I've searched through these forums for references to PS3 forensics and viewed three articles that raised more questions for me.
Question 1: Is there such a thing as PS3 forensics (i.e., the original evidence is maintained)?
Question 2: If the answer to 1 is no, does the current process of analyzing a PS3 entail removing the HD -> copying it bit by bit -> replacing the original HD into the PS3 -> viewing the contents via the XMB while videoing the whole thing?
(as read on Binary Intelligence - binint.com)
Thank you in advance,
dr3167
dr3167 - yeah, that's what I did with the last PS3 we got in; I used a video capture card to grab screens of the internet history.
I did have other evidence from memory sticks, computers, etc. therefore it was more supporting evidence than critical, however it all helped.
I've also heard from various colleagues that you can apply C4P and C4M (image and video scripts) to the image of the PS3 drive within EnCase.
I have tried this already, but the scripts found nothing. This could mean that there is nothing (unlikely), or the scripts are not working. I'm using the newest EnCase and script versions.
Right now the only way I can confirm that there is nothing of value on this particular PS3 is to start it up and film my actions. I just wish that I could copy the image to another 2.5" drive, but I'm guessing the PS3 DRM will not like that too much.
markunread - luckily the PS3 is only a small part of this case as well. Thanks for your response.
EnCase doesn't support the file system of a PS3. The file system used is a proprietary system that is a variation on ext2.
Cloning the drive and filming your actions is the best method available at the moment. If there are videos or pictures of interest while conducting the analysis, you will be able to put a USB drive into the PS3 and copy them off.
The PS3 should be using a filesystem called SPUFS or "Synergistic Processing Unit File System".
A "special" version of Linux should have an appropriate driver:
http://psubuntu.com/
jaclaz
Thanks for all the responses. I just thought I'd add one last post to outline what I ended up doing with this PS3.
I hashed the suspect drive using Logicube Talon ->
I imaged the suspect drive using EnCase ->
I ran scripts to locate and extract video/image files (result: 0 for both) ->
I purchased a 2.5" SATA drive (Seagate Momentus 250GB) and "restored" (via EnCase) the suspect drive image to the new drive (referred to as PS3 Tester) ->
I placed the PS3 Tester into the suspect's PS3 and manually viewed the device, photographing my actions (result: nothing of value).
Note: It is possible to copy the contents of a PS3 hard drive to another and have the new drive operate properly. I was worried that this would not be possible... but it is.
I'm open to any additional information related to the analysis of the PS3.
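The post above hashes the suspect drive, images it, restores the image to a replacement drive and then boots from that replacement. The following is an added example, not code from the thread or from any of the tools named in it (Logicube Talon, EnCase): a small Python imager that hashes the stream while it copies, zero-fills unreadable blocks the way `dd conv=noerror,sync` does so that image offsets stay aligned, and verifies the restored drive by hashing only the imaged length (a larger replacement drive carries extra bytes beyond the image, so a whole-disk hash of the tester would never match). The in-memory `FlakyDevice`, `new_buffer` and `SAMPLE` bytes are constructed stand-ins for /dev/sdX, the image file and the drive contents so that it runs offline.

```python
"""Added example (not from the thread): hash-while-imaging with verification."""
import hashlib
import io

BLOCK = 4096  # copy granularity; a real run uses a multiple of the drive's sector size

# Constructed sample "drive" contents: 16 blocks of deterministic, non-zero bytes.
SAMPLE = bytes((i * 7 + 3) % 256 for i in range(16 * BLOCK))


class FlakyDevice(io.BytesIO):
    """Stand-in for a block device whose listed blocks fail with I/O errors (constructed)."""

    def __init__(self, data, bad_blocks=()):
        super().__init__(data)
        self.bad_blocks = set(bad_blocks)

    def read(self, size=-1):
        if self.tell() // BLOCK in self.bad_blocks:
            raise OSError("simulated unreadable sector")
        return super().read(size)


def new_buffer(data=b""):
    """Writable in-memory target (stands in for the image file or the restore drive)."""
    return io.BytesIO(data)


def read_blocks(dev, block_size=BLOCK):
    """Yield (index, chunk, readable) for every block of dev.

    An unreadable block is replaced by zeros and the read position is moved past it,
    so image offsets stay aligned with the drive and the gap is reported, not skipped.
    """
    dev.seek(0)
    idx = 0
    while True:
        try:
            chunk = dev.read(block_size)
        except OSError:
            dev.seek((idx + 1) * block_size)
            yield idx, b"\x00" * block_size, False
            idx += 1
            continue
        if not chunk:
            return
        yield idx, chunk, True
        idx += 1


def acquire(dev, image, block_size=BLOCK):
    """Write a raw image of dev into image; return (sha256 of the stream, bad block indexes)."""
    digest = hashlib.sha256()
    bad = []
    for idx, chunk, ok in read_blocks(dev, block_size):
        image.write(chunk)
        digest.update(chunk)
        if not ok:
            bad.append(idx)
    image.flush()
    return digest.hexdigest(), bad


def sha256_of(f, length=None, block_size=BLOCK):
    """SHA-256 of f from offset 0, optionally limited to the first `length` bytes."""
    digest = hashlib.sha256()
    f.seek(0)
    remaining = length
    while remaining is None or remaining > 0:
        want = block_size if remaining is None else min(block_size, remaining)
        chunk = f.read(want)
        if not chunk:
            break
        digest.update(chunk)
        if remaining is not None:
            remaining -= len(chunk)
    return digest.hexdigest()


def restore(image, target, block_size=BLOCK):
    """Copy the image onto a (possibly larger) target drive; return bytes written."""
    image.seek(0)
    target.seek(0)
    written = 0
    while True:
        chunk = image.read(block_size)
        if not chunk:
            break
        target.write(chunk)
        written += len(chunk)
    target.flush()
    return written


def verify_restore(image, target):
    """True if the target's first len(image) bytes hash to the same value as the image."""
    image.seek(0, io.SEEK_END)
    size = image.tell()
    return sha256_of(image) == sha256_of(target, size)


if __name__ == "__main__":
    suspect = FlakyDevice(SAMPLE, bad_blocks={5})  # block 5 is simulated as unreadable
    image = new_buffer()
    acq_hash, bad = acquire(suspect, image)
    print("acquisition hash:", acq_hash, "unreadable blocks:", bad)
    print("image matches acquisition hash:", sha256_of(image) == acq_hash)
    tester = new_buffer(b"\xff" * (len(SAMPLE) + 4 * BLOCK))  # larger replacement drive
    restore(image, tester)
    print("restored drive verifies over imaged length:", verify_restore(image, tester))
```

The bad-block list is the part worth keeping in the notes: the acquisition hash covers the zero-filled image, so a later re-hash of the original drive will only agree if the same blocks fail the same way, and the examiner needs the list to explain any difference.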
I've come back to revisit this topic owing to some recent events with regard to the PS3 and "cracking" it.
The way that it currently stands is that each and every PS3 hard disk is encrypted with a key that is (a) different on each machine and (b) still yet to be uncovered in the cracking process... This means that it is _nearly_ impossible to look at the contents of a PS3 disk... You can't even transplant it into another machine to look at; it must be on the same physical machine. There were rumours of a "slight" hack that, given enough time, effort and money (and _obviously_ a duplicate disk), might have produced _some_ evidence of use - but this turned out to be a hoax :-/
If anyone does learn any more, could you please update the thread? There are obviously a few of us interested...
Kind Regards,
Azrael
I found an interesting paper while doing some background reading for my MSc project (focusing on Wii forensics). It's a bit short on technical details, but looks like a good overview of what can and cannot be captured forensically.
The "Game OS" is encrypted, but if some flavour of Linux is installed, the "Other OS" partition is not. However, I seem to recall reading that Sony removed the ability to install a second OS on new model PS3s.
Another finding was that the PS3 will not boot when the hard drive is connected through a write-blocker. They suggest removing the original drive, imaging it and copying the image to a new drive which can then be used to boot the PS3 and examine it in the way that dr3167 outlined.
Hope that helps someone.
> I found an interesting paper while doing some background reading for my MSc project (focusing on Wii forensics). It's a bit short on technical details, but looks like a good overview of what can and cannot be captured forensically.
> Forensic Analysis of a Sony Play Station 3 Gaming Console
Thanks for that - that's great :-)
> The "Game OS" is encrypted, but if some flavour of Linux is installed, the "Other OS" partition is not. However, I seem to recall reading that Sony removed the ability to install a second OS on new model PS3s.
Yep, that's correct - the older versions had it as a menu option; this is now missing. Mine has Linux installed, and it is a standard EXT3 filesystem on that partition of the disk. It's a shame really, because it was by far the cheapest way to get hold of a Cell processor to play with.
> Another finding was that the PS3 will not boot when the hard drive is connected through a write-blocker. They suggest removing the original drive, imaging it and copying the image to a new drive which can then be used to boot the PS3 and examine it in the way that dr3167 outlined.
> Hope that helps someone.
That's very interesting, and definitely is of help to me.
Thanks,
Azrael
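The last few posts make two points an examiner can act on from a raw image alone: the "Game OS" area is encrypted, and an installed Linux sits on a plain ext3 partition. The following is an added example, not code from the thread or from any poster: a Python scan over a raw image that locates ext2/3 superblocks by their magic at the usual 1 KiB offset, sanity-checks the surrounding fields so a stray 0xEF53 in random data is not reported, and flags 64 KiB regions whose byte entropy is consistent with encryption. The image is built inline from a seeded RNG plus a hand-made superblock; its layout and offsets are illustrative and say nothing about the real PS3 partition table. Whether a given high-entropy region is encrypted or merely compressed is a judgement the entropy figure alone cannot make.

```python
"""Added example (not from the thread): find ext superblocks and encrypted-looking regions."""
import random
import struct
from collections import Counter
from math import log2

SECTOR = 512
SB_OFFSET = 1024          # an ext superblock lives 1 KiB into its partition
EXT_MAGIC = 0xEF53
HAS_JOURNAL = 0x0004      # EXT3_FEATURE_COMPAT_HAS_JOURNAL bit in s_feature_compat


def parse_ext_superblock(buf):
    """Return sanity-checked fields if buf holds a plausible ext2/3/4 superblock, else None."""
    if len(buf) < 1024:
        return None
    if struct.unpack_from("<H", buf, 56)[0] != EXT_MAGIC:      # s_magic
        return None
    inodes, blocks = struct.unpack_from("<II", buf, 0)         # s_inodes_count, s_blocks_count
    first_data_block, log_block_size = struct.unpack_from("<II", buf, 20)
    # Random bytes that happen to carry the magic almost never pass these checks.
    if inodes == 0 or blocks == 0 or first_data_block > 1 or log_block_size > 6:
        return None
    feature_compat = struct.unpack_from("<I", buf, 92)[0]
    return {
        "inodes": inodes,
        "blocks": blocks,
        "block_size": 1024 << log_block_size,
        "has_journal": bool(feature_compat & HAS_JOURNAL),   # ext3/ext4 rather than ext2
        "volume_name": buf[120:136].split(b"\0", 1)[0].decode("latin-1"),
    }


def find_ext_partitions(image, step=SECTOR):
    """Scan every sector-aligned offset; return [(partition_offset, fields), ...]."""
    hits = []
    for off in range(0, len(image) - SB_OFFSET - 1024 + 1, step):
        fields = parse_ext_superblock(image[off + SB_OFFSET:off + SB_OFFSET + 1024])
        if fields:
            hits.append((off, fields))
    return hits


def shannon_entropy(data):
    """Bits per byte; ~8.0 for encrypted or compressed data, 0 for a constant fill."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def high_entropy_regions(image, chunk=64 * 1024, threshold=7.9):
    """Offsets of chunks whose entropy is consistent with ciphertext (or compression)."""
    return [off for off in range(0, len(image), chunk)
            if shannon_entropy(image[off:off + chunk]) >= threshold]


def build_sample_image():
    """Constructed 1 MiB image: 512 KiB of random bytes, then a bare ext3-style partition."""
    rng = random.Random(1234)
    ciphertext_like = rng.randbytes(512 * 1024)
    other_os = bytearray(512 * 1024)
    sb = bytearray(1024)
    struct.pack_into("<II", sb, 0, 32768, 131072)   # inodes, blocks
    struct.pack_into("<II", sb, 20, 0, 2)           # first data block 0, block size 4096
    struct.pack_into("<H", sb, 56, EXT_MAGIC)
    struct.pack_into("<I", sb, 92, HAS_JOURNAL)     # journalled, i.e. ext3 rather than ext2
    sb[120:128] = b"otheros\0"
    other_os[SB_OFFSET:SB_OFFSET + 1024] = sb
    return bytes(ciphertext_like + other_os)


if __name__ == "__main__":
    img = build_sample_image()
    for off, fields in find_ext_partitions(img):
        print(f"ext superblock for partition at {off:#x}: {fields}")
    regions = high_entropy_regions(img)
    print(f"high-entropy chunks (possible ciphertext): {[hex(r) for r in regions]}")
```

On a real image the partition offsets from the scan are what you would hand to a loop device (`losetup -o OFFSET`) or to The Sleuth Kit to mount or parse the Linux partition read-only, while the high-entropy list tells you which regions no filesystem tool will make sense of without the key.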