Multiplayer Game Forensics

June 10th, 2010

Massively Multiplayer Online Role Playing Game is a mouthful, so most people shorten the full moniker to the acronym MMORPG.

A little background for those who don’t play games online. MMORPGs are just one flavor of many types of online games. MMORPGs include such games as World of Warcraft, Sims Online, Everquest, Everquest II, Second Life, Age of Conan, Hello Kitty Adventure Island, Free Realms, and dozens more.

However, that list does not include other types of online games such as Party Poker, Red Baron, Call of Duty, Enemy Territory, Quake, and so many others that I cannot begin to list them all here.

Currently there are over one hundred and fifty of these games being played by millions of people throughout the world, and there are over one hundred new games currently in development for release over the next two years.[1]

These games have many target audiences, including games just for children such as Free Realms, Hello Kitty Adventure Island, and others. They can be played on personal computers, on Playstation and X-Box consoles, and even on phones.

Online games have reached a level of popularity that means that you will more than likely encounter this type of evidence in a case at some point. World of Warcraft alone claims millions of subscribers. And that is just one game of literally dozens of online game titles.

Anywhere people congregate and interact over time you will find crime or some form of bad behavior. A quick Google search will turn up dozens of news stories where people are accused of committing real-world crimes where one of these games has played a part. Here are excerpts from just a few of those published news stories:

“A Houston mom is accused of luring a then 15-year-old Canadian boy into a sexual relationship after “meeting” him through the online game World of Warcraft, according to a report from Fox.

Lauri Price, 42, apparently thought this through. She decided she’d fly to Canada to have relations with the boy when he turned 16—as a way to sidestep U.S. statutory rape laws. (In Canada, the age of consent is 16.)”[2]

“A South Korean couple whose three-month-old daughter died of malnutrition while they were raising a virtual child in an online game pleaded guilty to negligent homicide on Friday.”[3]

“A Portland woman who met a 14-year-old Tennessee boy while playing the online game ‘World of Warcraft’ is accused of engaging him in sexual chats and trading explicit photos.”[4]

“PORTLAND, Ore. – The Multnomah County Sheriff’s Office has launched an investigation into allegations that a local corrections deputy bragged about using a Taser gun on people in an Internet chat room.

“Lt. Jason Gates of the Multnomah County Sheriff’s Office said he is appalled at the alleged online comments of the county corrections officer.

“According to Gates, Thompson used a county work computer to play the online video game ‘City of Heroes’ while on the job and then boasted about the joy he gets from hurting people in jail in the chat room.

“Budnick said that according to Trafalgar’s online chat, the deputy has posted more than 1,700 messages on the ‘City of Heroes’ Web site since January. At one point, he allegedly posted 64 messages in 24 hours.”[5]

People are people, and when they interact with others, online affairs and other relationships can bubble up. Some people get addicted to these games and play them many, many hours per week, sometimes to the exclusion of all else in their lives.

And in online games, the only representation you get of a person is their game avatar and their chats, whether text or voice. It is easy for a person to get attached to another’s online persona. And that persona can be entirely made up to suit the person projecting it, for whatever reason they may have to do so.

Be aware that child predators also see these games as a place to groom potential victims.

Are you handling a case of child neglect? Could game logs show what the person was doing instead of caring for a child?

Could game logs reveal a connection to someone that will help solve a missing persons case?

Can the presence of a game lead you to look for other information such as forum memberships and posts?

Data is everywhere. Not all of it is relevant, but the only way to know is to look. Don’t overlook possible evidence just because it is a game.

A Forensic Analysis of Everquest II

Most of these games keep logs of their activities. In addition to the logs the games keep automatically, players often keep additional log files by turning on in-game logging.

In addition, inside the files in the program directory you will find the names of the player’s accounts and characters (avatars) that they play.

Everquest II also keeps a handy little file that captures the most recent commands the player sent to the game. Players are generally not aware of this file, since they have no control over it.

The majority of these automatically generated logs carry date and time stamps inside them, so even if someone changes the file’s date and time, the original time stamps may still be recoverable from the log contents.

Everquest II keeps a log of when the game was installed, when it was last logged in, and the session times. By analyzing all of the logs, you can determine play session dates and times.

If the player has turned on in-game logging, you have a treasure trove of information. In-game logging records everything the player types into the game, with time stamps, as well as everything anyone else in the game types in a message to the player.

By analyzing in-game logging files, you can determine dates and times of play sessions along with the length of time for each session.

And of course you get all the conversations the person had while playing the game, if they are using the game interface for chatting via the keyboard.

However, bear in mind that many players also use voice chat to talk directly to other people in the game using a microphone and headset. Those conversations are not logged unless you are a party to the conversation and have a method to record the audio.

All of the files analyzed in this article are located in the Everquest II directory or in the Station directory.

Finding Player Account Names and Characters

The Station Launcher Properties.ini file contains a list of all user accounts that have been accessed on the computer.

The install-location.xxxxxxxxxxx.eq2-live would have the player’s account name where you see the string of x’s. I have redacted the actual account names in this example. This is a player’s actual account name for logging into the game and not their character name.

Figure 1 – Station Launcher Properties.ini

Using the information from the file above, you can locate a particular account name and open the xxxxxxxxxxx_characters.ini file to see the character names that are active for that account. Remember that the xxxxxxxxxxx would actually be a name of an account.

Figure 2 – Account File That Contains Character Names

Inside the xxxxxxx_characters.ini file you will find the character name and the SONY server where that character is located. Note that character names are only unique by server and not for the entire game.

Figure 3 – Character Names for the Selected Account

In addition, the eq2_recent.ini file stores the last logged in account. In this case, I have redacted the account name and replaced it with x’s. Note that you also see the server name the player last logged into.

Figure 4 – The Last Logged In Account

Finding an Account’s Friends List

You can locate the friends list for a character by opening the Server_CharacterName_eq2_notes.txt file, where CharacterName is the name of the actual character.

Figure 5 – A Character’s Friends List

Daily Connection Logs

Every time a player logs into Everquest II, a daily connection log is created for that day. Only one log is created per day, so if the player has multiple sessions, they are all recorded in that day’s log. These files are located in the logs subdirectory.

Figure 6 – Daily Connection Logs

The time stamp for the Daily Connection Log is the time of the first session for that day.

Figure 7 – Inside a Daily Connection Log

Inside the Daily Connection log, viewed here in WordPad, you can see the end of the play sessions for that day.

Parsing Log Files

If the user has logging turned on in the game, Everquest II will keep extensive detailed logs of everything the player interacts with, including all private chats. In the game, a private chat is initiated by the /tell command. To locate the log files for a particular character, you navigate to the logs subdirectory, then to the server subdirectory, and finally to the play log file.

Figure 8 – Server Log Folders

Once you are inside a server’s subdirectory you will see a listing of all the log files for that server.

Figure 9 – Log Files in the Unrest Server Directory

These log files can get extremely large and contain a great deal of information that is irrelevant from a forensic analysis standpoint.

Parsing Logs in Microsoft Access

In their raw format, the log files are difficult to read.

Figure 10 – Log File Viewed in WordPad

The easiest way to parse the log files to extract the information you would want in a forensic exam is to import the text file into an Access database. Here are the steps to import and then analyze the log files using Access queries.

Step 1: Open MS Access and select Get External Data – Import

Figure 11 – Step 1

Step 2: Locate the log file you want to import into Access

Figure 12 – Log Files

Step 3: Start the import process

Since the log text can contain punctuation (including the characters a delimited import would treat as separators), the best method is to import the log as fixed width.

Figure 13 – The Text Wizard Import Dialog

Step 4: The lines with the arrows pointing up below are where the wizard thinks the fields should be divided. Double click on the leftmost arrow to remove that field break. That will keep the time stamp field whole with the year. See Figure 15 for the completed step.

Figure 14 – Import Text Wizard Field Breaks Dialog

Figure 15 – Import Text Wizard with the Field Break Removed

Step 6: Complete the import process by clicking Finish to import the log files into a new table.

Figure 16 – Import the Log File into a new table

Creating Queries to Parse the Log File

Step 1: In Access, select Queries and then click Create Query in Design View.

Step 2: Select the table you created earlier when you imported the log file and click Add.

Figure 17 – Select the Table Created from the Log File

Step 3: Drag the fields to the grid in the lower pane of the Design Query window.

Figure 18 – Drag the fields to the Query Grid

At this point, if you run the query, you would see the data in the view below:

Figure 19 – Initial Query View

Step 4: Add descriptive names to the column headers. To add a descriptive header, click in the field name and type what you want to show as the column name followed by a colon, e.g. Time Stamp:. The colon is required to tell Access that you are putting a label in the field.

Figure 20 – Query with Descriptive Headers

Figure 21 – Query View after Adding Header Names

Step 5: Add the ID field by dragging it to the grid. The ID field is automatically created by MS Access and is an autonumber field.

Figure 22 – Add the ID Field to the Query

Figure 23 – Query View with the ID Field

The reason we want the ID field in the query is to add some forensic tracking to the result set. Note that when you delete a record, its ID (3 in this case) is deleted along with it. You cannot manually manipulate the autonumber field, so any deletion shows up as a missing ID number.

Figure 24 – Deleting a record deletes the ID for that record.

Parsing the Log File by Using Criteria

To parse the information you want to see from the log file, you add selection criteria to the Log Text field. In this case, you need to add two criteria: one for tells sent by the user and one for tells received by the user. In MS Access, the Like keyword tells the database engine to find anything “like” the phrase you entered, and the asterisks tell the engine to match anything before and after the phrase.

Figure 25 – Criteria for Parsing Private Tells

Figure 26 – Parsed Query for Incoming and Outgoing Private Tells

To find the user log in and log out times, you add criteria that tell you when the character logs in and out. For Everquest II, the start of a session begins with the notice that logging is on and ends with the keyword “camp”.

Figure 27 – Criteria for Session Start and Stop

Figure 28 – Query View Showing Session Starts and Stops
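For readers without Access, the following script is an added example (not from the original article) that performs the same import and queries in Python: it keeps the time stamp whole, numbers each record like the Access autonumber ID, filters private tells with a case-insensitive “Like” match, and pairs the “logging is on” notice with the following “camp” to compute session lengths. The log line layout, the “You tell” / “tells you” phrasings and the exact wording of the session markers are assumptions, and the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Assumed layout: "(epoch)[Day Mon DD HH:MM:SS YYYY] message". Only the bracketed
# stamp is used, mirroring the Access import where that field is kept whole.
LINE_RE = re.compile(r"^\((\d+)\)\[([^\]]+)\] (.*)$")
STAMP_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample log (player and contact names are placeholders).
SAMPLE_LOG = """\
(1275000000)[Thu May 27 19:06:40 2010] Logging is on.
(1275000031)[Thu May 27 19:07:11 2010] You tell Redactedname, "are you on tonight?"
(1275000055)[Thu May 27 19:07:35 2010] Redactedname tells you, "yes, for a while"
(1275000120)[Thu May 27 19:08:40 2010] You say, "hello everyone"
(1275003600)[Thu May 27 20:06:40 2010] You begin to camp.
(1275090000)[Fri May 28 20:06:40 2010] Logging is on.
(1275095400)[Fri May 28 21:36:40 2010] You begin to camp.
(1275180000)[Sat May 29 21:06:40 2010] Logging is on.
"""


@dataclass(frozen=True)
class LogRecord:
    rec_id: int        # import order; plays the role of the Access autonumber ID
    stamp: datetime    # full time stamp including the year
    text: str          # the "Log Text" field


def parse_log(raw: str) -> List[LogRecord]:
    """Import the log: one record per well-formed line, numbered from 1."""
    records: List[LogRecord] = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than mis-split it
        stamp = datetime.strptime(m.group(2), STAMP_FMT)
        records.append(LogRecord(len(records) + 1, stamp, m.group(3)))
    return records


def like_any(records: List[LogRecord], *phrases: str) -> List[LogRecord]:
    """Equivalent of several Access 'Like "*phrase*"' criteria ORed together."""
    wanted = [p.lower() for p in phrases]
    return [r for r in records if any(p in r.text.lower() for p in wanted)]


def private_tells(records: List[LogRecord]) -> List[LogRecord]:
    # Outgoing tells start "You tell <name>", incoming ones contain "<name> tells you".
    return like_any(records, "You tell ", " tells you")


def sessions(records: List[LogRecord]) -> List[Tuple[datetime, Optional[datetime]]]:
    """Pair each 'logging is on' notice with the next 'camp'. An unmatched start
    (disconnect, crash, or log still open) is reported with end=None."""
    out: List[Tuple[datetime, Optional[datetime]]] = []
    start: Optional[datetime] = None
    for r in records:
        low = r.text.lower()
        if "logging is on" in low:
            if start is not None:
                out.append((start, None))
            start = r.stamp
        elif "camp" in low and start is not None:
            out.append((start, r.stamp))
            start = None
    if start is not None:
        out.append((start, None))
    return out


def session_seconds(session: Tuple[datetime, Optional[datetime]]) -> Optional[int]:
    start, end = session
    return None if end is None else int((end - start).total_seconds())


def missing_ids(records: List[LogRecord]) -> List[int]:
    """The forensic check from the ID column: any gap in the numbering means a
    record was removed after import."""
    present = {r.rec_id for r in records}
    return [i for i in range(1, max(present) + 1) if i not in present] if present else []
```

Run against a real log by replacing SAMPLE_LOG with the file contents; if the installed game writes a different layout, adjust LINE_RE and STAMP_FMT and the rest applies unchanged.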

Other Information Available

Everquest II also maintains a file called eq2cmdhistory.txt. This file records the last thirty commands typed by the player. Since a /tell (private chat) is a command, this file records that activity. However, you only get the player’s side of a conversation this way.

Figure 29 – Location of the eq2cmdhistory.txt File

The figure below shows the content of the eq2cmdhistory.txt file. Note the /tell commands and the text following them. While the file does not record any date or time information internally, its modified date is updated for each gaming session.

Figure 30 – Content of the eq2cmdhistory.txt File.

Everquest II also has an in-game browser capability. You can find the in-game browser history in the mozilla folder inside the Everquest II directory.

Figure 31 – In Game Browser History

Getting Even More Information

Sony Online Entertainment keeps extensive server-side logs for each character and account. You should be able to obtain these through their custodian of records. Their corporate address is Sony Online Entertainment LLC, 8928 Terman Ct., San Diego, CA 92121.

References:

  1. MMORPG.com – Your Headquarters for Online Multiplayer Games, RPG Online Games, Online Role Playing Free Games! Web. 15 May 2010. www.mmorpg.com.
  2. “Houston Mom Accused of Luring Teen for Sex through Online Game? Moms At Work? Orlando Sentinel.” Orlando Sentinel Blogs – OrlandoSentinel.com. Web. 15 May 2010. blogs.orlandosentinel.com/features_momsatwork/2010/01/houston-mom-accused-of-luring-teen-for-sex-through-online-game.html.
  3. “Couple: Internet Gaming Addiction Led to Baby’s Death – CNN.com.” CNN.com – Breaking News, U.S., World, Weather, Entertainment & Video News. Web. 15 May 2010. www.cnn.com/2010/WORLD/asiapcf/04/01/korea.parents.starved.baby/index.html.
  4. “Portland Woman Accused of ‘World of Warcraft’ Chat with Boy That Turned Sexual | OregonLive.com.” Oregon Local News, Breaking News, Sports & Weather – OregonLive.com. Web. 15 May 2010. www.oregonlive.com/portland/index.ssf/2010/03/portland_woman_accused_of_worl.html.
  5. “Officer Accused Of Bragging Online About Using Taser Gun – Portland News Story – KPTV Portland.” Portland News, Oregon News and Local Weather from KPTV FOX 12 News. Web. 15 May 2010. www.kptv.com/news/14065232/detail.html.

Larry E. Daniel is a computer and cell phone forensics consultant working with clients throughout the U.S. and handling all types of civil and criminal cases. He has testified as a qualified computer forensics expert witness in several cases, in multiple states. Larry is a member of the American College of Forensic Examiners and is Chairman of the Ethics Committee for the American Society of Digital Forensics and eDiscovery. Larry is the CEO of Guardian Digital Forensics, a Digital Forensics Certified Practitioner, author of the popular digital forensics blog Ex Forensis, and host of the Talk Forensics Internet radio show.

To Catch a Child Predator

March 3rd, 2010

Some crimes, like the rape and torture of infants and toddlers, are so unspeakable the reaction of most people is to turn away and hope the problem vanishes.

Forensic analysts, however, must face this dark reality in the pursuit of prosecutions. The scope of the problem is immense.

The Internet enables instant access to child pornography. The National Center for Missing and Exploited Children (NCMEC) reports it has reviewed 23 million child pornography images and videos—8.6 million just in 2008.

As the problem spreads, the victims seem to get younger and younger. According to the 2008 Internet Watch Foundation (IWF) Annual Report, 69% of child victims are under ten years old, and 24% are six years old or younger. Some are babies.

Both IWF and NCMEC are active in helping forensic scientists build cases against those who produce, distribute, and consume child pornography. Two new software tools, one developed at Oak Ridge National Laboratory and the other in Sweden, appeared this summer to help them and others involved in this pursuit. Both packages are designed to automate some of the grim forensic tasks of fighting child pornography.

The Swedish system, called NetClean Analyze, is an investigative tool for individual law enforcement agencies working with images and videos of child sexual abuse.

Developed for the Swedish National Police, NetClean Analyze uses unique image recognition techniques to speed up the process of analyzing and classifying images and videos. The system, which is currently in use throughout the European law enforcement community, can rapidly catalog the hundreds of thousands of images and videos that are typically found during an investigation of computers confiscated from suspected child pornography traffickers.

Before NetClean Analyze, forensic examiners had to manually view and catalog each image or video, which significantly slowed down the forensic process.

NetClean Analyze focuses on three key issues. It minimizes the time investigators have to spend looking at old or duplicate images and videos, it eases collaboration between police units, and it enables more efficient reporting with an engine that allows easy creation of either customized or standardized reports.

Aside from automatic categorization, NetClean isolates duplicate files, which saves time.

“It’s not unusual for duplicates to reduce the number of images in a case from perhaps 350,000 to 80,000, saving a tremendous amount of analytical time,” said Christian Sjöberg, CEO of NetClean Technologies, Göteborg, Sweden.

The system can also find images similar to an image in question.

“Since child abuse images usually come in series, if you select an image and ask the system to show similar images, the system will find the whole series related to the first image with one click,” Sjöberg said. “This is useful to investigators who may have an image they are uncertain of. They can ask the system to find similar photos, one that may be clearly child abuse.”

After all files have been analyzed and catalogued, the investigator can then produce a detailed report formatted for prosecutorial purposes, along with sample images.

Global Technology Solutions (Hollywood, Florida) holds the North American rights to NetClean and has made the system available to law enforcement agencies at no cost, per agreement with the Swedish developer.

The initial NetClean installation in the U.S. was in Florida, in September, at the Broward County Sheriff’s Office, where it is currently being fine-tuned for actual field work.

“We will then make it available to other law enforcement agencies,” said Chris Cavallo, president of Global Technology Solutions.

Any police department interested in obtaining a copy of the software can contact GTS headquarters in Hollywood, Florida, at 954-981-2600, or through the company website, www.gtsna.com.

One of the strengths of NetClean is the massive central database of child pornography material already known, making it possible, and quite simple, to match newly confiscated material against the database to identify new images or videos.

“The more agencies that have the system and use it, the more complete our image database will be, and that makes catching child pornographers and trying their cases easier,” Cavallo said.

Oak Ridge System

The Oak Ridge system also employs software to rapidly and thoroughly scan hard drives on confiscated computers, dramatically reducing the amount of time necessary to scan a computer, potentially reducing forensic analysis backlogs.

“We’re combining network text and image analysis tools to rapidly find the worst of the worst child pornography offenders,” said Tom Potok, of ORNL’s Computational and Engineering Science Division.

The worst of the worst in this case being the deviant predators that sexually rape, abuse, and torture children, many of whom are infants and toddlers.

Potok said with his system, as yet unnamed, there is a good chance that the number of prosecutions of these offenders could double.

Potok said the Oak Ridge system, which won a 2007 R&D 100 award, differs from NetClean in that his system works by analyzing images, videos, and text, whereas NetClean analyzes images and videos only.

“Our work is also applicable to peer-to-peer file sharing networks, not just hard drives,” he said.

The idea is that by finding child pornography text and images on the same computer there is a higher likelihood of finding someone who is actually abusing a child and sharing the images or video, rather than perhaps being merely a consumer of the vile product.

A prototype of the Oak Ridge system was deployed in September for live beta testing at the Knoxville Internet Crimes Against Children Task Force. A second prototype has also been deployed at the same organization. The second one helps identify missing children by comparing faces in child pornography images to missing children databases.

Google

When it comes to searching text or images, no one is more adept than Google, which last year announced a partnership with NCMEC to provide software designed to automate the technical assistance NCMEC provides to police child pornography investigations.

It’s the latest iteration of the NCMEC offensive of fighting fire with fire.

“Criminals are using cutting edge technology to commit their crimes of child sexual exploitation, and in fighting to solve those crimes and keep children safe, we must do the same,” said Ernie Allen, president and CEO of NCMEC.

Analysts with NCMEC’s Child Victim Identification Program have reviewed more than 15 million child pornography images and videos in an attempt to identify and rescue children. NCMEC analysts typically review something like 200,000 images a week.

Now, with the automated Google system, colloquially called the Bedspread Detector, NCMEC analysts will be able to more quickly and easily search NCMEC’s systems to sort and identify files that contain images of child pornography victims.

The system is named ‘Bedspread Detector’ because one NCMEC analyst noticed the same bedspread in several different images with different victims.

“She was able to tie together the abuse of two little girls, one blonde, the other brunette, because the perpetrator was abusing them on the same distinctive bedspread,” Allen said.

Google’s ‘Bedspread Detector’ system now enables analysts to identify unique features, such as a distinctive bedspread, background photo, tattoo, or potted plant, then search against a vast database of other images containing that particular feature.

“This will help us identify more victims and link victims to particular perpetrators because most of them offend against multiple children,” Allen said.

Google encourages its employees to devote 20% of their work time to worthwhile social projects. In this case, four Google software engineers spent a year developing this new tool.

Details of exactly how the system works are not being disclosed, nor is how it specifically helps rescue children. What NCMEC will say is that what Google is doing is not just aiding prosecution, it is helping identify and rescue children.

“While there won’t be miraculous changes overnight, the bottom line is, because of these tools, we’re making headway,” Allen said.

Other Tools

Allen has other tactics that are paying off in the anti-child pornography campaign. In 2006, NCMEC was instrumental in forming the Financial Coalition Against Child Pornography (FCACP), a groundbreaking alliance between private industry and the public sector in the child porn battle.

Consumers of child pornography were once able to use traditional payment tools, such as credit cards, as well as new, alternative payment schemes like PayPal, to purchase child pornography on the Internet. The mission of the FCACP is to follow the flow of funds and shut down the payment accounts used by these illicit enterprises.

The alliance is composed of leading banks, credit card companies, electronic payment networks, third-party payments companies, and Internet service providers, representing nearly 90% of the domestic payment industry.

“We’ve been doing this three years, and we’ve virtually eliminated the use of the credit card to purchase access to child pornography sites,” he said. The operators of these sites are being forced to develop other payment methods. Allen said some are establishing their own payment mechanisms or are using third parties. Most no longer accept U.S.- or UK-issued bank cards.

Another sign of progress is that the price points of this perverse content have increased dramatically. In some cases, what once cost $29.95 a month for access to a child pornography site now costs $800 to $1,000, according to Allen.

Law enforcement reports that the number of operators of these illegal sites has decreased substantially to no more than a handful, most of which are believed to be operated by Eastern European organized crime syndicates.

“We’ve made it more expensive for these people to do business,” Allen said. “We’ve increased the risk. We’ve limited the payment options and virtually stopped the use of mainstream credit card usage.”

But, he’s realistic. He knows people who make money from the sexual exploitation of children will adapt.

“They’ll come up with other ways to collect, so we follow the money,” he said. “As they develop new mechanisms, we’ll try to attack those.”

Douglas Page writes about forensic science and medicine from Pine Mountain, California. He can be reached at douglaspage@earthlink.net.

Source: To Catch a Child Predator