Monday, 15 November 2010

Xbox 360 hard drive acquisition

Today I am going to take an image of the Xbox 360 hard drive in a forensically sound manner. I will be imaging the hard drive while it is connected through a write blocker, so that nothing on the source drive can be modified during acquisition.

What I am using;
  • FTK Imager v2.9.0.1385 - this will be used to acquire an image of the hard drive.
  • Tableau T3u - this write blocker will be used to prevent the drive being written to.
  • SATA data and power cables - to connect the hard drive to the write blocker.
  • External drive - this will be the destination of the image created.
  • Torx T6 and T8 screwdrivers - used to remove the hard drive from its enclosure (Xbox 360 hard drive removal steps).
  • Xbox 360 hard drive (20GB).
FTK Imager can create different types of acquisition images. The types I will try are 'dd' and 'E01'. A dd (raw) image is a bit-by-bit copy of the device with no header or metadata, and is readable by almost every forensic application. An E01 image is an EnCase evidence file; it is also a copy of the device, but the format wraps the data in a container that stores case metadata and integrity data, namely a CRC for each block of data and an MD5 hash of the whole acquisition, and the data can optionally be compressed. For more information on disk image storage formats have a look here.

Before I can attempt to take an image of the hard disk it has to be removed from the console and from its plastic enclosure. Once removed it can be connected to the Tableau T3u write blocker (connection guide) with the SATA data and power cables, and the write blocker is then connected to the computer via USB. Now that the hard drive is connected through the write blocker the device can be imaged.

E01 image steps;
  1. Open FTK imager
  2. Click on File > Create disk image
  3. Select the source type (physical drive) and the image source (Xbox hard drive)
  4. Click Add...
  5. Select type 'E01'
  6. Enter case details
  7. Select the destination (external hard drive)
  8. Leave compression and fragment size at their defaults
  9. Ensure verify is selected then click start
  10. The imaging process now starts; when imaging is complete allow it to verify and once done click close.
The image of the hard drive was created successfully and was verified: the hashes computed over the finished image match the hashes computed from the source drive, so the image is an exact copy of the hard drive.

The steps for creating a 'dd' image are very similar;

  1. Open FTK imager
  2. Click on File > Create disk image
  3. Select the source type (physical drive) and the image source (Xbox hard drive)
  4. Click Add...
  5. Select type 'dd'
  6. Enter case details
  7. Select the destination (external hard drive)
  8. Leave the fragment size at its default* (compression is only available for E01, so it cannot be set for a dd image)
  9. Ensure verify is selected then click start
  10. The imaging process now starts; when imaging is complete allow it to verify and once done click close.
The image of the hard drive was created successfully and was verified: as with the E01 image, the hashes of the image match the hashes of the source drive.

Now that I have an image of the Xbox 360 hard drive I can begin to examine it.

*In order to get a single image file as opposed to a split image (a set of numbered fragments) set the fragment size to 0. Do this only if the destination file system supports a file of that size: FAT32 cannot store a file of 4GB or larger, so a 20GB drive imaged to a FAT32 external drive must be split, whereas NTFS can hold the whole image as one file.
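The two procedures above both end with FTK Imager verifying the image, and the footnote raises the question of when a split image is unavoidable. The following Python script is an added example and is not part of the original post or of FTK Imager; it shows what that verification amounts to for a raw (dd) image. It hashes a fragment set in order (MD5 and SHA-1, streamed so a 20GB image is not read into memory), compares the result with the hashes recorded for the source, and decides whether a given destination file system forces fragmenting. The fragment naming (`<base>.001`, `.002`, ...) and the `MD5 checksum:` / `SHA1 checksum:` log lines are assumptions about FTK Imager's output; the "drive" it images is constructed in a temporary directory so the script runs offline.

```python
import hashlib
import os
import re
import tempfile

# Assumed fragment naming for a split raw image: <base>.001, <base>.002, ...
FRAGMENT_RE = re.compile(r"^(?P<base>.+)\.(?P<num>\d{3})$")

# Largest single file each destination file system can hold. FAT32 stops at
# 4 GiB - 1 byte, which is why a 20GB drive must be split there; NTFS and
# ext4 impose no limit that matters at this scale (None).
FS_MAX_FILE = {"fat32": 2**32 - 1, "ntfs": None, "ext4": None}


def needs_fragmenting(image_bytes, fs_type):
    """True when a single-file image of image_bytes would not fit on fs_type."""
    limit = FS_MAX_FILE[fs_type.lower()]
    return limit is not None and image_bytes > limit


def fragment_paths(directory, base):
    """Ordered, gap-checked list of <base>.001, <base>.002, ... in directory."""
    found = []
    for name in os.listdir(directory):
        m = FRAGMENT_RE.match(name)
        if m and m.group("base") == base:
            found.append((int(m.group("num")), os.path.join(directory, name)))
    if not found:
        raise FileNotFoundError(f"no fragments for {base} in {directory}")
    found.sort()
    nums = [n for n, _ in found]
    if nums != list(range(1, len(nums) + 1)):   # a missing fragment silently breaks the hash
        raise ValueError(f"fragment set is not contiguous: {nums}")
    return [p for _, p in found]


def hash_stream(paths, chunk_size=1 << 20):
    """MD5 and SHA-1 over the concatenation of paths, read chunk by chunk."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for p in paths:
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(chunk_size), b""):
                md5.update(chunk)
                sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def parse_ftk_log(text):
    """Pull hashes out of lines like ' MD5 checksum: <hex>' (assumed log format)."""
    out = {}
    for algo in ("md5", "sha1"):
        m = re.search(rf"{algo} checksum:\s*([0-9a-fA-F]+)", text, re.IGNORECASE)
        if m:
            out[algo] = m.group(1).lower()
    return out


def verify_image(directory, base, expected):
    """Per-algorithm match between the fragment set and the expected hashes."""
    actual = hash_stream(fragment_paths(directory, base))
    return {algo: actual[algo] == digest for algo, digest in expected.items()}


def demo(drive_size=1 << 20, fragment_size=400 * 1024):
    """Image a constructed 1 MiB 'drive' as fragments, verify it, then tamper with it."""
    # Constructed, deterministic source data standing in for the write-blocked drive.
    drive = b"".join(hashlib.sha512(i.to_bytes(4, "big")).digest()
                     for i in range(drive_size // 64))
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "physicaldrive")
        with open(src, "wb") as f:
            f.write(drive)
        source = hash_stream([src])               # hashes of the source device
        for i in range(0, len(drive), fragment_size):   # write the split image
            with open(os.path.join(d, f"xbox.{i // fragment_size + 1:03d}"), "wb") as f:
                f.write(drive[i:i + fragment_size])
        log = f" MD5 checksum: {source['md5']}\n SHA1 checksum: {source['sha1']}\n"
        verified = verify_image(d, "xbox", parse_ftk_log(log))
        # Flip one byte in the last fragment: verification must now fail.
        last = fragment_paths(d, "xbox")[-1]
        with open(last, "r+b") as f:
            f.seek(10)
            b = f.read(1)
            f.seek(10)
            f.write(bytes([b[0] ^ 0xFF]))
        tampered = verify_image(d, "xbox", parse_ftk_log(log))
    fragments = len(range(0, len(drive), fragment_size))
    return {"fragments": fragments, "verified": verified, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
    print("20GB on FAT32 needs fragments:", needs_fragmenting(20 * 10**9, "fat32"))
```

Re-hashing the finished image independently of the imaging tool, and keeping that hash with the case notes, is what lets you show later that the image has not changed; the contiguity check in `fragment_paths` matters because a fragment set with a missing piece still hashes to something, just not to the source.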
