Netflix -Windows 10 Appstore Forensics

Along my hunt for useful forensic data stored within everyday Windows 10 store applications, I decided to take a look at the popular application “Netflix”. Although the locally stored data I found doesn’t necessarily have adequate standalone forensic use, some user-action related data does exist.



The Windows 10 store application ‘Netflix’ can be found under a variation of the path:


Like all other Windows store apps I have encountered so far, the default cluster of eight directories is found within the application’s package directory (figure 1). Only a handful have proven to populate with my testing and that was only when utilizing the “offline” download feature. My testing included downloading a few television and movie selections. 


The first relevant file can be found within the package directory at path:     “Netflix\localstate\appStorage”

When this file is opened with a text viewing application like notepad, you’ll find that there are records of local device downloads. In case you did not know, Netflix applications on laptops, tablets, and mobile devices offer the ability to download certain episodes and movies from its media collection for offline viewing. This “appStorage” file contains logged instances of these downloads. The Netflix user account ID, profile ID, and video ID can all be found within this file. It also contains video download metadata like the size/offset and time of download (creationdate). Although minimal, data like this could help aid other evidence through user interaction (much like the current interpretation of fitness tracker data to support claims). Figure 2 is an example of one of these log entries, showing that a video file was downloaded by a specific account and profile, while figure 3 shows a size example. 

Figure 1 (default cluster)


appStorage Log
Figure 2 (epoch download time)


Figure 3 (download size)

You can then directly observe the downloaded content with the “assets” directory. This directory combines thumbnails of the content a user has downloaded locally. It is important to know that these images were not directly downloaded by the user, but are  images that Netflix displays during the media preview and listing on their platform. Since one of the test examples I used was a show (The Office), I can review the assets directly with the sub-directory “episodes” at path: “Netflix\localstate\offlineinfo\assets\”

Within this directory you will find the asset images split into various embedded directories based on size and style. Through my research, I have found that deleted local downloads will have their assets remain on a system for a decent amount of time. Although they last more than a few days, I have yet to identify at what point they are removed. This data folder can give an insight into the media the user has downloaded, without having to identify the title match of the video ID.

The last location of relevance appeared to be: “Netflix\localstate\offlineinfo\downloads\”

In here you’ll find a collection of extension-less files that range in size significantly. Generally, the files with smaller sizes (around 100 KB) are XML files that contain the subtitles for the downloads (figure 4). The remaining files (almost all well above 1,000 KB in size) are splices of the actual media content the user has downloaded. With all subtitles being stored within this directory, I could see a potential problem with false positive hits on search terms that aren’t well focused. 

downloads subtitles.PNG
Figure 4

I found that there does not seem to be any locally stored information about streaming processes locally or on alternative devices. Overall, I feel that my current findings show that Netflix user data may not be an investigator’s “go-to” source. However, there is an adequate number of arguments I could make for when this data is useful in corroboration of other stories. 




One thought on “Netflix -Windows 10 Appstore Forensics

Add yours

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at

Up ↑

Create your website at
Get started
%d bloggers like this: