New "Media History" File Added to Chrome
There's a new database added in Chrome 86, dedicated to tracking media playback. Here's a first look at its contents!
New Media History Database
Chrome 86 was released last week, with its typical set of bug fixes, new feature trials, and security fixes. I did my normal routine of generating test user data for the new version. Chrome has been fairly stable from a forensic point of view for a while; most changes have been small with minor impact to the key artifacts DFIR tools tend to look at. So I was pleasantly surprised to find an entire new file: Media History.
This file is a SQLite database with multiple tables that look to be for tracking media played in Chrome (unsurprising, given the file's name). Below are the tables and columns from the database in the collapsible indented tree format I use in the Chrome Evolution visualization. There are quite a few columns; you can interact with the graphic to expand the tables and look around.
Testing Types of Media
After doing my standard test actions, I had the Media History
database file in the Chrome profile but it didn't have any entries. I decided to do another test run, this time focusing on "media" actions. One of my first thoughts on seeing this new database was, "what's considered media?" Videos seemed most likely, but what kinds? From what providers? Does format matter?
Here is a table showing what "media" actions I did in my second test run and when, along with why it might be relevant:
Time | Action | Comment |
---|---|---|
08:45 | Go to the dfir.blog post with the Unfurl DFIR Summit video and start watching | This is a YouTube video embedded in a page on my blog |
08:50 | Skip to 38 minutes into the video and continue watching | I wanted to see if skips were tracked or impacted play time |
08:52 | Video ends | |
08:53 | Click suggestion for Investigating WMI Attacks with Chad Tilbury; launches YouTube in a new tab | This is a video on YouTube proper (not just embedded) |
08:55 | Open a new tab, keep the YouTube video playing in the backgrounded tab | Does the video visibility matter? |
09:01 | Open twitter.com, view a tweet with an embedded video preview (gif) | Do animiated GIFs count as media? |
09:04 | Go to the "Life has no Ctrl+Alt+Del" episode on Unfurl | What about videos built into sites, rather than hosted on a major platform? |
09:06 | Keep video playing, and open new tab. Watch a video on Twitter from @StephenAtHome | This video was attached to a tweet; not just a GIF |
09:09 | Open dfir.blog and watch the same Unfurl video again | How is repeated viewing handled? |
09:13 | Close Chrome | |
13:23 | Open Chrome, go to tiktok.com, scroll for a bit (watching videos on the main page), then click into a video to watch it |
How is scrolling and viewing videos different than clicking on one? |
13:28 | Load news.google.com, click on a Washington Post story (with a video), and let the video play | Video embedded on in a news story page |
13:35 | Close the Washington Post tab. Open the dfir.blog Unfurl video again | More repeated viewing |
13:43 | Open a new tab, keeping the Unfurl video running in backgrounded tab | |
13:43 | Open twitch.tv, click a stream and watch | How about Twitch videos? |
13:45 | Close Chrome |
Results
After running through the above actions, I opened up the Media History
database and took a look. Three tables (origin
, playback
, and playbackSession
) had values of interest I wanted to examine further. The two image-related tables had a few values, but they look pretty straightforward and I'm not going to talk about them here.
origin Table
There are more columns in the origin
table than these (see the graphic above), but they were all null
after this test so I omitted them here for brevity.
id | origin | last_updated_time_s | aggregate_watchtime_audio_video_s |
---|---|---|---|
1 | / | 13246819766 | 393 |
3 | https://www.cellebrite.com | 13246819997 | 0 |
4 | https://www.youtube.com | 13246819997 | 0 |
5 | https://www.twitch.tv | 13246836223 | 3 |
This table tracks media plays per origin. The id
is used as a foreign key in other tables. Some notes on its content:
- The
origin
column lists four sites I visited with "media" items; it's interesting that the other sites I visited with forms of video (twitter.com, washingtonpost.com, and tiktok.com) don't appear here. - If you look at timestamps a lot, the
last_updated_time_s
values might look a bit off. The13
prefix (and that it's in Chrome) make me think a WebKit timestamp, but it's too short. The_s
at the end is a hint though; it looks like a WebKit timestamp in seconds, rather than microseconds (making it six digits shorter). This "WebKit-seconds" timestamp format also appears in other places in this database. - When compared to the table of actions above, the
last_updated_time_s
timestamp appears to show when the media stopped being played (at least in three of the four rows). The entry for dfir.blog doesn't quite line up, but that was a video I played repeatedly in different sessions; maybe it was cached somehow? - The
aggregate_watchtime_audio_video_s
counts look different from what I would expect. The 0s are interesting, because I did watch videos on those sites, and the other counts seem low (3 seconds for twitch.tv & about 6.5 minutes for dfir.blog). Some possibilities I can think of to explain this: this column tracks something different than total play time per origin; there's a bug in it; or there is some other criteria I'm not understanding to make the "watchtime" count. I wonder if this behavior will stabilize or otherwise become more clear in future versions.
playback Table
id | origin_id | url | watch_time_s | has_video | has_audio | last_updated_time_s |
---|---|---|---|---|---|---|
1 | 1 | /unfurl-video-at-sans-dfir-summit-2020/ | 393 | 1 | 1 | 13246819766 |
2 | 5 | https://www.twitch.tv/ | 3 | 1 | 1 | 13246836223 |
This table appears to track playback per URL (and links to the origin
table using origin_id
). Notes:
- The
last_updated_time_s
in this table matches the values for the same column inorigin
- There are only two entries here, compared to four in the
origin
table. Perhaps since the two missing rows had "watchtimes" of0
in the other table they didn't qualify for theplayback
table.
playbackSession Table
id | origin_id | url | duration_ms | position_ms | last_updated_time_s | title | artist | album | source_title |
---|---|---|---|---|---|---|---|---|---|
2 | 3 | https://www.cellebrite.com/en/series/how-to-extract-and-visualize-data-from-urls-using-unfurl/ | 1767600 | 496876 | 13246819997 | How to Extract and Visualize Data From URLs Using Unfurl - Cellebrite | cellebrite.com | ||
3 | 4 | https://www.youtube.com/watch?v=aBQ1vEjK6v4&feature=emb_rel_end | 3642421 | 1167350 | 13246819997 | Investigating WMI Attacks | SANS Digital Forensics and Incident Response | youtube.com | |
4 | 5 | https://www.twitch.tv/ | 1073741824000 | 3174 | 13246836222 | Twitch | twitch.tv | ||
5 | 1 | /unfurl-video-at-sans-dfir-summit-2020/ | 2476101 | 595280 | 13246836360 | Extract and Visualize Data from URLs using Unfurl w/ Ryan Benson - SANS DFIR Summit 2020 | SANS Digital Forensics and Incident Response | dfir.blog |
The playbackSession
table records more information about the actual media played than any other table, including things like title, artist, and length.
- The
last_updated_time_s
for the Cellebrite "Unfurl" and YouTube "WMI" videos is the same as in theorigin
table. - The
position_ms
value for twitch.tv (around 3 seconds) matches up with the two "watchtime" fields inorigin
andplayback
; I had the Twitch video open for more than 3 seconds, but Chrome has tracked it in multiple places as that value. Interesting; more digging required for sure. - The
duration_ms
field looks to be the total duration of the media item, not how long the user has watched it. - I would have thought there would be more than one entry in
playbackSession
for the Unfurl video on dfir.blog, as I opened and watched it three separate times.
Conclusion
My first look into the new Media History
database might have raised as many questions as it answered. Regardless, it's always nice to get new browsing artifacts are introduced. I plan on adding support for parsing these items in Hindsight soon. In the meantime, if you get to experimenting with this file and can explain more about the different behaviors, please let me know! Since Chromium is open source, the code for these Media History
-related tables is available here if you'd like to take a look.