Peter Clemenko's Forensics presentation from BSides Delaware 2013 on forensic analysis of gaming software including steam

1. Playing the Forensics
Game: Forensic Analysis of
Gaming Applications For
Fun and Profit
Peter Clemenko III

2. Who am I?
● Student at Wilmington University in
Computer Network Security
● Member of the 2nd place Community
College team in the 2012 DC3 Digital
Forensics Challenge
● Open Source Enthusiast
● Gamer who has way too much time on his
hands

3. Why gaming applications?
● Gaming is popular
○ 54 million enthusiast and performance PC gamers in
2012
■ http://www.tomshardware.com/news/jpr-pc-gamers-numbers-pc-gaming-dead,15530.html
● Gaming applications leave a lot of artifacts
○ Web browser history
○ Stored usernames and passwords
■ Sometimes in Base64, or worse...
○ Chat logs
● How many people actually bother with these
artifacts?

4. Web Browsers
Some gaming applications include web
browsers
● Gaming apps with browsers include:
○ Steam
○ Raptr
○ Origin
○ Overwolf
○ Xfire
● This presentation will only cover Steam

5. Why should we care about game
web browsers?

6. ● Crucial evidence for the investigation might
be there.
● More attack vectors for pentests, social
engineering, and exploit development.
● You can use this evidence to build a profile
of the target.
○ What are their interests?
○ Were they somewhere they shouldn’t
have been?

7. Steam Web Browser
● Webkit based
○ Used to be Trident based, but switched to Webkit
before OSX release of Steam
● Limited functionality
○ No download, favorites, or history functionality.
● Artifacts on disk
○ localconfig files
■ Individual SQLite files
○ cookies
■ SQLite file Cookies
○ raw cache
■ raw file without the file extension

8. Image from mariokas123.deviantart.com

9. ● Two browser storage locations
○ Steam Client cache
○ In game overlay cache
○ The only difference between these two is where they
are stored and what part of Steam stores it’s
browser cache there.

10. Password Storage
● Over the years, logging in is more common
in gaming.
● These applications usually offer you an
opportunity to remember your credentials.
○ Some of them don’t even ask, they just do it.

12. ● Some games store their own credentials in
config files.
○ This is starting to go away as games are starting to
become more integrated with systems like Steam
and Origin.
● Some of these games however store
passwords in an insecure manner.
○ Some games store their passwords in Base64 or
even cleartext.
○ In the interest of being ethical and responsible, I will
not mention which programs are doing it.

13. It has to be asked however….

14. ● These passwords might be reused
elsewhere and provide new attack vectors
○ More things to add to your wordlist

15. There’s an XKCD for everything…
Comic is a shortened version of http://xkcd.com/792/

16. Chat logs
● A lot of gaming related apps have chat
functionality built in. Some of them can be
configured to store chat logs locally.
● There are some cases however where chat
logs might not be there, or the application
might not store them.
○ Steam doesn’t store chat logs locally.
○ Other apps need logging enabled manually.

17. ● Using config files to find weakly stored
passwords that might have been reused with
encrypted files of interest
● Building a targeted wordlist for password
cracking
How can both blue and red team
benefit?

18. ● Enhancing forensics tools to search for
these artifacts
● Using the logs and artifacts to find out more
about a suspect
How can forensics people benefit?

19. How can red team benefit?
● Social Engineering
○ Build a profile of your target, some of the info gained
might be useful
● Gathering weakly stored credentials in the
hopes of password reuse
○ Maybe in the form of a Metasploit module?
● Use your imagination

20. Questions? Concerns? Feedback?