Tag Archives: IP

Xbox Live stakeouts and console searches

CSI: Xbox—how cops perform Xbox Live stakeouts and console searches

In June 2009, a Massachusetts state trooper was gathering evidence in a case that involved a suspect having sex with an underage girl. He hoped to find one crucial piece of evidence—video of the encounter—on a digital device from the suspect’s home. But the device wasn’t a computer; it was the suspect’s game console. The investigator was stumped as to how to sift the device for clues, and he turned to a digital forensics mailing list for help.

I am working on a case where it is believed that the suspect may have recorded himself having sex with a 14 year old girl using an Xbox 360. The Xbox was set up in his bedroom and had a webcam attached to it that was pointed directly at his bed.

The suspect did record two other victims, and those videos were found on his PC in a different room. All of the victims say that they were not aware that they were being recorded and that his PC was not in the room at the time of the incidents.

Does anyone know if it is possible to record video with an Xbox 360? I looked at the hard drive using Explorer360 and was able to locate a large file (460 MB) that was created on the same day as the incident but I am unable to extract any useful data from it.

That state trooper was not alone in his desire to crack open a console and look for evidence. Consoles today play an increasing part in even local police investigations across the country. Thanks to a recent Anonymous hack of a California cybercrime investigator’s e-mail account, we can take a glimpse inside that world. The e-mail cache contains a huge array of mailing list traffic in which investigators ask each other for help examining digital devices, from cell phones to computers to gaming consoles. We’ve spent the last few weeks plowing through the list to better understand how digital forensics are being used by local police across the US. What stands out is just how aware cops have become about the many uses of digital devices; the list includes numerous questions about the Xbox, the PS3, the Nintendo DS, cell phones, iPods, and even (once) a Zune.

In many cases, however, they’ve been frustrated in their attempts to find incriminating data. A September 2007 e-mail from the Wichita, Kansas Forensic Computer Crimes Unit asked for help with an Xbox 360, for instance, since standard PC forensic tools are of limited utility.

We are at the end of a large acquisition (2TB) human trafficking and exploitation case and the case goes to jury today, but there has been one question unanswered. We never found the movie file of a co-defendant and the 15 year old victim. The last place to look is an Xbox 360 that was seized with WMC Extender software. I have taken the SATA HD (Seagate 20GB) out and tried to image it, but nothing I have will recognize the HD. I tried hardware write blocks, software write blocks and connecting straight into a Linux box…[no] luck…

So, any ideas left out there on checking to see if he did store any images or movie files on this HD?

In other cases, the Xbox itself contains no illicit material, but its usage logs can still shed light on a case, or undermine an alibi. In August 2011, for instance, an investigator at the Orange County (NY) District Attorney’s Office asked the mailing list for help.

On the X-box 360 kinect does anyone know if the date/time is user set or it comes from the server? I have a picture of the screen which shows a folder with a date. This is a Rape case where the defense is trying to introduce pictures from the X-box 360 of the victim playing a day after the rape. I do not have the X-box but I’m attaching the defense’s picture. Any help would be appreciated.

Gaming logs were also being searched for in a January 2011 case from Binghamton, New York.

I have a question for the nerds and nerdettes: we have an xbox coming in on a homicide, or I guess a babycide, and we need to find out if the thing was being played during certain hours… I’m assuming we will be looking at saved games, or checkpoints reached.

Consoles can also be burgled. A July 2008 case from Washington, DC involves the theft of an Xbox 360, after which the victim told police that “I received an e-mail from Microsoft indicating that a charge was placed on my credit card to purchase Xbox 360 points. This charge originated from my Xbox Live internet account that I registered on my Xbox before it was stolen.”

In this case, the victim took to the Internet and was able to tell the investigator that “their own research has shown where stolen Xboxes were recovered by victims after service of a court order to Microsoft for the IP address where the Xbox is connecting.” The investigator didn’t quite know what to make of this—the level of technical knowledge on the mailing list varied widely—but to his credit, he was willing to do some legwork. And if what the victim told him turned out to be true, “it may assist me in solving a rash of burglaries that happened on a college campus.”

Finally, console-related crime includes good old-fashioned weird behavior. As a detective from the Eugene, Oregon Financial Crimes Unit told the list in January 2010:

Got an inquiry from our admin aide. A caller at a local coffee shop reported something suspicious involving a male/female couple appearing in their store at the same time/day each week. Each time they had several visitors to their table, each bringing an Xbox. The couple did something to the Xbox, charged their “customer” $50, then sent them on their way. I’ve had no experience with gaming systems (other than playing them!), so other than the fact this seems very odd behavior, I’m not sure what might be going on here.

Anyone have a possible explanation for this behavior? The only thing that came to mind was perhaps an on-the-fly repair operation.

Similar stories abound for other consoles, like the PS3, which can be the source of even more mischief than the Xbox due to its one-time ability to run Linux and function even more like a general purpose computer. From Longview, Texas:

I recently did a PS3 on a P2P [peer-to-peer file-sharing] case. The ‘bad guy’ had installed Yellow Dog Linux at one point on the PS3. The hard drive was behind a flap on one end. I removed a couple of screws and pulled out the drive, hooked it to a write-blocker, and it imaged fine. He was storing a lot of cartoon porn…..

Consoles aren’t just sources of forensic data; they can also be used as bait. A recent case from Fort Lauderdale, Florida shows how local police can use game consoles to nab suspects.

During the three-day trial, a Fort Lauderdale Police detective testified that he was undercover trying to make arrests for dealing in stolen property. He was dressed in disheveled clothing to pass as a drug addict. He carried around with him a brand new Xbox 360 videogame system and a car radio in a tattered garbage bag. He came into contact with [Edrawin] Canady at his place of work, a commercial garage, and tried to sell the Xbox and the radio. Canady was standing with another individual, Charles Hall, at the time.

Canady initiated contact by calling out to the detective to ask what he had in the bag. The detective explained that he had a new Xbox which he got from a friend who worked at Walmart. Both Canady and Hall inspected the items in the bag and began to negotiate a price with the detective. Canady initially offered to pay sixty dollars in cash for both items. The detective testified that this amount was “way below market value for both items.” Eventually Hall offered to throw in forty dollars worth of crack cocaine, to which the detective agreed. Canady handed the detective sixty dollars in cash and Hall removed a bottle containing crack cocaine from a nearby car and handed it to the detective. Canady and Hall took the Xbox and the radio and the detective left. The detective signaled to nearby police officers, and both Canady and Hall were arrested on the spot.

(Seem a little unfair? An appeals court agreed, reversing Canady’s conviction for trafficking in stolen property. The court noted that offering to sell a single Xbox and a radio was hardly “red flag” knowledge of stolen goods. But the court maintained Canady’s conviction for cocaine delivery.)

Finally, consoles can also provide a way for investigators to find and even interact with their suspects. And when that interaction leads to voice chatting, cops have a whole new way to conduct undercover ops.

Building a “Frankenbox”

Do police actually hang out on Xbox Live, trying to strike up audio chats with criminal suspects, then recording the conversations as evidence for investigations in robberies, child porn cases, and more? Apparently they do. A Microsoft presentation to law enforcement, included in the leaked e-mails, makes clear that “investigators may participate in Xbox live in undercover operations.” The company even sketches out diagrams for recording suspect conversations by building a special “Frankenbox.”

Investigators have long wanted access to IP-based voice services like Skype and, more recently, those offered on game consoles. Thanks to laws like CALEA, they already possess potent wiretap capabilities on traditional phone networks. Internet communications can be tapped, but when they are also encrypted, things get difficult. (When communications are peer-to-peer, rather than passing through central servers, this can get even dicier.) In 2010, the FBI was pushing to extend CALEA to a much broader array of Internet applications, forcing the companies behind them to provide built-in, realtime backdoor access to encrypted communications. The agency backed off a bit in 2011, but it still has its sights on IP-based voice chatting of all kinds.

Microsoft may have an eventual answer. A company patent filing came to light in 2011 on ways to intercept Internet calls, which “may include audio messages transmitted via gaming systems, instant messaging protocols that transmit audio, Skype and Skype-like applications, meeting software, video conferencing software, and the like.” (Emphasis added; remember that Microsoft now owns Skype.)

Undercover investigators welcome
Source: Microsoft

In the meantime, investigators may not be able to eavesdrop on others, but they can build their own investigative rigs to capture Xbox Live chats in which they participate.


The task is more complicated than just capturing the audio output from the Xbox, since game chat isn’t routed through the speaker outputs. Instead, investigators need to build a small “Frankenbox” splitter that can send headset audio to a mixer and from there on to any standard audio/video recording device.

How to capture Xbox audio chats
Source: Microsoft

Microsoft can also provide IP addresses for Xbox Live logins, registration and billing information, titles of games accessed, etc, but the actual content of user communications does not appear to be logged by the company, nor is it stored on the Xbox hard drive or memory stick—to the chagrin of investigators in many cases, who report looking for logs and chat data on seized console hard drives, but coming up empty.

As consoles incorporate more features—voice chat, video cameras, Web browsers, online storefronts, Linux—they will prove increasingly common targets for police action. It took years for the general public to realize just how much a common computer could say about a person, what with search engine histories, Web browsing histories, deleted files, and stored e-mails. Game consoles aren’t that revealing, but they’re getting closer. What does your console say about you?

Update: The website consoleforensics.com posted a copy of the presentation gleaned from the mailing list in 2011. If you want a look at the complete presentation, it’s available here.

Photo illustration by Aurich Lawson


ISPs in The Netherlands warned to block The Pirate Bay

Internet Service Providers Ziggo and XS4ALL have been given ten days to block access to the popular bittorrent website The Pirate Bay, the court in The Hague ruled on Wednesday.

The case was brought forward by the authors’ rights lobby group Stichting Brein which campaigns against illegal downloading.

The two internet firms have been ordered to block three IP addresses and 24 domain names which relate to The Pirate Bay – including the Belgian version of the site: depiraatbaai.be.

Stichting Brein unsuccessfully fought to have Ziggo block access to the illegal file sharing site in the summer of 2010; then they argued that because The Pirate Bay isn’t located on a Ziggo server, Ziggo can’t be held responsible for restricting access to the website, and a lower court dismissed the case.

If the two companies fail to meet the deadline, they will be forced to pay 10,000 euros for every day the site is accessible. They are both considering an appeal.

The Pirate Bay is the largest torrent tracker in existence; after facing many raids, shutdowns and court rulings, the website still remains online and fully operational. Almost two years ago, The Pirate Bay “Four” were fined $3.6 million and one year in prison, none of which they have paid.

ISPs in The Netherlands warned to block The Pirate Bay – Neowin.net.

In recent weeks we discovered BitTorrent pirates at the RIAA, Sony, Fox, Universal and even law-abiding organizations such as the Department of Homeland Security. By now it should be clear that people are using BitTorrent pretty much everywhere, and not only for lawful downloads. Today we can add the U.S. House of Representatives to that list, the place where lawmakers are drafting the much discussed “Stop Online Piracy Act” (SOPA).

YouHaveDownloaded is a treasure trove full of incriminating data on alleged BitTorrent pirates in organizations all across the world.

Unauthorized downloads occur even in the most unexpected of places, from the palace of the French President, via the Church of God, to the RIAA.

Although we don’t plan to go on forever trawling the archives, we felt that there was at least one place that warranted further investigation – the U.S. House of Representatives. Since it’s the birthplace of the pending SOPA bill, we wondered how many of the employees there have engaged in unauthorized copying.

The answer is yet again unambiguous – they pirate a lot.

In total we found more than 800 IP-addresses assigned to the U.S. House of Representatives from where content has been shared on BitTorrent. After a closer inspection it quickly became clear the House isn’t just using it for legitimate downloads either, quite the opposite.

Below we’ll list a few of the 800 hits we found on YouHaveDownloaded, which in turn represent just a fraction of total downloads since the site only tracks a limited percentage of total BitTorrent traffic. Again, this is real and confirmed data that is just as good as the evidence used by the RIAA when they sued tens of thousands of people for file-sharing.

Something that immediately caught our eye are the self-help books that are downloaded in the House. “Crucial Conversations- Tools for Talking When Stakes Are High,” for example, may indeed be of interest to the political elite in the United States. And “How to Answer Hard Interview Questions And Everything Else You Need to Know to Get the Job You Want” may be helpful for those who aspire to higher positions.





Books tend to be popular in the House because we found quite a few more, including “Do Not Open – An Encyclopedia of the World’s Best-Kept Secrets” and “How Things Work Encyclopedia”. But of course the people at the heart of democracy are also downloading familiar content such as Windows 7, popular TV-shows and movies.





And there was another category we ran into more than we would have wanted to. It appears that aside from self-help books, House employees are also into adult-themed self-help videos. We’ll list one of the least explicit here below, but that’s just the tip of the iceberg.



Although the above is interesting, as the House is the place where lawmakers are currently trying to push through SOPA, this revelation might actually help their cause. If even people at the House are “stealing” content, we really need SOPA to counter it, they may say.

The question is though, whether SOPA will be able to break the habits of millions of Americans, as there will always be alternatives available. And even if it manages to put a dent in the current piracy rates, is that really worth it considering the potential damage SOPA can do to the open Internet and legal businesses?



If you frequently download stuff via BitTorrent, you probably already know that it’s not exactly a model of privacy and anonymity. But if you were in any doubt about that fact, a new website may well hammer the message home.

YouHaveDownloaded is a Russian site that tracks users across the web, monitoring BitTorrent traffic to and from individual IP addresses. But if that’s not enough to give you the heebie-jeebies, get this – they’re also identifying and collecting data on all of the files that you’ve been downloading, and exposing the information publicly on their website.

Image via TorrentFreak

The site’s owners claim to already be tracking around 20 percent of all public BitTorrent traffic, and their database has swollen to include well over 51 million users, 100,000 torrents, and almost 2 million files totalling more than 97TB of data.

The database is growing, and it’s searchable too. When people visit their site, they’re immediately greeted with their download history, if the site has been able to harvest data from their IP address, but users can also search for files and other IP addresses to see who’s been downloading what.

The site’s developers say that they created it in part as a wake-up call. TorrentFreak spoke with Suren Ter, a co-founder of the site, who explained: “We just want to remind people that the internet is not a place to expect privacy. Nowadays, many people use it without understanding what information they leave behind. Even those who understand choose to ignore it quite often.”

If you’ve been downloading content like this on BitTorrent, seek help. 

Of course, if you use a proxy or a VPN, or you’re taking similar privacy-enhancing precautions, you should find that your torrent history is relatively shielded from prying eyes. (And if you use a dynamic IP, you may well end up seeing a list of stuff that someone else has downloaded.) But if you do find that your history is splayed across a web page for all to see, then take this as the slap in the face that you need to do more to protect yourself while engaging in BitTorrent action.

The team behind the site are keen to emphasise that their aims are not nefarious, and that they’re only aggregating information that’s already publicly available. But they do give users the option to remove their IP addresses from the database, stating that “we don’t have to accommodate requests for removal, but we are nice people”.

The developers also plan to develop a more secure and private file-sharing protocol. Suren Ter explains: “The general idea is similar to what Bitcoin does. The key is to have an anonymous and reliable identity for each peer, and a Bitcoin-like signature chain algorithm will help.” Although they believe their idea is sound in theory, they’re some way off being able to implement it in practice. Until then, make sure your system is properly shielded from prying eyes.

Be sure to head on over to YouHaveDownloaded.com to see how many of those nasty, freaky vids that you torrented over the weekend have made it into their database.

The site that’s tracking and publishing your BitTorrent downloads