A forensic analysis of streaming platforms on Android OS

Abstract

This work builds on existing research in streamed video reconstruction on the Android OS, which previously demonstrated that caching occurs in most cases for the Chrome and Firefox Web browsers. Prior work also outlined that streaming application caching behaviour is dependent on both the implementation of the service, as well as the actions taken by the user, with contrasting results between replaying videos and viewing live content. We conduct a forensic investigation for the Twitch, Facebook, Reddit, Instagram and Periscope Android applications, with a focus on the application specific folders in the /data/data directory. Applications were populated with data by creating accounts and viewing a mixture of live and replay (recorded) video streams, with a focus on attempting to recover video fragments or identifiers for particular streams/videos. As users may take action to hinder forensic endeavours, additional videos were viewed to identify baseline caching and overwriting behaviour on each application. Additionally, An-droid's 'Cache clear' operation was evaluated for its anti-forensic potential. While Android seems to produce different behaviour for live and recorded streams, which is consistent with prior work, our findings suggest that An-droid applications typically retain few, or no, video artefacts, which contrasts with their browser based counterparts. Cache clearing also appears to be a powerful, and trivial, anti-forensics step for clearing locally cached media in each application. We suggest that, going forward, new applications should be tested on a variety of platforms, as it appears that they do not necessarily leave behind consistent forensic traces across versions.