Review: Smart TV Forensics: Digital Traces on Televisions

/in ,

Emily C. Lennert

 

Category: Digital

Keywords: smart TV, television, USB, flash drive, internet, video, social networking, streaming

Article to be reviewed:

  1. Boztas, A.; Riethoven, A.R.J.; Roeloffs, M. Smart TV forensics: digital traces on televisions. Digital Investigation. 2015, 12, S72-S80.

Additional Reference(s):

  1. What is open source? https://opensource.com/resources/what-open-source (accessed Mar 29, 2017).

Disclaimer: The opinions expressed in this review are an interpretation of the research presented in the article. These opinions are those of the summation author and do not necessarily represent the position of the University of Central Florida or of the authors of the original article.

Summary:

Smart TVs, i.e. a TV with integrated internet capabilities, are common items found in consumers’ homes. These can include standalone smart TVs or set-top box devices that connect a standard TV, such as Roku® or Apple TV®. Smart TVs allow for streaming of internet content; users may log onto social networking sites as well as browse the internet or use applications to search for videos, photos, music, and other content. External hard drives, USB flash drives, digital cameras, and mobile phones may be connected to the TV as well. With the device’s wide range of capabilities, a smart TV may provide useful digital evidence to investigators. The authors of this study examined a method for recovering and analyzing digital evidence from a smart TV.

The authors selected a smart TV based on popular brands and models. A Samsung™ TV was selected for this study due to its popularity, built-in microphone and camera, and open source platform. Generally, an open source platform is an operating system in which the source code, which provides directives, is openly available and can be modified.2 The authors generated user data to ensure that most functions of the smart TV were used. The TV is capable of many functions, including voice and video communication, application installation, external device connection, internet browsing, etc. The actions that were performed to generate the data were not specified.

In the selected smart TV, data was stored on an internal flash memory eMMC chip. The authors explored three methods for acquiring the stored data.

  • eMMC five-wire method: This method is intended to read the eMMC chip and create a copy of the data in a standard USB SD-card reader. This method of data acquisition was unsuccessful. The authors theorized that the TV processor was attempting to access the eMMC chip data at the same time that the data acquisition was attempted; the authors were unable to prevent the processor from accessing the chip. Ultimately, the authors stated that they couldn’t copy the data from this particular TV, but they said that the method may work for other TVs.
  • NFI memory toolkit II (MTK II): This method is widely used in digital forensics to read memory chips and extract data from many devices, such as mobile phones or computers. The eMMC chip was removed from the TV, and a copy of the data was successfully made using MTK II.
  • Application: A software application to allow data to be copied to an external storage device was explored. The authors followed a method described in a forum of an internet “hacker” community to “root” a Samsung™ smart TV. After “rooting” to allow for access to the data, the code was modified to allow data to be copied to a USB flash drive, which was plugged directly into the TV. This method was successful until an automatic update to the TV’s firmware occurred, and the app was no longer compatible with the TV. The authors stated that an updated version of the “rooting” app may allow for data access again, but manufacturer updates could once again stop the app from functioning. The authors determined that, rather than a software based application method, hardware based methods like MTK II will likely be more useful for forensic purposes.

Following data acquisition, the data was analyzed to determine if smart TVs can provide useful information to investigators. The authors found that network information, such as IP address information or information about devices paired by Bluetooth, could be recovered. Application information could also be recovered, including information about what apps are installed, when the app was installed, and low resolution screenshots of the most recently used apps. Internet history, including search history, URL, title, date, etc., were also recovered. Media information recovered included music file name, artists, genre, etc. Video and photo file names could be recovered as well as information regarding what media files had been opened by the user, although the file itself could not be viewed. A detailed explanation of what was recovered and how the data was stored in the system can be found within the article.

Two successful methods of data acquisition were presented to facilitate the recovery of digital evidence from smart TVs, with MTK II being presented as the more viable option. Various types of data were recovered and analyzed. The authors concluded that the data recovered from smart TVs can be useful to investigators.

Scientific Highlights:

  • A variety of data was successfully recovered from the smart TV reported in this study.
  • Two successful methods of data recovery were used for this particular TV, although one was not successful after a firmware update to the TV. The authors suggest further study into the area of data recovery from various smart TVs.
  • Only one smart TV was analyzed in this study. The authors suggest that further studies be conducted on other types and brands of smart TVs.

Relevance:

Smart TVs are becoming common items among consumers. With the device’s wide range of capabilities, a smart TV may provide various types of valuable digital evidence to investigators.

Potential Conclusions:

  • Digital evidence may be recovered and subsequently analyzed from smart TVs.
  • Smart TV data recovery may be challenging, due to differences in each type and brand of TV that may affect which data recovery method may be used.