YouTube is one of the most popular video-sharing websites on the Internet, allowing users to upload, view and share videos with other users all over the world. YouTube contains many different types of videos, from homemade sketches to instructional and educational tutorials, and therefore attracts a wide variety of users with different interests. The majority of YouTube visits are perfectly innocent, but there may be circumstances where YouTube video access is related to a digital investigation, e.g. viewing instructional videos on how to perform potentially unlawful actions or how to make unlawful articles. When a user accesses a YouTube video through their browser, certain digital artefacts relating to that video access may be left on their system in a number of different locations. However, there has been very little research published in the area of YouTube video artefacts. The paper discusses the identification of some of the artefacts that are left by the Internet Explorer web browser on a Windows system after accessing a YouTube video. The information that can be recovered from these artefacts can include the video ID, the video name and possibly a cached copy of the video itself. In addition to identifying the artefacts that are left, the paper also investigates how these artefacts can be brought together and analysed to infer specifics about the user’s interaction with the YouTube website, for example whether the video was searched for or visited as a result of a suggestion after viewing a previous video. The result of this research is a Python based prototype that will analyse a mounted disk image, automatically extract the artefacts related to YouTube visits and produce a report summarising the YouTube video accesses on a system.


1. Statistics, www.youtube.com/t/press_statistics (visited July 2011)

2. YouTube Community Guidelines, http://www.youtube.com/t/community_guidelines (visited July 2011)

3. Nikkel, B. (2006), The Role of Digital Forensics within a Corporate Organization, IBSA Conference, Vienna.

4. Shariff, S. (2008), Cyber-bullying: Issues and Solutions for the School, the Classroom and the Home. Routledge.

5. Casey E, Digital Evidence and Computer Crime. Elsevier 2004, ISBN 0- 12-163104-4

6. Rogers, M.K. and Goldman, J. and Mislan, R. and Wedge, T. and Debrota, S. (2006) Computer forensics field triage process model, Proceedings of the Conference on Digital Forensics Security and Law

7. ACPO (2007) Good Practice Guide for Computer-Based Electronic Evidence

8. Carrier (2002) Defining Digital Forensic Examination and Analysis Tools, Digital Forensics Research Workshop II

9. Sureka et al (2010).Mining YouTube to Discover Extremist Videos, Users and Hidden Communities, Lecture Notes in Computer Science. 6458, 13- 24.

10. Adelstein F, Joyce R (2007) File Marshal: Automatic extraction of peer-topeer data, Digital Investigation. 4, 43-48.

11. Hargreaves C, & Chivers H, (2010) A Virtualisation Based Computer Forensic Research Tool. Cybercrime Forensics Education and Training Conference Canterbury, UK.

12. Norris P. (2009) The Internal Structure of the Windows Registry, MSc Thesis, Cranfield University, http://amnesia.gtisc.gatech.edu/~moyix/suzibandit.ltd.uk/MSc/

13. Jones, K. (2003) Forensic Analysis of Internet Explorer Activity Files, http://www.mcafee.com/us/resources/white-papers/foundstone/wppasco.pdf

14. Hargreaves, (2010) Establishing Context When Investigating a Suspect’s Internet Usage. Proceedings from 3rd Cybercrime Forensics Education & Training. Canterbury Christ Church University, Canterbury, UK.





To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.