XBOX 360 Forensics is a complete investigation guide for the XBOX game console. Because the XBOX 360 is no longer just a video game console - it streams movies, connects with social networking sites and chatrooms, transfers files, and more - it just may contain evidence to assist in your next criminal investigation. The digital forensics community has already begun to receive game consoles for examination, but there is currently no map for you to follow as there may be with other digital media. XBOX 360 Forensics provides that map and presents the information in an easy-to-read, easy-to-reference format.
This book is organized into 11 chapters that cover topics such as Xbox 360 hardware; XBOX LIVE; configuration of the console; initial forensic acquisition and examination; specific file types for Xbox 360; Xbox 360 hard drive; post-system update drive artifacts; and XBOX Live redemption code and Facebook.
This book will appeal to computer forensic and incident response professionals, including those in federal government, commercial/private sector contractors, and consultants.
- Game consoles are routinely seized and contain evidence of criminal activity
- Author Steve Bolt wrote the first whitepaper on XBOX investigations
Table of Contents
- Front Cover
- XBOX 360 Forensics
- Copyright
- Dedication
- Table of Contents
- Acknowledgments
- About the Author
- Chapter 1. The XBOX 360: Why We Need to Be Concerned
  - Introduction
  - The XBOX 360
  - Criminal Uses of the XBOX 360
  - Poor Man's Virtual Reality Simulator
  - Summary
  - References
- Chapter 2. XBOX 360 Hardware
  - Getting Started with the XBOX 360
  - Technical Specifications
  - Hard Drive Disassembly
  - Summary
  - References
- Chapter 3. XBOX Live
  - Introduction
  - What Is XBOX Live?
  - Creating an XBOX Live Account and Getting Connected
  - Creating a Live Account
  - Summary
  - References
- Chapter 4. Configuration of the Console
  - Introduction
  - Getting Started
  - Network Configuration and Gamertag Recovery
  - Tour of the Dashboard, Profile Creation, and Gamertag Configuration
  - Connecting to XBOX Live
  - Joining XBOX Live
  - Summary
- Chapter 5. Initial Forensic Acquisition and Examination
  - Imaging the Console Hard Drive
  - A First Look at the Contents of the Drive
  - Additional Information Located on the Drive
  - Summary
  - References
- Chapter 6. XBOX 360-Specific File Types
  - XBOX Content
  - Summary
  - References
- Chapter 7. XBOX 360 Hard Drive
  - Initial Differences
  - Examination of the Post-System Updated Drive
  - PIRS Files After the Initial System Update
  - CON and LIVE File Examination
  - New Images Added After the System Update
  - Other Artifacts
  - Summary
- Chapter 8. Post-System Update Drive Artifacts
  - Examining the XBOX 360 Hard Drive Using Xplorer360
  - Getting Started
  - Xplorer360 and the Post-System Update Drive
  - Cache Folder
  - Content Folder
  - Mindex Folder
  - Summary
  - References
- Chapter 9. XBOX Live Redemption Code and Facebook
  - XBOX Live
  - Redeeming the Prepaid Card
  - Facebook
  - XBOX Live Facebook Artifacts
  - Xplorer360 and Facebook
  - Summary
  - Reference
- Chapter 10. Game Play
  - Gaming
  - Game Artifacts
  - Xplorer360 and Game Artifacts
  - Cache Folder Analysis
  - XBOX Live Friends
  - Other Cache Files
  - Content Folder Changes
  - Summary
- Chapter 11. Additional Files and Research Techniques
  - Introduction
  - Additional Files player_configuration_cache.dat and preferences.dat
  - Network Traffic Examination
  - Network Capture Box
  - Decompiling XEX Files
  - Additional Tools Available for Analysis
  - Summary
  - Reference
- Appendix A. Tools Used in This Research
  - Guidance Software's EnCase v. 6.16.2 (Forensic Application)
  - IDA Pro v. 6 (Used for Decompiling Files and Debugging)
  - X-Ways Forensic v. 15.5 SR 4 (Forensic Application)
  - Wiebetech Write Blockers
  - Access Data's Forensic Tool Kit v. 1.70.1 (Forensic Application)
  - wxPIRS (Used to Uncompress PIRS Files)
  - Xplorer360
- Appendix B. List of Products Used to Construct the Off-the-Shelf Capture Box
- Appendix C. Removal of the Hard Drive from the New XBOX 360 Slim and Artifacts Pertaining to Data Migration from One Drive to Another
  - Data Migration from One Drive to Another, a Short Note
- Appendix D. Other Publications
- Index