There's a new database added in Chrome 86, dedicated to tracking media playback. Here's a first look at its contents!

New Media History Database

Chrome 86 was released last week, with its typical set of bug fixes, new feature trials, and security fixes. I did my normal routine of generating test user data for the new version. Chrome has been fairly stable from a forensic point of view for a while; most changes have been small with minor impact to the key artifacts DFIR tools tend to look at. So I was pleasantly surprised to find an entire new file: Media History.

This file is a SQLite database with multiple tables that look to be for tracking media played in Chrome (unsurprising, given the file's name). Below are the tables and columns from the database in the collapsible indented tree format I use in the Chrome Evolution visualization. There are quite a few columns; you can interact with the graphic to expand the tables and look around.

Media History  

Testing Types of Media

After doing my standard test actions, I had the Media History database file in the Chrome profile but it didn't have any entries. I decided to do another test run, this time focusing on "media" actions. One of my first thoughts on seeing this new database was, "what's considered media?" Videos seemed most likely, but what kinds? From what providers? Does format matter?

Here is a table showing what "media" actions I did in my second test run and when, along with why it might be relevant:

| Time | Action | Comment |
| --- | --- | --- |
| 08:45 | Go to the dfir.blog post with the Unfurl DFIR Summit video and start watching | This is a YouTube video embedded in a page on my blog |
| 08:50 | Skip to 38 minutes into the video and continue watching | I wanted to see if skips were tracked or impacted play time |
| 08:52 | Video ends | |
| 08:53 | Click suggestion for Investigating WMI Attacks with Chad Tilbury; launches YouTube in a new tab | This is a video on YouTube proper (not just embedded) |
| 08:55 | Open a new tab, keep the YouTube video playing in the backgrounded tab | Does the video visibility matter? |
| 09:01 | Open twitter.com, view a tweet with an embedded video preview (gif) | Do animated GIFs count as media? |
| 09:04 | Go to the "Life has no Ctrl+Alt+Del" episode on Unfurl | What about videos built into sites, rather than hosted on a major platform? |
| 09:06 | Keep video playing, and open new tab. Watch a video on Twitter from @StephenAtHome | This video was attached to a tweet; not just a GIF |
| 09:09 | Open dfir.blog and watch the same Unfurl video again | How is repeated viewing handled? |
| 09:13 | Close Chrome | |
| 13:23 | Open Chrome, go to tiktok.com, scroll for a bit (watching videos on the main page), then click into a video to watch it | How is scrolling and viewing videos different than clicking on one? |
| 13:28 | Load news.google.com, click on a Washington Post story (with a video), and let the video play | Video embedded in a news story page |
| 13:35 | Close the Washington Post tab. Open the dfir.blog Unfurl video again | More repeated viewing |
| 13:43 | Open a new tab, keeping the Unfurl video running in backgrounded tab | |
| 13:43 | Open twitch.tv, click a stream and watch | How about Twitch videos? |
| 13:45 | Close Chrome | |

Results

After running through the above actions, I opened up the Media History database and took a look. Three tables (origin, playback, and playbackSession) had values of interest I wanted to examine further. The two image-related tables had a few values, but they look pretty straightforward and I'm not going to talk about them here.

origin Table

There are more columns in the origin table than these (see the graphic above), but they were all null after this test so I omitted them here for brevity.

| id | origin | last_updated_time_s | aggregate_watchtime_audio_video_s |
| --- | --- | --- | --- |
| 1 | https://dfir.blog | 13246819766 | 393 |
| 3 | https://www.cellebrite.com | 13246819997 | 0 |
| 4 | https://www.youtube.com | 13246819997 | 0 |
| 5 | https://www.twitch.tv | 13246836223 | 3 |

This table tracks media plays per origin. The id is used as a foreign key in other tables. Some notes on its content:

  • The origin column lists four sites I visited with "media" items; it's interesting that the other sites I visited with forms of video (twitter.com, washingtonpost.com, and tiktok.com) don't appear here.
  • If you look at timestamps a lot, the last_updated_time_s values might look a bit off. The 13 prefix (and that it's in Chrome) makes me think it's a WebKit timestamp, but it's too short. The _s at the end is a hint though; it looks like a WebKit timestamp in seconds, rather than microseconds (making it six digits shorter). This "WebKit-seconds" timestamp format also appears in other places in this database.
  • When compared to the table of actions above, the last_updated_time_s timestamp appears to show when the media stopped being played (at least in three of the four rows). The entry for dfir.blog doesn't quite line up, but that was a video I played repeatedly in different sessions; maybe it was cached somehow?
  • The aggregate_watchtime_audio_video_s counts look different from what I would expect. The 0s are interesting, because I did watch videos on those sites, and the other counts seem low (3 seconds for twitch.tv & about 6.5 minutes for dfir.blog). Some possibilities I can think of to explain this: this column tracks something different than total play time per origin; there's a bug in it; or there are some other criteria I'm not understanding to make the "watchtime" count. I wonder if this behavior will stabilize or otherwise become more clear in future versions.

playback Table

| id | origin_id | url | watch_time_s | has_video | has_audio | last_updated_time_s |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | 1 | https://dfir.blog/unfurl-video-at-sans-dfir-summit-2020/ | 393 | 1 | 1 | 13246819766 |
| 2 | 5 | https://www.twitch.tv/ | 3 | 1 | 1 | 13246836223 |

This table appears to track playback per URL (and links to the origin table using origin_id). Notes:

  • The last_updated_time_s in this table matches the values for the same column in origin.
  • There are only two entries here, compared to four in the origin table. Perhaps since the two missing rows had "watchtimes" of 0 in the other table they didn't qualify for the playback table.

playbackSession Table

| id | origin_id | url | duration_ms | position_ms | last_updated_time_s | title | artist | album | source_title |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2 | 3 | https://www.cellebrite.com/en/series/how-to-extract-and-visualize-data-from-urls-using-unfurl/ | 1767600 | 496876 | 13246819997 | How to Extract and Visualize Data From URLs Using Unfurl - Cellebrite | | | cellebrite.com |
| 3 | 4 | https://www.youtube.com/watch?v=aBQ1vEjK6v4&feature=emb_rel_end | 3642421 | 1167350 | 13246819997 | Investigating WMI Attacks | SANS Digital Forensics and Incident Response | | youtube.com |
| 4 | 5 | https://www.twitch.tv/ | 1073741824000 | 3174 | 13246836222 | Twitch | | | twitch.tv |
| 5 | 1 | https://dfir.blog/unfurl-video-at-sans-dfir-summit-2020/ | 2476101 | 595280 | 13246836360 | Extract and Visualize Data from URLs using Unfurl w/ Ryan Benson - SANS DFIR Summit 2020 | SANS Digital Forensics and Incident Response | | dfir.blog |

The playbackSession table records more information about the actual media played than any other table, including things like title, artist, and length.

  • The last_updated_time_s for the Cellebrite "Unfurl" and YouTube "WMI" videos is the same as in the origin table.
  • The position_ms value for twitch.tv (around 3 seconds) matches up with the two "watchtime" fields in origin and playback; I had the Twitch video open for more than 3 seconds, but Chrome has tracked it in multiple places as that value. Interesting; more digging required for sure.
  • The duration_ms field looks to be the total duration of the media item, not how long the user has watched it.
  • I would have thought there would be more than one entry in playbackSession for the Unfurl video on dfir.blog, as I opened and watched it three separate times.
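To line these rows up against a timeline, the "WebKit-seconds" values need converting and playbackSession needs joining to origin. The script below is an added example, not code from Chrome or Hindsight; it runs against a constructed in-memory database that holds a subset of the columns and rows shown in the tables above, and the function names are my own.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# WebKit/Chrome timestamps count from 1601-01-01 UTC; the *_s columns in
# Media History hold seconds rather than the usual microseconds.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_seconds_to_utc(value):
    """Seconds since 1601-01-01 UTC -> aware datetime (NULL stays None)."""
    return None if value is None else WEBKIT_EPOCH + timedelta(seconds=value)

def build_sample_db():
    """Constructed stand-in for a Media History file (subset of the post's rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE origin (id INTEGER PRIMARY KEY, origin TEXT,
            last_updated_time_s INTEGER,
            aggregate_watchtime_audio_video_s INTEGER);
        CREATE TABLE playbackSession (id INTEGER PRIMARY KEY,
            origin_id INTEGER, url TEXT, duration_ms INTEGER,
            position_ms INTEGER, last_updated_time_s INTEGER);
        INSERT INTO origin VALUES
            (1, 'https://dfir.blog', 13246819766, 393),
            (5, 'https://www.twitch.tv', 13246836223, 3);
        INSERT INTO playbackSession VALUES
            (4, 5, 'https://www.twitch.tv/', 1073741824000, 3174, 13246836222),
            (5, 1, 'https://dfir.blog/unfurl-video-at-sans-dfir-summit-2020/',
             2476101, 595280, 13246836360);
    """)
    return conn

def session_report(conn):
    """Join playbackSession to origin and decode times, oldest first."""
    query = """
        SELECT o.origin, s.url, s.position_ms, s.last_updated_time_s,
               o.aggregate_watchtime_audio_video_s
        FROM playbackSession AS s JOIN origin AS o ON o.id = s.origin_id
        ORDER BY s.last_updated_time_s"""
    return [
        {"origin": origin, "url": url,
         "position_s": None if pos_ms is None else pos_ms / 1000,
         "last_updated_utc": webkit_seconds_to_utc(ts),
         "origin_watchtime_s": watch_s}
        for origin, url, pos_ms, ts, watch_s in conn.execute(query)
    ]

if __name__ == "__main__":
    for row in session_report(build_sample_db()):
        print(row["last_updated_utc"].isoformat(), row["origin"],
              f'position={row["position_s"]}s',
              f'origin_watchtime={row["origin_watchtime_s"]}s')
```

To use it on real data, pass `session_report` a connection to a working copy of the Media History file instead of the sample database.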

Conclusion

My first look into the new Media History database might have raised as many questions as it answered. Regardless, it's always nice when new browsing artifacts are introduced. I plan on adding support for parsing these items in Hindsight soon. In the meantime, if you get to experimenting with this file and can explain more about the different behaviors, please let me know! Since Chromium is open source, the code for these Media History-related tables is available here if you'd like to take a look.