Along my hunt for useful forensic data stored within everyday Windows 10 store applications, I decided to take a look at the popular application “Netflix”. Although the locally stored data I found doesn’t necessarily have adequate standalone forensic use, some user-action related data does exist.
The Windows 10 store application ‘Netflix’ can be found under a variation of the path:
Like all other Windows store apps I have encountered so far, the default cluster of eight directories is found within the application’s package directory (figure 1). Only a handful have proven to populate with my testing and that was only when utilizing the “offline” download feature. My testing included downloading a few television and movie selections.
The first relevant file can be found within the package directory at path: “Netflix\localstate\appStorage”
When this file is opened with a text viewing application like notepad, you’ll find that there are records of local device downloads. In case you did not know, Netflix applications on laptops, tablets, and mobile devices offer the ability to download certain episodes and movies from its media collection for offline viewing. This “appStorage” file contains logged instances of these downloads. The Netflix user account ID, profile ID, and video ID can all be found within this file. It also contains video download metadata like the size/offset and time of download (creationdate). Although minimal, data like this could help aid other evidence through user interaction (much like the current interpretation of fitness tracker data to support claims). Figure 2 is an example of one of these log entries, showing that a video file was downloaded by a specific account and profile, while figure 3 shows a size example.
You can then directly observe the downloaded content with the “assets” directory. This directory combines thumbnails of the content a user has downloaded locally. It is important to know that these images were not directly downloaded by the user, but are images that Netflix displays during the media preview and listing on their platform. Since one of the test examples I used was a show (The Office), I can review the assets directly with the sub-directory “episodes” at path: “Netflix\localstate\offlineinfo\assets\”
Within this directory you will find the asset images split into various embedded directories based on size and style. Through my research, I have found that deleted local downloads will have their assets remain on a system for a decent amount of time. Although they last more than a few days, I have yet to identify at what point they are removed. This data folder can give an insight into the media the user has downloaded, without having to identify the title match of the video ID.
The last location of relevance appeared to be: “Netflix\localstate\offlineinfo\downloads\”
In here you’ll find a collection of extension-less files that range in size significantly. Generally, the files with smaller sizes (around 100 KB) are XML files that contain the subtitles for the downloads (figure 4). The remaining files (almost all well above 1,000 KB in size) are splices of the actual media content the user has downloaded. With all subtitles being stored within this directory, I could see a potential problem with false positive hits on search terms that aren’t well focused.
I found that there does not seem to be any locally stored information about streaming processes locally or on alternative devices. Overall, I feel that my current findings show that Netflix user data may not be an investigator’s “go-to” source. However, there is an adequate number of arguments I could make for when this data is useful in corroboration of other stories.