
304 CHAPTER 41 Multiplayer Online Games

41.2 MMORPG DATA AS EVIDENCE

Multiplayer games can potentially provide four types of evidence that could be used in a case:

1. Timeline
2. Content
3. General location
4. Game subscriber information

We will look at where to get each of these types of evidence and how to validate them as needed.

41.2.1 Timeline evidence

Multiplayer games can provide timeline evidence from two primary sources: client-side evidence and server-side evidence. Timeline evidence shows when someone was playing one of these games and, in some cases equally important, how much that person was playing. In the following sections we will show how it can be determined when someone was playing and how much total time they spent online.

Client-side timeline evidence

Client-side timeline evidence is data that is collected and stored by the game on the local computer hard drive in various log files that the game stores without the player's knowledge. Client-side evidence can be located and analyzed by a computer forensic examiner.

Timeline evidence from these games can be used to establish when and how much someone has been connected to the game. However, to make sure that connection time is relevant and useful, analysis would need to be performed to make sure that you are looking at active connection time and not just overall connection time. The reason for this is that these types of games do not typically have an auto-disconnection feature. In other words, you can log in to one of these games, leave for ten hours, and the log would reflect that you were connected to the game for that ten-hour period. For this reason, reviewing the logs to ensure that some type of user activity is present throughout the course of those ten hours would be required to validate that a person was playing the game, rather than the game sitting there unattended. In Fig. 41.1 you can see the overall timeline for play sessions.
However, this will not give you any information as to whether or not the player was active at the keyboard. In order to establish active connection time from historical logs stored on the user's computer, the examiner would need to locate the game logs that store not just the connection time, but also in-game activities such as chatting, fighting, crafting, and so forth, and view them in detail. These log files can become extremely large, depending on the game and on how the logging is done by either the game software or third-party logging software. Figure 41.2 is a screenshot of a player log from Everquest 2. The key words in the screenshot that indicate player activity are the words "you" and "your." These indicate
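
The validation described above, as an added example that is not from the book: it separates overall connection time from active connection time by flagging any stretch with no player-initiated log line for longer than a chosen idle threshold. The log line format, the sample entries, the 15-minute threshold, and the rule that only lines beginning with "You" or "Your" count as player actions are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption, not a real game's.
SAMPLE_LOG = """\
[2011-03-05 18:00:00] Connected to world server.
[2011-03-05 18:01:10] You say, "anyone need a healer?"
[2011-03-05 18:03:45] Your Smite hits a gnoll for 212 damage.
[2011-03-05 18:09:30] You craft a tin bangle.
[2011-03-05 19:30:00] Guildmate says to the guild, "back later"
[2011-03-05 23:15:00] A gnoll hits you for 31 damage.
[2011-03-06 03:55:20] You say, "back"
[2011-03-06 03:58:00] Your Smite hits a gnoll for 198 damage.
[2011-03-06 04:00:00] Disconnected from world server.
"""

LINE_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (.*)$")
# Stricter than a bare keyword match: the player must be the subject of the
# line, so "A gnoll hits you" (which can happen while unattended) is ignored.
PLAYER_ACTION_RE = re.compile(r"^(You|Your)\b")

def analyze_session(log_text, max_idle=timedelta(minutes=15)):
    """Return (connected, active, idle_gaps) for one logged session."""
    stamps, actions = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or wrapped lines rather than guessing
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        stamps.append(ts)
        if PLAYER_ACTION_RE.match(m.group(2)):
            actions.append(ts)
    if not stamps:
        return timedelta(0), timedelta(0), []
    start, end = min(stamps), max(stamps)
    # Session start and end bound the first and last stretches of activity.
    checkpoints = [start] + sorted(actions) + [end]
    active, idle_gaps = timedelta(0), []
    for prev, cur in zip(checkpoints, checkpoints[1:]):
        if cur - prev > max_idle:
            idle_gaps.append((prev, cur))  # no player action in this span
        else:
            active += cur - prev
    return end - start, active, idle_gaps

if __name__ == "__main__":
    connected, active, gaps = analyze_session(SAMPLE_LOG)
    print("connected:", connected, "active:", active, "idle gaps:", gaps)
```

On the constructed log the session spans ten hours of connection, but player actions account for only a few minutes at each end; the long gap in between is the span an examiner would need to explain before treating the session as play time.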