Matt, you’re a digital forensics analyst at SYTECH. Tell us a bit about your role and what it involves.
My role at SYTECH predominantly involves the extraction and analysis of embedded devices, such as mobile phones, tablets, satellite navigation systems, games consoles, unknown devices etc. The examinations I am involved in vary considerably and range from indecent images of children (IIOC) to providing assistance in murder investigations. Working for a private organisation, such as SYTECH, allows me to experience both prosecution and defence based cases.
What first made you interested in digital forensics as a field?
It was the varied nature of the work accompanied by the opportunity to make a difference that attracted me to the field of Digital Forensics.
I really didn’t want a mundane or repetitive job; I wanted a career that would provide both challenges and stimulation, so far I have not been disappointed! I have a real passion for forensics and love what I do.
At DFRWS you presented some research on forensic analysis of a Sony PS4. Could you briefly outline this for our readers?
The Sony PlayStation 4 is the most powerful 8th generation games console on the market. As of March 2015, there are over 20,000,000 devices in worldwide circulation. The console’s security features, such as encryption, face recognition technology and passcode protection, make this device the perfect weapon for criminals. Therefore it was essential that an analysis method be devised for this device. The proposed best practice methodology is the result of over 50 experiments conducted upon the PlayStation 4 over a 12 month period.
In the first instance the console’s hard drive is removed, imaged and restored upon a duplicate HDD using a Linux based system. A shadow drive is then inserted between the console and the duplicate drive, which receives all write requests and as such prevents the alteration of data stored upon the HDD. The operational effectiveness of the shadow drive was evaluated in the following manner: The duplicate HDD was imaged and verified. An online analysis of the console’s Internet web browser was conducted and the HDD removed and verified. A comparison of both the MD5 & SHA-1 hash values concluded that no alterations were made to the HDD during the analysis.
A technique that can be exploited by the user enables images viewed online to be stored upon the device. These images are stored as screen captures and can easily be copied to a USB pen drive for evidential purposes. Image and video content acquired via the console and saved to an alternative device (under a different file name) contain metadata that includes the device make & model, firmware version used, original file name and the date and time created. This information can be correlated to the suspected device responsible for creating the artefacts.
One of the greatest challenges with the PlayStation 4 is the continuous updating of system firmware. It has been observed that firmware updates take place at around 8 week intervals and provide additional features as well as “system stability” updates (suspected updating of encryption keys). For each firmware update where the experiments were repeated, the results differ considerably between firmware versions.
You mentioned that one investigative challenge is that Sony is now storing the majority of PlayStation data on the PlayStation Network rather than on each device. Talk us through the unique challenges associated with this, and how they might be addressed.
Having previously evaluated the operational effectiveness of the shadow drive when viewing non PlayStation Network (PSN) dependent content, a second experiment focusing upon PSN was conducted. The experiment involved connecting the console to PSN and sending a single message to a friend, whilst utilising the shadow drive. The console was then rebooted and the message content analysed. The first iteration demonstrated that the message was not visible upon rebooting the console. For validity reasons, the experiment was repeated. On this occasion both the initial and second messages were visible. The experiment was repeated a final time and it was apparent that all messages sent whilst connected via a shadow drive were visible. Therefore, the shadow drive does not prevent data stored in PSN being altered. This presents a significant challenge as data stored in the PSN is duplicated, in part, upon the console’s HDD, meaning that an investigator accessing PSN content without a shadow drive could potentially overwrite existing data or unintentionally delete vital evidence.
The best solution is to use a secondary console to view PSN content. Creating a basic user account without any data will result in that account being populated with the user’s content upon logging into PSN, including unique PSN gamer ID, profile information, messages, party, friends, What’s New, Notifications etc. In addition, an investigator can also access partial PSN data by logging into the suspect’s account via a PC browser. The Sony Entertainment Network (SEN) can be used to prove ownership and contains the user’s real name, address, credit card details etc.
Additional challenges are presented by the console’s remote access features: such options should be disabled, the console restarted and the changes verified prior to conducting an online analysis of the device. In addition, investigators should disable the PSN automatic login feature in order to prevent the alteration of PSN content.
How do you think the world of digital forensics will change over the next few years?
The industry trends seem to indicate a significant increase in the use of security features such as encryption, biometrics and passcode protection. Over the coming years such features are likely to become more widely utilised, and as a result present greater challenges to forensic investigators.
It has been said for many years that the line between personal computers and embedded systems is becoming increasingly blurred. The technological advancements, accompanied by larger storage capacities, will continue to present significant problems for digital investigators. According to Sony, the PlayStation 4 possesses 43 times the processing power of the PlayStation 2 and 10 times that of the PlayStation 3. One can’t help but wonder what the PlayStation 5 will have in store for us!
The sharing capabilities of the PlayStation 4 enable social media websites such as Facebook, Twitter and Youtube to be synced with the device. Tablets and mobile phones also encourage users to share content via social media applications, the whole area seems to be expanding at an alarming rate.
We only need look at the development in mobile phone forensics over the past 5 years to see how far the field of digital forensics has already come. The challenges faced by investigators in the coming years will greatly surpass those seen in previous years, providing a solution to these is far from impossible. Perhaps the greatest change to the field of digital forensics will be the operational requirement for dedicated Research & Development teams within every organisation. We might also see a significant shift from traditional forensic techniques and the reliance upon industry standard tools. There has been a great deal of debate in this area and as to whether or not the whole forensics process is becoming automated. I think it’s an interesting discussion and one that is likely to continue in the future.
I am currently continuing further research into game console forensics and intend on presenting the results at DFRWS 2016, Switzerland.
Matt Davies is a Digital Forensics Analyst at Sytech, who work on digital investigations across all areas including criminal justice, civil litigation and corporate.
Forensic Focus interviewed Matt at DFRWS, the annual Digital Forensics Research Workshop, which took place in Dublin from the 23rd-26th of March. The next workshops will be held in Philadelphia in August 2015, and Switzerland in March 2016. You can find out more and register here.
Original Forensic Focus Article