Characterizing client-side caches of audiovisual content sharing services: Findings and suggestions for forensics

In light of the advancements in computing technology, and an increase in the use of mobile devices, various forms of services have emerged in recent times. Particularly, audiovisual (AV) content-based services that stream broadcasts through personal channels or self-produced video content shared with friends has been gaining ground. It is evolving into a new platform category to share information or help people express themselves. Meanwhile, there have been instances across the globe where these services have been used to stream or share illegal content. So far, few systematic technical studies have been conducted to investigate crimes associated with online services. In the process of viewing, sharing, and distributing illegal videos, digital artifacts may be saved on digital devices such as a PC or smartphone. This paper explores the client-side caches generated as a consequence of ‘viewing’ visible content through AV content-based services, including Dailymotion, Instagram, LINE, Snapchat, Telegram, TikTok, and YouTube, in various platforms including Windows, Android and iOS. Through analyzing caching mechanisms, this study categorizes and characterizes various AV caches observed during repeated experiments. This work also proposes algorithms (in combination with a developed open-source tool) for obtaining playable (visible) contents, by identifying and reassembling fragmented AV pieces.