Smart TV Forensics
Smart TVs are a newer generation of hybrid televisions with integrated Internet connectivity. They let a user interact with the television through apps, on-demand media and various input methods such as motion sensors, voice and video. Smart TVs also accept external devices such as smartphones, USB devices and cameras. They usually come as a standalone product with a pre-installed OS, although a normal television can also be used with a set-top box that ships with a Smart TV OS. Some of the popular platforms that Smart TVs incorporate:
- Android TV
- Web OS
- Samsung Tizen
- Firefox OS
- Google TV
- Ubuntu TV
Smart TVs offer pre-built stock apps or access to a store from which specific apps can be downloaded. Given all the functionality of a Smart TV, information such as channel information, application data, pictures, videos, external media footprints and device usage timeline data can be utilized by an investigator. The primary step toward conducting Smart TV forensics is forensic data acquisition.
Performing Smart TV Forensics Data Acquisition
Depending on the manufacturer of the Smart TV, the internal storage media can be the primary source from which to acquire remnant data or perform forensic imaging. Popular Smart TVs use flash-based memory as their primary storage media. Here are a few methods to acquire Smart TV remnant data:
Chip Off Forensics:
Preferred as the last resort, chip-off forensics requires physically removing the NAND or flash memory from the host device and reading the stored data with an external forensic flash/NAND reader. Smart TVs incorporate eMMC chips, which must be manually desoldered before the data can be analyzed. A chip-off / flash memory forensic toolkit such as the NFI Memory toolkit might serve as a suitable tool for the investigation.
Data Acquisition Using Third-Party Apps:
Acquiring data using apps is a much easier and more reliable method than performing chip-off forensics, as it minimizes the risk of damaging the device while desoldering the chip. According to forensic norms and ethics, the method is non-admissible, as the app might leave behind traces or unknowingly tamper with evidence (depending on its behaviour). Using a custom app is a viable alternative, as the app writes the data out to an external device attached to the Smart TV.
For installing custom apps to transfer data, rooting the Smart TV OS is essential. By default the OS does not provide administrative/superuser access, which might hinder data acquisition. The rooting process varies among device vendors; the investigator should reassess the risks involved and then proceed.
Forensic Analysis of Smart TV File Systems:
Analysis shows that a Smart TV uses a combination of multiple file systems, such as SquashFS, a proprietary eMMC file system and U-Boot (for boot loader partitions).
SquashFS is a Linux-based read-only file system, generally developed for embedded systems. The primary attribute of SquashFS is that it compresses directories, files and index nodes (inodes, the structures that represent a file system object).
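To locate SquashFS partitions inside a raw flash dump, an examiner can scan for the SquashFS 4.x superblock and cross-check its fields. The following is an added example, not part of the original article; the sample dump is constructed, and vendor-modified SquashFS variants with a different magic or layout are outside its scope.

```python
import struct
from datetime import datetime, timezone

# SquashFS 4.x superblock, little-endian: magic, inodes, mkfs_time, block_size,
# fragments, compression, block_log, flags, no_ids, major, minor, root_inode,
# bytes_used
SUPERBLOCK = struct.Struct("<4sIIIIHHHHHHQQ")
MAGIC = b"hsqs"
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def find_squashfs(image: bytes) -> list:
    """Locate plausible SquashFS superblocks in a raw flash dump."""
    hits = []
    pos = image.find(MAGIC)
    while pos != -1:
        if pos + SUPERBLOCK.size <= len(image):
            (_, inodes, mkfs_time, block_size, _, comp, block_log, _, _,
             major, _, _, bytes_used) = SUPERBLOCK.unpack_from(image, pos)
            # Cross-check fields so a chance "hsqs" string is not reported.
            if (major == 4 and comp in COMPRESSORS
                    and 12 <= block_log <= 20 and block_size == 1 << block_log):
                hits.append({
                    "offset": pos,
                    "inodes": inodes,
                    "created_utc": datetime.fromtimestamp(
                        mkfs_time, tz=timezone.utc).isoformat(),
                    "block_size": block_size,
                    "compression": COMPRESSORS[comp],
                    "bytes_used": bytes_used,  # length to carve from offset
                })
        pos = image.find(MAGIC, pos + 1)
    return hits


def build_sample_dump() -> bytes:
    """Constructed test data: one valid superblock plus a stray magic string."""
    sb = SUPERBLOCK.pack(MAGIC, 412, 1500000000, 131072, 9, 4, 17, 0, 1,
                         4, 0, 0, 3_145_728)
    stray = MAGIC + b"\xff" * 60            # magic bytes followed by garbage
    return b"\x00" * 4096 + sb + b"\x00" * 1000 + stray


if __name__ == "__main__":
    for hit in find_squashfs(build_sample_dump()):
        print(hit)
```

The reported offset and `bytes_used` give the range to carve from a working copy of the image before unpacking it with a SquashFS tool.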
eMMC-Oriented File System:
The eMMC (Embedded MMC) file system was developed exclusively for embedded systems using flash-based or NAND memory. This flash memory type uses block-based data input/output, which requires precise mapping, rearranging and garbage collection. It can also be compiled for Linux-based operating systems. Usually, eMMC file systems are customized by the TV manufacturer, so investigators need to understand the specifications of the Smart TV and become well versed in the manufacturer details before analyzing the acquired data.
While acquiring images, it was evident that a few partitions were redundant or repeated, having similar size and bitwise content. These partitions might be used as a factory reset backup to recover from an unsuccessful firmware upgrade or failure. They are a potential source of safe system settings or information kept as a backup for restoring a previous version.
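One way to confirm which acquired partitions are redundant copies is to group the partition images by size and then by SHA-256. This is an added example, not from the original article; the partition file names are hypothetical and the sample images are constructed. It reports only byte-for-byte identical images.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-gigabyte images never load into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_duplicate_partitions(paths) -> list:
    """Group partition images that are byte-for-byte identical."""
    by_size = defaultdict(list)
    for p in map(Path, paths):
        by_size[p.stat().st_size].append(p)
    groups = defaultdict(list)
    for size, same_size in by_size.items():
        if len(same_size) < 2:        # unique size: cannot be a duplicate
            continue
        for p in same_size:           # size alone is not proof; hash content
            groups[(size, sha256_file(p))].append(p.name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def demo() -> list:
    """Run against constructed images; file names are hypothetical."""
    samples = {
        "p1_boot.img": b"\x01" * 2048,
        "p2_rootfs_a.img": b"\xAA" * 8192,
        "p3_rootfs_b.img": b"\xAA" * 8192,             # backup copy of p2
        "p4_userdata.img": b"\xAA" * 8191 + b"\x00",   # same size, differs
    }
    with tempfile.TemporaryDirectory() as tmp:
        files = []
        for name, data in samples.items():
            path = Path(tmp) / name
            path.write_bytes(data)
            files.append(path)
        return find_duplicate_partitions(files)


if __name__ == "__main__":
    print(demo())
```

Partitions that share a size but not a hash are worth comparing block by block, since the differing regions may hold settings that changed after the backup copy was written.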
Collecting Smart TV Artifacts:
During forensic analysis of Smart TV images, essential artefacts surfaced gradually, but a general pattern of artefact redundancy is clearly visible. Smart TVs usually store most of their data within XML files, such as:
Device Information –
Information such as the manufacturer URL, model description, name, number, model URL, serial number, etc., is available within the XML file. This information becomes crucial while investigating the device and confirming device information.
Network Information –
Smart TVs are built with Wi-Fi connectivity, which allows users to access the internet and download apps. From an investigator's point of view, acquiring network information is of primary importance, as it might be useful for cross-referencing during the investigation. Network information artefacts include the device name on the network, port numbers, IP addresses and paired devices, along with the MAC address of the connected Ethernet port.
Application Information –
Application activity and accumulated user data can be categorized among the primary artefacts when investigating a Smart TV. The first step in determining user activity is to examine the recent history manually, as the rooting process might leave minor footprints or distort the order of application access:
Usually My Apps > Home > Recent is the best place to determine the recently used applications by the user. The investigator should first record recent application history details, before jumping into the rooting and device data acquisition process.
Recent Application Activities
Recent holds the last 10 actions/applications used on the TV system, including images or videos viewed on external USB devices, recent channels, and from other sources. The list provides names and in some cases a thumbnail image of the video/images, providing an indication of what was viewed. These are retained in the ‘recent’ list if the TV is switched to standby, powered off, or even if the USB device has been removed, providing evidence that external content was displayed using the Smart TV.
Network Information / Status
Network information plays a crucial role in identifying the networks to which the device was connected. Information such as the system MAC address, IP address information, etc., can be accessed via Settings > Network.
Device Version & Serial Numbers
Irrespective of the Smart TV device manufacturer, Settings > Product / Service Info provides information such as the ESN (Electronic Serial Number), model number, browser version, etc. This helps confirm the device identity and other related information.
Information about installed applications is available in a specific partition’s subdirectory named “Widgets”.
Widgets stores the information within two subdirectories: NORMAL and USER. The NORMAL subdirectory consists of applications installed from the App store, whereas USER stores information about applications installed manually by the user. The following files and directories store relevant application information applicable universally for Smart TVs:
- An XML document consisting of information regarding all the installed and available apps on the Smart TV.
- Stores information about the icon paths used by the installed application.
- Consists of recently used application screenshots with a unique ID, which gets cross-referenced in the history.xml file.
Although a Smart TV seems to collect only minimal bits of user activity information, it can be a potential resource for relating a series of events. Smart TV forensic analysis methodology varies depending on the device model and functionality. Because of vendor-specific operating systems, it becomes quite hard to set norms for forensic investigation. However, the methodology defined above for device acquisition and evidence analysis remains the same as long as anomalies are not encountered.
The investigator should first examine the Smart TV manually in its running state, provided the OS has not been modified to alter evidence in any manner. After proper examination and risk analysis, the investigator should perform data acquisition.