When music plays nearby, your phone compares a few seconds of music to its on-device library to try to recognize the song. This processing happens on your phone and is private to you. - Google AnswersSo since this history information is stored locally, we get a nice little database full of information. To view what you can from the UI, you can go to:
Settings > Sound > Now Playing
You will see a screen similar to this:
There isn't many switches to play with here other than turning on song info on your lock screen or receiving notifications. From here we can click Now Playing History to view a list of song history from as far back as the beginning of when the app was initiated.
If you click on a single song, you get a list of apps that the song can be streamed from:
Now that we know what can be accessed from the UI, let's take a look what we have from a forensic perspective via an ADB backup. The file path where this app information can be located is:
The file is a sqlite database with only a few columns. Opening this in DB Browser we see two tables, only one of real significance, recognition_history:
Timestamp was easily parsed, it was was in Unix Epoch format (Alexis Brignoni made a post on this).
History_entry is a Protobuf blob, which we can see some useful information just by looking at the hex:
But for further analysis we can export the blob out of DB Browser and parse using protoc.exe (thanks for the hint Joshua Hickman) and the following command:
protoc.exe --decode_raw < samplesong1
Here is the output we get:
As you can see from the markups, I was able to parse out some information of each track including song title, artist, and album information. We also see the URL paths to the streaming app locations from the UI. With a little help from Sarah Edwards, I was able to parse out the song duration in seconds, it is an 8-byte float stored in big-endian.
Track ID and album ID can be used to verify the song/album to some degree, they relate to Google Play Music store.
The most useful information tidbit from this may possibly be at the very top, the timezone of the device when the song was identified by the app. This could possibly put the owner of the device at a rough area during a specific timeframe.
All of the other information at this point I have yet to determine the usefulness.
You will see duplicate entries next to each other for songs. That is because Now Playing will listen for a small period of time every minute to conserve battery life, continually identifying what it can. If a song is 2+ minutes, you should see 2 entries for one song in a row, but each will have different timestamps associated.
Quick as always, Alexis Brignoni turned around a parser for ALEAPP in less than a day, so you can grab that now!