Digital Forensic Analysis of A PlayStation 4 Hard Drive With Links To XRY Mobile Forensics
This project is submitted for the module 6001PROJ/6000PROJ and complies with all relevant LJMU
academic regulations, including plagiarism and collusion.
Literature Review
Prior to the release of the widely popular PlayStation 4, digital forensic analysts had attempted
to conquer the PlayStation 3 architecture to no avail. The PlayStation 3 was the most
‘technically advanced system’ in the seventh generation of gaming consoles (Sazaki, 2006), which
leads the investigating team to believe that the PlayStation 4 will surpass the PlayStation 3 and
be an even greater challenge. Conrad et al. (2010) acknowledge this in a chapter of Advances in
Digital Forensics VI, mentioning nine different PlayStation 3 models between the initial release in
2006 and 2009. The main addition across many iterations of the PlayStation 3 was support for
larger hard drives. The most common model upon release was the original 60 GB with a thicker
design, while the ‘Slim’ and ‘Super Slim’ allowed hard drive sizes upwards of 500 GB. The same is
true of the PlayStation 4 devices, with frequent revisions such as replacing the touch-sensitive
power and disc-eject buttons of the CUH-1000 models with physical buttons in response to
consumer reviews. Additionally, the architecture changed with the release of the PlayStation 4
Slim, which reduced the size of the device dramatically, while another, far more powerful and
4K-capable PlayStation 4 Pro was released.
The chapter by Conrad et al. (2010) also mentions how Sony engineers allowed PlayStation 3
users to have a separate partition on the hard drive, with the intent of allowing a secondary
operating system to be installed alongside the ‘Unix-like (BSD)’ PlayStation operating system.
This was done to discourage users from modifying the PlayStation 3 console with the intent of
‘hacking’, as was common on competitor consoles, Microsoft’s Xbox 360 (HackingTheXbox, 2017)
and Nintendo’s Wii (Dachis, 2011). The same can be achieved on the PlayStation 4. The way of
‘hacking’ the device, however, has changed and is significantly harder due to the constant
updating of the PlayStation 4 firmware, which prevents the practice of ‘jailbreaking’.
Ridgewell (2011) refers to the PlayStation 3’s encryption format, AES-128, which has been
exploited using various methods to retrieve the cryptographic keys Sony uses to decrypt the hard
drives. The hacking group fail0verflow obtained these keys through methods that the investigating
team were unable to recreate. The methods utilised included network forensic techniques as well
as software tools to assess the security of the console and find any vulnerabilities that were
present. Additionally, their network forensics revealed that the PlayStation 3’s TCP and UDP
communications were encrypted.
Conrad et al. (2010) analysed the PlayStation 3 and 4 to establish a connection between their AES
encryption. The experiments performed by Conrad et al. (2010) showed that evidence was not
easily obtained through the use of write blockers and forensic tools; however, the methodology
produced by Conrad et al. (2010) remains valid, and other investigating teams managed to repeat
the steps on other devices. Ridgewell (2011) performed similar tasks on Microsoft’s Xbox One and
retrieved far more information due to the NTFS file system used. For this reason, the methodology
will be used again, altered for the PlayStation 4, as the proposed method for gathering data both
physically and logically does not seem to differ from previous generations of the console, as
shown by Conrad et al. (2010).
Additionally, Sony introduced mobile applications that allow the user to access information about
their device(s), as well as messages, from an external device. This prompted further investigation
into the PlayStation system to see what sort of information is held on those devices, using the
forensic tool XRY; the investigation would take place on both Android and Apple iOS devices to
establish whether the information found corresponds on both operating systems, or whether
rooting an Android device yields more than Apple iOS does. However, knowing that Apple is
unwilling to provide data or otherwise help law enforcement with their devices (Nakashima, 2016),
it seemed plausible to assume that little information could be found, or that the information
found would be encrypted. Regardless, this still prompted the investigation to go further,
following the profile’s links through several means of connectivity.
Furthermore, the Sony handheld device, the PlayStation Vita, links to the profile and connects as
if it were the main device, with the ability to control the main device through a remote-connection
feature. As this is more of a gaming platform than the mobile applications, it seemed relevant to
include, as it may show more in terms of connecting with other users. Conrad et al. (2010) refer to
the PlayStation Vita but do not investigate it further, allowing this investigating team to follow
the same methodology used for the PlayStation 4 and try to obtain information. The Vita does
present a difficulty, however: the memory card used in the device is not of a regular size (Vita
Player, 2015). This could pose a problem when trying to access the memory card using a computer,
as no adapter exists to host the card, but it may be easier to access the data using the device
itself and its content manager.
Limitations
Regarding the digital investigation of a PlayStation 4, the greatest challenge posed is that the
PlayStation 4 utilises a non-standard file system. This differs from the competitor console, the
Xbox One, which allows NTFS metadata retrieval (Moore et al., 2014). The PlayStation 4 hard drive
appears to be encrypted, presenting a barrier to logical extraction. With the use of a write
blocker the hard drive can be imaged; however, the encryption makes a full in-depth analysis
difficult. The most appropriate way to obtain evidence in a forensic investigation would be
through the user interface, which allows the investigator to view several different artefacts.
Furthermore, the user has the ability to alter any information stored within the online service,
PlayStation Network (PSN). The user can access the PlayStation Network account using another
console, the PlayStation 4 Companion Application for mobile devices or the handheld PlayStation
Vita. Access through any of these alternative devices allows the user to modify or remove
potential evidence.
With the increasing use of the internet on eighth-generation consoles, user-generated content via
social media has become more of a norm (not only on PlayStation 4 consoles, but this will be the
console focused on). Sharing high scores, game achievements and recorded videos with other online
users requires the device to have an internet connection to use Sony’s online cloud storage service.
From the perspective of a forensic investigation, the hard drive may not be (in this circumstance)
the most important data source, as it previously has been. User-generated content is unlikely to
appear on the hard drive at all, and if it does appear it may be encrypted and unusable in the
investigation. This is a limitation to obtaining potential evidence.
Knowing that the PlayStation 4 utilises encryption, it would make sense to do most of the
investigation physically, by going onto the device itself and noting down the important findings
with screenshots. However, doing so would alter timestamps held on the device, such as the time
data was last accessed and modified, when the user last logged into the device and when messages
were last accessed. There is no way of ensuring that information such as access times and dates
is stored on the device, or whether it exists at all, which is something the investigating team
will take into consideration when doing the preliminary investigation.
An issue that could arise is the lack of tools needed by the investigator to obtain and access the
data. This report makes use of FTK and XRY as well as a write blocker. The investigation team does
not own this software or hardware and would need to use resources from the university; if neither
the software nor the hardware is available, the investigation would have to be done purely
physically. While this may or may not be a problem, it would still be interesting to see what can
be obtained by doing both physical and logical extractions of the PlayStation 4, as well as of the
applications and the PlayStation Vita.
Procedure of Analysis
As with all digital forensic investigations, the UK Association of Chief Police Officers (ACPO)
Good Practice Guide for Digital Evidence, version 5, will be followed for the investigation of a
digital device.
As the PlayStation 4 has been in circulation for several years now, the literature available
online for a digital forensic investigator to find the main aspects of the console is expansive.
Sid Shuman, Director of SIEA (Sony Interactive Entertainment America) Social Media, posted in a
Frequently Asked Questions blog post (Shuman, 2013) a useful list of areas that could be analysed.
As expected, a physical extraction of data from a PlayStation (or any live console) consists of
having the device powered up and navigating through the many different menus on the system; while
doing so, it would be beneficial for the investigator to note areas that may give added evidence
to the investigation.
Concentrating on the areas that reveal who was involved, what occurred on the device, when the
incident occurred and where it occurred are usual aspects of any investigation, digital or not, so
these steps seemed most appropriate to follow. The PlayStation 4 can hold up to 16 user profiles
(Shuman, 2013), with 4 users allowed to be active at any given time; this answers the “who” part
of the investigation. However, just as easily as a user can create an account, they can remove it,
which may result in further issues for a forensic investigator. All accounts can, however, be
viewed online if the user ID is known.
The “what” question refers to the content that has been created on the device, including any
timestamps which indicate “when” the information was initially generated. As for “where”, the
information stored can be categorised into physical hardware, such as the internal hard disk drive
of the PlayStation 4, or external media such as a USB drive. Additionally, the PlayStation 4 offers
a cloud-based system which allows users to back up information such as images and game save files,
amongst other things. There are many areas that could be of interest, as listed below in Table 1.
Table 1. Areas of interest on the PlayStation 4

Area                      | Description
--------------------------|-------------------------------------------------------------------
System Storage Management | Allows the user to view storage information of the system, saved data from applications, captures (video and image) and any added disk space
Error History             | Logs any errors that the system has met during its uptime. Includes an error code, time and date of the incident, whether it occurred during a game and what happened
What’s New                | Shows activity of the currently logged-on user, as well as those on the friends list (achievements, new friends, new games)
Trophies                  | Unlocked in-game; allows comparison between friends; shows the time and date when the trophy was unlocked
Profile                   | Personal to the user; can show real full name and avatar
Friends                   | Friends list can be linked to Facebook (social media). Possible to see communication between friends and those who are not yet friends. Can request to see the user’s full name; can have up to 2000 friends
Party                     | Messages; up to 8 participants in the party
Messages                  | Between individual participants or multiple
as easily accessed by the investigator or the user of the device. Isolating this web page to ensure
no outside users can gain access would be of top priority. To do this, you may have to alter the
password for the account which, in turn, could break the ACPO guidelines. However, with reason
to do so, this should not be an issue.
Figure 2 shows another incredibly important aspect of the SEN webpage. Here, the user can change
their ‘real name’. This would not usually be a feature used by many; unless the user gets married
or their legal name changes, the feature would be overlooked by a sizable percentage of the online
community. So, if this changes while the account is being checked, it may be an attempt to hide
the name of the user and put investigators off the scent. To prevent issues such as this, it may
be useful, as above, to take screenshots with the relevant times and dates, and to record any
changes made, with their times and dates as appropriate.
Figure 3 shows more in-depth account details, with information about how long the user has been
using the PlayStation Network (PSN) service, their preferred gender, registered email address and
home address. All of this can be edited if the user so chooses; however, it can be used to track
the potential user of the device, as well as to confirm whether the person believed to own the
device is the correct user. As mentioned, however, if the user were to change the details before
proper action was taken to note the information shown here, it could create issues for the
investigation and cause inconsistencies within the expert report. For this instance, and instances
beyond this, it would be proper to record the information shown here with correct dates and times.
Figure 4 above is the transaction history for the user account associated with
‘lukebargh106@hotmail.co.uk’. Useful information here includes the date the purchase was made,
the account it was bought from and the amount paid. While the investigating team may already have
a solid amount of evidence linking the account to the console, it may be worthwhile to take the
transaction history into consideration also. Not only can this be used to determine who the owner
of the device is, the investigating team may also want to utilise the Regulation of Investigatory
Powers Act 2000 (RIPA) to check the bank account of the person linked to the account.
This information allows the investigating team to view the supposed transactions between specified
dates and whether the amount spent corresponds to that on the transaction history. While this may
not be a lot of valuable information, it gives the investigation more of a lead by allowing the
team to potentially determine whether the card used to buy the items belongs to the owner of the
console.
Additionally, if the card used does not belong to the owner of the console, this brings further
charges that can be added to a court hearing. Another way of obtaining information for the
investigation could be through a disclosure notice. The guidance on investigatory powers under
Sections 60 to 70 of the Serious Organised Crime and Police Act 2005 defines this as follows:
1.4 A disclosure notice is defined in Section 62(3) as a notice in writing requiring the person to
whom it is given to do all or any of the following:
a. answer questions with respect to any matter relevant to the investigation;
b. provide information with respect to any such matter as is specified in the notice;
c. produce such documents, or documents of such descriptions, relevant to the investigation as
are specified in the notice.
Section (c), ‘produce such documents, or documents of such descriptions, relevant to the
investigation as are specified in the notice’, could be used in this instance, as a bank statement
would be needed.
Figure 5. SEN Devices
Finally, Figure 5 shows the SEN devices page, listing the device associated with the account logged
in. While it shows very little, it does show that a PlayStation 4 is activated with the account.
This may not be used in an investigation, but it is worth noting that the account has one.
My PlayStation
As of February 21, 2018, a new website, “My PlayStation”, was introduced, allowing users to
‘interact with key PSN features from your PC or mobile’. Dunn (2018) claims, “The website is
already up and running, so go check it out! Our goal is to bring you a compelling social experience
even when you’re away from your console. We’ll continue to enhance and add more features to
My PlayStation on a regular basis, so make sure to keep checking in.” However, with regard to
forensic investigations, this poses a greater risk of information being altered during an
investigation into a profile.
Immediately, this page is very similar to the SEN dashboard mentioned previously. It has been
criticised on forum pages as being ‘a new way to do stuff you can already do’ by the popular online
forum The Sixth Axis (2018).
Figure 7. My PlayStation messaging
Figure 7 shows a feature not yet seen for PlayStation users. My PlayStation now offers online
messaging, which has been a positive addition. Prior to this, users were only able to message
using the device itself or by using the PlayStation Companion Application for iOS and Android
devices.
The ‘edit account’ section of the website offers similar options to those of the SEN dashboard;
however, the main alteration users can make is changing their ‘real name’. While this may not seem
important, having access to both websites at the same time and changing the name can cause
confusion for the case officer and investigating team. The rest of the website is of no real use
to an investigation; for this reason, there is no need to pursue any further evidence from My
PlayStation.
PlayStation Network (PSN)
Continuing with the physical extraction of the PlayStation 4 device, this part is the PlayStation
Plus subscription section. Here, it shows that the user currently uses the paid PSN service. It
shows the current title and length of service the user is subscribed for. In this instance, the
user “Luke Bargh” has a 12-month ongoing subscription which started in October 2017 and is due to
finish in October 2018.
As mentioned previously with the transaction history, noting the time and date the subscription
was bought, with the intention of cross-checking against a bank statement for that time, could
help determine who owns the device. The only issue that may arise from this is that a subscription
can be bought separately and given as a gift. Additionally, a gift card can be bought and used as
a means of paying for the item.
The transaction history will show this as a top-up of the virtual ‘wallet’, which can also help
differentiate between a card purchase and a top-up.
Internet Browser
This is the on-device internet browser. While it is relatively basic in its features, it can be
used to potentially commit crime or illicit activities. The above figure shows an online repository
of television programmes and movies that can be viewed for free using streams. In the grand scale
of legal issues that can arise from using a PlayStation 4 illegally, this is quite tame. Sony does,
however, let the user know that any online behaviour is being monitored.
The Software Usage Terms (2017) state: “we reserve the right in our sole discretion to check and
record any or all your Software activity and to remove any of your UGM at our sole discretion,
without further notice to you … This information may be passed to the police or other appropriate
authorities.” In terms of illicit activity, then, it is being monitored, and in the instance that
Sony believe it could become an issue, relevant law enforcement will be notified. By using the
PlayStation device, the user accepts the Software Usage Terms.
Additionally, the browser comes with a history listing the websites browsed in a basic manner.
Unfortunately, this browsing history does not show when the website was accessed, and this
information cannot be found logically or physically, which could be a barrier to forensic
investigators.
Furthermore, if the browser history is deleted, the investigator cannot recover it, as would be
possible in a computer hard drive investigation; this is another barrier to viewing the internet
browsing history. For this reason, it would be important to make a note of the websites currently
in the browser history in case any are deleted. It is not possible to delete the browser history
from another location, so if the device is physically held, then the browser history is held with
it.
on it. As well as this, it holds save game data, which is relatively small in size compared with
previous generations. The device also allows the user to install themes as a cosmetic improvement
to the original theme.
The free space shows how much more data the device can hold. While there is no ‘other’ or
‘miscellaneous’ category, it is not known where data such as the internet browser history or error
logs is stored. This information can be easily found on the device, though, and usually does not
take up a lot of space.
An important feature of the PlayStation 4 is the in-depth error history. Each error number is
unique to the issue it pertains to, which could be in a game or in an application. Searching for
this error number on the internet with a search engine gives an easier understanding of how and
why the error happened.
Additionally, the device gives the day and the time, in 24-hour format, at which the error
happened. This could potentially be used to pinpoint when a user was on the device. This does not
have a massive impact on an investigation; however, if the device were to suddenly break or turn
off, it would provide the user with an error code, which can then be viewed on the console and
noted.
The error history usually does not show much in the way of an investigation, as it shows when the
console broke or had an issue that required an error code; however, should this occur during the
investigation, it would be easier to determine the cause of the problem and ensure it does not
reoccur.
The ‘What’s New’ feature was previously used on the PlayStation 3; however, on the PlayStation 4
it was updated to have more of a social media aspect. It shows the times and dates that ‘friends’
of the user were active; it also shows when the user was active and whether they have unlocked any
trophies, added new friends or even posted a social update using the ‘What are you up to?’
feature.
While it does show some information about who is using the device and the people the user
associates with, the only real benefit of viewing this would be to see any text updates. Figure 14
shows an abundance of information, but very little of it is of importance; the trophies obtained
by another player are irrelevant, as they are of no benefit to the investigator. However, the
first section shows a player adding new friends. This may be beneficial: if it comes to light that
the user of the device has been communicating with another user who then adds more friends who
have no games or trophies, it may show that they bought the PlayStation only for communication.
So, while the trophy earning is useless, the adding of inexperienced players, and being able to
see what another player is doing, shows some usefulness.
Figure 15. PlayStation 4 with case on
Figure 16. PlayStation 4 with case off
any live data being damaged in the process, a Tableau Forensic SATA/IDE Bridge, Model T35e
write blocker was used.
The write blocker is powered using a standard 3-prong UK plug and connects to the computer via
USB. It is recommended to connect the write blocker to the hard drive before turning on the
device.
As the physical drive has been acquired, this option must be chosen when selecting the evidence
type, as seen in Figure 19.
Knowing the model of the drive being investigated (in this case a TOSHIBA MQ01ADB100, as printed on
the hard drive itself) can be beneficial in circumstances where many drives are connected or the
investigator is unable to differentiate between two hard drives. In this instance, two hard drives
were attached to the computer; however, the PlayStation 4 hard drive is not an SSD, so the Samsung
device listed at the top, which is the computer’s own storage, was not selected.
Knowing this, FTK has its own inbuilt decryption. This did not work and provided no benefit to
the investigation.
Figure 23 shows the decryption process, lasting 4 seconds and providing no evidence to the
investigator, as the decryption in FTK did not manage to open anything on the hard drive. This is
disappointing, as no passwords are known to the investigating team, and without the password or
encryption key very little can be obtained.
Figure 24 is the overall investigation of the hard drive. In the file content section there are a
lot of hexadecimal characters. This cannot be read by human or computer and, without decryption,
would provide nothing of significance to the investigator.
This would be useful to the investigator if the file content shown in the ‘hex’ section were
readable; unfortunately the investigator cannot read the hex portion, so no further investigation
of the drive could take place.
USB Download Test
During the logical investigation, screenshots were taken using the ‘Share’ button on the DualShock
4 controller. Downloading these to a USB drive allows an investigator to view some more important
data pertaining to the investigation.
To attempt to view this information, Exif Pilot was used. This shows the make of the device (Sony
Interactive Entertainment Inc.), the model (PlayStation®4) and the current firmware in place on
the device (5.05).
Additionally, it shows the exact time and date the image was taken. In instances where images are
taken using the share function of the PlayStation 4, it unfortunately does not show the GPS
location of where the device was when the image was taken. This is because the PlayStation 4 does
not carry a GPS chip.
This seemingly is the only information that could be important in an investigation.
Figure 25. Image downloaded from PS4 in Exif Pilot
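The check described above can be scripted rather than read off a viewer. The following Python is an added example, not code from the report or from Exif Pilot: it builds a constructed JPEG carrying an EXIF block with placeholder make, model, Software and DateTimeOriginal values modelled on Figure 25 (which EXIF tag the PS4 writes its firmware version into is an assumption), parses the APP1 segment with only the standard library, and confirms that no GPS sub-IFD is present.

```python
# Added example, not from the report and not Exif Pilot's code: read the EXIF
# tags the report relies on (make, model, firmware string, capture time) and
# confirm that no GPS IFD is present. The sample JPEG is constructed here;
# tag values are placeholders modelled on the report, not a real PS4 capture.
import struct

TAG_NAMES = {
    0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
    0x0132: "DateTime", 0x9003: "DateTimeOriginal",
    0x8769: "ExifIFDPointer", 0x8825: "GPSInfoIFDPointer",
}


def build_ifd(entries, ifd_offset):
    """Serialise one little-endian IFD; ASCII values longer than 4 bytes go in a
    data area placed directly after the IFD (used only to build the sample)."""
    data_start = ifd_offset + 2 + 12 * len(entries) + 4
    body, data = b"", b""
    for tag, value in entries:
        if isinstance(value, int):                      # type 4 = LONG
            body += struct.pack("<HHII", tag, 4, 1, value)
            continue
        raw = value.encode("ascii") + b"\x00"           # type 2 = ASCII, NUL-terminated
        if len(raw) <= 4:
            body += struct.pack("<HHI", tag, 2, len(raw)) + raw.ljust(4, b"\x00")
        else:
            body += struct.pack("<HHII", tag, 2, len(raw), data_start + len(data))
            data += raw
    return struct.pack("<H", len(entries)) + body + struct.pack("<I", 0) + data


def build_sample_jpeg():
    """Minimal JPEG: SOI, one APP1 Exif segment (IFD0 + Exif sub-IFD, no GPS), EOI."""
    ifd0_entries = [(0x010F, "Sony Interactive Entertainment Inc."),
                    (0x0110, "PlayStation(R)4"),
                    (0x0131, "5.05"),              # firmware as Software tag (assumption)
                    (0x8769, 0)]                   # placeholder pointer, patched below
    exif_offset = 8 + len(build_ifd(ifd0_entries, 8))
    ifd0_entries[-1] = (0x8769, exif_offset)
    tiff = (b"II" + struct.pack("<HI", 42, 8)
            + build_ifd(ifd0_entries, 8)
            + build_ifd([(0x9003, "2018:03:16 12:00:00")], exif_offset))
    payload = b"Exif\x00\x00" + tiff
    return b"\xFF\xD8" + b"\xFF\xE1" + struct.pack(">H", len(payload) + 2) + payload + b"\xFF\xD9"


def parse_tiff(tiff):
    """Walk IFD0 and any Exif/GPS sub-IFDs, returning {tag name: value}."""
    endian = "<" if tiff[:2] == b"II" else ">"
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("not a TIFF header")
    tags = {}

    def read_ifd(offset):
        (count,) = struct.unpack_from(endian + "H", tiff, offset)
        for i in range(count):
            entry = offset + 2 + 12 * i
            tag, typ, cnt, val = struct.unpack_from(endian + "HHII", tiff, entry)
            if typ == 2:                                # ASCII, inline if it fits in 4 bytes
                raw = tiff[entry + 8:entry + 8 + cnt] if cnt <= 4 else tiff[val:val + cnt]
                value = raw.rstrip(b"\x00").decode("ascii", "replace")
            else:
                value = val
            tags[TAG_NAMES.get(tag, f"0x{tag:04X}")] = value
            if tag in (0x8769, 0x8825):                 # follow Exif and GPS sub-IFDs
                read_ifd(val)

    read_ifd(ifd0)
    return tags


def exif_from_jpeg(jpeg):
    """Locate the APP1 Exif segment in a JPEG and parse its TIFF block."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return parse_tiff(jpeg[pos + 10:pos + 2 + length])
        if marker == 0xFFDA:                            # start of scan: no EXIF after this
            break
        pos += 2 + length
    return {}


def capture_summary(jpeg):
    """The fields an investigator would record from a PS4 screenshot."""
    tags = exif_from_jpeg(jpeg)
    return {
        "make": tags.get("Make"),
        "model": tags.get("Model"),
        "firmware": tags.get("Software"),
        "taken": tags.get("DateTimeOriginal") or tags.get("DateTime"),
        "gps_present": "GPSInfoIFDPointer" in tags,
    }


if __name__ == "__main__":
    print(capture_summary(build_sample_jpeg()))
```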
computer. In terms of the computer used in this investigation, it was highly powered and reduced
the amount of time it took to retrieve the data dramatically.
Figure 27. XRY showing email and passwords to login
With knowledge of where the information has been gathered from, it would be a good start to note
down where it was retrieved from and, if used, why it was used and what for. In this circumstance,
the investigating team would be accessing live data in terms of the account, which is an issue in
relation to the ACPO guidelines: “Principle 2: In circumstances where a person finds it necessary
to access original data, that person must be competent to do so and be able to give evidence
explaining the relevance and the implications of their actions.” (7Safe, 2018). The investigating
team may decide that they are competent to access the data, and the reasoning behind accessing it
is explained as access to the account is needed to follow the user
There were 8 documents that had the word ‘PlayStation’ in them and stored their data in a PLIST
file. This is a settings file used by macOS applications; as this is the iPhone, it seems
appropriate that .plist is used. The .plist file is readable using open-source software such as
plist Editor. Coming into the investigation, it was made aware that information may be stored in
files such as SQL databases, which is what had been found in the documents. The next step was to
extract all 8 of these files and use tools relevant to their extension; in some cases a database
browser was used.
Figure 28. PlayStation filtered documents in XRY
Going through the list of documents became an issue from the outset, as the investigating team are
aware of the encryption Sony have applied, either to prevent the user finding data or to protect
the user’s data. Initially, CLSUserDefaults.plist.xml was opened using DB Browser, which prompted
the investigator to enter a password that was unknown; the team therefore moved on to the
following files, as no key or passphrase had been found in the previous steps of the
investigation.
Figure 29. Encrypted file extracted from XRY
The next file, com.playstation.eu.mobilemessages.plist, was opened in PList Editor and provided
little to no information that could be of use in an investigation. It had references to ‘keys’ but
nothing to suggest what the key would be relevant for. This was frustrating, as the name
‘mobilemessages’ suggests that it would show the messages from the device, but this was not the
case. With some of the larger strings of data it occurred to the investigator that they may be
some sort of cipher; even though this seemed unlikely, they were run through different cipher
decryption tools available online, which produced nothing.
There is an XML View in PList Editor as well as a List View, which is easier to read, with the
information being listed rather than shown as in the XML View, where it is still listed but in a
way that makes it difficult to interpret.
The figure on the right shows the listed data with some mentions of timestamps and dates, as well
as other information that seems irrelevant to what the investigating team is trying to search for.
Unfortunately, this may be the norm for these files, with Sony having little intention of exposing
their data, so this is something that is considered going forward.
Figure 30. XML data from extracted PlayStation file
The files “embedded_SQLite_table_Z_METADATA_row_0_column_Z_PLIST.plist”, numbered 1 to 4, are all
empty in terms of data to retrieve; however, “group.com.playstation.eu.mobilemessage” and
“com.playstation.eu.playstationadhoc” show the most information regarding the user. While it may
not be as important to the investigation as one would hope, it does shed some light on where to
begin. The first, “com.playstation.eu.playstationadhoc”, shows a string
{“onlineID”:”lxtrxi” … which is the username associated with the account being investigated. This
will probably already be known to the investigating team if they hold the main device (PS4), but
it can be noted as important. Furthermore, both files hold data about the actual phone and how
long the application has been used for.
This information is found in XRY anyway, but the information that seemed relevant, in the
circumstance that the user would be taken to court for their malicious actions, could be
a.DaysSinceFirstUse, a.HourOfDay, a.DayOfWeek and a.DaysSinceLastUse. a.DaysSinceFirstUse can be
used to see when the suspect first used this application and to start a timeline of sorts.
a.HourOfDay and a.DayOfWeek correlate with each other: the plist shows that the day it was used
was 5 and the hour it was used was 12, so by elimination we can say this would be Friday at 12
o’clock. The issue is that it does not give a week or timestamp, so this information could wither
away; however, it is still important when trying to piece together a timeline of events.
Figure 31. Information about PlayStation application use
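The fields named above can be pulled out programmatically and turned into dated bounds rather than bare counters. The following Python is an added example, not code from the report or from Sony's application: it parses a constructed plist modelled on the keys described (the onlineID embedded in a JSON string, plus the four a.* counters), and the day numbering (Sunday = 0, so 5 reads as Friday, matching the report) and the anchoring of the day counters on the extraction date are assumptions.

```python
# Added example, not from the report: parse a plist with the fields the report
# names and derive timeline hints. All key names, values and the day numbering
# are assumptions modelled on the report's description.
import json
import plistlib
from datetime import date, timedelta

# Constructed sample plist (NOT the real file from the phone). The online ID sits
# inside a JSON string, as the report describes; the usage counters use the
# a.* keys the report lists.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>profile</key>
  <string>{"onlineID":"lxtrxi","region":"eu"}</string>
  <key>a.DaysSinceFirstUse</key>
  <integer>120</integer>
  <key>a.DaysSinceLastUse</key>
  <integer>3</integer>
  <key>a.DayOfWeek</key>
  <integer>5</integer>
  <key>a.HourOfDay</key>
  <integer>12</integer>
</dict>
</plist>
"""

# Assumed numbering, chosen to match the report's reading of 5 as Friday.
DAY_NAMES = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]


def find_online_id(node):
    """Walk the parsed plist and decode the first JSON string carrying an onlineID."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            found = find_online_id(child)
            if found is not None:
                return found
        return None
    if isinstance(node, str) and node.lstrip().startswith("{"):
        try:
            data = json.loads(node)
        except ValueError:
            return None
        if isinstance(data, dict):
            return data.get("onlineID")
    return None


def usage_summary(plist_bytes, extraction_iso):
    """Convert the relative counters into absolute dates.

    The counters are relative to the moment the app last wrote them, which is
    not recorded; anchoring on the extraction date (assumption) gives the
    latest possible dates, so report them as bounds, not exact timestamps.
    """
    root = plistlib.loads(plist_bytes)
    anchor = date.fromisoformat(extraction_iso)
    first = root.get("a.DaysSinceFirstUse")
    last = root.get("a.DaysSinceLastUse")
    dow = root.get("a.DayOfWeek")
    hour = root.get("a.HourOfDay")
    summary = {
        "online_id": find_online_id(root),
        "first_use_no_later_than": (anchor - timedelta(days=first)).isoformat() if first is not None else None,
        "last_use_no_later_than": (anchor - timedelta(days=last)).isoformat() if last is not None else None,
        "last_use_slot": None,
    }
    if dow is not None and hour is not None and 0 <= dow < 7:
        summary["last_use_slot"] = f"{DAY_NAMES[dow]} {hour:02d}:00"
    return summary


if __name__ == "__main__":
    for key, value in usage_summary(SAMPLE_PLIST, "2018-03-16").items():
        print(f"{key}: {value}")
```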
Moving forward, XRY holds databases in a separate category, which is more user friendly than having
to go through every file to determine its extension.
There are only 7 databases stored on the phone and the rest of the information would be obtained
physically as seems to be the norm with Sony devices. The extration process is the same as the
documents and the SQLite databases would be opened using a free database browser.
The following databases unfortunately held no data at all and were more a way of sorting any data imported through tables. This was the last piece of data stored on the iPhone, which shows that there is little to no information pertaining to Sony or PlayStation that could help the investigation progress.
LocalData.sqlite was assumed to hold some data about the device or the user, but nothing was found, and the investigation moved on to the Android operating system instead.
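Deciding that a database is "empty" by clicking through tables in a browser is slow and easy to get wrong, so here is an added example (not from the report) that triages a SQLite file by listing every user table with its row count, opening the file read-only so the evidence copy is not modified. The sample database it builds is constructed for the example; the table names only imitate the Core Data style names (Z_METADATA) seen on the iPhone and are not taken from a real extraction.

```python
import os
import sqlite3
import tempfile
from pathlib import Path


def triage_sqlite(path):
    """Return {table: row_count} for every user table in a SQLite file.

    The file is opened read-only through a URI so the evidence copy is not
    touched; a database with no user tables yields an empty dict.
    """
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        names = [row[0] for row in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        counts = {}
        for name in names:
            # Names come from sqlite_master, not user input, but quote them anyway.
            quoted = '"' + name.replace('"', '""') + '"'
            counts[name] = con.execute("SELECT COUNT(*) FROM " + quoted).fetchone()[0]
        return counts
    finally:
        con.close()


def is_effectively_empty(counts):
    """True when the database has no tables or every table has zero rows."""
    return all(n == 0 for n in counts.values())


def build_sample_db(path):
    """Constructed sample (not a real extraction): a schema-only metadata table
    beside a small message table, mimicking what the report describes."""
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE Z_METADATA (Z_VERSION INTEGER, Z_PLIST BLOB)")
        con.execute("CREATE TABLE ZMESSAGE (Z_PK INTEGER PRIMARY KEY, ZBODY TEXT)")
        con.executemany("INSERT INTO ZMESSAGE (ZBODY) VALUES (?)",
                        [("constructed message 1",), ("constructed message 2",)])
    con.close()


def demo():
    """Build the sample in a temporary directory, triage it, return the counts."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "LocalData.sqlite")
        build_sample_db(db)
        counts = triage_sqlite(db)
    return counts


if __name__ == "__main__":
    result = demo()
    for table, n in result.items():
        print("%-12s %d rows" % (table, n))
    print("effectively empty:", is_effectively_empty(result))
```

Run against each of the 7 extracted databases, the output gives a defensible record of which files were schema-only and which held rows, which is the distinction the report makes by hand.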
Android Investigation
The Android had both an external microSD card and internal storage, so both were included in the investigation. Using the same method as for the Apple operating system, searching for “PlayStation” and “sonyentertainment” reduced the time needed to sift through the information. The filter returned 2,011 files related to “PlayStation”, of which 1,119 were pictures. Scrolling through them showed that these pictures were either from emails on the device or from the PlayStation applications (image placeholders, for example); as in the Apple investigation, the pictures are irrelevant and can be ruled out.
There were 589 documents, which initially seemed like a benefit to the investigation; on closer inspection they were simply .xml (Extensible Markup Language) files used to design the application. A file such as “new_message_thread_one_line_layout.xml” would only describe the layout of a message. Unfortunately, this meant that the 589 documents could still be investigated but would be of no real benefit to an investigation.
In terms of databases there are 8 that can be extracted; the databases that seemed to be of most importance would be “Cookies” and “Web Data”.
Figure 34. Unnecessary XML files
However, as seems to be the standard for the files stored on the devices, there was little significant information. While the Cookies file did have some items in its tables, the data seemed irrelevant and had no real usefulness.
The same can be said for Web Data, as it holds no information and is essentially a blank database with a lot of blank tables. The remaining 6 databases were the same databases found on the Apple phone and, once more, held no data.
Through the investigation of both phones, the only significant piece of information found is the
stored data that is used to login to the Sony Entertainment account, this is an autofill file simply
showing the email and password. This is incredibly useful in the investigation as it allows access
to the account, however if the autofill information is not correct then access would be denied.
Regardless, this is a huge benefit to the investigation.
There is no further investigation that can be carried out on the mobile phones using XRY, so the physical extraction of data was done using the actual application on the phone. This obviously means the phone is being used, and requires it to still be in the investigator’s possession.
As previously stated, the PlayStation Companion Application allows the user to move seamlessly to the PlayStation Messaging Application as if it were the same application altogether. The physical extraction of data will be done on the iPhone, as the iPhone and Android versions are the same and the information obtained would be identical.
The profile shows the name on the application, which can be changed on different platforms, as well as the online ID that is seen by other players. The online ID cannot be changed, and will only be changed in specific circumstances where the ID breaks the PlayStation & Sony Entertainment terms of service (PlayStation, 2018).
Here, the user has the ability to edit their profile.
The obvious difference between the mobile applications and the PlayStation 4 is that one is a device and the other is an application; in terms of what is actually different, there is little change. The user can send messages, talk in parties using the mobile’s microphone, and view and alter information, amongst other things.
Following the investigation of the mobile applications and the information stored by them, it has come to light that, while some information such as the account login is saved, that seems to be all.
It is interesting to see the difference in how much information is stored between the Android and iOS systems, but unfortunately it shows that Sony have made the decision not to store as much data as an investigator would like.
There is one database that is encrypted (CLSUserDefaults), but without the password or any knowledge of where to find it, this is the end of the road.
After some more investigation, the PlayStation Vita seems to hold a lot of incredibly important information. Primarily, location services allow the location to be stored on the device, along with items such as pictures taken using the on-board camera (front and back). The image shown right was taken using the PlayStation Vita’s camera with location data enabled.
The device uses a special device manager called ‘Content Manager Assistant’, provided by Sony; this is required to export any data from the device, and forensic tools such as FTK or EnCase provide no benefit. However, using the Content Manager to export the images taken provided the investigation with some important information. Moving on to Exif Pilot, an image Exif viewer, it provided the investigation with GPS coordinates based on the location the image was taken from.
Figure 42. Picture taken using PS Vita
After further investigation, there seemed to be no option to alter the location of the device other than physically going to a different location, unless the user had homebrew installed on the device and utilised a VPN. However, in terms of homebrew, it is easy to determine whether the device has been altered. As the device used in the investigation does not belong to the investigating team, homebrewing was not an option: it could damage the device if done incorrectly, voids the warranty and is against the Sony terms of service, which could result in the associated account being closed.
In Exif Pilot, the make and model show that the device used to take the images was a Sony PlayStation Vita. It also shows the correct dates and times that the images were taken, with information pertaining to the flash. The device does not have a flash, so this is correct. Additionally, it shows the software version, which could be beneficial as the device itself still receives frequent updates. The most important piece of information to take from this is the latitude and longitude. According to Exif Pilot, the north latitude and west longitude, in a form that can be read by an online map, are:
53°24'25.0"N 2°57'08.3"W
Figure 44. GPS data of PS Vita picture
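Exif does not store the coordinates as the string above; it stores each of latitude and longitude as three rationals (degrees, minutes, seconds) plus a hemisphere letter, and a viewer such as Exif Pilot renders them. The following added example (not code from the report or from Exif Pilot) does that conversion both ways, producing the degrees-minutes-seconds string shown above and the signed decimal degrees an online map accepts. The rational values are constructed to reproduce the coordinates on the page.

```python
def exif_rationals_to_dms(rationals):
    """Exif stores GPSLatitude/GPSLongitude as three (numerator, denominator)
    pairs: degrees, minutes, seconds. Return them as plain numbers."""
    deg, mins, secs = [num / den for num, den in rationals]
    return int(deg), int(mins), float(secs)


def dms_to_decimal(degrees, minutes, seconds, ref):
    """Signed decimal degrees; the S and W hemispheres are negative."""
    value = degrees + minutes / 60.0 + seconds / 3600.0
    return -value if ref in ("S", "W") else value


def format_dms(degrees, minutes, seconds, ref):
    """Render in the style a viewer shows, e.g. 53°24'25.0\"N."""
    return "%d°%02d'%04.1f\"%s" % (degrees, minutes, seconds, ref)


def gps_from_exif(lat_rationals, lat_ref, lon_rationals, lon_ref):
    """Combine the four GPS IFD fields into a readable string and a map-ready pair."""
    lat = exif_rationals_to_dms(lat_rationals)
    lon = exif_rationals_to_dms(lon_rationals)
    return {
        "dms": format_dms(*lat, lat_ref) + " " + format_dms(*lon, lon_ref),
        "decimal": (dms_to_decimal(*lat, lat_ref), dms_to_decimal(*lon, lon_ref)),
    }


# Constructed GPS IFD values chosen to reproduce the coordinates quoted above.
SAMPLE_LAT = ((53, 1), (24, 1), (250, 10))
SAMPLE_LAT_REF = "N"
SAMPLE_LON = ((2, 1), (57, 1), (83, 10))
SAMPLE_LON_REF = "W"

if __name__ == "__main__":
    result = gps_from_exif(SAMPLE_LAT, SAMPLE_LAT_REF, SAMPLE_LON, SAMPLE_LON_REF)
    print(result["dms"])
    print("%.6f, %.6f" % result["decimal"])
```

Keeping the raw rationals in the notes, rather than only the rendered string, means the conversion can be re-done and checked by anyone reviewing the exhibit later.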
Using this, Google Maps was used to determine whether the location was correct, and it was. Highlighted in red is the exact location the image was taken, and as the image was taken by the investigator, it can be verified. This is important, as the location can be used to determine whether the devices linked to the account are all in this location.
The PlayStation Vita allows the user to use external memory in the form of a custom-made PS Vita memory card. The issue with this memory card is that it is difficult to read, and the only way the investigating team could read the data on the card would be by using an adapter known online as SD2VITA. As this was not available to the team, it was not an option. Unfortunately, this option is only viable if the device is running system software 3.60; in the instance of this device, it runs a higher version.
Figure 46. PS Vita SD card
Additionally, the SIM card could provide some information to the investigating team, but as it is not used to send texts from the device, nor does it provide any benefit other than online play using 3G, it seems irrelevant. However, the SIM card may previously have been used in another device, so existing data may still be present on the SIM. Quantaq’s USIMDetective is highly recommended by forensic intelligence for situations like this. However, this, again, was not accessible to the investigator.
Figure 47. SIM Card from PS Vita
In terms of data taken from the device, the investigating team used the Content Manager as aforementioned. The steps taken were to connect the device to the PC using the cable provided to charge the device; there is also an option to connect via WiFi if the cable is not readily available. After this, the next step was to back up the device to see if anything was readable from this position.
As of 16th April 2018, the size of the backup was 793 MB. The backup was saved on the computer under the name 201804162003-01 (2018 04 16 is the date of the backup). It is saved under C:\Users\USERNAME\Documents\PS Vita and offers the user a number of folders.
A previous backup had been done on 20th March 2018 and had not updated the modified times; however, in the folder SYSTEM a folder relating to the recent April update can be found.
The backup files (as shown above) are saved with the following extensions: ‘psvimg’, ‘psvinf’ and ‘psvmd’. The initial suggestion of a file being saved as ‘img’ led the investigating team to try some form of image reader; however, it could not be read using image viewing software. The PlayStation hacking forum PSXHAX had previously offered users a tool that allows the extraction of PSVIMG files; however, it is now unsupported due to version updates and is no longer being maintained (PSXHAX, 2017).
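Even when the psvimg containers cannot be opened, the backup folder itself can be documented: which files it contains, their sizes and hashes, and when the backup was made. The following is an added example (not the report's own script and not a Sony tool) that inventories a backup folder for the case notes. The folder-name layout YYYYMMDDHHMM-NN is inferred from the single name the report gives (201804162003-01, dated 16 April 2018), so reading ‘2003’ as a time and ‘01’ as a sequence number is an assumption; the directory tree the example builds is constructed and not a real backup.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime

# Folder name layout YYYYMMDDHHMM-NN is inferred from the one example on the
# page (201804162003-01); treating '2003' as HH:MM and '01' as a sequence
# number is an assumption, not documented PS Vita behaviour.
BACKUP_NAME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})-(\d{2})$")
BACKUP_EXTENSIONS = (".psvimg", ".psvinf", ".psvmd")


def parse_backup_name(name):
    """Split a backup folder name into its timestamp and sequence number."""
    m = BACKUP_NAME.match(name)
    if not m:
        raise ValueError("unrecognised backup folder name: %r" % name)
    y, mo, d, h, mi, seq = (int(g) for g in m.groups())
    return {"timestamp": datetime(y, mo, d, h, mi), "sequence": seq}


def sha256_file(path):
    """Stream the file so large psvimg containers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(backup_root):
    """Walk a backup folder and record every file with its size and SHA-256."""
    rows = []
    for dirpath, _dirs, files in os.walk(backup_root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rows.append({
                "path": os.path.relpath(full, backup_root).replace(os.sep, "/"),
                "ext": os.path.splitext(fn)[1].lower(),
                "size": os.path.getsize(full),
                "sha256": sha256_file(full),
            })
    rows.sort(key=lambda r: r["path"])
    return rows


def summarise(rows):
    """(file count, total bytes) per extension; unknown extensions go to 'other'."""
    out = {}
    for r in rows:
        ext = r["ext"] if r["ext"] in BACKUP_EXTENSIONS else "other"
        files, size = out.get(ext, (0, 0))
        out[ext] = (files + 1, size + r["size"])
    return out


def build_sample_backup(root):
    """Constructed directory tree (not a real PS Vita backup) for the demo."""
    name = "201804162003-01"
    for sub, fn, payload in [
        ("SYSTEM", "system.psvimg", b"\x00" * 64),
        ("SYSTEM", "system.psvinf", b"constructed info"),
        ("SYSTEM", "system.psvmd", b"constructed metadata"),
        ("PHOTO", "photo.psvimg", b"\x01" * 128),
    ]:
        d = os.path.join(root, name, sub)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, fn), "wb") as f:
            f.write(payload)
    return os.path.join(root, name)


def demo():
    """Build the sample backup, parse its name and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = build_sample_backup(tmp)
        meta = parse_backup_name(os.path.basename(backup))
        rows = inventory(backup)
        return meta, rows, summarise(rows)


if __name__ == "__main__":
    meta, rows, summary = demo()
    print("backup taken", meta["timestamp"], "sequence", meta["sequence"])
    for r in rows:
        print("%-24s %6d  %s" % (r["path"], r["size"], r["sha256"][:16]))
    print(summary)
```

Recording the hashes at the time of export is what lets a later reviewer confirm that the backup examined is the one that was taken, even if the container format itself is never decoded.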
As this option no longer seemed viable, the other option was to follow the same steps taken in extracting information from the PlayStation 4, going through the device using Table 1 and gathering the data physically. This was the next step in the investigation, to determine who the device belonged to and to ensure that any information of use to an investigation is retrieved. The device itself is generally unusable until an account has been associated with it; in this case it is associated with the same account as the PlayStation 4, which can be confirmed using the SEN page or by checking the device itself in Settings > Account Management.
As seen in figure 50, the account links to ‘lxtrxi’ and the email address is the same as that associated with the PS4 account. This confirms that the accounts are linked.
With the SIM card in, the system information page gives the IMEI number, which can be beneficial to the investigation; it does not show a phone number, as in this instance there is no number associated with the SIM card. Additionally, it gives the MAC address of the device. The ICCID, or integrated circuit card identifier, has the same role as an IMEI number, but it is stored on the device as well as on the SIM (EMnify, 2016). Using the first 6 digits allows the user to determine who the SIM circulates through; in this case it is ‘voda UK’, which was already known as the SIM carries the Vodafone logo.
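Both identifiers above end in a Luhn check digit, so a transcription error in the notes can be caught before the number is used to query an operator. The following added example (not code from the report) validates an IMEI or ICCID and splits the ICCID into the prefix the report uses for the issuer. The sample numbers are constructed so that their check digits verify; the prefix-to-operator table is a placeholder and does not claim any real assignment, which would have to be looked up in the ITU-T E.118 issuer list or an operator database.

```python
# Placeholder issuer prefixes for the demo. A real lookup uses the ITU-T E.118
# issuer identifier list or an operator database; this entry is constructed.
ISSUER_PREFIXES = {
    "894410": "EXAMPLE-UK-OPERATOR (placeholder mapping, verify before use)",
}


def luhn_check_digit(payload):
    """Luhn check digit for a digit string (used by both IMEI and ICCID)."""
    if not payload.isdigit():
        raise ValueError("digits only")
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # double every second digit, starting at the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    """True when the last digit is the correct Luhn check digit for the rest."""
    return len(number) > 1 and number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def parse_iccid(iccid):
    """Split an ICCID: '89' telecom industry identifier, the 6-digit prefix the
    report uses to identify the issuer, the account portion, and the check digit."""
    if len(iccid) not in (19, 20) or not iccid.isdigit():
        raise ValueError("ICCID must be 19 or 20 digits")
    prefix = iccid[:6]
    return {
        "mii": iccid[:2],
        "issuer_prefix": prefix,
        "issuer": ISSUER_PREFIXES.get(prefix, "unknown (look up prefix)"),
        "account": iccid[6:-1],
        "luhn_valid": luhn_valid(iccid),
    }


def parse_imei(imei):
    """Split a 15-digit IMEI into TAC (8 digits), serial (6) and check digit (1)."""
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be 15 digits")
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14], "luhn_valid": luhn_valid(imei)}


# Constructed sample identifiers (not from any real device or SIM).
SAMPLE_ICCID = "8944100000000000018"
SAMPLE_IMEI = "350000000000006"

if __name__ == "__main__":
    print(parse_iccid(SAMPLE_ICCID))
    print(parse_imei(SAMPLE_IMEI))
    # One transposed digit is enough to fail the check:
    print(luhn_valid("8944100000000000081"))
```

A number that fails the check should be re-read from the device rather than corrected by guesswork, since the check digit says only that something is wrong, not which digit.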
In terms of messaging it still provides the user with this function as well as cross platform party
chatting. With the ability to use the SIM card and game online, this could offer an offender an
opportunity to use a less obvious form of messaging without the use of WiFi.
Another feature that could be used to gain access to the PS4 remotely is the Remote Play function; this connects the Vita to the PS4 in question using a WiFi connection or a hotspot. This is bad for the console, as it could be accessed from outside the local network. This was achieved by using the ‘Personal Hotspot’ feature on the investigating team’s iPhone 7. After this connection was established, the Remote Play function first searched for the PlayStation on the same network; when it could not be found, it searched via the internet. This worked, allowing access to the PlayStation 4 without being in the same room. There is no way of disconnecting the Vita from Remote Play without having the device and disconnecting manually.
The Vita can be as important as the PlayStation 4. In this instance it has shown that, while there is no easy way the investigating team can think of to retrieve information from the SD card, it holds as much information as the PS4 does. In terms of security it is much the same, with one-factor authentication by password; with the password, the user has access to the account all the same, with the ability to alter information if they feel so inclined.
The user may have multiple connected devices, so the Sony Entertainment Network page should be thoroughly checked. This allows an investigator to see the devices on the account. Having just the one device (be it PS3 or PS4) may not be enough: having access to a PS3 when a PS4 is being investigated still allows the owner to manipulate data and cause issues while the investigation is underway.
Additionally, as there are other handheld devices such as a PS Vita and the PlayStation Companion Applications, the investigation team may have to alter passwords to ensure integrity in the case; however, this may break ACPO guidelines, as it is live data. With reasonable cause to ensure the case remains secure, this may still be the best course of action.
Furthermore, the user may have access to a device that is already logged into the Sony Entertainment Network account. It may be reasonable to collect such a device (a laptop, for example) to prevent outside access. Other devices such as mobile phones and tablets can also access the page. There may be an option of logging out all devices from the site and then changing the password.
The devices all allow the user to communicate cross-platform, so to ensure that every message sent is known, it makes sense to note down the dates and times, the recipient of the message and its content.
Messaging is the backbone of any sort of communication, be it on a mobile device, by email or face to face. Very little can be done without it. Having access to the messages can show who is involved and the circumstances surrounding their involvement. As the device can hold messages from multiple users, the investigation team would have to go through each conversation to decide what is being discussed; however, this can be incredibly beneficial in instances where involvement from many participants is noted.
In terms of the messages found on the three devices, there were no messages that required further investigation due to the nature of the conversations. Unfortunately, messages can be deleted using devices other than the main PlayStation: for example, a message deleted using the mobile application would also be deleted from the main device. For this reason, noting down the messages is the most crucial step.
Oddly, the internet browser found on the PlayStation 4 and PlayStation Vita does not store the times or dates at which websites were visited. The history will remain on the device unless deleted, but the dates on which web pages were visited remain unavailable.
This is another challenge to the investigator, as the websites may have been visited during the investigation, and the suspect could argue that it was not them, or that it was done by the investigating team to determine what the website was.
Regardless, the same steps taken with recording messages are a good starting point to ensure that no information is lost, and all of the required internet browsing history remains an important part of any investigation.
To conclude this report, Sony have obvious reason to want to ensure that their users’ data is not easily accessible, and whilst it is inaccessible for the most part, there are instances where the security can be altered, and further issues can arise from that. Sony have an incredible mission in ensuring the protection of their users, and the investigation proved to be a difficult task. The lessons learnt and the tools used by the investigators were an incredible and well-researched form of learning.
References
1. Kharpal, A. (2017). Sony PlayStation 4 sales rise to 60.4 million as console wars with Microsoft's Xbox heat up. CNBC. Retrieved 30 November 2017, from https://www.cnbc.com/2017/06/13/playstation-4-sales-rise-to-60-point-4-million.html
2. Conrad, S., Dorn, G., & Craiger, P. (2010). Forensic Analysis of a PlayStation 3 Console. Advances in Digital Forensics VI, 65-76. doi:10.1007/978-3-642-15506-2_5
3. Sakazaki, L. (2006). Seventh Generation Gaming Consoles: Thinking Outside the Box. Seeking Alpha. Retrieved 30 November 2017, from https://seekingalpha.com/article/22075-seventh-generation-gaming-consoles-thinking-outside-the-box
4. Dachis, A. (2011). How to hack your Wii for homebrew in five minutes. Lifehacker.com. Retrieved 30 November 2017, from https://lifehacker.com/5830367/how-to-hack-your-wii-for-homebrew-in-five-minutes
5. Hacking the Xbox. (2017). Hackingthexbox.com. Retrieved 30 November 2017, from http://hackingthexbox.com/
6. Ridgewell, W. (2011). Determination and Exploitation of potential security vulnerabilities in networked game devices. Retrieved 30 November 2017, from http://dtpr.lib.athabascau.ca/action/download.php?filename=scis-07/open/walterridgewellProject.pdf
7. Shuman, S. (2013). PS4: The Ultimate FAQ – North America. PlayStation.Blog. Retrieved 17 January 2018, from https://blog.us.playstation.com/2013/10/30/ps4-the-ultimate-faq-north-america/
8. CUH-1004A - PS4 Developer wiki. (2018). Psdevwiki.com. Retrieved 8 February 2018, from http://www.psdevwiki.com/ps4/CUH-1004A
9. Dunn, B. (2018). Introducing My PlayStation, a new way to interact with key PSN features from your PC or mobile. PlayStation.Blog Europe. Retrieved 25 February 2018, from https://blog.eu.playstation.com/2018/02/21/introducing-my-playstation-a-new-way-to-interact-with-key-psn-features-from-your-pc-or-mobile/
10. Sony Launch My PlayStation, A New Way to Do Stuff You Can Already Do. (2018). Thesixthaxis.com. Retrieved 25 February 2018, from http://www.thesixthaxis.com/2018/02/22/sony-launch-my-playstation-a-new-way-to-do-stuff-you-can-already-do/
11. Software Usage Terms. (2018). PlayStation. Retrieved 26 February 2018, from https://www.playstation.com/en-gb/legal/software-usage-terms/
12. Director's Investigatory Powers | The Crown Prosecution Service. (2018). Cps.gov.uk. Retrieved 26 February 2018, from https://www.cps.gov.uk/legal-guidance/directors-investigatory-powers
13. Rouse, M., & Bigelow, S. J. (2006). What is hypervisor? TechTarget. Retrieved 14 March 2018, from http://searchservervirtualization.techtarget.com/definition/hypervisor
14. PSVIMG Tools VPK Updates to Decrypt PS Vita Game Backups! (2018). PSXHAX - PSXHACKS. Retrieved 16 April 2018, from https://www.psxhax.com/threads/psvimg-tools-vpk-updates-to-decrypt-ps-vita-game-backups.1795/
15. EMnify 8988303 ICCID, IIN and SIM Serial Number Explained | EMnify. (2016). EMnify. Retrieved 17 April 2018, from https://www.emnify.com/2016/05/06/emnify-8988303-iccid-iin-and-sim-serial-number-explained/
16. Nakashima, E. (2016). Apple vows to resist FBI demand to crack iPhone linked to San Bernardino attacks. Washington Post. Retrieved 18 April 2018, from https://www.washingtonpost.com/world/national-security/us-wants-apple-to-help-unlock-iphone-used-by-san-bernardino-shooter/2016/02/16/69b903ee-d4d9-11e5-9823-02b905009f99_story.html?noredirect=on&utm_term=.7edc1253e190
17. ACPO Guidelines | Publications | 7Safe. (2018). 7safe.com. Retrieved 24 April 2018, from https://www.7safe.com/about-7Safe/downloads/acpo-guidelines
18. Whitwam, R. (2016). Why you should (or shouldn't) root your Android device. ExtremeTech. Retrieved 25 April 2018, from https://www.extremetech.com/mobile/211314-extremetech-explains-why-you-should-or-shouldnt-root-your-android-device
19. Terms of Service and User Agreement | PlayStation. (2018). PlayStation. Retrieved 25 April 2018, from https://www.playstation.com/en-us/network/legal/terms-of-service/
20. PlayStation Vita Memory Card Guide. (2015). Vita Player - the one-stop resource for PS Vita owners. Retrieved 26 April 2018, from http://www.vitaplayer.co.uk/playstation-vita-memory-card-guide/