MMORPG Chat Forensics Update

Chat Forensics

Introduction

In our last blog post we discussed how during our second round of data generation we would be focusing on trying to create chat logs within the games. We have finished up the new data gen and are currently working on analysis of the new results.

Analysis

Planetside 2

We have previously mentioned that Planetside 2 has a command that logs the user’s commands, and discussed its potential to log interactions through in-game conversations. The command, /loglevel, creates a log on the user’s computer, and changing the log level (0 being the lowest level, 6 the highest) changes the amount of information that gets stored in these logs. During our most recent data generation, we tested the various log levels to see at what point /loglevel started recording in-game chat.

We discovered that at any log level, the window that records chat data (called the command queue in-game) is present; however, it is only particularly useful at log level 6, or full logging. When we set /loglevel to 6 we received a timestamp for each message, the in-game character name and the machine from which it was sent, and the recipient’s name if the message was designated as private. At level 6 we also get the message text itself; however, it is accompanied by an error in which the game claims that the chat command is unrecognized. This error has no effect on the actual message process.

World of Warcraft

For WoW, we have confirmed that the chat log works as intended. It reports the date, time, and name of the person speaking and what they said, as well as any in-game gestures the user made. Unfortunately, the chat log also records the public actions of every account in the vicinity, such as crafting actions, which makes it rather hard to follow one conversation through the log.
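To show how an examiner can separate one exchange from the crafting noise the paragraph describes, here is an added Python example (not code from the LCDI project). It assumes a line layout of "M/D HH:MM:SS.mmm  text"; the sample log is constructed, and the real WoWChatLog.txt layout should be checked against a capture before the regexes are reused.

```python
import re

# Constructed sample log in an ASSUMED layout; not a real capture.
SAMPLE_LOG = """\
3/14 20:01:12.004  Arthas says: meet me at the gate
3/14 20:01:14.210  Thrall begins to create: Heavy Netherweave Bandage.
3/14 20:01:15.220  Jaina says: on my way
3/14 20:01:16.010  Thrall creates: Heavy Netherweave Bandage.
3/14 20:01:18.332  Arthas waves at Jaina.
3/14 20:01:20.100  Jaina whispers: did you bring it?
3/14 20:01:22.540  Arthas says: yes, it's in my bag
"""

LINE_RE = re.compile(r"^(\d{1,2}/\d{1,2}) (\d{2}:\d{2}:\d{2}\.\d{3})  (.*)$")
SPEECH_RE = re.compile(r"^(\w+) (says|yells|whispers): (.*)$")
EMOTE_RE = re.compile(r"^(\w+) (waves|bows|cheers|laughs|dances)\b(.*)$")


def parse_line(line):
    """Split one log line into fields and classify it as 'speech',
    'emote' or 'other' (crafting and similar public actions)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    date, time, body = m.groups()
    entry = {"date": date, "time": time, "raw": body}
    s = SPEECH_RE.match(body)
    if s:
        entry.update(kind="speech", actor=s.group(1),
                     channel=s.group(2), text=s.group(3))
        return entry
    e = EMOTE_RE.match(body)
    if e:
        entry.update(kind="emote", actor=e.group(1), text=body)
        return entry
    # Anything else is a public action; the first word is the actor.
    entry.update(kind="other", actor=body.split(" ", 1)[0], text=body)
    return entry


def follow_conversation(log_text, participants):
    """Keep only speech and emotes from the named characters, in log order,
    dropping the crafting actions of everyone else in the vicinity."""
    wanted = set(participants)
    out = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["kind"] != "other" and entry["actor"] in wanted:
            out.append(entry)
    return out
```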

Guild Wars 2

Our last update on Guild Wars 2 involved looking for a command that created any sort of game output file that could be used to recreate something resembling a chat log. Unfortunately, we were unable to get any chat information out of Guild Wars 2, which, upon examining online forums that discuss the game, is actually a well-known issue. However, the command we did find (-diag) returns some interesting information about your machine at the time it is run. -diag works by modifying the game shortcut itself. Upon examination of the file it produces, we noticed that the game runs ipconfig and netstat to retrieve network information, which is then saved and recorded into a text file.

General

One of the last things we looked into was the pagefile.sys and hiberfil.sys files. These files relate to information found within RAM, and our hope was that we would find artifacts that relate to our MMORPGs within them; however, analysing these files led us to conclude that there was nothing to be found in relation to the MMORPGs.

Conclusion

Having finished up our analysis, we have begun work on our final report. We hope that investigators who are exploring cyber-crimes involving MMOs such as Planetside 2 and World of Warcraft may obtain useful pieces of evidence with the methods we have discovered. We leave you with an excerpt of the final report, where we discuss the -diag command from Guild Wars 2.


If you have questions or comments about the project, you can leave a comment or contact the LCDI via Twitter @ChampForensics or via email at lcdo@champlain.edu.
