午夜福利1000集合

Legal team hack Xbox memory for defence evidence

Investigators have found a way to use software vulnerabilities to tease forensic evidence from the games console
Getting inside the Xbox ecosystem
Getting inside the Xbox ecosystem
(Image: Nick Veasey/Getty)

LEAVING a software vulnerability unpatched can give hackers a way to seize control of your computer. Such vulnerabilities can also be useful if you鈥檙e in the digital forensics business.

So say Chris Hargreaves and Joe Rabaiotti at Cranfield University in Shrivenham, UK. They have found a way to use vulnerabilities to tease forensic evidence out of games consoles, smartphones and e-books, where access to the inner workings is restricted by the manufacturer.

In 2009, they were hired as investigators by a legal team appealing against the conviction of a vendor of so-called 鈥渕odchips鈥 for the Microsoft Xbox. Because these chips enable the console to run pirated games, the vendor was ruled to have broken copyright laws. The defence team thought that analysis of a 鈥渕odded鈥 console鈥檚 random access memory (RAM) might reveal whether copyright laws had been breached.

But the Xbox is a 鈥渃losed ecosystem鈥, says Rabaiotti, so you cannot run the analytical tools used for forensic investigations into, say, desktop PCs. So how could they get a peek at its RAM? Microsoft could not help because, as the maker of Xbox, it was working with the prosecution.

鈥淭he tools used for the forensic examination of, say, desktop PCs, won鈥檛 work on the Xbox鈥

Then inspiration struck. The pair knew the Xbox could be modified to run the Linux operating system, and also that the first edition of an Xbox game called MechAssault has a vulnerability called a buffer overflow, which allows new sets of instructions to be run when inserted into the game鈥檚 code.

So they wrote some Linux-based code that exploited the MechAssault vulnerability. It enabled them to burn a copy of the RAM鈥檚 contents onto a disc (Digital Investigation, ). The appeal was ultimately lost, but the pair say such data-accessing exploits could have further uses, prying data from RAM in other closed-ecosystem devices, such as e-book readers and smartphones.

Others agree. RAM is 鈥渁 bucket of fascinating stuff鈥, providing rich forensic data, says Nick Furneaux of CSI Tech in Bristol, UK. But care has to be taken not to alter the data, says Shaun Hipgrave of forensics firm FTS in Sevenoaks, UK. 鈥淎s long as evidential integrity is maintained, we consider all data-extraction methods to be valid.鈥

Topics: Computer crime