Next Article in Journal
Geometrical-Based Modeling for Aerial Intelligent Reflecting Surface-Based MIMO Channels
Next Article in Special Issue
HS-FP and SS-FP: Fine-Pruning-Based Backdoor Elimination for Spiking Neural Networks on Neuromorphic Event Data
Previous Article in Journal
TGCformer: A Transformer-Based Dual-Channel Fusion Framework for Power Load Anomaly Detection
Previous Article in Special Issue
Zero-Knowledge Proof Extensions for Digital Product Passports in Sustainability Claims Reporting and Verifications
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Electronics
Volume 15
Issue 4
10.3390/electronics15040876
electronics-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Roblox as a Playground for Digital Forensics Analysis

by
Khushi Gupta
1,
Phani Lanka
2 and
Cihan Varol
2,*
1
Department of Computer Science and Cybersecurity, University of North Georgia, Dahlonega, GA 30597, USA
2
Department of Computer Science, Sam Houston State University, Huntsville, TX 77340, USA
*
Author to whom correspondence should be addressed.
Electronics 2026, 15(4), 876; https://doi.org/10.3390/electronics15040876
Submission received: 5 December 2025 / Revised: 23 January 2026 / Accepted: 27 January 2026 / Published: 19 February 2026
(This article belongs to the Special Issue Innovative Architectures and Advanced Solutions for Network Security in the Era of Emerging Technologies)
Browse Figures
Versions Notes

Abstract

The digital world has witnessed an unparalleled surge in social online gaming platforms, with Roblox standing out as a prominent platform that predominantly attracts younger users. Unfortunately, these gaming platforms are also targeted by malicious criminals seeking to exploit them. Conducting digital forensic investigations into the various artifacts generated by Roblox can provide valuable insights into user activities, potentially uncovering evidence of user behavior, interactions, and digital footprints within the platform, thus aiding in the investigation of suspicious activities. This paper delves into digital forensic methodologies to examine and analyze digital artifacts from Roblox from memory, disk, and network perspectives. Our research reveals various retrieved artifacts, including user information, chat logs, user groups, gameplay details, and in-app purchases. Furthermore, we demonstrate that to thoroughly retrieve artifacts related to all possible user activities, it is crucial to investigate various focus areas such as memory, disk, and network. This approach enables us to successfully piece together and cross-reference almost the entire timeline of user activities.

Graphical Abstract

1. Introduction

The proliferation of the internet has not only increased connectivity and access to information for people of all ages but also has revolutionized entertainment, offering a vast array of options, including streaming services, online gaming platforms, and social media. Social gaming is significantly popular too, with many games offering a social dimension, allowing players to connect with friends and make new ones in virtual environments [1]. It has emerged as a particularly significant online phenomenon, enabling players to not only communicate and interact with one another but also participate in games. Social gaming has evolved beyond its mechanics, becoming increasingly popular and sophisticated over the past decade. What began as simply playing games with friends has transformed into a complex form of social life, blurring the lines between the virtual and physical worlds.
Online gaming environments now serve as social networks, allowing people with shared interests to interact and engage with each other. Roblox is one of the largest worldwide social gaming platforms [2]. It provides an environment where users can create their own games (known as experiences) and play a variety of mini-games. Additionally, players can run Roblox on different devices such as mobile phones, computers, game consoles, and VR helmets. On average, Roblox users spend approximately 2.6 h on the platform each day, exploring around 20 games per month. As of September 2022, Roblox boasted 70.2 million daily active users, with 60% of its users being under 16 [3].
The number of children using the internet is on the rise [4]. Studies suggest that five-year-old children spend approximately three hours online each day, with one hour of that time typically spent playing video games [5]. The primary users of Roblox are children. As of September 2020, Roblox had 36 million daily active users, more than half of whom were under 13 years old. By 2023, this number had grown to 78 million daily users [6]. According to Perez [7], Roblox is not just a place for playing games but a virtual space where children can hang out online. Roblox is designed to be an interactive and social environment, allowing players to explore user-generated worlds and interact with others, acting as a recreational space for children.
However, this popularity also makes it a prime target for child predators and cybercriminals seeking to exploit its user base. In 2023, Roblox reported 13,316 instances of child exploitation to the National Center for Missing & Exploited Children, marking a significant increase from 2973 cases in the prior year [8]. As a result, there is a risk that children may encounter inappropriate and violent content within the platform’s virtual world [9]. Some of the crimes conducted on the platform include sexual abuse, child abductions, luring children to share explicit pictures for Robux, using Roblox as an initial platform and moving conversations to other platforms, recruitment of children by extremists, and identity theft [8,10,11,12]. Most of these in-application crimes target unsuspecting users, many of whom are minors [13,14]. Today and in the future, identifying and safeguarding vulnerable individuals, particularly children, is a challenging task. As such, forensic investigation of Roblox becomes critical, enabling authorities to uncover and apprehend cyber criminals. By analyzing the digital artifacts left by users on Roblox, it becomes possible to track and address nefarious activities, safeguarding the well-being of its youthful audience.
Despite Roblox’s involvement in various criminal activities and its rapidly growing youth user base, to the best of our knowledge, no research has been conducted on digital forensics investigations of the platform. Consequently, this paper presents a comprehensive forensic examination of Roblox on the Windows operating system, focusing on disk, memory, and network analysis. The range of digital evidence potentially extractable from Roblox includes, but is not limited to, group chats, user information, geolocation, gameplay data, etc. These findings provide a valuable reference for researchers exploring social gaming forensics and for digital forensic analysts aiming to understand the extent of evidence that can be gathered from Roblox. In an era of constantly evolving online threats, the insights gained from Roblox forensics can be instrumental in the pursuit and prosecution of cybercriminals. During our study, we explored the following research questions:
  • Is it possible to retrieve artifacts from the Roblox application through the digital forensic analysis of the storage, memory, and network?
  • Do artifacts retrieved during the investigation hold substantial importance for digital forensic analysis?
  • What personally identifiable information can be retrieved?
  • What are the similarities and differences between the retrieved artifacts in the three-analysis focus covered in the research?
  • How can evidence obtained from storage, memory, and network analyses be effectively integrated and cross-referenced?
The rest of the paper is organized as follows. Section 2 provides some preliminary information on the Roblox application and its architecture. Section 3 provides information on the related work on the methodology for identifying and retrieving artifacts from social gaming applications. In Section 4 and Section 5, we detail the experimental setup and methodology followed in this study. In Section 6 and Section 7, we present the results of the examination for all three analysis focuses (storage, RAM, and network) and discuss our results. Lastly, we conclude our work and mention possible directions for future study in Section 8.

2. Preliminaries

Due to the limited research available on the digital forensic analysis of Roblox, we give a brief overview of the workings and architecture of Roblox in this section.
Roblox is a social gaming platform that allows users to create and play games, socialize, chat, and interact with other users. To begin using Roblox, users must create a free account and provide information such as birthdate, gender, phone number, and email. After setting up the account, users can optionally put links to their other social media accounts, like YouTube, Twitch, and Discord. After setting up the account, users can create their avatars by selecting hairstyles, clothing, and accessories. While many customization options are free, some premium cosmetic enhancements require Robux (Roblox’s in-app currency), which can be purchased. Once users have fully configured their profiles, they can explore and participate in a wide variety of games, known as ’experiences’.
In terms of gaming, users can create their own games or play games created by others. The games available span various genres, catering to the diverse interests of users. As users interact with various games, they can socialize in the process. Roblox’s multiplayer functionality enhances the experience by enabling players to collaborate or compete in games. This interaction is accomplished through the chatting feature (in-game chats or text chats) while playing games.
Roblox offers extensive social media functionalities, including friend requests, direct messaging, group chats, and the creation and joining of public groups. Users can join and create groups of their own and configure information such as the group name, description, and roles. Communication in the groups takes the form of either a “shout” or a “wall post”. Shouts are broadcast messages that can be used to post important updates to the group, while wall posts are used for regular communication in the group.

Architecture of the Application

Roblox is a client–server based social gaming platform composed of multiple interacting components, including the Roblox Player, web-based services, and embedded web rendering technologies. Roblox Player is a native Windows application that integrates browser rendering technologies to display web-based content within its interface.
On Windows systems, Roblox installs two primary components: Roblox Studio (used for game creation) and Roblox Player (used for gameplay). This research focuses on Roblox Player. The executable process RobloxPlayerBeta.exe is responsible for launching and managing gameplay sessions. Roblox Player utilizes Microsoft Edge WebView2 components, including processes such as msedgewebview2.exe and msedge.exe. WebView2 embeds Chromium-based browser functionality inside the native application, enabling Roblox to render HTML, CSS, and JavaScript-based user interfaces. This architecture allows the platform to display account management interfaces, chat modules, in-app purchase pages, and other web-driven features within the desktop application environment.
Disk analysis further confirmed the presence of Chromium-style storage mechanisms, including:
  • LevelDB-based Local Storage and Session Storage
  • Chromium Disk Cache structure (index file and data block files)
  • Web-based JSON artifacts stored within cache directories
Roblox Player incorporates web-rendered components through the Chromium Embedded Framework (CEF) or WebView2.
Roblox is a hybrid native–web application built on a client–server model. The Windows client consists of a native gameplay engine combined with embedded Chromium-based web rendering components. Platform services operate through cloud-hosted HTTPS APIs, while gameplay sessions are hosted on distributed Roblox servers. This architecture results in artifacts spanning disk storage, memory, registry, and encrypted network traffic, all of which are examined in subsequent sections of this study.

3. Background and Related Work

This section reviews prior research on the digital forensic analysis of gaming platforms, focusing on three key areas: disk, memory, and network analysis. The studies discussed provide a foundation for identifying gaps in the existing literature, summarized in Table 1. Specifically, we highlight three primary limitations consistently observed across these studies:
  • Absence of Binary (Low-Level) Parsing: Most prior research relies on high-level forensic analysis, neglecting the parsing of binary or low-level data structures. This limitation leaves gaps in identifying and interpreting critical artifacts.
  • Single Focus on Forensic Analysis: Many studies focus exclusively on one aspect of digital forensic analysis: disk, memory, or network, without integrating findings from multiple sources.
  • Exclusion of TLS-Based Communication Analysis: While network analysis is a common focus in forensic studies, many fail to address or thoroughly analyze encrypted communications, particularly those using Transport Layer Security (TLS).

3.1. Disk Storage Forensics

Various works have conducted digital forensics analysis on gaming consoles, applications, and platforms to extract artifacts from the disk. The authors in [19] examined Minecraft by extracting disk images from the server (Linux) and client (Windows) virtual machines. Storage was examined for artifacts like server logs, chat logs, cache files, and game data files using a hex editor. Within these files contain information like unique identifiers, usernames, emails, timestamps, and server information (name, IP address).
Moore et al. [15] conducted a digital forensic investigation on the Xbox One by simulating a variety of user activities, including engaging in single and multiplayer modes and installing and utilizing applications such as Skype, YouTube, and Twitch. Despite encryption limiting the quantity of retrievable artifacts, their analysis of the Master File Table (MFT) uncovered valuable information, including timestamps associated with console setup and system shutdown. Similarly, ref. [22] examined the forensic artifacts of the video game Counter-Strike Nexon Zombies on the Steam platform. Their analysis encompassed critical system locations such as the Windows registry, Prefetch files, jumplists, the MFT, dedicated Steam folders, and log files. This investigation revealed key artifacts, including the username, nickname, UserID, last accessed time, GameID, and details about logged users.
Furthermore, analyzing the Steam Deck Console, ref. [24] conducted a comprehensive analysis of the console’s architecture, the SteamOS operating system, and the Steam client. The examination revealed a range of forensically relevant artifacts, including Wi-Fi credentials, user account IDs and names, friend lists, game ownership and installation status, traces of funds redeemed via third-party providers in the Steam Wallet, timestamps of usage and gaming activities from log files, and search query artifacts within the Steam client.
Analyzing Pokémon Go, ref. [18] analyzed logical backups of the Android application. The primary storage artifacts, located in files like upsight.xml and upsight.db, included session metadata, geolocation data, and player statistics. In this research, the authors built a tool that can extract forensic artifacts from the application to create a timeline of events. The results revealed that artifacts such as the session information, user email address, and geolocation information can be recovered.
The research in [16,17] explored the digital forensic potential of the Sony PlayStation 4 (PS4), identifying multiple valuable sources of forensic evidence while also addressing key challenges in the investigative process. These challenges included the full encryption of the hard drive, the possibility of users modifying information stored on the PlayStation Network (PSN) through alternative accounts, and the use of cloud services as an additional repository for digital evidence. Due to the closed file system used by the PS4, which is not compatible with existing digital forensics tools, the authors suggested using the game console’s interface during the analysis stage, while using a write blocker to safeguard the evidence against alterations.
Analyzing retrievable artifacts from Nintendo 3DS, ref. [20] presents a forensically sound methodology to retrieve and analyze information from the NAND storage of a Nintendo device. Although the image was encrypted, the authors were able to decrypt it and extract valuable information such as deleted pictures, audio and videos, friendlists, and much more. Similarly, ref. [23] was able to recover artifacts such as personally identifiable information, screenshots and video captures, saved games, wifi networks, user accounts and gameplay logs.
In another study, ref. [21] established the groundwork for digital forensic investigations in web-based VR environments, using ‘Decentraland’ as the primary case study. The experiments were conducted on both Google Chrome and Microsoft Edge web browsers. The researchers obtained the majority of their artifacts from history and cache files. The results revealed information such as the blockchain wallet and avatar details, while user information, such as emails, were retrieved.
Lastly, Gupta et al. [25] conducted a comprehensive analysis of Discord on Windows and Linux systems. They conducted various simulated user activities on the platform, after which they were able to retrieve pertinent residual artifacts such as account information (username, userID), chats from the cache, and local storage.

3.2. Memory Forensics

Memory analysis has proven to be a valuable method in digital forensic investigations, providing critical insights into user activities and system processes. Multiple studies have demonstrated the effectiveness of analyzing memory dumps using tools like Volatility, FTK Imager, and HxD to recover key artifacts.
Studies focusing on Minecraft gameplay and the Counter-Strike Nexon Zombies video game emphasized the retrieval of network-related information from memory dumps. Researchers were able to recover artifacts such as active server connections, including IP addresses and port numbers, as well as chat messages and their contexts, such as locations within the game (e.g., lobby, in-game, or external platforms like YouTube) [19,22].
In contrast, digital forensics analysis on Decentraland and Discord memory dumps retrieved user-specific information. Both studies utilized Volatility plugins and HxD to extract artifacts such as usernames, user IDs, blockchain wallet addresses, email addresses, payment details (e.g., billing addresses), geolocation data, and server names [21,26].

3.3. Network Forensics

Taylor et al. [19] and Tabuyo et al. [22] both employed Wireshark to analyze unencrypted network traffic, leading to the recovery of significant artifacts. Taylor et al. focused on the interaction between the Minecraft client and server, capturing chats, IP addresses, port numbers, usernames, and operational commands. Similarly, Tabuyo et al. conducted a forensic analysis of Counter-Strike Nexon Zombies on the Steam platform and retrieved cookies used for user identification.
In contrast, encryption in network traffic presented challenges for several studies. Nnamonu et al. [21] examined Decentraland’s network traffic using Wireshark and Network Miner but were unable to retrieve packet payloads due to encryption. However, they did gather DNS traffic for Decentraland subdomains and inferred locations based on DNS requests. Moore et al. [15] encountered similar challenges while analyzing Skype on Xbox One, as no artifacts were retrieved due to encryption. Still, they successfully extracted timelines and operational details for other applications like Game DVR, including video content being watched. Gupta et al. [26] studied Discord traffic, revealing that its communication is encrypted using the TLS protocol. To overcome this, they utilized a proxy address to connect to Discord, retrieving artifacts such as IP addresses, chat messages, usernames, and passwords.
Further exploring network forensic techniques, Khanji et al. [17] and Davies et al. [16] used Network Miner to analyze traffic from gaming consoles. Khanji et al. identified IP addresses and timestamps for applications initiated on the PS4, while activity logs and IP addresses for Xbox One were retrieved. These findings align with Moore et al. [15], who focused on timelines and user activity on different applications, further emphasizing the utility of network analysis for tracking user interactions and application usage patterns.
From a practical digital forensics investigation perspective, these artifacts are often admitted as evidence in legal proceedings. Courts commonly assess digital evidence against criteria such as authenticity (whether the artifact is what it purports to be and can be linked to a particular device, account, or user), integrity (whether it has been preserved without alteration from acquisition to presentation), and reliability (whether the methods and tools used to collect and interpret it are transparent, repeatable, and forensically sound), alongside general requirements of relevance and compliance with applicable legal procedures. While the present work is conducted in a controlled laboratory setting rather than an operational case, the subsequent analysis in Section 6 and Section 7 discusses how the identified Roblox artifacts could support these admissibility requirements.
Roblox is uniquely positioned as a platform designed for children, and stands apart from other gaming platforms analyzed in prior research (e.g., Xbox and PS4) due to its focus on young audiences and its resulting safety challenges. This sets Roblox apart from other platforms by highlighting its dual role as a gaming environment and a social interaction space for children. To the best of our knowledge, no previous work has tackled the digital forensics analysis of Roblox, despite the attention it has gained from malicious users exploiting the application to target minors.

4. Experimental Setup

Our research methodology involves performing specific user activities on the Roblox platform and subsequently searching for the resulting artifacts. These artifacts, generated from the user activities, can be located in various locations of a computing device. This study focuses on identifying such artifacts within the storage (disk), volatile memory (RAM), and network traffic on a Windows 11 system.
We detail our experimental setup in Table 2, while Table 3 illustrates all the tools used for conducting the forensic analysis on each of the three focus areas in our research (storage, memory, and network). The consideration of the amount of RAM used for our setup was based on the standard amount of RAM an average desktop computer has [27]. Additionally, in our Windows system, we disabled the ability of paging to avoid any impact of it on the retrievable artifacts.

4.1. Software Setup

Roblox installation typically consists of two programs—Roblox Studio and Roblox Player. Roblox Studio allows a user to generate content across multiple platforms such as create games. On the other hand, Roblox Player allows the users to play the content on the machine. To prevent gaming fraud and banned software usage, Roblox prevents this software from being run on a virtual machine [28]. This requires the target analysis machines to be physical devices instead of virtual machines. To that end, the scope of this research includes examining artifacts generated by the Roblox Player on a Windows 11 machine.

4.2. Hardware Setup

4.2.1. Ubuntu Machine Settings

Configuring the settings to enable the Ubuntu node to function as a network gateway involves several critical steps, as shown in Figure 1. Firstly, we enable IP forwarding on the Ubuntu machine. Without IP forwarding enabled, the Ubuntu node would not act as a gateway, hindering the traffic flow. Once IP forwarding is enabled, we establish firewall rules to control the flow of traffic. By default, we set the policy for incoming (INPUT) and forwarded (FORWARD) traffic to DROP, meaning any packets not explicitly allowed will be discarded. This default policy ensures that the Ubuntu node only forwards authorized traffic. To maintain internal communication between processes on the Ubuntu machine itself, we allow traffic on the loopback interface (lo). This ensures that services running locally can communicate without interference.
Additionally, we permit traffic related to established connections. This rule ensures that responses to outgoing connections initiated by the Ubuntu machine or internal devices are allowed back in, facilitating two-way communication. Outbound traffic originating from the Ubuntu machine is explicitly allowed to ensure that it can reach external destinations without restriction. For traffic passing through the gateway from the LAN interface (e.g., eth0) to the WAN interface (e.g., eth1), we permit forwarding. This rule enables devices on the LAN to communicate with external networks through the gateway. This rule ensures that packets from internal devices are forwarded appropriately to external networks.
To perform Network Address Translation for outgoing traffic from the LAN to the WAN interface, we configure IPtables to masquerade the source IP addresses of outgoing packets. This process hides the internal IP addresses of devices on the LAN, substituting them with the IP address of the Ubuntu machine’s WAN interface. This NAT configuration ensures that responses from external servers are routed back to the Ubuntu machine, which then forwards them to the appropriate internal device. By following these detailed settings, the Ubuntu machine effectively serves as a network gateway, facilitating controlled communication.
To analyze the network traffic from the Roblox node, we used several tools on our Ubuntu node. To capture the HTTPS network traffic originating from Roblox, we used Fiddler proxy installed on the virtual machine. Fiddler Proxy can monitor and intercept all HTTPS traffic through a proxy listener. In configuring the proxy listener, Fiddler automates listening for incoming traffic and records the traffic originating from Windows processes into the Fiddler application. Generic non-HTTP traffic was analyzed using the Wireshark application installed on the Ubuntu node.

4.2.2. Windows Machine Settings

To configure the Windows machine to utilize the Ubuntu node as its gateway, we first access the network settings on the Windows system. Specifically, the IPv4 settings for the Windows System must use a static IP address in the same subnet as the Ubuntu eth0 port. We configured the Ubuntu machine’s eth0 port IP address as the gateway of the Windows machine. We also point the DNS servers for the Windows machine to the DNS forwarders implemented in the Ubuntu machine. Lastly, we configured the Windows firewall to allow all traffic inbound and outbound to prevent any restrictions imposed by the firewall on the Roblox traffic.
Furthermore, the proxy of the Windows machine was configured to use the Fiddler proxy. A CA (certificate authority) certificate of the Fiddler is installed as a trusted root certificate in the Windows machine. This configuration enables the Windows machine to route all its HTTP network traffic through Fiddler to the Ubuntu gateway.

5. Methodology

The research employs an experimental methodology to simulate a series of user activities over a span of two hours aimed at generating artifacts. The conducted activities align with typical user behavior and encompass the most prevalent actions on the Roblox application. Table 4 highlights the user activities simulated for the research.

5.1. Use Case Scenarios

The current research focuses on identifying user-generated data and artifacts from Roblox software (https://roblox.qq.com/ (accessed on 26 January 2026)). We attempt to define a model that helps analyze a social media gaming platform across various focus areas. The following are the main use cases identified for such a forensics analysis:
1.
Analyze local files created by Roblox (Storage forensics): Local files often contain critical evidence of a cyber incident or a crime. A lot of user behavior is persistent in the local files. We examined the various storage mechanisms that Roblox uses to store application data on disk. Analyzing these local application files can help identify artifacts and personally identifiable information that may be relevant to an investigation.
2.
Analyze registry changes (Storage forensics): The analysis of registry changes associated with Roblox will be analyzed to provide valuable insights into the platform’s footprint on Windows operating systems. The examination will focus on discerning the specific registry entries modified or created by Roblox. This is instrumental in understanding Roblox’s functionalities and interactions with the underlying operating system.
3.
Analyze application processes created (Memory forensics): We analyze the contents of a system’s volatile memory to identify and reconstruct the application processes that were running. This approach allows us to gain insights into the processes initiated by Roblox and the underlying mechanisms it uses to create these processes.
4.
Analyze memory dumps (Memory forensics): We capture a memory dump after conducting common user activities on Roblox. These dumps are then analyzed using memory forensics tools such as Volatility, as well as manual analysis using a hex editor to extract critical information, including running processes, open network connections, and user information.
5.
Analyze DNS requests from Roblox (Network forensics): For analyzing DNS requests, the methodology focuses on capturing the DNS traffic generated by the software. Network monitoring tools are employed to intercept and log DNS requests made by the application. DNS query patterns, domain resolutions, and response times are then analyzed.
6.
Analyze TLS-Based HTTP requests from Roblox (Network forensics): The analysis of TLS-based HTTP requests involves intercepting and capturing encrypted network traffic generated by Roblox. This is achieved by deploying a proxy or utilizing network packet capture tools. The captured traffic is decrypted, and the HTTP requests are extracted for analysis. The methodology focuses on inspecting the content, headers, and metadata of these requests.
7.
Analyze non-HTTP requests from Roblox (Network forensics): In situations where the software generates non-HTTP network requests, a similar approach as described for TLS-based HTTP requests can be adopted. The methodology involves capturing and decrypting the network traffic, identifying non-HTTP protocols, and analyzing the payloads. The goal is to understand the nature of these requests, identify their purposes, and assess whether they adhere to the expected behavior of the software.

5.2. Disk Storage Forensics

Storage forensics focuses on the investigation and analysis of storage devices to uncover evidence of digital crimes. The primary goal is to retrieve, examine, and interpret data stored on various types of storage media to support legal investigations. In our research, we investigate the existence of terrestrial artifacts produced by the Roblox application.
To achieve this objective, our experimental approach involves executing the Roblox application in a closely controlled environment, wherein we replicate common user activities. These activities are selected to mimic real-world interactions and behaviors that typically generate application-specific files or data within the disk. This comprised two main stages: application folder analysis and Windows registry analysis.
For the storage analysis, we acquired a bit-for-bit forensic image of the Windows system drive and computed cryptographic hash values (SHA-256) at the time of acquisition. The hash values were verified before examination, and all storage-related analyses in this study were performed on the digital forensic image rather than on the live system. In the pursuit of analyzing the disk, we examined the Roblox installation directory, where we identified numerous files and folders containing a lot of application data. To manually analyze the application data, we used tools such as ChromeCacheView (to analyze and export the cache files) and hex editor (HxD). Roblox is built on the Chromium Embedded Framework (CEF) for its desktop client, as seen by the folder structure of Roblox files during the disk analysis, as shown in Figure 2. CEF allows Roblox to leverage the capabilities of the Chromium browser within its applications. It also allows Roblox to embed web browser components into the application using WebView. WebView is a component of CEF that allows developers to embed web content (such as HTML pages, CSS styles, and JavaScript code) into their applications. Roblox uses this to display web-based content within the application’s user interface.
Regshot was used to compare snapshots of the Windows registry, allowing us to track changes made to the registry after installing and using the Roblox application. We utilized Regshot to compare created or modified registry entries. We started it off by taking an initial snapshot of the registry’s state before downloading the Roblox app. We then installed and used Roblox and captured a second snapshot to record the updated registry state.

5.3. Memory Forensics

Memory forensics is a specialized area within digital forensics focused on investigating and retrieving digital evidence stored in a computer’s volatile memory, known as RAM. This type of data encompasses a wide array of information, including program data, user-generated content, network-related details, and more [29]. Due to the wealth of user and system data stored in RAM, memory forensics is integral in uncovering crucial insights. It sheds light on an application’s behavior by revealing the processes it initiates and the data it generates and retains in memory. The forensic examination of memory typically involves two key phases: memory acquisition and subsequent memory analysis.

5.3.1. Memory Acquisition

To acquire a snapshot of the volatile memory of the Windows machine using the tool DumpIt by Magnet Forensics [30]. One of the advantages of DumpIt is that it is non-intrusive, meaning it acquires memory without altering the state of the system. This is crucial in maintaining the integrity of the data being collected. Additionally, immediately after acquisition, cryptographic hash values (SHA-256) of the memory image were computed and recorded, and these values were verified before any examination.

5.3.2. Memory Analysis

Volatility3 v2.27.0 [31] is an open-source utility framework for extracting volatile memory artifacts, implemented in Python. When provided with a memory image, Volatility can analyze the volatile memory to extract information on running processes, memory maps (detailed representation of the layout and usage of memory within a system), network connections, file handles, etc. For our experiment, we used Volatility to analyze the memory for residual artifacts from Roblox.
To gain a comprehensive understanding of Roblox’s functionality and the artifacts that can be retrieved, we conducted a memory analysis. Initially, we employed Volatility to examine the RAM, utilizing the ’windows.pstree.Pstree’ plugin to identify all processes running at the time the memory image was captured. The plugin presents processes in a hierarchical tree structure, revealing their parent–child relationships.
We also used the windows.strings.Strings plugin in Volatility. It scans the memory image to extract strings of text stored in various locations within the process address space. The output of this plugin is useful as these strings can include user input, file paths, API function names, and other textual evidence. By examining these strings found in memory, we can retrieve key insights into the activities ongoing at the time the memory dump was taken.
Additionally, we also used a hex editor to analyze the RAM images. Memory images contain a wealth of information, and a hex editor provides a granular view of this data. In our research, we used the HxD hex editor to analyze the memory dump at the binary level, searching for specific strings of information that allowed us to have a targeted approach to uncover evidence. The specific strings that we searched for during the experiment include Roblox, kimkarter (the name of the account user), username, email, and password. The results from these initial searches guided us to additional artifacts. For instance, searching for a user led us to their corresponding user ID. Subsequently, searching for the user ID revealed most of the related artifacts associated with that user.

5.4. Network Forensics

Network forensics is a field within digital forensics, with a primary focus on gathering, analyzing, and interpreting network activities. This entails a systematic investigation of network logs and packet captures aimed at reconstructing events and retrieving artifacts from network traffic [32,33].
During the network analysis, Roblox is executed in a controlled environment while its network interactions are closely monitored. DNS requests, HTTP requests, non-HTTP requests (if applicable), and other network traffic are captured and analyzed. We then aggregate and categorize the captured data to establish a network profile. This profile serves as a blueprint for the software’s typical network behavior. The Roblox gaming environment has been abused multiple times by tampering with the requests during gameplay. The software, for this reason, uses anti-tampering techniques that would prevent easy sniffing on the network or processing the network traffic. All network captures used in this study were obtained in this isolated setup, where the Windows node communicated exclusively through the configured Ubuntu gateway and proxies, ensuring that the recorded DNS, HTTP(S), and non-HTTP traffic can be directly attributed to the Roblox client and the scripted activities in Table 4. This constrained environment reduces background noise and supports a clear mapping between user actions and captured network traces, which is essential when such traces are later considered as digital evidence.
To analyze the network connections originating from the Roblox application, we created an isolated and controlled network environment, as shown in Figure 1. This is because isolating the network ensures that the evidence related to the forensic analysis remains intact and uncontaminated. Additionally, an isolated environment allows for controlled testing and experimentation. This is crucial for accurately understanding the behavior of Roblox under different user activities.
Due to the anti-tampering mechanisms implemented by Roblox, it was impossible to directly execute Roblox in a virtual environment. Roblox software executed in a virtual machine, or using emulators such as Wine, would just crash immediately upon opening. So, we had to resort to using physical machines for our test setup. In configuring our network setup, we employed a tandem of physical machines (nodes). The first node, operating on a Windows platform, housed the Roblox application, while the second node, a virtual machine running Ubuntu, serves as the dedicated platform for analyzing Roblox traffic. To ensure a controlled and confined networking environment, we created a private network (eth1). Both nodes exist within the confines of the same private network, establishing an environment where communication is restricted to the Windows node interacting exclusively with the Ubuntu node.
In this experimental setup, HTTPS traffic decryption relies on active TLS interception: the Windows machine is configured to trust a root certificate generated by the Fiddler proxy, and all Roblox HTTPS requests are routed through this proxy, which enables inspection of the decrypted HTTP payloads. This configuration assumes that the investigator has administrative control over the client environment and can lawfully install a trusted root certificate and proxy the traffic (for example, in a controlled lab reproduction, an enterprise endpoint monitoring setting, or under an appropriate court order). In many operational investigations, particularly when only passive network capture is feasible and the client cannot be modified, investigators would not be able to decrypt Roblox traffic in this manner and would instead be limited to metadata such as IP addresses, domains, timing information, and TLS handshake parameters, complemented by artifacts from storage and memory or provider-side logs. The decrypted network results presented in this paper should therefore be interpreted as characterizing the structure and content of Roblox’s client–server API interactions under an active interception scenario, rather than as evidence that plaintext application data will always be directly observable in real-world investigations.
As described above, our network analysis relies on active TLS interception. Roblox HTTPS traffic is proxied and decrypted using a trusted root certificate installed on the Windows client. This approach assumes that the investigator has administrative control over the endpoint and the legal authority to modify its trust store and route traffic through an interception proxy. In many operational investigations where only passive capture is feasible and the client cannot be modified, Roblox’s TLS-encrypted traffic would not be directly decryptable, and investigators would be limited to metadata (such as IP addresses, domains, and timing information), complemented by storage and memory artifacts or provider-side logs. Accordingly, the decrypted network results presented in this paper should be interpreted as characterizing Roblox’s client–server API interactions under an active interception scenario, rather than as evidence that plaintext application data will always be observable in real-world cases.

6. Results and Discussion

In the following sections, we outline and explore various Roblox artifacts retrieved from the storage, memory (RAM), and network analysis.

6.1. Storage Forensics

All the artifacts retrieved during disk analysis were extracted from three key storage mechanisms: local storage, session storage, and cache. Local storage and session storage utilize LevelDB data stores, an on-disk key-value storage system. Each LevelDB database occupies a folder in the file system, containing files named “CURRENT”, “LOCK”, “LOG”, “LOG.old”, “MANIFEST-xxxxxx”, “xxxxxx.log”, and “xxxxxx.ldb”, where xxxxxx represents a hexadecimal sequence number indicating the order of file creation (where higher numbers are more recent). The “.log” and “.ldb” files store the actual record data, while the other files contain metadata to facilitate efficient data reading. Initially, data written to a LevelDB database is added to a “.log” file. When a log file reaches a certain size (4 MB by default), its data is converted into a permanent table file (a “.ldb” file), and a new log file is created.
Most of the artifacts during disk storage analysis were retrieved from the cache. Roblox utilizes an implementation of Chromium’s Disk Cache, storing all cache files in a single folder named “Cache”. Chromium’s Disk Cache uses at least five files: one index file (“index”) and four data files (“data_0”, “data_1”, “data_2”, and “data_3”). The index file contains the main hash table used to locate entries in the cache, while the data files, also known as block files, store the actual data. These block files are optimized to store information in fixed-size “blocks”. If the size of a data piece exceeds the maximum block size (16 KB), it is stored in a separate file instead of a standard block file. These separate files, which contain only the data to be saved without special headers, are named in the format “f_xx”, where “xx” is a hexadecimal identifier.
The results of this research are based on user activities performed within the Roblox application, leading to the creation of numerous artifacts across various storage mechanisms. The artifacts highlighted in this section were evaluated for their forensic value. Significant artifacts are listed here, along with the corresponding user activity and the storage mechanism from which they were retrieved, as shown in Table 3.

6.1.1. Initial Setup

When users create an account in Roblox, they provide a significant amount of personal information, including their birthdate, phone number, gender, and age, all of which can be retrieved. Additional contextual artifacts from the account creation process include geolocation data (indicating where the account is being used) and age verification information. This information is crucial for establishing the user’s identity and tracing their activities. All artifacts retrieved from the initial setup process were found in the cache within JSON files such as “birthdate.json”, “gender.json”, “phone.json”, “verified-age.json”, and “account-country.json”. These files provide key details such as the user’s birthdate, gender, phone number, age verification status, and account country, respectively.

6.1.2. User Profile Configuration

A user profile is a digital representation of the user, composed of various data points. Most artifacts in this category were retrieved from cache files. However, artifacts such as ‘Username’ and ‘User ID’ could also be retrieved from local and storage. Within the cache, there is a JSON file named after each Roblox user’s unique ten-digit user ID. This file includes key information such as a description (a short text section providing information about the user), account creation timestamp, username, and display name, as illustrated in Figure 3.
In Roblox, users can further customize their accounts by adding social media links and adjusting various account settings, such as privacy and user interaction settings (whoCanMessageMe, whoCanChatWithMe). Artifacts related to these configurations can be found in the cache, specifically in the “promotion-channels.json” and “user-settings.json” files, respectively.
Retrieving these artifacts during a digital forensics investigation can provide significant insights. The ‘description’ section often contains personal information and interests, which can help profile the user. Social media links can connect the Roblox account to the user’s broader online presence, aiding in identifying their real-world identity and social networks. This is crucial for tracing communications or activities across multiple platforms. Additionally, examining account settings can reveal how the user interacts with the platform, including their privacy preferences and security measures, offering clues about potential attempts to hide or secure their activities.

6.1.3. Avatar Creation

An avatar in Roblox is a customizable digital representation of a user within the platform. Each user can personalize their avatar with various features and accessories to reflect their identity or preferences. In this research, artifacts related to the user avatar were also retrieved. These artifacts can serve as a form of identity verification, as users often configure their avatars based on their physical features. Avatar artifacts were retrieved from the cache in the JSON file “currently-wearing.json”, which contains the ‘asset IDs’ of the clothes and accessories the avatar is currently wearing. Additionally, the cache also includes pictures of the avatar.

6.1.4. Creating Friends

Artifacts related to friends in Roblox encompass various data points that offer valuable insights into a user’s social relationships within the platform’s community. These artifacts are crucial for understanding user engagement, social dynamics, and community interactions within Roblox. Friends lists provide a record of users with whom a player has established a social connection. Artifacts related to friends can be retrieved from local storage, session storage, and cache. While we could only retrieve the user ID and username from local and session storage, we were able to retrieve many more artifacts from the cache file “friends.json”. It contains crucial artifacts related to a user’s friends on Roblox.
Some of the key artifacts in each friend entry include details such as their online status (‘isOnline’), indicating whether they are currently active. Additionally, unique identifiers such as ‘id’, along with the friend’s username (‘name’) and display name (‘displayName’), are essential for identification. These artifacts collectively help build a comprehensive profile of the user’s social interactions on Roblox, identifying significant connections. In contrast, during the investigation, we also retrieved information on blocked users from the cache file “get-detailed-blocked-users.json”. This file details the ‘user ID’, ‘name’, and ‘displayName’ of the blocked user.
Additional information on friends can be found in individual user JSON files within the cache, as detailed in Section 6.1.2. Moreover, crucial artifacts related to friends, including User ID and name, can also be retrieved from both local and session storage.

6.1.5. Creating Groups

Groups on Roblox are communities that users can join based on shared interests. Group information can reveal which groups a user has joined. During the creation of the group, additional information, such as roles (group owners, administrators, or members), can indicate the level of influence a user has within a group, as well as potentially their involvement in any suspicious activities.
Throughout the research, we retrieved several artifacts related to the user activity of creating groups. As part of the experiment, we created a test group named ‘Roblox digital forensics’. When analyzing the creation of the Roblox group, several key artifacts can be retrieved from JSON files stored in the cache. These artifacts provide a detailed view of the group’s structure, roles, and member interactions, which are crucial for digital forensic investigations.
The cache consists of several JSON files named after the eight-digit group ID itself, such as “34210684.json” as shown in Figure 4. It contains comprehensive information about the group, such as the group’s name, description (“This is a group for experiments”), and ownership details, highlighting the owner’s user ID, username, and display name. The file also records shout messages (messages broadcast to all members of a group), providing timestamps (Unix Epoch Time) for creation and updates, which are essential for establishing the timeline of communications within the group. Most of these artifacts can be correlated with the screenshot of the group on the Roblox platform, as shown in Figure 5.
It is important to recognize that each Roblox group has its own group role names and corresponding role IDs. These artifacts can be extracted from the “roles.json” file, as illustrated in Figure 6. For example, the JSON snippet for group ID 33865601 (Roblox digital forensics) reveals roles such as ‘Guest’, ‘Member’, ‘Admin’, and ‘Owner’, each with a specific role ID and description. Additionally, the cache file also provides the member count for each role, showing how many users occupy each position.
In addition to various roles a group can have, we can also retrieve detailed artifacts about the user’s roles in various groups, listing the groups the user is part of, including key information such as the group ID, group name, description, owner details, and member count.

6.1.6. Socializing (Groups)

One of the most important artifacts that may be retrieved from Roblox is the group chat artifacts. The messages sent in groups can be vital to many digital forensics investigations. They can provide valuable insights into a user’s communication within a group. Following the experiment we conducted, we were able to retrieve wall posts (group messages) from the test group created as shown in Figure 7 from the cache file “cursor=&limit=50&sortOrder=Desc 5 ~ .json”. The name of the file indicates that it contains a maximum of 50 entries, listed starting from the most recent, which is significant when establishing a timeline of events or interactions.
The artifacts include detailed information about two wall posts within a group. Each post is identified by a unique ‘id’, the ‘poster’, and the ‘body’. The poster artifacts of each entry reveal information about the user who made the post, including their ‘user ID’, ‘username’, and ‘displayName’. For example, user ‘4155788451’, with the username ‘kimkarter074’, holds the ‘Owner’ role, which has a role ID of ‘107562009’ and a rank of 255. Each post also contains a ‘body’ field, which shows the content of the message and the timestamps for when each post was ‘created’ and ‘updated’. These timestamps are essential for establishing a timeline of interactions and communications within the group. Overall, these artifacts can help investigators understand user interactions and establish a timeline of events.

6.1.7. Game Play

One of the main user activities on Roblox is the creation of a game (also called an experience in Roblox). By analyzing a user’s creations, investigators can potentially identify any suspicious or illegal activities associated with their creations. Figure 8 depicts a cache file “games.json” that highlights artifacts related to games created by the user.
We were able to retrieve data about the game, including the game’s unique ID, name, and description, from the cache and local storage, as shown in Figure 8 and Figure 9, respectively. The artifacts retrieved include information about the creator, specifying their user ID. Additionally, the timestamps for the game’s creation and last update are also recorded, along with the total number of visits to the place. These artifacts are crucial for a digital forensics investigation as they establish the user’s activities in game creation, provide timestamps for the creation and modification of games, and offer insights into the engagement and usage patterns of the games created by the user.

6.1.8. Purchases

In Roblox, players have the option to make in-app purchases to acquire virtual currency, Robux, which is essential for purchasing in-game items, upgrades, and customizations. During the experiment, we bought 400 Robux for $4.99 using a credit card. We could thus retrieve key artifacts related to this user activity from the cache file “payment-profiles.json” as shown in Figure 10, such as card network, last 4 digits, and expiry month/year of the credit card used.
Additionally, we can also retrieve artifacts on the purchases made on Roblox from the cache. The cache file is usually named after the product ID. In the illustrated JSON file in Figure 11, the artifact details a purchase made within Roblox for ‘Roblox Premium 450’ with a monthly subscription duration. The transaction was priced at ‘$4.99’ USD and is set to renew automatically, with an expiration date of ‘22 May 2024’. Such artifacts are crucial in digital forensic analysis as they contain specific information about the product purchased, its cost, duration, and renewal settings. These details help forensic investigators reconstruct financial activities, verify account usage, and potentially identify patterns of spending or subscription management within the Roblox platform.

6.2. Windows Registry Forensics

In addition to the storage locations discussed earlier, there are other areas where valuable evidence may be concealed, such as the registry. The registry is an important source of artifacts in digital forensics analysis, offering critical insights into system configurations, user activities, and application interactions. Registry modifications provide a detailed record of changes made to a system’s settings and installed software. Through our research, it is evident that Roblox maintains a footprint in the registry. The software installs essential registry components into specific keys within the user hive, as detailed in Table 5.
Entries such as ‘InstallDate’ can establish timelines of software installations, aiding in reconstructing the sequence of events on a system. Moreover, other registry entries also give critical information such as ‘baseHost’, and ‘version’. These registry entries also include user interface settings ‘FriendlyAppName’, ‘DisplayName (in Unicode)’, and ‘ApplicationCompany’. Overall, these registry creations serve as critical digital footprints, enabling investigators to piece together user activities and software interactions.

6.3. Memory Forensics

Three key processes stood out in relation to Roblox’s operation: ‘msedgewebview2’, ‘msedge.exe’, and ‘RobloxPlayerBeta’, as shown in Figure 12 and Figure 13. ‘RobloxPlayerBeta’ is the main executable for the Roblox player, responsible for running the game itself. The ‘msedge’ and ‘msedgewebview’ processes are part of Microsoft Edge WebView, a technology that embeds web content within native applications, using the Chromium engine, the same engine that powers the Microsoft Edge browser to render web pages.
From the pstree plugin results, it was observed that the processes msedgewebview2 and msedge.exe employ a multi-process architecture. In this setup, a main process, often referred to as the master process or entry point, oversees the application’s operations. Beneath this main process, multiple renderer processes efficiently manage distinct tasks. In the following subsections, we present various categories of artifacts retrieved from memory within the Windows operating system. Moreover, Table 6 provides a comprehensive list of these artifact categories along with each specific artifact discovered.

6.3.1. Initial Setup

Significant personally identifiable information (PII) concerning the account holder can be extracted from the initial setup of the account, making it valuable in the context of a forensic investigation. Among the user account artifacts retrieved from the memory are the geolocation (where the account is created and being used) and the user password. The retrieval of the password, in particular, is crucial as it provides direct access to the user account, enabling investigators to further explore the user’s activities that cannot be retrieved from a digital forensic investigation.

6.3.2. User Profile and Creating Friends

User profile artifacts are essential to digital forensic investigations, providing information about the user on the platform. These artifacts, retrieved from memory, include the username, user ID, and account description. Such information is vital for verifying the identity of the user. Additionally, similar artifacts can be retrieved for all the user’s friends, allowing investigators to map out social connections and interactions.

6.3.3. Chat Messages

A crucial aspect of any social media platform involves the capability to exchange messages. In a forensic context, this information becomes a crucial resource for investigators, enabling them to construct a detailed narrative of communication patterns. Although we could not find any artifacts related to chats from the disk analysis, memory analysis uncovered a set of artifacts linked to chats in the Roblox platform, as shown in Figure 14. The image provides a glimpse into the artifacts retrieved from the chat logs in Roblox. These artifacts include details such as the request methods, URLs, conversation IDs, and the text message (in plaintext). For instance, the logs reveal that a message was sent in a conversation identified by the ID 19698176631. Additionally, the logs capture interactions with the Roblox chat server, indicated by URLs like ‘https://chat.roblox.com/v2/update-user-typing-status’ (accessed on 26 January 2026) and ‘https://chat.roblox.com/v2/send-message’ (accessed on 26 January 2026).
These chat artifacts are significant in digital forensics investigations as they help establish communication patterns by providing message contents. This can be crucial in understanding the context of interactions, identifying participants in a conversation, and reconstructing events.

6.3.4. Creating Groups

Part of the simulated activities for the experiment was to create a public group in Roblox. Groups can be created to serve as designated spaces for specific types of interaction. During our analysis, we could retrieve the group names, group IDs, and ‘shout’ of the group. These artifacts reveal crucial evidence on the communication channels utilized by the user. Furthermore, it may also provide insights into the subject of the communication going on in the channel based on its name.

6.3.5. Game Play

Gameplay is a central activity in Roblox, serving as the primary means through which users engage with the platform. As part of the memory analysis, we were able to uncover artifacts such as ‘GameID’ and ‘name of the game’. These artifacts are crucial for digital forensics investigations because they provide specific identifiers and context for the games that users interact with. The ‘GameID’ helps trace the exact game being played, which can be linked to user activities. The ‘name of the game’ gives context to the type of content the user is engaging with, which can be essential in cases involving inappropriate or illegal activities within the game environment.

6.4. Network Forensics

The network section of Roblox can be analyzed as two different implementations. The first implementation is intercepting HTTPS traffic and analyzing connections being made to the Roblox services, leveraging TLS. The second implementation is intercepting Roblox game traffic outside HTTPS content.
Figure 15 shows a sample HTTPS request issued by Roblox to authenticate the user “mars_cabbage”. The response to the request sets up the .ROBLOSECURITY cookie that contains the authentication token required for subsequent Roblox calls. The cookie is long-lived and is vital to identify and perform actions as a user in Roblox. It allows interacting with any user Roblox HTTPS API. This cookie is important for user security and has been the target for scammers.Based on our analysis, the cookie was not limited to an IP address. We were able to use the cookie from a completely different system where the cookie had not been generated.
The game traffic communication was not interceptable directly. We believe this is because Roblox was communicating over HTTPS API, from the game was using HTTPS cert pinning that would prevent someone malicious from injecting the proxy and intercepting the traffic in between. However, we have noticed communications to the domains such as auth.roblox.com, privatemessages.roblox.com, messages.roblox.com, economy.roblox.com, and titanium.roblox.com in the Wireshark messages. Without the client certificates, it is impossible to decipher the contents of the certificate. Since the objective of the current paper is to investigate the digital forensics of Roblox executed with normal user interactions, analysis of the game traffic specifically tamper-proofed has been considered out of the scope of the current analysis.

6.4.1. Initial Setup

The initial setup occurs over HTTPS and is primarily a browser-based operation. Because of this, it is possible to intercept the TLS traffic between the browser and the Roblox service, provided the TLS certificate is installed as one of the trusted root certificates within the machine. The parameters related to the user account are captured over the network and can be decrypted using man-in-the-middle attacks. The information captured includes parameters about the username, email, client IP address, account settings, blocked and allowed users, and details required to set up the account. Once the email address is accepted by Roblox, subsequent communications to Roblox only include a masked email address with an unmasked domain name (e.g., p******a@gmail.com). The initial login to Roblox also contains the username and password transferred over the TLS protocol, as shown in Figure 15, which was intercepted, provided a trusted root certificate is added to the computer.

6.4.2. Account Configuration

Upon login, the “.ROBLOSECURITY” cookie, as shown in Figure 16, can be used to interact with all the Roblox account API for account management operations. The token “.ROBLOSECURITY” acts as the primary authentication token for accessing the API. The format of the cookie, as of June 2024, appears to be a hex-based string of at least 388 bytes long. The common API for account operations includes fetching settings belonging to the user upon submission of the “.ROBLOSECURITY” cookie to the URL “https://www.roblox.com/my/settings/json”. This returns user-specific details from the API server. Furthermore, the domain “accountsettings.roblox.com” contains APIs that allow users to view the settings related to their Roblox accounts.

6.4.3. Avatar Creation

Avatar creation within Roblox includes communication with the Avatar API located at “avatar.roblox.com”. The avatar rules and avatar settings configured by the user are communicated to this domain. Authentication to this domain includes the same “.ROBLOSECURITY” cookie. The details of the avatar creation are communicated over TLS and were intercepted by a proxy, provided a trusted root certificate is installed on the client.

6.4.4. Creating Friends

The domain friends.roblox.com contains APIs for viewing and managing friends within the Roblox game. Upon logging in, some of the API requests from the browser fetch the friend request count and the list of friends of the user. The list of friends for a user ID can be retrieved using the API “/v1/users/userid/friends”. The cookie “.ROBLOSECURITY” is needed before any list of user friends is retrieved.

6.4.5. Chat Messages

Private messages are retrieved from the domain “privatemessages.roblox.com” using the “.ROBLOSECURITY” cookie. It is possible to send private messages to friends from the browser. This interaction can be captured, including the message contents, using the API at “privatemessages.roblox.com”. However, chat messages with friends during the game cannot be retrieved directly since the interaction happens in the game and not within a browser. Such communications cannot be intercepted because the client outside the browser implements a sort of validation that prevents loading of proxies into the gameplay.

6.4.6. Gameplay

Roblox games implement an active monitoring system that prevents user tampering with some of the internal settings. It is not possible to associate proxies in the game and intercept the communication. Client data is encrypted without exposing any protocol information to the Man-in-the-Middle (MITM) users. Any tampering with the client settings (e.g., running in a virtual machine) crashes the program. This is intended to prevent users of Roblox from cheating within the games.

6.4.7. Purchases

Purchases within Roblox are made through a platform called Robux. Credit card purchases are required to purchase Robux. Roblox uses Stripe as the payment processor. Since the transactions happen over the browser to purchase Robux, the credit card data was captured through MITM, provided again the TLS certificate is installed as a trusted root authority.

7. Discussion

In this research, we conducted digital forensic analysis of Roblox, which covered three distinct focus areas: disk, memory, and network. We retrieved various artifacts related to user activities from each analysis focus. However, as shown in Table 6, not all artifacts were retrieved from each focus area. For example, while most gameplay artifacts were found in local storage, none were retrieved from session storage, cache, or network analysis, with some artifacts being retrievable from memory. Additionally, user chats were exclusively retrieved through memory analysis.
A limitation of the network analysis is that in-game Roblox traffic could not be decrypted, even when routing traffic through the configured HTTPS interception proxies. This suggests the presence of certificate pinning and anti-tampering mechanisms designed to prevent man-in-the-middle inspection and request manipulation. From a digital forensic perspective, this means that fine-grained in-game interactions cannot be reconstructed directly from network payloads using standard proxy-based interception. However, our results show that many elements of in-game behavior still leave artifacts in storage and memory, and in-game chats can be recovered from memory, while higher-level events such as group creation, chats, and friend networks are reflected in cache and API calls. In operational Roblox investigations, detailed reconstruction of in-game actions will therefore often require combining artifacts from various perspectives.
An important aspect of this study is that the reported artifacts were not only retrieved, but were also validated and cross-referenced across multiple sources. All user activities were scripted as shown in Table 4, which provided ground-truth values for usernames, user IDs, group identifiers, game identifiers, timestamps, and purchase details. During analysis, artifacts recovered from storage, memory, and network were compared against these recorded actions and, where applicable, against the corresponding views in the Roblox interface (for example, profile and group pages). When the same logical information appeared in more than one location, such as a username observable in cache files, memory strings, and HTTPS API requests, we examined the consistency of these values across sources. In this study, timeline reconstruction was performed with reference to these scripted activities: for each action (e.g., account creation, sending and accepting friend requests, joining and posting in groups, joining games and chatting in-game, and performing purchases), we identified the corresponding artifacts across storage, memory, and network and linked them based on shared identifiers and closely aligned timestamps. The artifacts and event sequences discussed in Section 6 therefore represent information that is both technically recoverable and consistent with the observed user behavior, which strengthens their reliability and illustrates how multi-source corroboration can be used to support evidentiary robustness.
The storage analysis revealed that the majority of artifacts were retrieved from cache files, as local and session storage have a more limited scope for data storage, storing only certain data points. Memory analysis also provided valuable information; however, a significant challenge was that the artifacts were fragmented throughout the memory dump, requiring keyword searches to locate them. These research findings demonstrate that to thoroughly retrieve artifacts related to all possible user activities, it is crucial to investigate various focus areas. Together, these artifacts enable investigators to build a detailed profile of a user’s actions, interactions, and preferences within the platform.
Considering our research questions outlined in Section 1, we have found the following:
1.
Many crucial user artifacts can be retrieved through the digital forensic analysis of the disk, memory, and network.
2.
Artifacts retrieved, such as chats, account credentials, and PII, are crucial to digital forensics investigations because they provide comprehensive insights into user activities and identities.
3.
A lot of PII was retrieved, such as email, user ID, credit card information, etc.
4.
The retrieved artifacts are similar in that Roblox stores information in a consistent format across different storage types. Differences mainly arise in the type and completeness of the artifacts retrieved from each analysis focus.
5.
Since the stored information follows a similar format, evidence from different analysis focuses can be easily integrated and cross-referenced, facilitating a comprehensive digital forensic investigation.
In relation to prior digital forensic analyses of gaming consoles and platforms such as Xbox One, PlayStation 4, Minecraft, Pokémon Go, Nintendo 3DS/Switch, Decentraland, and Discord [15,16,17,18,19,20,21,22,23,24,25], the present study both confirms and extends existing methodologies and findings. Similarly to these works, we demonstrate that user identifiers, profile information, gameplay traces, and payment-related artifacts can be recovered from storage and memory and, where TLS interception is feasible, from network traffic. However, our approach differs from most earlier gaming studies, which typically concentrate on a single focus area (e.g., disk or network), by systematically integrating storage, memory, and network perspectives for a single platform and by analyzing how Roblox’s architecture and anti-tampering mechanisms affect the location and accessibility of artifacts.
This research lays the foundation for our future efforts to develop a framework and tool for automating the digital forensic investigation process for Electron-based social media applications, as illustrated in Figure 17. The proposed framework will begin by identifying and collecting data from various storage locations, including local storage, cache, and memory. It will then incorporate an advanced ETL (Extract, Transform, Load) pipeline specifically designed to handle the complexities of social media data, ensuring efficient standardization and processing across diverse storage formats. Additionally, it will integrate rule-based systems, pattern matching, and natural language processing (NLP) techniques such as Named Entity Recognition (NER), keyword matching, and near-duplicate detection to extract relevant forensic artifacts. Finally, the framework will generate comprehensive reports that present findings through user-based aggregation and timeline visualizations.

Ethical Considerations to Safeguard User Data for Minors

The digital forensics analysis of platforms like Roblox that cater primarily to a user base of minors presents a unique set of ethical challenges. While digital forensic investigations are critical for addressing issues such as cybercrime, exploitation, and inappropriate content within the platform, they must also prioritize protecting the privacy and rights of vulnerable users. Sensitive data, such as usernames, chat logs, gameplay interactions, and potentially identifiable information, may be exposed. This data, if mishandled, could lead to privacy violations or even harm to the users involved. This section explores key ethical considerations and provides guidance for safeguarding user data during digital forensic investigations.
1.
Minimizing data collection: During digital forensics investigations, investigators should adhere to the principle of data minimization by ensuring that any data collected is strictly relevant to the scope of the investigation.
2.
Adhering to legal and regulatory frameworks: Digital forensics investigations should adhere to legal and regulatory standards designed to protect the rights and privacy of children. Such standards include the following:
  • COPPA (Children’s Online Privacy Protection Act): U.S. law that governs the collection and use of personal data from children under the age of 13.
  • GDPR (General Data Protection Regulation): European regulation that includes specific provisions for protecting children’s data.
  • Any local privacy laws depending on the jurisdiction.
3.
Informed consent: When investigating Roblox accounts, investigators must follow strict legal procedures to obtain appropriate warrants or consent from guardians.
4.
Risk mitigation for artifact analysis: Digital forensics investigations should incorporate a safeguard for ensuring that sensitive artifacts, such as personal information and user-generated content, are analyzed with extreme care. Investigators are advised to segregate and protect these artifacts to prevent misuse or accidental disclosure.
All experiments described in this study were conducted using researcher-created dummy Roblox accounts in a controlled laboratory environment. Every account involved, including primary users, friends, group members, chat counterparts, and group participants, was created and exclusively controlled by the authors for the purpose of artifact generation. No data from real individuals was collected, accessed, intercepted, or analyzed. No interaction with real users, including minors, occurred at any point during the study. All social interactions, messages, group activities, and transactions were simulated solely to trigger application behavior and generate forensic artifacts.

8. Conclusions and Future Work

Roblox has become a popular platform for children to engage in online gaming, but this popularity has also attracted various online crimes. In our research, we conducted a comprehensive digital forensics analysis of Roblox on a Windows machine, covering memory, disk, and network to effectively address our research questions. Our findings indicate that a variety of artifacts can be retrieved, many of which include user PII, holding significant forensic value for investigators. We also identified the storage locations of each retrieved artifact, providing essential insights for forensic analysis. Additionally, our results highlight that while many artifacts can be retrieved from the disk, certain crucial artifacts, such as chats and passwords, can only be retrieved through memory and network analysis. Therefore, to obtain a comprehensive dataset of artifacts, a multifaceted digital forensics approach targeting various focal points is necessary.
Our results indicate a gap in the field, a need for a tool that can automate artifact retrieval while maintaining the thoroughness of manual analysis. Our future work aims to address this gap by developing a tool for Electron-based social media applications, capable of parsing through diverse data points (artifacts) and generating comprehensive reports or timelines of activities based on the retrieved artifacts. This initiative is crucial as, despite the availability of artifacts, piecing them together manually to draw conclusions requires substantial labor. By automating this process, we aim to streamline digital forensic investigations and enhance efficiency in uncovering and analyzing digital evidence within Roblox and other social media applications.

Author Contributions

Conceptualization, C.V.; Methodology, K.G. and P.L.; Validation, P.L.; Investigation, K.G.; Data curation, K.G.; Writing—original draft, K.G.; Writing—review & editing, P.L. and C.V.; Supervision, C.V.; Project administration, C.V. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

The raw data supporting the conclusions of this article will be made available by the authors on request.

Conflicts of Interest

None of the authors have any potential of conflicts with Roblox or relation with it.

References

  1. Bryan, L. How Online Gaming Has Become a Social Lifeline [December 2020]. 2020. Available online: https://www.bbc.com/worklife/article/20201215-how-online-gaming-has-become-a-social-lifeline (accessed on 29 November 2025).
  2. Exclusible. How Roblox Became the New Social Media for Gen Z and Alpha. 2024. Available online: https://www.exclusible.com/resources/how-roblox-became-the-new-social-media-for-gen-z-and-alpha-lrnv4 (accessed on 23 January 2025).
  3. Dean, B. Roblox User and Growth Stats You Need to Know in 2024. 2024. Available online: https://backlinko.com/roblox-users (accessed on 26 November 2025).
  4. Livingstone, S.; Carr, J.; Byrne, J. One in Three: Internet Governance and Children’s Rights. 2016. Available online: https://www.cigionline.org/publications/one-three-internet-governance-and-childrens-rights/ (accessed on 26 November 2025).
  5. James, C.; Weinstein, E.; Mendoza, K. Teaching Digital Citizens in Today’s World: Research and Insights Behind the Common Sense K–12 Digital Citizenship Curriculum; Common Sense Media: San Francisco, CA, USA, 2019. [Google Scholar]
  6. Roblox Corporation. Roblox Corporation—Quarterly Report—SEC Filing. 2023. Available online: https://d18rn0p25nwr6d.cloudfront.net/CIK-0001315098/20ba7901-06ee-4e96-a6ed-c50b06b3420e.pdf (accessed on 8 January 2025).
  7. Perez, S. Roblox Hits Milestone of 90m Monthly Active Users. 2019. Available online: https://techcrunch.com/2019/04/08/roblox-hits-milestone-of-90m-monthly-active-users/ (accessed on 26 November 2025).
  8. Bloomberg. Roblox’s Pedophile Problem. 2024. Available online: https://www.bloomberg.com/features/2024-roblox-pedophile-problem/ (accessed on 8 January 2025).
  9. Lanier, L. Roblox Launches Digital Civility Initiative in Push for Safety. 2019. Available online: https://variety.com/2019/gaming/news/roblox-launches-digital-civility-1203107649/ (accessed on 26 November 2025).
  10. Hindenburg Research. Roblox: Inflated Key Metrics for Wall Street and a Pedophile Hellscape for Kids. 2024. Available online: https://hindenburgresearch.com/roblox/ (accessed on 8 January 2025).
  11. Douling, T. Online Gaming Platforms Such as Roblox Used as Trojan Horse’ for Extremist Recruitment of Children. 2023. Available online: https://www.theguardian.com/australia-news/2023/dec/03/online-gaming-platforms-such-as-roblox-used-as-trojan-horse-for-extremist-recruitment-of-children-afp-warns (accessed on 9 January 2025).
  12. Smith, M. Roblox Expands Parental Controls in Wake of Predatory Crimes on Its App. 2024. Available online: https://www.themirror.com/tech/gaming/roblox-expands-parental-controls-wake-828961 (accessed on 9 January 2025).
  13. The Economic Times. Malware in 28 Games like Roblox, Minecraft Exploit Several Players’ Financial Data. 2022. Available online: https://economictimes.indiatimes.com/tech/technology/malware-in-28-games-like-roblox-minecraft-exploit-several-players-financial-data/articleshow/94224301.cms (accessed on 9 January 2025).
  14. Perez, S. Roblox Responds to the Hack That Allowed a Child’s Avatar to Be Raped in Its Game. 2018. Available online: https://techcrunch.com/2018/07/18/roblox-responds-to-the-hack-that-allowed-a-childs-avatar-to-be-raped-in-its-game/ (accessed on 26 November 2025).
  15. Moore, J.; Baggili, I.; Marrington, A.; Rodrigues, A. Preliminary forensic analysis of the Xbox One. Digit. Investig. 2014, 11, S57–S65. [Google Scholar] [CrossRef]
  16. Davies, M.; Read, H.; Xynos, K.; Sutherland, I. Forensic analysis of a Sony PlayStation 4: A first look. Digit. Investig. 2015, 12, S81–S89. [Google Scholar] [CrossRef]
  17. Khanji, S.; Jabir, R.; Iqbal, F.; Marrington, A. Forensic analysis of xbox one and playstation 4 gaming consoles. In Proceedings of the 2016 IEEE International Workshop on Information Forensics and Security (WIFS), Abu Dhabi, United Arab Emirates, 4–7 December 2016. [Google Scholar] [CrossRef]
  18. Sablatura, J.; Karabiyik, U. Pokémon go forensics: An android application analysis. Information 2017, 8, 71. [Google Scholar] [CrossRef]
  19. Taylor, D.P.J.; Mwiki, H.; Dehghantanha, A.; Akibini, A.; Choo, K.K.R.; Hammoudeh, M.; Parizi, R. Forensic investigation of cross platform massively multiplayer online games: Minecraft as a case study. Sci. Justice 2019, 59, 337–348. [Google Scholar] [CrossRef] [PubMed]
  20. Pessolano, G.; Read, H.O.; Sutherland, I.; Xynos, K. Forensic analysis of the Nintendo 3DS NAND. Digit. Investig. 2019, 29, S61–S70. [Google Scholar] [CrossRef]
  21. Nnamonu, O.; Hammoudeh, M.; Dargahi, T. Digital forensic investigation of web-based virtual reality worlds: Decentraland as a case study. IEEE Commun. Mag. 2023, 61, 72–78. [Google Scholar] [CrossRef]
  22. Tabuyo-Benito, R.; Bahsi, H.; Peris-Lopez, P. Forensics analysis of an on-line game over steam platform. In Proceedings of the Digital Forensics and Cyber Crime: 10th International EAI Conference, ICDF2C 2018, New Orleans, LA, USA, 10–12 September 2018. [Google Scholar]
  23. Barr-Smith, F.; Farrant, T.; Leonard-Lagarde, B.; Rigby, D.; Rigby, S.; Sibley-Calder, F. Dead man’s switch: Forensic autopsy of the Nintendo Switch. Forensic Sci. Int. Digit. Investig. 2021, 36, 301110. [Google Scholar] [CrossRef]
  24. Eichhorn, M.; Schneider, J.; Pugliese, G. Well Played, Suspect!–Forensic examination of the handheld gaming console “Steam Deck”. Forensic Sci. Int. Digit. Investig. 2024, 48, 301688. [Google Scholar] [CrossRef]
  25. Gupta, K.; Lanka, P.; Varol, C. A holistic digital forensic analysis of Discord–Storage, memory, and network perspectives. J. Forensic Sci. 2024, 69, 1320–1333. [Google Scholar] [CrossRef] [PubMed]
  26. Gupta, K.; Varol, C.; Zhou, B. Digital forensic analysis of discord on google chrome. Forensic Sci. Int. Digit. Investig. 2023, 44, 301479. [Google Scholar] [CrossRef]
  27. Witman, E. How Much Ram Do You Need? How to Tell and When You Should Upgrade Your Computer Storage. 2022. Available online: https://www.businessinsider.com/reference/how-much-ram-do-i-need (accessed on 26 November 2025).
  28. Rudra, S. Game Over for Roblox on Linux: The New Anti-Cheat Blocks Wine Usage. 2023. Available online: https://itsfoss.com/news/roblox-linux-end/ (accessed on 26 November 2025).
  29. Inoue, H.; Adelstein, F.; Joyce, R.A. Visualization in testing a volatile memory forensic tool. Digit. Investig. 2011, 8, S42–S51. [Google Scholar] [CrossRef]
  30. Magnet Forensics. 2024. Available online: https://www.magnetforensics.com (accessed on 26 November 2025).
  31. Volatilityfoundation. Volatilityfoundation/Volatility3. 2024. Available online: https://github.com/volatilityfoundation/volatility3/releases (accessed on 26 November 2025).
  32. Sikos, L.F. Packet analysis for network forensics: A comprehensive survey. Forensic Sci. Int. Digit. Investig. 2020, 32, 200892. [Google Scholar] [CrossRef]
  33. Montasari, R.; Hill, R.; Carpenter, V.; Montaseri, F. Digital forensic investigation of social media, acquisition and analysis of digital evidence. Int. J. Strateg. Eng. (IJoSE) 2019, 2, 52–60. [Google Scholar] [CrossRef]
Electronics 15 00876 g001
Figure 1. Network analysis experimental setup.
Figure 1. Network analysis experimental setup.
Electronics 15 00876 g001
Electronics 15 00876 g002
Figure 2. Folder hierarchy for Roblox storage files.
Figure 2. Folder hierarchy for Roblox storage files.
Electronics 15 00876 g002
Electronics 15 00876 g003
Figure 3. User profile artifacts from the cache.
Figure 3. User profile artifacts from the cache.
Electronics 15 00876 g003
Electronics 15 00876 g004
Figure 4. Group creation artifacts from the cache.
Figure 4. Group creation artifacts from the cache.
Electronics 15 00876 g004
Electronics 15 00876 g005
Figure 5. Roblox group on the platform.
Figure 5. Roblox group on the platform.
Electronics 15 00876 g005
Electronics 15 00876 g006
Figure 6. Artifacts related to group roles and IDs from the cache.
Figure 6. Artifacts related to group roles and IDs from the cache.
Electronics 15 00876 g006
Electronics 15 00876 g007
Figure 7. Group chat artifacts retrieved from the cache.
Figure 7. Group chat artifacts retrieved from the cache.
Electronics 15 00876 g007
Electronics 15 00876 g008
Figure 8. Artifacts on the game created as retrieved from the cache.
Figure 8. Artifacts on the game created as retrieved from the cache.
Electronics 15 00876 g008
Electronics 15 00876 g009
Figure 9. Gameplay artifacts as retrieved from local storage.
Figure 9. Gameplay artifacts as retrieved from local storage.
Electronics 15 00876 g009
Electronics 15 00876 g010
Figure 10. Payment profile artifacts retrieved from the cache.
Figure 10. Payment profile artifacts retrieved from the cache.
Electronics 15 00876 g010
Electronics 15 00876 g011
Figure 11. Artifacts on in-app purchases retrieved from the cache.
Figure 11. Artifacts on in-app purchases retrieved from the cache.
Electronics 15 00876 g011
Electronics 15 00876 g012
Figure 12. Pstree volatility plugin highlighting processes related to the execution of Roblox.
Figure 12. Pstree volatility plugin highlighting processes related to the execution of Roblox.
Electronics 15 00876 g012
Electronics 15 00876 g013
Figure 13. Pstree volatility plugin highlighting processes related to the execution of Roblox.
Figure 13. Pstree volatility plugin highlighting processes related to the execution of Roblox.
Electronics 15 00876 g013
Electronics 15 00876 g014
Figure 14. Chat artifacts retrieved from memory analysis.
Figure 14. Chat artifacts retrieved from memory analysis.
Electronics 15 00876 g014
Electronics 15 00876 g015
Figure 15. Roblox username and password transmitted over TLS protocol.
Figure 15. Roblox username and password transmitted over TLS protocol.
Electronics 15 00876 g015
Electronics 15 00876 g016
Figure 16. ROBLOSECURITY cookie that can be used to interact with the Roblox API.
Figure 16. ROBLOSECURITY cookie that can be used to interact with the Roblox API.
Electronics 15 00876 g016
Electronics 15 00876 g017
Figure 17. Architecture diagram of the automated tool.
Figure 17. Architecture diagram of the automated tool.
Electronics 15 00876 g017
Table 1. Summary of the literature for conducting forensic analysis on gaming and social media software across various platforms.
Table 1. Summary of the literature for conducting forensic analysis on gaming and social media software across various platforms.
YearPaperAnalysis TypeFocusLimitation
2014[15]Digital forensics analysis of Xbox OneXbox L 3
2015[16]Digital forensics analysis of Sony PlayStation 4PS4 L 2
2016[17]Comparison of evidence recovery in Xbox and PS4Xbox One, PS4 L 3
2017[18]Digital forensic analysis of Pokémon GoAndroid L 2 , L 3
2019[19]Analysis of Minecraft on Windows and LinuxWindows, Linux L 3
2019[20]Analysis of Nintendo NAND storage deviceNintendo L 2 , L 3
2019[21]Analysis of web-based VR environment (Decentraland)Chrome, Edge L 1
2019[22]Analysis of Counter Strike on WindowsWindows L 1 , L 2 , L 3
2021[23]Analysis of Nintendo NAND storage deviceNintendo L 2 , L 3
2024[24]Analysis of Steam Deck console and gaming platformSteam Deck L 2 , L 3
Limitation Legend: L 1 : No binary parsing. L 2 : Focused only on one forensic analysis area. L 3 : Does not include TLS-based communications.
Table 2. Experimental setup details.
Table 2. Experimental setup details.
Experimental SetupDetails
ApplicationRoblox (version 2.624.524)
Simulated usersAlphaben, Kimkarter, John Doe
Experiment machineWindows 11 23H2
Analysis machineWindows 10 22H2, Ubuntu 22.04.03
Storage capacity60 GB
RAM (Memory)8 GB
Table 3. Summary of tools used for performing digital forensics analysis on gaming and social media software.
Table 3. Summary of tools used for performing digital forensics analysis on gaming and social media software.
ToolVersionUsage
DumpItImaging the RAM (memory)
VolatilityVersion 3Analyzing the memory dump
HxD2.5.0.0Binary analysis of memory and local storage files
RegShotx64 1.8.3-beta1V5Analyzing registry changes after downloading Roblox
ChromeCacheView2.27Analyzing Roblox cache files
DB Browser for SQLite3.12.1Browsing application databases stored on disk
Wireshark4.2.2Analyzing Roblox network traffic
BurpSuite Pro2024.1.1.4Analyzing Roblox network traffic
Fiddler5.0.20243Analyzing Roblox network traffic
Table 4. Summary of actions performed during the forensic analysis experiment on gaming and social media software.
Table 4. Summary of actions performed during the forensic analysis experiment on gaming and social media software.
ActionDescription
Initial setupCreated a Roblox account using birthdate, gender, username, and password.
User profile configurationAdded additional user information, including social links (Facebook and Twitch), and completed the About section.
Avatar creationDesigned the user avatar using different clothing, hairstyles, and accessories.
Creating friendsSent and accepted friend requests with users Alphaben and JohnDoe.
Socializing (chats)Chatted with friends through one-on-one and group chat features.
Creating groupsCreated a group named “Roblox digital forensics,” configured its description, and set a profile picture.
Socializing (groups)Added members to the group, added “shouts” and “wall posts,” and joined public groups such as Sky Travels LTD and Official Puzzled Productions.
GameplayPlayed games including “Logo Quiz” and “Escape Room,” and chatted with Alphaben using the in-game chat system.
PurchasesBought 400 Robux using a credit card and purchased avatar accessories.
Table 5. Registry modifications triggered by the installation of Roblox.
Table 5. Registry modifications triggered by the installation of Roblox.
Registry Modifications
HKU\S-1-5-21-1031410677-96930514-1539438286-1001\Software\Microsoft\InternetExplorer\ProtocolExecute\roblox-player
HKU\S-1-5-21-1031410677-96930514-1539438286-1001\Software\Microsoft\InternetExplorer\ProtocolExecute\roblox-player\WarnOnOpen:0x00000000
HKU\S-1-5-21-1031410677-96930514-1539438286-1001\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\DefaultAccount\Cloud\{36fe7da1-d635-4257-838d-8bbb23304c10\$windows.data.apps.appmetadata\$appmetadatalist\windows.data.apps.appmetadata\$roblox-player\Data: 434201000A0026E58083B40600\}
HKU\S-1-5-21-1031410677-96930514-1539438286-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\roblox-player\DisplayName:52006F0062006C006F007800200050006C006100790065007200200066006F00720020006B006800750073006800000020000000
HKU\S-1-5-21-1031410677-96930514-1539438286-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\roblox-player\InstallDate: “2024-06-29”
HKU\S-1-5-21-1031410677-96930514-1539438286-1001\Software\Classes\LocalSettings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\khush\Downloads\RobloxPlayerInstaller.exe.FriendlyAppName: “Roblox”
HKU\S-1-5-21-1031410677-96930514-1539438286-1001\Software\Classes\LocalSettings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\khush\Downloads\RobloxPlayerInstaller.exe.ApplicationCompany: “RobloxCorporation”
HKU\S-1-5-21-1031410677-96930514-1539438286-1001\Software\ROBLOXCorporation\Environments\roblox-player\: “C:\Users\khush\AppData\Local\Roblox\Versions\version-1088f3c8e4a44cc7\RobloxPlayerInstaller.exe”
HKU\S-1-5-21-1031410677-96930514-1539438286-1001\Software\ROBLOXCorporation\Environments\roblox-player\baseHost: “www.roblox.com
HKU\S-1-5-21-1031410677-96930514-1539438286-1001\Software\ROBLOXCorporation\Environments\roblox-player\version: “version-1088f3c8e4a44cc7”
Table 6. Summary of user activities, associated artifacts, and their storage locations.
Table 6. Summary of user activities, associated artifacts, and their storage locations.
User ActivityArtifactsLocalSessionCacheMemoryNetwork
Initial setupBirthdate×××
Phone×××
Gender×××
Age verification×××
Geolocation××
Password×××
User profileUsername and ID
Description××
Created timestamp×××
Social links×××
Account settings×××
Avatar creationAsset ID×××
Creating friendsUser ID
Name
Description××
Created timestamp×××
Online status/timestamp××
Blocked users×××
Socializing (chats)××××
Creating groupsGroup ID××
Group name××
Description×××
Owner×××
Created timestamp×××
Group shouts××
Member count×××
Socializing (groups)User group memberships×××
Group wall messages××
Group shout messages××
GameplayUser games created××××
Name of the game×××
Game ID×××
Timestamps××××
PurchasesCard information×××
Product ID×××
Product name×××
Robux amount×××
Price×××
Description×××
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Gupta, K.; Lanka, P.; Varol, C. Roblox as a Playground for Digital Forensics Analysis. Electronics 2026, 15, 876. https://doi.org/10.3390/electronics15040876

AMA Style

Gupta K, Lanka P, Varol C. Roblox as a Playground for Digital Forensics Analysis. Electronics. 2026; 15(4):876. https://doi.org/10.3390/electronics15040876

Chicago/Turabian Style

Gupta, Khushi, Phani Lanka, and Cihan Varol. 2026. "Roblox as a Playground for Digital Forensics Analysis" Electronics 15, no. 4: 876. https://doi.org/10.3390/electronics15040876

APA Style

Gupta, K., Lanka, P., & Varol, C. (2026). Roblox as a Playground for Digital Forensics Analysis. Electronics, 15(4), 876. https://doi.org/10.3390/electronics15040876

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop