In June 2009, a Massachusetts state trooper was gathering evidence in a case that involved a suspect having sex with an underage girl. He hoped to find one crucial piece of evidence—video of the encounter—on a digital device from the suspect's home. But the device wasn't a computer; it was the suspect's game console. The investigator was stumped as to how to sift the device for clues, and he turned to a digital forensics mailing list for help.

I am working on a case where it is believed that the suspect may have recorded himself having sex with a 14 year old girl using an Xbox 360. The Xbox was set up in his bedroom and had a webcam attached to it that was pointed directly at his bed. The suspect did record two other victims, and those videos were found on his PC in a different room. All of the victims say that they were not aware that they were being recorded and that his PC was not in the room at the time of the incidents. Does anyone know if it is possible to record video with an Xbox 360? I looked at the hard drive using Explorer360 and was able to locate a large file (460 MB) that was created on the same day as the incident but I am unable to extract any useful data from it.

That state trooper was not alone in his desire to crack open a console and look for evidence. Consoles today play an increasing part in even local police investigations across the country. Thanks to a recent Anonymous hack of a California cybercrime investigator's e-mail account, we can take a glimpse inside that world. The e-mail cache contains a huge array of mailing list traffic in which investigators ask each other for help examining digital devices, from cell phones to computers to gaming consoles. We've spent the last few weeks plowing through the list to better understand how digital forensics are being used by local police across the US. What stands out is just how aware cops have become of the many uses of digital devices; the list includes numerous questions about the Xbox, the PS3, the Nintendo DS, cell phones, iPods, and even (once) a Zune.

In many cases, however, they've been frustrated in their attempts to find incriminating data. A September 2007 e-mail from the Wichita, Kansas Forensic Computer Crimes Unit asked for help with an Xbox 360, for instance, since standard PC forensic tools are of limited utility.

We are at the end of a large acquisition (2TB) human trafficking and exploitation case and the case goes to jury today, but there has been one question unanswered. We never found the movie file of a co-defendant and the 15 year old victim. The last place to look is an Xbox 360 that was seized with WMC Extender software. I have taken the SATA HD (Seagate 20GB) out and tried to image it, but nothing I have will recognize the HD. I tried hardware write blocks, software write blocks and connecting straight into a Linux box...[no] luck... So, any ideas left out there on checking to see if he did store any images or movie files on this HD?

In other cases, the Xbox itself contains no illicit material, but its usage logs can still shed light on a case, or undermine an alibi. In August 2011, for instance, an investigator at the Orange County (NY) District Attorney's Office asked the mailing list for help.

On the X-box 360 Kinect does anyone know if the date/time is user set or it comes from the server? I have a picture of the screen which shows a folder with a date. This is a Rape case where the defense is trying to introduce pictures from the X-box 360 of the victim playing a day after the rape. I do not have the X-box but I'm attaching the defense's picture. Any help would be appreciated.

Gaming logs were also being searched for in a January 2011 case from Binghamton, New York.

I have a question for the nerds and nerdettes: we have an xbox coming in on a homicide, or I guess a babycide, and we need to find out if the thing was being played during certain hours... I’m assuming we will be looking at saved games, or checkpoints reached.

Consoles can also be burgled. A July 2008 case from Washington, DC involves the theft of an Xbox 360, after which the victim told police that "I received an e-mail from Microsoft indicating that a charge was placed on my credit card to purchase Xbox 360 points. This charge originated from my Xbox Live internet account that I registered on my Xbox before it was stolen."

In this case, the victim took to the Internet and was able to tell the investigator that "their own research has shown where stolen Xboxes were recovered by victims after service of a court order to Microsoft for the IP address where the Xbox is connecting." The investigator didn't quite know what to make of this—the level of technical knowledge on the mailing list varied widely—but to his credit, he was willing to do some legwork. And if what the victim told him turned out to be true, "it may assist me in solving a rash of burglaries that happened on a college campus."

Finally, console-related crime includes good old-fashioned weird behavior. As a detective from the Eugene, Oregon Financial Crimes Unit told the list in January 2010:

Got an inquiry from our admin aide. A caller at a local coffee shop reported something suspicious involving a male/female couple appearing in their store at the same time/day each week. Each time they had several visitors to their table, each bringing an Xbox. The couple did something to the Xbox, charged their "customer" $50, then sent them on their way. I've had no experience with gaming systems (other than playing them!), so other than the fact this seems very odd behavior, I'm not sure what might be going on here. Anyone have a possible explanation for this behavior? The only thing that came to mind was perhaps an on-the-fly repair operation.

Similar stories abound for other consoles, like the PS3, which can be the source of even more mischief than the Xbox due to its one-time ability to run Linux and function even more like a general purpose computer. From Longview, Texas:

I recently did a PS3 on a P2P [peer-to-peer file-sharing] case. The 'bad guy' had installed Yellow Dog Linux at one point on the PS3. The hard drive was behind a flap on one end. I removed a couple of screws and pulled out the drive, hooked it to a write-blocker, and it imaged fine. He was storing a lot of cartoon porn.....

Consoles aren't just sources of forensic data; they can also be used as bait. A recent case from Fort Lauderdale, Florida shows how local police can use game consoles to nab suspects.

During the three-day trial, a Fort Lauderdale Police detective testified that he was undercover trying to make arrests for dealing in stolen property. He was dressed in disheveled clothing to pass as a drug addict. He carried around with him a brand new Xbox 360 videogame system and a car radio in a tattered garbage bag. He came into contact with [Edrawin] Canady at his place of work, a commercial garage, and tried to sell the Xbox and the radio. Canady was standing with another individual, Charles Hall, at the time. Canady initiated contact by calling out to the detective to ask what he had in the bag. The detective explained that he had a new Xbox which he got from a friend who worked at Walmart. Both Canady and Hall inspected the items in the bag and began to negotiate a price with the detective. Canady initially offered to pay sixty dollars in cash for both items. The detective testified that this amount was “way below market value for both items.” Eventually Hall offered to throw in forty dollars worth of crack cocaine, to which the detective agreed. Canady handed the detective sixty dollars in cash and Hall removed a bottle containing crack cocaine from a nearby car and handed it to the detective. Canady and Hall took the Xbox and the radio and the detective left. The detective signaled to nearby police officers, and both Canady and Hall were arrested on the spot.

(Seem a little unfair? An appeals court agreed, reversing Canady's conviction for trafficking in stolen property. The court noted that offering to sell a single Xbox and a radio was hardly "red flag" knowledge of stolen goods. But the court maintained Canady's conviction for cocaine delivery.)

Finally, consoles can also provide a way for investigators to find and even interact with their suspects. And when that interaction leads to voice chatting, cops have a whole new way to conduct undercover ops.

Building a "Frankenbox"

Do police actually hang out on Xbox Live, trying to strike up audio chats with criminal suspects, then recording the conversations as evidence for investigations in robberies, child porn cases, and more? Apparently they do. A Microsoft presentation to law enforcement, included in the leaked e-mails, makes clear that "investigators may participate in Xbox live in undercover operations." The company even sketches out diagrams for recording suspect conversations by building a special "Frankenbox."

Investigators have long wanted access to IP-based voice services like Skype and, more recently, those offered on game consoles. Thanks to laws like CALEA, they already possess potent wiretap capabilities on traditional phone networks. Internet communications can be tapped, but when they are also encrypted, things get difficult. (When communications are peer-to-peer, rather than passing through central servers, this can get even dicier.) In 2010, the FBI was pushing to extend CALEA to a much broader array of Internet applications, forcing the companies behind them to provide built-in, realtime backdoor access to encrypted communications. The agency backed off a bit in 2011, but it still has its sights on IP-based voice chatting of all kinds.

Microsoft may have an eventual answer. A company patent filing came to light in 2011 on ways to intercept Internet calls, which "may include audio messages transmitted via gaming systems, instant messaging protocols that transmit audio, Skype and Skype-like applications, meeting software, video conferencing software, and the like." (Emphasis added; remember that Microsoft now owns Skype.)

In the meantime, investigators may not be able to eavesdrop on others, but they can build their own investigative rigs to capture Xbox Live chats in which they participate.

The task is more complicated than just capturing the audio output from the Xbox, since game chat isn't routed through the speaker outputs. Instead, investigators need to build a small "Frankenbox" splitter that can send headset audio to a mixer and from there on to any standard audio/video recording device.

Microsoft can also provide IP addresses for Xbox Live logins, registration and billing information, titles of games accessed, etc., but the actual content of user communications does not appear to be logged by the company, nor is it stored on the Xbox hard drive or memory stick—to the chagrin of investigators in many cases, who report looking for logs and chat data on seized console hard drives, but coming up empty.

As consoles incorporate more features—voice chat, video cameras, Web browsers, online storefronts, Linux—they will prove increasingly common targets for police action. It took years for the general public to realize just how much a common computer could say about a person, what with search engine histories, Web browsing histories, deleted files, and stored e-mails. Game consoles aren't that revealing, but they're getting closer. What does your console say about you?

Update: The website consoleforensics.com posted a copy of the presentation gleaned from the mailing list in 2011. If you want a look at the complete presentation, it's available here.