There was recently a discussion about forensics on the PS3 game system on the HTCIA mailing list. I had put together a posting for the list regarding the encrypted drives on the PS3, that I thought I would share here as well. Despite these advancements in extracting decrypted data off of the system, the best way to do a forensics exam of the PS3 is still to create an image, then start back up the PS3 and take photos of the data you can access through the PS3 interface. Its not sexy, but it gets the job done as best possible right now.
Within the PS3 hacking community, the last couple weeks there has been a bit of a tift. One group is claiming to have found a way of decrypting the PS3 HD, while another is saying it is just a lie. Well, a tutorial recently came out with a walk through on how to "decrypt" the data. you can read it at http://streetskaterfu.blogspot.com/2009/03/hdd-decryption-tutorial.html.
I have not attempted this myself as of yet (as my PlayStation is currently into Sony for repairs), but will try to get a chance to do so soon. To summarize the process, all that is being done is first you make an image of the the PS3 HD. Afterward, place the HD back into the PS3, and copy a large file off of removable media, onto the the PS3 hard drive through the PS3 interface. Then remove the PS3 HD, and take another image. At that point, you take a diff of the two images, and you will see which data has changed between the images. This is now your known data, your scratch file.
You can then take some unknown encrypted data, and overwrite the scratch file with it. You then write the image to the PS3 HD, and place it back into the PS3. Then, through the PS3 interface you can access your "scratch file", and copy it off to removable media for examination. The contents of the scratch file will have changed to be a decrypted version of the data which was pasted into the scratch file previously. This process could then be repeated for the entire span of unknown data on the PS3 HD, giving you a decrypted version of all the data.
Again, I have not been able to verify this at all, but it does sound logical depending on how the internal structure of the PS3 filesystem is maintained. It will be about a week or more before my PS3 is going to be back, and then I will be leaving down for a couple weeks, so I have no idea when I will get a chance to work with this. If anyone else verifies this before I have a chance, I would be very interested in hearing back from you.
2 comments:
Jim,. did you have a chance to test this out? Did it work?
Dave
Edmonton, Alberta, Canada
I have not dug into this recently. But there has been a lot of interesting devs on this front. Google for ps3 decrypt EBOOT.bin and see what you get.
Let us know if you come up with anything good.
Post a Comment