Document Type


Publication Date


Subject: LCSH

Electronic evidence, Digital forensic science


Computer Engineering | Computer Sciences | Electrical and Computer Engineering | Forensic Science and Technology | Information Security


The era of traditional cable Television (TV) is swiftly coming to an end. People today subscribe to a multitude of streaming services. Smart TVs have enabled a new generation of entertainment, not only limited to constant on-demand streaming as they now offer other features such as web browsing, communication, gaming etc. These functions have recently been embedded into a small IoT device that can connect to any TV with High Definition Multimedia Interface (HDMI) input known as Google Chromecast TV. Its wide adoption makes it a treasure trove for potential digital evidence. Our work is the primary source on forensically interrogating Chromecast TV devices. We found that the device is always unlocked, allowing extraction of application data through the backup feature of Android Debug Bridge (ADB) without device root access. We take advantage of this minimal access and demonstrate how a series of artifacts can stitch together a detailed timeline, and we automate the process by constructing Forensicast – a Chromecast TV forensic acquisition and timelining tool. Our work targeted (n=112) of the most popular Android TV applications including 69% (77/112) third party applications and 31% (35/112) system applications. 65% (50/77) third party applications allowed backup, and of those 90% (45/50) contained time-based identifiers, 40% (20/50) invoked some form of logs/activity monitoring, 50% (25/50) yielded some sort of token/cookie, 8% (4/50) resulted in a device ID, 26% (13/50) produced a user ID, and 24% (12/50) created other information. 26% (9/35) system applications provided meaningful artifacts, 78% (7/9) provided time based identifiers, 22% (2/9) involved some form of logs/activity monitoring, 22% (2/9) yielded some form of token/cookie data, 22% (2/9) resulted in a device ID, 44% (4/9) provided a user ID, and 33% (3/9) created other information. Our findings also illustrated common artifacts found in applications that are related to developer and advertising utilities, mainly WebView, Firebase, and Facebook Analytics. Future work and open research problems are shared.


This is the Author's Accepted Manuscript.

Article part of the International Conference Proceeding Series (ICPS), ARES 2021: The 16th International Conference on Availability, Reliability and Security, published by ACM.



Publisher Citation

Alex Sitterer, Nicholas Dubois, and Ibrahim Baggili. 2021. Forensicast: A Non-intrusive Approach & Tool For Logical Forensic Acquisition & Analysis of The Google Chromecast TV. In The 16th International Conference on Availability, Reliability and Security (ARES 2021). Association for Computing Machinery, New York, NY, USA, Article 50, 1–12. DOI:

Check your library