XBox Forensics Toolkit Enhances Criminal Investigation Possibilities

Computer scientist David Collins has probably spent more time messing around with the Microsoft XBox, other gaming consoles, and PDAs in the name of forensic science than anyone else in the world. But then, it's his job as the digital forensics expert at Sam Houston State University.

According to Collins, criminals often hide illicit data on the XBox in the hope that a gaming console will not be seen as a likely evidence target, especially when conventional personal computers are also present in the same premises.

For all of us, cell phones, smart phones, PDAs, game consoles and other devices now provide a convenient means to store lots of digital information, such as images, video, audio, program and text files. But that's something that criminals also have been fast to recognize. Such devices like the XBox also proved a simple way for criminals to possess and hide illegal material.

Collins has now developed a forensic toolkit that allows police and other investigators the chance to lay bare the contents of XBox hard disks.

Collins' XFT utility, as he calls it, can mount an image of the FATX file system used by the XBox, allowing the user to explore in detail the directory structure. Collins points out that unlike the standard FAT32, NTFS, and similar systems used by the hard disks in personal computers, there is little documentation on the proprietary FATX system. However, it is possible nevertheless to acquire an image of a FATX hard disk and to mount it on another device.

"Once the XBox file system is mounted, the analyst can use shell commands to browse the directory tree, open files, view files in hex editor mode, list the contents of the current directory in short or long mode and expand the current directory to list all associated subdirectories and files," explained Collins in a university news statement.

He adds that his XFT can also record investigative sessions for playback in a court of law, important from a legal perspective. This protects the defendant from falsified evidence as well as providing more solid presentation of evidence for the prosecution.

Collins plans to develop the toolkit software further, turning it into a fully functional forensic operating system that can be packaged as both a bootable operating system from a hard disk and a "live" bootable compact disk. a explains how future work on XFT will involve making the into

"This implementation will be open source, designed from the ground up as a forensic operating system," said Collins in his statement. "This will remove any and all proprietary operating system dependencies, making the forensic process as transparent as possible."

Photo of XBox 360 Elite by Jamie McCall. CC Attribution-No Derivative Works 2.0 Generic