There's a new database added in Chrome 86, dedicated to tracking media playback. Here's a first look at its contents!
New Media History Database
Chrome 86 was released last week, with its typical set of bug fixes, new feature trials, and security fixes. I did my normal routine of generating test user data for the new version. Chrome has been fairly stable from a forensic point of view for a while; most changes have been small with minor impact to the key artifacts DFIR tools tend to look at. So I was pleasantly surprised to find an entire new file: Media History.
This file is a SQLite database with multiple tables that look to be for tracking media played in Chrome (unsurprising, given the file's name). Below are the tables and columns from the database in the collapsible indented tree format I use in the Chrome Evolution visualization. There are quite a few columns; you can interact with the graphic to expand the tables and look around.
Testing Types of Media
After doing my standard test actions, I had the Media History database file in the Chrome profile but it didn't have any entries. I decided to do another test run, this time focusing on "media" actions. One of my first thoughts on seeing this new database was, "what's considered media?" Videos seemed most likely, but what kinds? From what providers? Does format matter?
Here is a table showing what "media" actions I did in my second test run and when, along with why it might be relevant:
| Time | Action | Comment |
|---|---|---|
| 08:45 | Go to the dfir.blog post with the Unfurl DFIR Summit video and start watching | This is a YouTube video embedded in a page on my blog |
| 08:50 | Skip to 38 minutes into the video and continue watching | I wanted to see if skips were tracked or impacted play time |
| 08:52 | Video ends | |
| 08:53 | Click suggestion for Investigating WMI Attacks with Chad Tilbury; launches YouTube in a new tab | This is a video on YouTube proper (not just embedded) |
| 08:55 | Open a new tab, keep the YouTube video playing in the backgrounded tab | Does the video visibility matter? |
| 09:01 | Open twitter.com, view a tweet with an embedded video preview (gif) | Do animiated GIFs count as media? |
| 09:04 | Go to the "Life has no Ctrl+Alt+Del" episode on Unfurl | What about videos built into sites, rather than hosted on a major platform? |
| 09:06 | Keep video playing, and open new tab. Watch a video on Twitter from @StephenAtHome | This video was attached to a tweet; not just a GIF |
| 09:09 | Open dfir.blog and watch the same Unfurl video again | How is repeated viewing handled? |
| 09:13 | Close Chrome | |
| 13:23 | Open Chrome, go to tiktok.com, scroll for a bit (watching videos on the main page), then click into a video to watch it |
How is scrolling and viewing videos different than clicking on one? |
| 13:28 | Load news.google.com, click on a Washington Post story (with a video), and let the video play | Video embedded on in a news story page |
| 13:35 | Close the Washington Post tab. Open the dfir.blog Unfurl video again | More repeated viewing |
| 13:43 | Open a new tab, keeping the Unfurl video running in backgrounded tab | |
| 13:43 | Open twitch.tv, click a stream and watch | How about Twitch videos? |
| 13:45 | Close Chrome |
Results
After running through the above actions, I opened up the Media History database and took a look. Three tables (origin, playback, and playbackSession) had values of interest I wanted to examine further. The two image-related tables had a few values, but they look pretty straightforward and I'm not going to talk about them here.
origin Table
There are more columns in the origin table than these (see the graphic above), but they were all null after this test so I omitted them here for brevity.
| id | origin | last_updated_time_s | aggregate_watchtime_audio_video_s |
|---|---|---|---|
| 1 | / | 13246819766 | 393 |
| 3 | https://www.cellebrite.com | 13246819997 | 0 |
| 4 | https://www.youtube.com | 13246819997 | 0 |
| 5 | https://www.twitch.tv | 13246836223 | 3 |
This table tracks media plays per origin. The id is used as a foreign key in other tables. Some notes on its content:
- The
origincolumn lists four sites I visited with "media" items; it's interesting that the other sites I visited with forms of video (twitter.com, washingtonpost.com, and tiktok.com) don't appear here. - If you look at timestamps a lot, the
last_updated_time_svalues might look a bit off. The13prefix (and that it's in Chrome) make me think a WebKit timestamp, but it's too short. The_sat the end is a hint though; it looks like a WebKit timestamp in seconds, rather than microseconds (making it six digits shorter). This "WebKit-seconds" timestamp format also appears in other places in this database. - When compared to the table of actions above, the
last_updated_time_stimestamp appears to show when the media stopped being played (at least in three of the four rows). The entry for dfir.blog doesn't quite line up, but that was a video I played repeatedly in different sessions; maybe it was cached somehow? - The
aggregate_watchtime_audio_video_scounts look different from what I would expect. The 0s are interesting, because I did watch videos on those sites, and the other counts seem low (3 seconds for twitch.tv & about 6.5 minutes for dfir.blog). Some possibilities I can think of to explain this: this column tracks something different than total play time per origin; there's a bug in it; or there is some other criteria I'm not understanding to make the "watchtime" count. I wonder if this behavior will stabilize or otherwise become more clear in future versions.
playback Table
| id | origin_id | url | watch_time_s | has_video | has_audio | last_updated_time_s |
|---|---|---|---|---|---|---|
| 1 | 1 | /unfurl-video-at-sans-dfir-summit-2020/ | 393 | 1 | 1 | 13246819766 |
| 2 | 5 | https://www.twitch.tv/ | 3 | 1 | 1 | 13246836223 |
This table appears to track playback per URL (and links to the origin table using origin_id). Notes:
- The
last_updated_time_sin this table matches the values for the same column inorigin - There are only two entries here, compared to four in the
origintable. Perhaps since the two missing rows had "watchtimes" of0in the other table they didn't qualify for theplaybacktable.
playbackSession Table
| id | origin_id | url | duration_ms | position_ms | last_updated_time_s | title | artist | album | source_title |
|---|---|---|---|---|---|---|---|---|---|
| 2 | 3 | https://www.cellebrite.com/en/series/how-to-extract-and-visualize-data-from-urls-using-unfurl/ | 1767600 | 496876 | 13246819997 | How to Extract and Visualize Data From URLs Using Unfurl - Cellebrite | cellebrite.com | ||
| 3 | 4 | https://www.youtube.com/watch?v=aBQ1vEjK6v4&feature=emb_rel_end | 3642421 | 1167350 | 13246819997 | Investigating WMI Attacks | SANS Digital Forensics and Incident Response | youtube.com | |
| 4 | 5 | https://www.twitch.tv/ | 1073741824000 | 3174 | 13246836222 | Twitch | twitch.tv | ||
| 5 | 1 | /unfurl-video-at-sans-dfir-summit-2020/ | 2476101 | 595280 | 13246836360 | Extract and Visualize Data from URLs using Unfurl w/ Ryan Benson - SANS DFIR Summit 2020 | SANS Digital Forensics and Incident Response | dfir.blog |
The playbackSession table records more information about the actual media played than any other table, including things like title, artist, and length.
- The
last_updated_time_sfor the Cellebrite "Unfurl" and YouTube "WMI" videos is the same as in theorigintable. - The
position_msvalue for twitch.tv (around 3 seconds) matches up with the two "watchtime" fields inoriginandplayback; I had the Twitch video open for more than 3 seconds, but Chrome has tracked it in multiple places as that value. Interesting; more digging required for sure. - The
duration_msfield looks to be the total duration of the media item, not how long the user has watched it. - I would have thought there would be more than one entry in
playbackSessionfor the Unfurl video on dfir.blog, as I opened and watched it three separate times.
Conclusion
My first look into the new Media History database might have raised as many questions as it answered. Regardless, it's always nice to get new browsing artifacts are introduced. I plan on adding support for parsing these items in Hindsight soon. In the meantime, if you get to experimenting with this file and can explain more about the different behaviors, please let me know! Since Chromium is open source, the code for these Media History-related tables is available here if you'd like to take a look.
