Forensic Analysis of Xbox One and PlayStation 4 Gaming Consoles
Salam Khanji (1), Raja Jabir (2), Farkhund Iqbal (2), Andrew Marrington (2)
(1) Dept. of Information Security Engineering Technology, Abu Dhabi Polytechnic, UAE
(2) College of Technological Innovation, Zayed University, Dubai, UAE
Salam.Khanji@adpoly.ac.ae, {M80006379, Farkhund.Iqbal, Andrew.Marrington}@zu.ac.ae
Abstract—This paper highlights the challenges posed by the
non-availability of trusted, specialized forensic tools for
conducting investigations on gaming consoles. We have
developed a framework to examine existing state-of-the-art
forensic acquisition and analysis tools by exploring their
applicability to eighth generation gaming consoles such as the
Xbox One and PlayStation 4. The framework is used to
validate the acquired images, compare the retrieved artifacts
before and after restoring the console to the factory settings,
and to conduct network forensics on both devices. The paper
reveals the need for specialized forensic tools for forensic
analysis of these devices.
Keywords—gaming console forensics; PlayStation 4; Xbox
One.
I. INTRODUCTION
Video game consoles have moved on from being
specialized, single-purpose gaming platforms to
Internet-enabled multimedia entertainment and communication hubs,
with comparable hardware to general-purpose personal
computers. As such, they are prone to similar forms of
misuse and abuse as personal computers. From a digital
investigation perspective, it is imperative for investigators to
be able to acquire and analyze digital evidence from such
devices. Unfortunately, the field of gaming console
forensics is still in its infancy, with relatively little tool
support. This is perhaps due to the lack of standardization
and interoperability between different game console makes
and models, proprietary operating systems, and different
security measures.
This paper proposes a framework to explore the current
state of gaming console forensics. Experiments are
conducted using two different platforms: the Sony
PlayStation 4 (PS4), and the Microsoft Xbox One. Hard
disk images are acquired from both devices, before and after
restoring to factory settings, and examined using various
analysis tools. Network forensics is performed on both
devices, in the form of network traffic analysis. As a result
of this study, we were able to identify tools that are best fit for
the forensic analysis of eighth generation game consoles.
The rest of the paper is structured as follows: Section II
discusses the specifications of the Xbox One and PS4, and
surveys the literature of gaming console forensics. Our
methodology is discussed in Section III, the recovered
artifacts are discussed in Section IV, and in Section V, we
discuss our observations, before concluding the paper in
Section VI.
II. BACKGROUND INFORMATION
This section explains the technical specifications of the
two major gaming consoles investigated in this paper, the
PS4 and the Xbox One, followed by a literature
review.
A. Sony PlayStation 4
According to Forbes, Sony has 50% of the worldwide
console market. The PS4 has a semi-custom accelerated
processing unit (APU) designed by AMD [1]. The APU
combines a central processing unit, graphics processing unit,
memory controller, and video decoder/encoder. Like its
predecessor the PlayStation 3 (PS3), the PS4 uses a
proprietary file system structure for its internal hard drive,
but does support FAT- and exFAT-formatted USB
storage devices. The PS4 also allows the user to play music
and videos and to view photos using USB-attached
devices.
B. Microsoft Xbox One
The Xbox One is developed by Microsoft and uses a
Windows-based operating system designed for Xbox One. It
includes a separate operating system for Xbox One games
and any compatible applications. The OS resides on the
internal hard drive and is backed up in the console's internal
storage, to be recovered in case of corruption or a factory
reset. The Xbox One has a Central Processing Unit and
8 GB of DDR3 RAM, of which 3 GB is reserved for the OS
and the rest for games and applications [2].
III. LITERATURE REVIEW
Gaming console forensics is a crucial topic about which
there is comparatively little academic literature. Burke et
al. [3] provided guidelines to forensically analyze the
original Xbox, emphasizing how to identify whether the Xbox
console has been modified (another OS installed) and how to
create a forensic duplicate of the storage media. Vaughan et
al. [4] proposed techniques to overcome the ATA password
protection utilized in Xbox hard drives. They suggested that
forensic tools such as The Sleuth Kit can be modified to
recognize the Xbox file system FATX, whose entries
resemble those of FAT.
Xynos et al. [5] followed a forensically sound process to
acquire an image of the Microsoft Xbox 360 console’s hard
disk. They mainly focused on analyzing the SATA hard
drive artifacts. Artifacts such as the date and timestamp
when updating the console, usernames when Xbox Live is
enabled, and Internet browsing history were collected and analyzed.
978-1-5090-1138-4/16/$31.00 ©2016 IEEE 2016 IEEE International Workshop on Information Forensics and Security (WIFS)