Forensic Analysis on a Nintendo Wii

Abstract

This analysis steps through my process of performing a forensic analysis on the Nintendo Wii console. This Nintendo Wii is fairly standalone – no SD Card or any peripherals, just the console itself. To obtain files from the Wii, we must install a software mod to gain root access. There are many ways of doing this; however, upon flipping through the console to find basic information, I found that this system had already been modded. Therefore, the main problem that needs to be addressed is which programs need to be run on the Wii to pull all of the files. A few applications were found that could address this issue.

After they are pulled, the files are analyzed with FTK Imager, specifically the hex viewer that is included in the program. Specific pieces of evidence were found, such as the console name, name of the user, what networks the system was connected to, and the network passwords. Other system information was also found, such as what games were played, what channels were installed onto the Wii, and then a full log of when the Wii was played and for how long. Using all of this information could potentially put a suspect at a time and place, or help corroborate/dispute a claim.


Steps of the Process

This is my forensic process for gathering information from a Nintendo Wii console. The process covers looking at the physical device, powering on the Wii and searching for information, pulling the file system and data from the flash memory, and then the forensic analysis of these files. I will then comment on my findings with this specific Wii, what further research could be done in general, and what could be handled in a better way.

The console that I will be running my tests on is seen below. It has no cables or peripherals attached. Also, looking in the removable media slot, there is no SD Card. If there were an SD Card present, I would remove it, image it separately from the device and do a separate analysis on it.

[Image 01]

Looking at the physical console, there is a serial number and model number. The serial number is: LU100287011 and the model number is RVL-001(USA). The LU1 models are one of the first batches sold in North America.

http://www.nintendo.com/consumer/lookup/repairs/warrantyLookup.do

[Image 02]

I also note that there seems to be no sign of entry into the device: there are no pry marks on any of the access panels, the tri-screw did not appear to have been touched, and on opening the system there were no additional chips of the kind normally seen in a hardware modification, such as a “WiiKey” (Wiikey, Wii-ModChips.com).

After noting these details, I connect the power cable to the Wii, connect an infrared signal bar, and then connect a component cable from the Wii to my television. Note that if a component cable does not produce a signal, a normal cable may be necessary to view any signal, due to the Wii’s last configuration. After powering on the machine, I note the following screen.

[Image 03]

The Wii menu stated that it was 3:07 pm when it was actually 2:42 pm, which is something to note for timestamp purposes. The date was correct, but I still need to check the year in the system settings.

I see that there is no disc inserted into the device, and also see the stock channels installed on the home screen (Mii creator, Photo Channel, Wii Shop Channel, Forecast Channel, and News Channel). However, there is no Opera-based Internet Browser channel installed on this device, which is a commonly downloaded channel. On another note, I notice that “The Homebrew Channel” is installed on this device. The only way for this unofficial channel to be on the Wii is for the Wii to be at least software modded. Having seen earlier that there are no mod chips, we can assume that this is the main change to the Wii system. Using this channel, I will be able to gain root access to the files on the Wii by running user-created programs through this security exploit.

If the Wii were not already modded in some way, I would have to install this channel to forensically analyze the device on a deeper level. This process involves taking advantage of one of four exploits, three of which involve corrupting save data. This can be accomplished in Zelda: Twilight Princess (Twilight Hack), Lego Indiana Jones (Indiana Pwns), or Super Smash Bros. Brawl (Smash Stack). The final hack is the easiest, does not require a specific game, and works on all system menus, including the newest, 4.3. This hack is called “BannerBomb” or “LetterBomb” and just requires an SD card (Wiibrew). This is the process I would use, and it is found here: http://www.wiibrew.org/wiki/Homebrew_setup#Letterbomb

The next step I use is just “thumbing” through the system settings to grab low-hanging fruit. I synched a Wiimote (Wii remote control) to the system by pressing the red button on the remote and hitting the synch button on the target system. When a blue light indicating the player’s number on the Wiimote turns on, this indicates that the remote and the console are paired. Going through the Wii settings, I found a few items of interest:

First, we see that the Wii’s system menu is version 4.1U. Then, looking at the console nickname, we find it to be “Burgatron”.

[Image 04]

[Image 05]

Looking at the date settings, I confirm that the year and date are correct in the Wii BIOS.

[Image 06]

The next things to look at are the connection settings. The default connection is a wireless connection to a router named “linksys”. It uses WPA-PSK (TKIP) encryption, and its password is hidden on screen. The other two connections are to a wireless router (or routers) also named “Burgatron”.

[Images 07 to 11]

Lastly, under console information, we find that the MAC address of the device is 00-17-ab-3e-45-d1 and that it does not have a LAN adapter connected. The standard network connection for a Wii system is an 802.11b/g wireless signal via its Broadcom 4318 chipset; however, a USB-to-Ethernet adapter can be purchased directly from Nintendo (Nintendo).

[Image 12]

Other items that can be checked include going through the other features of the system (Turnbull). These items include going into the Mii (Nintendo’s avatars) Channel, and seeing who is the default Mii, along with finding a list of all other users. On this particular Wii, we found the admin character to be “Michael”. Also note that the most used “favorite” characters will have a red crown next to their name.

On other channels you may be able to find locational data from the weather channel if it was ever used, along with messages to and from this device. In the messages, one can also find a log of when certain games were played, which cannot be deleted by the user (Turnbull). However, my Wii only shows recent changes such as thumbing through the channels. This in particular is one reason that perusing a system should not normally be done if other options are available: we risk changing information on the system. One idea from Turnbull is to wait at least 24 hours after securing a device before booting it. This prevents log files from being accidentally overwritten if the user had booted the system earlier that day.


Data Collection

The next part of my analysis uses The Homebrew Channel in order to run user-made utilities. Once The Homebrew Channel is installed on the target Wii, as detailed above, we may run programs off of an SD Card as long as they are in the right format (.dol or .elf) and placed in an /apps folder on the root of the card. Each program must be kept in its own subfolder of the apps directory, and its executable must be named “boot.dol” or “boot.elf”.

First, I take a 4GB SD card and reformat it with FAT32 to have a fresh working environment. I then populate an SD Card with an “apps” folder that is read by the Homebrew Channel.

I start by adding:

“FS Browser” utility, made by the author known as “Raven”. This application will allow me to pull the Wii’s File system to the SD Card, which will give me an idea of what I am working with.

“FSToolbox” allows me to dump the Wii’s flash memory (NAND) onto the SD card. This application was created by the author known as “nicksasa”.

“WiiXplorer” by Dimo is a more graphically enhanced file explorer that claims that it can export the files onto various formats, such as to a thumb drive via USB.

“RealWnD” by pcfree is a 1:1 Wii NAND dumper based on YaWnD 0.3. Note that when downloading this file, I had to rename the program to “boot.dol” before it would load correctly.

“Uname” is a simple utility by Benjamin Randazzo. This prints the system information and can be very useful in forensic analysis for a quick overview of the system.

All of these are hosted off of wiibrew.org and links are included in the references section.


Once I put these programs on the card, I insert the SD Card into the Wii and then boot The Homebrew Channel. There, I find my programs, some with a graphical button:

[Image 13]


Booting Uname, I find:

System Menu Version: 4.1 (449)

Device ID: 33678013

Boot2 version: 2

IOS version: 61 (rev 5405)

Founded titles: 94

Region: NTSC-U

CPU: Broadway IBM PowerPC @ 729MHz, byte order is big-endian

GPU: Hollywood v0x11 ATI graphics @ 243MHz

Starlet NEC ARM9 @ 243 MHz

Flash Memory: NAND (512 MB)

Main memory: 88MB

- 24MB “internal” 1T-SRAM

- 64MB “external” GDDR3 SDRAM

Failed getting network data (was not connected to the network to prevent data loss)

IP address: 128.12.185.96

Netmask: 128.10.142.160

Gateway: 128.11.0.0

MAC address: 00:17:AB:3E:45:D1

This confirms many thoughts about the system, and gives a nice summary for both the hardware and software. See the screenshot here:

[Image 14]


I then exit out of the program and boot into FS Browser (using the home key). I identify myself as SU rather than systemmenu, when prompted. Booting into systemmenu generated a system error for me, where I had to reboot the program.

Browsing, I see the following file structure (I also manually export every file that I see):

Tmp/
Meta/
    00010002/
        48414641/
            Title.met
        48414241/
            Title.met
        48414141/
            Title.met
        48414341/
            Title.met
        48414741/
            Title.met
Import/
Shared2/
    DWC_AUTHDATA
    Ec/
        Shopsetu.log
    Sync/
    Menu/
        FaceLib/
            RFL_DB.dat
    Sys/
        NANBOOTINFO
        Flags.dat
        SYSCONF
        Net/
            Dhcp.dat
            02/
                Config.dat
    Test2/
        Dvderror.dat
        Nanderr.log
    Succession/
        Transfer.id
        Shop.log
    Wc24/
        Misc.bin
        Nwc24dl.bin
        Nwc24fls.bin
        Nwc24fl.bin
        Nwc24msg.cbk
        Nwc24msg.cfg
        Mbox/
            Wc24send.mbx
            Wc24recv.mbx
            Wc24recv.ctl
            Wc24send.ctl
    Test/
        Testlog.txt
Shared1/
    ** Many files; I copied one, but there was a file error when trying to do the rest. Another program will be able to copy them all at once.
Title/
    00010005/
        735a4345/
            Content/
                Title.tmd
                000001bb.app
                000001ba.app*
                0000020a.app*
            Data/
        735a4445/*
    00010004/*
    00010000/*
    00010001/*
    00010008/*
    00010002/*
    00000001/*
Ticket/
    00010000/
        48415a41.tik
    00010005/
        735a4545.tik
        735a4445.tik
        735a4345.tik
        735a4245.tik
        735a4145.tik
    00010001/*
    00010008/*
    00010002/*
    00000001/*
Sys/
    Space.sys
    Uid.sys
    Cert.sys

All files or folders marked with * were not copied to the SD card due to time constraints. Another program, used next, will be able to export all of them at once. I used this program to support my findings from the other programs. Since each file that was extracted matched identically, I can say that these programs do the job they claim very well.


Next, I take the SD Card out of the Wii and move the results from the last program into a research folder. I then reformat the card, and put the programs back onto it.

Maneuvering back into The Homebrew Channel, I boot FSToolbox. Using this program, I selected to load under IOS 36 (recommended). I can also access savedata by loading IOS 249 or a custom IOS, however IOS 36 should be able to pull all needed information.

This program allows me to dump the entire file system of the Wii onto the SD Card. I do this, exit the program and remove the SD Card and back up the files that I just collected.

I then try to run the other two programs; however, I ran into some problems.

RealWnD

This program gave me an error, saying that it couldn’t read the NAND and that I was possibly running a new IOS. Therefore this program was not compatible.

WiiXplorer

This program on first boot froze trying to load IOS 58. I had to do a hard reset of the Wii. I tried a second time and I received the same error.

Luckily, the previous three programs gave me a good working ground without RealWnD and WiiXplorer.


Data Analysis

The next step of my process is to take the files that we collected and analyze them with FTK Imager, specifically the Hex Viewer included in the program. Looking at both collections of files, pulled by FS Browser and FSToolbox respectively, they appear to be identical. I choose to analyze the files taken from FSToolbox since it pulled the entire file system, which preserved the directory structure. I then go through every single file, browsing the full hex of each to find artifacts or anything of use to the investigation.


Title/00010005/735a4345/content/000001bb.app

Going through the files in FTK Imager, looking through the Hex, I found that the 000001bb.app file contains information on “Realworld” by The All American Rejects. This file contains the song information, including lyrics and other metadata.

“content.songs.realworld.realworld.bik.realworld.mid.realworld.pan.gen.realworld.milo_wii.realworld_weights.bin”

5041525420564F43414C53AC44900C62000E623C800C40000E4000FF01085B6D656C6C6F775D

PART VOCALS¬D.b..b<.@..@.ÿ..[mellow]

035468650090397F812180394065FF05047368612D0090417F81588041403EFF0504646F77730090417F81518041408177FF0504636F6D650090417F82298041408453FF05036275740090397F60803940811FFF05026E6F0090417F8229804140813BFF05036F6E650090417F817A8041408224FF05057365656D730090417F824480414067FF0502746F0090437F5980434078FF050463617265

.The..9..!.9@eÿ..sha-..A..X.A@>ÿ..dows..A..Q.A@.wÿ..come..A..).A@.Sÿ..but..9.`.9@..ÿ..no..A..).A@.;ÿ..one..A..z.A@.$ÿ..seems..A..D.A@gÿ..to..C.Y.C@xÿ..care

This continues throughout all the lyrics of the entire song, which led me to realize that this was from the game Rock Band.

Similarly, title/00010005/735a4445/ contains song information on “The Taste of Ink” and “Pokerface”.

These are all downloadable songs for the game Rock Band, which shows that a user downloaded these and installed them onto the system at one point.


/shared2/sys/net/02/Config.dat

000000000000000000000000427572676174726F6E0000000000000000000000000000000000

…………Burgatron……………..

(This was found twice in the file)

6C696E6B737973000000000000000000000000000000000000000000000000000007000000040000000A00006672317A62333363617400

linksys…………………………….

..fr1zb33cat.

Note that “fr1zb33cat” is the password for the Linksys wifi.

This file seems to save unencrypted passwords for the three networks stored on the system. Analyzing a Wii in this way could be a potential means of recovering saved wifi passwords if ever needed in an investigative setting, along with giving useful information about the networks that the Wii has connected to.
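As an added example (not code from this write-up or from any of the tools it uses), here is a small Python carver for the wireless-credential block of config.dat. The field offsets and encryption codes are assumed from the wiibrew community description of the file; they agree with the byte pattern quoted above, where the SSID is followed by its length 0x07, the encryption byte 0x04 (WPA-PSK TKIP), the key length 0x0A and then the key. The sample image is constructed.

```python
from typing import Dict, List, Optional

# Offsets inside one wireless credential block of config.dat, relative to the
# start of the SSID field. Assumed from the wiibrew description of the file;
# they match the bytes quoted above (SSID, 0x07 length, 0x04 = WPA-PSK TKIP,
# 0x0A key length, then the key).
SSID_OFF, SSID_LEN_OFF, ENC_OFF, KEY_LEN_OFF, KEY_OFF = 0x00, 0x21, 0x25, 0x29, 0x2C
SSID_MAX, KEY_MAX = 32, 64
BLOCK_LEN = KEY_OFF + KEY_MAX  # 0x6C bytes from the SSID to the end of the key
# Encryption byte values, also assumed from the wiibrew description.
ENCRYPTION = {0x00: "open", 0x01: "WEP-64", 0x02: "WEP-128",
              0x04: "WPA-PSK (TKIP)", 0x05: "WPA2-PSK (AES)", 0x06: "WPA-PSK (AES)"}


def parse_wifi_block(blob: bytes, off: int) -> Optional[Dict[str, str]]:
    """Decode the credential block at `off`; None if the bytes there do not
    satisfy the layout's own consistency rules."""
    if off + BLOCK_LEN > len(blob):
        return None
    ssid_raw = blob[off + SSID_OFF:off + SSID_OFF + SSID_MAX]
    ssid_len, enc, key_len = blob[off + SSID_LEN_OFF], blob[off + ENC_OFF], blob[off + KEY_LEN_OFF]
    # Consistency rules that double as a carving heuristic: the stored length
    # must match the NUL-padded SSID field, the encryption byte must be a
    # known value and the key must fit its 64-byte field.
    if not (0 < ssid_len <= SSID_MAX) or key_len > KEY_MAX or enc not in ENCRYPTION:
        return None
    if 0 in ssid_raw[:ssid_len] or any(ssid_raw[ssid_len:]):
        return None
    key_raw = blob[off + KEY_OFF:off + KEY_OFF + key_len]
    return {"ssid": ssid_raw[:ssid_len].decode("ascii", "replace"),
            "encryption": ENCRYPTION[enc],
            "key": key_raw.decode("ascii", "replace")}


def carve_wifi_blocks(blob: bytes) -> List[Dict[str, str]]:
    """Scan a whole config.dat image for credential blocks at any offset, so
    the header and the fields before the SSID need not be understood to
    recover which networks the console was joined to."""
    found, off = [], 0
    while off + BLOCK_LEN <= len(blob):
        entry = parse_wifi_block(blob, off)
        if entry is None:
            off += 1
        else:
            found.append(entry)
            off += BLOCK_LEN
    return found


def build_wifi_block(ssid: str, enc: int, key: str) -> bytes:
    """Constructed test data: lay a block out exactly as parse_wifi_block expects."""
    blk = bytearray(BLOCK_LEN)
    s, k = ssid.encode("ascii"), key.encode("ascii")
    blk[SSID_OFF:SSID_OFF + len(s)] = s
    blk[SSID_LEN_OFF], blk[ENC_OFF], blk[KEY_LEN_OFF] = len(s), enc, len(k)
    blk[KEY_OFF:KEY_OFF + len(k)] = k
    return bytes(blk)


# Constructed sample image standing in for /shared2/sys/net/02/config.dat:
# an 8-byte header, two credential blocks and some filler.
SAMPLE_CONFIG = (b"\x00" * 8
                 + build_wifi_block("examplenet", 0x04, "c0nstructed!")
                 + b"\x00" * 16
                 + build_wifi_block("cafe-open", 0x00, "")
                 + b"\x00" * 32)

if __name__ == "__main__":
    for e in carve_wifi_blocks(SAMPLE_CONFIG):
        print(f'{e["ssid"]:<32} {e["encryption"]:<16} key={e["key"]!r}')
```

Run against a real config.dat dump, the carver lists each stored network with its encryption type and key, which is the same information the hex viewer walk-through above recovered by hand.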


Shared2/Wc24/Nwc24dl.bin

http://ccs.cdn.shop.wii.com/ccs/download/0001000248414241/dynamicBanner_en_US

https://mariokartwii.race.gs.nintendowifi.net/raceservice/maindl_us_en.ashx

Shared2/Wc24/nwc24msg.cbk

https://mtw.wc24.wii.com/cgi-bin/send.cgi

The Wii made contact with these servers (among many others) at one point.


/shared2/menu/FaceLib/RFL_DB.dat

Contains information on all of the “Mii” users added to the Wii. The first entry is:

524E4F44AFC9004D00690063006800610065006C0000000000006222806FF7BAC25D2F3700C485E01938C893986CA640134CB04D008A1E8A2504004D0061006E006C0079
RNOD¯É.M.i.c.h.a.e.l……b”.o÷ºÂ]/7.Ä.à.8È..l¦@.L°M….%..M.a.n.l.y

The main user was “Michael B” – created by “manly”.


/shared2/sys/SYSCONF

4E696E74656E646F2052564C2D434E542D303100

Nintendo RVL-CNT-01

This is the model number of the Wii.


Sys/Uid.sys

…………………………………123J……….Þ­…………………………..121J……..122E……..0002…         …..UPD…

….RAAE…….HAGA……HACA……HAAA……..HABA……..HAFA……..RZDE……..RSPE……..REXE……..REDE………………………………….HAKE………………..PAAE……..FAME……..MAFE……..RELE……..HAFE……..HADE…………… ….HAGE…!….RRBE…”….HALE…#….HAJE…$….RODE…%………..&………..’….JADE…(….JBIE…)….FBDE…*………..+………..,….HAWE…….FBIE………UPE…/………..0………..1….RM3E…2….R8PE…3…….”…4….NABE…5….FASE…6….RGHE…7….RZPE…8….HAPE…9…….#…:…….!…;….HAYA…<….HAZA…=….RMGE…>….NAKE…?….JAAE…@….RNHE…A….FCWE…B….FC3E…C………..D…….$…E….RSBE…F….HBLE…G….HBFE…H….HA8E…I….HBGE…J….HBBE…K…….%…L….HATE…M….RFNE…N….RGVE…O….HBAE…P….HBKE…Q….RLVE…R….ROWE…S……….T…….3…U….SXAE…V…….<…W………..X…….&…Y…….2…Z…….5…[…….7…\…….=…]…….þ…^….RM8E…_….HAXX…`….JODI…a….SMNE…b…….ù…c…….ú…d………..e….R9OE…f….RZTJ…g….RYBE…h….RMCE…i….RP2E…j…….8…k….SB4E…l….STWE…m….RQOE…n….SZAE…o…….Þ…p…….ß…q….SXEE…r….RKXE…s….sZAE…t….SXFE…u….SXCE…v….sZBE…w….sZDE…x….sZCE…y….¯.õ….z….DVDX…{….RVUE…|….R5TP…}…….:…~….SF8E……..R7PP……..RHOE……..SKJE……..R2TE……..STKE……..RUUE……..SNCE……..RZZE……..RBKE……..SOUE……..R9IJ……..R84E……..STXE……..R2UP……..SJXE……..SOJP……..RK5E……..SJDP……..R7PE……..SERE……..RHEP……..SEME……..R3MP

Wii games all have a four-character ID code, e.g. RSBE = Super Smash Bros. Brawl. I hypothesize that these are all games that have been played on this Wii, but further research is needed to prove this. Also, a list of all of these codes could not be found.
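An added Python example (not from this write-up) to support the reading of uid.sys above. The record layout is assumed from the wiibrew documentation: 12-byte records holding a 64-bit title ID, 16 bits of padding and a 16-bit uid handed out sequentially from 0x1000. That is consistent with the dump, where the characters between codes step through “!”, “"”, “#”, “$” as the uid's low byte increments. The same decoding explains the hex folder names under meta/ and title/ (48414641 is “HAFA”, 735a4345 is “sZCE”). The sample records and the title-type names are constructed and assumed respectively.

```python
import struct
from typing import Dict, List

# Upper 32 bits of a Wii title ID give the title type; names assumed from the
# wiibrew documentation of title IDs.
TITLE_TYPES = {
    0x00000001: "system (boot2, IOS, System Menu)",
    0x00010000: "disc game",
    0x00010001: "downloaded channel",
    0x00010002: "built-in system channel",
    0x00010004: "disc game with installed channel",
    0x00010005: "downloadable content",
    0x00010008: "hidden channel",
}

# One uid.sys record: 64-bit title ID, 16-bit padding, 16-bit uid, big-endian
# like the Broadway CPU that Uname reported. Layout assumed from wiibrew.
RECORD = struct.Struct(">QHH")
FIRST_UID = 0x1000  # assumed: uids are handed out sequentially from here


def decode_title_code(low: int) -> str:
    """Render the low 32 bits of a title ID the way the dump shows them: a
    printable four-character code such as RSBE (or HAFA for the meta/ folder
    48414641), otherwise plain hex as for IOS and other system titles."""
    raw = low.to_bytes(4, "big")
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return f"{low:08x}"


def parse_uid_sys(blob: bytes) -> List[Dict[str, object]]:
    """Split a uid.sys image into records; a trailing partial record is ignored."""
    entries = []
    for off in range(0, len(blob) - len(blob) % RECORD.size, RECORD.size):
        title_id, _pad, uid = RECORD.unpack_from(blob, off)
        high, low = title_id >> 32, title_id & 0xFFFFFFFF
        entries.append({
            "uid": uid,
            "title_id": f"{title_id:016x}",
            "type": TITLE_TYPES.get(high, f"unknown type {high:08x}"),
            "code": decode_title_code(low),
        })
    return entries


def uids_sequential(entries: List[Dict[str, object]]) -> bool:
    """True when the uids run FIRST_UID, FIRST_UID+1, ... with no gap, which is
    what an untouched table should look like; a gap or reordering is worth
    noting before treating record order as the order titles were added."""
    return [e["uid"] for e in entries] == list(range(FIRST_UID, FIRST_UID + len(entries)))


def make_record(title_id: int, uid: int) -> bytes:
    """Constructed test data in the assumed record layout."""
    return RECORD.pack(title_id, 0, uid)


# Constructed sample: System Menu, IOS36, a built-in channel from the meta/
# listing (HABA), a disc game (RSBE) and a Rock Band DLC title (sZCE).
SAMPLE_UID_SYS = b"".join([
    make_record(0x0000000100000002, 0x1000),
    make_record(0x0000000100000024, 0x1001),
    make_record(0x0001000248414241, 0x1002),
    make_record(0x0001000052534245, 0x1003),
    make_record(0x00010005735A4345, 0x1004),
])

if __name__ == "__main__":
    for e in parse_uid_sys(SAMPLE_UID_SYS):
        print(f'{e["uid"]:#06x} {e["title_id"]} {e["code"]:<8} {e["type"]}')
```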


Shared2/WC24/Mbox/Wc24recv.mbx


Date: Fri, 27 Aug 2010 07:35:04 +0000 (UTC)

From: w9999999900000000@wii.com

To: allusers@wii.com

Message-ID: <15717714.441282894504777.JavaMail.w9999999900000000@wii.com>

Subject:

MIME-Version: 1.0

Content-Type: text/plain; charset=utf-16BE

Content-Transfer-Encoding: base64

X-Wii-AltName: AE4AaQBuAHQAZQBuAGQAbw==

X-Wii-MB-NoReply: 1

X-Wii-AppID: 3-48414541-3031

X-Wii-MB-UpdateSW: 1

X-Wii-Cmd:…


Date: Tue, 8 Mar 2011 08:15:09 +0000 (UTC)

From: w9999999900000000@wii.com

To: allusers@wii.com

Message-ID: <21480956.411299572109891.JavaMail.w9999999900000000@wii.com>

Subject:

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_Part_41_23473608.1299572109890"

X-Wii-AltName


Date: 19 Jan 2010 00:07:11 -0000

From: w0425021521504854@wii.com

To: w0425021521504854@wii.com

Message-Id: <000070001828E08CFAA56037330E7@wii.com>

X-Wii-AppId:

This information may not be of much use; however, I believe that these dates synch with potential system update packs. More research on these messages is needed.


/meta/00010002/

All of these folders contain subfolders, each of which has a “title.met” in it. These files contain information on the official channels installed on the Wii. These include: Photo Channel, Wii Shop Channel, Mii Channel, Forecast Channel, and News Channel. Other downloadable channels would probably show up here too, but more research is needed for proof.


/title/00000001/00000002/data/cdb.vff

T.o.d.a.y.’.s. .A.c.c.o.m.p.l.i.s.h.m.e.n.t.s…T.o.d.a.y.’.s. .P.l.a.y. .H.i.s.t.o.r.y.

.

.H.o.m.e.b.r.e.w. .C.h.a.n.n.e.l.

. . . . . .0.1.:.1.0.

.

.H.o.m.e.b.r.e.w. .C.h.a.n.n.e.l.

. . . . . .0.0.:.2.9.

.

.T.o.t.a.l. .P.l.a.y. .T.i.m.e.

. . . . . .0.1.:.3.9…


W.i.i. .S.p.o.r.t.s. .R.e.s.o.r.t. 0Ë0å0ü0¹.

.2.0.1.0./.0.5./.1.6. ÿ.eåÿ          . .2.3.:.4.2.

.

%Ï0¢0ü0Á0§0ê0ü.

.M.i.c.h.a.e.l0U0..

.

0J0.0g0h0F0T0V0D0~0Yÿ…¯È.M.i.c.h.a.e.l……b”.o÷ºÂ]/7.Ä.à.8È..l¦@.L°M….%..M.a.n.l.y………………………………….2010       …Ëy2<2<..Ëy2<……


This file acts as a potential log file. It shows activity of specific users, when, how long and which programs are being used. This is a larger file and should be combed through carefully, but its contents can be very useful. Note that when backup games are played via the homebrew channel, it registers as the “Homebrew Channel” rather than the game itself.


Title/00010000/

Each folder is a separate game. The first few are “Let’s Tap”, “Metroid Prime Trilogy”, and “Punch Out”. Some contain save games and game data, but they are encrypted.


Issues and Problems

I believe that the bulk of this examination was successful; however, there are a few issues or problems that should be dealt with. Many of the files in the file system were encrypted with the Wii’s AES-128-CBC encryption, which made my job a bit harder (Wiibrew). If I were able to decrypt these files, I believe that I could have gained more information, such as email addresses and potentially credit card transactions.

Next, a better selection of tools would be appreciated. Although the tools I used worked especially well for the job they were required for, a full-on forensic tool for the Wii would be interesting. Also, there were a couple of programs that would not work on this particular Wii.

For further research, I would like to pre-populate the system with known items, and see where they are stored on the Wii. On this Wii, there were no messages that were sent or received, no pictures added to the photo channel, no address book, nothing bought over the Wii-shop network, no forecast data, no news data, and no internet browser installed. Most importantly out of this list, I would like to research where history files are kept for the Wii’s default Opera-based browser.

Lastly, in order for me to gain root access, the Wii must be modded. A forensic study of what happens to certain files when the Wii is modded, and of whether the process is forensically sound, would be valuable. I hypothesize that although it installs a custom operating system, the bulk of the user’s information stays the same; however, a study would be needed to show this. One other paper detailed a forensic analysis of a Wii, but it was not able to pull any of the file system data and instead “thumbed” through the device. This made the forensic analysis of this device difficult, since there were no other papers detailing a set process, which is why I created this work.

Conclusions

Overall, this was a successful forensic analysis. Although I was not able to find much personal data, there is still a lot of useful information that can be taken from the system. I was able to find information on the hardware and software of the machine, the networks it has been connected to (including the passwords used), the names of the users, log files of when games were played and for how long, and other minor items. Other potential items that could be found on the system would be web history and messages sent to and received from the device. Using all of this information and combining it with other pieces of information found at the scene could be extremely helpful in a case. Where this may fall apart comes down to how long it takes to gather this information compared to its usefulness. In certain cases this would absolutely come in handy; for the bulk of cases, probably not so much.


References

FS Browser [Computer software]. Raven. Retrieved October 8, 2013 from: http://wiibrew.org/wiki/FS_Browser

FS Toolbox (Version 0.4) [Computer software]. Nicksasa. Retrieved October 8, 2013 from: https://code.google.com/p/fstoolbox/

Nintendo Co. Ltd, Nintendo Customer Service – Wii LAN Adapter, 2007; http://www.nintendo.com/consumer/systems/wii/en_na/gi_system.jsp

RealWnD (Version 0.21) [Computer software]. Pcfree. Retrieved October 8, 2013 from: http://wiibrew.org/wiki/RealWnD

Turnbull, B. (2008). Forensic investigation of the Nintendo Wii: A first glance (Doctoral dissertation, Purdue University Cyber Forensic Lab).

Uname (Version 0.3) [Computer software]. Benjamin Randazzo. Retrieved October 8, 2013 from: http://wiibrew.org/wiki/Uname

Wii Brew. (n.d.) Retrieved October 8, 2013 from the Wii Brew Wiki: http://wiibrew.org/

Wiikey, Wiikey Installation Manual, 2007; http://www.wiikey.cn/images/installWiiKey.pdf.

Wii-ModChips.com, Compare Wii ModChips: Nintendo Wii, 2007; http://www.wii-modchips.com/compare.htm

WiiXplorer (Version r259) [Computer software]. Dimok. Retrieved October 8, 2013 from: http://wiibrew.org/wiki/WiiXplorer

