Saturday, April 14, 2018

Was the video played? - Android video player apps

Was a particular video on an Android device viewed? At what time? How many times? Was the video not played at all? Where would such information reside within the Android file system? Since there are so many video player apps for Android, this blog post will do a quick rundown of played-video artifacts for five of the most popular players per the Google Play Store.

For this analysis the following tools were used:

  • Exemplar phone - Samsung Galaxy Prime phone - rooted - OS version 5.1.1
  • Magnet Acquire 2.2.6 - Full/Physical extraction.
  • FTK Imager 3.4.2.2 - View file system and export files.
  • SQLite Browser - View database contents.

Methodology:

  1. Record three videos with the exemplar's camera functionality.
  2. Download five popular video players from Google Play Store.
  3. Play two out of three videos with each player.
  4. Use Magnet Acquire to get a physical image of the exemplar's storage.
  5. Use FTK Imager to locate each application's files/databases and export them for review.
  6. Use SQLite Browser to view the content of the exported files if needed.

All paths are located in the userdata folder, identified in the rest of the blog post as [root].

VLC

One of the most popular video players with 100+ million downloads. 
Pertinent file location and name: [root]/data/org.videolan.vlc/app_db/vlc_media.db

The table named 'media' within the vlc_media.db database contains most of the information we are looking for.

Schema for the 'media' table.

Notice the 'play_count', 'filename', and 'duration' fields. As expected, the video that was not played had a null value in the 'play_count' field, as opposed to the value 1 for the played videos. The table named 'file' contains the location/storage of the played videos.

MX PLAYER

Another popular video player with 100+ million downloads.
Pertinent file location and name: [root]/data/com.mxtech.videoplayer.ad/databases/medias.db

The table named 'VideoFile' within the medias.db database has the following schema:

Schema for the 'VideoFile' table.

This table has more detail than the one found in VLC. Notice the 'LastWatchTime' and the 'FinishTime' fields. The two played videos had a Unix timestamp (see here for time conversion) in the 'LastWatchTime' field. One of the played videos I did not play all the way to the end. That one had no timestamp in the 'FinishTime' field. The video that was not played at all had null values on both fields. Another table named 'VideoStates' contained additional information like the location of the files but only for the files that were played.
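The VLC and MX Player checks described above, as an added example that is not part of the original post. It runs against constructed in-memory stand-ins for vlc_media.db and medias.db; the 'FileName' column in 'VideoFile' and the seconds-versus-milliseconds heuristic are assumptions to verify against the real schema and data.

```python
import sqlite3
from datetime import datetime, timezone

def to_utc(ts):
    """Convert a Unix timestamp to an ISO 8601 UTC string; None stays None.
    Assumption: values above 1e11 are milliseconds, otherwise seconds."""
    if ts is None:
        return None
    seconds = ts / 1000 if ts > 1e11 else ts
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()

def vlc_playback(conn):
    """VLC 'media' table: a NULL play_count means the video was never played."""
    rows = conn.execute("SELECT filename, play_count FROM media")
    return {name: ("played" if count else "not played") for name, count in rows}

def mx_playback(conn):
    """MX Player 'VideoFile' table: classify by LastWatchTime / FinishTime."""
    result = {}
    # 'FileName' is a hypothetical column name; check the exported schema.
    query = "SELECT FileName, LastWatchTime, FinishTime FROM VideoFile"
    for name, last, finish in conn.execute(query):
        if last is None:
            state = "not played"
        elif finish is None:
            state = "played, not finished"
        else:
            state = "played to end"
        result[name] = (state, to_utc(last), to_utc(finish))
    return result

def sample_dbs():
    """Constructed sample data, not taken from the exemplar phone."""
    vlc = sqlite3.connect(":memory:")
    vlc.execute("CREATE TABLE media (filename TEXT, duration INTEGER, play_count INTEGER)")
    vlc.executemany("INSERT INTO media VALUES (?, ?, ?)",
                    [("a.mp4", 12000, 1), ("b.mp4", 8000, 1), ("c.mp4", 9000, None)])
    mx = sqlite3.connect(":memory:")
    mx.execute("CREATE TABLE VideoFile (FileName TEXT, LastWatchTime INTEGER, FinishTime INTEGER)")
    mx.executemany("INSERT INTO VideoFile VALUES (?, ?, ?)",
                   [("a.mp4", 1523700000, 1523700060),   # seconds
                    ("b.mp4", 1523700300000, None),      # milliseconds, unfinished
                    ("c.mp4", None, None)])              # never played
    return vlc, mx

if __name__ == "__main__":
    # For an exported copy, open read-only so the evidence file is not modified:
    #   sqlite3.connect("file:medias.db?mode=ro", uri=True)
    vlc, mx = sample_dbs()
    print(vlc_playback(vlc))
    print(mx_playback(mx))
```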

ARCHOS

Unlike the previous apps, Archos does not identify native videos automatically. The user has to navigate to the folder where the videos are located in order to play them.
Pertinent file location: [root]/data/com.archos.mediacenter.videofree/databases/media.db

The table named 'files' within the media.db database has the following schema:

Schema for the 'files' table.

The table contained not only data about the video files but also data about files that are not playable media. At first impression it seemed to populate the table with the items it encountered as the user navigated to the desired video files' location. More testing needs to be done to confirm this. In addition, the videos, after being played, did not create entries in fields like 'Archos_lastTimePlayed' where one would expect to encounter timestamps. Again, more testing is in order for this app.

PLEX

It is of note that the Google Play Store page for Plex says that the app has a tendency to crash when selecting local and synced content.

Yup.
I found out that the warning was well warranted. None of the local videos would play since it crashed the app every single time. A log detailing the app's attempt at playing the videos was located at [root]/data/com.plexapp.android/Plex Media Server/Logs/Plex Media Server.5.log

Fail log.

No SQLite database was found containing additional information. Further testing with files that are neither local nor synced will need to be done to ascertain if a database is used to store any data about the played files.

LOCALCAST

This app is not a video player but a casting application for Chromecast and other Google devices. I selected two videos to play on my Google Home. They did.
Pertinent file location: [root]/data/de.stefanpledl.localcast/databases/notes-db

The table named 'RECENT_ITEM' within the notes-db database has the following schema:

Schema for 'RECENT_ITEMS' table.

The table contained two entries, one for each video I had sent to my Google Home for playback. Not much historical data is contained in this table or any other I could find. The table named 'QUEUE_ITEM' contained an entry for each of the three videos. Again, no additional historical information was located.

As time permits I will try and fill in more details regarding the apps described here as well as look into new ones as they become popular. As always, for case work, one must do multiple rounds of testing and validation before arriving at a conclusion. Everything stated previously is just a guide for further testing.