Forensic Investigation of Cross Platform Massively Multiplayer Online Games: Minecraft as a Case Study

  • Paul J. Taylor
  • Henry Mwiki
  • Ali DehghantanhaEmail author
  • Alex Akinbi
  • Kim-Kwang Raymond Choo
  • Mohammad Hammoudeh
  • Reza M. Parizi


Minecraft, a Massively Multiplayer Online Game (MMOG), has reportedly millions of players from different age groups worldwide. With Minecraft being so popular, particularly with younger audiences, it is no surprise that the interactive nature of Minecraft has facilitated the commission of criminal activities such as denial of service attacks against gamers, cyberbullying, swatting, sexual communication, and online child grooming. In this research, we simulate the scenario of a typical Minecraft setting, using a Linux Ubuntu 16.04.3 machine, acting as the MMOG server, and client devices running Minecraft. Then, we forensically examine both server and client devices to reveal the type and extent of evidential artefacts that can be extracted.


Forensic science Massively multiplayer online games (MMOG) Minecraft forensics MMOG forensics Game forensics Online games forensics 



We would like to thank the editor and anonymous reviewers for their constructive comments. The information and views set out in this paper are those of the author(s) and do not necessarily reflect the official opinion of institutes they are working at.


  1. 1.
    L. Christopher, K.-K. R. Choo, and A. Dehghantanha, Honeypots for Employee Information Security Awareness and Education Training: A Conceptual EASY Training Model. 2016.Google Scholar
  2. 2.
    A. Azmoodeh, A. Dehghantanha, M. Conti, and K.-K. R. Choo, “Detecting crypto-ransomware in IoT networks based on energy consumption footprint,” J. Ambient Intell. Humaniz. Comput., pp. 1–12, Aug. 2017.Google Scholar
  3. 3.
    S. Walker-Roberts, M. Hammoudeh, and A. Dehghantanha, “A Systematic Review of the Availability and Efficacy of Countermeasures to Internal Threats in Healthcare Critical Infrastructure,” IEEE Access, 2018.Google Scholar
  4. 4.
    Y.-Y. Teing, D. Ali, K. Choo, M. T. Abdullah, and Z. Muda, “Greening Cloud-Enabled Big Data Storage Forensics: Syncany as a Case Study,” IEEE Trans. Sustain. Comput., pp. 1–1, 2017.Google Scholar
  5. 5.
    Y.-Y. Teing, A. Dehghantanha, and K.-K. R. Choo, “CloudMe forensics: A case of big data forensic investigation,” Concurr. Comput., 2017.Google Scholar
  6. 6.
    D. Kiwia, A. Dehghantanha, K.-K. R. Choo, and J. Slaughter, “A cyber kill chain based taxonomy of banking Trojans for evolutionary computational intelligence,” J. Comput. Sci., Nov. 2017.Google Scholar
  7. 7.
    M. Hopkins and A. Dehghantanha, “Exploit Kits: The production line of the Cybercrime economy?,” in 2015 Second International Conference on Information Security and Cyber Forensics (InfoSec), 2015, pp. 23–27.Google Scholar
  8. 8.
    A. Shalaginov, S. Banin, A. Dehghantanha, and K. Franke, “Machine Learning Aided Static Malware Analysis: A Survey and Tutorial,” 2018, pp. 7–45.Google Scholar
  9. 9.
    H. H. Pajouh, A. Dehghantanha, R. Khayami, and K.-K. R. Choo, “Intelligent OS X malware threat detection with code inspection,” J. Comput. Virol. Hacking Tech., 2017.Google Scholar
  10. 10.
    M. Petraityte, A. Dehghantanha, and G. Epiphaniou, A model for android and iOS applications risk calculation: CVSS analysis and enhancement using case-control studies, vol. 70. 2018.Google Scholar
  11. 11.
    Y.-Y. Teing, A. Dehghantanha, K.-K. R. Choo, and L. T. Yang, “Forensic investigation of P2P cloud storage services and backbone for IoT networks: BitTorrent Sync as a case study,” Comput. Electr. Eng., vol. 58, pp. 350–363, Feb. 2017.Google Scholar
  12. 12.
    H. HaddadPajouh, A. Dehghantanha, R. Khayami, and K.-K. R. Choo, “A deep Recurrent Neural Network based approach for Internet of Things malware threat hunting,” Futur. Gener. Comput. Syst., 2018.Google Scholar
  13. 13.
    M. Conti, A. Dehghantanha, K. Franke, and S. Watson, “Internet of Things security and forensics: Challenges and opportunities,” Futur. Gener. Comput. Syst., vol. 78, pp. 544–546, Jan. 2018.Google Scholar
  14. 14.
    G. Epiphaniou, P. Karadimas, D. K. Ben Ismail, H. Al-Khateeb, A. Dehghantanha, and K.-K. R. Choo, “Non-Reciprocity Compensation Combined with Turbo Codes for Secret Key Generation in Vehicular Ad Hoc Social IoT Networks,” IEEE Internet Things J., pp. 1–1, 2017.Google Scholar
  15. 15.
    O. Osanaiye, H. Cai, K.-K. R. Choo, A. Dehghantanha, Z. Xu, and M. Dlodlo, “Ensemble-based multi-filter feature selection method for DDoS detection in cloud computing,” EURASIP J. Wirel. Commun. Netw., vol. 2016, no. 1, p. 130, May 2016.Google Scholar
  16. 16.
    S. Homayoun, M. Ahmadzadeh, S. Hashemi, A. Dehghantanha, and R. Khayami, “BoTShark: A Deep Learning Approach for Botnet Traffic Detection,” 2018, pp. 137–153.Google Scholar
  17. 17.
    S. Homayoun, A. Dehghantanha, M. Ahmadzadeh, S. Hashemi, and R. Khayami, “Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence,” {IEEE} Trans. Emerg. Top. Comput., p. 1, 2017.Google Scholar
  18. 18.
    A. Azmoodeh, A. Dehghantanha, and K.-K. R. Choo, “Robust Malware Detection for Internet Of (Battlefield) Things Devices Using Deep Eigenspace Learning,” IEEE Trans. Sustain. Comput., pp. 1–1, 2018.Google Scholar
  19. 19.
    K. R. Choo, “Online child grooming: a literature review on the misuse of social networking sites for grooming children for sexual offences,” Aust. Inst. Criminol., p. 132, 2009.Google Scholar
  20. 20.
    L.-K. Bernstein, “Investigating and Prosecuting Swatting Crimes,” United States Atty. Bull., vol. 64, no. 3, pp. 51–56, 2016.Google Scholar
  21. 21.
    A. Carpinteri, B. Bang, K. Klimley, R. A. Black, and V. B. Van Hasselt, “Commercial Sexual Exploitation of Children: an Assessment of Offender Characteristics,” J. Police Crim. Psychol., Aug. 2017.Google Scholar
  22. 22.
    H. Hillman, C. Hooper, and K.-K. R. Choo, “Online child exploitation: Challenges and future research directions,” Comput. Law Secur. Rev., vol. 30, no. 6, pp. 687–698, Dec. 2014.Google Scholar
  23. 23.
    L. Achternbosch, C. Miller, C. Turville, and P. Vamplew, “Griefers versus the Griefed - what motivates them to play Massively Multiplayer Online Role-Playing Games ?,” Comput. Games J. Ltd, vol. 3, no. 1, 2014.Google Scholar
  24. 24.
    E. M. Jaffe, “Article : Swatting : the New Cyberbullying Frontier After Elonis V. United States,” Drake Law Rev., pp. 455–483, 2016.Google Scholar
  25. 25.
    A. Choo and A. May, “Maintaining Long Distance Togetherness Synchronous Communication with Minecraft and Skype,” in Games Innovation Conference (IGIC), 2013 IEEE International, 2013.Google Scholar
  26. 26.
    A. Noroozian, M. Korczyński, C. H. Gañan, D. Makita, K. Yoshioka, and M. van Eeten, “Who Gets the Boot? Analyzing Victimization by DDoS-as-a-Service,” in Research in Attacks, Intrusions, and Defenses: 19th International Symposium, RAID 2016, Paris, France, September 19-21, 2016, Proceedings, F. Monrose, M. Dacier, G. Blanc, and J. Garcia-Alfaro, Eds. Cham: Springer International Publishing, 2016, pp. 368–389.Google Scholar
  27. 27.
    J. Taylor, “Online investigations: protection for child victims by raising awareness,” ERA Forum, vol. 16, no. 3, pp. 349–358, 2015.Google Scholar
  28. 28.
    S. Khanji, R. Jabir, F. Iqbal, and A. Marrington, “Forensic analysis of xbox one and playstation 4 gaming consoles,” 8th IEEE Int. Work. Inf. Forensics Secur. WIFS 2016, 2017.Google Scholar
  29. 29.
    M. Cheah, L. Wyndham-Birch, and B. Bird, “What artifacts of evidentiary value can be found when investigating multi-user virtual environments.” 2015.Google Scholar
  30. 30.
    “What OS for server? - Server Administration - Server Support - Support - Minecraft Forum - Minecraft Forum.” .Google Scholar
  31. 31.
    D. Quick and K.-K. R. Choo, “Google Drive: Forensic analysis of data remnants,” J. Netw. Comput. Appl., vol. 40, pp. 179–193, Apr. 2014.Google Scholar
  32. 32.
    D. Quick and K.-K. R. Choo, “Dropbox analysis: Data remnants on user machines,” Digit. Investig., vol. 10, no. 1, pp. 3–18, Jun. 2013.Google Scholar
  33. 33.
    L. C. for D. Investigation, “1/21/2016 175,” Leahy Center for Digital Investigation, no. 802. 2016.Google Scholar
  34. 34.
    A. Rutkin, “Your place or Minecraft?,” New Sci., vol. 230, no. 3071, pp. 22–23, 2016.Google Scholar
  35. 35.
    “Mojang - Minecon 2015 - Day Two - Twitch.” .Google Scholar
  36. 36.
    Z. Zhang, H. Anada, J. Kawamoto, and K. Sakurai, “Detection of illegal players in massively multiplayer online role playing game by classification algorithms,” Proc. - Int. Conf. Adv. Inf. Netw. Appl. AINA, vol. 2015–April, pp. 406–413, 2015.Google Scholar
  37. 37.
    Y. Ki, J. Woo, and H. K. Kim, “Identifying Spreaders of Malicious Behaviors in Online Games,” in Proceedings of the 23rd International Conference on World Wide Web, 2014, pp. 315–316.Google Scholar
  38. 38.
    J. Oh, Z. H. Borbora, and J. Srivastava, “Automatic Detection of Compromised Accounts in MMORPGs,” in 2012 International Conference on Social Informatics, 2012, pp. 222–227.Google Scholar
  39. 39.
    A. S. V Nair and B. A. S. Ajeena, “A Log Based Strategy for Fingerprinting and Forensic Investigation of Online Cyber Crimes,” in Proceedings of the 2014 International Conference on Interdisciplinary Advances in Applied Computing, 2014, p. 7:1--7:5.Google Scholar
  40. 40.
    M. Barni and B. Tondi, “Threat Models and Games for Adversarial Multimedia Forensics,” in Proceedings of the 2nd International Workshop on Multimedia Forensics and Security, 2017, pp. 11–15.Google Scholar
  41. 41.
    S. Rajendran and N. P. Gopalan, “Mobile Forensic Investigation (MFI) Life Cycle Process for Digital Data Discovery (DDD),” in Proceedings of the International Conference on Soft Computing Systems: ICSCS 2015, Volume 2, L. P. Suresh and B. K. Panigrahi, Eds. New Delhi: Springer India, 2016, pp. 393–403.Google Scholar
  42. 42.
    T. Dargahi, A. Dehghantanha, and M. Conti, “Chapter 2 - Forensics Analysis of Android Mobile VoIP Apps,” in Contemporary Digital Forensic Investigations of Cloud and Mobile Applications, K.-K. R. Choo and A. Dehghantanha, Eds. Syngress, 2017, pp. 7–20.Google Scholar
  43. 43.
    K. K. R. Choo and A. Dehghantanha, Contemporary Forensic Investigation of Cloud and Mobile Applications. 2017.Google Scholar
  44. 44.
    ACPO, “ACPO Good Practice Guide for Digital Evidence,” Association of Chief Police Officers, 2012.Google Scholar
  45. 45.
    N. C. J. U.S. Department of Justice, “Electronic Crime Scene Investigation: A Guide for First Responders,” NIJ Res. Rep., no. NCJ 187736, p. 96, 2001.Google Scholar
  46. 46.
    F. S. Regulator, “Codes of Practice and Conduct Issue 4,” 2017.Google Scholar
  47. 47.
    K. Kent, S. Chevalier, T. Grance, and H. Dang, “Guide to Integrating Forensic Techniques into Incident Response,” The National Institute of Standards and Technology, 2006.Google Scholar
  48. 48.
    A. Antwi-Boasiako and H. Venter, “A Model for Digital Evidence Admissibility Assessment,” in Advances in Digital Forensics XIII: 13th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 30 - February 1, 2017, Revised Selected Papers, G. Peterson and S. Shenoi, Eds. Cham: Springer International Publishing, 2017, pp. 23–38.Google Scholar
  49. 49.
    B. Martini and K.-K. R. Choo, “An integrated conceptual digital forensic framework for cloud computing,” Digit. Investig., vol. 9, no. 2, pp. 71–80, Nov. 2012.Google Scholar
  50. 50.
    Y.-Y. Teing, D. Ali, K.-K. R. Choo, M. Conti, and T. Dargahi, “Forensic Investigation of Cooperative Storage Cloud Service: Symform as a Case Study,” J. Forensics Sci., vol. [In Press], 2016.Google Scholar
  51. 51.
    T. Alstad et al., “Minecraft computer game performance analysis and network traffic emulation by a custom bot,” Proc. 2015 Sci. Inf. Conf. SAI 2015, pp. 227–236, 2015.Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Paul J. Taylor
    • 1
  • Henry Mwiki
    • 1
  • Ali Dehghantanha
    • 2
    Email author
  • Alex Akinbi
    • 3
  • Kim-Kwang Raymond Choo
    • 4
  • Mohammad Hammoudeh
    • 5
  • Reza M. Parizi
    • 6
  1. 1.School of Computing, Science and Engineering, University of SalfordManchesterUK
  2. 2.Cyber Science Lab, School of Computer ScienceUniversity of GuelphGuelphCanada
  3. 3.School of Computer Science, Liverpool John Moores UniversityLiverpoolUK
  4. 4.Department of Information Systems and Cyber SecurityThe University of Texas at San AntonioSan AntonioUSA
  5. 5.School of Computing, Mathematics and Digital Technology, Manchester Metropolitan UniversityManchesterUK
  6. 6.Department of Software Engineering and Game DevelopmentKennesaw State UniversityMariettaUSA

Personalised recommendations