
The Evolution of Mobile Phone Evidence

From Best Guess to Precise Prediction, a Science Emerges

By Daren M Greener CEng BSc CITP MBCS.
Principal Consultant, SYTECH – Digital Forensics.

 

Synopsis

The mobile phone has woven itself seamlessly into many aspects of everyday life, with inbuilt and associated technologies that have made it the must-have device it is today.

This article provides a general review of the evolution of mobile phone evidence, and in particular Cell-Site Analysis, highlighting how technological and sociological change has brought maturity to its application whilst litigation attitudes to this branch of digital forensics have not always kept pace.

Cell-Site Analysis (movement and location) is one of the fundamental components in a trident of mobile telecommunication evidence that also includes Attribution (who operated a particular phone) and Communications Analysis (who interacts with whom, and at what level).

Cell-Site Analysis Trident

Background – What is Cell-Site Analysis?

Cell-Site Analysis is a discipline of digital forensics that examines the historic location and movement of mobile phones based upon the record of which wireless link (cell) carried each call event between ‘the network’ and the mobile phone device (handset).

Each mobile phone network provider (Vodafone, O2, EE, etc.) maintains a network of transceivers (transmitter & receiver) throughout the country to provide service coverage.

Many of these transceivers (cell-masts) are now commonplace and widely recognised for what they are, standing like sentinels adjoining motorway networks or as great skeletal leviathans on high vantage points. Many more surreptitiously blend into the background of our surroundings, hidden on rooftops or disguised as street furniture such as lampposts, flagpoles and the occasional piece of modern artwork.

Cell-Site Analysis Masts: typical cell-mast structures and antenna equipment

Importantly, though, each network transceiver (cell-site) is uniquely identifiable. Therefore the service provision from each transceiver is traceable and quantifiable with regard to the area of service cover.

As the mobile phone networks have grown and expanded over time, the number and diversity of transceivers (cell-sites) has increased dramatically, with the resulting coverage areas becoming ever more localised (smaller) to cope with greater capacity demands.

The Popularity of Mobile Phone Evidence.

As the adoption of the mobile phone spread through society towards the end of the 1990s, it brought about a frequent source of information within criminal investigations that could, amongst other things, indicate the general movement and location of a suspect. Additionally, this evidential record of movement and activity could in turn be compared against a suspect’s account or alibi where one was offered.

  • In essence, the mobile phone represented, and continues to represent, a personal tracking device.

Never before had law enforcement or forensic science had access to such a recorded stream of reference points that could indicate, without a witness, a person’s general movements along with a record of who they had been in contact with over a prescribed period of time.

Previously, such evidence would rely on fingerprints or a possible DNA trace at a specific location, subject to the close scrutiny required to find such evidence. There was a greater reliance upon witnesses or informants to provide information regarding a suspect’s whereabouts.

The introduction of electronic banking services during the mid-1980s had been a catalyst for early electronic activity tracking. The introduction of the Automated Teller Machine (ATM / cash point) in 1985 was followed by the arrival of the debit card in 1987, and both provided a limited source of information when tracking a person’s location or movements according to their purchasing/financial activity.

For law enforcement the adoption of the mobile phone has been akin to having a string of eye-witnesses or informants all pointing in sequence to the area of a suspect: ‘He’s over here, he’s over there, he went that way and no, he wasn’t over there.’

In the early stages Cell-Site Analysis was often applied to define where a person (and their phone) could not have been, to support or refute an alibi or allegation.

A suspect may have stated that they had spent an evening at home whilst their corresponding cell-site activity contradicted that assertion and demonstrated widespread movement and activity.

Mobile phone evidence often provides the glue that brings other evidence into sequence. It acts like fly-paper, attracting and holding other items of evidential value (eye-witness accounts, DNA recovery, CCTV footage, ANPR sightings, payment transactions, etc.) in a pattern of chronological consistency.

  • The greater the level of transaction within the mobile phone records, the stronger the bond of the glue.

A Note on Attribution

A crucial aspect of the value of obtainable evidence is the attribution of the mobile phone to a particular person. Attribution applies both to phone ownership and to actual usage at the time when cell-site data or communication activity was recorded (“it’s not my phone”, “I lend it to others”, “many people have access to it”).

  • The attribution of a mobile phone is a process in its own right and the subject of much debate beyond the remit of this article. However, as with the advances in Cell-Site Analysis, ever-evolving technical and social change continues to produce far more intrinsic user profiling to cement attribution assertions.

Developments and effects – The rise and rise of phone ownership and use.

The mobile phone revolution started to gather pace in the late 1990s as the cost of ownership came within the grasp of the mass populace.

  • In January 1999 Ofcom estimated that approximately 27% (1 in every 4) of UK adults owned, or had access to, a mobile phone.
  • Just 12 months later that figure had almost doubled and stood at 46%, and by November 2001 it had risen to 75% (3 in every 4) (OfTel, 2002).
  • In recent figures, from 2014, the level of UK mobile phone ownership stood at 93% of the adult population (Ofcom).

Cell-Site Analysis Map

1993    Digital mobile phone networks started to emerge from frontrunners Mercury and Vodafone, quickly followed by Orange in 1994. Initial consumer take-up was slow and mostly aimed at the business executive, in acknowledgement of the high cost of ownership and usage.

Early networks suffered from poor coverage in non-metropolitan areas and intermittent service quality. This generated demand, and competition, for network companies to expand their coverage dramatically.

During the early adoption phase the biggest inhibitor to phone ownership was cost, both in terms of handset purchase and the monthly running expense of subscription fees and relatively high usage charges.

In 1996 Motorola introduced its ‘StarTAC’ handset, the world’s first clamshell design, with the promise of up to 8-day battery life. In the UK the handset retailed at £1,400.

Motorola StarTAC Handset

1997    In an attempt to address the issue of usage costs, mobile phone companies introduced ‘pre-pay’ options to unshackle consumers from the requirement of a monthly contract. The move was to prove a huge success.

The subsequent explosion of mobile phone ownership was driven by many social factors, but predominantly by the reduction in cost and by advances in handset design and desirability. Since the turn of the millennium the growth in mobile phone ownership has been exponential.

1999    In January 1999 ‘Oftel’ reported that approximately 27% (1 in every 4) of UK adults owned, or had access to, a mobile phone. In the same year (1999) supermarkets started to sell pre-pay mobile phone bundles with a price point under £100.

Unsubscribed pre-pay – ‘burn’ phones

One affliction to the criminal investigation process was, and still remains, the unsubscribed pre-pay option, which adds to the burden of the attribution process.

The popularity of pre-pay options and the ease of access to unregistered SIM cards led to the use of short-life ‘burn’ phones. Such phones are frequently acquired by individuals intent on criminal activity and deployed for very limited periods of time before being discarded and replaced on a regimented basis.

2001    In November 2001 UK adult mobile phone ownership had risen to 75% (OfTel 2002) and it had become the norm for a person to own, or have access to, a mobile phone. As a consequence, the mobile phone became a more frequent source of potential evidence in criminal investigations.

At this time the mobile phone networks deployed 2nd generation (2G) cell-sites. These 2G cell-sites have a theoretical coverage range of 35 kilometres, a figure frequently bandied about by barristers as the de facto argument to throw at cell-site evidence when it reached the courtroom.

In reality few, if any, of the deployed 2G cell-sites afforded ranges reaching the quoted theoretical level. However, at the time, it was not uncommon to find rural cell-sites with a coverage range in the order of 15 to 20 kilometres, and urban city or town centre cell-sites would often extend in excess of 5 kilometres. The level of affordable accuracy was therefore far from precise, and Cell-Site Analysis was frequently referred to as an imprecise science. A further inhibitor to early Cell-Site Analysis was the infrequency of phone usage, which remained limited by call and text messaging tariffs.

As the consumer boom in mobile phone ownership took hold it drove widespread investment and development in both mobile networks and mobile phone devices. At the turn of the millennium mobile phone networks had grown to cover all major cities and towns with 2nd generation (2G) cell-sites. As the demand for services continued to increase, so did the number of mobile phone users at any given location, especially within busy urban environments.

The coverage area of a mobile phone cell-site can sustain only a finite number of active users/subscribers. Generally, the greater the volume of mobile devices in any particular location or area, the smaller the cell-site required to sustain those devices and combat signal-to-noise ratio (SNR) problems.

In 2001 the vogue in mobile phone handsets was for smaller, compact designs, and few at the time had colour displays. Ericsson’s T68 handset was the manufacturer’s first with a colour display.

Evolution of Samsung Handsets

2002    It wasn’t until 2002 that mainstream mobile phone devices started to include a camera option to further enhance their desirability. This additional option would in part contribute to a greater demand for the transfer of digitised data (pictures/video) across the mobile phone network.

Coincidentally, the development and popularity of the camera option was to play a major part in improving the evidential value of recovering a mobile phone device, as the stored imagery (of a subject or their family/associates) would often prove vital in the attribution of a mobile phone device to a particular person.

Handset data could also provide vital information with regard to a person’s association with others and, in certain cases, actual evidence of crimes themselves as criminals took trophy pictures of their actions or ill-gotten gains.

2003 – Hutchison introduce 3G services

In 2003, in response to the demand for a greater range of services and higher data transfer speeds, Hutchison introduced the third generation (3G) network. Other network operators would eventually catch up with the introduction of their own 3G networks in tandem with their existing 2G networks.

The major impact of the 3G network from a Cell-Site Analysis perspective was that it pulled the rug from under the theoretical 35 kilometre range argument, as 3G operated at a higher frequency and had a much reduced range potential.

Additionally, it created situations where a mobile phone would utilise combinations of 2G and 3G cell-sites, which in turn improved analysis when examining the service and overlap of the differing technologies at relevant locations of interest.

2003 – Blackberry impact upon messaging

In 2003 ‘Blackberry’ came to the market with its RIM 850 device, which it marketed as a Personal Digital Assistant or PDA. Significantly, Blackberry were to introduce the Blackberry Messaging (BBM) service, which offered instant messaging without the costs then often associated with text messaging.

In the fullness of time, other third-party offerings for instant messaging services came to the fore that could be operated on cross-platform devices.

RIM PDA

To an extent BBM still remains a commonly used communication mechanism uncovered in investigations into Organised Crime Groups.

In 2004 Nokia, the then world-leading handset manufacturer, released the 7610 handset, which was the first to feature a 1 megapixel camera.

In 2004 Motorola gained huge success with the introduction of the Motorola ‘Razr’ handset. With its brushed aluminium casing and 2.2 inch TFT screen it became a must-have fashion accessory that led to eventual sales of over 130 million devices. Despite the 0.3 megapixel camera and 5MB (yes, megabytes) of non-expandable memory it would be the top selling phone from 2004 to 2006.

Motorola Razr Handset

In 2006 many network operators were offering “all you can eat” data plans, such had been the growth in demand from consumers now embracing mobile data services.

By 2007 Ofcom were reporting 73.5 million active UK mobile subscriptions (the UK population for 2007 was 61.3 million). Many consumers now ran two or more phones or would use secondary subscriptions for data services.

The double-phone use is often found to apply in criminal investigations where a suspect may operate, or be accused of operating, what is often termed ‘Clean Phone’ / ‘Dirty Phone’: separating out personal life (clean phone) and otherwise dubious activity (dirty phone).

In essence though, when such strategies are applied by those engaging in criminal activity the double use of phones merely adds to the level of obtainable evidence. That evidence can subsequently be compared and combined to show a much greater consistency with other events. Additionally, twice the amount of cell-site data may be available to afford greater scrutiny, particularly in the identification of specifically defined travel patterns.

Ofcom reported that by the end of 2007, 17 percent of all mobile users (12.5 million) were using 3G, which had been an 11 percent increase on the previous year. The uptake in 3G subscriptions would continue to rise.

Within the realm of Cell-Site Analysis it was now becoming commonplace to find a subject’s phone switching between 2G and 3G technologies within the Call Data Records under scrutiny. This added greatly to the level of analysis that could be applied, as examination could be made into where the two technologies would overlap and where one takes over from another.
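The 2G/3G overlap analysis described here, and the alibi comparison described earlier in the article, as an added example that is not part of the original article or of SYTECH’s own tooling. Everything in it is an assumption: the cell identities (written in an MCC-MNC-LAC-CI style), the site names and coordinates, and the three-column CDR layout are all constructed, and a real analysis would build the register from the operator’s own cell-site data and confirm every cell with the operator before drawing a location from it.

```python
"""Added example (not from the article or SYTECH): sequencing call data
records (CDRs) against a register of uniquely identifiable cell-sites to
produce a movement timeline, flag sites where 2G and 3G service overlapped,
and test the record against a stated alibi window.

Everything here is constructed: the cell identities (written in a
MCC-MNC-LAC-CI style), site names and coordinates are placeholders, not
real network data, and the CDR column layout is an assumption."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set

# Constructed cell-site register: cell identity -> (site name, technology, lat, lon).
# Two distinct cells (one 2G, one 3G) can hang off the same physical mast.
CELL_REGISTER = {
    "234-15-1001-21001": ("Site A (town centre)", "2G", 52.4860, -1.8900),
    "234-15-3001-41001": ("Site A (town centre)", "3G", 52.4860, -1.8900),
    "234-15-1001-21002": ("Site B (ring road)", "2G", 52.5100, -1.9200),
    "234-15-3001-41002": ("Site C (rural)", "3G", 52.6000, -2.0500),
}

# Constructed CDR extract (deliberately out of order): timestamp, event type,
# cell identity at call start. The final line uses a cell missing from the register.
CDR_LINES = """\
2015-03-20 21:02:05,CALL_IN,234-15-1001-21002
2015-03-20 19:55:12,SMS_OUT,234-15-1001-21001
2015-03-20 20:10:40,CALL_OUT,234-15-3001-41001
2015-03-20 22:31:18,DATA,234-15-3001-41002
2015-03-20 22:35:00,CALL_OUT,234-15-9999-99999
"""


@dataclass
class Event:
    when: datetime
    kind: str
    cell: str
    site: Optional[str]   # None when the cell is not in the register
    tech: Optional[str]
    lat: Optional[float]
    lon: Optional[float]


def parse_cdr(text: str) -> List[Event]:
    """Parse the constructed CDR layout and sort into chronological order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, cell = (f.strip() for f in line.split(","))
        site = CELL_REGISTER.get(cell)
        events.append(Event(
            when=datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            kind=kind, cell=cell,
            site=site[0] if site else None,
            tech=site[1] if site else None,
            lat=site[2] if site else None,
            lon=site[3] if site else None,
        ))
    return sorted(events, key=lambda e: e.when)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def movement_timeline(events: List[Event]) -> List[str]:
    """One line per event: time, event type, site (or UNRESOLVED) and technology."""
    return [f"{e.when:%H:%M:%S} {e.kind:<8} {e.site or 'UNRESOLVED ' + e.cell} ({e.tech or '?'})"
            for e in events]


def unresolved_cells(events: List[Event]) -> List[str]:
    """Cells absent from the register; these must be queried with the operator
    before any location inference is drawn from them."""
    return sorted({e.cell for e in events if e.site is None})


def overlap_sites(events: List[Event]) -> Set[str]:
    """Sites at which the phone used both 2G and 3G cells during the period."""
    techs = {}
    for e in events:
        if e.site:
            techs.setdefault(e.site, set()).add(e.tech)
    return {site for site, t in techs.items() if {"2G", "3G"} <= t}


def site_to_site_distance_km(events: List[Event]) -> float:
    """Sum of distances between successive resolved sites (a lower bound on travel)."""
    resolved = [e for e in events if e.site]
    return sum(haversine_km(a.lat, a.lon, b.lat, b.lon)
               for a, b in zip(resolved, resolved[1:]))


def alibi_conflicts(events, stated_site, start, end) -> List[Event]:
    """Resolved events inside the stated window that sit on a different site.
    Unresolved cells are excluded rather than counted as conflicts."""
    return [e for e in events
            if start <= e.when <= end and e.site is not None and e.site != stated_site]


if __name__ == "__main__":
    evs = parse_cdr(CDR_LINES)
    print("\n".join(movement_timeline(evs)))
    print("2G/3G overlap at:", overlap_sites(evs))
    print("Unresolved cells:", unresolved_cells(evs))
    print(f"Site-to-site distance: {site_to_site_distance_km(evs):.1f} km")
    window = (datetime(2015, 3, 20, 20, 0), datetime(2015, 3, 20, 23, 0))
    conflicts = alibi_conflicts(evs, "Site A (town centre)", *window)
    print("Events conflicting with 'at Site A 20:00-23:00':", len(conflicts))
```

Two design points matter for evidential use. The distance figure is a lower bound on travel between successive sites, not a route, because each record only places the handset somewhere inside that cell’s coverage area; and an unresolved cell is reported as a gap and never counted against an alibi, since a cell that cannot be traced to a site says nothing about location.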

 

2007 – Apple gets a bite of the market

In 2007 Apple Inc. branched out into the mobile phone market with the release of the Apple iPhone. Apple already had a loyal customer base from successful sales of IT and multi-media devices and its multi-media management platform ‘i-Tunes’, which was established in 2001.

The introduction of the iPhone was a major development in the ‘Smartphone’ market that intensified brand competition, which continues to drive the technological and aesthetic development of mobile phones.

The capabilities and functions of mobile phones continued to diversify to provide added benefit to the consumer in the battle for brand popularity.

Apple iPhone

A growing number of mobile phones would incorporate GPS technology, which in turn could provide satellite navigation functionality. Wi-Fi transceivers were also being incorporated into mobile phone devices to extend the connectivity options for access to the internet and other digital devices.

October 2007 saw the commencement of a programme to switch the existing analogue terrestrial TV broadcasting over to digital, a process that was to be completed by October 2012.

The resulting changeover made particular frequency bands available that were sold under licence to communication network providers for further expansion and development of the mobile phone network.

2008    In 2008 the 4th generation (4G) network was under development in timely anticipation of the ravenous demand for high-speed data transfers from media-hungry consumers. It would be four years in development before the roll-out of 4G cell-sites commenced in 2012.

The expansion of the mobile phone networks continued to see the installation of more 2G and 3G cell-sites (particularly 3G) nationally and, generally, a continual reduction in the size of cell-site coverage areas across urban and rural environments.

  • Governmental policy amended certain planning restrictions in order to facilitate a widespread expansion of mobile phone and data networks within the UK.

2010    In 2010 the Mobile Network Operator ‘EE’ was formed (then as Everything Everywhere, later abbreviated to EE) from a merger of the network operators T-Mobile and Orange. Effectively it meshed together the network resources (cell-sites) of each provider.

In respect of Cell-Site Analysis the creation of EE improved the affordable accuracy level when applying analysis to T-Mobile or Orange phones. The merging of networks now allowed analysis to show where and why service ‘crossed over’ between T-Mobile and Orange resources. Furthermore, the increased number of cell-masts now jointly available led to a general reduction in the size of the coverage areas of individual cell-sites.

The development of Smartphone capabilities has driven an ever-expanding ‘apps’ market covering all manner of entertainment, service, information and function.

2011    In October 2011 Apple announced that their App Store listed over 500,000 application titles for download; that number exceeded the 1 million mark by October 2013. The latest figures announced by Apple (Jan 2015) claim that the App Store contained over 1.4 million titles to choose from and that total App Store downloads had exceeded 75 billion.

The ‘apps’ themselves often provide a vital source of information in the attribution and/or profiling of a subject’s lifestyle and associations.

2013 – 2014   Mass Messaging

Deloitte estimated that the volume of instant messages composed in Britain doubled from 160 billion in 2013 to 300 billion by the end of 2014. This equates to approximately 820 million instant messages transacted daily (about 12 messages per day sent by every UK resident).

Social Media Revolution.

The Smartphone phenomenon supports, and is supported by, the social media revolution, as it provides the ‘take anywhere – always connected’ portal to access and function. Over the last decade the development of the ‘mobile device’ (phones, PDAs, tablets, laptops) has been a perfect marriage to the social media revolution.

The rapid adoption of ‘social media’ and the notion of ‘always being connected’ have seen the creation of vast global business empires transacting multi-billion dollar acquisition deals. What makes this more remarkable is that the majority of those business empires provide a free-of-charge service to the majority of their subscriber base. Here we look at a few of the movers and shakers of the social media world.

August 2003 – Skype – Voice and Video Calling

  • Skype launched in 2003 and was purchased in August 2005 by eBay for 2.6 billion dollars. It was sold to Microsoft in 2011 for 8.5 billion dollars (Doug Aamoth, Time.com, May 2011).

February 2004 – Facebook – Social Media Services

  • 3 billion active users by June 2014.

February 2005 – YouTube – Video Sharing Website

  • Conceived in the wake of the 2004 Boxing Day tsunami. In 2015 YouTube’s website claimed more than 1 billion users, estimated that 300 hours of video were uploaded every minute, and reported 50% of YouTube views being made from a mobile device.

March 2006 – Twitter – Social Media Services

  • First ‘Tweet’ posted by the company on 21st March 2006. In 2015 Twitter reported 288 million monthly active users sending over 500 million tweets daily, with 80% of users accessing via a mobile device.

November 2009 – WhatsApp – Instant Messaging App

  • WhatsApp can be used to send text, image, video and audio messages.
  • In October 2014 WhatsApp was considered the most popular messaging app, with more than 600 million active users. By January 2015 this had risen to 700 million users.

October 2010 – Instagram – Mobile Online Multi-Media Sharing

  • Following its launch in October 2010 Instagram rapidly gained popularity. The Instagram website of 2015 reported daily uploads of more than 60 million photos by its online community of over 300 million subscribers.

September 2011 – Snapchat – Mobile online multi-media messaging

  • According to Snapchat in May 2014, the app’s users were sending 700 million photos and videos per day.

The development and adoption of both mobile devices and social media highlights the rapid technological and sociological changes that now make a mobile phone the most intrinsic and intrusive evidential hub into everyday life and personal detail.

Additionally, the continually rising scale of customer interaction is phenomenal and generates colossal volumes of network traffic. This continues to drive heavy investment into the underlying network infrastructures that keep mobile phone devices connected.

This has again led to a greater level and diversification of the technology deployed to maintain and support the connected community.

Through the development of mobile phone networks there are now 2G, 3G and 4G cell-sites, with differing frequency ranges within these technologies. The diversification of underlying digital networks from the founding 2G technologies is now complemented by increasing numbers of micro and pico cell-sites. Development and diversification continue to expand and enhance the level of analysis that can be applied in respect of mobile phone usage and its evidential value.

The main challenge today

One of the on-going challenges facing Cell-Site Analysis (mobile phone evidence) is to educate both Law Enforcement and Litigators that the afforded evidential value has risen exponentially along with the growth and development of the mobile phone networks (technological) and the growth in phone usage (sociological).

As the evidential value of Cell-Site Analysis has increased, the actual cost of its application has drastically reduced from the exorbitant prices once charged by entities that monopolised and exploited the Law Enforcement (Prosecution) market.

The cost reduction is due to a number of factors including: standardisation of Call Data Records, control on underlying data costs, the development and availability of surveying equipment options, and a wider pool of expertise. These factors, blended with commercial competition, have driven down the cost of application.

However, as a consequence of the rapid growth, the complexity of the mobile phone network, with regard to Cell-Site Analysis, is ever more involved and requires in-depth analysis if it is to be utilised effectively.

During the current climate of austerity and budget reductions the prosecution markets are outsourcing less and relying more upon their limited internal resources to provide basic overviews of cell-mast usage. This can have a negative effect both for an actual investigation and ultimately on the criminal justice process, for either prosecution or defence. It further demeans the true value of Cell-Site Analysis and extends the negative viewpoint of an imprecise science.

The evidential value of evidence cannot reach its full potential if it is not accurately understood. If the primary decision maker (defendant or juror) is not empowered with the information in an understandable form then the usefulness of the evidence may not be achieved or, worse, it may be perceived to establish unsupported facts.

When well-presented evidence is produced showing that a properly attributed phone is intrinsically linked to all, or even the majority, of an incident’s milestones, and where the overall pattern of consistency can be shown to be robust, such evidence may convince a subject to admit their involvement and guilt. Where this happens, and it often does, the resultant early admission of guilt saves the taxpayer the expenditure of a costly trial process. Such capital saving cannot be achieved on the back of summary analysis and poorly presented evidence.

Forensic analysis of a Sony PlayStation 4: A first look – Presentation Slides – Matt Davies – SYTECH

To accompany the fantastic research carried out by Matt Davies (SYTECH) et al. from:

http://sytech-consultants.com/forensic-analysis-of-a-sony-playstation-4-a-first-look-matthew-davies-digital-forensic-analyst-sytech/

The presentation slides from the DFRWS (Digital Forensics Research Conference) Europe 2015 Annual Conference are now available below:

Forensic analysis of a Sony PlayStation 4 – Matt Davies – SYTECH

Forensic Focus Interview – Matt Davies – Digital Forensics Analyst – SYTECH

Matt, you’re a digital forensics analyst at SYTECH. Tell us a bit about your role and what it involves.

My role at SYTECH predominantly involves the extraction and analysis of embedded devices, such as mobile phones, tablets, satellite navigation systems, games consoles, unknown devices etc. The examinations I am involved in vary considerably and range from indecent images of children (IIOC) to providing assistance in murder investigations. Working for a private organisation, such as SYTECH, allows me to experience both prosecution and defence based cases.

What first made you interested in digital forensics as a field?

It was the varied nature of the work accompanied by the opportunity to make a difference that attracted me to the field of Digital Forensics.

I really didn’t want a mundane or repetitive job; I wanted a career that would provide both challenges and stimulation, so far I have not been disappointed! I have a real passion for forensics and love what I do.

At DFRWS you presented some research on forensic analysis of a Sony PS4. Could you briefly outline this for our readers?

The Sony PlayStation 4 is the most powerful 8th generation games console on the market. As of March 2015, there are over 20,000,000 devices in worldwide circulation. The console’s security features, such as encryption, face recognition technology and passcode protection, make this device the perfect weapon for criminals. Therefore it was essential that an analysis method be devised for this device. The proposed best practice methodology is the result of over 50 experiments conducted upon the PlayStation 4 over a 12 month period.

In the first instance the console’s hard drive is removed, imaged and restored upon a duplicate HDD using a Linux based system. A shadow drive is then inserted between the console and the duplicate drive, which receives all write requests and as such prevents the alteration of data stored upon the HDD. The operational effectiveness of the shadow drive was evaluated in the following manner: The duplicate HDD was imaged and verified. An online analysis of the console’s Internet web browser was conducted and the HDD removed and verified. A comparison of both the MD5 & SHA-1 hash values concluded that no alterations were made to the HDD during the analysis.

A technique that can be exploited by the user enables images viewed online to be stored upon the device. These images are stored as screen captures and can easily be copied to a USB pen drive for evidential purposes. Image and video content acquired via the console and saved to an alternative device (under a different file name) contain metadata that includes the device make & model, firmware version used, original file name and the date and time created. This information can be correlated to the suspected device responsible for creating the artefacts.

One of the greatest challenges with the PlayStation 4 is the continuous updating of system firmware. It has been observed that firmware updates take place at around 8 week intervals and provide additional features as well as “system stability” updates (suspected updating of encryption keys). For each firmware update where the experiments were repeated, the results differ considerably between firmware versions.
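The before-and-after digest comparison Matt describes for validating the shadow drive, as an added example that is not part of the interview or of SYTECH’s own tooling. It assumes the restored duplicate image can be read as a file; the byte strings used here are constructed stand-ins for an image, and MD5 and SHA-1 are computed together in one pass so that a large image is read only once.

```python
"""Added example (not from the interview or SYTECH): a before/after digest
comparison of the kind used to show that the shadow drive left the duplicate
HDD unaltered. MD5 and SHA-1 are computed in a single pass so a large image
is read only once. The 'images' are constructed byte strings standing in for
disk images."""
import hashlib
from typing import Dict, Iterable, List, Tuple

ALGORITHMS = ("md5", "sha1")


def digests(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Hash a stream of chunks with every algorithm in ALGORITHMS at once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file (e.g. a restored image) through digests() without loading it whole."""
    with open(path, "rb") as fh:
        return digests(iter(lambda: fh.read(chunk_size), b""))


def verify_unchanged(before: Dict[str, str], after: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Compare two digest sets; returns (all_match, names of algorithms that differ)."""
    mismatched = [name for name in ALGORITHMS if before.get(name) != after.get(name)]
    return (not mismatched, mismatched)


# Constructed stand-in for a drive image: 16 KiB of repeating byte values.
CONSTRUCTED_IMAGE = bytes(range(256)) * 64


def demo() -> Tuple[bool, bool]:
    """Digest the image before 'analysis', then again after an unchanged run
    and after a run that flipped one byte; returns the two verification results."""
    before = digests([CONSTRUCTED_IMAGE])
    # Unchanged image read back in 4 KiB chunks: same digests regardless of chunking.
    unchanged = digests(CONSTRUCTED_IMAGE[i:i + 4096]
                        for i in range(0, len(CONSTRUCTED_IMAGE), 4096))
    # A single byte altered somewhere in the middle: both digests must differ.
    altered = bytearray(CONSTRUCTED_IMAGE)
    altered[8000] ^= 0x01
    tampered = digests([bytes(altered)])
    return verify_unchanged(before, unchanged)[0], verify_unchanged(before, tampered)[0]


if __name__ == "__main__":
    ok, tampered_ok = demo()
    print("unchanged image verified:", ok)       # True
    print("tampered image verified:", tampered_ok)  # False
```

Recording two independent digests, as the interview does, means a match is not resting on a single algorithm; adding "sha256" to ALGORITHMS costs one more pass over the same chunks and gives a digest whose collision resistance is not in question.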

You mentioned that one investigative challenge is that Sony is now storing the majority of PlayStation data on the PlayStation Network rather than on each device. Talk us through the unique challenges associated with this, and how they might be addressed.

Having previously evaluated the operational effectiveness of the shadow drive when viewing non PlayStation Network (PSN) dependent content, a second experiment focusing upon PSN was conducted. The experiment involved connecting the console to PSN and sending a single message to a friend, whilst utilising the shadow drive. The console was then rebooted and the message content analysed. The first iteration demonstrated that the message was not visible upon rebooting the console. For validity reasons, the experiment was repeated. On this occasion both the initial and second messages were visible. The experiment was repeated a final time and it was apparent that all messages sent whilst connected via a shadow drive were visible. Therefore, the shadow drive does not prevent data stored in PSN being altered. This presents a significant challenge as data stored in the PSN is duplicated, in part, upon the console’s HDD, meaning that an investigator accessing PSN content without a shadow drive could potentially overwrite existing data or unintentionally delete vital evidence.

The best solution is to use a secondary console to view PSN content. Creating a basic user account without any data will result in that account being populated with the user’s content upon logging into PSN, including unique PSN gamer ID, profile information, messages, party, friends, What’s New, Notifications etc. In addition, an investigator can also access partial PSN data by logging into the suspect’s account via a PC browser. The Sony Entertainment Network (SEN) can be used to prove ownership and contains the user’s real name, address, credit card details etc.

Additional challenges are presented by the console’s remote access features: such options should be disabled, the console restarted and the changes verified prior to conducting an online analysis of the device. In addition, investigators should disable the PSN automatic login feature in order to prevent the alteration of PSN content.

How do you think the world of digital forensics will change over the next few years?

Security Features
The industry trends seem to indicate a significant increase in the use of security features such as encryption, biometrics and passcode protection. Over the coming years such features are likely to become more widely utilised, and as a result present greater challenges to forensic investigators.

Technological Evolution
It has been said for many years that the line between personal computers and embedded systems is becoming increasingly blurred. The technological advancements, accompanied by larger storage capacities, will continue to present significant problems for digital investigators. According to Sony, the PlayStation 4 possesses 43 times the processing power of the PlayStation 2 and 10 times that of the PlayStation 3. One can’t help but wonder what the PlayStation 5 will have in store for us!

Social Media
The sharing capabilities of the PlayStation 4 enable social media websites such as Facebook, Twitter and YouTube to be synced with the device. Tablets and mobile phones also encourage users to share content via social media applications; the whole area seems to be expanding at an alarming rate.

We need only look at the development in mobile phone forensics over the past 5 years to see how far the field of digital forensics has already come. The challenges faced by investigators in the coming years will greatly surpass those seen in previous years, but providing a solution to these is far from impossible. Perhaps the greatest change to the field of digital forensics will be the operational requirement for dedicated Research & Development teams within every organisation. We might also see a significant shift from traditional forensic techniques and the reliance upon industry-standard tools. There has been a great deal of debate in this area as to whether or not the whole forensics process is becoming automated. I think it’s an interesting discussion and one that is likely to continue in the future.

I am currently continuing further research into game console forensics and intend on presenting the results at DFRWS 2016, Switzerland.

Matt Davies is a Digital Forensics Analyst at Sytech, which works on digital investigations across all areas, including criminal justice, civil litigation and corporate matters.

Forensic Focus interviewed Matt at DFRWS, the annual Digital Forensics Research Workshop, which took place in Dublin from the 23rd-26th of March. The next workshops will be held in Philadelphia in August 2015, and Switzerland in March 2016. You can find out more and register here.

Original Forensic Focus Article

PlayStation 4 - Digital Forensics

Forensic Focus – DFRWS Europe 2015 Annual Conference – Recap – PlayStation 4 Forensics

“Adding to the discussion of forensic analysis of entertainment devices, Matt Davies from SYTECH followed Roeloffs’ talk with a first look at the forensic analysis of a Sony PlayStation 4. It was possible to retrieve a great deal of information from the machine Davies analysed, he explained, but one of the challenges for future investigations will be that Sony is increasingly storing user data on the PlayStation Network rather than on the actual device.”


Forensic analysis of a Sony PlayStation 4 – A first look


This article is a recap of some of the main highlights of the Digital Forensics Research Workshop (DFRWS) held in Dublin from the 23rd – 26th of March 2015. Over the next few weeks Forensic Focus will also be bringing you a number of interviews and research updates from the conference.

Conference Highlights

DFRWS began with a series of workshops held at the Hilton Double Tree in Dublin. Frédéric Baguelin and Solal Jacob from Arxsys demonstrated Digital Forensics Framework and provided exercises for the attendees, who were able to perform a full forensic analysis of a provided disk image. The workshop covered several areas including Skype and SQLite analysis, antivirus scanning, bookmarking, tagging and reporting.

Upstairs in the meeting rooms, Michael Cohen from Google discussed the recently released Rekall platform, and how to use it for memory analysis in forensic investigations. An overview of memory analysis as a topic for study was also given, and the whole workshop was conducted as an interactive, hands-on tutorial, allowing participants to experience how Rekall can be used in live cases.

Day two began with a keynote address from Troels Oerting, the former Head of European Crime at Europol, who set the tone for much of the rest of the conference when he discussed the need for international collaboration between academics, law enforcement agents and corporations.

Oerting spoke about the need to create applications and platforms that can perform three tasks: (1) protecting people’s privacy, (2) creating security, and (3) being convenient for members of the general public to use. Step (3) is particularly difficult; many of the publicly available privacy protection tools are cumbersome and difficult for the average user to operate.

The following talk was another keynote address, this time from Chris Ashton, the Director of Spectrum Engineering at Inmarsat. The talk covered the search for MH370, the Malaysian Airlines flight which disappeared in March 2014.

Ashton described how GPS satellites are used to track a plane’s location and how the radio waves that the plane uses to communicate with the satellite can help investigators to present a set of position arcs. These arcs can then be used to determine the path the aeroplane is taking, assuming that the start position is known, that the craft is travelling at a specific speed, and that it has not made several untracked manoeuvres.

The problem with this method is that a number of assumptions have to be made in order for search teams to be able to begin looking for a missing craft; it is equally possible for a plane to have gone in a different direction, as long as it is travelling away from the last point at which it communicated with the satellite.

Throughout the keynote address, attendees were updated on how the search for MH370 has been conducted so far, and what the next steps will be in the ongoing inquiry.

The remainder of the day focused on a series of sessions in which papers were presented, including a piece of research by David Gugelmann et al on traffic aggregation and visualisation forensics, which won the ‘Best Paper’ prize at Wednesday night’s dinner.

Other highlights included Son Dinh discussing spam campaign detection and characterisation using w-shingling and the Jaccard coefficient. Certain challenges were addressed, such as spammers using obfuscation techniques to prevent themselves from being detected.

One theme that kept coming up during the conference was the need for cyberpsychology to be more widely recognised and for social scientists to work together with forensic analysts and digital forensic researchers in order to better analyse cybercrimes. Phil Penrose from Police Scotland elaborated on this theme when he discussed the psychological impact of being suspected of a crime, such as having indecent images of children on a machine. The average time between the seizure of equipment and forensic analysis is three months, but it can take up to three years. During this time, suspects must live with the consequences of their friends and neighbours knowing what they are suspected of, and not all of them are ultimately found guilty.

Graeme Horsman demonstrated how to find evidence of mobile phone usage by a driver when investigating road traffic accidents, including how to find traces of passive activity such as re-reading a message or scrolling through a Twitter feed. iPhones and Android devices were covered, with suggestions for future research into Blackberries and other devices.

Tor forensics on Windows machines was the next topic of discussion, with Mattia Epifani from RealityNet talking about how pagefile and hiberfil can uncover evidence of browsing activities. Forensic Focus interviewed Mattia about his talk; you can read the interview here.

The final session of Tuesday focused on memory and malware analysis and began with Michael Cohen discussing how to effectively conduct memory analysis by emulating the way in which code looks at memory. Paria Shirani brought the day to a close with a presentation of SIGMA: a model-driven graph-traces matching approach for identifying reused functions in binary code.

Wednesday began with David-Olivier Jacquet-Chiffelle discussing fraud in forensic science and what can be done both to identify and to combat it. The overlaps between digital forensics and the other forensic sciences were discussed, and how real-world traces can be duplicated in the digital world. “The virtual world is a concept of the mind – an abstraction to something that is purely material” said Jacquet-Chiffelle, arguing that there is no such thing as a true distinction between “virtual” and “real” reality.

A broad vision and unifying language, as is the case in physics and mathematics, are needed if digital forensics is to become a true forensic science and perform its function both in criminal cases and in the furthering of knowledge.

Following the keynote, Mark Roeloffs gave a demonstration of smart TV forensics, looking at digital traces left on a Samsung smart television and how they can be used in criminal investigations. There was particular attention given to the possibility for pictures and multimedia files being displayed on a smart TV – if you enter a suspect’s home and there does not appear to be a computer present, it is important to remember that the smart TV may be being used in lieu of a PC or laptop.

Adding to the discussion of forensic analysis of entertainment devices, Matt Davies from Sytech followed Roeloffs’ talk with a first look at the forensic analysis of a Sony Playstation 4. It was possible to retrieve a great deal of information from the machine Davies analysed, he explained, but one of the challenges for future investigations will be that Sony is increasingly storing user data on the Playstation Network rather than on the actual device.

The next part of the programme was a panel discussion about forensic tool validation, which covered several thorny topics including how misinterpretation of a few bytes of data can result in significant implications for a suspect, and how forensic tool validation is often a luxury that, in reality, law enforcement officers cannot afford if they want to close a case.

Philipp Amann’s talk in the afternoon followed on nicely from this discussion, as it focused on how to design digital investigation laboratories for robustness and resilience. Amann spoke about staff turnover and knowledge drain as two of the predominant problems, something which was highlighted by the research he presented which showed that 50% of digital forensic examiners working in law enforcement leave within the first five years.

Thursday’s programme began with Jean-Dominique Nollet from the European Cybercrime Centre discussing data analytics in cybercrime. Once again, the need for collaboration was addressed, not only between professionals and academics in digital forensics itself, but also across other disciplines, particularly the social sciences.

There are also challenges surrounding public perception which must be dealt with, and the social sciences could be a big help in this respect. In particular, arguments for accessing data for forensic investigations whilst respecting the privacy concerns of members of the public is of the utmost importance if forensic examiners are to be able to do their jobs effectively.

The differences between the ways in which service providers deal with digital investigations compared with traditional investigations was also a topic for discussion. Telephone networks are happy to cooperate with law enforcement agencies where necessary and warranted, but internet service providers and those who create applications for public use are not always so ready to cooperate.

The remainder of Thursday was devoted to discussions of big data forensics, with panels speaking about challenges with triage in investigations that contain huge amounts of data to be analysed within a short time frame. Both the technical and the public perception sides of the challenge were discussed, with most members agreeing that there are legitimate public concerns regarding privacy but that these need to be addressed in a sensible and sensitive manner in order to allow investigations to proceed.

The day concluded with breakout groups over lunch, with each group being given a different topic that had been discussed during the conference. Everyone then reconvened to present their conclusions and talk about possibilities for future research.

Entertainment Highlights

One of the most notable elements of DFRWS as a conference is its organisers’ determination to ensure that attendees have a good time and get the most they can for their registration fee. Nightly entertainment was arranged for all attendees, which included a Viking Splash Tour of Dublin to show people around the city; a visit to The Barge, one of Dublin’s landmark pubs overlooking the canal; a forensic rodeo in which attendees were split into teams over dinner and given a forensic challenge to solve; and a final evening meal at a tapas restaurant for those who were interested in discussing future DFRWS events.

http://articles.forensicfocus.com/2015/04/07/dfrws-europe-2015-annual-conference-recap/

Forensic analysis of a Sony PlayStation 4: A first look – Matthew Davies – Digital Forensic Analyst – SYTECH

Abstract

The primary function of a games console is that of an entertainment system. However, the latest iteration of these consoles has added a number of new interactive features that may prove of value to the digital investigator. This paper highlights the value of these consoles, in particular Sony’s latest version of their PlayStation. This console provides a number of features including web browsing, downloading of material and chat functionality; all are communication features that will be of interest to forensic investigators. In this paper we undertake an initial investigation of the PlayStation 4 games console. This paper identifies potential information sources of forensic value within the PlayStation 4 and provides a method for acquiring information in a forensically sound manner. In particular, issues with the online and offline investigative process are also identified.

Keywords

  • PlayStation 4;
  • Games console;
  • Online investigation;
  • Small scale digital device;
  • Embedded system

Introduction

Gone are the days of games consoles being regarded as mere entertainment systems. Games console technologies are advancing at a far greater rate than that of game console forensics. This is evident from devices like the PlayStation 3: relatively little is known of this console in terms of forensic analysis, yet the PlayStation 4 has already been released. It has been identified by several authors, including Xynos et al. (2010), Conrad et al. (2009) and Turnbull (2008), that the distinction between games consoles and personal computers is becoming increasingly blurred. Modern gaming consoles possess far greater functionality and processing speed, and connectivity features similar to standard PCs. Game console forensics will continue to become a specialist area, with its own bespoke challenges to the digital investigator.

Currently there are over 10 million Sony PlayStation 4 games consoles in worldwide circulation (Peckham, 2014). At present there is little information available offering forensic investigators an insight into what information of interest is stored on this device, or how to acquire data in a forensically sound fashion. This paper seeks to provide a greater insight into the PlayStation 4 in relation to a digital investigation, and to present a methodology that can provide guidance to investigators working with such a system.

The rest of this paper is arranged as follows. Section 2 highlights literature that has helped shape our investigation, Section 3 presents the forensic challenges an analyst may encounter, Section 4 describes the empirical experiment methodology we undertook to discover what data is of importance, Section 5 describes the forensic analysis of the PlayStation 4, Section 6 presents our methodology for extracting useful information, and Section 7 and Section 8 highlight conclusions and future considerations.

Literature review

Games platforms present a number of challenges in terms of accessing and interpreting data, as each system is a proprietary platform with a unique operating system. While there has been work on the forensic analysis and acquisition of data from other game platforms, there has been little work to date on the Sony PlayStation 4. However we can learn of the types of challenges we are likely to face with such a device by reviewing recent work in similar embedded systems.

Microsoft Xbox One

Previous work (Moore et al., 2014) has provided a preliminary analysis of an Xbox One, using initial exploratory methods such as file carving, keyword searches, network forensics and file system analysis. The greatest challenge faced by Moore et al. (2014) appears to be the encrypted and/or compressed nature of the files and game network traffic, thus making extraction and analysis somewhat difficult. However, an analysis of the NTFS filesystem did allow for file timestamps to be recovered, and some encrypted network traffic could be related back to which game was played.

Sony PlayStation 3

The analysis conducted by Conrad et al. (2009) was of particular interest as we were presented with similar challenges to those posed by the Sony PlayStation 4. A series of experiments was conducted by Conrad et al. (2009) on the PlayStation 3 and established that, due to the console’s utilisation of AES encryption (Ridgewell, 2011), a native analysis method was required. The write blocker experiment conducted by Conrad et al. (2009) concluded that it is not possible to prevent evidence being altered during the analysis of the Sony PlayStation 3. However, the methodology produced by Conrad et al. (2009) remains valid, as the analysis undertaken by investigators is repeatable.

According to Ridgewell (2011) the PlayStation 3 adopts an AES 128 encryption format, exploitable through the various processes of retrieving the cryptographic keys used by Sony, identified by hacking group fail0verflow. They also utilised various network forensic techniques and software tools in order to evaluate the console’s security vulnerabilities, observing that the PlayStation 3 TCP & UDP communications are unencrypted.

Microsoft Xbox 360

The work undertaken by Xynos et al. (2010) expands upon the research of Vaughan (2004), Burke and Craiger (2007) and Dementiev (2006), establishing that it is possible to recover remnants of information relating to online gameplay from the console’s hard drive, such as time and date stamps and the online gamer IDs of all players that had participated. As highlighted in Read et al. (2013), there is a need to keep up to date with the modding community, as some developments may have far-reaching consequences, which could even include hiding entire partitions from forensic tools.

Identified forensic challenges

The greatest challenge presented to digital investigators in relation to the PlayStation 4 is the non-standard file system; unlike the Xbox One, it does not even allow NTFS metadata retrieval (Moore et al., 2014). The hard drive contained in the system appears encrypted and this presents a significant barrier. The hard drive can be imaged via a write blocker; however, its encrypted nature means it would be difficult to provide an in-depth analysis that includes operating system artifacts. For this reason the most useful route is via the user interface, as with other embedded and smart devices (Sutherland et al., 2014), whilst using appropriate write blocking technology to prevent changes to the data.

A further challenge is the user’s ability to alter the information stored within the PlayStation Network (PSN). A user accessing a PSN account via an alternative console, PS4 Companion APP (Sony, 2014a) or PlayStation Vita (Sony, 2014b) possesses the ability to modify or remove potential evidence.

As with many other eighth generation games consoles, the sharing of user-generated content via social media is prevalent on the PlayStation 4. The very nature of sharing hi-scores, game achievements and recorded videos with others requires the device to be connected to the Internet and use of Sony’s cloud services. From a forensic investigator’s perspective, this may mean the hard drive is not the most important data source as it has been in previous generations of games systems. It is possible that user generated content will not even appear on the hard drive at all; online investigations may be required to obtain evidence.

Analytical procedure

In the production of any guidance or methodology for information extraction, which may be relied upon in courtroom proceedings, standard best practice must be adhered to. In the UK the Association of Chief Police Officers (ACPO) Good Practice Guide for Digital Evidence version 5 (Association of Chief Police Officers, 2012) provides current best practice for evidence acquisition. All tests performed on the PlayStation 4 have been carried out with respect to ACPO guidance.

Preliminary analysis

We performed an initial study of available literature and an empirical investigation of the PlayStation 4 to identify the areas that a digital forensic investigation may wish to examine. In particular, the Frequently Asked Questions (FAQ) posted by Shuman on the official PlayStation blog (Shuman, 2013) proved to be insightful when trying to identify which areas to analyse. The empirical investigation comprised powering on the PlayStation 4, navigating through the various in-game menus and noting areas that may provide evidence of usage and/or communication during an investigation. We primarily concentrated on finding areas that may help identify the who, what, when and where aspects of an investigation. The “who” focused on identifying which user generated the evidence (the PlayStation 4 can hold up to 16 user profiles (Sony Computer Entertainment America LLC, 2014)), “what” content can be created with the new features of the device, timestamp information to indicate “when” the information was generated, and “where” the information could be stored (hard drive, external media, Internet/cloud). After exhausting the features on the device, a number of areas were revealed that could help answer these questions. The features found to be of interest are detailed in Table 1.

Table 1. Features of interest to investigators (feature: reason).

PlayStation Network (PSN): The vast majority of features available to Sony PlayStation 4 users are reliant upon a PSN membership.

Sony Entertainment Network (SEN): Viewing SEN content through a PC web browser will reveal the user’s real name, address, credit or debit card information, transaction history, linked devices and sub-account information.

Internet Browser: The Internet browser does not support PDF or office documents. Thumbnails stored in the browser history provide an indication of the user’s most recent activity. Google search terms, Google Maps searches, 100 web pages visited, 100 bookmarks (Sony Entertainment Inc, 2014) and the 8 most recently visited web pages are available.

ShareFactory: The ShareFactory enables players to share, via USB/social media, content recorded via the PlayStation Camera or recent game footage. In addition, users possess the ability to edit footage and to record voiceovers or video commentary.

System Storage Management: Provides system storage information such as disk usage, application saved data, video and screen captures, and available disk space.

Error History: A log of various errors encountered by the system, including time/date values, error codes and the nature of the error.

What’s New: Recent activity of the user and of those on their friends list, including recent gameplay, recent achievements and new additions to their friends list.

Trophies: Relate to specific gaming titles and provide time/date values of when achievements were awarded.

Profile: Personal data, unique user handles and other content generated by a user.

Friends: A user’s friends in their Friends list can be linked to Facebook. It is possible to find communications between the user of the system and others. Real name requests can be sent, meaning that a user’s real name will be displayed in all communications. Up to 2000 friends.

Party Messages: The Party feature allows up to 8 users to enter a group conversation.

Messages: Messages between individuals and multiple users.

Experiment methodology

An experimental methodology was devised by empirically exploring the areas identified in Table 1 and noting locations that may be of interest to an investigator; an overview of the process we undertook is presented in Fig. 1. The methodology was created to assess whether it was possible to retrieve data from each location. This involved deliberately introducing data into those different areas and observing whether it could be retrieved later. During the course of the experiment, firmware updates became available for the PlayStation 4. Each revision was noted, installed, and the experiment methodology was run again to assess whether there were any negative impacts on the evidence acquisition process described in Section 6. The following selection of firmware was used: 1.01, 1.50, 1.51, 1.52, 1.60, 1.61, 1.62, 1.70, 1.72, 1.75 and 1.76 (the latest at the time of writing). Unfortunately we were unable to test all revisions, as the console would only allow us to update to the latest, skipping incremental versions.

Fig. 1. Empirical exploration of the PlayStation 4.

The experiment was carried out (for each firmware version) as follows.

1. Activate video capture device, record time. This ensures that all of our actions on the system are recorded for future reference.

2. Activate PlayStation 4. Record time as set on console. Observe any offset between real time and time on console. The offset must be applied to any data retrieved to ensure the correct time is recorded.

3. Introduce sample dataset, record time and data introduced. The sample data (detailed in Section 4.3) is designed to deliberately cause the console to store information in relevant areas from Table 1. Through meticulous recording, we can later identify whether our actions are retrievable from the PlayStation 4.

4. Turn off PlayStation 4. Deactivate video capture device, record time. The video capture provides evidence of our introduced changes to the system during this iteration of the experiment.

5. Forensically image PlayStation 4 hard drive. Though the files are inaccessible, we keep an image of the hard drive as best evidence, such that if our empirical investigation alters evidential data, we can restore the hard drive from the image file and reassess. We used FTK Imager v.3.1.5 to create the forensic images, and the EnCase E01 format to compress files, as the uncompressed RAW images are large.

6. Turn on PlayStation 4; investigate areas in Table 1 to identify user actions introduced during this experiment iteration.

7. Compare the data retrieved in relation to the data introduced. Note information, timestamps and any other items indicating use of the PlayStation 4.

After a new firmware update was applied, the hard drive was forensically wiped and then reinitialised in the PlayStation 4 to ensure any recovered data was from the current iteration of the experiment and not from a prior run. The purpose of running the experiment after a change in firmware is to determine if these changes will help or impede our ability to obtain data.
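As an added example (not code from the paper), the following Python models the clock-offset and comparison steps of this procedure for one firmware iteration: it records the offset between the reference clock and the console clock, logs the introduced dataset, and reconciles what the native interface later shows, including the paper's observation that Party and Messages expose dates only. Every area, timestamp and artifact description in `sample_run` is a constructed sample value, not a measurement from the paper.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Artifact:
    """One item introduced into, or observed on, a Table 1 area of the console."""
    area: str                 # e.g. "Messages", "Trophies", "Internet Browser"
    detail: str               # what was sent/visited/awarded, as written in our log
    when: Optional[datetime]  # introduced: reference clock; observed: console clock or None


class ExperimentRun:
    """One iteration of the Fig. 1 procedure for a single firmware version."""

    def __init__(self, firmware: str, reference_time: datetime, console_time: datetime):
        self.firmware = firmware
        # Step 2: offset between the reference clock (video capture) and the console
        # clock, read at the same instant. Adding it to a console timestamp gives the
        # real time of the event.
        self.offset = reference_time - console_time
        self.introduced: List[Artifact] = []
        self.retrieved: List[Artifact] = []

    def correct(self, console_ts: datetime) -> datetime:
        """Translate a console timestamp into reference time."""
        return console_ts + self.offset

    def introduce(self, area: str, detail: str, reference_time: datetime) -> None:
        """Step 3: log what we did and when, against the reference clock."""
        self.introduced.append(Artifact(area, detail, reference_time))

    def observe(self, area: str, detail: str, console_ts: Optional[datetime] = None) -> None:
        """Step 6: log what the native interface shows after reboot (console clock, or none)."""
        self.retrieved.append(Artifact(area, detail, console_ts))

    def reconcile(self, tolerance: timedelta = timedelta(minutes=1)) -> Dict[str, list]:
        """Step 7: match retrieved items to introduced ones and check their timestamps."""
        pending = {(a.area, a.detail): a for a in self.retrieved}
        report: Dict[str, list] = {
            "recovered": [],      # present, corrected time agrees with our log
            "untimed": [],        # present, but the feature exposes no timestamp
            "time_mismatch": [],  # present, but corrected time disagrees with our log
            "missing": [],        # introduced by us but not shown by the interface
            "unexpected": [],     # shown by the interface but not introduced by us
        }
        for item in self.introduced:
            found = pending.pop((item.area, item.detail), None)
            if found is None:
                report["missing"].append(item)
            elif found.when is None:
                report["untimed"].append(item)
            elif abs(self.correct(found.when) - item.when) <= tolerance:
                report["recovered"].append(item)
            else:
                report["time_mismatch"].append((item, self.correct(found.when)))
        report["unexpected"] = list(pending.values())
        return report


def sample_run() -> ExperimentRun:
    """Constructed sample data for one firmware iteration (hypothetical values)."""
    def t(hour: int, minute: int, second: int = 0) -> datetime:
        return datetime(2014, 11, 3, hour, minute, second)

    # Console clock found to lag the reference clock by 2 min 30 s at power-on.
    run = ExperimentRun("1.76", reference_time=t(10, 0), console_time=t(9, 57, 30))
    run.introduce("Messages", "message to User2", t(10, 5))
    run.introduce("Trophies", "first trophy in War Thunder", t(10, 20))
    run.introduce("Internet Browser", "bookmark http://example.com/", t(10, 30))
    run.introduce("Error History", "PSN feature accessed while offline", t(10, 40))
    run.introduce("Party Messages", "group message to User2 and User3", t(10, 50))
    # What the interface showed after reboot, in console time.
    run.observe("Messages", "message to User2", t(10, 2, 30))
    run.observe("Trophies", "first trophy in War Thunder", t(10, 17, 30))
    run.observe("Internet Browser", "bookmark http://example.com/")             # no timestamp
    run.observe("Party Messages", "group message to User2 and User3", t(0, 0))  # date only
    run.observe("Error History", "update server unreachable", t(9, 30))        # not ours
    return run


def summarise(run: ExperimentRun) -> Dict[str, int]:
    """Counts per reconciliation outcome, for the per-firmware comparison."""
    return {key: len(items) for key, items in run.reconcile().items()}
```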

Test data

The PlayStation 4 can store information on the local hard drive and online. Different accounts had to be created in order to assess the features in Table 1. Local (offline) user accounts comprised three users: User1, User2 and User3. Two further online accounts, the free PSN (PlayStation Network) account and the subscription-based PlayStation Plus account, were also created to ensure all features would be available. The PlayStation Plus account was used to download a free title, “War Thunder”, and participate in online gameplay to check for usage later.

To assess the messages functions, contacts were added to the Friends List and both individual and group messages were sent to selected users. A Facebook account was created to enable both the social media aspect of The ShareFactory and the Share button feature on the DualShock 4 controller. A number of other Facebook users were linked to this account to determine if they appeared elsewhere on the console.

The Trophies feature worked with both offline and online game play. Two software titles available to us, “Call of Duty: Ghosts” and “Need For Speed Most Wanted” were used in both modes to assess if usage patterns could be determined by in-game trophy awards.

To assess the Error History, we observed that interacting with Internet dependent features offline would result in error messages being added to the log. We would remove the Internet connection, note the time and the function accessed, and then determine if the information was generated. This knowledge allowed us to deliberately create known system errors to assess the Error History feature.

The Internet browser is known to store 100 visited websites in its history and bookmarks, and 8 most recently used webpages. To assess this, we accessed 103 websites and stored 103 bookmarks, consisting of direct links to images, web pages, websites and duplicate entries.

A number of features allow the user to store data to a FAT32 formatted USB memory stick. We stored ShareFactory projects and pictures obtained from the Internet web browser to a flash drive for later analysis.

Forensic analysis of a PlayStation 4

As presented in Fig. 1, a number of different tests were conducted to assess the ability of a forensic investigator to identify usage of a PlayStation 4. The test data in Section 4.3 was introduced to successive firmware updates (see Section 4.2), and any notable changes between revisions are discussed below.

Initial findings

An initial triage of a PlayStation 4 hard disk, using FTK Imager v3.1.1.8, revealed that the disk structure consists of an unknown filesystem split into 15 partitions as can be seen in Fig. 2. Our analysis of the PlayStation 4 will concentrate on using the native user interface to locate information.

Fig. 2. Sony PlayStation 4 partitions viewed from FTK Imager on a 400 GB drive.

Data carving test

We employed the data carving utility of AccessData’s Forensic ToolKit (FTK) v3.2 in an attempt to retrieve additional files from a forensic image taken of the PlayStation 4. FTK v3.2 was unable to detect the presence of any files. This strongly suggests either encryption or a bespoke container format.

Web browser, bookmarks history and recent items

Several experiments were conducted upon the PlayStation 4 Internet web browser. The first aimed to determine whether the browser stores only unique websites visited, as seen in the PlayStation 3 (Conrad et al., 2009). The experiment involved visiting 103 websites and selecting various web links. It was noted during the experiment that, in addition to all web links selected, Google search terms also appear in the PlayStation 4 web browser history. Furthermore, an analysis of the web browser history, bookmarks and most frequently used pages concluded that the time and date upon which events occurred is not obtainable via the native interface.

Further experiments involved utilising the Internet web browser to store pictures upon the console’s hard drive. It was established that there are only two means by which to successfully complete this task. The first is by storing web images as bookmarks, the second is to store screenshots captured via the share button on the DualShock 4 controller.

Time & date test

We conducted a system wide analysis of the Sony PlayStation 4, focussing upon the retrieval of date and time stamp information. It was discovered that the majority of features, such as Trophies, What’s New etc., provided such information. In contrast, applications such as the Internet web browser did not present any form of date and time information, whilst the Party and Messages features presented only the dates upon which messages were sent and received.

Drive backup and restoration

After performing an analysis of the PlayStation 4 via the user interface, we tried restoring the hard drive back to the acquired image taken before turning on the console. The purpose of this was to determine if the system would accept a previously stored system, which a forensic examiner could use to verify their findings. We converted our image to RAW before transferring onto the drive with the UNIX tool dd. FTK Imager (v3.1.5) was used to verify the restored drive that confirmed it was identical to the image file. The console booted the restored version without any issues.

Offline write blocker test

Inspired by Conrad et al. (2009) we used a Tableau T35is write blocker as a man-in-the-middle given it has SATA ingress and egress connections (Fig. 3). We kept the system offline to examine what could be obtained from the hard drive alone. Unlike Conrad’s experiment on the PlayStation 3, we were able to successfully boot the PlayStation 4 and view data via the in-game menus. However, any functions attempting to write to the hard drive (such as System Storage Management calculating storage space) caused the system to become unstable and stop responding. A hard reset was required to boot the system again.

Fig. 3. Tableau T32is used as a man-in-the-middle between the PlayStation 4 and its hard drive.

An offline analysis of the PlayStation 4 utilising the T35is concluded that it is possible to retrieve the key information outlined in Table 1 with the exception of the ShareFactory, System Storage Management and What’s New. It was noted during the analysis that any interaction with some PSN dependent features would result in the generation of system errors due to the system being offline. The T35is prevented the errors from being written to the log and the system became unstable.

These results were obtainable for all firmware revisions up to and including 1.62. When we repeated the experiment on firmware 1.70, we found that all the PSN areas of the console were now inaccessible offline and required logging into the PSN network.

During the firmware 1.72 iteration of the experiment, it was only possible to recover data relating to the Internet web browser and system setting information.

Furthermore, on firmware 1.75 the system would boot successfully with the write blocker, but any attempt made to open the Applications pane would result in system instability. From 1.75 onwards we had to use a Voom Shadow 3 (see Section 5.8 below) to let the PlayStation 4 write changes to a buffer whilst maintaining the forensic integrity of the original drive.

Online write blocker test

This experiment complements that in Section 5.6 by using a T35is write blocker (up to firmware 1.72) or a Voom Shadow 3 (firmware 1.72 and later) and enabling the Internet connection to allow access to online content, whilst disabling the ability to make changes to the local hard drive. We felt it was necessary to assess whether such a method would also prevent the modification of PSN dependent content. The experiment consisted of sending multiple messages to a specific user, whilst utilising the write blocker as a pass-through.

Upon restarting the console it was noted that the message sent was not visible. In order to validate the results the experiment was repeated. The second iteration revealed that the content of both messages was now visible. The results indicate that investigators must be wary: messages previously sent via the PSN can be cached both locally and remotely, potentially leading to differences between an online and an offline investigation.

Shadow drive test

The changes implemented in firmware version 1.75 prevented us from conducting an analysis of the Sony PlayStation 4 whilst utilizing the Tableau T35is write blocker. Accessing any of the menus in the same fashion as on earlier firmware resulted in system instability. As such, a suitable alternative method of maintaining evidential integrity was sought.

The Voom Shadow 3 (Fig. 4) was identified as a potential alternative. In order to assess the device’s suitability, we connected the Voom Shadow 3 as a bridge between the PlayStation 4 and its hard drive. The console successfully booted and we were able to fully navigate the system without the stability issues experienced with the Tableau.

Fig. 4. A PlayStation 4 hard drive connected via the Voom Shadow 3.

Shadow drive offline analysis test

An offline analysis of the Sony PlayStation 4 ensued, focussing upon the recovery of data relating to the key features identified in Table 1. It was established that, in contrast to the analysis conducted upon Firmware version 1.72 with the Tableau (see Section 5.6), data associated with the features below were now obtainable offline with the Voom Shadow 3:

• Internet web browser
• System Storage Management
• System time & date
• Error History
• Capture Gallery
• Basic profile information
• Party Messages
• Messages
• Notifications

Shadow drive online web browser analysis

We used the Voom Shadow 3 to conduct an online analysis of the PlayStation 4 Internet web browser. The console was provided a LAN Internet connection and powered on. We selected the user and proceeded to sign out of the PlayStation Network (PSN). The console’s web browser was then launched; nine selections were made from the web browser history and the respective websites visited. The browser history was documented and the console restarted. The history, bookmarks and most frequently used pages were consulted and revealed that the alterations made during the analysis had not been stored.

Shadow drive validation procedure

The PlayStation 4 hard drive was removed and imaged using FTK Imager v3.1.1. It was reconnected and the online Internet web browser analysis performed. We then removed the drive and verified its integrity. Both the generated MD5 & SHA1 hash values were a match.
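The before-and-after integrity check used in the restoration test (Section 5.5) and in the shadow drive validation above, written here as an added example rather than the paper's own procedure: both MD5 and SHA1 are computed in a single read pass over the drive, and a temporary file filled with constructed contents stands in for the console drive so the example runs without hardware. A simulated write-through session changes one byte to show the mismatch the check exists to catch.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # stream 1 MiB at a time: a 400 GB console drive cannot be read into memory


def hash_drive(path):
    """One read pass over a drive (or its image) producing both MD5 and SHA1 hex digests."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_unchanged(before, after):
    """Return (ok, mismatched_algorithms); ok only if both digests still agree."""
    mismatched = [algo for algo in ("md5", "sha1") if before[algo] != after[algo]]
    return (not mismatched, mismatched)


def simulate_validation(write_blocked):
    """Constructed stand-in for the procedure: a temporary file plays the console drive.
    With write_blocked False one byte is altered, as a console booting through an
    ordinary SATA bridge would alter the drive, so the post-session hashes differ."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123))   # constructed drive contents
        before = hash_drive(path)                  # hashes taken before the session
        if not write_blocked:                      # the console "writes" to the drive
            with open(path, "r+b") as f:
                f.seek(CHUNK + 7)
                byte = f.read(1)[0]
                f.seek(CHUNK + 7)
                f.write(bytes([byte ^ 0xFF]))      # guaranteed to differ from the original
        after = hash_drive(path)                   # hashes taken after the drive is removed
        return verify_unchanged(before, after)
    finally:
        os.remove(path)
```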

Local account passcode login

A local account used throughout the experiments was selected, and the passcode was set to ‘0000’ in Settings/Users/Login Settings/Passcode Management. The console was rebooted, ensuring the Voom Shadow 3 was in write protect mode. We were subsequently prompted to enter the login passcode. We selected options/forgotten passcode and were then prompted to log in to PSN. We then selected a new passcode, 9999, and access to the system was granted. The console was rebooted, prompting for the login passcode. We entered 0000 and access to the system was granted. This allows an investigator to unlock a PlayStation 4 to look at local content without making changes to the system.

The PlayStation network

Up to firmware version 1.70 the PSN dependent content, such as Profile and Trophies could be accessed while the console was offline. From 1.70 onwards we had to connect the console to the Internet to access such information. This could be conducted with specialist hardware like the Voom Shadow 3 drive used in earlier experiments, but we explored the possibility of using the login data on a separate PlayStation 4 unit. Starting with a forensically zeroed hard drive on an identical specification PlayStation 4, a local account User1 was created and the menus were navigated to ensure the absence of data. We connected the system to the Internet and logged into the PSN with our account credentials. The following information was now available, even though this system had not been used to generate any content:

• Trophies
• Profile
• Party Messages
• Messages
• Friends
• What’s New

USB upload test

Various file formats were copied from a desktop workstation onto a FAT32 formatted flash drive. The files were stored in a folder labelled PS4 and consisted of 4 jpeg, 1 png, 2 pdf and a variety of Microsoft Office formats. The USB flash drive was then inserted into the PlayStation 4 and several attempts were made to upload the files. We found it was not possible to upload such files onto the PlayStation 4.

USB download test

We investigated what type of content a user may download onto a memory stick. The ShareFactory was used to create videos of gameplay and the Internet web browser was used to perform Google searches for pictures of vehicles. Each picture was enlarged to full screen, by pressing square on the DualShock 4 controller, and a screen capture acquired. We used the Capture Gallery to publish duplicates of the content to the USB flash drive.

Using an Exif viewer allowed us to view the metadata from the fullscreen captures (Fig. 5). The image description field relates directly to the file name present upon the Sony PlayStation 4. The file name is provided by default and users are unable to make alterations to it from the console. In addition, the metadata also presents the firmware version installed upon the console when the image was acquired. Furthermore, we see that the PlayStation 4 is also identified as the camera model.
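As an added illustration of the metadata check described above (not code from the paper or its authors), a minimal parser for the ASCII tags in a JPEG's Exif IFD0, run over a constructed sample image header. Which Exif tags the console actually uses is an assumption: the file name is placed in ImageDescription, the console in Model and the firmware version in Software, and all sample values are constructed.

```python
import struct

# Standard TIFF/Exif tag numbers for the ASCII fields discussed in the text.
TAGS = {0x010E: "ImageDescription", 0x010F: "Make", 0x0110: "Model", 0x0131: "Software"}

# Constructed sample values; the tag chosen for each field is an assumption.
SAMPLE_FIELDS = {
    0x010E: "20150224144500",   # constructed default file name as shown on the console
    0x0110: "PlayStation 4",    # the console reported as the camera model
    0x0131: "1.76",             # firmware version at capture time (tag choice assumed)
}


def build_sample_jpeg(fields):
    """Construct a JPEG prefix (SOI + APP1/Exif) whose big-endian IFD0 holds ASCII tags."""
    n = len(fields)
    entries, data = b"", b""
    data_start = 8 + 2 + 12 * n + 4          # TIFF header, entry count, entries, next-IFD link
    for tag, text in sorted(fields.items()):  # TIFF requires ascending tag order
        raw = text.encode("ascii") + b"\x00"
        entries += struct.pack(">HHII", tag, 2, len(raw), data_start + len(data))
        data += raw
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8) + struct.pack(">H", n)
            + entries + b"\x00\x00\x00\x00" + data)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1


def parse_exif_ascii(jpeg):
    """Return {tag name: value} for the ASCII tags in IFD0 of the first APP1 Exif segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG stream")
    pos = 2
    while pos + 4 <= len(jpeg):                # walk the JPEG segments until APP1/Exif
        marker, seglen = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = jpeg[pos + 10:pos + 2 + seglen]
            break
        if marker >> 8 != 0xFF:               # stop at anything that is not a marker
            return {}
        pos += 2 + seglen
    else:
        return {}
    end = ">" if tiff[:2] == b"MM" else "<"    # byte order declared by the TIFF header
    ifd0 = struct.unpack(end + "I", tiff[4:8])[0]
    count = struct.unpack(end + "H", tiff[ifd0:ifd0 + 2])[0]
    found = {}
    for i in range(count):
        e = ifd0 + 2 + 12 * i
        tag, typ, cnt, off = struct.unpack(end + "HHII", tiff[e:e + 12])
        if typ != 2 or tag not in TAGS:
            continue
        raw = tiff[e + 8:e + 8 + cnt] if cnt <= 4 else tiff[off:off + cnt]  # inline or at offset
        found[TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found
```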

Fig. 5. End of file marker for MP4 files generated by ShareFactory.

An analysis of the USB storage device was then conducted using the hex viewer in FTK Imager. It was observed that the MP4 files generated via the ShareFactory contain the Application code (CUSA 0057) and the file name, which is the date and time upon which the file was created on the PlayStation 4 (Fig. 6).

Fig. 6. Exif data from a PlayStation 4 generated image.

Proposed best practice methodology for the forensic analysis of the Sony PlayStation 4

To obtain the information described in Table 1 a forensic investigator should carry out the following steps:

1. Remove and forensically image the PlayStation 4 hard drive. Disable Internet connectivity. As discussed in Section 5.5, the image could be used to restore from at a later date to verify results.

2. Reconnect the hard drive with a SATA write blocker that has a buffer feature (in Section 5.8 we described usage of a Voom Shadow 3) as a man-in-the-middle between drive and console.

3. Activate the video capture device and record the time. Switch on the PlayStation 4 and synchronise the DualShock controller.

4. Record the time and date as presented on the PlayStation 4 and take note of any difference from the actual time. This offset will need to be applied to any timestamps (see Section 5.4) retrieved from the system.

5. Navigate to and record the data presented in the various functions as follows:

   a. Error History – The Error History should be viewed first as errors may be introduced by the analyst during the investigation.

   b. Internet Web Browser – Record history, bookmarks, and most recently opened.

   c. System Storage Management

   d. Capture Gallery – A USB drive may be used to download all content from the Capture Gallery (screenshots and videos, see Section 5.15).

   e. Basic Profile Information

   f. Party Messages

   g. Messages

   h. Notifications

   i. Error History – Record the errors generated during the course of the investigation.

6. Power off the PlayStation 4 and the video capture device, and record the time.

If the PSN network login credentials are available, further information as detailed in Section 5.13 may be obtained on another PlayStation 4 console. If unavailable, a decision will need to be made by the investigator whether to take the original system online. Even with a write blocker, the danger of using the original system is that cached content may be pushed online and update or overwrite existing information.

Conclusions

The proposed best practice methodology would allow digital investigators to perform an analysis of a write protected Sony PlayStation 4. The alteration of data is prevented and thus evidential integrity is maintained.

The amount of information retrievable however is directly dependent upon the firmware version installed on the console. Table 2 demonstrates that, during an offline analysis, it is possible to recover all user profile information from a console with up to firmware version 1.62 with a standard write blocker. Version 1.70 had limitations when viewing PSN content offline whilst 1.75 required the use of an advanced write blocker to view anything of substance. Similarly, Table 3 identifies what is retrievable during an online investigation for comparison.

Table 2. Information obtainable during an offline investigation.
Firmware version: 1.62 / 1.72 / 1.75/1.76
Browser
ShareFactory
Capture Gallery
System Storage Management
Error History
What’s New
Trophies
Profile P
Friends
Party
Messages
Notifications P P
System Settings
✓ = Fully Retrievable. ✗ = Not Retrievable. P = Partially Retrievable.

Table 3. Information obtainable during an online investigation.
Firmware version: 1.62 / 1.72 / 1.75/1.76
Browser
ShareFactory
Capture Gallery
System Storage Management
Error History
What’s New
Trophies
Profile
Friends
Party
Messages
Notifications
System Settings
✓ = Fully Retrievable. ✗ = Not Retrievable.

As the Sony PlayStation 4 will not readily allow users to downgrade firmware, it is not possible to restore to previous revisions that allow greater offline access. As such, investigators will continue to be challenged by future firmware updates.

Further challenges are posed by the growing array of content only available online. Although evidence of usage is available on the console, many of the artifacts are only available when the PSN network is connected. Investigators may inadvertently alter data stored online by not disabling network connectivity, and malicious users may use other devices to deliberately alter or remove incriminating content.

Future considerations

There are a growing number of accessories and interactivity options for the PlayStation 4 that may require investigation in their own right. The PlayStation camera enables users to utilize enhanced security features such as facial recognition to log in. This could be used to secure the console, but could also be used to prove account ownership on a multi-user system if an individual was able to unlock a specific account. Future research should consider the implications of the PlayStation 4 connection capabilities with the Sony Vita and the PlayStation Companion App on smartphones and tablets. Any evidence of ownership, data transfer and communications will be of interest to investigators.

Authors

  • Matthew Davies – SYTECH – Digital Forensic Analyst
  • Huw Read – University of South Wales
  • Konstantinos Xynos –  University of South Wales
  • Iain Sutherland – Noroff University College

Forensic analysis of a Sony PlayStation 4 – A first look – PDF Download

http://www.sciencedirect.com/science/article/pii/S1742287615000146