2. Who am I?
● Student at Wilmington University in Computer Network Security
● Member of the 2nd place Community College team in the 2012 DC3 Digital Forensics Challenge
● Open Source Enthusiast
● Gamer who has way too much time on his hands
3. Why gaming applications?
● Gaming is popular
○ 54 million enthusiast and performance PC gamers in 2012
■ http://www.tomshardware.com/news/jpr-pc-gamers-numbers-pc-gaming-dead,15530.html
● Gaming applications leave a lot of artifacts
○ Web browser history
○ Stored usernames and passwords
■ Sometimes in Base64, or worse...
○ Chat logs
● How many people actually bother with these artifacts?
4. Web Browsers
Some gaming applications include web browsers.
● Gaming apps with browsers include:
○ Steam
○ Raptr
○ Origin
○ Overwolf
○ Xfire
● This presentation will only cover Steam
6. ● Crucial evidence for the investigation might be there.
● More attack vectors for pentests, social engineering, and exploit development.
● You can use this evidence to build a profile of the target.
○ What are their interests?
○ Were they somewhere they shouldn’t have been?
7. Steam Web Browser
● WebKit based
○ Used to be Trident based, but switched to WebKit before the OS X release of Steam
● Limited functionality
○ No download, favorites, or history functionality.
● Artifacts on disk
○ localconfig files
■ Individual SQLite files
○ cookies
■ An SQLite file named Cookies
○ raw cache
■ Raw files without a file extension
9. ● Two browser storage locations
○ Steam Client cache
○ In-game overlay cache
○ The only difference between these two is where they are stored and which part of Steam stores its browser cache there.
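As an added example (not from the presentation), a small Python triage helper for the two artifact types listed above: it types extension-less cache files by their leading bytes and dumps every table of an SQLite file such as Cookies without assuming a schema, opening it read-only so the evidence is not altered. The directory layout, file names and cookie table columns in build_sample are constructed assumptions, not Steam's real format.

```python
import os, sqlite3, tempfile

# Leading-byte signatures for typing extension-less cache files (constructed list).
MAGIC = [
    (b"SQLite format 3\x00", "sqlite"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x1f\x8b", "gzip"),
]

def identify(path):
    """Classify a file by its first bytes, ignoring the (often absent) extension."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for signature, kind in MAGIC:
        if head.startswith(signature):
            return kind
    return "unknown"

def walk_cache(root):
    """Return {relative path: detected type} for every file below root."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            found[os.path.relpath(full, root)] = identify(full)
    return found

def dump_sqlite(path, max_rows=100):
    """Read every table of an SQLite file (read-only) without assuming a schema."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        return {t: con.execute(f'SELECT * FROM "{t}" LIMIT ?', (max_rows,)).fetchall()
                for t in names}
    finally:
        con.close()

def build_sample():
    """Constructed stand-in for a cache directory: a 'Cookies' DB with a
    hypothetical host/name/value schema plus one extension-less PNG."""
    root = tempfile.mkdtemp(prefix="cache_sample_")
    con = sqlite3.connect(os.path.join(root, "Cookies"))
    con.executescript("CREATE TABLE cookies (host TEXT, name TEXT, value TEXT);"
                      "INSERT INTO cookies VALUES ('example.com', 'sessionid', 'abc123');")
    con.close()
    with open(os.path.join(root, "f_000001"), "wb") as fh:  # raw cache entry, no extension
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
    return root
```

Point walk_cache at a real client cache or overlay cache directory and follow up with dump_sqlite on every file it reports as sqlite.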
10. Password Storage
● Over the years, logging in has become more common in gaming.
● These applications usually offer you an opportunity to remember your credentials.
○ Some of them don’t even ask, they just do it.
12. ● Some games store their own credentials in config files.
○ This is starting to go away as games become more integrated with systems like Steam and Origin.
● Some of these games, however, store passwords in an insecure manner.
○ Some games store their passwords in Base64 or even cleartext.
○ In the interest of being ethical and responsible, I will not mention which programs are doing it.
14. ● These passwords might be reused elsewhere and provide new attack vectors
○ More things to add to your wordlist
15. There’s an XKCD for everything…
Comic is a shortened version of http://xkcd.com/792/
16. Chat logs
● A lot of gaming related apps have chat functionality built in. Some of them can be configured to store chat logs locally.
● There are some cases, however, where chat logs might not be there, or the application might not store them.
○ Steam doesn’t store chat logs locally.
○ Other apps need logging enabled manually.
17. How can both blue and red team benefit?
● Using config files to find weakly stored passwords that might have been reused with encrypted files of interest
● Building a targeted wordlist for password cracking
18. How can forensics people benefit?
● Enhancing forensics tools to search for these artifacts
● Using the logs and artifacts to find out more about a suspect
19. How can red team benefit?
● Social Engineering
○ Build a profile of your target; some of the info gained might be useful
● Gathering weakly stored credentials in the hopes of password reuse
○ Maybe in the form of a Metasploit module?
● Use your imagination
Client cache stores: cache and cookies of the Steam client application, including Steam Community, Big Picture, and things opened in the web browser through the client application.
In-game overlay cache stores: cache and cookies of the Steam in-game overlay.
Mention DRM, digital distribution, and multiplayer as places to log in.
Note that it’s not as simple as just Base64 decoding in most places; usually you are dealing with byte arrays.
http://xkcd.com/792/
Mention building a profile and social engineering if you have the chat logs.