
Liverpool John Moores University

Department of Computer Science


Final Year Project

Project Title: Digital Forensic Analysis of a PlayStation 4 hard drive with links to XRY Mobile Forensics

Student Name: Luke Bargh

Student ID: 711862

Programme Name: Computer Forensics

Date: 27th April 2018

This project is submitted for the module 6001PROJ/6000PROJ and complies with all relevant LJMU
academic regulations, including plagiarism and collusion.
Table of Contents

Literature Review
Limitations
Procedure of Analysis
Physical Extraction of PlayStation 4 Data
PlayStation Network (PSN) & Sony Entertainment Network (SEN)
My PlayStation
PlayStation Network (PSN)
Internet Browser
System Storage Management
Physical Extraction of a PlayStation 4 Hard Drive
USB Download Test
Involvement of Mobile Forensics (XRY)
Apple iOS Investigation
Android Investigation
Involvement of PlayStation Vita
Critical Analysis of the Results
Conclusions and Further Work
References

Literature Review
Prior to the release of the widely popular PlayStation 4, digital forensic analysts had attempted
to conquer the PlayStation 3 architecture to no avail. The PlayStation 3 system was the most
‘technically advanced system’ in the seventh generation of gaming consoles (Sazaki, 2006), which
leads the investigating team to believe that the PlayStation 4 will surpass the PlayStation 3 and
be an extra challenge to achieve. Conrad et al. (2010) give acknowledgement to this in a chapter
on Advances in Digital Forensics VI with mention of nine different PlayStation 3 models since
the initial release in 2006 to 2009. The main addition to many iterations of the PlayStation 3 being
the increased hard drive size support. The most common model upon release was the original 60
GB with a thicker design, while the ‘Slim’ and ‘Super Slim’ allowed hard drive sizes upwards of
500 GB. The same is true of the PlayStation 4 devices, with frequent changes such as removing the
touch-sensitive power and disc eject buttons of the CUH-1000 models and adding physical
buttons because of consumer reviews. Additionally, the architecture changed with the release of
the PlayStation 4 Slim, which changed the size of the device dramatically, while another,
far more powerful and 4K-capable PlayStation 4 Pro was also released.
The chapter by Conrad et al. (2010) also gives mention to how Sony engineers of the PlayStation
3 allowed users to have a separate partition on the hard drive with the intent on allowing a
secondary operating system to be installed alongside the ‘Unix-like (BSD)’ PlayStation operating
system. This was done to discourage users from modifying the PlayStation 3 console with the
intent of ‘hacking’ as was common in competitor consoles, Microsoft’s Xbox 360
(HackingTheXbox, 2017) and Nintendo’s Wii (Dachis, 2011). The same can be achieved in the
PlayStation 4. The way of ‘hacking’ the device, however, has changed and is significantly harder
due to the constant updating of the PlayStation 4 firmware, thus preventing the practice of
‘jailbreaking’.
Ridgewell (2011) refers to the PlayStation 3’s encryption format, AES 128, which has been
exploited using various methods to retrieve the cryptographic keys Sony uses to decrypt the hard
drives. Hacking group fail0verflow obtained these keys through methods that the investigating
team were unable to recreate. The methods utilised included network forensic techniques as well
as using software tools to determine the security of the console and find any vulnerabilities that
were present. Additionally, through their network forensics, it came to light that the PlayStation
3 TCP and UDP communications were encrypted.
Conrad et al (2010) analysed the PlayStation 3 & 4 to establish a connection between the AES
encryption. The experiments performed by Conrad et al (2010) showed that evidence was not
easily obtained through the use of write blockers and forensic tools; however, the methodology
produced by Conrad et al (2010) remains valid and other investigating teams managed to
repeat the steps taken in other devices. Ridgewell (2011) performed similar tasks on Microsoft’s
Xbox One and retrieved far more information due to the NTFS system type used. For this reason,
the methodology will be used again, altering it for the PlayStation 4 as the proposed method for
gathering data both physically and logically doesn’t seem to be different from previous
generations of the console as shown by Conrad et al. (2010).
Additionally, Sony introduced mobile applications that allow the user to access information about
their device(s) as well as messages from an external device. This prompted further investigation
into the PlayStation system to see what sort of information is held on the devices using the
forensic tool XRY; the investigation would take place on both Android and Apple iOS devices to
ensure that the information that is found and researched either corresponds on both operating
systems or, through rooting an Android, would it give more than the Apple iOS would. However,
knowing that Apple is unwilling to provide or help law enforcement with their devices in terms
of providing data (Nakashima, 2016), it seemed plausible to assume that little information could
be found or the information that is found is encrypted. Regardless, this still prompted the
investigation to go further, with the profile linking through several means of connectivity.
Furthermore, the Sony handheld device PlayStation Vita links to the profile connecting as if it
were on the main device with the functionality of controlling the main device with a remote
connection like feature. As this is more of a gaming platform than the mobile applications it
seemed relevant to include as it may show more in terms of connecting with other users. Conrad
et al (2010) refer to the PlayStation Vita but do not go into a further investigation with it, allowing
this investigating team to follow the same methodology used for the PlayStation 4 and try to
obtain information. There is a struggle with the Vita however with the memory card used in the
device not being of a regular size (Vita Player, 2015); this could pose a problem trying to access
the memory card using a computer as no adapter exists to host the card but it may be easier to
access the data using the device and its content manager.

Limitations
Regarding the digital investigation of a PlayStation 4, the greatest challenge posed is that the
PlayStation 4 utilises a non-standard file system. This is different to the competitor console, the
Xbox One which allows NTFS metadata retrieval (Moore et al., 2014). The PlayStation 4 hard drive
appears to be encrypted, presenting a logical extraction barrier. With the use of a write blocker,
the hard drive can be imaged; however, the encryption makes a full in-depth analysis
difficult. The most appropriate way to obtain evidence in a forensic investigation would be
through the user interface which allows you to view several different artefacts.
Furthermore, the user obtains the ability to alter any information stored within the online service,
PlayStation Network (PSN). The user can access the PlayStation Network account using another
console, the PlayStation 4 Companion Application for mobile devices or the handheld PlayStation
Vita. Access through any of these alternative devices allows the user to modify or remove
potential evidence.
With the increasing use of internet on eighth generation consoles, user-generated content via
social media has become more of a norm (not only on PlayStation 4 consoles but this will be the
focused console). Sharing high scores, game achievements and recorded videos with other online
users requires a device to have an internet connection to use Sony’s online cloud storage service.
From the perspective of a forensic investigation, the hard drive may not be (in this circumstance)
the most important data source as it previously has been. User-generated content is likely to not
appear on the hard drive at all, and if it was to appear it may be encrypted and unusable in the
investigation. This is a limitation to obtaining potential evidence.
Knowing that the PlayStation 4 utilises encryption, it would make sense to do most of the
investigation physically by going onto the device itself and noting down the important findings
with screenshots. However, doing it physically would need the supposed timestamps of the
device to be altered such as the time data was last accessed and modified, when the user last
logged into the device and when messages were last accessed. There is no way of ensuring that
information such as access times and dates are stored on the device or if they exist at all which is
something that the investigating team will take into consideration when doing the preliminary
investigation.
An issue that could arise is the lack of tools that are needed by the investigator to obtain and
access the data. The report uses FTK and XRY as well as a write blocker. The
investigation team doesn’t own this software or hardware and would need to use resources
from the university, but if neither the software nor the hardware is available then it would result in
the investigation being done purely physically. While this may or may not be a problem it would
still be interesting to see what can be obtained doing both physical and logical extractions of the
PlayStation 4 as well as the applications and the PlayStation Vita.

Procedure of Analysis
As all digital forensic investigations must be, the UK Association of Chief Police Officers (ACPO)
Good Practice Guide for Digital Evidence version 5 guideline will be followed for an investigation
of a digital device.
As the PlayStation 4 has been circulating for several years now, the study of available literature
online for a digital forensic investigator to find the main aspects of the console is expansive.
Director of SIEA (Sony Interactive Entertainment America) Social Media, Sid Shuman, posted in a
Frequently Asked Questions blog post (Shuman, 2013) a useful list of which areas could be
analysed. As expected, a physical extraction of data from a PlayStation (or any live console)
consists of having the device powered up and navigating through the number of different menus
on the system; while doing so it would be beneficial for the investigator to note areas that may
give added evidence to the investigation.
Concentrating on the areas that can find who was involved, what had occurred on the device,
when the incident occurred and where it occurred are usual aspects of any investigation, digital
or not, so these steps seemed most proper to follow. The PlayStation 4 can hold up to 16 user
profiles (Shuman, 2013) with 4 users allowed to be active at any given time – this answers the
“who” section of the investigation, however just as easily as it is for a user to create an account,
they can remove it all the same. It may result in further issues for a forensic investigator, however,
all accounts can be viewed online if the user ID is known.
The “what” question refers to the content that has been created on the device, including any
timestamps which indicate “when” the information was initially generated. In the case of “where”,
the place the information is stored can be categorised into physical hardware such as the internal hard
drive disk of the PlayStation 4 or external media such as a USB drive. Additionally, the PlayStation
4 offers a cloud-based system which allows users to back up information such as images and game
save files amongst other things. There are many areas that could be of interest as found below in
Table 1.

Named feature | Reason for further investigation
PlayStation Network (PSN) & Sony Entertainment Network (SEN) | It has become clear that to utilise the full PlayStation 4 experience, a PSN membership is needed. SEN allows further investigation into the account and can be viewed on the main device, or external devices.
Internet Browser | Incorporated internet browser doesn’t support PDF files or Microsoft Office documents. Thumbnails of recently viewed pages provide a sign of users browsing habits. Stores Google search terms, Google map searches, past 100 web pages visited, 100 bookmark limits (Shuman, 2013) and 8 most recently visited web pages
Share Factory | PlayStation Share Factory allows the user to use USB/social media to share content recorded from the PlayStation device or added PlayStation camera. Users may alter footage and add voiceover to the content
System Storage Management | Allows the user to view storage information of the system, saved data from applications, captures (video and image) and any added disk space
Error History | Logs any errors that the system has met during its uptime. Includes an error code, time & date of the incident, if it occurred during a game and then what happened
What’s New | Shows activity of the currently logged on user, as well as those on friends list (achievements, new friends, new games)
Trophies | Unlocked in-game, allows you to compare between friends, shows time and date of when the trophy was unlocked
Profile | Personal to the user can show real full name, avatar
Friends | Friend’s list can be linked to Facebook (social media). Possible to see communication between friends and those who are not yet friends. Can request the user to see full name, can have up to 2000 friends
Party Messages | Up to 8 participants in the party
Messages | Between individual participants or multiple

Physical Extraction of PlayStation 4 Data


PlayStation Network (PSN) & Sony Entertainment Network (SEN)
Possibly one of the most important aspects of a forensic investigation into a PlayStation 4 and
the owner of the said device is having access to the Sony Entertainment Network part of the
website. This, as shown in figures 1 to 5, reveals valuable information about the user such as the
services they are subscribed to, the devices they have connected to the account and
transaction history. Included in the transaction history are details of PayPal accounts that can be
used to make the purchases as well as card details: the last 4 digits of the card and expiry date.
This information is crucial to an investigator as it allows them to potentially find the owner of the
PlayStation and if the card corresponds to the name, use it as evidence.

Figure 1. SEN Dashboard

Figure 1 shows the SEN dashboard, giving the user or a forensic investigator the ability to delve
into the account. From here, access to more detailed and advanced account settings including
editing the user account name, email, password and other valuable information can be visited.
Additionally, the devices associated with the account can be viewed. Figure 1 shows ‘My PS4’, the
main device associated with the account. This does not give any information about the PS4 such
as a MAC address, so it may be difficult to decide if this is the PS4 that is being investigated.
Furthermore, any earlier transactions can be viewed by following the links on the page. This will
be accessed later. This dashboard can be detrimental to the physical extraction of information
essential to investigation. While the actual device itself is important, the information here can be
as easily accessed by the investigator or the user of the device. Isolating this web page to ensure
no outside users can gain access would be of top priority. To do this, you may have to alter the
password for the account which, in turn, could break the ACPO guidelines. However, with reason
to do so, this should not be an issue.

Figure 2. SEN Account Management

Figure 2 shows another incredibly important aspect of the SEN webpage. Here, the user could
change their ‘real name’. This – usually – would not be a feature used by many, unless the user
gets married or their legal name changes, the feature would be overlooked by a sizable percentage
of the online community. So, on the off chance this changes when the account is being checked, it
may be to hide the name of the user and take the scent off their name. To prevent any issues such
as this it may be useful to – as above – take screenshots with relevant times and dates, and any
changes can be added if made, with the times and dates as proper.

Figure 3. Detailed Account Details

Figure 3 shows more in-depth account details, with information about how long the user has been
using the PlayStation Network service (PSN), their preferred gender, registered email address
and home address. This can all be edited if chosen so by the user, however, this can be used to
track the potential user of the device, as well as being used to decide if the user they believe to
own the device is the correct user. As aforementioned, however, if the user was to change the
details before proper action was taken to note the information shown here, it could create issues
for the investigation and cause inconsistencies within the expert report. For this instance – and
instances beyond this – it would be proper to make note of the information shown here with
correct dates and times.

Figure 4. SEN Transaction History

Figure 4 above is the transaction history for the user account associated with
‘lukebargh106@hotmail.co.uk’. Useful information that can be used here is the date the purchase
was made, as well as the account bought from and the amount it was bought for. While the
investigating team may already have a solid amount of evidence to link the account to the console,
it may be worthwhile to take into consideration the transaction history also. Not only can this be
used to decide who the owner of the device is, the investigating team may want to utilise the
Regulation of Investigatory Powers Act 2000 (RIPA) to check the bank account of the person
linked to the account.
With this information, it allows the investigating team to view the supposed transactions between
a specified date and if the amount spent corresponds to that on the transaction history. While this
may not be a lot of valuable information, it gives more of a lead to the investigation by allowing
the team to potentially decide if the card used to buy the items belongs to the owner of the
console.
Additionally, if the card used does not belong to the owner of the console then this brings out
more charges that can be added to a court hearing. Another way of obtaining information about
the investigation could be through a disclosure notice. Investigatory Powers Under Sections 60-
70 Of the Serious Organised Crime and Police Act 2005 states that the authorised prosecutor may
need the person whom it is to give to do all or any of the following:
1.4 A disclosure notice is defined in Section 62(3) as a notice in writing needing the person to
whom it is given to do all or any of the following:
a. answer questions with respect to any matter relevant to the investigation;
b. provide information with respect to any such matter as is specified in the notice;
c. produces such documents, or documents of such descriptions, relevant to the investigation as
are specified in the notice.
Section C, ‘produce such documents, or documents of such descriptions, relevant to the
investigation as are specified in the notice’ could be used about this instance as we would need a
bank statement.

Figure 5. SEN Devices

Finally, figure 5 of SEN shows the device associated with the account logged in. While it shows
very little, it does show that a PlayStation 4 is activated with the account. This may not be used in
an investigation, but it is worth noting that the account has one.

My PlayStation
As of February 21, 2018, a new feature website “My PlayStation” was introduced, allowing you to
‘interact with key PSN features from your PC or mobile’. Dunn (2018) claims “The website is
already up and running, so go check it out! Our goal is to bring you a compelling social experience
even when you’re away from your console. We’ll continue to enhance and add more features to
My PlayStation on a regular basis, so make sure to keep checking in.”, however, with regards to
forensic investigations, this poses more of a risk to information being altered during an
investigation into a profile.

Figure 6. My PlayStation dashboard

Immediately, this page is very similar to the SEN dashboard as prior mentioned. This has been
criticised on forum pages as being ‘a new way to do stuff you can already do’ by popular online
forum The Sixth Axis (2018).

Figure 7. My PlayStation messaging

Figure 4 shows a feature not yet seen for PlayStation users. My PlayStation now offers online
messages which have been a positive addition. Prior to this addition, users would only be able to
message using the device itself or by using the PlayStation Companion Application for iOS and
Android devices.

Figure 8. My PlayStation 'edit account'

The ‘edit account’ section of the website offers you similar options to that of the SEN dashboard,
however, the main alteration users can achieve is changing their ‘real name’. While this may not
seem as important, having access to both websites at the same time and changing the name can
cause confusion to the case officer and investigating team. The rest of the website poses no real
use to an investigation, for this reason, there is no need to pursue any further evidence from My
PlayStation.

PlayStation Network (PSN)

Figure 9. PlayStation Network Subscription

Continuing with the physical extraction of the PlayStation 4 device, this part is the PlayStation
plus subscription section. Here, it shows the user is currently in use of the paid service of PSN. It
shows the current title and length of service the user is subscribed for. In this instance, the user
“Luke Bargh” has a 12-month ongoing subscription which started in October 2017, due to finish
October 2018.
As mentioned previously with the transaction history, noting the time and date that the
subscription was bought with the intention of cross checking with a bank statement of this time
could be beneficial to help decide who owns the device. The only issue that may arise from this is
that you can buy a subscription separately and give it as a gift. Additionally, you can buy a gift
card and use this as a means of paying for the object.
The transaction history will show this as adding to the virtual ‘wallet’ which can also help
differentiate between a card buy and a top up.

Internet Browser

Figure 10. PlayStation browser

This is the on-device internet browser. While it is relatively basic in its features, it can be used to
potentially commit crime or illicit activities. The above figure shows an online repository of
television programs and movies that can be viewed for free by using streams. In the grand scale
of legal issues that can arise from using a PlayStation 4 illegally this is quite tame. Sony does let
the user know that any online behaviour is being checked however.
In the Software Usage Terms (2017), “we reserve the right in our sole discretion to check and
record any or all your Software activity and to remove any of your UGM at our sole discretion,
without further notice to you … This information may be passed to the police or other appropriate
authorities.” In terms of illicit activity, it is being monitored and, in the instance that Sony believes
it could become an issue, relevant law enforcement will be notified. By using the PlayStation
device, the user accepts the Software Usage Terms.
Additionally, the browser comes with a history detailing the websites browsed in a basic manner.
Unfortunately, this browsing history does not show when the website was accessed, and this
information cannot be found logically or physically which could be a barrier to forensic
investigators.

Figure 11. Internet Browser History

Furthermore, if the browser history is cut then the investigator cannot find it again as is possible
in a computer hard drive investigation. This is another barrier if the internet browsing history was to be
viewed. For this reason, it would be important to make note of the websites currently on the
browser history in case of any being cut. It is not possible to cut the browser history from another
location, so if the device is physically had, then the browser history will also be had.

System Storage Management

Figure 12. System Storage Management

The system storage management accurately checks the data that is stored on the device. As per
most devices, the application section holds most of the storage as this is for games and save data,
as well as installed game data.
While it stores application data, it also stores captures which can be video or image; right now,
the device only has image captures
on it. As well as this it holds save game data which is relatively small in size when compared with
previous generations. The device also allows the user to install and have themes as a cosmetic
improvement to the original theme.
The free space shows how much more data the device can hold. While there is no ‘other’ or
‘miscellaneous’, it is not known where data such as the internet browser history or error logs are
stored. This information can be easily found on the device and usually doesn’t take up a lot of
space though.

Figure 13. Error History

An important feature of the PlayStation 4 is the in-depth error history. The error number is
unique to the issue that pertains; this could be in game or in application. Using this error number
on the internet through a search engine will give you an easier understanding of how and why
this happened.
Additionally, the device gives a day of when this happened and a time of when this happened in a
24-hour format. This could be potentially used to pinpoint when a user was on the device. This
doesn’t have a massive impact on an investigation however if the device were to suddenly break
or turn off, the device would provide the user with an error code. This can then be viewed on the
console and noted.
The error history usually doesn’t show much in the way of an investigation as it shows when the
console broke or has an issue that needed the device to give an error code, however suppose this
were to occur during the investigation then it would be easier to decide the cause of the problem
and ensure it does not reoccur.

Figure 14. What's New

The ‘What’s New’ feature was previously used on the PlayStation 3, however on the PlayStation
4 it was updated to have more of a social media aspect to them. This shows the times and dates
that ‘friends’ of the user were active, it also shows when the user was active and if they have
unlocked any trophies, added new friends or even posted a social update using the ‘What are you
up to?’ feature.
While it does show some information about who is using the device and the people the user
associates with, the only real benefit to viewing this would be to see any text updates. Figure 14
does show an exuberate amount of information but very little of it is of importance, the trophies
obtained by another player is irrelevant as it shows no benefit to the investigator. However, the
first section shows a player adding new friends, this may be beneficial as if it comes to light that
the user of the device has been communicating with another user who then adds more friends
who have no games or trophies it may show that they bought the PlayStation only for
communication. So, while the trophy earning is useless, the adding of inexperienced players and
being able to see what another player is doing shows some usefulness.

Physical Extraction of a PlayStation 4 Hard Drive


Before starting the extraction, it is recommended to make backups either on the device itself or
externally in the case of an issue where data has been lost and cannot be regained.
The model of device that will be forensically analysed is a CUH-1004A, the hard drive is a 1TB
Toshiba MQ01ABD100. This hard drive was bought and installed after the device was bought, as
the standard PlayStation 4 carries a 500GB hard drive.
To carry out the physical extraction of the hard drive contained within the PlayStation 4, a
forensic investigator would first have to ensure that the power cable found on the back side of
the PlayStation 4 was unplugged. Following this, there must be no power going in or out of the
PlayStation 4 as a precaution to prevent any static damage occurring to the hard drive or any
equipment used by the task force.

Figure 15. PlayStation 4 with case on
Figure 16. PlayStation 4 with case off

Using a bit of force, push the left most side of the PlayStation 4 (jet black on older generations,
matte black on recent generations) to remove the casing and show the hard drive. Using a Philips
head screwdriver, unscrew the PlayStation branded screw holding the hard drive in place, and
remove it from the casing.
From here, the metal casing will have 4 added screws that are optional in removal when doing
forensic analysis of the hard drive. For the time being the screws were left in place. To prevent
any live data being damaged in the process, a Tableau Forensic SATA/IDE Bridge, Model T35e
write-blocker was used.
The write blocker is powered using a standard 3 prong UK plug, and connects to the computer
using a USB connection. Before turning on the device it is recommended to connect the write
blocker to the hard drive.

Figure 16. Tableau Forensic SATA/IDE Bridge write-blocker, model T35e
Figure 15. PlayStation 4 hard drive connected via Tableau T35e

With every required device connected and switched on, it was time to move to a hard drive
investigation tool. In this instance, Forensic
Toolkit (FTK) by AccessData. With the case opened and all proper information about the
investigation team entered, it was time to begin.
In order to add evidence, select “Evidence” as shown in Figure 19.

Figure 19. Forensic Toolkit adding evidence

As the physical drive has been acquired, this option must be chosen when selecting the evidence
type, as seen in Figure 19.
Knowing the device that is being investigated, in this case the TOSHIBA MQ01ABD100 (the model
name is found on the hard drive itself), could be beneficial in circumstances where a lot of drives
are connected or the investigator is unable to differentiate between two different hard drives. In
this instance, there are two hard drives on the device; however, the PlayStation 4 hard drive is not
an SSD, so the top Samsung device was not going to be used as this is the computer’s storage.

Figure 20. Choosing the PlayStation hard drive

Figure 21. FTK with PlayStation HDD

Going into this investigation, the investigator was aware that previous generations of PlayStation
consoles such as the PlayStation 3, and currently the PlayStation 4, have been encrypted; hence the
logical extraction being more important. Ridgewell (2011) made note that hacking group
fail0verflow managed to decrypt the PlayStation 3 during boot loader mode as the Hypervisor, a
function that isolates operating systems and applications from the hardware (Rouse, M, Bigalow, S,
2006). The boot loader does not check for signed code, thus allowing custom code to execute from
the likes of a USB drive. This has yet to be accomplished in later firmwares of PlayStation 4.

Figure 22. FTK Decryption

Knowing this, FTK has its own inbuilt decryption. This did not work and provided no benefit to
the investigation.
Figure 23 is the process of decryption, lasting 4 seconds and providing no evidence to the
investigator as the decryption in FTK didn’t manage to open anything on the hard drive. This is
disappointing as no passwords are known to the investigating team and without the password
or encryption key, very little can be obtained.

Figure 23. FTK Decryption Process

Figure 24. PlayStation hard drive in FTK

Figure 24 is the overall investigation of the hard drive. Seen in the file content section, there are
a lot of hexadecimal characters. This cannot be read by human or computer and without
decryption would provide no significance to the investigator.
This would be useful to the investigator if the file content shown in the ‘hex’ section were
readable; unfortunately the investigator can’t read the hex portion, thus resulting in no further
investigation occurring.

USB Download Test
During the logical investigation, screenshots were taken using the
‘Share’ button on the Dualshock 4 Controller. Downloading these
to a USB drive allows an investigator to view some more important
data pertaining to the investigation.
To attempt to view this information, Exif Pilot was used. This
shows the make of the device (Sony Interactive Entertainment
Inc.), the model (PlayStation®4) and the current firmware in place
on the device (5.05).
Additionally, it shows the exact time and date the image was taken.
In instances where images are taken using the share function of the
PlayStation 4, it does unfortunately not show the GPS location of
where the device was when the image was taken. This is because
the PlayStation 4 does not carry a GPS chip.
This seemingly is the only information that could be important in
an investigation.

Figure 25. Image downloaded from PS4 in Exif Pilot

Involvement of Mobile Forensics (XRY)


With the increasing involvement of mobile phones in regards to video game consoles, many
console developers have opted for a ‘companion application’ of sorts, allowing the user to view
information that may be of interest to their account. Sony’s PlayStation® companion application
also allows the user to seamlessly alternate between messages, the PlayStation store and their
profile settings.
For the portion of this investigation, the mobile devices being used will be an Apple iPhone 7,
128GB running 11.2.5 with an EE nano sim card inserted. This phone is a personal use phone
and will have information redacted to prevent personal information being reviewed. The second
phone is a Samsung Galaxy A5, 32GB micro-SD card running Lollipop (5.0) without a sim card
inserted. This phone was a formerly personal use phone and holds no personal information as it
was wiped for this experiment.
The reason for choosing two different operating systems is based on the security of Apple’s
operating system compared to the Android operating system. Android operating systems can be
rooted easily on every version and, in this way, XRY offers the investigator full access to the
operating system (Whitwam, 2006). Theoretically, this will show far more information than the
Apple operating system; however, the assumption that Sony will encrypt their files just the same
must be considered.
To begin with, the application PlayStation® Companion Application was downloaded onto
both devices using the App Store on iOS and Google Play Store on Android OS. Additionally, PS
Messages was downloaded on their respective application stores. The investigating team logged
into the applications using the same account that has been used on the PlayStation 4 to ensure
integrity. Once logged in, both phones were connected to the computer running XRY and the
process began. The time it takes to finish is dependent on the amount of data that is on the phone
internally and externally (if a micro SD card is present) and the power of the investigating
computer. In terms of the computer used in this investigation, it was highly powered and reduced
the amount of time it took to retrieve the data dramatically.

Apple iOS Investigation


The first operating system that will be investigated is the Apple iPhone as it is the most used
phone of the two and it makes sense that it would hold more relevant data.
The easiest way of finding either “PlayStation” or “Sony Entertainment” was to filter the results
to search for these, reducing the time it takes to find information and the chance of missing it
when going through every individual piece of data on the phone. The amount of individual files on
the device is 102,689 so taking the time to go through it all seems wasteful. Out of the 102,689
files, only 205 had the word ‘PlayStation’ in. In terms of “sonyentertainment”, significantly less
information was found which leads the investigator to believe that a lot of the information is
stored under “PlayStation”.

Figure 26. Sony Entertainment files in XRY

28 of the files were cookies from store.playstation.com, 92 pictures were saved either from emails
sent regarding the store or through the ‘friends’ or ‘players met’ function in PlayStation systems
that allows the user to add users they have played with/against. There were 8 documents, most of
which were tables for setting up data. 7 databases were found in an SQLite format and 53
unrecognisable files that were stored as ‘Blob’. Of the 205 files that were found, only a select few
seemed like they would hold any relevant data. The pictures were irrelevant, as were the web
searches and unrecognised blob files. Knowing that Sony have a habit of encrypting their data with
intent of discouraging users from finding data and with Apple’s unwillingness to provide data to
law enforcement (Nakashima, 2016) it seemed reasonable to assume their data would follow some
form of encryption to prevent a user obtaining data.
The next step was to view the data itself using XRY Viewer. The investigator would also be
required to sift through a lot of information that could hold data either relevant – or not – to the
case. The first piece of information that was found and possibly the most important is a password
stored on the device to login to the account, it also gave the email address associated with the
account; to ensure integrity, the password has been removed.

Figure 27. XRY showing email and passwords to login

With the knowledge of where the information has been gathered from, it would be a good start to
note down where it had been retrieved from, and if used, why it has been and what it was used
for. In this circumstance, the investigating team would be accessing live data in terms of the
account which is an issue in relation to the ACPO guidelines, “Principle 2: In circumstances where
a person finds it necessary to access original data, that person must be competent to do so and be
able to give evidence explaining the relevance and the implications of their actions.” (7Safe, 2018).
The investigating team may decide that they are competent to access the data and the reasoning
behind accessing it is explained as access to the account is needed to follow the user
There were 8 documents containing the word ‘PlayStation’ that were stored as PLIST files. This is
a settings file format used by macOS applications, and as this is an iPhone it seems appropriate
that .plist is used. The .plist file is readable using open-source software such as plist Editor.
Coming into the investigation, the investigator was aware that information may be stored in files
such as SQL databases, which is what had been found in the documents. The next step was to
extract all 8 of these files and use tools relevant to their extension; in some cases a database
browser was used.

Figure 28. PlayStation filtered documents in XRY
Going through the list of documents became an issue from the outset as the investigating team are
aware of the encryption Sony have taken into consideration to either prevent the user finding
data, or to protect the user’s data. Initially, CLSUserDefaults.plist.xml was opened using DB
Browser and prompted the investigator to enter a password that was unknown; this resulted in
moving on to the following files because no sort of key or passphrase was found in previous
investigations.

Figure 29. Encrypted file extracted from XRY
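
Added example, not part of the original report: a triage step for the two unreadable artefacts met so far, the PlayStation 4 drive's hex view in FTK and CLSUserDefaults.plist.xml. It checks the leading signature bytes and the Shannon entropy so that a recognised container can be told apart from ciphertext-like data before a tool is chosen, since a password prompt in a SQLite browser can also appear for a file that is simply not a plain SQLite database. All sample bytes are constructed, and the 7.5 bits/byte threshold and 4096-byte block size are assumptions.

```python
import hashlib
import math
import os
import plistlib
import sqlite3
import tempfile

# Leading bytes of the container formats met in this extraction.
SIGNATURES = [
    (b"SQLite format 3\x00", "sqlite database"),
    (b"bplist00", "binary plist"),
    (b"<?xml", "xml text (may be an XML plist)"),
]


def shannon_entropy(data):
    """Bits per byte: close to 8 for ciphertext or compressed data, much lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def triage_file(data, threshold=7.5):
    """Classify one extracted file by signature first, entropy second."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    if shannon_entropy(data) >= threshold:
        return "no known header, high entropy: encrypted or compressed"
    return "no known header, low entropy: unrecognised plain format"


def high_entropy_fraction(image, block=4096, threshold=7.5):
    """Share of written blocks in a raw image that look like ciphertext."""
    scored = hot = 0
    for start in range(0, len(image), block):
        chunk = image[start:start + block]
        if chunk.count(0) == len(chunk):  # skip zero-filled (never written) blocks
            continue
        scored += 1
        hot += shannon_entropy(chunk) >= threshold
    return hot / scored if scored else 0.0


def ciphertext_like(n):
    """Constructed stand-in for encrypted bytes: SHA-256 output in counter mode."""
    blocks = (hashlib.sha256(i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def build_samples():
    """Constructed artefacts, one per outcome; the values are not from the case."""
    record = {"onlineID": "example_user", "a.DayOfWeek": 5}
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, body TEXT)")
        con.commit()
        con.close()
        with open(path, "rb") as handle:
            sqlite_bytes = handle.read()
    finally:
        os.remove(path)
    return {
        "xml plist": plistlib.dumps(record, fmt=plistlib.FMT_XML),
        "binary plist": plistlib.dumps(record, fmt=plistlib.FMT_BINARY),
        "sqlite": sqlite_bytes,
        "opaque blob": ciphertext_like(64 * 1024),
        "plain text": b"new_message_thread_one_line_layout " * 500,
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        print("%-12s -> %s" % (name, triage_file(data)))
    print("ciphertext-like image:", high_entropy_fraction(ciphertext_like(1 << 20)))
```

A fraction near 1.0 across the written blocks of a drive image is what full-disk encryption looks like; a file that starts with a known signature should be opened with the matching tool instead.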

The next file, com.playstation.eu.mobilemessages.plist, was opened in PList Editor and provided
little to no information that could be of use in an investigation. It had reference to ‘keys’ but
nothing to suggest what the key would be relevant for. This was frustrating as the name
‘mobilemessages’ suggests that it would show the messages from the device, but this was not
the case. With some of the larger strings of data it occurred to the investigator that it may be some
sort of cipher even though this seems unlikely; regardless, it was run through different cipher
decryption tools available online and provided nothing.
There is an XML View in PList Editor as well as a List View which is easier to read with the
information being listed rather than in the XML View where it is still listed, but in a way that
makes it difficult to interpret.
Figure 30 shows the listed data with some mentions of time stamps and dates, as well as other
information that seems irrelevant to what the investigating team is trying to search for.
Unfortunately, this may be the norm for these files with Sony having little intention of showing
their data, so this is something that is considered going forward.

Figure 30. XML data from extracted PlayStation file
The files “embedded_SQLite_table_Z_METADATA_row_0_column_Z_PLIST.plist” ranging from 1 to
4 are all empty in terms of data to retrieve, however “group.com.playstation.eu.mobilemessage”
and “com.playstation.eu.playstationadhoc” show the most information regarding the user. While
it may not be as important to the investigation as one would hope, it does shed some light on
where to begin. The first, “com.playstation.eu.playstationadhoc” shows a string
{“onlineID”:”lxtrxi” … which is the username that is associated with the account being
investigated. This has probably already been known to the investigating team due to probably
having the main device (PS4) however it can be noted as important. Furthermore, both files hold
data about the actual phone and how long the application has been used for.
This information is found in XRY anyway, but the information that seemed relevant in the
circumstance that the user would be taken to court due to their maleficent actions could be
a.DaysSinceFirstUse, a.HourOfDay, a.DayOfWeek and a.DaysSinceLastUse. a.DaysSinceFirstUse
can be used to see when the suspect had first used this application and to start a timeline of sorts.
a.HourOfDay and a.DayOfWeek correlate to each other: it shows in the plist that the day it was
used was 5, and the hour it was used was 12; by elimination we can say this would be Friday at 12
o’clock. The issue is, it doesn’t give a week or timestamp so this information could wither away,
however it is still important when trying to piece together a timeline of events.

Figure 31. Information about PlayStation application use
Moving forward, XRY holds databases in a separate category which is more user friendly than
having to go through every file to determine the extension.

Figure 32. PlayStation databases stored in SQLite

There are only 7 databases stored on the phone and the rest of the information would be obtained
physically as seems to be the norm with Sony devices. The extraction process is the same as the
documents and the SQLite databases would be opened using a free database browser.
The following databases unfortunately held absolutely no data and were more of a way of sorting
any data that was imported through tables. This was unfortunately the last piece of data that was
stored on the iPhone which shows that there is little to no information pertaining to Sony or
PlayStation that could help the investigation progress.

Figure 33. Empty database extracted from XRY

LocalData.sqlite was assumed to hold some data about the device or the user but unfortunately
nothing was shown and resulted in the investigation moving onto the Android operating system
instead.

Android Investigation
The Android had both an external microSD card as well as internal storage, for this reason both
were involved in the investigation. Using the same method as used for the Apple operating system
and searching for “PlayStation” and “sonyentertainment” reduced the amount of time required
to sift through information. Using the filter method, the investigation brought back 2,011 files that
held anything to do with “PlayStation” and of the 2,011 files 1,119 were pictures. Through
scrolling it showed that these pictures were either from emails that were on the device, or from
the PlayStation applications such as image place holders. As was seen in the Apple investigation,
the pictures are irrelevant and can be ruled out.

Figure 33. Images in XRY

There were 589 documents which initially seemed like a benefit to the investigation however
upon further investigation showed that they were simply just .xml or extensible markup language
files for designing the application, the likes of “new_message_thread_one_line_layout.xml”
would just be for layout of a message. Unfortunately, this meant that the 589 documents could
still be investigated but would pose no real benefit to an investigation.

Figure 34. Unnecessary XML files

In terms of databases there are 8 that can be extracted, the databases that seemed to be of the
most importance would be “Cookies” or “Web Data”. However, as seems to be the standard for
the files stored on the devices, there was little significant information. While the Cookies file did
have some items in the databases, the data seemed irrelevant and had no sort of usefulness.

Figure 35. Cookies database

The same can be said for Web Data as it holds no information and is essentially a blank database
with a lot of blank tables. The remaining 6 databases were the same databases that could be found
on the Apple phone and held no data once more.

Figure 36. Empty database
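
Added example, not part of the original report: for the databases reported as empty in both the iOS and Android sections, a read-only check that separates a schema that was never populated from one whose rows were deleted, because freed pages and a write-ahead log can still hold old records. The table name, file names and contents are constructed.

```python
import os
import sqlite3
import tempfile
from pathlib import Path


def summarise(path):
    """Open a working copy read-only and report rows per table plus page statistics."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        names = [row[0] for row in con.execute(
            "SELECT name FROM sqlite_master "
            "WHERE type = 'table' AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        rows = {}
        for name in names:
            quoted = '"' + name.replace('"', '""') + '"'
            rows[name] = con.execute("SELECT COUNT(*) FROM " + quoted).fetchone()[0]
        return {
            "rows": rows,
            "page_count": con.execute("PRAGMA page_count").fetchone()[0],
            "freelist_count": con.execute("PRAGMA freelist_count").fetchone()[0],
            "wal_present": os.path.exists(str(path) + "-wal"),
        }
    finally:
        con.close()


def verdict(summary):
    """Separate 'never populated' from 'emptied', which may still hold old records."""
    if any(summary["rows"].values()):
        return "has rows"
    if summary["freelist_count"] > 0 or summary["wal_present"]:
        return "empty tables, but free pages or WAL present: examine raw pages"
    return "schema only, never populated"


def build_samples(folder):
    """Constructed databases: one schema-only, one filled and then emptied."""
    fresh = os.path.join(folder, "fresh.sqlite")
    emptied = os.path.join(folder, "emptied.sqlite")
    for path, fill in ((fresh, False), (emptied, True)):
        con = sqlite3.connect(path)
        con.execute("PRAGMA auto_vacuum = NONE")  # keep freed pages on the freelist
        con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
        if fill:
            con.executemany("INSERT INTO message (body) VALUES (?)",
                            [("constructed message %04d " % i * 4,) for i in range(2000)])
            con.commit()
            con.execute("DELETE FROM message")
        con.commit()
        con.close()
    return fresh, emptied


def demo():
    """Run both constructed databases through the check."""
    results = {}
    with tempfile.TemporaryDirectory() as folder:
        for path in build_samples(folder):
            summary = summarise(path)
            results[Path(path).stem] = (verdict(summary), summary)
    return results


if __name__ == "__main__":
    for name, (text, summary) in demo().items():
        print(name, "->", text, summary)
```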

Through the investigation of both phones, the only significant piece of information found is the
stored data that is used to login to the Sony Entertainment account, this is an autofill file simply
showing the email and password. This is incredibly useful in the investigation as it allows access
to the account, however if the autofill information is not correct then access would be denied.
Regardless, this is a huge benefit to the investigation.

Figure 37. Sony Entertainment Network logins

There is no further investigating that can be found through the mobile phones using XRY thus
resulting in the physical extraction of data being done using the actual application on the phone.
This would obviously result in the phone being used and would require it to still be in the
investigator’s possession.

As previously stated, the PlayStation Companion Application allows the user to seamlessly move
to the PlayStation Messaging Application as if it were the same application all together. The
physical extraction of data will be done on the iPhone as both the iPhone and Android versions are
the same and the information obtained would be exactly the same.
The profile shows the name on the application that can be changed on different platforms, as well
as the online ID that is seen by other players. The online ID cannot be changed, and will only be
changed in specific circumstances where the ID breaks the PlayStation & Sony Entertainment
terms of service (PlayStation, 2018).
Here, the user has the ability to edit their profile.

Figure 38. Profile on iOS

Choosing to edit the profile takes the user to the Sony Entertainment Network page where the
real name can be changed.
This has been mentioned in the report before as the user and investigator can view this page on
every device that is connected and can alter the information if they so desire. This can be an issue
if the account is being monitored and the user is aware of this because they can change the
account as easily as they can view it.
The mobile application also allows the investigator to view the same things that can be viewed on
the main device such as the friend list (who is online as well as offline), viewing messages between
individual persons and party messages and the ‘Whats New’ section that allows a user to post
updates as if it were a social media.

Figure 39. SEN Profile on iOS

The obvious difference between the mobile applications and the PlayStation 4 is that one is a
device and one is an application; however, in terms of what is different, there is little change. The
user can send messages, talk in parties using the mobile’s microphone, view and alter information
amongst other things.
Following the investigation of the mobile applications and the information that has been stored,
it has come to light that while some information such as the account login is saved, that seems to
be it.
It is interesting to see the difference in how much information is stored in comparison between
the Android and iOS systems but unfortunately it shows that Sony have made the decision to not
store as much data as an investigator would like.
There is one database that is encrypted (CLSUserDefaults) but without the password or any
knowledge of where to find it, it is the end of the road.

Figure 40. Messaging application on iOS

Involvement of PlayStation Vita


To determine the security of the user account linked through the PlayStation 4® as well as
PlayStation mobile applications such as PlayStation Messaging, it seemed appropriate to include
the handheld PlayStation Vita® during the investigation. The reason this device seems so
important is not only the fact that the operating system follows closely to that of the PlayStation
4, but due to the fact that there is a slot for a standard 15x25mm SIM card to allow a user to, if
they so desire, play ‘on-the-go’.
Aside from this, the PlayStation Vita functions as though it is a console. It offers many of the same
features that standard consoles have such as VoIP in parties (where the user can connect from
the PlayStation Vita and speak to users on PlayStation 4), WiFi connectivity, use of an internet
browser and gaming with access to online multiplayer. While the online multiplayer section
has dwindled in numbers since its release due to poor marketing, the device is still popular and
in terms of digital forensics, can be beneficial to a criminal even though it is not as important as
the main device.

Figure 41. SEN showing PS Vita linked to account

According to the Sony Entertainment account management page, the PS Vita System is connected
and activated to the user’s account. The device requires the user information in order to connect
to the account.

After some more investigation, the device seems to hold a lot of incredibly important information.
Primarily, location services that allow the location to be stored on the device and items such as
pictures taken using the on board camera (front & back). The image in Figure 42 is taken using the
PlayStation Vita’s camera with location data enabled.

Figure 42. Picture taken using PS Vita

The device uses a special device manager called ‘Content Manager Assistant’ provided by Sony;
this is required to export any data from the device, and using forensic tools such as FTK or EnCase
provides no benefit. However, using the content manager to export the images taken provided the
investigation with some important information. Moving forward to Exif Pilot, an image exif
viewer, it provided the investigation with GPS coordinates based on the location that the image
was taken from.

Figure 43. Location data turned on PS Vita

After further investigation, there seemed to be no option to alter the location of the device other
than going to a different location unless the user had a homebrew included in their device and
utilised a VPN. However, in terms of homebrew it is easy to determine if the device has been
altered. As the device used in the investigation doesn’t belong to the investigation team,
homebrewing was not an option as it could damage the device if done incorrectly, voids the
warranty and is against the Sony terms of service – this could result in the account associated
being closed.

In Exif Pilot, the make and model show the device used to take the images was a Sony PlayStation
Vita. It also shows the correct dates and times that the images were taken with information
pertaining to the flash. The device doesn’t have flash so this is correct. Additionally, it shows the
software version which could be beneficial as the device itself still frequently updates.

Figure 44. GPS data of PS Vita picture

The most important piece of information to take from this is the latitude & longitude. According
to Exif Pilot, the north latitude and longitude is, in a way that can be read in an online map:
53°24'25.0"N 2°57'08.3"W
Using this, Google Maps was used to determine if the location was correct and it was.

Figure 45. Google Maps showing GPS location

Highlighted in red is the exact location the image was taken and as the image was taken by the
investigator, it can be verified. This is important as the location can be
used to determine if the devices linked to the account are all in this
location.
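
Added example, not part of the original report: a minimal EXIF reader for the two images examined in Exif Pilot, the PS4 screenshot (make, model and firmware, no GPS) and the PS Vita photo (GPS present), which converts the GPS rationals to the map-readable form quoted above and to decimal degrees. Both JPEGs are constructed in code; the model strings, the Vita make and software fields and the degree/minute/second rationals are assumptions.

```python
import struct

# Tag ids are from the TIFF/EXIF specification; every sample value below is constructed.
TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x8825: "GPSInfo"}
GPS_TAGS = {1: "LatRef", 2: "Lat", 3: "LonRef", 4: "Lon"}
TYPE_SIZE = {2: 1, 4: 4, 5: 8}  # bytes per component: ASCII, LONG, RATIONAL

def find_exif_tiff(jpeg):
    """Walk the JPEG segments and return the TIFF block of the APP1 Exif segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xFFE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        if marker == 0xFFDA:  # start of scan: no metadata segments follow
            break
        pos += 2 + length
    raise ValueError("no Exif segment")

def read_ifd(tiff, offset, names):
    """Decode one IFD into {name: value}; offsets count from the TIFF header."""
    end = "<" if tiff[:2] == b"II" else ">"
    (count,) = struct.unpack_from(end + "H", tiff, offset)
    out = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(end + "HHI4s", tiff, offset + 2 + 12 * i)
        if tag not in names or typ not in TYPE_SIZE:
            continue
        size = TYPE_SIZE[typ] * n
        # Values over 4 bytes live elsewhere; the 4-byte field then holds their offset.
        start = struct.unpack(end + "I", raw)[0] if size > 4 else None
        data = raw[:size] if start is None else tiff[start:start + size]
        if typ == 2:
            out[names[tag]] = data.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 4:
            out[names[tag]] = struct.unpack(end + "I", data)[0]
        else:
            v = struct.unpack(end + "%dI" % (2 * n), data)
            out[names[tag]] = [v[j] / v[j + 1] if v[j + 1] else 0.0 for j in range(0, 2 * n, 2)]
    return out

def dms_text(dms, ref):
    """Degrees, minutes and seconds in the form an online map accepts."""
    return "%d°%02d'%04.1f\"%s" % (dms[0], dms[1], dms[2], ref)

def to_decimal(dms, ref):
    value = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -value if ref in ("S", "W") else value  # south and west are negative

def extract(jpeg):
    """Return Make/Model/Software plus GPS fields (None when there is no GPS IFD)."""
    tiff = find_exif_tiff(jpeg)
    end = "<" if tiff[:2] == b"II" else ">"
    info = read_ifd(tiff, struct.unpack_from(end + "I", tiff, 4)[0], TAGS)
    gps_offset = info.pop("GPSInfo", None)
    info["gps_text"] = info["gps_decimal"] = None
    if gps_offset is not None:
        g = read_ifd(tiff, gps_offset, GPS_TAGS)
        if set(GPS_TAGS.values()) <= set(g):
            lat, lon = (g["Lat"], g["LatRef"]), (g["Lon"], g["LonRef"])
            info["gps_text"] = dms_text(*lat) + " " + dms_text(*lon)
            info["gps_decimal"] = (to_decimal(*lat), to_decimal(*lon))
    return info

def _ifd(entries, base):
    """Serialise [(tag, type, count, payload)] as a little-endian IFD placed at base."""
    table, data = struct.pack("<H", len(entries)), b""
    data_at = base + 2 + 12 * len(entries) + 4
    for tag, typ, n, payload in entries:
        field = payload.ljust(4, b"\x00")
        if len(payload) > 4:
            field = struct.pack("<I", data_at + len(data))
            data += payload
        table += struct.pack("<HHI4s", tag, typ, n, field)
    return table + b"\x00" * 4 + data

def build_sample(make, model, software, gps=None):
    """Constructed JPEG shell (no pixel data) that carries only an Exif segment."""
    text = lambda tag, s: (tag, 2, len(s) + 1, s.encode("ascii") + b"\x00")
    rat = lambda tag, vals: (tag, 5, 3, struct.pack("<6I", *vals))
    ifd0 = [text(0x010F, make), text(0x0110, model), text(0x0131, software)]
    gps_ifd = b""
    if gps:
        ifd0.append((0x8825, 4, 1, b"\x00" * 4))  # placeholder, used to measure IFD0
        gps_at = 8 + len(_ifd(ifd0, 8))
        ifd0[-1] = (0x8825, 4, 1, struct.pack("<I", gps_at))
        gps_ifd = _ifd([text(1, gps[0]), rat(2, gps[1]), text(3, gps[2]), rat(4, gps[3])], gps_at)
    app1 = b"Exif\x00\x00II*\x00" + struct.pack("<I", 8) + _ifd(ifd0, 8) + gps_ifd
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

PS4_SHOT = build_sample("Sony Interactive Entertainment Inc.", "PlayStation(R)4", "5.05")
VITA_PHOTO = build_sample("Sony", "PlayStation Vita", "constructed",
                          gps=("N", (53, 1, 24, 1, 250, 10), "W", (2, 1, 57, 1, 83, 10)))

if __name__ == "__main__":
    print(extract(PS4_SHOT), extract(VITA_PHOTO), sep="\n")
```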
The PlayStation Vita allows the user to use external memory in the form of a custom made PS Vita
memory card. The issue with this memory card is that it is difficult to read, and the only way the
investigating team were able to read the data on the card would be by using an adapter which
online is called SD2VITA. As this was not available to the team it was not an option.
Unfortunately this option is only viable if the device is running 3.60 – in the instance of this
device, it runs a higher version.

Figure 46. PS Vita SD card
Additionally, with the SIM card it could provide some information to the investigating team but
as it isn’t used to send texts from the device, nor does it provide any benefit other than online
play using 3G, it seems irrelevant. However, the SIM card may have been previously used in
another device so existing data may still be present on the SIM. Quantaq’s USIMDetective is
highly recommended by forensic intelligence for situations like this. However, this – again – was
not accessible for the investigator.

Figure 47. SIM Card from PS Vita

In terms of data taken from the device, the investigating team used the Content Manager as
aforementioned. The steps taken were to connect the device to the PC using the cable provided to
charge the device – there is also an option to connect via WiFi if the cable is not readily available.
After this, the next step was to back up the device to see if anything was readable from this
position.
As of 16th April 2018, the size of the backup was 793 MB. The backup was saved on the computer
under the name 201804162003-01 (2018 04 16 is the date of the backup). It is saved under
C:\Users\USERNAME\Documents\PS Vita and offers the user a number of folders.

Figure 48. PS Vita documents stored on laptop

A previous backup had been done on 20th March 2018 and had not updated the modified times,
however in the folder SYSTEM a folder relating to the recent April update can be found.

Figure 49. PSVIMG file of interest

The backup files (as shown above) are saved in the following extensions, ‘psvimg’, ‘psvinf’ &
‘psvmd’. The initial suggestion of a file being saved as ‘img’ led the investigating team to use
some form of image reader however it would not be read using image hosting software.
Online PlayStation hacking forum PSXHAX had previously offered users a tool that allows the
extraction of PSVIMG files, however it is now unsupported due to version updates and is no longer
being maintained (PSXHAX, 2017).
As this option seemed no longer viable, the other option would be to follow the same steps as
taken in removing information from the PlayStation 4 by going through it using Table 1 and
gathering the data physically. This was the next step in the investigation to determine who the
device belonged to and to ensure that any information that could be of use to an investigation is
retrieved. The device itself is generally unusable until an account has been associated with it, in
this case it is associated to the same account as the PlayStation 4 which can be confirmed using
the SEN page or by checking the device itself in Settings > Account Management.

Figure 50. PSN showing account logged in

As seen in figure 50, the account links to ‘lxtrxi’ and the email address is the same associated with
the PS4 account. This confirms that the account is linked.

Figure 51. PS Vita system information

With the SIM card in, the system information page gives the IMEI number which can be beneficial
to the investigation; it doesn’t show a phone number as in this instance there is not a number
associated to the SIM card. Additionally, it gives the MAC address for the device. The ICCID or
integrated circuit card identifier has the same role as an IMEI number but it is stored on the device
as well as the SIM (EMnify, 2016). Using the first 6 numbers allows the user to determine who the
SIM circulates through, in this case it is ‘voda UK’ which was already known as the SIM holds the
Vodafone logo.
In terms of messaging it still provides the user with this function as well as cross platform party
chatting. With the ability to use the SIM card and game online, this could offer an offender an
opportunity to use a less obvious form of messaging without the use of WiFi.

Figure 52. PS Vita messages

Another feature that could be used to gain access to the PS4 remotely is the Remote Play function
– this connects the Vita to the PS4 in question using a WiFi connection or a hotspot. This is bad
for the console as it could be accessed from outside the connection. This was achieved by using
the ‘Personal Hotspot’ feature on the investigating team’s iPhone 7. After this connection was
established, the remote play function first searched for the PlayStation on the same network, after
it could not be found it searched via internet; this worked, allowing access to the PlayStation 4
without being in the same room. There is no way of disconnecting the Vita from remote play
without having the device and disconnecting manually.

Figure 53. PS Vita remote play

The Vita can be as important as the PlayStation 4. In this instance it has shown that while there is
no easy way that the investigating team can think of to retrieve information from the SD card, it
holds as much information as the PS4 does. In terms of security it is relatively the same, with one-
factor authentication with a password and with the password, the user has access to the account
all the same with the ability to alter information if they feel so inclined.

Critical Analysis of the Results


In this investigation there were walls that, going into, would be issues for any investigator trying
to make a case. Having brief knowledge that the PlayStation firmware is encrypted and has been
since the earlier generation (PS3), meant that a lot of the investigation would generally take place
on the device itself.
Other researchers (Conrad et al, 2009) have taken it upon themselves to use earlier firmware to
decide how well the actions they take will have an effect. However, this proved to show no real
significance to any form of investigation – thus, removing any requirements for it to be done in
this report. The firmware used during the investigation in this report did update and having done
thorough checks from the past and current firmware, nothing had changed.
In terms of the information that was retrieved from this investigation, there was a lot obtained
through physical extraction. Unfortunately, using the forensic tools such as Forensic Toolkit and
XRY provided little to no data or information. For this reason, it would make more sense to obtain
the devices as soon as possible, physically gather as much information and make copies of the
hard drive to ensure that no data can be changed if the user gets any of the devices back.
While the logical extraction of the PlayStation 4 hard drive was not pointless, it did not give any
information towards the investigation. This was more of a way of learning how to proceed in an
investigation. Given that the hard drive was encrypted and there was no way of obtaining the
decryption key, it would have been significantly easier to obtain information if it were the other
way round; additionally, the investigator believes that while they have the ability to perform an
in depth digital forensic analysis of a hard drive, they still lack the resources to decrypt or attempt
to gain the decryption keys.
Physical extraction still has some barriers, the main being that the investigator would require the
devices for the investigation as well as any information required to login. The report does show
how the investigator obtained the information to access the Sony Entertainment Network
however unless the suspect involved in the case gives up the information or the devices are
already logged in, it would be difficult to guess the password and even the email. There is no way
of determining what email address is linked to a user ID thus resulting in the use of XRY to find
out the content of auto fill stored on the phones.
Fortunately, in this instance all of the required information was accessible, and the devices being
monitored could be accessed just as easily, resulting in a seamless extraction of any data required
for the investigation.

Conclusions and Further Work


This report has been an incredibly eye-opening experience for the investigating team. The
research done beforehand led the investigator to believe that very little information could be
found through carrying out an investigation of the device. Fortunately, this was not the case as
the PlayStation 4, mobile applications and the hand-held PlayStation Vita all held data valuable to
the case.
There are steps that should be considered when doing the investigation:

The user may have multiple connected devices, so ensure that the Sony Entertainment Network
page is thoroughly checked. This will allow an investigator to see the devices on the account.
Having just the one device (be it PS3 or PS4) may not be enough. Having access to a PS3 when a
PS4 is being investigated still allows the owner to manipulate data and cause issues when the
investigation is underway.
Additionally, as there are other handheld devices such as a PS Vita and PlayStation Companion
Applications, the investigation team may have to alter passwords to ensure integrity in the case;
however, this may break ACPO guidelines as it is live data. With reasonable cause to
ensure the case remains secure, this may nonetheless be the best course of action.
Furthermore, the user may have access to a device that has already been logged into the Sony
Entertainment Network account. It may be reasonable to gather the device (such as a laptop) to
prevent outside access. Other devices such as mobile phones and tablets can also access the page.
There may be an option of logging out all devices from the site and then changing the password.
The devices all allow the user to communicate cross-platform. To ensure that every message that
was sent is known, it would make sense to note down the dates and times, as well as the recipient
and the content of each message.
Messaging is the backbone of any sort of communication, be it on a mobile device, email, or face
to face talking. Very little can be done without it. Having access to the messages can show who is
involved and the circumstances surrounding their involvement. As the device can hold messages
from multiple users, the investigation team would have to go through each conversation to decide
what is being discussed; however, this can be incredibly beneficial in instances where involvement
from many participants is noted.
In terms of the messages found on the three devices there were no messages that required further
investigation due to the nature of the conversations. Unfortunately, messages can be deleted
using devices other than the main PlayStation. For example, a message deleted using the mobile
application would also be deleted from the main device. For this reason, noting down the messages is
the most crucial step.
Oddly, the internet browser found on the PlayStation 4 and PlayStation Vita does not store any
times or dates of when websites were visited. The history will remain on the device unless deleted,
but the dates on which webpages were visited remain hidden.
This is another challenge to the investigator as the websites may have been visited during the
investigation, but the suspect could argue that it was not them or it was done by the investigating
team to determine what the website was.
Regardless, the same steps taken with storing messages seem to be a good starting point to
ensure that no information is lost; the internet browsing history remains an
important part of any investigation.
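One way to keep the manual record described above tamper-evident, as an added example that is not part of the original report: each noted message or browser-history entry is hash-chained to the previous one, and the examiner's observation time is stored because the browser keeps no visit dates. All field names and sample values are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" used by the first record


def _digest(record):
    # Hash every field except the hash itself, in canonical (sorted-key) JSON.
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


def append_record(log, kind, device, details, observed_at=None):
    """Append one noted item (a message or a browser-history entry) to the log."""
    record = {
        "seq": len(log) + 1,
        "kind": kind,
        "device": device,
        "details": details,
        # Time the examiner saw the item; the browser itself stores no visit time.
        "observed_at": observed_at or datetime.now(timezone.utc).isoformat(),
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    record["hash"] = _digest(record)
    log.append(record)
    return record


def verify_log(log):
    """Return 0 if the chain is intact, otherwise the position of the first bad record."""
    prev = GENESIS
    for position, record in enumerate(log, start=1):
        if record["seq"] != position or record["prev"] != prev or record["hash"] != _digest(record):
            return position
        prev = record["hash"]
    return 0


def build_sample_log():
    # Constructed sample entries for illustration; not data from the report.
    log = []
    append_record(log, "message", "PlayStation 4",
                  {"sent": "2018-03-01 19:42", "recipient": "example_user_b",
                   "content": "constructed sample text"}, "2018-03-10T10:00:00+00:00")
    append_record(log, "browser_history", "PlayStation Vita",
                  {"url": "https://example.com/"}, "2018-03-10T10:05:00+00:00")
    append_record(log, "message", "mobile application",
                  {"sent": "2018-03-02 08:15", "recipient": "example_user_c",
                   "content": "second constructed sample"}, "2018-03-10T10:09:00+00:00")
    return log
```

Copying the hash of the last record into the contemporaneous case notes fixes the state of the log at that point, so a later edit or removal of an earlier entry is detected by `verify_log`.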
To conclude this report, Sony have obvious reasons to want to ensure the security of their users is
not easily accessible, and whilst it is inaccessible for the most part, there are instances where the
security can be altered, and further issues can arise from that. Sony have an incredible mission in
ensuring the protection of their users, and the investigation proved to be a difficult task. The
lessons learnt and the tools used by the investigators were an incredible and well-researched
form of learning.

References
1. Kharpal, A. (2017). Sony PlayStation 4 sales rise to 60.4 million as console wars with
Microsoft's Xbox heat up. CNBC. Retrieved 30 November 2017, from
https://www.cnbc.com/2017/06/13/playstation-4-sales-rise-to-60-point-4-
million.html
2. Conrad, S., Dorn, G., & Craiger, P. (2010). Forensic Analysis of a PlayStation 3
Console. Advances in Digital Forensics VI, 65-76. doi:10.1007/978-3-642-15506-2_5
3. Sakazaki, L. (2006). Seventh Generation Gaming Consoles: Thinking Outside the
Box. Seeking Alpha. Retrieved 30 November 2017, from
https://seekingalpha.com/article/22075-seventh-generation-gaming-consoles-
thinking-outside-the-box
4. Dachis, A (2011). Lifehacker.com. Retrieved 30 November 2017, from
https://lifehacker.com/5830367/how-to-hack-your-wii-for-homebrew-in-five-minutes
5. Hacking the Xbox. (2017). Hackingthexbox.com. Retrieved 30 November 2017, from
http://hackingthexbox.com/
6. Ridgewell, W (2011). Determination and Exploitation of potential security vulnerabilities
in networked game devices. Retrieved 30 November 2017, from
http://dtpr.lib.athabascau.ca/action/download.php?filename=scis-
07/open/walterridgewellProject.pdf
7. Shuman, S. (2013). PS4: The Ultimate FAQ – North America. PlayStation.Blog. Retrieved
17 January 2018, from https://blog.us.playstation.com/2013/10/30/ps4-the-ultimate-
faq-north-america/
8. CUH-1004A - PS4 Developer wiki. (2018). Psdevwiki.com. Retrieved 8 February 2018,
from http://www.psdevwiki.com/ps4/CUH-1004A
9. Dunn, B. (2018). Introducing My PlayStation, a new way to interact with key PSN features
from your PC or mobile. PlayStation.Blog. Europe. Retrieved 25 February 2018, from
https://blog.eu.playstation.com/2018/02/21/introducing-my-playstation-a-new-way-
to-interact-with-key-psn-features-from-your-pc-or-mobile/
10. Sony Launch My PlayStation, A New Way to Do Stuff You Can Already Do.
(2018). Thesixthaxis.com. Retrieved 25 February 2018, from
http://www.thesixthaxis.com/2018/02/22/sony-launch-my-playstation-a-new-way-to-
do-stuff-you-can-already-do/
11. Software Usage Terms. (2018). PlayStation. Retrieved 26 February 2018, from
https://www.playstation.com/en-gb/legal/software-usage-terms/
12. Director's Investigatory Powers | The Crown Prosecution Service. (2018). Cps.gov.uk.
Retrieved 26 February 2018, from https://www.cps.gov.uk/legal-guidance/directors-
investigatory-powers
13. Margaret Rouse, Stephen J. Bigalow. 2006. What is hypervisor? [ONLINE] Available
at: http://searchservervirtualization.techtarget.com/definition/hypervisor. [Accessed
14 March 2018].

14. PSVIMG Tools VPK Updates to Decrypt PS Vita Game Backups! (2018). PSXHAX - PSXHACKS.
Retrieved 16 April 2018, from https://www.psxhax.com/threads/psvimg-tools-vpk-updates-
to-decrypt-ps-vita-game-backups.1795/
15. EMnify 8988303 ICCID, IIN and SIM Serial Number Explained | EMnify. (2016). EMnify.
Retrieved 17 April 2018, from https://www.emnify.com/2016/05/06/emnify-8988303-
iccid-iin-and-sim-serial-number-explained/

16. Nakashima, E (2016). Apple vows to resist FBI demand to crack iPhone linked to San Bernardino
attacks. Washington Post. Retrieved 18 April 2018, from
https://www.washingtonpost.com/world/national-security/us-wants-apple-to-help-
unlock-iphone-used-by-san-bernardino-shooter/2016/02/16/69b903ee-d4d9-11e5-9823-
02b905009f99_story.html?noredirect=on&utm_term=.7edc1253e190
17. ACPO Guidelines | Publications | 7Safe. (2018). 7safe.com. Retrieved 24 April 2018, from
https://www.7safe.com/about-7Safe/downloads/acpo-guidelines
18. Whitwam, R. (2016). Why you should (or shouldn't) root your Android device -
ExtremeTech. ExtremeTech. Retrieved 25 April 2018, from
https://www.extremetech.com/mobile/211314-extremetech-explains-why-you-should-or-
shouldnt-root-your-android-device
19. Terms of Service and User Agreement | PlayStation. (2018). PlayStation. Retrieved 25 April
2018, from https://www.playstation.com/en-us/network/legal/terms-of-service/
20. PlayStation Vita Memory Card Guide - Vita Player - the one-stop resource for PS Vita owners. (2015). Vita
Player - the one-stop resource for PS Vita owners. Retrieved 26 April 2018, from
http://www.vitaplayer.co.uk/playstation-vita-memory-card-guide/
