research-article

Forensicast: A Non-intrusive Approach & Tool For Logical Forensic Acquisition & Analysis of The Google Chromecast TV

Authors:

Alex Sitterer,

Nicholas Dubois,

Ibrahim BaggiliAuthors Info & Claims

ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security

Article No.: 50, Pages 1 - 12

https://doi.org/10.1145/3465481.3470060

Published: 17 August 2021 Publication History

Get Access

Abstract

The era of traditional cable Television (TV) is swiftly coming to an end. People today subscribe to a multitude of streaming services. Smart TVs have enabled a new generation of entertainment, not only limited to constant on-demand streaming as they now offer other features such as web browsing, communication, gaming etc. These functions have recently been embedded into a small IoT device that can connect to any TV with High Definition Multimedia Interface (HDMI) input known as Google Chromecast TV. Its wide adoption makes it a treasure trove for potential digital evidence. Our work is the primary source on forensically interrogating Chromecast TV devices. We found that the device is always unlocked, allowing extraction of application data through the backup feature of Android Debug Bridge (ADB) without device root access. We take advantage of this minimal access and demonstrate how a series of artifacts can stitch together a detailed timeline, and we automate the process by constructing Forensicast – a Chromecast TV forensic acquisition and timelining tool. Our work targeted (n=112) of the most popular Android TV applications including 69% (77/112) third party applications and 31% (35/112) system applications. 65% (50/77) third party applications allowed backup, and of those 90% (45/50) contained time-based identifiers, 40% (20/50) invoked some form of logs/activity monitoring, 50% (25/50) yielded some sort of token/cookie, 8% (4/50) resulted in a device ID, 26% (13/50) produced a user ID, and 24% (12/50) created other information. 26% (9/35) system applications provided meaningful artifacts, 78% (7/9) provided time based identifiers, 22% (2/9) involved some form of logs/activity monitoring, 22% (2/9) yielded some form of token/cookie data, 22% (2/9) resulted in a device ID, 44% (4/9) provided a user ID, and 33% (3/9) created other information. Our findings also illustrated common artifacts found in applications that are related to developer and advertising utilities, mainly WebView, Firebase, and Facebook Analytics. Future work and open research problems are shared.

References

[1]

Shadi Al Awawdeh and Jason Moore. 2014. LiFE (Logical iOS Forensic Examiner): An Open Source iOS Backup Forensics Examination Tool. In Proceedings of the Conference on Digital Forensics, Security and Law. Association of Digital Forensics, Security and Law, 41.

Abstract

References

Cited By

Recommendations

Chromecast Device: Ultimate Guide on How to Set Up and Use a Chromecast Device - Chromecast Device Book, chromecast user guide, chromecast setup

Chromecast Device: Hands-On Guide for Setting Up and Using a Chromecast Device - Chromecast, Chromecast Device, Google Chromecast

Chromecast Users Manual: Stream Video, Music, and Everything Else You Love to Your TV

Comments

Information

Published In

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Get Access

Login options

Full Access

View options

PDF

eReader

HTML Format

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations