Alex Sitterer
ABSTRACT
The era of traditional cable Television (TV) is swiftly coming to an end. People today subscribe to a multitude of streaming services. Smart TVs have enabled a new generation of entertainment, not only limited to constant on-demand streaming as they now offer other features such as web browsing, communication, gaming etc. These functions have recently been embedded into a small IoT device that can connect to any TV with High Definition Multimedia Interface (HDMI) input known as Google Chromecast TV. Its wide adoption makes it a treasure trove for potential digital evidence. Our work is the primary source on forensically interrogating Chromecast TV devices. We found that the device is always unlocked, allowing extraction of application data through the backup feature of Android Debug Bridge (ADB) without device root access. We take advantage of this minimal access and demonstrate how a series of artifacts can stitch together a detailed timeline, and we automate the process by constructing Forensicast – a Chromecast TV forensic acquisition and timelining tool. Our work targeted (n=112) of the most popular Android TV applications including 69% (77/112) third party applications and 31% (35/112) system applications. 65% (50/77) third party applications allowed backup, and of those 90% (45/50) contained time-based identifiers, 40% (20/50) invoked some form of logs/activity monitoring, 50% (25/50) yielded some sort of token/cookie, 8% (4/50) resulted in a device ID, 26% (13/50) produced a user ID, and 24% (12/50) created other information. 26% (9/35) system applications provided meaningful artifacts, 78% (7/9) provided time based identifiers, 22% (2/9) involved some form of logs/activity monitoring, 22% (2/9) yielded some form of token/cookie data, 22% (2/9) resulted in a device ID, 44% (4/9) provided a user ID, and 33% (3/9) created other information. Our findings also illustrated common artifacts found in applications that are related to developer and advertising utilities, mainly WebView, Firebase, and Facebook Analytics. Future work and open research problems are shared.
- Shadi Al Awawdeh and Jason Moore. 2014. LiFE (Logical iOS Forensic Examiner): An Open Source iOS Backup Forensics Examination Tool. In Proceedings of the Conference on Digital Forensics, Security and Law. Association of Digital Forensics, Security and Law, 41.Google Scholar
- Noora Al Mutawa, Ibrahim Baggili, and Andrew Marrington. 2012. Forensic analysis of social networking applications on mobile devices. Digital Investigation 9 (Aug. 2012), S24–S33. https://doi.org/10.1016/j.diin.2012.05.007Google Scholar
- Somaya Ali, Sumaya AlHosani, Farah AlZarooni, and Ibrahim Baggili. 2012. iPad2 Logical Acquisition: Automated or Manual Examination?. In Proceedings of the Conference on Digital Forensics, Security and Law. Association of Digital Forensics, Security and Law, 113.Google Scholar
- Mona Bader and Ibrahim Baggili. 2010. iPhone 3GS Forensics: Logical Analysis Using Apple iTunes Backup Utility. Electrical & Computer Engineering and Computer Science Faculty Publications 4 (Sept. 2010), 16. https://digitalcommons.newhaven.edu/electricalcomputerengineering-facpubs/32Google Scholar
- A. Boztas, A. R. J. Riethoven, and M. Roeloffs. 2015. Smart TV forensics: Digital traces on televisions. Digital Investigation 12 (March 2015), S72–S80. https://doi.org/10.1016/j.diin.2015.01.012 Proceddings of DFRWS-EU 2015.Google Scholar
- Anthony Cuthbertson. 2018. Amazon ordered to give Alexa evidence in double murder case. https://www.independent.co.uk/life-style/gadgets-and-tech/news/amazon-echo-alexa-evidence-murder-case-a8633551.html Section: Lifestyle.Google Scholar
- Mousa Al Falayleh. 2013. A Review of Smart TV Forensics: Present State & Future Challenges. In The International Conference on Digital Information Processing, E-Business and Cloud Computing (DIPECC2013). The Society of Digital Information and Wireless Communication.Google Scholar
- Peijun Feng, Qingbao Li, Ping Zhang, and Zhifeng Chen. 2018. Logical acquisition method based on data migration for Android mobile devices. Digital Investigation 26 (Sept. 2018), 55–62. https://doi.org/10.1016/j.diin.2018.05.003Google Scholar
- ghostlulz. 2019. Hacking Google Chromcast. https://medium.com/@ghostlulzhacks/hacking-google-chromcast-dcdf98392f8fGoogle Scholar
- Cinthya Grajeda, Laura Sanchez, Ibrahim Baggili, Devon Clark, and Frank Breitinger. 2018. Experience constructing the Artifact Genome Project (AGP): Managing the domain’s knowledge one artifact at a time. Digital Investigation 26 (July 2018), S47–S58. https://doi.org/10.1016/j.diin.2018.04.021 Proceedings of DFRWS-USA 2018.Google Scholar
- M. Hadgkiss, S. Morris, and S. Paget. 2019. Sifting through the ashes: Amazon Fire TV stick acquisition and analysis. Digital Investigation 28 (March 2019), 112–118. https://doi.org/10.1016/j.diin.2019.01.003Google Scholar
- Mohammad Iftekhar Husain, Ibrahim Baggili, and Ramalingam Sridhar. 2010. A simple cost-effective framework for iPhone forensic analysis. In International Conference on Digital Forensics and Cyber Crime. Springer, 27–37.Google Scholar
- Harish Jonnalagadda. 2017. Google has sold 55 million Chromecasts around the world. https://web.archive.org/web/20171005101127/https://www.androidcentral.com/google-has-sold-55-million-chromecasts-around-worldGoogle Scholar
- Austin J. Marck. 2017. Abusing Android TV Box for Fun and Profit. Ph.D. Dissertation. University of Cincinnati. https://etd.ohiolink.edu/apexprod/rws_olink/r/1501/10?clear=10&p10_accession_num=ucin1504786962271509Google Scholar
- Andrew Marrington, Ibrahim Baggili, George Mohay, and Andrew Clark. 2011. CAT Detect (Computer Activity Timeline Detection): A tool for detecting inconsistency in computer activity timelines. Digital Investigation 8 (Aug. 2011), S52–S61. https://doi.org/10.1016/j.diin.2011.05.007Google Scholar
- Mohamed Al Marzougy, Ibrahim Baggili, and Andrew Marrington. 2013. BlackBerry PlayBook Backup Forensic Analysis. In Digital Forensics and Cyber Crime(Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering), Marcus Rogers and Kathryn C. Seigfried-Spellar (Eds.). Springer, Berlin, Heidelberg, 239–252. https://doi.org/10.1007/978-3-642-39891-9_15Google Scholar
- Logan Morrison, Huw Read, Konstantinos Xynos, and Iain Sutherland. 2017. Forensic Evaluation of an Amazon Fire TV Stick. 63–79. https://doi.org/10.1007/978-3-319-67208-3_4Google Scholar
- A. Tekeoglu and A. Ş Tosun. 2014. Blackbox security evaluation of chromecast network communications. In 2014 IEEE 33rd International Performance Computing and Communications Conference (IPCCC). 1–2. https://doi.org/10.1109/PCCC.2014.7017050 ISSN: 2374-9628.Google ScholarCross Ref
Comments