The XBOX 360 is available in several different retail packages that are categorized by the size or lack of a hard drive. Upon its initial release in November 2005, the XBOX 360 was available in two retail packages. The first model was called the Arcade or Core, as seen in Figure 2.1; it was provided with no removable hard disk drive and touted the ability to play the games locally, but if the end user wanted to go online with XBOX Live, then they needed to purchase a hard drive or a memory card. The Arcade version dropped off the market for a time and has reemerged as a retail option.

The next retail model was the Pro or Premium model. Initially included with this model was a detachable 20GB hard drive that was housed in its own custom case with its own custom interface to the XBOX 360 console. Later models of the Pro version included an upgrade in hard drive space to 60GB. Figure 2.2 and Figure 2.3 provide images of the Pro model and the detachable hard drive, respectively.

The hard drive is designed to be easily removed from the console and is also standardized so that it can be interchangeable between consoles; if, for instance, a user purchased a console with a 20GB unit, they could purchase an upgraded hard drive, available as a separate retail package, and connect it to their console, giving themselves more storage. It should be noted to avoid confusion that only one Microsoft XBOX 360 hard drive can be connected at a time. This interchangeability is for functionality purposes to enable a user to take game saves as well as Gamertag identification (a unique identifier on the XBOX Live Network) from one console to another. We shall see that there are digital artifacts that can provide indications that a console was not bundled with a hard drive or the subject of an investigation has used multiple hard drives on the system.

Over time, the XBOX 360 has undergone an evolution. Since its release, there have been many technical changes to the box, including a wide variety of motherboards and added functionality that comes with each revision. In part, the motherboard evolution was because of the “red ring of death,” which was caused because of excessive heat between the graphics processing unit (GPU) and the central processing unit (CPU) [1]. Table 2.1 provides a listing of the numerous motherboard variations and some associated notes and technical specifications.

Although an entire chapter could be devoted for discussing motherboard evolution, it is not of primary importance to the artifact analysis for the XBOX 360 console as it pertains to digital examinations. Some might argue that the ability to store information on the machine has increased with the addition on later models of the console with onboard storage chips of 256 MB and 512 MB, this storage location is not easy to manipulate and is believed to hold the console's operating system. Many organizations that are attempting to run Linux on the console are trying to access this onboard storage and have met with varied success.

Current guidelines for search and seizure of digital media include the capturing of volatile data, including network connections, running processes, and the system's RAM. Unfortunately, because of the security measures that have been put into place by Microsoft, the standard methods for capturing volatile data from the machine is not an option at this time. There are some features to determine the console Internet Protocol address and use that information to collect network connections by interrogating the associated router.

In addition to the hard drive options that are available with the retail console and for separate purchase, there is also a custom memory card available. The memory card is available in several different storage capacities including:

Figure 2.4 provides an image of the retail package of one of these memory cards. This is something that investigators and responders need to look for, when a console is believed to be involved in a case or is part of an investigation.

The console requires a memory device, either a hard drive or a memory card, before the end user can connect to the XBOX Live service and engage in cooperative play. It is this connection to the XBOX Live network that has been a major selling point to the end user and has drawn the attention of the high-tech investigations community.

Table 2.2 provides a good overview of the current and past XBOX 360 consoles with their associated storage capabilities.

The XBOX 360 has been described as an application-specific computer. What is meant by this is that the machine is designed to run one specific type of application: video games. However, this is somewhat of a misconception because the console was designed to incorporate the network component to allow for cooperative play since its inception. Although the technical specifications read like computer specifications, it is important to include them so that the high-tech investigator or forensic examiner may get a better understanding about why the system is important to such an examination. The machine is built for network communication and to transfer data – a lot of data – very fast. These characteristics make the XBOX 360 an ideal machine for a server. This hardware, if the security mechanisms can be overcome, would provide for a very inexpensive server platform. There is a large community that is attempting to accomplish this task and, in fact, there are applications available from this community that will be discussed or addressed in later chapters.

Figure 2.5 provides the technical specifications for the XBOX 360 gaming console. The information reads like a description of a high-end PC.

The inputs and outputs shown in Figure 2.6 for the console provide some interesting information. Of particular interest is the inclusion of the memory unit ports; these ports are the custom memory cartridges mentioned earlier. There is still support for these cards even though their capacity does not support a great deal of data. The ports are located at the front of the machine and covered with a spring loaded flap. The console's CPU is PowerPC based and its specifications are detailed in Figure 2.7.

The PowerPC-based CPU provides some guidance on deciphering the file system and the operating system. The CPU has undergone several iterations since the XBOX 360 was released. Table 2.2 provides an evolution of the different CPUs that have been or are currently available.

The console has an advanced ATI Graphics chip that has evolved in parallel with the CPU to meet the demands of the market. The evolution of the ATI chip was driven by the need for a more realistic game simulation engine. An examination of the ATI Graphics chip provides some details as to the extreme bandwidth the console was designed for.

On a purely hardware level, ATI's XBOX 360 Graphics Processing Unit (codenamed Xenos) is quite interesting. The part itself is made up of two physically distinct silicon integrated circuits (IC). One IC is the GPU itself, which houses all the shader hardware and most of the processing power. The second IC (which ATI refers to as the “daughter die”) is a 10MB block of embedded DRAM (eDRAM) combined with the hardware necessary for z and stencil operations, color and alpha processing, and antialiasing. This daughter die is connected to the GPU proper through a 32GBps interconnect. Data sent over this bus will be compressed, so usable bandwidth will be higher than 32GBps. Inside the daughter die, between the processing hardware and the eDRAM itself, bandwidth is 256GBps [2]. Figure 2.8 provides the technical specifications of the ATI Graphics card.

We have already discussed the different hard drive capacities that are available with the XBOX 360 console. To provide a brief review, the console is available with a “married” 20, 120, or 250GB hard drive. These hard drives appear to be from a limited number of manufacturers, such as Samsung and Western Digital. Deciphering some of the information on the drives and, in fact, getting access to certain portions of the drive itself are problematic; however, research indicates that the firmware of the drive is altered in some fashion to further add a level of complexity. If the data on the console are altered to any great extent in an attempt to inject code or otherwise change the information that is permitted, the XBOX Live server security checks may locate the alteration and ban the console from network play.

Drive disassembly is a straightforward process. The drives are all standard Serial Advanced Technology Attachment, or SATA laptop 2.5-in. hard drives that are housed in their own custom cases complete with custom interfaces to the console.

Because of the custom interface, it is necessary to remove the drive from the housing. This is a matter of eight screws that need to be removed before the drive can be extracted for forensic imaging.

Figure 2.9, Figure 2.10, Figure 2.11, Figure 2.12, Figure 2.13, Figure 2.14 and Figure 2.15 will provide more guidance on this process.

The hard drive for the XBOX 360 comes in its own customized case. If the console was purchased with the hard drive married to it, then the retail package will have the drive already attached to the console. However, there is also a retail package (an individual hard drive) for users who wished to have more storage or upgrade from the drive capacity they originally purchased.

Once the drive has been identified and obtained for imaging, it is a matter of removing one sticker and eight screws to isolate the drive.

Now that the drive is removed, it is ready to be imaged in accordance with standard forensic practices. The drive will be connected to several Wiebetech write blockers to ensure that no operating system data is being written to the target drive.

During the initial research, back in 2006, we had a 20GB hard drive to work with and used various forensic software tools to image the drive. The current research is no different in the procedures that are going to be utilized for imaging and artifact analysis. The details will be laid out in later chapters.

Within this chapter, we presented the various retail packages that have been and are currently available for the XBOX 360 gaming console. Storage for the console consists of either a hard drive in its own custom enclosure or a custom memory cartridge. Other external media can also be connected through the three USB 2.0 ports that are integrated into the console. Removing the hard drive from the custom enclosure is a simple enough task, which is accomplished by the removal of eight screws. Once removed from the custom case, the drive can be forensically imaged just as any other piece of digital media.