±Your Account
Membership:
New Today: 7
New Yesterday: 3
Overall: 24203
Visitors: 50±Latest Webinar
±Latest Articles
· Android Forensics
· Geo-tagging & Photo Tracking On iOS
· KS – an open source bash script for indexing data
· Mobile Device Geotags & Armed Forces
· Categorization of embedded system forensic collection methodologies
· Interpretation of NTFS Timestamps
· What are ‘gdocs’? Google Drive Data – part 2
· What are ‘gdocs’? Google Drive Data
· Bad Sector Recovery
· Forensic Artifact: Malware Analysis in Windows 8
· Geo-tagging & Photo Tracking On iOS
· KS – an open source bash script for indexing data
· Mobile Device Geotags & Armed Forces
· Categorization of embedded system forensic collection methodologies
· Interpretation of NTFS Timestamps
· What are ‘gdocs’? Google Drive Data – part 2
· What are ‘gdocs’? Google Drive Data
· Bad Sector Recovery
· Forensic Artifact: Malware Analysis in Windows 8
±Follow Us
±Latest Jobs
Back to top
Skip to content
Skip to menu
Back to top
Back to main
Skip to menu
Go to page 1, 2 Next
In my experience, the Xbox 360 has a proprietary file and folder format that obscures the majority of data created by user profile activity. It is possible to extract some time and date information about game saving and last games played but associating this information with a 'real' user profile name seems to be something that Microsoft encode in a proprietary format.
Mounting the partition table stored in a forensic image of an Xbox 360 hard disk sems to be beyond EnCase and FTK although data carving for images is possible, so browsing a mounted disk image is left to a small app called Xplorer 360, this may change with the advent of FATX support on Windows 7.
The Xbox hard disk is FATX formatted and the hard disk firmware prevents 'cloned' hard disks from being used. Flashing the firmware of a similar make and model hard disk, explained here Xbox 360 HDD Hack may be a sound basis for a restore but I have a sneaky feeling that the serial number of the original hard disk is part of the header in a lot of system files and could cause the restore to fail.
Until these issues are sorted, I have simply been acquiring a forensic image of the hard disk (in case comparison is needed later) and then performing a live examination of the device to identify email accounts and user profile names etc.
PS3 consoles will have no problem working with a 'clone' of the original hard disk but again a live examination is neccessary as the PS3 hard disk is encrypted.
_________________
Neddy
Forensic Computer Analyst (LE)
BSc (Hons)
!(-.-)!~~
XBOX 360
XBOX 360
Posted: Tue Sep 29, 2009 8:32 am
Afternoon all. I am looking for information on doing a forensic investigations done on the xbox 360. I know the old xbox could be used to store data on I am just interested in if anyone has done an investigation on the 360. Any Help would be highly appreciated 
-
Velandra - Newbie
Re: XBOX 360
Posted: Tue Sep 29, 2009 9:06 am
Hi there,
I did some research into forensically analysing the Xbox 360 and the PS3. Are you looking for anything in particular?
I did some research into forensically analysing the Xbox 360 and the PS3. Are you looking for anything in particular?
-
scuzz - Member
Re: XBOX 360
Posted: Fri Oct 02, 2009 3:38 pm
Hi scuzz!- scuzz
I did some research into forensically analysing the Xbox 360 and the PS3. Are you looking for anything in particular?
In my experience, the Xbox 360 has a proprietary file and folder format that obscures the majority of data created by user profile activity. It is possible to extract some time and date information about game saving and last games played but associating this information with a 'real' user profile name seems to be something that Microsoft encode in a proprietary format.
Mounting the partition table stored in a forensic image of an Xbox 360 hard disk sems to be beyond EnCase and FTK although data carving for images is possible, so browsing a mounted disk image is left to a small app called Xplorer 360, this may change with the advent of FATX support on Windows 7.
The Xbox hard disk is FATX formatted and the hard disk firmware prevents 'cloned' hard disks from being used. Flashing the firmware of a similar make and model hard disk, explained here Xbox 360 HDD Hack may be a sound basis for a restore but I have a sneaky feeling that the serial number of the original hard disk is part of the header in a lot of system files and could cause the restore to fail.
Until these issues are sorted, I have simply been acquiring a forensic image of the hard disk (in case comparison is needed later) and then performing a live examination of the device to identify email accounts and user profile names etc.
PS3 consoles will have no problem working with a 'clone' of the original hard disk but again a live examination is neccessary as the PS3 hard disk is encrypted.
_________________
Neddy
Forensic Computer Analyst (LE)
BSc (Hons)
!(-.-)!~~
-
neddy - Senior Member
-
bbbhhh - Newbie
Re: XBOX 360
Posted: Wed Oct 21, 2009 5:40 am
I'm potentially about to embark on a similar investigation, except this time I have no xbox hard drive, only the memory card. Has anyone looked at these before?
-
jgoss - Senior Member