Advertisement
Guest User

Untitled

a guest
Mar 31st, 2012
774
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 34.22 KB | None | 0 0
  1. Association for Information Systems
  2. AIS Electronic Library (AISeL)
  3. AMCIS 2011 Proceedings - All Submissions
  4. 8-5-2011
  5. Identity Theft and Used Gaming Consoles:
  6. Recovering Personal Information from Xbox 360
  7. Hard Drives
  8. Dr. Asley L. Podhradsky
  9. Drexel University
  10. Dr. Rob D'Ovidio
  11. Drexel University
  12. Cindy Casey
  13. Drexel University
  14. This material is brought to you by AIS Electronic Library (AISeL). It has been accepted for inclusion in AMCIS 2011 Proceedings - All Submissions
  15. by an authorized administrator of AIS Electronic Library (AISeL). For more information, please contact elibrary@aisnet.org.
  16. Recommended Citation
  17. Podhradsky, Dr. Asley L.; D'Ovidio, Dr. Rob; and Casey, Cindy, "Identity Theft and Used Gaming Consoles: Recovering Personal
  18. Information from Xbox 360 Hard Drives" (2011). AMCIS 2011 Proceedings - All Submissions. Paper 54.
  19. http://aisel.aisnet.org/amcis2011_submissions/54
  20. 1
  21. Identity Theft and Used Gaming Consoles:
  22. Recovering Personal Information from Xbox 360 Hard Drives
  23. Dr. Ashley L. Podhradsky, Drexel University
  24. Dr. Rob D’Ovidio, Drexel University
  25. Cindy Casey, Drexel University
  26. Keywords: Digital Forensics, Identity Theft, Xbox Gaming Console, Data Sanitization
  27. Abstract
  28. Traditionally, when individuals wanted
  29. online access they connected their PCs to
  30. the internet. Now, non-traditional devices
  31. such as cell phones, smart phones, and
  32. gaming consoles serve as common means of
  33. online access. Gaming consoles, just like
  34. PCs need proper sanitization processes to
  35. help fight identity theft. Individuals
  36. understand you cannot simply throw away a
  37. computer that has your personal data on it
  38. without some sort of sanitization process;
  39. gaming consoles are no different. Simply
  40. returning your console back to “factory
  41. state” will not do the trick, you need to take
  42. things one step further.
  43. In this research paper the authors aim
  44. to bring awareness to the gaming public,
  45. researchers and practitioners that
  46. improperly discarding used consoles without
  47. proper sanitization practices can
  48. inadvertently release personal data which
  49. can result in identity theft. The researchers
  50. will demonstrate through a case study how
  51. easy it is to steal an identity through a
  52. discarded Xbox. Finally, the researchers
  53. will demonstrate how gamers can sanitize
  54. their game consoles when upgrading their
  55. systems to ensure their identity is not at risk
  56. when the used device is retired.
  57. 1. Introduction
  58. Identity theft occurs when an individual’s
  59. personal data is obtained and fraudulently
  60. used by another, typically for monetary
  61. profit [1]. With as little as a person’s name,
  62. social security number, or date of birth, a
  63. thief can cause major damage [1]. Although
  64. the most common type of identity theft is
  65. credit card theft, stolen identities can be
  66. used for immigration, tax, medical,
  67. residential, and social security fraud to name
  68. a few [2]. As reported by the President’s
  69. Identity Theft Task Force, what makes
  70. identify crime so successful and lucrative is
  71. that the victims typically do not know they
  72. have been victimized until late into the life
  73. cycle of the theft [2]. By the time a victim
  74. finds out his identity has been stolen, usually
  75. via a bad credit report or a rejected credit
  76. application, the thief has already enjoyed the
  77. spoils of his crime and has moved on to the
  78. next victim [2].
  79. In their 2010 Identity Theft Report,
  80. Javelin Strategies, a research firm that
  81. analyzes trends in identity theft, revealed
  82. that identity theft increased a staggering
  83. 11% percent between 2008 and 2009 [3].
  84. According to the Federal Trade
  85. Commission’s most recent survey,
  86. approximately one out of every four
  87. Americans is at risk of being victimized
  88. 2
  89. each year. With an identity stolen every
  90. three seconds in the United States, fraud has
  91. reached epidemic proportions [4]. It is
  92. important to note that these numbers do not
  93. include those who do not report, or are not
  94. even aware, that they have had their
  95. identities stolen. Therefore, the researches
  96. hypnotize this staggering statistic to be even
  97. higher.
  98. Due to their tendency to engage in riskier
  99. activities such as sharing computers,
  100. utilizing unprotected wireless access points,
  101. and uploading videos, younger adults tend to
  102. be the most vulnerable of the populace.
  103. However, securing computers and
  104. advocating online safety are not the only
  105. countermeasures that can curtail these
  106. escalating statistics. Personal data used in
  107. identity theft can be obtained through a
  108. multiplicity of means, many of which are
  109. not even considered by the general public as
  110. posing a potential threat.
  111. In addition to computers, other devices
  112. such as cell phones, smart phones and
  113. gaming systems also store copious amounts
  114. of personal or confidential data. Most
  115. individuals do not realize when using these
  116. devices that their personal information is
  117. being copied and stored. Even when the
  118. device is considered data-free using
  119. conventionally practiced sanitation methods
  120. such as erasing or over-writing the hard
  121. drive, sensitive data can still be retrieved
  122. [5]. Any device over which personal
  123. information is sent or stored and then is not
  124. sanitized correctly creates the perfect storm
  125. for identity theft. Instead of going through
  126. the trouble of hacking into someone’s
  127. Bluetooth device or peering over the
  128. shoulder of a laptop in public – the criminal
  129. merely has to purchase a used gaming
  130. system at an online auction site, and the
  131. identity comes to him.
  132. The researchers acquired three used
  133. gaming consoles for the purpose of this
  134. paper and research. Two consoles were
  135. purchased from eBay and a popular online
  136. classified forum, and one was retrieved after
  137. being discarded.
  138. 2. Xbox Gaming Console
  139. While personal data can be extracted
  140. from Sony’s PS3 and Nintendo’s Wii
  141. gaming systems, Microsoft’s Xbox is the
  142. most popular among American consumers,
  143. selling over thirty-nine million consoles, six
  144. million more than their top competitor, the
  145. PS3 [6]. When Bill Gates first announced
  146. his plans for the Xbox gaming system in
  147. January 2000, at the International Electronic
  148. Consumers Show in Las Vegas, some critics
  149. proclaimed that this new console was
  150. nothing more than a “...PC in a black box
  151. [7].” These critics proved to be correct.
  152. The Xbox console is not only similar to a
  153. personal computer - it is actually more
  154. powerful than the average personal
  155. computer. The hardware and technical
  156. specifications found in today’s Xbox
  157. console includes a detachable 250GB hard
  158. drive, an IBM customized power –PC based
  159. CPU containing three symmetrical cores
  160. each capable of running 3.2 GHz, a 512 MB
  161. GDDR3 RAM (which reduces the heat
  162. dispersal burden and is capable of
  163. transferring 4 bits of data per pin in 2 clock
  164. cycles for increased throughput), and 700
  165. MHz DDR (theoretically supplying a swift
  166. 1400 MB per second maximum bandwidth)
  167. memory [8].
  168. The file data format used in Xbox is the
  169. FATX which is an offshoot of the more
  170. 3
  171. familiar FAT32 found on computers and
  172. flash media [9]. In fact, the two possess
  173. virtually identical format and file data
  174. layouts. Unlike the FAT32 however, the
  175. FATX does not contain the backup boot or
  176. file system information sectors found in
  177. FAT32. Additionally, FATX does not
  178. support Unicode, which is often utilized by
  179. examiners when performing forensic
  180. analyses [10]. The reasoning behind these
  181. variations in file formatting is that the Xbox
  182. was designed primarily for entertainment as
  183. opposed to productivity. Thus, redundancy
  184. and legacy are apparently forfeited in order
  185. to increase the system’s speed [33].
  186. Some of the personal data which can
  187. potentially be retrieved from consoles
  188. include, but are not limited to the following:
  189. • User’s name
  190. • Address
  191. • Telephone number
  192. • Credit card information
  193. • Personal chat logs
  194. • Personal blog records
  195. Credit cards are used to purchase games
  196. through the Live Arcade, pay for Xbox Live
  197. membership, and buy merchandise such as
  198. gamer icons and console themes at Xbox’s
  199. Live Marketplace. One popular movie
  200. subscription service, Netflix, even permits
  201. its members to rent movies using credit
  202. cards directly though their Xbox consoles
  203. [20]. Other personal information is used to
  204. create profiles, chat, and blog. In fact, the
  205. Xbox is even capable of keeping a gamers’
  206. blog for the user by monitoring the account
  207. and automatically generating blog entries
  208. about their daily activities. However, as is
  209. true with any technology, these
  210. advancements also create more
  211. vulnerabilities.
  212. Recently Microsoft released the Kinect
  213. motion-sensing peripheral for Xbox 360.
  214. Kinect relies on biometrics, thus enabling
  215. players to turn on their console with a wave
  216. of the hand or palm scan [11]. With body
  217. movements and voice recognition, users can
  218. control their characters in the game. If trying
  219. to reestablish credit and other finances
  220. destroyed due identity theft is not complex
  221. enough, imagine how difficult it may be to
  222. recover a palm, fingerprint, or even a retina
  223. scan. While this may sound like something
  224. out of a science fiction novel, it is not that
  225. implausible.
  226. With the emergence of the Kinetc
  227. gaming bundle, more users will be selling or
  228. trading their current consoles either because
  229. they are outmoded or to financially offset
  230. the cost of acquiring a newer system. In
  231. addition to selling the system in its entirety,
  232. some users may elect to sell or swap the
  233. hard drive independent of the console.
  234. Oftentimes, after acquiring numerous
  235. games, storing countless television shows,
  236. or amassing a plethora of other data, the user
  237. may seek to change a drive out of necessity
  238. because a larger drive is required.
  239. Not all Xbox consoles are sold for profit
  240. or to upgrade to a better system. According
  241. to demographics, the majority of Xbox users
  242. are young males between the ages of
  243. eighteen and thirty [12]. These statistics
  244. correlate with the medium age of Americans
  245. who embrace or practice green living
  246. [13,14]. Thus, a considerable number of
  247. Xbox users may choose to recycle their
  248. gaming systems and its components in lieu
  249. of destroying them or tossing them into a
  250. landfill.
  251. 4
  252. A quick look on eBay provides a small
  253. snapshot of how many systems are sold
  254. daily. At the date of this study, there were
  255. over 1,500 Xbox gaming systems for sale in
  256. the United States alone [15]. It is relative to
  257. note that these listings are subject to change
  258. by the minute and do not include Xbox hard
  259. drives being sold devoid of a console.
  260. Thus, the probability that more Xbox
  261. devices will fall into the hands of
  262. unscrupulous individuals can be expected to
  263. increase in light of the following
  264. occurrences:
  265. • Emergence of newer (next
  266. generation) gaming consoles and
  267. bundles
  268. • More users seeking to offset gaming
  269. costs due to the recession
  270. • Increasing conservation awareness
  271. and recycling efforts
  272. • Gaining popularity of cloud gaming
  273. Typically, when an individual decides to
  274. sell or trade their Xbox console or hard drive
  275. they delete, or erase their personal data and
  276. history believing the information is
  277. permanently gone. However, this common
  278. practice does not remove data from the
  279. console at all, it merely alters it [5]. When
  280. data is deleted, it is not really erased; in fact,
  281. it is not even necessarily moved. In most
  282. cases, the information or file stays exactly
  283. where it was. What changes is the path and
  284. filename of the data known as the directory
  285. entry. The first letter of the file is modified
  286. and marked with a character indicating it is
  287. available to be rewritten. There it will stay
  288. intact until new data is written over the
  289. existing data (overwriting).
  290. More savvy Xbox users may opt to
  291. reformat the console’s hard drive in order to
  292. destroy sensitive information. Theoretically,
  293. when an Xbox drive is reformatted, every
  294. available block of space is filled with zeros,
  295. or ASCII NUL bytes (0x00). Successfully
  296. overwriting a drive is not only contingent
  297. upon both the logical and physical condition
  298. of the drive, but the methodology utilized as
  299. well. It would be problematic at best to say,
  300. with any degree of certainty, that all
  301. information can be eradicated.
  302. According to Microsoft’s Online Xbox
  303. Support tutorials, once the Xbox console is
  304. reformatted, “…all of the information saved
  305. on that device is erased and cannot be
  306. recovered [16].” This information was
  307. reiterated by Microsoft via email after we
  308. contacted Xbox’s customer support
  309. inquiring how to securely and permanently
  310. remove personal data from the system. One
  311. of the objectives of this project is to
  312. ascertain exactly how accurate this
  313. consumer directed information actually is.
  314. 3. The Investigation
  315. Two Xbox gaming consoles were
  316. purchased randomly from an online auction
  317. site and a popular classified forum
  318. respectively. An additional hard drive was
  319. retrieved after being discarded by the
  320. original user. Once removed from the
  321. consoles (if applicable), the drives were
  322. extracted using T10 and T4 Torx wrenches.
  323. To preserve objectivity, each drive was
  324. randomly numbered (001 through 003). It is
  325. relevant to note, that when purchasing used
  326. gaming systems from online auction sites,
  327. identity thieves have somewhat of an
  328. advantage – the seller’s name and mailing
  329. address appears right on the package when it
  330. arrives. Likewise, if acquired from a
  331. classified forum such as craigslist [17]
  332. 5
  333. unscrupulous individuals can amass the
  334. seller’s name, telephone number or email
  335. address, and various other tidbits of
  336. information by way of social engineering.
  337. A variety of tools were utilized to
  338. examine the drives. The reasoning for this
  339. was twofold. First, there is not a great deal
  340. of information available to date regarding
  341. the structure and forensic examination of
  342. gaming consoles. This is not because
  343. gaming consoles are new per se, but rather
  344. that they have evolved so rapidly over the
  345. past decade. Secondly, no one tool was
  346. capable of presenting the drives in their
  347. entirety. Some of the software used to
  348. examine the Xbox drives included, but was
  349. not limited to:
  350. • XPlorer360- Freeware tool that
  351. allows access to all discoverable
  352. Xbox partitions and memory cards.
  353. Xplorer360 allows access to both
  354. physical and logical areas of the
  355. drive [18]
  356. • FTK 3.0- Forensic Toolkit (FTK),
  357. produced by AccessData is a
  358. commercial suite of applications for
  359. forensic analysis of digital media,
  360. including Xbox consoles [19]
  361. • FTK Imager- Freeware tool from
  362. AccessData which allows users to
  363. forensically image and analyze
  364. drives [20]
  365. • Modio- Freeware modding tool that
  366. allows Xbox users open their system
  367. to allow for customized use of their
  368. console [21]
  369. • wxPirs- Freeware tool that allows
  370. extraction of access to PIRS (themes
  371. or gamertags), LIVE (content
  372. downloaded from Xbox Live), or
  373. CON (internal files specific to Xbox)
  374. container files on Xbox 360’s [22]
  375. • ProDiscover Basic- Freeware tool
  376. based on the commercial
  377. ProDiscover allows viewing of each
  378. sector to determine data storage
  379. locations [23]
  380. • Digital Forensic Framework (DFF)-
  381. Is an open source tool that aids in the
  382. collection and analysis of digital
  383. evidence [24]
  384. • Hex Editor XV132 – Freeware hex
  385. editing tool that runs in memory and
  386. doesn’t need to be installed on the
  387. host system, incorporates a built in
  388. hex to string, and allows bookmarks
  389. [25]
  390. • XFT 2.0- Commercial Xbox toolkit
  391. developed by Protowise Labs that
  392. allows for access to configuration,
  393. modification, and user files, included
  394. recovering deleted files [26]
  395. • Data Rescue’s DD (DrDD)-
  396. Freeware tool that recovers deleted
  397. files off of corrupted storage devices
  398. or partitions, while not designed for
  399. gaming consoles, it was used to
  400. determine functionality [27]
  401. • EnCase Forensic v6 – Commercial
  402. forensic analysis tool by Guidance
  403. Software (Guidance Software ,
  404. 2011)
  405. In addition to the above software, several
  406. operating systems were also employed
  407. during our analysis. This was done to not
  408. only to eliminate the possibility that any of
  409. the software limitations encountered were
  410. the direct result of an incompatible OS, but
  411. also to gain a clearer understanding of the
  412. 6
  413. FATX file structure. The operating systems
  414. utilized for this study were:
  415. • Windows XP
  416. • WIN 7 (Ultimate)
  417. • Red Hat Fedora 14
  418. • Ubuntu 10.10
  419. Determining which operating system to
  420. use created somewhat of a dichotomy at
  421. times. While the majority of the tools
  422. available only operate in a Windows
  423. environment, the Linux operating system
  424. appeared to be the most compatible with the
  425. actual gaming console itself. In fact,
  426. gamers seeking to download and play
  427. unsigned copies of Xbox games, or elicit
  428. superior gaming and dashboard options, can
  429. modify their console using Linux. This is
  430. referred to as soft-modding or simply
  431. modding. Microsoft discourages these types
  432. of system changes, which if executed will
  433. void the system’s warranty [28].
  434. In a recent effort to discourage console
  435. modifications, Microsoft released an
  436. Xbox360 update in early August 2009. This
  437. was referred to as the “homebrew lockout”
  438. by the Free60 Project, an organization which
  439. both promotes and supports users running
  440. homebrew applications and Linux operating
  441. systems on their Xbox360 gaming consoles.
  442. The update overwrote the first stage boot
  443. loader (responsible for starting the system
  444. when it is turned on) thus causing any
  445. updates or modifications made by the user to
  446. render their system useless [29]. This
  447. information can be of significant importance
  448. to digital examiners who are seeking to
  449. establish or understand the system’s
  450. bootstrapping process and subsequent drive
  451. structure, particularly given how thorny this
  452. task can be.
  453. Since the Xbox does not contain the same
  454. type of BIOS found in a PC, it should not be
  455. expected to boot like the typical PC. In fact,
  456. as early as 2002, MIT researcher, Andrew
  457. Huang, noted in his detailed study of the
  458. Xbox’s structure that the Xbox contains a
  459. “secret boot block [30]’. Perhaps this was an
  460. attempt by Microsoft to deter tampering and
  461. possibly initially, although not very
  462. successfully, as a security mechanism. This
  463. information is pertinent because if the boot
  464. block is a decoy – then what else might be a
  465. red herring?
  466. An example of this ambiguity was found
  467. upon examination of the hard drive’s
  468. partitions. Partition 1, the second partition
  469. encountered when opening an Xbox drive,
  470. appears to be empty – that is, when it can be
  471. found. There could be several reasons for
  472. this. It might be reserved for future use or
  473. simply just not accessible. Another option is
  474. that it could be a lure – a hard drive honey
  475. pot of sorts to deflect, and possibly detect,
  476. unauthorized access or changes.
  477. 7
  478. Image 1- Partitions as viewed in Modio
  479. Partition 1 was only viewable on two of
  480. the hard drives examined; including one
  481. sample containing a second or merged set of
  482. files. These integrated or legacy files were
  483. located on Partition 3, as seen in the capture
  484. below using the open source utility, Modio,
  485. as indicated in image 1.
  486. Modio is a modding utility that allows
  487. Xbox users to manipulate their consoles. It
  488. is also handy for viewing image files on the
  489. fly without needing to export them first into
  490. another program, as demonstrated in image
  491. 2. However, the option to extract files is also
  492. available. Although not yet tested by NIST,
  493. further evaluation of this utility might prove
  494. valuable to law enforcement agencies.
  495. The hard drives were accessed using a
  496. USB 2.0 to SATA adaptor with a 50/60 Hz
  497. power supply cable. Imaging with Access
  498. Data’s Forensic Toolkit 3.0 (FTK) was a
  499. timely process which did not yield
  500. extremely productive results. The limited
  501. results obtained could be attributed to the
  502. FATX file structure of the Xbox. The
  503. extracted files were inspected by examining
  504. the raw data to determine if the drives were
  505. intact, deleted, or reformatted.
  506. All three of the drives exhibited signs of
  507. being overwritten as evidenced by large
  508. sections of zeros in non-program specific
  509. files. It would be difficult at best however to
  510. declaratively state the drives were
  511. reformatted without further studies as each
  512. operating system has its own unique way of
  513. performing this process and while the Xbox
  514. does share some similarities with a PC, it
  515. cannot truly be measured using the same
  516. criteria [31].
  517. Xplorer360
  518. One of the more useful tools employed
  519. was a utility called Xplorer360. Xplorer360
  520. is an open source program that enables
  521. gamers to open and view, edit, or export
  522. data from their Xbox hard drives through
  523. their PC. The results were very swift with
  524. the hard drive opening in under a minute.
  525. Partitions and their subsequent subfolders
  526. are displayed in the left hand pane. More
  527. detailed information about a selected file or
  528. directory is displayed in the right pane.
  529. Although earlier studies of the Xbox drive
  530. found that Partition 0 was an empty partition
  531. [32], our analysis found two drives that did
  532. exhibit files on Partition 0, as demonstrated
  533. Image 2- Viewing files in Modio
  534. 8
  535. in image 3. This empty partition was
  536. initially attributed to the extra file mentioned
  537. earlier on Partition 3, Xbox1 (Partition
  538. 3\Compatibility\Xbox1), which when
  539. observed using traditional forensic tools
  540. such as FTK 3.0, appeared to be on the only
  541. drive in our study that possessed an empty
  542. partition 0. However, after utilizing popular
  543. modding tools such as Modio and
  544. EXplorer360, we were able to ascertain that
  545. the two drives containing data in partition 0
  546. included the drive with the additional Xbox1
  547. folder. The drive which did not contain
  548. viewable data in Partition 0 was the newest
  549. of the three drives as ascertained from sector
  550. 4 (7-02-09). This indicates that the empty
  551. Partition 0 may be the result of the August
  552. 2009 update, which as mentioned earlier
  553. reportedly overwrote the first stage boot
  554. loader.
  555. Image 3 -Partition 0, Viewed in
  556. Xplorer360 showing a JA folder and an aoA
  557. file
  558. Ironically, although FTK 3.0 did not
  559. generate any remarkable user data
  560. independently, additional data was revealed
  561. later using FTK Imager. After the drive’s
  562. contents were opened and dumped using
  563. Xplorer360, the extracted files were opened
  564. in FTK Imager for analysis. One test drive
  565. produced a file containing a user’s name.
  566. This file, which contained profile saved
  567. data, was identified as
  568. Partition3\Content\0000000000000000\4D5
  569. 707D4\00000001\BTL save, and last
  570. modified on 8/28/2007, as demonstrated in
  571. Image 4. Other personal data obtained from
  572. the same drive included a user’s first name
  573. and a partial or abbreviated city name.
  574. Image 4 – Profile saved data revealing a user’s
  575. name as seen in FTK Imager
  576. 9
  577. In partition 3, under system update files
  578. (Partition3\$SystemUpdate) was a 6.96 MB
  579. Pirs file named su20076000_00000000.
  580. Extracting this file and opening it with
  581. wxPirs revealed a list of xexp files, as
  582. demonstrated in Image 5. WxPirs is another
  583. open source utility commonly used by
  584. gamers seeking to modify their gaming
  585. consoles. It enables users to open PIRS,
  586. CON, and LIVE files - commonly found on
  587. the Xbox360 drive.
  588. Image 5 - Partition3\$SystemUpdate\
  589. su20076000_00000000 extracted from Modio as
  590. viewed in wxPirs.
  591. The xexp files were then extracted from
  592. wxPir and opened further with a Hex Editor
  593. (XV132). Once opened in the Hex Editor we
  594. could see that the files contained symbol
  595. table data - most likely used for linking
  596. programs to other programs. Xexp files are
  597. software development files that store
  598. information about a program and that
  599. program’s functions [16]. This particular
  600. system update was found on all three of the
  601. hard drives, as demonstrated in Image 6.
  602. Image 6 - $flash_bootanim.xexp file extracted from
  603. wxPirs as viewed in XV132
  604. These particular system update files were
  605. identified as belonging to an update released
  606. by Microsoft in January 2007 [34].
  607. Apparently, similar to the August 2009
  608. update discussed earlier, this was possibly
  609. another attempt to keep gamers from
  610. modifying their consoles. It is also
  611. interesting to note that the August 2009
  612. update was not found in the system update
  613. folder of any of the drives examined.
  614. A closer inspection of the sectors on each
  615. drive was performed using ProDiscover
  616. Basic and Digital Forensic Framework
  617. (DFF). ProDiscover Basic is the demofreeware
  618. version of Technology Pathway’s
  619. ProDiscover Forensics. It enables digital
  620. examiners to scrutinize a hard drive’s
  621. clusters and files hidden in slack space.
  622. Digital Forensic Framework (DFF) is an
  623. open source cross-platform tool for
  624. examining digital media. It is a rather
  625. efficient utility which enables the user to
  626. find hidden data. While neither ProDiscover
  627. Basic nor DFF were useful for drive
  628. acquisition, once the drives were extracted
  629. using DataRescue’s DD (DrDD), they were
  630. very instrumental in our research.
  631. On two of the drives, including the one
  632. with the assimilated systems, the first piece
  633. of data observed was found on sector two -
  634. ©Axb-Microsoft proprietary programming
  635. code). In the other drive, the first sector
  636. containing data was sector four. All three
  637. drives had a rather interesting find in sector
  638. four, the name JOSH, followed by some
  639. digits and a date, as indicated in image 7 and
  640. table 1.
  641. Drive Name Digits Date
  642. 001 JOSH 97-001 03-19-07
  643. 002 JOSH 49-001 07-02-09
  644. 003 JOSH 78-001 08-07-08
  645. Table 1 – Sector 4 data found
  646. 10
  647. Image 7 – Sector 4 in ProDiscover Basic
  648. This could signify a number of things
  649. including a digital ID, some type of
  650. Microsoft numbering or cataloging scheme,
  651. or the developer’s signature (i.e.; Joshua
  652. Gilpatrick, Microsoft Xbox Program
  653. Manager). Later, we encountered files with a
  654. similar structure (i.e.;CON hx8123 97-001
  655. 03-19-07). Information regarding the hard
  656. drive itself was located in sector ten, as
  657. demonstrated in Image 8.
  658. Image 8 – Sector 10, Hard Drive Information as seen
  659. in DFF
  660. Examining the Xbox drive using EnCase
  661. can be extremely productive - depending on
  662. what you are looking for. Image 9 shows
  663. some of the data obtained on one of the
  664. drives imaged with EnCase. In this
  665. particular instance, we can see NAT
  666. (Network Address Translation) rules for a
  667. site called Bungle.net, where Halo players
  668. can have their stats tracked or purchase
  669. games and merchandise [36].
  670. Microsoft defines three categories of Nat
  671. on their consoles- open, moderate, and
  672. closed. These attributes, or policies, control
  673. the amount of user access to Live services.
  674. The ports used are UDP (User Datagram
  675. Protocol) ports 3074, 5060, and 5061. (OAI
  676. Networks, 2011) Considering that UDP is a
  677. connectionless protocol, this could present a
  678. considerable vulnerability (i.e.: UDP 5060
  679. and weak SIP or Brute Force Attack) of
  680. which the user is not informed about. Thus,
  681. when gamers who are not familiar with
  682. NAT or VoIP weaknesses elect to change
  683. their settings in an effort to host games or
  684. communicate with other players, they are
  685. also unknowingly introducing more
  686. vulnerabilities into their system.
  687. Image 9 –Microsoft’s defined NAT as viewed in
  688. EnCase
  689. Another benefit of utilizing EnCase is its
  690. ability to discover credit card information on
  691. a hard drive by looking for numbers
  692. encoded with ASCII digit characters that
  693. match valid credit card company identifiers.
  694. These numbers are then run against the Luhr
  695. 11
  696. formula (an algorithm used to validate credit
  697. cards, social security numbers, and other
  698. identification numbers) [27]. Performing a
  699. fast scan on one of the drives resulted in a
  700. possible credit card hit as demonstrated in
  701. Image 10. Although this does not
  702. definitively prove there are any credit card
  703. numbers on the hard drive, it is highly
  704. probable given the results obtained. The
  705. Bank Identification Number in this hit
  706. identifies this as a Bank of America
  707. Discover Card [37].
  708. Image 10 – EnCase credit card hit
  709. Utilizing a new tool, XFT 2.0, developed
  710. by David Collins, a computer scientist at
  711. Sam Houston State University and
  712. distributed by Protowise Labs, (Protowise
  713. Labs, 2011), files which were deleted on the
  714. drives were discovered however, the file’s
  715. contents’ were not retrievable.
  716. Despite a few minor shortcomings, with
  717. XFT 2.0, examiners were able to recover
  718. user names, gamer tags, and a cache
  719. containing a user’s player list complete with
  720. the gamer tags of other Xbox players. This
  721. finding is extremely significant because it
  722. can not only aid law enforcement seeking to
  723. establish a connection between users, but it
  724. can also pose a risk to anyone who has been
  725. in contact with a user whose system has
  726. been compromised. Gamer tags can be
  727. searched through any number of gamer
  728. databases or social networking sites to gain
  729. additional information about a player.
  730. Image 11, Cache containing Player’s “Buddy-
  731. List”
  732. While XFT does not enable users to read
  733. larger files such as databases, it does enable
  734. the option to export the data. In one
  735. example, we exported the marketplace
  736. database for closer examination using
  737. notepad. After a quick look through the file,
  738. we came to the text “Purchase History
  739. Items”, and decided to take a closer look in
  740. DFF. Once in DFF, strings of text in
  741. German, Italian, and French were
  742. discovered. Because Xbox is an
  743. international platform, one might expect to
  744. see multiple languages in the marketplace
  745. data file. The real red flag here is that while
  746. we could not locate the boot loader in or
  747. around the partition one would expect to
  748. find it, we were able to locate the user’s
  749. purchase history where we would expect to
  750. – in the marketplace. This suggests that the
  751. system information is more secure than the
  752. user’s personal data.
  753. 12
  754. Image 12, Marketplace Database opened in
  755. Notepad
  756. Of equal significance is that while
  757. Microsoft’s proprietary files and databases
  758. were encrypted, multiple instances of user
  759. data was in plain text. This practice is
  760. apparently not exclusive to Microsoft. In a
  761. recent class action suit filed against Sony
  762. Computer Entertainment America LLC, in
  763. response to the much publicized PS3
  764. Security breach of April 2011, SONY
  765. allegedly failed to encrypt user data. This
  766. unencrypted information included, but was
  767. not limited to, credit card data, names, birth
  768. dates, and passwords of a staggering 77
  769. million console users [40].
  770. While the researches acknowledge that
  771. the average thief may not utilize all of the
  772. tools or methodologies performed in this
  773. project, it doesn’t take all of the information
  774. we discovered to steal someone’s identity.
  775. Through social engineering and the internet,
  776. a thief can construct a full profile of their
  777. victim rather easily. Additionally, the
  778. majority of the information discovered can
  779. be found using open-source tools readily
  780. available for download on the internet.
  781. 4. Steps Consumers Should Take
  782. When consumers sell or dispose of their
  783. used Xbox 360’s they need to take more
  784. steps than simply returning the device back
  785. to “factory settings.” During this project
  786. researchers were able to recover personal
  787. identifying information from an Xbox 360
  788. that had in fact been returned back to the
  789. original “factory setting.” The original eBay
  790. posting coupled with investigative tools
  791. such as ProDiscover, showed the media was
  792. indeed written with 0’s. However, it is the
  793. opinion of the researchers that not all of the
  794. partitions are overwritten during the factory
  795. setting process.
  796. When consumers are upgrading to a new
  797. Xbox and need to sanitize their old device, it
  798. is the opinion of the researchers that users
  799. should physically remove the HD from the
  800. console (as indicated in section 2), and run a
  801. software sanitizer on the drive.
  802. There are several options available for
  803. both open source and commercial data
  804. sanitization tools. Table 2, Open Source and
  805. Commercial Sanitization Tools, highlights
  806. popular sanitization tools.
  807. When selecting a tool, the authors note it
  808. is important to select a tool that emphasizes
  809. patterns in write fill in addition to passes.
  810. This is imperative to making sure that slack
  811. and unallocated space is overwritten.
  812. Book and Nuke, by DBAN is a free tool
  813. downloadable online. The researchers tested
  814. Boot and Nuke by sanitizing a drive with the
  815. tool then attempted to recover residual data.
  816. The drive was searched and forensically
  817. analyzed, however no residual data could be
  818. recovered. The process included acquiring
  819. a new drive, forensically imaging the drive
  820. with FTK Imager, acquiring an MD5 and
  821. SHA-1 hash, placing data on the drive,
  822. 13
  823. running Boot and Nuke on the drive,
  824. forensically imaging with FTK imager, and
  825. obtaining a final hash. The hash files were
  826. the same and no data was found, therefore
  827. the researchers can infer that the drives are
  828. indeed sanitized [8].
  829. Given the simple process of using Book
  830. and Nuke, the researches pose the question
  831. why there is not better sanitization process
  832. in any of the key industries studied with the
  833. DFDR study?
  834. Table 2: Available Sanitization Tools
  835. Tool Price Platform Where to Find the Tool
  836. Darik’s Boot &
  837. Nuke
  838. Free Unix/Linux,
  839. Mac, Windows
  840. Tool can be found at
  841. http://www.dband.sourceforge.net
  842. SecureClean $39.95 Windows Tool can be found at
  843. http://www.whitecanyon.com/securecleanclean-
  844. hard-drive.php
  845. Erase Free Windows Tool can be found at http://eraser.heidi.ie/
  846. Wipe Free Unix Tool can be found at
  847. http://www.wipe.sourceforge.net
  848. 14
  849. 5. Conclusion
  850. Identity theft is a very serious problem
  851. that every year continues to surpass the
  852. previous year’s record. Each year more
  853. individuals have their identity stolen, most
  854. through emerging techniques. Five years
  855. from now, identities will be stolen on
  856. devices and technology that do not yet exist.
  857. Given the increased use of technology and
  858. digital records, and the introduction of more
  859. non-traditional devices such as the Xbox
  860. gaming console that hosts personal
  861. identifying information, individuals have a
  862. multitude of devices that house their data.
  863. Consumers have to be extremely vigilant
  864. when it comes to their own data. Relying on
  865. 3rdparties to protect their personal
  866. information is not recommended.
  867. The researchers found that Microsoft
  868. protected their proprietary system files well;
  869. however, they did not do a sufficient job in
  870. protecting their customer’s data. Consumers
  871. need to be diligent about protecting their
  872. own data, and not assume their technology is
  873. going to do it for them. Section 4
  874. highlighted tools and approaches consumers
  875. should take when discarding any used
  876. device, especially an Xbox 360. Data
  877. Sanitization is even more pressing when the
  878. device is sold to another consumer.
  879. Returning your Xbox back to factory
  880. settings is only effective for the Xbox and
  881. Microsoft proprietary data, not the user data.
  882. Future work will include analyzing the
  883. Microsoft Xbox Kinect motion system.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement