Computers | Friday, May 8, 2009. This is a SciScoop post by dcollins.
SciScoop published a news item about a powerful forensics tool for investigating the contents of the XBox gaming console. The story was picked up widely by the media, featuring subsequently on Discover.com, ScienceDaily, TechRadar, Gizmag, Escapist Magazine, and countless blogs.
The ensuing discussion about the value of such a tool has homed in on the fact that “hacker” tools allowing gamers to tweak and twiddle with the innards of their Xbox hard disk have been available for many years. One commentator went so far as to claim that the research into the Xbox forensics kit was a waste of research dollars. Of course, it isn’t. The following post from the tool’s developer, David Collins of the Department of Computer Science, Sam Houston State University, Texas, explains why not.
The defining difference between XFT and other “hacking” tools is that XFT is designed with the specific purpose of doing forensics on the Xbox; the other tools are not. This may seem to one who is not involved in computer forensics like an insignificant distinction, but it is not. XFT is being developed as a fully functional forensic tool. This entails recovery of deleted files, support of hash databases, recovery of data from file and volume slack, robust searching, logging, etc.
Tools like 360Xplorer and other hacking or general purpose file browser tools do not support this functionality, i.e. they are not designed as forensic tools. This is not an attack on those tools or a denial that they exist; it is simply a fact that there is a very important difference, forensically speaking.
Another note: evidence obtained from a suspect hard drive must hold up in a court of law. Do we really want to be doing forensics and writing reports on findings based on evidence obtained with a tool downloaded from a hacker web site? XFT addresses the analysis and legal issues that go hand in hand with computer forensics.
I have received significant feedback from law enforcement about this tool. These guys deal with these issues every day, and the ones who have contacted me understand the need for this tool. These are the people I am concerned with and these are the people I listen to when developing forensic tools, not average gamer enthusiasts.
This work was inspired by and is supported by law enforcement across the US. I initially demonstrated XFT to a visiting group of law enforcement agents, who do computer forensics for a living, several years ago. It was received with much enthusiasm. As of today, I have received requests from the Texas State Attorney General’s Office, the FBI, the U.S. Defense Cyber Crime Center, Texas state chapters of the HTCIA, and local and state law enforcement officers who are in the trenches doing forensics every day, and they see this tool as a valuable forensic resource.
I am pleased with the attention that this has received in that it has inspired some needed discussion and debate, but we need to set the record straight on the purpose of this tool and the need for this tool in forensics. This article has been “spun” on blog sites across the Internet in such a way that I think the intent is sometimes lost on the reader. This tool needs no spin; it is a necessary forensic application.
The Xbox ATA key can be easily retrieved without modding the Xbox and without removing the EEPROM chip. A simple ROM reader and a free utility (there are several) for unlocking the drive is all that is required. You can also let the Xbox boot and simply hot swap the write blocker onto the drive. I have used both of these methods successfully, with no mods and no chip removal or modification of the console whatsoever.
One other thing to note: this is an issue for the original Xbox. If an investigator is examining an original Xbox, he or she would need to first unlock the drive via one of the methods I described in my previous email. An Xbox 360 drive is not locked, and this is a non-issue for those drives. Although the current version of XFT only works with the original Xbox, the release version will work with both.