XBox 360

 
  

neddy
Senior Member
 

XBox 360

Posted: Dec 03, 08 03:56

I am currently examining an XBox 360 (20GB HDD) and was wondering if anyone has experience of rebuilding the partition table from a forensically acquired image using EnCase?

XBox explorer (a free tool) allows you to see the partitions and file system from a mounted image and I can extract date and time stamps for last saved games and am aware of the FATX file system employed.

However, my question is based on my wish to be able to verify these tools using another case tool and eventually work towards an automated and verified EnScript method for analysis.
_________________
Neddy
Forensic Computer Analyst (LE)
BSc (Hons)
!(-.-)!~~ 
 
  

mobileforensicswales
Senior Member
 

Re: XBox 360

Posted: Dec 03, 08 15:53

You might find this paper helpful:

www.springerlink.com/c...6r7855248/

I do also know that there is a tool out there that does do Xbox forensics, so don't give up hope. It's been over a year since I saw it, so I'm afraid the name has slipped my mind.

Good luck
 
  

alex101
Senior Member
 

Re: XBox 360

Posted: Dec 03, 08 17:03

Have a look at this site:

www.xbox-scene.com/too...pFNMArtNKu

Hope it helps
 
  

neddy
Senior Member
 

Re: XBox 360

Posted: Dec 19, 08 05:52

Having examined the XBox 360 in detail, I can conclude that at the moment the only real information of use (from an unmodded XBox) is acquired by performing a live exam and determining the gamer profile names stored. This information can be used to support a RIPA (LE) request to Microsoft which can determine the relevant user account activity on the Windows Live Network (if any). It seems that the hard disks used by the XBox 360 have been given specific firmware programming by Microsoft; this ensures that a clone without this firmware will be rejected by the XBox. I am going to try to develop/adapt known systems for getting around this sometime in the new year. At the moment I am not sure if such a clone will still be rejected due to the HDD serial number discrepancy; I have noted from my forensic image that the HDD serial number is part of the header in a lot of files. I will advise of any progress.
_________________
Neddy
Forensic Computer Analyst (LE)
BSc (Hons)
!(-.-)!~~ 
 
