

The information gathered from this will allow me to build a list of artefacts that could be considered known; for example, default installation files or system updates. Creating a list of known files would cut the number of files that need to be searched, reducing the time and money spent trying to obtain evidence.

I will be creating a comprehensive user manual for investigators that are performing an Xbox 360 investigation.

I may also look for artefacts left from other applications that run on the Xbox 360 console mentioned in the previous post.

This is a brief description; I am yet to perform a MoSCoW (Must have, Should have, Could have, Won't have but would like in the future) analysis for my project.
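The known-file filtering described in this post, sketched as an added example (not the author's code or tooling): files extracted from a reference image of an unmodified console are hashed, and evidence files with matching content are set aside. The directory layout, file names and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large extracted files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def walk_files(root):
    """Yield (path relative to root, full path) for every file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full

def build_known_set(baseline_root):
    """Digests of all files extracted from the reference (unmodified) image."""
    return {sha256_file(full) for _rel, full in walk_files(baseline_root)}

def triage(evidence_root, known):
    """Split evidence files into (to_review, filtered) by content hash, not name."""
    to_review, filtered = [], []
    for rel, full in sorted(walk_files(evidence_root)):
        (filtered if sha256_file(full) in known else to_review).append(rel)
    return to_review, filtered

def demo():
    """Constructed sample trees; names and contents are invented for illustration."""
    layout = {
        "baseline": {"system/update.bin": b"stock update", "system/dash.cfg": b"default"},
        "evidence": {
            "system/update.bin": b"stock update",       # identical to baseline
            "system/dash.cfg": b"default + user edit",  # known name, changed content
            "cache/renamed.tmp": b"default",            # known content, new name
            "profile/save.dat": b"user game save",      # absent from baseline
        },
    }
    with tempfile.TemporaryDirectory() as tmp:
        for tree, files in layout.items():
            for rel, data in files.items():
                path = os.path.join(tmp, tree, *rel.split("/"))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
        known = build_known_set(os.path.join(tmp, "baseline"))
        return triage(os.path.join(tmp, "evidence"), known)
```

Because matching is on content, a file that keeps a known name but has changed stays in the review set, while known content under a new name is still filtered.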

Tuesday, 19 October 2010

Creating and gathering artefacts

I will be carrying out a number of experiments to determine if artefacts are created by carrying out certain actions on the Xbox 360; if artefacts are created I intend to locate the artefacts and find out what they mean.

What may generate artefacts?
  1. Use of Facebook
  2. Use of Twitter
  3. Use of Windows Messenger
  4. Using Xbox Live
  5. Using Windows Media Center
  6. Logging into console/signing in
  7. Playing on games; game saves

I will need to acquire an image of the Xbox 360 hard drive after performing an action on the console that I suspect will create artefacts. So I need a way to take an image of the Xbox hard drive; I will also need to identify a forensically sound method of doing this.

I will also see what artefacts are created on USB drives used on the Xbox 360. I will see if, by removing the hard drive, the USB drive is used as an alternative, causing artefacts to be created on the device. The USB drive will also be used in conjunction with the hard drive. As with the hard drive, I will need a way to image the USB drive in a forensically sound manner.

A network/packet sniffer could be used to monitor the packets sent to and from the console when performing certain experiments. Information may be able to be gathered from analysing the packets; if a network was under surveillance this information could help to determine that a console is being used and the actions being performed on the console.

The Xbox 360 can communicate with other PCs on the network; this means artefacts could be left on the computer that is communicating with the console (for example by using Windows Media Center). The computer's hard drive can be imaged and searched for artefacts.

Wednesday, 13 October 2010

Final year project - Xbox 360 investigation

Hello, my name is Matt Walker and I am in the final year of my forensic computing degree at UCLAN. As you may have gathered, this blog is to do with Xbox 360 forensics. I have created this blog to aid me with keeping track of my findings and my progress for my final year project. Also, if anyone else is interested in console forensics, they may find this useful. Feel free to comment.

Why am I investigating an Xbox 360 for my final year project?
Today's game consoles are much more complex than they have previously been. Game consoles used to be bought for one thing: playing games. However, consoles are now much more powerful and can be used for more than just gaming. Consoles can quite easily play a role in certain crimes and may be overlooked as a source of intelligence.

What will the outcomes of this project be?
  • To find out how the Xbox 360 file system works.
  • Gain greater knowledge on how the Xbox 360 console works.
  • Identify Xbox 360 specific artefacts and their meaning/purpose.
    • Identify common artefacts that are of little interest to an examiner (Known Xbox 360 files)
  • Find out if artefacts are created from the use of applications and services on the console.
    • If these artefacts do exist, then find the location of them and attempt to make sense of what information has been obtained.
  • I will use various methods for acquiring evidence and make an analysis of each one to determine what can be gained from each method and which is most effective.
  • The importance of Xbox 360 investigations.