- Email: [email protected]
Reconstructing cached video stream content:- Part 2
Forensic Science International: Digital Investigation 31 (2019) 200893
Contents lists available at ScienceDirect
Forensic Science International: Digital Investigation journal homepage: www.elsevier.com/locate/fsidi
Reconstructing cached video stream content:- Part 2 Graeme Horsman Teesside University, Middlesbrough, Tees Valley, TS1 3BX, UK
a r t i c l e i n f o
a b s t r a c t
Article history: Received 7 July 2019 Received in revised form 6 September 2019 Accepted 30 October 2019 Available online xxx
In 2018, Horsman (2018a; 2018b) provided guidance for the reconstruction of cached stream remnants following use of the Periscope, Facebook Live and YouTube platforms. These works confirmed that video stream content can be cached to a local device when viewed via an Internet browser, and that following the provided methodology, video content can be rebuilt for subsequent viewing. This work provides an analysis of a further six platforms; Twitch, Youtube Live, Mixer, Ustream.tv, Smashcast.tv, and Younow. An analysis of localised stream caching is provided along with methodologies to view this content, ensuring support to those investigating offences where streaming may provide pertinent evidence of a criminal act or in fact be illegal per se. © 2019 Published by Elsevier Ltd.
Keywords: Digital forensics Video streaming Cache Internet Investigation
1. Introduction Whilst online video streaming platforms provide many with the ability to engage in legitimate and harmless tasks, there remains a subset of individuals who abuse these services. Such misuses are wide ranging, as noted by previously by Horsman (2018a; 2018b). One prominent offence involving streaming involves child abuse (BBC News, 2018d). In 2018, The Internet Watch Foundation's report into the ‘Trends in Online Child Sexual Exploitation’ notes the prominance of streams depicting child abuse not only as a primary source of abusive material, but also a secondary means for imagery to be harvested and subsequently redistributed. This work examines the impact that video streaming has on the local browser caches of Chrome (v75.0.3770.100) and Mozilla Firefox (v 67.0.4). The video streaming platforms Twitch, Youtube Live, Mixer, Ustream.tv, Smashcast.tv, Vimeo and Younow have been examined in order to determine the presence and structure of locally cached video content, and reconstruction methodologies (to allow cached stream fragments to be reviewed both in isolation, and chronologically as per the original stream-order) are offered where such a task is possible. 2. Methodology In
order
to
examine
cached
E-mail address: [email protected]. https://doi.org/10.1016/j.fsidi.2019.200893 1742-2876/© 2019 Published by Elsevier Ltd.
stream
content,
Nirsoft's
ChromeCacheView v 1.87 (Nirsoft, 2019a) and MozillaCacheView v 1.81 (Nirsoft, 2019b) tools were utilised to parse and display locally cached content. Both Chrome (v75.0.3770.100) and Mozilla Firefox (v 67.0.4) caches are examined, the two most popular browsers for Microsoft Windows (Statista, 2019). A test operating system platform of Windows 10 was used. For each of the streaming platforms examined both live broadcasts and recorded and stored broadcasts were examined for caching simulating those who engage in a live video stream and those who subsequently watch a saved broadcast at a later date. The presence of stream content in the browser cache was subsequently examined following the same methodology defined by Horsman (2018a). 2.1. Twitch Twitch has a reported 15 million daily users, arguably known for maintaining popularity with gaming communities (Influencer Marketing, 2019). Whilst the majority of Twitch content remains within stated usage terms and condition, there have been reports of the streaming of sexualised content (BBC News, 2017), terror events (Kenny, 2019) pirate media (BBC News, 2018a), assaults (2018c), covert filming (2018b), sexism content (2016b) and general abuse (2016a). 2.1.1. Live broadcasts The Twitch platform is designed for live streaming, allowing users to watch user generated content and engage with the channel via messaging facilities. When a user engages with a live broadcast,
2
G. Horsman / Forensic Science International: Digital Investigation 31 (2019) 200893
Fig. 1. Example cache content from live Twitch stream showing cached chat tile icons.
no caching of video stream content to the local machine's browser caches takes place. Whilst the caching of site contents and chat.gif tiles is stored, video content is not (see Fig. 1 for a snapshot of cached content occurring during a Twitch live video stream). This is surmised as due to a lack of buffering which takes place; a natural occurrence when content is transmitted live with no time delay/lag. Even when a stream is paused, content is not buffered locally as when the stream is resumed, a user is transported to a stream's current transmit position and missed content is lost to the user. This situation occurs in both the Chrome and Firefox browser caches.
2.1.2. Video playback Twitch users may choose to store their broadcasts on the platform so users can view content post-live broadcast. As videos are played back, cached video fragments are stored in the browser cache. Cached stream content follows the naming convention.ts, where the portion of the file name denotes the position in the video which was viewed. For example, Fig. 2 demonstrates cache behaviour when the first 50 s of a Twitch video having been viewed (0.ts - 8.ts), in comparison to Fig. 3 which demonstrates content part way through a video being viewed (1077.ts - 1084.ts).
Each.ts file contains approximately 9 s of video stream including audio. Whilst not an absolute marker of a videos position (testing highlighted the inclusion of small amounts of sporadic buffered content containing smaller amounts of video content), it can provide a positional estimate. For example, if files 500.ts - 550.ts are present in the cache, an estimate would place the user having viewed a target video from around the 75th minute, and for approximately the next 7.5 min. Finally, it is necessary to state that cached content is not necessarily an example of viewed content. What can be inferred is that the video must be playing in the browser window for caching to occur and a maximum of 9 s in advance of the current video position may have been buffered but not physically viewed (see Fig. 4). A typical Twitch stream URL is offered below where the red text (‘ninja’) indicates the user name of the streaming account, followed by a numeric string which identifies the stream. Therefore all stream chunks with the same numeric string belong to the same stream. Each stream chunk is in Video Transport Stream File format, a common format for video media storage (FileInfo, 2019). Each.ts file maintains a file header of 0x47 40 00, and the files have no obvious consistent traditionally positioned footer causing a challenge for file carving processes to recover deleted cached content from
Fig. 2. Twitch video playback from the start of a video.
Fig. 3. Twitch video playback from the middle of a video.
G. Horsman / Forensic Science International: Digital Investigation 31 (2019) 200893
3
Fig. 4. A breakdown of Twitch stream buffering.
Fig. 7. Ustream.tv live stream cached content.
Fig. 5. The YouTube Live icon active during a live stream.
unallocated. Following testing, both Firefox and Chrome caches behave the same. 2.2. YouTube live The Youtube Live platform is a competitor of Twitch offering a platform for live broadcasting (Perez, 2018). Whilst non-live YouTube stream reconstruction is covered in Horsman (2018a), here live broadcasts are considered. Live broadcasts are noted when the YouTube window's ‘Live’ icon is active (red), noted below in Fig. 5. Stream content is cached in.mp4 (video - header: 0x00 00 00 1C 66 74 79 70 64 61 73 68) and.m4a (audio - header: 0x00 00 00 18 66 74 79 70 64 61 73 68) formats and each chunk is individually playable in media players such as VLC. Stream chunks bear no filename metadata which distinguishes the order of the streamed content; this must be established by examining the last accessed time and data information of the cached chunks and reviewing them in chronological order (see Fig. 6). Performance is the same for both the Chrome and Firefox browsers. 2.3. Ustream.tv (now IBM video) Ustream.tv streams which are broadcast live are cached locally. Cache activity occurs in ‘chunks’ with a typical cache file naming convention shown in Fig. 7. The typical naming convention is
Fig. 8. An example of Ustream.tv stream chunk padding.
structured as chunk__.AUDIO/VIDEO.mp4. The value denotes the chunk's order in the stream. This is a chronological occurrence, so for example, chunk_0 would be the first cached chunk of stream. The value denotes the stream which data belongs to. All chunks with the same belong to the same stream. Finally, caching for each chunk occurs twice, one audio (m4a) and one video (m4v), therefore for each section of the stream, both video and audio content occur in separate files, similar to that witnessed with YouTube Live. Viewing of stream chunks is not straight forward. Ustream.tv stream chunks are padded with data which prevents them from being initially playable using VLC (shown in Fig. 8). In order to view this content, this padding needs to be removed. This can be done via applications such as FTKi and saving the remained of chunk content (everything minus the padding) into a separate file. The removal of the padding restores each chunk's original file header, rendering it playable. A user can also view recorded streams where the stream chunk structure and formatting occurs the same as when a live broadcast is viewed. To distinguish cache content which occurs from a live stream, typical example URL structures are provided below whereby the presence of the term ‘live’ distinguishes a live broadcast. Performance is the same for both the Chrome and Firefox browsers.
2.4. Mixer
Fig. 6. YouTube Live stream caching.
Caching of live stream content does occur in Mixer, with typical cache structures shown in Fig. 9. Live stream caching occurs in the same format as Twitch when used to view recorded videos. Stream
4
G. Horsman / Forensic Science International: Digital Investigation 31 (2019) 200893
Fig. 9. Mixer live stream caching.
2.6. YouNow (www.younow.com) YouNow live stream local caching does not occur. Similar to Twitch, no buffering appears to occur and users have no option to control any of the live streams that they are viewing (pause/stop etc.). As a result, no streamed video is present in Chrome or Firefox browser caches. It appears that YouNow is a live-only stream platform. 3. Conclusions
Fig. 10. Smashcast.tv live stream caching.
chunks are split into.ts files with file headers of is 0x47 40 00, and the files have no obvious traditionally positioned footer causing a challenge for file carving processes. Unlike the previous platforms tested, there were no available recorded videos on the platform to examine for caching. Mixer also operates a ‘clips’ function where historic broadcasts can be shown, and this function does not cache video content locally. Performance is the same for both the Chrome and Firefox browsers.
2.5. Smashcast.tv Smashcast.tv is a streaming platform with a focus on gaming and esport streaming. Live streams are cached in the same format and structure as noted with Mixer above (.ts which denotes the play order of the fragments - see Fig. 10). The structure remains consistent when recorded videos are viewed, however naming conventions change to index.ts. denotes the play order of the stream cache fragments (see Fig. 11).
Fig. 11. Smashcast.tv live stream caching.
This work provides a followup to work by Horsman (2018a), examining a further six streaming platforms which are accessible via desktop web browsers, completing coverage of most of the main stream providers for this tech-platform. As with previous work, it is possible to determine that localcised caching of stream content does occur in most cases. Whilst viewing recorded non-live streams results in local caching in all platforms where this function is available, live stream broadcasts are only cached in four of the six platforms examined (not in Twitch and YouNow). This work further emphasises the need to examine cached video content where Internet history indicates that a user has engaged with video streaming platforms in order to fully establish their actions within a given platform. Future work requires stream reconstruction analysis of popular mobile applications to take place where the intricacies of mobile forensics and implications of restricted data access may play an important role in the success of determining whether local caching occurs on mobile devices. Declaration of competing interest No conflicts. References BBC News, 2016a. Twitch unveils new tool to tackle abuse in gaming. Available at: http://www.bbc.co.uk/newsbeat/article/38301072/twitch-unveils-new-tool-totackle-abuse-in-gaming. (Accessed 28 June 2019). Accessed. BBC News, 2016b. Twitch: gaming needs to ‘invest’ to tackle sexism. Available at: http://www.bbc.co.uk/newsbeat/article/37506506/twitch-gaming-needs-toinvest-to-tackle-sexism. (Accessed 28 June 2019). Accessed. BBC News, 2017. Calls for Twitch to police 'sexual streaming. Available at: https:// www.bbc.co.uk/news/technology-42222939. (Accessed 28 June 2019). Accessed. BBC News, 2018a. KSI v Logan Paul: twitch pirates outnumbered YouTube payers. Available at: https://www.bbc.co.uk/news/technology-45321629. (Accessed 28 June 2019). Accessed. BBC News, 2018b. Uber driver streamed hidden camera videos on Twitch. Available at: https://www.bbc.co.uk/news/technology-44924814. (Accessed 28 June 2019). Accessed. BBC News, 2018c. Fortnite: gamer charged with assault during live stream. Available at: https://www.bbc.co.uk/news/world-australia-46504204. (Accessed 28 June 2019). Accessed. BBC News, 2018d. Children under 13 groomed on live streams. Available at: https:// www.bbc.co.uk/news/uk-44233544. (Accessed 28 June 2019). Accessed. FileInfo, 2019. TS file extension. Available at: https://fileinfo.com/extension/
G. Horsman / Forensic Science International: Digital Investigation 31 (2019) 200893 ts#Video_Transport_Stream_File. (Accessed 28 June 2019). Accessed. Horsman, G., 2018a. Reconstructing streamed video content: a case study on YouTube and Facebook Live stream content in the Chrome web browser cache. Digit. Invest. 26, S30eS37. Horsman, G., 2018b. A forensic examination of the technical and legal challenges surrounding the investigation of child abuse on live streaming platforms: a case study on Periscope. Journal of Information Security and Applications 42, 107e117. Kenny, Katie, 2019. Twitch broadcasts Christchurch terror attack video just after its parent company signs the Christchurch Call. Available at: https://www.stuff.co. nz/national/christchurch-shooting/113255887/twitch-broadcasts-christchurchterror-attack-video-just-after-its-parent-company-signs-the-christchurch-call. (Accessed 28 June 2019). Accessed. Marketing, Influencer, 2019. 25 useful twitch statistics for influencer marketing managers [infographic]. Available at: https://influencermarketinghub.com/25useful-twitch-statistics/. (Accessed 28 June 2019). Accessed. Nirsoft, 2019a. ChromeCacheView v1.87 - Cache Viewer for Google Chrome Web Browser. Available at:: https://www.nirsoft.net/utils/chrome_cache_view.html.
5
(Accessed 28 June 2019). Accessed. Nirsoft, 2019b. MZCacheView v1.81 - view the cache files of Mozilla/Firefox browsers. Available at: https://www.nirsoft.net/utils/mozilla_cache_viewer. html. (Accessed 28 June 2019). Accessed. Perez, Sarah, 2018. YouTube is closing the gap with Twitch on live streaming, report finds. Available at: https://techcrunch.com/2018/10/25/youtube-is-closing-thegap-with-twitch-on-live-streaming-report-finds/. (Accessed 28 June 2019). Accessed. Statista, 2019. Global market share held by leading internet browsers from January 2012 to March 2019. Available at: https://www.statista.com/statistics/268254/ market-share-of-internet-browsers-worldwide-since-2009/. (Accessed 28 June 2019). Accessed. The Internet Watch Foundation, 2018. Trends in online child sexual exploitation: examining the distribution of captures of live-streamed child sexual abuse. Available at: https://www.iwf.org.uk/sites/default/files/inline-files/Distribution %20of%20Captures%20of%20Live-streamed%20Child%20Sexual%20Abuse% 20FINAL.pdf. (Accessed 28 June 2019). Accessed.
Contents lists available at ScienceDirect
Forensic Science International: Digital Investigation journal homepage: www.elsevier.com/locate/fsidi
Reconstructing cached video stream content:- Part 2 Graeme Horsman Teesside University, Middlesbrough, Tees Valley, TS1 3BX, UK
a r t i c l e i n f o
a b s t r a c t
Article history: Received 7 July 2019 Received in revised form 6 September 2019 Accepted 30 October 2019 Available online xxx
In 2018, Horsman (2018a; 2018b) provided guidance for the reconstruction of cached stream remnants following use of the Periscope, Facebook Live and YouTube platforms. These works confirmed that video stream content can be cached to a local device when viewed via an Internet browser, and that following the provided methodology, video content can be rebuilt for subsequent viewing. This work provides an analysis of a further six platforms; Twitch, Youtube Live, Mixer, Ustream.tv, Smashcast.tv, and Younow. An analysis of localised stream caching is provided along with methodologies to view this content, ensuring support to those investigating offences where streaming may provide pertinent evidence of a criminal act or in fact be illegal per se. © 2019 Published by Elsevier Ltd.
Keywords: Digital forensics Video streaming Cache Internet Investigation
1. Introduction Whilst online video streaming platforms provide many with the ability to engage in legitimate and harmless tasks, there remains a subset of individuals who abuse these services. Such misuses are wide ranging, as noted by previously by Horsman (2018a; 2018b). One prominent offence involving streaming involves child abuse (BBC News, 2018d). In 2018, The Internet Watch Foundation's report into the ‘Trends in Online Child Sexual Exploitation’ notes the prominance of streams depicting child abuse not only as a primary source of abusive material, but also a secondary means for imagery to be harvested and subsequently redistributed. This work examines the impact that video streaming has on the local browser caches of Chrome (v75.0.3770.100) and Mozilla Firefox (v 67.0.4). The video streaming platforms Twitch, Youtube Live, Mixer, Ustream.tv, Smashcast.tv, Vimeo and Younow have been examined in order to determine the presence and structure of locally cached video content, and reconstruction methodologies (to allow cached stream fragments to be reviewed both in isolation, and chronologically as per the original stream-order) are offered where such a task is possible. 2. Methodology In
order
to
examine
cached
E-mail address: [email protected]. https://doi.org/10.1016/j.fsidi.2019.200893 1742-2876/© 2019 Published by Elsevier Ltd.
stream
content,
Nirsoft's
ChromeCacheView v 1.87 (Nirsoft, 2019a) and MozillaCacheView v 1.81 (Nirsoft, 2019b) tools were utilised to parse and display locally cached content. Both Chrome (v75.0.3770.100) and Mozilla Firefox (v 67.0.4) caches are examined, the two most popular browsers for Microsoft Windows (Statista, 2019). A test operating system platform of Windows 10 was used. For each of the streaming platforms examined both live broadcasts and recorded and stored broadcasts were examined for caching simulating those who engage in a live video stream and those who subsequently watch a saved broadcast at a later date. The presence of stream content in the browser cache was subsequently examined following the same methodology defined by Horsman (2018a). 2.1. Twitch Twitch has a reported 15 million daily users, arguably known for maintaining popularity with gaming communities (Influencer Marketing, 2019). Whilst the majority of Twitch content remains within stated usage terms and condition, there have been reports of the streaming of sexualised content (BBC News, 2017), terror events (Kenny, 2019) pirate media (BBC News, 2018a), assaults (2018c), covert filming (2018b), sexism content (2016b) and general abuse (2016a). 2.1.1. Live broadcasts The Twitch platform is designed for live streaming, allowing users to watch user generated content and engage with the channel via messaging facilities. When a user engages with a live broadcast,
2
G. Horsman / Forensic Science International: Digital Investigation 31 (2019) 200893
Fig. 1. Example cache content from live Twitch stream showing cached chat tile icons.
no caching of video stream content to the local machine's browser caches takes place. Whilst the caching of site contents and chat.gif tiles is stored, video content is not (see Fig. 1 for a snapshot of cached content occurring during a Twitch live video stream). This is surmised as due to a lack of buffering which takes place; a natural occurrence when content is transmitted live with no time delay/lag. Even when a stream is paused, content is not buffered locally as when the stream is resumed, a user is transported to a stream's current transmit position and missed content is lost to the user. This situation occurs in both the Chrome and Firefox browser caches.
2.1.2. Video playback Twitch users may choose to store their broadcasts on the platform so users can view content post-live broadcast. As videos are played back, cached video fragments are stored in the browser cache. Cached stream content follows the naming convention
Each.ts file contains approximately 9 s of video stream including audio. Whilst not an absolute marker of a videos position (testing highlighted the inclusion of small amounts of sporadic buffered content containing smaller amounts of video content), it can provide a positional estimate. For example, if files 500.ts - 550.ts are present in the cache, an estimate would place the user having viewed a target video from around the 75th minute, and for approximately the next 7.5 min. Finally, it is necessary to state that cached content is not necessarily an example of viewed content. What can be inferred is that the video must be playing in the browser window for caching to occur and a maximum of 9 s in advance of the current video position may have been buffered but not physically viewed (see Fig. 4). A typical Twitch stream URL is offered below where the red text (‘ninja’) indicates the user name of the streaming account, followed by a numeric string which identifies the stream. Therefore all stream chunks with the same numeric string belong to the same stream. Each stream chunk is in Video Transport Stream File format, a common format for video media storage (FileInfo, 2019). Each.ts file maintains a file header of 0x47 40 00, and the files have no obvious consistent traditionally positioned footer causing a challenge for file carving processes to recover deleted cached content from
Fig. 2. Twitch video playback from the start of a video.
Fig. 3. Twitch video playback from the middle of a video.
G. Horsman / Forensic Science International: Digital Investigation 31 (2019) 200893
3
Fig. 4. A breakdown of Twitch stream buffering.
Fig. 7. Ustream.tv live stream cached content.
Fig. 5. The YouTube Live icon active during a live stream.
unallocated. Following testing, both Firefox and Chrome caches behave the same. 2.2. YouTube live The Youtube Live platform is a competitor of Twitch offering a platform for live broadcasting (Perez, 2018). Whilst non-live YouTube stream reconstruction is covered in Horsman (2018a), here live broadcasts are considered. Live broadcasts are noted when the YouTube window's ‘Live’ icon is active (red), noted below in Fig. 5. Stream content is cached in.mp4 (video - header: 0x00 00 00 1C 66 74 79 70 64 61 73 68) and.m4a (audio - header: 0x00 00 00 18 66 74 79 70 64 61 73 68) formats and each chunk is individually playable in media players such as VLC. Stream chunks bear no filename metadata which distinguishes the order of the streamed content; this must be established by examining the last accessed time and data information of the cached chunks and reviewing them in chronological order (see Fig. 6). Performance is the same for both the Chrome and Firefox browsers. 2.3. Ustream.tv (now IBM video) Ustream.tv streams which are broadcast live are cached locally. Cache activity occurs in ‘chunks’ with a typical cache file naming convention shown in Fig. 7. The typical naming convention is
Fig. 8. An example of Ustream.tv stream chunk padding.
structured as chunk_
2.4. Mixer
Fig. 6. YouTube Live stream caching.
Caching of live stream content does occur in Mixer, with typical cache structures shown in Fig. 9. Live stream caching occurs in the same format as Twitch when used to view recorded videos. Stream
4
G. Horsman / Forensic Science International: Digital Investigation 31 (2019) 200893
Fig. 9. Mixer live stream caching.
2.6. YouNow (www.younow.com) YouNow live stream local caching does not occur. Similar to Twitch, no buffering appears to occur and users have no option to control any of the live streams that they are viewing (pause/stop etc.). As a result, no streamed video is present in Chrome or Firefox browser caches. It appears that YouNow is a live-only stream platform. 3. Conclusions
Fig. 10. Smashcast.tv live stream caching.
chunks are split into.ts files with file headers of is 0x47 40 00, and the files have no obvious traditionally positioned footer causing a challenge for file carving processes. Unlike the previous platforms tested, there were no available recorded videos on the platform to examine for caching. Mixer also operates a ‘clips’ function where historic broadcasts can be shown, and this function does not cache video content locally. Performance is the same for both the Chrome and Firefox browsers.
2.5. Smashcast.tv Smashcast.tv is a streaming platform with a focus on gaming and esport streaming. Live streams are cached in the same format and structure as noted with Mixer above (
Fig. 11. Smashcast.tv live stream caching.
This work provides a followup to work by Horsman (2018a), examining a further six streaming platforms which are accessible via desktop web browsers, completing coverage of most of the main stream providers for this tech-platform. As with previous work, it is possible to determine that localcised caching of stream content does occur in most cases. Whilst viewing recorded non-live streams results in local caching in all platforms where this function is available, live stream broadcasts are only cached in four of the six platforms examined (not in Twitch and YouNow). This work further emphasises the need to examine cached video content where Internet history indicates that a user has engaged with video streaming platforms in order to fully establish their actions within a given platform. Future work requires stream reconstruction analysis of popular mobile applications to take place where the intricacies of mobile forensics and implications of restricted data access may play an important role in the success of determining whether local caching occurs on mobile devices. Declaration of competing interest No conflicts. References BBC News, 2016a. Twitch unveils new tool to tackle abuse in gaming. Available at: http://www.bbc.co.uk/newsbeat/article/38301072/twitch-unveils-new-tool-totackle-abuse-in-gaming. (Accessed 28 June 2019). Accessed. BBC News, 2016b. Twitch: gaming needs to ‘invest’ to tackle sexism. Available at: http://www.bbc.co.uk/newsbeat/article/37506506/twitch-gaming-needs-toinvest-to-tackle-sexism. (Accessed 28 June 2019). Accessed. BBC News, 2017. Calls for Twitch to police 'sexual streaming. Available at: https:// www.bbc.co.uk/news/technology-42222939. (Accessed 28 June 2019). Accessed. BBC News, 2018a. KSI v Logan Paul: twitch pirates outnumbered YouTube payers. Available at: https://www.bbc.co.uk/news/technology-45321629. (Accessed 28 June 2019). Accessed. BBC News, 2018b. Uber driver streamed hidden camera videos on Twitch. Available at: https://www.bbc.co.uk/news/technology-44924814. (Accessed 28 June 2019). Accessed. BBC News, 2018c. Fortnite: gamer charged with assault during live stream. Available at: https://www.bbc.co.uk/news/world-australia-46504204. (Accessed 28 June 2019). Accessed. BBC News, 2018d. Children under 13 groomed on live streams. Available at: https:// www.bbc.co.uk/news/uk-44233544. (Accessed 28 June 2019). Accessed. FileInfo, 2019. TS file extension. Available at: https://fileinfo.com/extension/
G. Horsman / Forensic Science International: Digital Investigation 31 (2019) 200893 ts#Video_Transport_Stream_File. (Accessed 28 June 2019). Accessed. Horsman, G., 2018a. Reconstructing streamed video content: a case study on YouTube and Facebook Live stream content in the Chrome web browser cache. Digit. Invest. 26, S30eS37. Horsman, G., 2018b. A forensic examination of the technical and legal challenges surrounding the investigation of child abuse on live streaming platforms: a case study on Periscope. Journal of Information Security and Applications 42, 107e117. Kenny, Katie, 2019. Twitch broadcasts Christchurch terror attack video just after its parent company signs the Christchurch Call. Available at: https://www.stuff.co. nz/national/christchurch-shooting/113255887/twitch-broadcasts-christchurchterror-attack-video-just-after-its-parent-company-signs-the-christchurch-call. (Accessed 28 June 2019). Accessed. Marketing, Influencer, 2019. 25 useful twitch statistics for influencer marketing managers [infographic]. Available at: https://influencermarketinghub.com/25useful-twitch-statistics/. (Accessed 28 June 2019). Accessed. Nirsoft, 2019a. ChromeCacheView v1.87 - Cache Viewer for Google Chrome Web Browser. Available at:: https://www.nirsoft.net/utils/chrome_cache_view.html.
5
(Accessed 28 June 2019). Accessed. Nirsoft, 2019b. MZCacheView v1.81 - view the cache files of Mozilla/Firefox browsers. Available at: https://www.nirsoft.net/utils/mozilla_cache_viewer. html. (Accessed 28 June 2019). Accessed. Perez, Sarah, 2018. YouTube is closing the gap with Twitch on live streaming, report finds. Available at: https://techcrunch.com/2018/10/25/youtube-is-closing-thegap-with-twitch-on-live-streaming-report-finds/. (Accessed 28 June 2019). Accessed. Statista, 2019. Global market share held by leading internet browsers from January 2012 to March 2019. Available at: https://www.statista.com/statistics/268254/ market-share-of-internet-browsers-worldwide-since-2009/. (Accessed 28 June 2019). Accessed. The Internet Watch Foundation, 2018. Trends in online child sexual exploitation: examining the distribution of captures of live-streamed child sexual abuse. Available at: https://www.iwf.org.uk/sites/default/files/inline-files/Distribution %20of%20Captures%20of%20Live-streamed%20Child%20Sexual%20Abuse% 20FINAL.pdf. (Accessed 28 June 2019). Accessed.