Sunday, October 27, 2019

Forensic Analysis Of A Playstation 3 Console Information Technology Essay

Forensic Analysis Of A Playstation 3 Console Information Technology Essay researching all the information that is available to me about the playstation 3 gaming system, from what the console connects to, the file structure of the hard disk, what features the system has e.g. internet, chat, email, online gaming. The deliverable that will be present at the end of this would be detailed research about the gaming system with everything that is needed to know to progress with the project. 2.2 Analysis the objective that I have for my analysis is to perform all the tasks that I have talked about (playing online games etc) then after each of these stages will then make an image of the hard disk of the system and look at the image in FTK to see if any changes have been made to the disk after the task has been completed. To illustrate an example of this would be to start a chat message with someone, then turn off the system remove the hard disk, image the hard disk, then load the image into FTK and look to see if any traces of the chat are present on the hard disk (date/time stamps). When writing up the findings of the investigation a document will be presented with all the processes went through, what tools used. The deliverable that I expect to have at the end of this objective would be disk images of the various tasks with a detailed report of my findings and a document showing all processes and tools used, and also a set of guidelines of how I found the evidence on t he system. If no evidence can be found on the HDD of the console then other areas of analysis will have to be explored from using different tools such as scalpel and photorec and also using different types of hardware like Bus Doctor. 2.3 Evaluation the objective for the evaluation is to forensically wipe the hard disk to the Playstation 3 system that was used, then giving this along with my guidelines and tasks completed to another person. The other person will go ahead and complete the series of tasks that were previously performed on the system, follow the guidelines and see if the they can find the same evidence as previously found, if the person can find the evidence that is in my guidelines then this proves that the guidelines created are correct. The deliverable at the end of this objective would be the test data of the other person which will then be written up, to show whether my guidelines are correct/incorrect. 3. Why gaming systems are an issue. In the recent years games systems have evolved immensely allowing the gamer to experience more realistic graphics and sound quality. This is because the systems have been updated to such a high standard some of what like a standalone computer, giving the user a lot more gigabyte/terabyte storage space, because of this the user has more room to store data on the disk whether it be images, videos or music. In relation to this the old Ps3 systems that were first released had the option to add another OS (operating system) on the hard drive so you could have Linux running on the system this means that the system can be used as a normal machine, Sony have no disabled this feature on the most current firmware of the console. A news report that was found on the ABC news website (http://abcnews.go.com/technology/story?id=7009977page=1) describes of how a user used his Playstation 3 system to get a young girl aged 11 to send dirty pictures of herself from her Playstation to his. It also says how the criminal threw his computer out as he didnt need it anymore. Using this example that has been found shows how criminals are adapting to the new technology and using it to their advantage to commit crimes. The growth of these gaming consoles means that they are more like a standalone computer coming standard with massive hard drives and encryption on the disks meaning that as forensics examiners it makes it harder to retrieve data from some of these devices and takes longer for the imaging process to complete. In regard to a forensic examiner the game systems are a big problem because the development of the consoles have evolved over the years and now contain multiple CPUs and graphics cards, and with the onboard storage that the same of a desktop computer users are able to save their pictures, music and video to these devices. Also using the features of the console from downloading and install the most current firmware and streaming media from a different network location. With the Playstation 3 you create a user/s for use with machine, so when the system is turned on it asks which user you would like to sign in as. With relation to the Xbox 360 console where hacking communities have found loopholes which allow the Xbox console to run unsigned code which means that the Linux OS can be booted up onto the machine allowing this console to be used just like a desktop PC. If Linux can be booted up onto the machine then this means it could be used for illegal usage example (file storage), although the first release of the Playstation 3 allowed this feature Sony have now stopped the boot of Linux and other Operating systems on its machines, but if a hack or loophole was found in their security then this would mean that this system could be used for malicious ways just like and Xbox or standalone PC. A post from January 26th, 2010 explains how hacker George Hotz has hacked the PS3 he revealed on his blog that he has achieved read/write access to the entire system memory and HV level access to the processor. If this is true then this means that the playstation can be used to run unsigned code and other o perating systems can be loaded onto the device, meaning that full desktop usage can be applied storing all kinds of information on the system. Also the Jailbreak that was leaked online was able to fool the system into thinking that a game was being played from a Blu-ray disc, but it was actually playing from the HDD, this could only be the start, people are making small but beneficial steps into fully hacking the Playstation 3 console. 4. Research 4.1 About the Playstation 3 The project that will be created will be about the analysis of the hard disk drive of a Playstation 3 console which is the most up to date console alongside the Xbox 360 and the Nintendo Wii. The Sony Playstation which is the next step in the gaming world provides the gamer with a new console to experience the most up to date graphics and high definition games and movies with the help of the consoles Blu ray drive. Since the console release in November 2006 the unit has sold over 38.1 million worldwide according to (http://www.eurogamer.net/articles/ps3-has-sold-38-1m-units-worldwide). Since the release of the console there have been many different models of the system from USB ports, Flash card readers and hard drive support, this means that the system and its components are always changing. All the games and movies that the console play are in the format of Blu ray this mean that the content that you are playing or watching are in the high definition format giving a more crystal clear picture and sound. 4.2 Online gaming. DSCI0056.JPG FIGURE 1 Picture of Playstation Store menu. The Playstaion 3 system offers the use of the internet whether it is a wired or wireless connection, because of this it is giving the user full access to the World Wide Web meaning they can access all the information that they would access on a standalone computer from social networking sites, videos, pictures etc. While playing games on the console you have the option on many games to play online this gives the user the capability to play the game of choice with other users of the game all over the world. To be able to do this you need to have a multiplayer capable of online game play, you must also have a Playstation network account which will give you access to other users and also need the Playstation to be connected to the wired/wireless internet. You can also create a Playstation network account where users are able to play online games with any person/s all over the world, they can add buddies and stay in close contact with the people they meet online either by email or chat. Because of the email and chat facilities available on the console it is just like a social networking site where people are able to exchange information with each other and possible pictures and other bits of material that can be deemed as illegal or offensive. The console also comes with full internet access via the browser the user can access any website that he/she wishes from the console and even downloading images, videos to the consoles hard disk drive. 4.3 The Hard disk. The hard disk in the Playstation 3 can come in various sizes from 40gb all the way up to a massive 320gb (factory), but there is an option to easily remove and replace the hard disk of the system, this can be done by purchasing a 2.5 5400rpm SATA hard drive which is the same hard disk used in laptop computers. To replace the hard drive of the system photocopies of the instruction manual are below. img013.jpg img014.jpg img015.jpg After these steps have been completed you then have a new HDD in your system whether it is a higher or lower capacity. Because the hard disk of the console is the same as the ones that they store in laptop computers the capacity of these disks can be great allowing a great deal of information such as images, videos or music to be stored on the disk to view with the console. A website was found (http://dcemu.co.uk/psgroove-payload-released-that-decrypts-firmware-files-by-graf_chokolo-346424.html) Where Graf_Chokolo has released a version of PSGroove payload, this allows the developers to see full details of the PS3 system firmware complete with decrypted contents. Graf_Chokolo goes onto to explain how to put the source code onto the system, he goes onto explain that my payload has two stages. The 1st stage is actually a PSGroove payload, which initializes the gelic device and allocates memory needed for the 2nd stage. Compile the 1st stage binary, convert it to C hex array and replace the PSGroove payload. (Appendix 16) Graf_Chokolo goes on to explain the second stage, this stage decrypts the CORE_OS_PACKAGE.pkg from a PUP file, it then runs some isolated SPU module or dumps FLASH, the binary of the file is then sent over the Ethernet with sendfile. The 1st stage receives the data and then stores it in a memory region of size 64kb, after the upload is complete, the 1st stage code jumps to the 2nd stage code and executes it. (Appendix 16) Another piece of information from this website is to be able to decrypt packages from a PUP file, first you need to extract a revoke list for the packages from PUP file 3.41 e.g. (RL_FOR_PACKAGE.pkg), then extract it convert it to C hex array and paste it into rvk_pkg_341.c. (Appendix 16) 4.4 Playstation 3 system updates With the use of the internet in the Playstation there is an option to keep the software of the system up to date this will provide you with the latest security updates, parental controls and the display options. By updating to the latest update you will enhance what the console is capable of. If you would like to find out the current software that your system is currently running you go to the settings category and then from there select system settings then system information within this the current system software will be displayed. You can update the current software of the system in a number of ways this is shown by the following methods. System update if the ps3 is connected to the internet got to settings then system update then click update via the internet the console will then check to see if there is an update available for the console if there is an update available it will download and install the update for you. There is also another option to update via the pc this is done by visiting the website eu.playstation.com you then follow the on screen instructions to download to the pc. After the download has finished you will then need to save the update to a ps3 compatible device either a memory stick/duo, USB drive or even a PSP console. Before putting the update into the system you will have to create a folder called PS3 then a folder called UPDATE once it has then been connected to the system you then navigate to system update then update via storage media. By allowing or accepting the system update new security can be put in place on the system, because Sony regularly release new firmware updates for the console the security of the device is constantly being updated. 4.5 Specifications Below are the specifications of the Playstation console. CPU Cell Broadband Engine GPU RSX Audio Output LPCM 7.1ch, Dolby Digital, Dolby Digital Plus, Dolby True HD, DTS, DTS-HD, AAC Memory 256MB XDR Main RAM, 256MB GDDR3 VRAM Hard disk 2.5 serial ATA 320GB Inputs/Outputs Hi-speed USB, USB 2.0 Networking Ethernet (10BASE-T, 100BASE-TX, 100BASE-T) x 1 IEEE 802.11 b/g Bluetooth 2.0 (EDR) Controller Wireless controller Bluetooth Resolution 1080p, 1080i, 720p, 576p, 576i HDMI OUT connector 1 AV MILTI OUT connector 1 DIGITAL OUT connector 1 BD/DVD/CD drive Read rate BD x 2 (BD-ROM) DVD x 8 (DVD-ROM) CD x 24 (CD-ROM) Power AC 200 -240 v, 50 / 60 HHHHz Power consumption Approx 230w External Dimensions Approx 290 x 65 x 290mm Mass Approx 3.0kg Operating temperature 5 35 degrees The Playstation 3 Console also includes RSA BSAFE Cryptographic software from RSA security Inc. RSA BSAFE software provides the security functionality necessary to allow developers to meet the stringent FIPS 140 and Suite Requirements for offering products to the U.S. government agencies. (Appendix 18) Many leading companies including Adobe, Oracle, Hypercom, Skyworks, Sony and Nintendo rely on RSA BSAFE software to provide the foundational security functionality by their respective software and device applications. (Appendix 18) RSA security protects the integrity and confidentiality of information throughout his lifecycle, RSA offers industry leading solutions in identity assurance and access control, encryption key management, compliance and security information management and fraud protection. (Appendix 18) http://www.rsa.com/node.aspx?id=1204 4.6 File Sharing The Playstation 3 console also allows the ability for you to share files via the console and your desktop computer, to be able to do this you need to make sure that both your computer and console are connected to the same network. If you would like to stream all the media from your windows media player like music, videos and pictures. You can do this by going into tools and options of windows media player and selecting library, then configure sharing you then check the box that says share my media to and your Playstation 3 will be in the list. In the settings tab of this you can then select which media that you wish to share music, pictures, video you then click ok. If you then turn on the console you will then see thumbnails of the compatible media that can be played on the system. http://www.wirelesshdadapter.com/wp-content/uploads/Media%20Server%20Ps3%20Software_2.jpg (Appendix 17) 4.7 previous work While completing research to find out if any other analysis of the Playstation console was carried out a paper was found published by the University of Central Florida where they conducted a Forensic Analysis of a Sony Playstation 3 Console, where they conducted a number of tests on the machine to see if any of the data could be extracted from the console. The tests that they completed where the following; An encryption test this test was to determine if it was possible to locate a picture once it had been copied to the console. The steps they took in completing this were to copy a image to a removable media, then plug this into the console and copy the image to the hard drive of the system, shut the console down and the image the hard drive. The next stage was to analyse the hard drive in FTK using its use of a data carving feature to see if the picture could be carved out of the image, although stated that FTK was unsuccessful in identifying files and folders on the partition (Appendix 6), even though only one tool was used while completing this task if other tools were used then maybe a different outcome would be found the tools that could be used alongside FTK to find the image could be scalpel or Photorec which are both data carving tools. The paper also talks about a write blocker test, where the hard drive was placed behind a write blocker before connecting the hard disk to the console, the consoles hard disk was then removed then placed behind a write blocker, then plugged into the console, the console was then turned on and they found that the console would power up but not boot up, by replacing the write blocker with a bridge the console was to power and boot up as normal. (Appendix 6) The test result then explains that the console must be able to write to the hard drive before it will boot up, though it also shows that the hard drive does not have to be directly connected to the console (Appendix 6) regarding the result of this test a write blocker cannot be placed between the hard drive and the console or the console will not boot up. Although many other tests were performed on the console all the test results were inconclusive or negative form this paper, they concluded in the end that Sony has successfully locked-down the PS3 By using other tools that are an alternative to FTK, these tools might be able to identify something that FTK is unable to do thus providing more information to data on the HDD of the console. Another paper called Xbox 360: A digital forensic investigation of the hard disk drive (Appendix 4) was written with details and findings of the hard disk drive of the Xbox 360, where a USB drive was plugged into the machine and using Bus Doctor to analyse what was being written between the Xbox console are the hard disk drive. And states that it is seamless and not as intrusive as mod chipping or installing other operating systems (Appendix 4). This method could be applied to the Playstation 3 console to see what is being written between the console and the hard disk drive of the Sony console. 4.8 Playstation 3 security architecture A pdf file was found that detailed the security architecture of the Playstation console, http://www.ps3news.com/PS3-Dev/playstation-3-security-architecture-pdf-released/ , the paper details that the system controller for the console if CXD2973GB and this is the hardware that is responsible for powering up the CBEA processor and it is directly connected via BIO/IF hardware bus. The console also contains a secure boot the secure boot of the CBEA includes random selected SPE in order to avoid sniffing per boot, a fake encryption/decryption state in all other SPE during secure boot to add fake sequence, a root key which is used to then decrypt the key vault and or the boot code (Appendix 15). The key vault of the Playstation 3 is an encrypted file containing all the keys to trust devices and processes, hard disk AES keys (Appendix 15). 5. Summary The research that has taken place shows all the relevant information about the Playstation 3 console, explaining what the machine allows you to do and how to update the firmware of the system. Although the system seems to be very secure, the images taken will be analysed to see if any relevant data can be taken from the disk these will be the objectives previously proposed, failing finding anything on the images of the HDD the console will be connected up to Bus Doctor a protocol analyser to see what is happening when the system is booted up and what data can be captured. Although a paper has been written on the analysis of the Playstation 3 console (appendix 6) new hardware and software have come to market since the paper was written in 2009, the PS3 Jailbreak has made its way by being able to run unsigned code on the console and giving the user power to copy games to the hard drive of the console. 6. Future Work/Where next After and image of the Playstation HDD was taken, it was then loaded into FTK forensic toolkit where the contents of the disk was looked at. After loading it into the software immediately it could be noticed that the hard disk was encrypted, searches were completed to see if any string of text and data carved items could be found on the disk the result was negative. More images of the hard disk will be taken when performing tasks then loaded into the FTK toolkit program if no strings of text can be found another approach will have to take place, the use of other programs that are available Scalpel and Photorec can be used to identify any interesting information on the HDD of the console. Another approach would be to try and capture what is going on with the system when it is booted up because the encryption must be deactivated when the system is booted up to allow the system access to the hard disk. The other data carving tools that could be used in combination with FTK will be scalpel and photorec. Scalpel which reads the database of the header and the footer definitions and extracts matching files from a set of image files or raw device. Scalpel will carve files from FATx, NTFS, ext2/3 or raw partitions. (Appendix 12) Photorec which is a data recovery tool to recover lost files on hard disks and other media, Photorec ignores the file system of the media and goes after the underlying data, so the software will still work if the medias file system has been severely damaged or reformatted.(Appendix 13). Bus Doctor which allows to capture what is being called/written to the hard disk when the console has been turned on this can provide good information to find out what is happening when the console is turned on. during the research a website was found that describes how the psjailbreak now supports 3.42 and 3.50, which allows the user to run unapproved content on the system (pirated games), and also allows for the running of the Linux OS on the system. They sister site of this company (www.psdowngrade.com) allows the downgrading of the firmware of the system, if the psjailbreak is applied to the console maybe the decryption key can be found and then lead to the decryption of the HDD of the system. This could be done by plugging in the psjailbreak and finding out what calls it makes to the system and possibly the decryption can be found from this method. Another method would be to connect the Playstation system up to a protocol analyser (busdoctor) this will capture what data is written when the system is booted up.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.