Saturday, January 22, 2011

Xbox 360 Forensics: Part 3

I've been on a little bit of a hiatus but we're back for part 3 of the story.

Last we heard I had just (finally) succeeded in taking a dd image of an Xbox 360 hard drive for analysis. I had previously settled on x360 as a platform for analysis and I ran the following series of commands:

svn co x360-read-only
sudo apt-get install libfuse-dev
cd x360-read-only
mkdir /tmp/mnt
sudo ./x360 -o debug,uid=1000 /mnt/data/201010.bin /tmp/mnt

This seemed to work OK, except that in large directories such as /Cache many of the files had no attributes, and trying to read them gave a "file not found" error. Reading other files would cause x360 to crash, and to top it all off, even when I mounted an image read-only, one crash ended up damaging the image. I'm sad to say that these problems absorbed a large amount of my time because there were several related bugs that got in the way, including:

  • The type size_t was assumed to always be 64 bits, though on my x86 platform it is only 32 bits 
  • An integer overflow caused roughly a quarter of the FAT to be mmapped instead of all of it (see the size_t issue)
  • Multi-cluster directory support was implemented in the directory listing code but not in the file reading code
  • The mmap call for reading the FAT did not respect the read-only option
  • Some read operations caused the file system to crash (possibly due to a pread parameter typing issue)
Except for the last dot point I managed to fix them, but without fixing all of the points above I didn't feel confident using x360 for forensic purposes. (Note to the author of x360: I do have some patches that I meant to submit, but since I couldn't get everything into a working state I'm not sure whether they'd be useful.)
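The first, second and fourth bugs in that list are one family: 64-bit byte offsets and lengths on a drive bigger than 4 GiB flowing through 32-bit size_t/off_t values, and a FAT mapping that stays writable even when the mount is supposed to be read-only. The following C example is added here to illustrate that family; it is not x360's code and does not reproduce its internals. It emulates the 32-bit size_t and off_t of an x86 build with uint32_t typedefs so the truncation is visible on any host, and the cluster size, FAT entry size and cluster numbers are constructed values, not taken from the author's image.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>

/* Stand-ins for the 32-bit size_t and 32-bit off_t of a 32-bit x86 build
   (off_t is only 64-bit there when _FILE_OFFSET_BITS=64 is defined, which
   FUSE requires). Emulating them with uint32_t makes the truncation visible
   on any host. These typedefs are this example's, not x360's. */
typedef uint32_t size32_t;
typedef uint32_t off32_t;

/* Constructed geometry for the example: 16 KiB clusters, 4-byte FAT entries.
   Not read from the author's image. */
#define CLUSTER_BYTES   16384u
#define FAT_ENTRY_BYTES 4u

/* Bug class 1: offset arithmetic done in 32 bits. The product wraps as soon
   as cluster * CLUSTER_BYTES reaches 4 GiB, a few gigabytes into the drive. */
static uint32_t cluster_offset_narrow(uint32_t cluster)
{
    return cluster * CLUSTER_BYTES;               /* wraps modulo 2^32 */
}

static uint64_t cluster_offset_wide(uint32_t cluster)
{
    return (uint64_t)cluster * CLUSTER_BYTES;     /* widen before multiplying */
}

/* Bug class 2: a 64-bit byte offset/length squeezed into 32-bit mmap
   parameters. The high bits are dropped silently, so the mapping covers the
   wrong region or only part of it, and lookups past its end fault. */
static void fat_map_params_truncating(uint64_t offset, uint64_t length,
                                      off32_t *off_out, size32_t *len_out)
{
    *off_out = (off32_t)offset;
    *len_out = (size32_t)length;
}

/* Checked version: compute in 64 bits, then refuse anything that does not fit
   the platform's types rather than mapping a wrong region. */
static int fat_map_params_checked(uint64_t cluster_count, uint64_t fat_offset,
                                  off32_t *off_out, size32_t *len_out)
{
    if (cluster_count > UINT64_MAX / FAT_ENTRY_BYTES) { errno = EOVERFLOW; return -1; }
    uint64_t length = cluster_count * FAT_ENTRY_BYTES;
    if (fat_offset > UINT32_MAX || length > UINT32_MAX) { errno = EOVERFLOW; return -1; }
    *off_out = (off32_t)fat_offset;
    *len_out = (size32_t)length;
    return 0;
}

/* Bug class 3: ignoring the read-only option when mapping the image. A
   PROT_WRITE + MAP_SHARED mapping writes straight through to the evidence
   file, so a stray store from a crashing driver alters the image. For a
   forensic mount the mapping itself must be read-only, whatever the FUSE
   mount flags say. */
static void fat_map_mode(int read_only, int *prot, int *flags)
{
    if (read_only) {
        *prot  = PROT_READ;          /* a stray store faults instead of reaching the file */
        *flags = MAP_PRIVATE;
    } else {
        *prot  = PROT_READ | PROT_WRITE;
        *flags = MAP_SHARED;
    }
}

int main(void)
{
    uint32_t cluster = 0x50000;      /* constructed: 5 GiB into the partition */
    printf("cluster %" PRIu32 ": narrow=%" PRIu32 " wide=%" PRIu64 "\n", cluster,
           cluster_offset_narrow(cluster), cluster_offset_wide(cluster));

    off32_t off; size32_t len;
    fat_map_params_truncating(cluster_offset_wide(cluster), 30u << 20, &off, &len);
    printf("truncated offset=%" PRIu32 " (should be %" PRIu64 ")\n",
           off, cluster_offset_wide(cluster));

    if (fat_map_params_checked(7864320, cluster_offset_wide(cluster), &off, &len) < 0)
        perror("fat_map_params_checked");
    return 0;
}
```

The point of the checked variant is that a too-large offset or length becomes an explicit EOVERFLOW at open time instead of a mapping that happens to cover the first quarter of the FAT; on a 32-bit build, compiling with _FILE_OFFSET_BITS=64 (as FUSE already requires) fixes the off_t half of the problem, but size_t stays 32 bits, so the length check is still needed.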

The debugging of x360 was useful, as I learnt a lot about XTAF by trying to fix the code, and my skills with gdb increased significantly as well. This process took almost all of the time available in my first research sabbatical, and the whole project was put on hold for a couple of months while I returned to my day job and contemplated solutions.
