Xbox One Forensics: Not Playing Games with Evidence

Gaming console forensics is often overlooked by examiners, but times are changing: these consoles are becoming the primary access point for some users. However, there are several obstacles to overcome when it comes to Xbox One forensics. First, you must find a tool that supports the modified NTFS (sometimes referred to as NTFSx) file system found on these consoles. Second, you must be able to acquire an image of the Xbox One hard drive. Last, you must be able to make sense of the data.

A few helpful hints to remember when it comes to any gaming console forensics:

  1. Once the console has been dismantled to access the drive, you have voided the warranty.
  2. Most consoles are not designed to go back together after being dismantled. We discovered this the hard way when working on one of the kids' consoles.

When it comes to support, you don’t need to look any further than P2C. P2C 4.x was designed to support the Xbox 360 and Xbox One file systems. This means that you simply need to pull the hard drive from the console and acquire it like any other drive. When it comes to analysis, the data you can get is a little hit and miss. You can see partitions, MFT records, and lots of files. However, making sense of these files is restricted due to encryption. Although you can still get some useful data from an analysis, it is limited. We have found an excellent article detailing preliminary findings of Xbox One data: