All right, welcome everybody. Wow. Maybe we'll just skip the agenda. The background, this is our scope: originally we're going to look at network PCAP dumps of the video game systems, Xbox, PS3, Wii, both server side and console side, then we're going to look at the hard disks of all these different systems a little closer. Everybody hear me fine?

About me: my name is Brandon Nezbitt, I'm a security consultant with Trustwave, I'm a member of their incident response team. I do credit card data breach investigations, I've got a little bit of experience, and I like beer.

The goal here is to take an in-depth forensic look at common video game systems, well, not how they're played, but looking for game-related data that may assist or aid a forensic investigator in, you know, a compromise investigation.

A little note here about consoles. Traditionally, you know, I don't think consoles have really been looked at forensically, really seriously, I guess. But anymore with these seventh generation consoles, the PS3, the 360, the Wii, they're all trying to really be the centerpiece here, maybe not so much the Wii, but, you know, both the PS3 and the 360, they do everything. You can stream media, you can play Netflix, you can play games, you can play Blu-rays, all this stuff, and it could provide a lot if you're doing a forensic investigation, with regard to the type of media, any type of internet browsing, save game stuff, and we'll get into that in a bit.

So first, a little bit of background. Originally, my idea to do this was I was going to just try to look for personal information, sensitive information. I do credit card data breaches, so I was like, hey, you know, you can buy stuff through these consoles, perhaps I can find credit card numbers stored in these things, or user names, passwords, all that fun stuff.
So as I discovered that was going to become more of a fool's errand, I really went back to a case that I worked on about a year ago in which there was a credit card data breach, and on this system, on this back-of-house system, there was a cstrike folder, you know, for Counter-Strike, old version, Counter-Strike 1.6, and it was a default kind of package install. In this install they had Admin Mod installed with 1.6, and as you can see here, we have a players log, all the players that connected to this system that was compromised, you know, credit card numbers were being stolen, and we also had this game server, and we had these IP addresses and the names of people who were connecting to this system at the time. Now, were they the ones who were doing the investigation, or doing the compromise? Probably not, I mean, but the IP addresses that were on here, we were able to trace them back, you know, using a normal GeoIP lookup, you could go and see they were originating in Russia, you could search their names, and you could find their little Steam ID community page, which we'll discuss in a bit, and all kinds of information. So it kind of got me thinking.

And before I continue, a quick note on IP addresses and logs. Typically IP addresses in a forensics investigation are more or less moot, really, because I mean, there's really no way for you to guarantee that source, because, matter of fact, we know everybody on the internet is behind seven proxies. But on a video game system, I mean, why would an IP address be a little bit more relevant than, let's say, a security event log? Well, if you're trying to play a video game through Tor, what's going to happen? You're going to have a very high ping. Some might say over 9,000, and I'm sorry, this is my last one, I promise. All right.

A quick note on our methodology.
We want to keep warranty voiding to a minimum, because, sure, we could take a PS3, we could take an old one, we could rip it up, we could install a mod chip, and we could try to get access to the hypervisor or the NAND storage. But that's really kind of outside of a traditional forensics investigation. We really want to keep the tampering to a minimum. But there do exist several challenges with proprietary hardware, custom stuff; there's really no scientific documentation on any of these consoles or the software platforms, really. The only stuff that you're really going to find with regard to documentation is going to be stuff that the hacker community has done. And PC and server stuff, that was acquired using standard forensic best practices for acquisition.

Scope, just real briefly. Again, we're doing network forensics, traditional disk analysis. These are the systems we looked at. Again, obviously, this is just a very small piece of all the games that are out there and available for people to play, but we just try to hit on the big ones.

So first we're going to break down the PCAPs. How I did this was on my home network, I just set up an ARP poison, fired up the Wii, the PS3, had a friend bring over his 360, and just captured and saw what we could find. All console systems have multiple ways to connect. I think the Wii is only wireless, correct me if I'm wrong. But I know the PS3 and the 360, you have wired, wireless, there's Bluetooth, all that fun stuff. And you're going to see some common themes as we just kind of briefly go through the PCAP breakdown. There's a lot of UDP. I mean, you don't need a stateful connection to play a game. All the important stuff, which is really surprising, well, maybe not so much, but all the really important stuff, if you go through like Xbox Live Marketplace, the PlayStation Store online, all this is done over SSL/TLS.
So it's all, you can browse safely, you can buy safely, it's encrypted. But web browsing, like if you browse the Marketplace or the PlayStation Store, it's all typically just HTTP. So if you were to do a PCAP analysis, you're going to see the same kind of stuff that you would see if you were just analyzing a PCAP dump from a normal PC.

So first, the 360. Xbox Live Marketplace, it's really built on XML, no surprise there. Again, it's identical to other PC traffic that you might see, and you can parse the data from the PCAP, you can extract stuff, you can use something like Foremost or NetworkMiner, and you could really just pull out images, files, whatever's getting browsed through. And so here's a sample of an XML page that you'd see if you were to do some PCAP analysis. Here the first thing to really note that's highlighted is the unique ID for the game. I'll elaborate on that when we get to the hard drive analysis. And then there's the cost in points. They have a point system when you buy on Xbox Live. You don't just give a credit card number and buy stuff, you have to buy points and then spend the points to get what you want. And again, just like any other PCAP dump, you're going to get images that you can extract. And the important stuff, I actually had a friend, that previous screen was for Magic: The Gathering, I think, I actually had the guy buy it. And this is the traffic you'd see. It's all SSL/TLS.

So the next one is the Wii. Again, everything's done over SSL. The one thing to really note, though: the Wii, even in standby mode, even when you turn it off, it's still broadcasting. It's still going to broadcast out, like over some sort of DNS, as a result of WiiConnect24. And that's the website to look for there. And fun fact, well, not really a fun fact, but because you can do Netflix browsing on the Wii, 360, PS3 anymore, it's done over normal SSL.
Authentication is done over SSL, but everything else is like HTTP stuff. So if you happen to be breaking down a capture, you can see somebody's Netflix queue. And as you can tell, this individual really doesn't have good taste in movies at all.

PS3 browser. They kind of have a custom browser, which is really interesting. NetworkMiner, I have a screenshot there, does a really good job of identifying it. But if you have logs and you see this PS3Application libhttp, that means you've got yourself a PS3 on that network. The one thing that might be useful for a forensic investigation with regard to PCAP analysis for the PS3 is the buddy list. That is done over SSL. So here we have a link down at the bottom, it has an avatar, an online name. That would be the person's name. I've obviously obfuscated it to protect the quote-unquote gamer. And here we have an image for the profile. And yes, that is an actual image. So there's our gamer.

So moving on, that's pretty much it for PCAP analysis. Again, all the important stuff, all the really good stuff that you would want to get, it's done over SSL. But with regard to a forensic investigation, if you do have a PCAP dump, it really would not hurt to go through it, because you can get a good idea. Because like I said, normal web browsing traffic is going to be standard, like you would see from any other internet browser.

First hard drive we rip apart is the 360. All about the 360, the only thing to really note here is the last bullet, proprietary storage. They only allow authorized storage devices, which is, if you're following along in the PDF, I actually show how to break it apart, but it's a plastic enclosure. It's a standard two and a half inch laptop hard drive. Now, if you don't have an Xbox 360 and you want to get a drive to kind of do this on your own, all you've got to do is ask.
Xbox 360s are notorious for the red ring of death. I'm sure anybody who has one, anybody who kind of follows the scene, is aware of the red ring of death. So all I did was put a quick ad up on Craigslist, hey, I'm looking for a 360 for parts, I need the hard drive. And I got about 20 people saying, hey, do you want more than one? And as we'll see, you really should wipe that before you try to sell it.

Again, take it apart. It uses authorized storage. Take apart the hard drive at your own risk. If you were to take apart the hard drive, you're going to void the warranty. There's a little Microsoft hologram sticker, and once you do that, you're not going to get your warranty on it. Once the drive is removed, you can just use your favorite acquisition method. I would recommend doing a dd, because that way it gives you a lot more options to use some of these third-party apps to load up the image.

What's on the disk? You're going to have three partitions that are formatted FATX. You have partition zero, which as far as I know is really just system information. Partition two, you're going to have legacy backward compatibility, meaning like original Xbox games that you can play on the 360, all that information is going to be stored there. And with partition three, game saves, content and cache. I do have a link there, which we'll talk about in the next slide. Also, if anybody is storing media, pictures, music, movies, or anything like that, it is going to be in this directory.

So for the 360, I've highlighted the first three things. Those represent profile IDs. So here we can see for the system, there were three separate profiles that were used on the system. And you can break it down even further. Using that website, we could tell that this person had played Modern Warfare. And here we have a game save starting November 22, 2005 at 12:59 p.m. So here we have kind of a timestamp.
Here we can say, hey, at this particular point in time, somebody on the system was in fact playing a 360. Now, as far as I do know, the Mindex directory, that's where your music is going to be stored. Again, you can find pictures. Now, this would be useful more along the lines of, I guess you could say, kind of like a criminal investigation. If you were doing like a kiddie porn case, images are going to be stored there. You're going to be able to find it, you can just parse it out. It's really, really simple. You can use tools like Foremost or any other forensic file carving utility to do this.

Again, kind of locating the information. Most game-specific information is going to be in partition 3. Really what to look for, just some bullets, just kind of reiterating what I already said. What can you find? Well, obviously you can find the games that were played on the system. You can determine when they were played, at what times, when the save was generated. You're going to find gamertags, who's on this person's buddy list. And gamertags, it's public information. You can simply look it up and get this information. And again, media stored, music, movies, pictures. And again, Foremost, all that stuff will work quite well. And here's just a screenshot of Foremost doing its thing. And here are some screenshots of the kind of stuff you're going to find. Here we have pictures of the avatar. The one on the top right is our gamer of that system. On the bottom left, here we have movies. Those are mostly advertisements for Xbox Live Marketplace. And then the rest are pictures.

Drive analysis. You can view live files and unallocated space. Viewing the live files is going to require a bit of a third-party utility, something like Xplorer360 or WinX HDD. Or if you want to put forth the effort, you can do some kernel modifications and just mount it in Linux.
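Added example, not from the talk and not from any Xbox 360 tooling: a Python script that builds the kind of time frame the talk describes from the partition 3 layout (Content/<profile id>/<title id>/... with the save files underneath), using each save file's modification time as the "when was this title last played by this profile" data point. Everything in the constructed tree (profile ids, title ids, file names, timestamps) is a placeholder, not a real value; against a mounted or extracted partition 3 you would point save_timeline at the directory that contains Content.

```python
"""Timeline of Xbox 360-style game saves by profile id and title id.

Added example, not the talk's code or any Xbox 360 tooling. It assumes only
the layout the talk describes for partition 3: Content/<profile id>/<title id>/...
with the save files underneath. Profile ids, title ids, file names and
timestamps below are constructed placeholders.
"""
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample tree: profile id -> title id -> {relative save path: mtime (UTC)}.
# The ids are placeholders, not real profile or title ids.
SAMPLE_TREE = {
    "E00000000000AAAA": {
        "FFFF0001": {"00000001/savegame.dat": "2005-11-22T12:59:00"},
        "FFFF0002": {"00000001/slot1.sav": "2010-03-02T19:15:00"},
    },
    "E00000000000BBBB": {
        "FFFF0001": {"00000001/savegame.dat": "2010-06-14T21:40:00"},
    },
}


def build_sample_tree(root):
    """Write the constructed tree to disk and back-date each file's mtime."""
    for profile, titles in SAMPLE_TREE.items():
        for title, saves in titles.items():
            for rel, ts in saves.items():
                path = os.path.join(root, "Content", profile, title, *rel.split("/"))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(b"\x00" * 16)
                epoch = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()
                os.utime(path, (epoch, epoch))


def save_timeline(root):
    """Return [(mtime_iso_utc, profile_id, title_id, relative_path)] sorted by time.

    Only files under Content/<profile>/<title>/ are considered; the
    modification time of a save is taken as the time that profile last
    touched that title.
    """
    content = os.path.join(root, "Content")
    events = []
    for profile in sorted(os.listdir(content)):
        pdir = os.path.join(content, profile)
        if not os.path.isdir(pdir):
            continue
        for title in sorted(os.listdir(pdir)):
            tdir = os.path.join(pdir, title)
            if not os.path.isdir(tdir):
                continue
            for dirpath, _, files in os.walk(tdir):
                for name in files:
                    full = os.path.join(dirpath, name)
                    mtime = datetime.fromtimestamp(os.stat(full).st_mtime, tz=timezone.utc)
                    rel = os.path.relpath(full, tdir).replace(os.sep, "/")
                    events.append((mtime.strftime("%Y-%m-%dT%H:%M:%S"), profile, title, rel))
    events.sort()
    return events


def titles_by_profile(events):
    """Map each profile id to the sorted list of title ids it has saves for."""
    out = {}
    for _, profile, title, _ in events:
        out.setdefault(profile, set()).add(title)
    return {p: sorted(t) for p, t in out.items()}


def last_activity_by_profile(events):
    """Map each profile id to the latest save timestamp seen for it."""
    out = {}
    for ts, profile, _, _ in events:
        out[profile] = max(ts, out.get(profile, ""))
    return out


def demo():
    """Build the constructed tree in a temp dir and return its timeline."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return save_timeline(root)


if __name__ == "__main__":
    for ts, profile, title, rel in demo():
        print(ts, profile, title, rel)
```

The file modification time is only as good as the console's clock and the copy you are working from, so image the drive and read timestamps from the image rather than from a copy made with a tool that rewrites them.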
Some of the file types, they're easily identifiable. Again, there's no scientific documentation on this stuff, so there's really no way to confirm it. But we could make a good guess. SU, system update; title update; and FM, friend manager, I presume. Here we have a screenshot. I've blurred it all out, but it's just a list of gamertags. Again, you could look it up, you can validate, you can say, oh, these are this person's friends.

Quickly, wrapping it up. FATX is the same file system type or partition type that was used in the Xbox 1, so there's a lot of utilities to go through and parse it. It's the same kind of stuff you would find on any other PC. You can generate time frames based on saved data, just doing kind of a live file system analysis. OS and other sensitive information is really closely guarded. Again, no real scientific documentation. If you're going to do an investigation, really the best thing to do outside of taking the hard drive and imaging it is really just to turn it on. I mean, you could browse the pictures there, you can browse their music, and if they are using this thing to store child pornography or whatnot, it's going to be right there. And if you want to rip out the hard drive and scan for images, you're going to see artifacts in there as well, like you would for temporary internet files.

The next one we look at is the Wii. Real briefly about the Wii. The only thing to really note here is the 512 MB NAND flash storage. That's where OS and game save stuff is; again, it's really not a lot of space. Getting to the storage, you can use legacy GameCube cartridges, or you can use an SD card; aside from normal pictures, SD cards can be formatted to save games. And again, the 512 MB NAND storage contains the OS. It's all encrypted, by the way, with AES-128-CBC.
Unfortunately, I don't know who thought this would be a good design decision, but the decryption keys are on the NAND flash with the drive. So it's pretty trivial to decrypt the whole darn thing. To access the storage, you have two choices. I mean, you could rip the thing apart and just go crazy with a soldering iron. Or there are plenty of exploits you can use, the Bannerbomb. I know there was, I think they patched it now, there was a Legend of Zelda hack that you could use to get to what you needed. What I wound up doing is I just procured a copy of HackMii. I used the Bannerbomb exploit. You install the replacement, you dump the NAND right to an SD card, and you have your little BootMii menu. And then from there you dump it, it creates a file just called NAND.bin, and it creates a separate file called keys.bin. It's intelligent enough to create the key file for you. So you just use a separate utility to go through and decrypt it. And I make a note of this website, these guys do a lot of good work with Wii hacking and all that. So if you're ever curious, I'd highly recommend checking those guys out.

What's on the NAND? Even decrypted, there's really not a lot. I mean, 512 megs of storage is just not a lot of space to begin with. Really, there are some things you'd like to focus on. If you go back to the previous link, they actually have a list of all the directories and what they mean and what you're going to find in there. shared2, these are a couple of directories to note. Game saves, configs, stuff like that. Network config is stored in plain text. So if you connect to Wi-Fi, right? At home I use WPA2, and in clear text it's got my SSID and password and all that fun stuff. And WiiConnect24, for some other reason, likes to store your email. Now the Wii I have, I bought this used from somebody else.
So I don't know why, I don't know who thought it'd be a good idea, but it will store emails sent and received. So here from the previous owner, you can see that him and his girlfriend were, well, because I know the guy and his girlfriend, they were talking, she's like, hey, I love you back. So why it stores email, couldn't tell you, but it is on there. And I guess forensically, if you're doing a forensic investigation, I don't know anybody who really uses the Wii to communicate, but I guess the possibility always exists, right?

Now, wrapping up, there's really no security like the Xbox 360. You're really not going to see a whole heck of a lot. The best you're going to get is game saves, browsing, you're going to get the avatars and stuff like that. Look out for SD cards, and again, really not a lot you can do.

PS3, briefly. All right. Just kind of the last thing to note, again, the last bullet point is full disk encryption. Before I get to that, getting to the hard drive, it is the easiest hard drive to get to. I mean, for the PS3 Slim, the one that we looked at here, it's literally a little flap and a screw and you pull it out. You can easily upgrade. You can buy a 600 gig hard drive, easily stick it in, turn it on, and it'll do its thing. And no more OtherOS support. I'll get into that in a bit.

What's on the hard drive? Who knows. Like I said, the entire thing is encrypted and there hasn't been any way to really break it. And once they got close, I'm not sure if you guys are familiar with the GeoHot exploit, he was able to get access to the hypervisor, and Sony's knee-jerk reaction, of course, was to patch it and just, okay, no more OtherOS support. So it's kind of theorized that the decryption is stored in one of the SPEs of the Cell processor. Again, since there's no documentation, there's really no way for us to confirm that. Looking at the raw bits isn't going to help. Again, it's just a bunch of gibberish.
PS3, if it's not a Slim model, and it hasn't been updated, and there's a way you can determine what patch level it is just by looking at, like, a PCAP dump, you could install Linux. It used to have OtherOS support, and that's easy to get to. But if you really want to determine whether or not the other OS is on, again, it's just like the Wii and the 360. Plug it in, turn it on, and there you go.

OtherOS version info. If you had a PCAP dump, you're going to see it go out, it's going to check for updates and stuff like that, and it's going to download this ps3-updatelist.txt, and it'll tell you what version it's running at, and there's a PUP file that you can download, so if any reverse engineers are out there and want to figure out what's on these updates, it's really easy because you can just go download it right to your PC.

Wrapping up, turn it on and go. Traditional file analysis, really, it's a no-go. Most of it's really outside of a traditional forensics investigation. I mean, if you wanted to crack the case, install a mod chip, and kind of go crazy with it, you're more than welcome to, but if you're doing a forensic investigation for an actual case you're working on, you're really likely not to do that.

Now we leave the consoles, we're going to get to server side. There's a lot of game servers you guys can host. I'm sure you guys are familiar with Unreal, SourceDS. What is it and why? SourceDS stands for Source Dedicated Server. Anybody can freely host any games. You don't have to buy the games. You can just download it, and you can host your own game. It runs on both Windows and Linux. It's multi-platform, and obviously there's a lot of games. For this, we focus on Left 4 Dead 2. All other SourceDS games are pretty much the same. Again, that's a huge understatement.
I mean, I'm really just kind of glossing over it, but you guys get the idea, I hope. Steam and Source, a primer, just real briefly. It's multi-platform. The one thing to note is, they reported in January there's over 25 million active users. So it's not something that's esoteric. There's a lot of people that use this, there's a lot of people that play that, and there's a lot of information that could be useful to a forensic investigation if you were to find this installed on a system.

So what? Compromised box with this server? It's not as unlikely as you may think. It's actually pretty common if you find a compromised box. Not all the time, but chances are there may be a video game server that's installed. I've seen it a few times. I know some of my coworkers have seen it quite a few times as well. Now, Steam itself generates a lot of logs, both client and server side. And what can you get from this? IP addresses, Steam IDs, time spent playing, and typed conversations if it's enabled. Only thing to note here is the Steam client. Here you have the UDP ports 27000 to 27015. That's the only thing to really know. Just kind of put it there for your reference.

Directory structure. For the SourceDS server, it's very similar across *nix and Windows. Windows, the only real difference is Windows is going to be in the Program Files directory, whereas Linux, it might be more of a custom path. Now, non-Steam servers exist. Packages installed, like the earlier example I provided with the IP addresses of the Admin Mod logs. Now, like I said, we were able to trace all that fun stuff back. All those IPs went back to Russia. We had the Steam IDs. We were able to look it up. And I think we'll get to that slide here in a minute when I talk about the Steam Community pages. Logs, again, that's where they were located. Really, not a lot to report there. And there's a screenshot of that.
What's in the logs? Your log files are going to start out like this. It's going to launch the configuration file first. So if you just open it up initially, you're going to see a bunch of gibberish that really means nothing to anybody other than it's the configuration. You might be able to see the RCON password or the contact information of the server admin. But again, if you compromise the box, you're really not going to put valid, I would hope not, you're not going to put valid contact information in there. Continued, what's in the logs? Here we can see people connecting, when they connect, when they disconnect, their names and their Steam ID.

Continuing on, the Steam ID, this really is a wealth of information. I imagine that some marketing guy just really loves the whole concept of Steam. It provides, again, a lot of information. Steam IDs, they're in that format, and you can easily look them up. If you have a Steam ID, there's a lot of different websites you can go to, or you can just Google it, and it may take you right to the page. Now, if you have somebody's Steam ID, you can go to their Steam Community page. Now, unless they have this disabled, you're going to get a lot of information about this individual. You're going to have their name, the games they play, how often they play them, when they play them, and all their friends and who they play them with. It's all there, and it's all publicly accessible, and it could be useful to a forensics investigation to give you an idea as to what these users are doing on the system or how often they play. And now there's our friend again.

Wrapping it up. If you believe that there is a video game system that's installed on here, I mean, obviously, if you have a server and you're doing a forensics investigation, there's a lot of places to get good information. I mean, you have your event logs, you have your file analysis, just standard forensic methodology.
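Added example, not the talk's code and not Valve's: a Python parser for the connect/disconnect lines a Source dedicated server writes, turning them into per-player sessions (name, Steam ID, source address, connect and disconnect time, duration) and picking up server cvars such as the admin contact the talk mentions. It assumes the Half-Life log standard line shape ("L mm/dd/yyyy - hh:mm:ss: ...") that SourceDS games use; the sample log is constructed, and every name, Steam ID and address in it is fictional. The conversion from STEAM_X:Y:Z to the 64-bit id in a community profile URL is the public formula 76561197960265728 + 2*Z + Y. A player still connected when the log ends is reported with complete=False and a duration measured to the last timestamp in the log, which is the case you hit on a box that was imaged while the server was running.

```python
"""Extract player sessions and Steam IDs from Source dedicated server logs.

Added example, not the talk's or Valve's code. Assumes the Half-Life log
standard line format written by SourceDS. The sample lines are constructed;
every name, Steam ID and address in them is fictional.
"""
import re
from datetime import datetime

# Constructed sample log (not a real server's output).
SAMPLE_LOG = """\
L 08/05/2010 - 20:01:03: Log file started (file "logs/L0805001.log") (game "left4dead2") (version "4094")
L 08/05/2010 - 20:01:04: server_cvar: "sv_contact" "admin@example.invalid"
L 08/05/2010 - 20:02:11: "Coach<3><STEAM_1:0:12345><>" connected, address "203.0.113.7:27005"
L 08/05/2010 - 20:02:40: "Zoey<4><STEAM_1:1:67890><>" connected, address "198.51.100.23:27005"
L 08/05/2010 - 20:03:02: "Bot Francis<5><BOT><Survivor>" connected, address "none"
L 08/05/2010 - 21:15:52: "Coach<3><STEAM_1:0:12345><Survivor>" disconnected (reason "Disconnect by user.")
L 08/05/2010 - 21:30:00: Log file closed
"""

LINE_RE = re.compile(r'^L (\d\d/\d\d/\d{4} - \d\d:\d\d:\d\d): (.*)$')
# Greedy name group so that '<' inside a player name does not break parsing.
PLAYER = r'"(?P<name>.*)<(?P<uid>\d+)><(?P<steamid>[^>]*)><(?P<team>[^>]*)>"'
CONNECT_RE = re.compile(PLAYER + r' connected, address "(?P<addr>[^"]*)"')
DISCONNECT_RE = re.compile(PLAYER + r' disconnected')
CVAR_RE = re.compile(r'^server_cvar: "(?P<name>[^"]+)" "(?P<value>[^"]*)"')
STEAMID_RE = re.compile(r'^STEAM_\d:([01]):(\d+)$')


def steamid_to_64(steamid):
    """Convert STEAM_X:Y:Z to the 64-bit id used in community profile URLs.

    Returns None for BOT, STEAM_ID_PENDING and other non-Steam ids.
    """
    m = STEAMID_RE.match(steamid)
    if not m:
        return None
    y, z = int(m.group(1)), int(m.group(2))
    return 76561197960265728 + 2 * z + y


def profile_url(steamid64):
    """Public community profile URL for a 64-bit Steam id."""
    return "https://steamcommunity.com/profiles/%d" % steamid64


def parse_log(text):
    """Return (sessions, cvars) for the given log text.

    Each session has name, steamid, steamid64, address, connected,
    disconnected (None if still connected when the log ends), duration_s
    and complete. Open sessions are keyed by the server's per-player uid,
    so the same Steam ID reconnecting yields separate sessions.
    """
    sessions, cvars, open_by_uid, last_ts = [], {}, {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%Y - %H:%M:%S")
        last_ts, body = ts, m.group(2)
        cv = CVAR_RE.match(body)
        if cv:
            cvars[cv["name"]] = cv["value"]
            continue
        c = CONNECT_RE.match(body)
        if c:
            if c["steamid"] == "BOT":
                continue  # server-side bots have no address or Steam ID
            s = {"name": c["name"], "steamid": c["steamid"],
                 "steamid64": steamid_to_64(c["steamid"]),
                 "address": c["addr"].rsplit(":", 1)[0],
                 "connected": ts, "disconnected": None}
            open_by_uid[c["uid"]] = s
            sessions.append(s)
            continue
        d = DISCONNECT_RE.match(body)
        if d and d["uid"] in open_by_uid:
            open_by_uid.pop(d["uid"])["disconnected"] = ts
    for s in sessions:
        # An open session is measured up to the last timestamp in the log.
        end = s["disconnected"] or last_ts
        s["duration_s"] = int((end - s["connected"]).total_seconds())
        s["complete"] = s["disconnected"] is not None
    return sessions, cvars


if __name__ == "__main__":
    found, cv = parse_log(SAMPLE_LOG)
    print("sv_contact:", cv.get("sv_contact"))
    for s in found:
        print(s["name"], s["steamid"], s["address"], s["duration_s"], "s",
              "" if s["complete"] else "(still connected at log end)",
              profile_url(s["steamid64"]))
```

The server log timestamps are in the server's local time with whatever clock it had; note the offset before lining these sessions up against event logs or the client-side connection logs from another machine.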
But the logs of the video game server itself, it's a very small footprint of the overall server, and it can provide a wealth of information as to the activity and the general usage of the server. Again, the configuration file, you can find the server admin contact information, and again, it's a very small footprint to look for in the big scheme of things.

Windows 7 and OS X. In this section, we're going to look at Windows 7. I just Boot Camped onto this MacBook Pro. We look at Steam and the World of Warcraft trial. Unfortunately, I didn't buy the full version, but the trial is just as good, I imagine. OS X, something to note here, Steam was recently released for the Mac. So now you can play all these fun games on your Mac. So nobody can say the Mac doesn't have games anymore. You can play Half-Life 2, Portal, Team Fortress 2, and there's a lot more on the way. And again, on the Mac there's a World of Warcraft client for it as well. And just for silliness, when they released it, this was the image they did, or this was their little advertising thing, I thought it was pretty neat.

Now, for the method of acquisition, we just used standard forensic methodology. Physical memory dump, volatile data gathering, and then we did a disk acquisition. That's kind of a high-level overview, and disk acquisition is really why people get into forensics, porn analysis.

The point: system profiling. There's a wealth of information that can be garnered. So if you're looking through these con logs and you see somebody's logged on 10 hours in WoW on a Saturday, it's pretty safe to say they probably don't have much of a social life. Information with regard to general activity of the system and account information is accessible. The perfect alibi: sorry officer, I was playing TF2. Now, a quick note on that.
Again, when you're doing a forensic analysis, when you're doing a forensic look at something and you have these logs, all that this tells you is a particular activity took place at a particular time. Now, if you were to try to tie that to a specific user and you're just using one log entry, it's probably not going to hold up. You probably need a lot more to go with that, particularly with a criminal investigation. You're going to need more data points than just one log entry that somebody connected to a game server.

Where you're going to find the stuff. OS X: Applications, *.app, the user profile, and this is true for any system, do a mem dump against it and run strings against it. And that is just a really awesome dictionary file. Just kind of a tip. Windows: Program Files, the user's AppData, and there's a little bit more security safeguards, I guess. It's a bit of an understatement, I suppose. Warden for WoW is installed by default. Warden is kind of a, it's like a piece of, I don't want to say spyware, but it's a client that enforces the EULA of Blizzard's World of Warcraft. It's a client that runs in the background. By default when you install it, it's there. You don't really have much of a choice. On OS X, from what I understand, it is an optional feature.

Now for the PC and OS X, this is the general location of where you're going to find the data for Steam on a Windows box. Games are stored in a single non-compressed archive, so you're not going to see a bunch of small files. You're going to see a couple of big files in the Program Files directory. And the con logs are going to be there: connection_log_270*.*. If you go back to the port list, the 27015 means that person actually connected to a game. If it was something else, con log 5000 or whatever, it's probably not playing a game. It's probably like an update. OS X, a lot of the same.
And the con log directory is in a different location: the user profile, Library, Application Support, Steam, logs. The connection log for the user end, if you're connecting out, this is what you're going to see. The log starts. This is your IP address. You started connecting. And the connection completes. And it tells you, you can get a good idea for how long they played on this particular system. So if you need to prove what actions were taking place on a system during this time, and you have these logs available, you can say, oh, well, this person was playing Left 4 Dead 2 for 3 hours.

Other notes on Steam. Most of the client-side stuff, as with the PS3, the Xbox 360, the Wii, it's all encrypted. You're really not going to see a lot. It's all maintained on the server end, so none of it's stored. I know back in the day, Steam used to store your password in plain text in its install directory. They don't do that anymore. At least, I hope not. They don't. Valve has an anti-cheat called VAC. Again, not much documentation on that, but it functions very much the same way as Warden does for World of Warcraft. Game configuration information. You have download directories, and it's noted by app IDs. You can find this, it's all public information. "220 is now marked for downloading," that's an example from a log entry. And here we can tell that at this time, Half-Life 2 started downloading.

Now, we looked at the World of Warcraft trial. What to look for: connection logs. You can find a lot about the user, what realm they play on, their character name, stuff like that. A lot of gamer info. Now, WoW has an official site that maintains all this character information. It's called the Armory. We'll get to it in a second. Again, the same data exists. Those are the locations. Here's your connection log.
Here you can see when this person connected, where they connected to, and for how long they were connected to it. It's all there. It's all easily readable. And I'm not saying you should go out and delete these logs. They may assist you. They may just be littered on your system. But it's there, and for a forensic investigator, it may be useful.

WoW gamer information. Again, the WoW Armory, this is another public venue for you to be able to gather information as to what this user is doing. In the install path, it's going to have the account name, the character name. So you can go to WoWArmory.com and search that name, and you're going to see this general character activity. You're going to see what achievements they just got, what time they got them. It's all there. It's all publicly accessible, very much like Steam. So, again, if you need to corroborate evidence and timelines, it's all there.

Other notes on WoW. Warden, anti-cheat, it's there, and again, it's very specious to call it spyware. But I mean, it's as much spyware as Norton is. Rootkit.com, somebody reversed it. They did a really great write-up. I highly recommend you go read it. They do have two-factor authentication, which is something that was interesting. This was a nice little bit that I learned. I didn't realize they were even offering this for video games anymore. You can do two-factor authentication. So for an optional fee, they can provide you a token that will generate a PIN, very much like an RSA token that you may have at work. So when you log on, let's say somebody compromises your account with maybe a keylogger, something like that, they won't be able to log on unless they have that token. So that's kind of the point of two-factor, right? Battle.net, I had a note that it's going to extend to StarCraft 2 and Diablo 3, but StarCraft 2 is already out.
Didn't really have time to make a write-up on it, but, you know, go StarCraft.

Game settings and user configs. Now, what's really interesting, this is just kind of off the wall, not really forensic related. They all validate with hashes. So, you know, your video game, your configuration file, if you try to go in and edit it manually, it's going to give you a check somewhere and say, no, this isn't right, don't do this. So, that's another option.

Wrapping it up. You know, constant development on engines and games. You know, MMOs, I didn't really touch a lot. Again, World of Warcraft, barely scratched it. There's a lot of MMOs out there. They have a really long development, long life cycle. EverQuest, that's been around for, hell, it's been around for a long time and they're still coming out with service packs. I mean, I remember, you know, well over a decade ago, you know, people were ranting and raving about EverQuest and I guess people still play it. Big name publishers, they have a very strong commitment to security, but they also have a very strong commitment not to release documentation on their platforms. So, if you wanted to get some really good technical information, like about Warden, about the Valve Anti-Cheat client, it's just simply not going, you're not going to get it. The information that exists all comes from, you know, you guys, the hacker community. Modern big name publishers, again, not allowed to begin with all the subscription stuff, you know, for personal information, it's all handled server side. So you're not going to find credit card numbers stored on the system. You're not going to find, you know, username and password stored on the system unless, you know, somebody has a plain text file saying "my WoW account login information." Lastly, you know, not much documentation, proprietary code and all that fun stuff. And it went a lot quicker than I thought.

If you're going to sell your console, wipe the drive. It's not that hard.
Or if somebody's like, hey, I'd like to buy your Xbox 360. You know, don't give them the hard drive. They can buy their own hard drive. It's not that expensive. Wow. Comparatively speaking, it really isn't.

In the not too distant future, these types of logs may be used in a criminal investigation. They may be used to defend you. They may be used to convict you. It depends on really what the case is. And again, like I said, a log entry, all that proves is a particular action took place at a particular time. If you need to tie it back to a particular user, you're going to need a little bit more than just a log entry in general. So it would be an aggregate of things.

7th gen consoles are maintained and updated consistently. The moment you see an exploit release like the GeoHot thing for the PS3, the next day there's a patch out to fix it. Same thing with the Wii. The moment, like, not the moment, but as soon as they can come out with an exploit to get access to the OS, there's a patch out to fix it. And they're really good about making sure that they maintain these patches. If you want to play online with your PS3, you're going to have the latest patch. Same thing with the 360. If you want to play online, if you want to use your thing, you're going to have to have the latest updates.

And again, for a forensic investigation, if you're going to look at a console, the first thing you should really do is just turn it on, plug it in, look at it, bring up a controller. You know, if you have a copy of Modern Warfare, fire it up. And then go through and, you know, if you're looking for pictures, it's all very intuitive. These things are designed to be easy for, you know, 12 year olds to navigate. So it should be easy enough for an investigator to kind of do their thing.

Game servers can add a lot to an investigation. Again, keep an eye out for the logs, and it can tell you a lot about what was going on on that system during the time frame of a particular compromise.
If you're trying to determine what happened on the system, even if it's more or less outside the scope of your investigation, if you're trying to determine whether a credit card data breach occurred, it's likely that the attackers didn't install a Counter-Strike server. But again, you know, it's good information to have for just about anything or any point you're trying to make.

Newer PC games are much better in security. DRM. Nobody likes DRM. That's kind of what Steam is, right? It's just a big DRM client. But they're very good at it, and they're very good about it, and the reason is because nobody likes cheaters. Well, not everybody, but in general, you know, back in the day, Counter-Strike, old school, there was a lot of cheating, and it was very easy to do. I mean, anybody with, you know, a modicum of experience could just easily go through with an aimbot and, you know, own an entire server. That got a lot of people upset, hence VAC was developed, and it's only being developed more and more. It's getting a lot harder to cheat in these online games. Same thing with, you know, bots for World of Warcraft. Sure, you know, you can run a bot, go out and do your thing. Somebody made an example, I think it was an episode of Law and Order, where somebody's defense was that they were playing World of Warcraft at the time, look at the logs, and they're like, oh, well, yeah, but lo and behold, they were using a bot. Well, if you're a forensic investigator and you miss a bot, you should probably find a new line of work.

And I guess that's pretty much it. Just a couple of shout outs: SpiderLabs, a couple of friends, and this guy, the anonymous friend on PS3. So if anybody wants a copy of these slides, I think my contact information is in the, is somewhere out there on the thing. If worst comes to worst, you can ask me in the Q and A room and I can shoot it off to you. Because I took out a lot of information that was in the slides on the DVD.
I go through step by step in the PDF as to how to go about, you know, taking apart your hard drive. You know, there's a lot more images, there's a lot more details, a lot more narrative. Here I kind of broke it down. And I think that's really early, aren't we? Yeah. Say lovey. So yeah, questions.

Yes. The 360 is really good at that. I mean, like I said, there's really no file system security on it at all. I mean, if you want to just, you know, go through and control through the partition directories, if you want to open it up in, let's say, Xplorer360, it's there. I mean, you'll be able to find it, or, you know, you can find file system artifacts in, let's say, unallocated space. But, let's say for the PS3, not a lot. I do believe there are various media center applications you can use for, let's say, the PS3, and you can stream movies using this application through your PS3. Now, like I said, if you look at the hard drive, you're not going to see a lot, but if you do look at the PS3 media center, you're going to see, I do believe they maintain a kind of backlog of what was in the buffer, what was wrong, what was being done. But then again, you know, like I said, if you're investigating somebody's PC, there's a lot of other places to get information. But yeah, you can find that information on some systems. Wii, not so much.

Yeah. It's unfortunate too. I mean, the PS3 really is a sophisticated piece of hardware. I mean, I'm not trying to gush, but it's really awesome. It is a shame there's really no documentation and they're really a stickler for this encryption that's on there. Like I gave the example about, you know, the hard drives, it's easy to replace. If you were to take a hard drive out of one PS3 and put it into another, it's going to ask you to format it and reinstall. So that tells you that these encryption keys are unique per device, which is, wow, really?
Whereas, you know, the Wii, it's, you know, on the thing, it's on the hard drive itself. Like I said, again, it's theorized that these decryption keys for the hard drive exist in one of the SPEs on the Cell processor, but as far as what's on the PS3, I really wish I could go into more detail as to how it works, because I would love that information. If there's any developers out here who work on the Sony PS3, I'd love to pick your brain. No, no hands. But yeah, I really wish there was more documentation, if we could go through and the system was a little more open-ended. And after taking away the Other OS support as well, I don't know if I took all that out of the slides or not, but originally I kind of had a bit of a rant about it. I mean, what other system takes away features from its users? Some people bought these systems for the explicit use of, like, hey, I want to install Linux on my PS3, and now you can't do it if you want to, you know, maintain a PS3 as well. I do think there's a class action against that now. Anybody joined in on that? No?

Yeah, I've actually heard about that. I heard, what was it, the government had bought a whole bunch of these things that they're using for password cracking, because it's a Cell processor. I mean, what's it good at? It's good at crunching numbers. I mean, yeah. And again, I said I can't substantiate it either. I mean, all that's really kind of hearsay, right? But yeah, I mean, they're pretty powerful machines. You can do a lot with them. Again, I just wish the PS3 was a little more open. Any other questions?

Well, like you said, you made a good point, you know, MMOs anymore, these online RPGs, there's a lot of people. Well, from what I understand, they love it because it's a big social thing. I know I was a huge, you know, WoW nerd for a long time. I recently quit the addiction. So I mean, people love the social aspect. It's there. I guess you could do that.
I mean, it's not entirely impossible. It'd be interesting to see. I mean, as I know, like, for example, World of Warcraft, the only reason I mention it is because they've got what, 11, 12 million users worldwide, some ridiculous number. So it's, I guess it's possible. I mean, if you can compromise somebody's account, or if you could really get together with the other social network, or the rest of their social network, it's quite possible to do that, I imagine. Yeah. Any other questions? Yes, no. All right. I guess if there's any other Q and A, thanks for coming, everybody. I appreciate it. Thank you.