Child predators have long used online games to scout for and then establish contact with their innocent targets.

Now researchers are trawling through forensic artifacts left behind by online gaming in order to detect, identify, and stop criminals.

Laura French tells us more about the effort to keep gaming platforms safe in this report from Forensic Magazine:

Cross-platform multiplayer gaming may mean more fun for the players—but it could potentially pose challenges for investigators when cybercrime cases arise. This is why a team of researchers from multiple organizations—including the University of Salford; Manchester Metropolitan University; University of Guelph Cyber Science Lab in Ontario; and University of Texas Department of Information Systems and Cyber Security in San Antonio—endeavored to study what digital artifacts could be mined from the servers, networks and devices used to play Minecraft, which could potentially help prosecutors craft a forensic case.

“We wanted to concentrate on the peer to peer information that was shared between a typical user and a typical server,” explained Detective Sergeant Paul Taylor, regional cyber crime coordinator of the North West Regional Organised Crime Unit in the U.K., who was part of the team conducting research out of the University of Salford. The researchers ran the game on a Windows client and connected to a Linux-based Minecraft server, all within a virtual machine. They then examined the memory and hard disks of the server and client, and used Wireshark 2.4.2 to collect the traffic data generated during the live gameplay.

The server directories contained some relevant information, such as the name of the Minecraft server, player username, timestamps of logins, and the IP address of the server. Some of the most significant artifacts were contained in the directory /home/taylor, “taylor” being the user account name. There, researchers found the server operator’s recent input commands (including commands associated with downloading Minecraft itself), and a plain text file called that contained time stamps, a port number, and the customizable “Message of the Day” that appears to players who access the server.


The researchers used the tool Volatility for live memory capture before, during and after running Minecraft. Memory harvested from the processes spawned during gameplay contained information including the server IP address, message of the day, and last chat communication from the client.

“If the Windows machine was in the possession of a victim, this information could assist in the identification of a server that hosted data relating to other users responsible for committing illicit acts against the victim,” write the researchers. “Similarly, if the Windows machine was in the hands of a suspect, then identification of the server it was connected to may provide investigators with opportunities to identify the server owner and establish the nature of the relationship to the suspect and assess further opportunities for victim safeguarding.”