Xbox One - forensic investigation

Novunix
(@novunix)
Posts: 35
Eminent Member
Topic starter
 

I have tried Velocity with no success, FATXplorer is 360 only and IEF pulls back nothing at all.
I've cloned the drive and turned it on and have the user and profile name, but anything else requires a connection to Xbox Live.

Has anyone had any joy recovering browser history, app usage or anything from the XBone?

Thank you

 
Posted : 28/10/2015 2:38 pm
(@mcman)
Posts: 189
Estimable Member
 

It's my understanding that the user partition is encrypted on the Xbox One, which is why you wouldn't be able to carve out anything. Here's a decent write-up to get you started if you haven't seen it yet.

http://www.dfrws.org/2014/proceedings/DFRWS2014-7.pdf

I also haven't checked the mod forums lately; they would be the best place to follow if you're trying to see if the encryption has been cracked.

Jamie

 
Posted : 28/10/2015 5:18 pm
(@chris55728)
Posts: 49
Eminent Member
 

I did some analysis on an XBOX ONE when they first came out and it does appear that the data is encrypted on the hard drive.

Without connecting to the Internet, there's not a lot you can get off it unfortunately.

When I was testing I created a dummy Skype account, chatted to myself and was able to 'see' the chat when I logged in on a PC using the same Skype credentials so that's something at least. Obviously you'd need the permission of the owner to do that in a real world scenario.

You can also change the setting on the XBOX ONE so that you appear invisible when logged in (similar to Microsoft Messenger), so if you did get the login credentials of the offender/victim you could log in on their XBOX ONE without alerting anyone else and record what you find.

We use a Hauppauge HD PVR Rocket to record the 'desktop' of consoles that we examine. It works on XBOX ONE, XBOX 360, PS3, PS4 and Wii.

Cheers,

Chris

 
Posted : 28/10/2015 5:54 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

I have not attempted this, but you may want to run TestDisk (http://www.cgsecurity.org/wiki/TestDisk) against a mounted forensic image of the Xbox One.

TestDisk might be able to reveal files and folders with partitions that are otherwise not visible just by previewing the forensic image file in FTK Imager.

I am suggesting this because TestDisk was successful in revealing and exporting files and folders from a Nokia Lumia Windows phone forensic image.

There were many partitions in the Windows phone forensic image file, but none of them were encrypted - the partitions' file and folder structure was just not visible without TestDisk.

Regards,

Larry

 
Posted : 28/10/2015 10:25 pm
Novunix
(@novunix)
Posts: 35
Eminent Member
Topic starter
 

Thank you for your responses.

Reading the white paper confirms my suspicions and I will have a go with TestDisk, but it does appear that Microsoft heavily employ encryption and new file types across the disk.

 
Posted : 29/10/2015 2:26 pm