School of Computer and Information Science, Edith Cowan University, Perth, Western Australia
Since June 2005, viewers in Belgium can get access digital TV or IPTV available via ADSL through Belgacom, the largest telecommunications provider in the country. The decoders used to enjoy these services are the Mood 300 series from Tilgin (formerly i3 Micro Technology). As of the Mood 337, the decoders contain a hard disk to enable the viewer to record and pause TV programs. Although it is publicly known that the Mood’s hard disk is used to save recorded and paused TV programs, it was still unknown if it contains any data that could be of interest during a forensic investigation. Interesting data ranges from which TV programs where watched, over discovery of unauthorized data storage, to criminal profiling and alibi verification. This paper will research the possibilities, especially with regards to which TV programs were watched and alternate data storage, as criminal profiling and alibi verification is not merely a task the forensic investigator can do alone. Just like game consoles that use a hard disk, the Mood 337 can easily be disassembled and attached to a PC for forensic analysis. The reason why analysis of this system is necessary is simply because it contains a hard disk. Anyone with a screwdriver can remove, replace or modify it not only for experimenting purposes but also for illegitimate uses. Analysis shows that most of the 80 Gb of disk space on the disk is not even in use, and can easily have data being written on it without interfering with the system’s primary function of providing IPTV services. It was also found that the Mood runs on a Linux base system with a 2.4 kernel, using XML file for the configuration of IPTV functions and services. Analysis reveals that even the (billable) ‘pause’ function is nothing more but a ‘yes’ or ‘no’ flag in an XML file. Other files that would be expected on a Linux system, such as /etc/fstab or /etc/passwd, were not found, while these might have been proven useful in this analysis. Further examination of the hard disk indicates the use of certificates for protection against piracy. However, it was proven to be a trivial task to simply copy recorded data to a PC and play it with a media player. The most important discovery of this research is that correctness of time and date appears to be of lesser value for the creators and/or distributors of the Mood 337. Throughout the system, various different time stamps and time zones were used, and more importantly time and date were changed several times. Even though two NTP servers are configured for time synchronisation, neither one of them seems to be correct. In order for data recovered from this hard disk to be acceptable before a court of law, fixing the time and date should be one of the highest priority changes that are needed.