Sunday, January 18, 2009

MMORPG - On Line Game Forensics

MMORPG - Massively Multiplayer Online Role Playing Game.

As you can see, that is a mouthful, so most people shorten the full moniker to the acronym, MMORPG. So, what about online game forensics?

Why is game forensics important, and why should it not be overlooked? Online games have reached a level of popularity that means you will more than likely encounter this type of evidence in a case at some point. World of Warcraft alone claims millions of subscribers. And that is just one game of literally dozens of online game titles.

A little background for those who don't play games online. MMORPGs are just one flavor of many types of online games. MMORPGs would include such games as World of Warcraft, Sims Online, Everquest, Everquest 2, Second Life, Age of Conan, Hello Kitty Adventure Island, and many, many more.

However, that list does not include other types of online games such as Party Poker, Red Baron, Call of Duty, Enemy Territory, Quake, and so many others that I cannot begin to list them all here.

My point is that most of these can be sources of valuable forensic evidence if you know to look and know where to look.

For the purpose of this blog, I am not going to go into the technical details of where to look. I will, however, tell you what you can find and how it can be useful from an evidentiary standpoint.

Most of these games keep logs of their activities. In addition to the automatic logs kept by the games, many times players will keep additional log files by setting in-game logging to occur.

Many logs are created automatically by the games. I will use Everquest 2 as my example. Everquest 2 keeps a log for every time it is started, when it updates, and makes notes when it closes a game session.

In addition, inside the files in the program directory you will find the names of the player's accounts and characters (avatars) that they play.

Everquest 2 also keeps a handy little file that captures the most recent commands sent to the game by the player. This is not something the player is aware of, since they have no control over it.

The majority of these automatically generated logs have date and time stamps in them, so even if the date and time of the file is changed by someone, the original time stamp may still be in the log for recovery.

Everquest 2 keeps a log of when the game was installed, when it was last logged in, and the session times. By analyzing all of the logs, you can determine play session times and dates.

If the player has turned on in-game logging, you have a treasure trove of information. In-game logging records everything the player types into the game, with time stamps, as well as everything anyone else in the game types in a message to the player.

By analyzing in-game logging files, you can determine dates and times of play sessions along with the length of time for each session.
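One way to do the session reconstruction described above, as an added example that is not from the original post. The log layout, the player names, and the 30-minute idle threshold are assumptions; the timestamps are read from inside the log rather than from file metadata.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "[timestamp] text" layout;
# real game logs differ per title, so adjust LINE_RE and TS_FORMAT to match.
SAMPLE_LOG = """\
[Sat Jan 17 19:02:11 2009] Logging is now on
[Sat Jan 17 19:05:40 2009] PlayerA tells you, "ready?"
[Sat Jan 17 19:24:02 2009] You tell PlayerA, "one minute"
[Sat Jan 17 19:47:30 2009] You say, "logging off"
this line has no timestamp and is skipped
[Sun Jan 18 08:15:00 2009] PlayerB tells you, "morning"
[Sun Jan 18 08:35:12 2009] You tell PlayerB, "back later"
"""
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s*(?P<text>.*)$")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

def parse_events(log_text):
    """Return sorted (datetime, text) pairs for lines with a valid timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            stamp = datetime.strptime(m.group("ts"), TS_FORMAT)
        except ValueError:
            continue  # bracketed text that is not a timestamp
        events.append((stamp, m.group("text")))
    return sorted(events, key=lambda e: e[0])

def reconstruct_sessions(events, max_gap=timedelta(minutes=30)):
    """Group events into sessions; a gap longer than max_gap starts a new one."""
    sessions = []
    for stamp, _ in events:
        if sessions and stamp - sessions[-1]["end"] <= max_gap:
            sessions[-1]["end"] = stamp
            sessions[-1]["lines"] += 1
        else:
            sessions.append({"start": stamp, "end": stamp, "lines": 1})
    for s in sessions:
        s["duration"] = s["end"] - s["start"]
    return sessions

if __name__ == "__main__":
    for s in reconstruct_sessions(parse_events(SAMPLE_LOG)):
        print(s["start"], "->", s["end"], s["duration"], s["lines"], "lines")
```

The session lengths this produces are lower bounds based on logged text only, so record the idle threshold you chose alongside the results.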

And of course you get all the conversations the person had while playing the game, if they are using the game interface for chatting via the keyboard.

However, bear in mind that many players also use voice chat to talk directly to other people in the game using a microphone and headset. Those conversations you won't get.

People are people, and when they interact with others, online affairs and other relationships can bubble up. Some people get addicted to these games and play them many, many hours per week, sometimes to the exclusion of all else in their lives.

And in online games, the only representation you get of the person is their game avatar and chats, whether they are text or voice. It is easy for a person to get attached to another's online persona. And that persona can be entirely made up to suit the person projecting that persona, for whatever reason they may have to do so.

Be aware that child predators also see these games as a place to groom potential victims.

Are you handling a case of child neglect? Could game logs show what the person was doing instead of caring for a child?

Could game logs reveal a connection to someone that will help solve a missing person case?

Can the presence of a game lead you to look for other information such as forum memberships and posts?

Data is everywhere. Not all of it is relevant. But the only way to know is to look. Don't overlook possible evidence just because it is a game.
