How to Collect Proof of Gaming Machine Manipulation Using Hardware-Based Recording
Proof of gaming machine manipulation — evidence that an external signal was injected, that a bus device was attached, or that the machine’s data was altered — must be collected using hardware-based recording methods. Hardware-based recording captures the evidence at the physical layer (the electrical signals on the bus, the RF signals in the environment, or the physical condition of the connectors and cables). Software-based methods (reviewing the machine’s audit trail, checking revenue data) identify anomalies but do not collect proof of manipulation because the software data could have been generated by the machine itself. Hardware-based recording collects independent evidence that the manipulation occurred. This article describes the hardware-based recording methods for collecting proof of gaming machine manipulation.
Recording Method 1: Bus Monitor Raw Traffic Capture
A bus monitor connected to the machine’s communication port captures every bus message in raw format — the original electrical signals converted to digital message records, timestamped to microsecond precision, and saved to a file on the monitor’s storage. The raw capture includes every byte of every bus message, including the source address, the destination address, the command code, the data payload, and the checksum byte. The raw capture is proof because it records the exact content of every message that appeared on the bus, including messages from unrecognized addresses (external devices), messages that triggered credit or payout changes, and messages that occurred when no legitimate machine operation was active.
Evidence handling: export the raw capture file from the bus monitor. The export includes the monitor’s authentication metadata (the monitor’s serial number, the recording start and end timestamps, and if the monitor supports it, a cryptographic hash of the recording file that verifies the recording was not modified after export). Store the raw capture file on encrypted media. The raw capture is the strongest single piece of evidence because it records exactly what was on the bus — it cannot be disputed because the recorded data is independent of the machine’s own audit trail. For legal proceedings, the raw capture proves the existence of external control signals, their timing, and their content. When the capture is compared with the machine’s audit trail for the same period, it proves that the machine’s recorded data was caused by external signals, not by legitimate player activity.
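For monitors that do not produce a hash themselves, the export can be sealed at the moment it is copied off the device. The following is an added example, not code from any bus monitor vendor; the manifest file name and field names are assumptions chosen to mirror the metadata listed above.

```python
import hashlib
import json
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte captures do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def manifest_path_for(path):
    # Assumed naming convention: <capture file name>.manifest.json
    path = Path(path)
    return path.with_name(path.name + ".manifest.json")

def seal_capture(path, monitor_serial, start_utc, end_utc):
    """Hash the exported capture and write the manifest beside it."""
    path = Path(path)
    manifest = {
        "file": path.name,
        "size_bytes": path.stat().st_size,
        "sha256": sha256_file(path),
        "monitor_serial": monitor_serial,
        "recording_start_utc": start_utc,
        "recording_end_utc": end_utc,
    }
    manifest_path_for(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest

def verify_capture(path):
    """Re-hash the capture and compare it with the sealed manifest.

    Returns (ok, reason) so the result can be written to the custody record.
    """
    manifest = json.loads(manifest_path_for(path).read_text())
    if Path(path).stat().st_size != manifest["size_bytes"]:
        return False, "size mismatch"
    if sha256_file(path) != manifest["sha256"]:
        return False, "sha256 mismatch"
    return True, "ok"
```

A manifest stored beside the file only detects changes made by someone who did not also rewrite the manifest, so record the `sha256` value in the security event log at export time as well.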
Recording Method 2: SDR Spectrum Recording With Timestamped Events
A software-defined radio (SDR) receiver records the RF spectrum around the machine. The recording captures the frequency, signal strength, and timing of RF signals in the environment. When a bus monitor event (an injected message) occurs at a specific timestamp, the SDR recording for that timestamp shows whether any RF signal was present at the same frequency and moment. The correlation between the bus event and the RF signal provides proof that the bus event was caused by an external RF transmitter, not by a connected plug-in device.
Evidence handling: configure the SDR receiver to record a specific frequency range (covering the machine’s communication bus frequency band, typically 1-10 MHz for wired bus signals that radiate weakly). When a bus event is logged by the bus monitor, the SDR recording for the 1-second window around the bus event timestamp is extracted and saved as a spectrum image or a signal waterfall. The spectrum image shows the RF signal at the event timestamp. The combined bus monitor recording and the SDR spectrum image provide multi-layer proof: the bus monitor captured the injected message on the bus, and the SDR captured the RF signal that caused it. The two independent recording sources are stronger proof than either source alone.
Recording Method 3: Physical Evidence Photography With Time-Date Stamp
Physical evidence — a device attached to the communication port, a modified cable, a tampered connector, or a broken tamper seal — is recorded by photography. The photograph must include: the physical object in focus and well-lit, a visible time-date stamp (either embedded in the camera’s metadata or manually added), and if possible, a ruler or a coin in the frame to provide scale. Photograph before and after the removal of the unauthorized device. The before photograph shows the device in place. The after photograph shows the connector without the device, confirming that it was removed. Both photographs are evidence of the device’s presence and removal.
Evidence handling: photograph with a smartphone in high-resolution mode. Do not edit the photograph (cropping is acceptable; brightness adjustment is acceptable; any other edit may compromise the photograph’s admissibility as evidence). Transfer the photographs to encrypted storage immediately. Rename the photograph file with the machine identifier and the event ID (e.g., MACHINE-042_EVENT-381_BEFORE.jpg and MACHINE-042_EVENT-381_AFTER.jpg). Link the photograph files to the corresponding event entry in the security event log. The photographs provide visual proof of physical compromise.
Recording Method 4: DVR CCTV Export With Correlated Timestamps
CCTV footage from the venue’s digital video recorder (DVR) captures visual evidence of the machine, the surrounding area, and any persons approaching the machine. Export the CCTV footage for the time periods corresponding to the recorded bus events. Include a 2-minute window before and after each event timestamp. The exported footage is proof that: no player was near the machine during the event (confirming that machine activity was externally triggered), a specific person approached the machine during the event window (identifying the suspected attacker), and the machine’s physical behavior (display, lights, sounds) changed during the event (visually confirming the anomaly was real, not a data recording error).
Evidence handling: export CCTV footage from the DVR in the original resolution and format. Do not compress or edit. Label each exported clip with the event ID and the timestamp range. Save the clips on encrypted media separate from the DVR (DVRs overwrite footage after 7-30 days — the exported clips preserve the evidence after the DVR overwrites the original footage). For legal proceedings, export the CCTV footage before the DVR overwrites it — the 7-30 day window is the time limit for evidence collection from CCTV.
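The extraction windows from Method 2 (1 second around each bus event) and Method 4 (2 minutes before and after) can be derived directly from the bus monitor's event timestamps. The following is an added example, not part of any monitor or DVR product; the event IDs and timestamps are constructed, the 1-second SDR window is assumed to be centred on the event, and the export deadline assumes the shortest (7-day) DVR retention.

```python
from datetime import datetime, timedelta, timezone

SDR_HALF_WINDOW = timedelta(milliseconds=500)  # assumption: 1 s window centred on the event
CCTV_MARGIN = timedelta(minutes=2)             # 2 minutes before and after each event
DVR_MIN_RETENTION = timedelta(days=7)          # worst case of the 7-30 day overwrite range

UTC = timezone.utc
# Constructed sample events (event ID, bus monitor timestamp), deliberately unsorted.
SAMPLE_EVENTS = [
    ("EVENT-382", datetime(2024, 3, 9, 2, 16, 30, tzinfo=UTC)),
    ("EVENT-381", datetime(2024, 3, 9, 2, 14, 7, 250000, tzinfo=UTC)),
    ("EVENT-383", datetime(2024, 3, 9, 5, 40, 0, tzinfo=UTC)),
]

def plan_exports(events):
    """Return (sdr_windows, cctv_clips) for a list of (event_id, aware datetime)."""
    events = sorted(events, key=lambda e: e[1])
    sdr = [{"event_id": eid, "start": ts - SDR_HALF_WINDOW, "end": ts + SDR_HALF_WINDOW}
           for eid, ts in events]
    cctv = []
    for eid, ts in events:
        start, end = ts - CCTV_MARGIN, ts + CCTV_MARGIN
        if cctv and start <= cctv[-1]["end"]:
            # Windows overlap: export one continuous clip covering both events.
            cctv[-1]["event_ids"].append(eid)
            cctv[-1]["end"] = max(cctv[-1]["end"], end)
        else:
            # The oldest footage in the clip is overwritten first, so the
            # deadline is counted from the clip start.
            cctv.append({"event_ids": [eid], "start": start, "end": end,
                         "export_by": start + DVR_MIN_RETENTION})
    for clip in cctv:
        # Label carries the event ID(s) and the timestamp range.
        clip["label"] = "{}_{:%Y%m%dT%H%M%SZ}_{:%Y%m%dT%H%M%SZ}".format(
            "+".join(clip["event_ids"]), clip["start"], clip["end"])
    return sdr, cctv

if __name__ == "__main__":
    for clip in plan_exports(SAMPLE_EVENTS)[1]:
        print(clip["label"], "export by", clip["export_by"].isoformat())
```

The windows are only as accurate as the clocks behind them, so measure the offset between the bus monitor, the SDR host and the DVR and apply it before cutting the clips.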
Frequently Asked Questions
Q: Which recording method provides the strongest proof?
A: Method 1 (bus monitor raw capture) is the strongest because it captures the exact injected signals at the protocol level — it answers “what happened and when” with microsecond precision. Method 4 (CCTV) is the most compelling for non-technical audiences (law enforcement, insurance adjusters, court proceedings) because it visually demonstrates the event. The combination of Methods 1 and 4 provides protocol-level proof plus visual confirmation — the optimal evidence package.
Q: How long should the hardware recordings be retained?
A: Bus monitor captures (Method 1): 12-24 months. SDR recordings (Method 2): 12 months. Photographs (Method 3): permanently for the machine’s operational life. CCTV exports (Method 4): 12-24 months or until any related legal or insurance proceedings are concluded, whichever is longer. Retain evidence for the duration of potential legal action plus the applicable statute of limitations for fraud or theft in the venue’s jurisdiction.
Q: Can the hardware recording system be automated?
A: Methods 1 and 2 can be automated — the logging computer (as described in the automated logging system article) captures bus monitor data and SDR data continuously and automatically exports event-correlated recordings. Methods 3 and 4 require human collection because they involve physical items (photographing) and DVR access (exporting). The human collection time for Methods 3 and 4 is 10-15 minutes per incident.