
Parsing Google’s Now Playing History on Pixel Devices

Published on Aug 31, 2020

Synopsis

Forensic question: What information is recoverable from the use of the Now Playing feature on Google Pixel phones?

OS: Android 10

Tools:

Magnet Acquire 2.25.0.20236
DB Browser for SQLite 3.11.2
protoc 3.11.4
ALEAPP

Google introduced a built-in app/feature called Now Playing as part of the Pixel 2 and Pixel 2 XL launch in 2017, and it has been included in every Pixel phone release since. It gives you the option to let Google try to recognize the music that is playing around you. Per Google:

 When music plays nearby, your phone compares a few seconds of music to its on-device library to try to recognize the song. This processing happens on your phone and is private to you. - Google Answers

Since this history information is stored locally, we get a nice little database full of information. To see what is available from the UI, go to:

Settings > Sound > Now Playing

You will see a screen similar to this:

There aren't many switches to play with here other than turning on song info on your lock screen or receiving notifications. From here we can click Now Playing History to view a list of song history going as far back as when the app was first initiated.

If you click on a single song, you get a list of apps that the song can be streamed from:

Now that we know what can be accessed from the UI, let's take a look at what we have from a forensic perspective via an ADB backup. The file path where this app information can be located is:

 apps/com.google.intelligence.sense/db/history_db

The file is a SQLite database with only a few columns. Opening it in DB Browser, we see two tables, only one of which is of real significance, recognition_history:

 

The timestamp was easily parsed; it was in Unix Epoch format (Alexis Brignoni made a post on this).

History_entry is a Protobuf blob, in which we can see some useful information just by looking at the hex:

For further analysis, we can export the blob out of DB Browser and parse it using protoc.exe (thanks for the hint, Joshua Hickman) with the following command:

 protoc.exe --decode_raw < samplesong1

 Here is the output we get:

As you can see from the markups, I was able to parse out some information for each track, including song title, artist, and album information. We also see the URL paths to the streaming app locations from the UI. With a little help from Sarah Edwards, I was able to parse out the song duration in seconds; it is an 8-byte float stored in big-endian.
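A schema-less decoder in the spirit of `protoc --decode_raw`, added here as an example (not the author's or ALEAPP's code), for walking an exported history_entry blob in Python. The sample blob and its field numbers are constructed placeholders, not the real Now Playing layout; fixed64 fields are little-endian on the wire while `--decode_raw` prints them as a hex integer, so each is returned as both the integer and the float it encodes.

```python
import struct
FIXED = {1: ("<Q", "<d"), 5: ("<I", "<f")}  # wire type -> (integer, float) formats

def read_varint(buf, pos):
    """Return (value, next_pos) for the base-128 varint starting at pos."""
    value = shift = 0
    while pos < len(buf) and shift < 64:
        byte = buf[pos]
        value |= (byte & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not byte & 0x80:
            return value, pos
    raise ValueError("truncated or oversized varint")

def interpret(raw):
    """A length-delimited payload may be text, a nested message or bytes."""
    text = raw.decode("utf-8", errors="replace")
    if text and text.isprintable() and "\ufffd" not in text:
        return text
    try:
        return decode_raw(raw)
    except ValueError:
        return raw.hex()

def decode_raw(buf):
    """Schema-less decode of a protobuf blob into [(field_number, value), ...]."""
    out, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field, wire = key >> 3, key & 7
        if field == 0 or wire not in (0, 1, 2, 5):
            raise ValueError(f"not a protobuf field: key {key:#x}")
        if wire in (0, 2):                     # varint value, or a length prefix
            value, pos = read_varint(buf, pos)
        if wire != 0:
            size = value if wire == 2 else struct.calcsize(FIXED[wire][0])
            raw, pos = buf[pos:pos + size], pos + size
            if len(raw) != size:
                raise ValueError("field runs past end of blob")
            if wire == 2:
                value = interpret(raw)
            else:                              # (integer, float) views of the same bytes
                value = tuple(struct.unpack(f, raw)[0] for f in FIXED[wire])
        out.append((field, value))
    return out

# Constructed sample blob; field numbers and values are placeholders, not the real layout.
TRACK = b"\x0a\x0cExample Song\x12\x0eExample Artist\x19" + struct.pack("<d", 215.0)
SAMPLE = b"\x0a\x0fAmerica/Chicago\x12" + bytes([len(TRACK)]) + TRACK + b"\x18\x01"
```

Without a schema, text versus nested message is a heuristic, so confirm any string of interest against the raw hex before reporting it.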

Track ID and album ID can be used to verify the song/album to some degree; they relate to the Google Play Music store.

 https://play.google.com/music/m/Bjekozojoyyma723eg2hgukzeaa 

The most useful piece of information from this may possibly be at the very top: the time zone of the device when the song was identified by the app. This could possibly place the owner of the device in a rough area during a specific timeframe.

I have yet to determine the usefulness of all of the other information at this point.

 You will see duplicate entries next to each other for songs. That is because Now Playing will listen for a small period of time every minute to conserve battery life, continually identifying what it can. If a song is 2+ minutes, you should see 2 entries for one song in a row, but each will have different timestamps associated.
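One way to fold those per-minute repeats into a single listening span per song, as an added example that is not part of the original post or of ALEAPP. It assumes the timestamp column holds Unix epoch milliseconds (set `ts_divisor=1` for seconds), uses a hypothetical 120-second gap threshold, and runs against a constructed, simplified copy of the recognition_history table.

```python
import sqlite3
from datetime import datetime, timezone

def collapse_detections(conn, max_gap_s=120, ts_divisor=1000):
    """Merge consecutive rows for the same track into one listening span.

    ts_divisor=1000 assumes the timestamp column is Unix epoch milliseconds;
    max_gap_s is a tunable assumption that tolerates one missed listen cycle.
    """
    rows = conn.execute(
        "SELECT timestamp, track_id FROM recognition_history ORDER BY timestamp")
    spans = []
    for ts, track_id in rows:
        seen = ts / ts_divisor
        last = spans[-1] if spans else None
        if last and last["track_id"] == track_id and seen - last["last"] <= max_gap_s:
            last["last"], last["hits"] = seen, last["hits"] + 1
        else:
            spans.append({"track_id": track_id, "first": seen, "last": seen, "hits": 1})
    for span in spans:  # report in UTC so the examiner applies the time zone explicitly
        for key in ("first", "last"):
            span[key] = datetime.fromtimestamp(span[key], tz=timezone.utc).isoformat()
    return spans

def build_sample_db():
    """Constructed rows: one track heard three times in a row, another, then a replay."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE recognition_history (timestamp INTEGER, track_id TEXT)")
    base = 1598875200000  # 2020-08-31T12:00:00Z in milliseconds (constructed)
    conn.executemany("INSERT INTO recognition_history VALUES (?, ?)", [
        (base, "T-constructed-A"), (base + 61_000, "T-constructed-A"),
        (base + 122_000, "T-constructed-A"), (base + 183_000, "T-constructed-B"),
        (base + 3_600_000, "T-constructed-A"),
    ])
    return conn

if __name__ == "__main__":
    for span in collapse_detections(build_sample_db()):
        print(span)
```

The `hits` count is kept so the report still shows how many raw rows back each span.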

 Quick as always, Alexis Brignoni turned around a parser for ALEAPP in less than a day, so you can grab that now!

DFIR Review

This paper provides insight into an artifact that has not been frequently discussed in the digital forensic community. Use cases would have been useful to show the potential significance of the artifact. The author provided a solid hypothesis which was tested. The tools and sources used are well documented. One point that could have been discussed in more detail is the track_id that is available in the column track_id of the database and in the blob, allowing more information about the song to be retrieved using the URL https://play.google.com/music/preview/[track_id], even if it may not be important information for criminal cases. Providing more information with screenshots regarding where the time zone information can be found would have added more value to the findings. It would be helpful to include a references section at the end of the document.

Future Work

Additional research could be conducted to determine if the feature is the same on all OS versions for the Pixel or if it is available on other devices. It may be helpful to determine how to integrate this data with other datasets that may provide the specific location of the user at the time of detecting the played song. As the author indicated, further analysis would be beneficial to determine the benefit of this data for forensic applications. It may also be helpful to compare what is available when the app data is extracted using forensic tools or from a rooted device (if possible). Future work could also include finding similar SQLite database files on different platforms (such as iOS).

Reviewers

Addisu Afework Birhanu (Methodological Review and Verified Review using Author Provided Datasets)

Timothy Bollé (Methodological Review and Verified Review using Author Provided Datasets)

Yohannes Yemane Brhan (Methodological Review and Verified Review using Author Provided Datasets)

Anthony Knutson (Methodological Review)

 
