MMORPG Chat Forensics Update

Intro

The goal of our first round of data generation was to figure out the best ways to generate data and identify potential game files that might record commands or conversations. With the first round of data generation complete, we have shifted our focus towards analyzing game files.

Analysis of chat forensics progress

Since our last blog post, we performed a complete image of the hard drives using FTK Imager. To analyze the images, we then imported the RAW images into EnCase.

After imaging the hard drives, we reformatted the hard drives and reinstalled all of the games. This wipe was to ensure any logs or information stored by the games during the first round of testing would not appear in our second round of testing. We wanted a clean install of each game so that we could control which settings we enabled to produce command/chat logs. Once we analyze the images from our first round of testing, the drives will already be set to start round two of data generation.

Conclusion

Having just started analyzing the images, and only just beginning to get our feet wet with FTK and EnCase, our next steps in the process will be time consuming – though a tremendous learning experience. Through the small amount of investigating we have already done, we have found promising files that seem to indicate that with the modification of a setting or two we will be able to find full records of conversations held in the games. We hope to finish the investigations in the coming week and move on to the second round of data generation soon after.

 

More Research Projects
CyberRange Team: Creating The Perfect Sandbox Environment
The Internet of Things Team: An Inside Look
CyberTech: Creating a Safer Internet Through Education