Authors: Jason Moore, Ibrahim Baggili (University of New Haven), Andrew Marrington (Zayed University), Armindo Rodrigues
DFRWS USA 2014
Video game consoles can no longer be viewed as just gaming consoles but rather as full multimedia machines, capable of desktop computer-like performance. The past has shown that game consoles have been used in criminal activities such as extortion, identity theft, and child pornography, but with their ever-increasing capabilities, the likelihood of the expansion of criminal activities conducted on or over the consoles increases. This research aimed to take the initial step of understanding the Xbox One, the most powerful Microsoft console to date. We report the outcome of conducting a forensic examination of the Xbox One, and we provide our Xbox One data set of hard drive images and unique files so that the forensic community may expand upon our work. The Xbox One was found to have increased security measures over its predecessor (Xbox 360). The encryption of the data and the new file types introduced made it difficult to discern potential digital evidence. While these added security features caused great difficulty in forensically acquiring digital forensic artifacts, some important and interesting digital evidence was gathered using open-source tools. We were able to find digital evidence such as times that the user initially set up the console, and times when the system was restored or shutdown. We were also able to determine what games and applications had been downloaded along with when the games were played. Finally, through our network forensic experiments, we were able to determine that various applications had different levels of security and that game traffic was encrypted.