Xbox evidence is mainly stored in FATX file system clusters which contain STFS packages and XDBF databases inside.
- FATX partition image is a logical partition image of Xbox physical drive.
- STFS partition image. STFS (Secure Transacted File System) is a file format used to store packages created and downloaded by the Xbox 360 system. The packages may contain save files, content, games, pictures, etc. STFS packages include both the real files and the metadata like title, licenses and RSA signature which is used to verify the package.
- XDBF (XboxDataBaseFormat) storage is a database format which is used as a container for gamer profile data, such as information about the games played, the user's settings, achievements, and images. XDBF also contains SPA (Statistics, Presence and Achievements) files for each user.
To add new Xbox evidence to the case:
1. On the Evidence tab, in the Evidence group, click Add Evidence; or right-click the case node and select Add New Evidence; or click Add Evidence on the Welcome screen. (If you add evidence before creating or opening a new case, the case will be created automatically and saved to the default location. The name of the case file will be e3).
2. The Add New Evidence window opens.
3. In the Category list, select Game Console Data. In the Source Type list, select one of the following source types:
- Drive image
- FATX partition image
- STFS partition image
- XDBF storage
4. Navigate to the Evidence Source and select it.
5.Enter the Evidence name (by default, the name of the file to be added) and click OK.
6. The Xbox evidence of the selected type is added to the case.
7. Select the node/table in the Case Content pane to view its content.
The investigation of Xbox data evidence is possible with the following packages: