Started Off Local, Now We’re in the Cloud: Forensic Examination of the Amazon Echo Show 15 Smart Display (2024)

\acsetup

single=true\DeclareAcronymFAUshort=FAU, long=Friedrich-Alexander-Universität Erlangen-Nürnberg\DeclareAcronymAPIshort=API,long=application programming interface,short-plural-form=APIs,long-plural-form=application programming interfaces\DeclareAcronymALSshort=ALS,long=ambient light sensor,short-plural-form=ALSs,long-plural-form=ambient light sensors\DeclareAcronymCPUshort=CPU,long=central processing unit,short-plural-form=CPUs,long-plural-form=central processing units\DeclareAcronymGPUshort=GPU,long=graphics processing unit,short-plural-form=GPUs,long-plural-form=graphics processing units\DeclareAcronymADBshort=ADB,long=Android Debug Bridge\DeclareAcronymAVDshort=AVD,long=Android Virtual Device,short-plural-form=AVDs,long-plural-form=Android Virtual Devices\DeclareAcronymAVSshort=AVS,long=Alexa Voice Service,short-plural-form=AVSs,long-plural-form=Alexa Voice Services\DeclareAcronymIVAshort=IVA,long=intelligent virtual assistant,short-plural-form=IVAs,long-plural-form=intelligent virtual assistants\DeclareAcronymIPAshort=IPA,long=Intelligent Personal Assistant,short-plural-form=IPAs,long-plural-form=Intelligent Personal Assistants\DeclareAcronymAWSshort=AWS,long=Amazon Web Services,\DeclareAcronymWLANshort=WLAN,long=wireless local area network,\DeclareAcronymJSONshort=JSON,long=JavaScript Object Notation,\DeclareAcronymDIALshort=DIAL,long=Discovery And Launch,\DeclareAcronymNSCAshort=NSCA,long=Nagios Service Check Acceptor,\DeclareAcronymHDMIshort=HDMI,long=High Definition Multimedia Interface,\DeclareAcronymTLSshort=TLS,long=Transport Layer Security,\DeclareAcronymSSDPshort=SSDP,long=Simple Service Discovery Protocol,\DeclareAcronymSSDP:NTshort=NT,long=Notification Type,long-plural-form=notification types,\DeclareAcronymUPnPshort=UPnP,long=Universal Plug and Play,\DeclareAcronymVMshort=VM,long=virtual machine,short-plural-form=VMs,long-plural-form=virtual machines\DeclareAcronymAPKshort=APK,long=Android Package,short-plural-form=APKs,long-plural-form=Android Packages\DeclareAcronymBLEshort=BLE,long=Bluetooth Low Energy,\DeclareAcronymMITMshort=MITM,long=man-in-the-middle,\DeclareAcronymPCBshort=PCB,long=printed circuit board,short-plural-form=PCBs,long-plural-form=printed circuit boards\DeclareAcronymEXIFshort=EXIF,long=Exchangeable Image File Format,\DeclareAcronymSoCshort=SoC,long=system on chip,short-plural-form=SoCs,long-plural-form=systems on chip,\DeclareAcronymPCB:FFCshort=FFC,long=flexible flat cable,short-plural-form=FFCs,long-plural-form=flexible flat cables,\DeclareAcronymBLOBshort=BLOB,long=binary large object,short-plural-form=BLOBs,long-plural-form=binary large objects,\DeclareAcronymOSshort=OS,long=operating system,short-plural-form=OSs,long-plural-form=operating systems,\DeclareAcronymCLIshort=CLI,long=command line interface,short-plural-form=CLIs,long-plural-form=command line interfaces,\DeclareAcronymSSIDshort=SSID,long=Service Set Identifier,short-plural-form=SSIDs,long-plural-form=Service Set Identifiers,\DeclareAcronymUUIDshort=UUID,long=universally unique identifier,short-plural-form=UUIDs,long-plural-form=universally unique identifiers,\DeclareAcronymUARTshort=UART,long=universal asynchronous receiver-transmitter,\DeclareAcronymJTAGshort=JTAG,long=Joint Test Action Group,\DeclareAcronymISPshort=ISP,long=in-system programming,\DeclareAcronymMMCshort=MMC,long=MultiMediaCard,short-plural-form=MMCs,long-plural-form=MultiMediaCards,\DeclareAcronymeMMCshort=eMMC,long=embedded MultiMediaCard,short-plural-form=eMMCs,long-plural-form=embedded MultiMediaCards,\DeclareAcronymFCCshort=FCC,long=Federal Communications Commission,\DeclareAcronymCIFTshort=CIFT,long=Cloud-based IoT Forensic Toolkit,\DeclareAcronymBGAshort=BGA,long=Ball Grid Array,\DeclareAcronymMLBshort=MLB,long=main logic board,short-plural-form=MLBs,long-plural-form=main logic boards,\DeclareAcronymCBCshort=CBC,long=cipher-block chaining,\DeclareAcronymTNRshort=TNR,long=temporal noise reduction,\DeclareAcronymTPshort=TP,long=test point,short-plural-form=TPs,long-plural-form=test points,

mode=titleStarted Off Local, Now We’re in the Cloud: Forensic Examination of the Amazon Echo Show 15 Smart Display

1]organization=Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU), country=Germany

\cormark

[1]\cortext[1]corresponding author

\credit

Conceptualization, Data curation, Investigation, Methodology, Visualization, Software, Validation, Writing — original draft, Writing — review & editing

\credit

Conceptualization, Investigation, Methodology, Visualization, Resources, Project administration, Funding acquisition, Writing — review & editing

Jona Crasseltjona.crasselt@fau.de[  Gaston Pugliese

Abstract

Amazon Echo is one of the most popularproduct families of smart speakers and displays. Considering their growing presence in modern householdsas well as the digital tracesassociated with residents’ interactions with these devices,analyses of Echo products are likely to become more commonfor forensic investigators at “smart home” crime scenes. With this in mind, we present the first forensic examinationof the Echo Show15, Amazon’s largest smart displayrunning on Fire OS and the first Echo devicewith Visual ID, a face recognition feature. We unveil a non-invasive method for accessingthe unencrypted file system of the Echo Show15based on an undocumented pinoutfor the \acseMMC interfacewhich we discovered on the \aclMLB. On the device, we identify various local usage artifacts,such as searched products, streamed movies,visited websites, metadata of photos and videosas well as logged events of Visual IDabout movements and users detected by the built-in camera. Furthermore, we utilize an insecurely stored token on the Echo Show15to obtain access to remote user artifacts in Amazon’s cloud,including Alexa voice requests, calendars, contacts, conversations,photos, and videos. In this regard, we also identify new Amazon \acspAPIthrough network traffic analysis of two companion apps,namely Alexa and Photos. Overall, in terms of practical relevance,our findings demonstrate a non-destructive way of data acquisitionfor Echo Show 15 devicesas well as how to lift the scope of forensic tracesfrom local artifacts on the deviceto remote artifacts stored in the cloud.

keywords:

Amazon Echo Show \sepData Acquisition \sepLocal and Cloud Artifacts \sepCompanion App \sepSmart Home Forensics \sepHardware Forensics

{textblock*}

11cm(7.7cm,3.7cm)Accepted for publication at DFRWS USA 2024.
Original PDF available at conference website.
BibTeX entry available at GitHub.

1 Introduction

Smart home appliances often provide a low-threshold entryinto the smartification of domestic living environments. Especially smart speakers with their ability to play music,answer questions via \acpIVA, or control other connected devices,are a strikingly popular category of smart home products (Armstrong, 2022).Due to their display-less design,the interaction with smart speakers is primarily drivenby users’ voice requests which are answered by audio responses. For certain actions, or for receiving visual responses,however, a smartphone—usually in combination with acompanion app—is required. This interaction gap was closed bythe product category of smart displayswhose built-in screens and graphical user interfacesenable direct touch control in addition.

Amazon’s smart device family Echowas by far the most popular brandin Germany and the U.S. in 2022(Statista, 2023; Richter, 2023). The Echo series features the \acIVA Alexaand includes mainly smart speakers and displaysbut also earbuds and glasses. Since Amazon has launched its Echo product family in 2014,new devices have been released regularly. In 2021, a new wall- or stand-mounted smart display model was introducedand marketed as a dashboard for family organization,home automation, and streaming: The Echo Show15is Amazon’s largest smart display at the time of writingand the first model that shipped with Visual ID,a user recognition feature enabled by the built-in camera.

Due to their popularity and increasing presence in smart home environmentsas well asthe variety of traces resulting from active user interactionsand passive observations of the environment via microphone and camera,Echo devices are interesting objects of investigationfrom both a privacy and forensic perspective(Lau etal., 2018; Bouchaud etal., 2018). Prior work on previous Echo devices showed thatuser-related data is only partly stored locally,whereas the Amazon cloud is a more comprehensive source(Chung etal., 2017; Krueger and McKeown, 2020; Youn etal., 2021), which highlights the importance of obtaining both local and remote artifactsduring forensic investigations.

As for IoT devices (Gómez etal., 2021), however,and despite their similarities with desktop or mobile devices,the forensic analysis of non-conventional devices,like those of the Echo series,can be challenging and time-consuming. Practically speaking, unique hardware, custom firmware, and security measurescan hinder analyses in terms of success and economic efficiency. Using a hardware debug interface (e.g., UART, JTAG)or removing the flash memory chip (“chip-off”)is often the only option for data gathering;at least if an interface is available and the data is not encrypted. Besides, if no exploitable vulnerabilities exist,and if both the user and the vendor are unwilling to cooperate,obtaining credentials for bypassing authentication or encryption mechanismsis another obstacle for forensic investigators. Likewise, since acquisition methods vary in their invasiveness,it is crucial to assess and minimizethe risk of data damage and lossto ensure forensic soundness (Casey, 2007).

In light of the fact that smart devices become“invisible witnesses(Urquhart etal., 2022)at crime scenes in smart homes,this paper presents the first forensic examination of the Echo Show15to close a device-specific research gap in the forensic literature. As is typical for a device that has not been thoroughly studied yet,we began our research by asking the fundamental question: Which local and remote artifacts of forensic relevancecan be acquired from the Amazon Echo Show15, and how?

Contributions.

As we are not aware of any prior work on the Echo Show15,our main contributions are as follows:

  • To the best of our knowledge, we are the first toexamine Amazon’s smart display Echo Show15 forensically.

  • We identified an undocumented \acseMMC pinout on the \acMLB,resulting in non-invasive access to the unencrypted file system of the Echo Show15.

  • We discovered that the Echo Show15 logs events of detected movementsand recognized users locally. Besides identifying device-specific artifacts, we also confirmed the existence of artifactsknown from prior Echo devices.

  • We decrypted a token from a local database of the Echo Show15for accessing remote artifacts via cloud \acspAPI.

  • We encountered additional Amazon \acsAPI endpointsby analyzing the network traffic of two companion apps,namely Alexa and Photos,resulting in new and alternative sources for obtaining remote artifacts.

Artifacts.

Our paper artifacts are open source and available atgithub.com/jcrasselt/amazon-echo-show-15,including curated overviews on both local and remote artifacts of the Echo Show15as well as scripts to ease data acquisition.

Outline.

Initially, we provide background information on the Echo Show15 and related work (Section2). Our examination results of the Echo Show15 are divided into three sections,namely hardware findings (Section3),file system findings (Section4),and companion app and cloud findings (Section5). Finally, we discuss our results (Section6),and conclude the paper (Section7).

2 Background

In this section, we first provide technical and contextual informationabout the Echo Show15 smart display by addressing its hardware, software, user accounts,as well as its cloud connectivity and companion apps. Afterward, we give an overview on related work in the forensic literature.

2.1 Amazon Echo Show 15

Started Off Local, Now We’re in the Cloud: Forensic Examination of the Amazon Echo Show 15 Smart Display (1)
Started Off Local, Now We’re in the Cloud: Forensic Examination of the Amazon Echo Show 15 Smart Display (2)

The Echo Show15 is Amazon’s first wall- and stand-mountablesmart display and marketed for family organization andentertainment purposes, as well as for serving as a digital photo frameand smart home hub (Amazon, 2022). Since its release in 2021, the Echo Show15 has the largest screenamong all models and device generations within the Echo Show product family,as the other smart displays were primarily designed to be placed on a counter(e.g., Echo Show5, Echo Show8, or Echo Show10).

Hardware.

The Echo Show15 (cf. Figure1(a))has a housing dimension of 402x252x35mm (WxHxD)and features a 15.6-inch Full HD touchscreen (1080p)supporting both landscape and portrait mode(Amazon, 2022). The device specificationsfurther disclose an “Amlogic PopcornA (Pop1)” \acSoCwith four “Arm Cortex-A73” and four “Arm Cortex-A53” \acspCPU,an “Arm Mali-G52 MP8(8EE)” \acsGPU, as well as3GB of RAM and 16GB of flash memory (\acseMMC). The smart display has a 5MP front-facing camera,a 6-mic array, an \aclALS (\acsALS), and two speakers. Wireless communication is supportedvia Wi-Fi 802.11 (a/b/g/n/ac) and Bluetooth5.0. Apart from a power supply jack,there is only a Micro-USB portto connect a USB-to-Ethernet adapterfor wired Internet access. The casing frame contains a physical slider to cover the cameraand three analog buttons (cf. Figure1(b));two buttons to control the speaker volume, and one button to turn thedevice on and off and also to activate a privacy modewhich prevents the virtual assistant Alexafrom listening to voice prompts.

Software.

Like Amazon’s FireTV and FireTabletdevices (Amazon, 2017),the Echo Show 15 runs Fire OS7which is based on Android9 (Level28). The scope of functions, however, has beenreduced for Echo Show devices, as, for example,sideloading apps is no longer possible(ioBroker, 2022). The Echo Show15 can be used to, inter alia, engage with Alexa via voice commands,manage calendars or to-do and shopping lists,stream music and movies, make video calls, or browse the Web using the Silk browser. Also, users can be distinguished by their voice and faceusing the optional features Voice ID and Visual ID, respectively. While Voice ID has already been available for Echo smart speakers,Visual ID was introduced with the Echo Show15and enables face detection and recognitionto display user-dependent content (Amazon, 2021a). Meanwhile, VisualID has been rolled out to Echo Show8 (Gen. 2)and Echo Show10 (Gen. 3) devices as well(Amazon, 2021b).

User Accounts.

An Amazon account is mandatory for setting up the Echo Show15. For additional users in a multi-person household,so-called Alexa profilescan be created for both adults and kids (Amazon, 2024). Since there is no additional authentication,any individual with close spatial or immediate physical accessto the Echo Show15 may issue voice commandsor perform actions via touch gestures under an arbitrary profile. Therefore, even though enabled Voice ID or Visual ID may associateinteractions to a certain profile,attributions to individuals must be made with caution.

Cloud & Apps.

Generally, Echo and Echo Show devices strongly rely on the Alexa cloud,as voice commands are processed remotely by the \aclAVS (\acsAVS)(Chung etal., 2017; Krueger and McKeown, 2020; Youn etal., 2021). Likewise, the cloud connection is required to synchronizeuser data across devices, including large files like photoswhich are uploaded to Amazon’s online storage. For display-less Echo smart speakers, the companion app “Amazon Alexa”is essential to set up a network connection via Wi-Fi,while smart displays like the Echo Show15can be set up directly using the touchscreen. After the initial setup, the Alexa companion app can be further used to, inter alia,engage in text and video conversations with other users,control connected smart home devices,install additional Alexa Skills(i.e., add-on apps to enhance the capabilities of Alexa),or manage device settings and user datastored in the vendor’s cloud,such as calendars, contacts, to-do and shopping lists,or a history of past Alexa voice commands. Another companion app called “Amazon Photos”is available for managing the photos in Amazon’s online storage.

2.2 Related Work

Chung etal. (2017) proposed a general approach forexamining Alexa-powered smart devices forensicallyand suggested to organize the analysis based on thecomponents involved in the Alexa ecosystem, i.e.,Alexa-enabled devices,clients like companion apps or web browsers,the Alexa cloud,and the network communication within this ecosystem. Their analysis resulted in anunofficial Alexa \acsAPI description as well as CIFT,a proof-of-concept tool for cloud-based IoT forensics. Youn etal. (2021) performed a chip-off on an Echo Show (Gen. 2) deviceand extracted, inter alia, user credentials (i.e., Account ID, email address, and password)from the \acseMMC to access remote artifacts in the vendor cloud. Furthermore, they refined the unofficial \acAPI descriptionof Chung etal. (2017)by functionalities that are specific for smart displays.Krueger and McKeown (2020) investigated the Alexa \acAPI and thecloud artifacts of second- and third-generation Echo Dot devices,and found that certain information can be found in multipleplaces which facilitates the recognition of manipulation attempts.

Many previous work on Alexa forensicsfocused on detecting hardware debug interfacesfor obtaining file system access(Clinton etal., 2016; Hyde and Moran, 2017; Vasile etal., 2019; Vanderpot, 2017; Pawlaszczyk etal., 2019; ElFaramawi, 2020). Identifying such interfaces on \aclpPCB usually requires manual probingas available ports, pins, and \aclpTP are not necessarily annotatedand the board of each device has a different layout. In previous Echo models, different kinds of debug interfaces have been identifiedwhich led to file system access (e.g., JTAG, UART, eMMC, ISP). For more recent devices of Amazon’s Echo family, however, no debug interfaces werediscovered that allow reading the flash memory chip non-invasively,making a destructive chip-off procedure necessary.

The vendor’s cloud is of fundamental value for forensic investigations,as Echo devices store most of their user data remotely(Chung etal., 2017; Krueger and McKeown, 2020; Youn etal., 2021). Accessing this data, however, is not trivial, because nowadays credentials forthe Alexa \acAPI are only stored as encrypted tokens on the deviceand within companion apps (Hyde and Moran, 2017; Hutchinson etal., 2022). Although Olufohunsi and Agyekwena (2020) assumed that the encryption key is storedin the same database as the encrypted tokens, a decryption has not been reported yet,making investigators depend on either the cooperation of the user or Amazonduring data acquisition.

3 Hardware Examination

In July 2022 and February 2023, we purchased two Echo Show15 devicesthat had the same \aclMLB (\acsMLB) build number (“30-006507 REV01”). Below, we present our hardware-related findings wrt. the smart display’sMicro-USB port (Section3.1),\acpPCB (Section3.2),UART port (Section3.2.1),Micro-HDMI port (Section3.2.2),as well as a yet undocumented pinout for the eMMC interfacewhich we revealed (Section3.2.3).

3.1 Micro-USB Port

When connecting the Echo Show 15 to a computer via its Micro-USB portand running lsusb,it is not recognized as a USB device. For Echo Dot smart speakers,a button combination has been identified in prior work(micaksica, 2017; Vanderpot, 2017)that boots the device into fastboot mode and makes itavailable as fastboot device. Fastboot is a protocol for communicating with the Android bootloader. For the Echo Show15, we found a similar button combination:Pressing the volume down and power/privacy button concurrently while powered off,the screen shows the Amazon logo on a black background after about four seconds. However, pressing both the volume up and down buttonand then the power/privacy button leads to a factory reset. Booted into fastboot mode, the Echo Show15 isrecognized by lsusb, and the toolfastbootcan read the bootloader variableswhich reveal that the bootloader is locked,the bootloader’s version (“01.01.220125.215459”),the device’s serial number (16 alphanumeric characters)and internal product name (“hoya”),and an incomplete partition table(boot, system, vendor, odm, data;cf. Table3 in Section4.3).

3.2 Printed Circuit Boards

Since fastboot via Micro-USB port did not allow further access,we unscrewed and removed the backplate of the Echo Show15to take a look at the \acpPCB shown in Figure2:

  • Two \acpPCB, each with a microphone array.

  • A \acPCBon the top side of the Echo Show 15which containsa camera cover slider,a power/privacy button,two volume buttons (up/down),a microphone array.

  • A \acPCBfor power management and audio processing,including a Micro-USB port.

  • The \acMLBshown in Figure3 withAmlogic PopcornA/POP1-C \acsSoC (cf. Section2.1),2GB LPDDR4 RAM and 1GB LPDDR4x RAM from Samsung,an \acseMMC with 16GB (SDINBDG4-16G)by SanDisk as BGA 153 package,a dual-band Wi-Fi (802.11a/b/g/n/ac) andBluetooth 5.1 module by USI (WM-BAC-MT-63).

Started Off Local, Now We’re in the Cloud: Forensic Examination of the Amazon Echo Show 15 Smart Display (3)

For debugging and testing purposes, manufacturers often integrate\aclpTP (\acspTP) and portsfor serial communication into their \acpPCB. In earlier Echo models, such interfaces were availableand allowed to access a shell, to dump the firmware by reading the flashmemory, or to boot from an external SD card (Clinton etal., 2016). In later Echo models, however,those interfaces were either limitedor eliminated, whereby a chip-offremained the last option to access file system data(Pawlaszczyk etal., 2019; Youn etal., 2021).

3.2.1 UART Port

We compared the \acMLB of our Echo Show15 to internal photos of a pre-market versionsubmitted to the \acFCC (FCC, 2021)to identify missing components in the end productwhich may reveal debug ports. The front side of the pre-market\acMLB contained a 3-pin connector,while our board only had the contacts the connector was soldered to(cf. Figure3(a)). Considering the debug interfaces found in earlier Echo models,only \acsUART (\aclUART) uses three pins:Ground (GND), receive (RX), and transmit (TX).

Started Off Local, Now We’re in the Cloud: Forensic Examination of the Amazon Echo Show 15 Smart Display (4)
Started Off Local, Now We’re in the Cloud: Forensic Examination of the Amazon Echo Show 15 Smart Display (5)

Using a multimeter, the contact without \acTPwas identified as Ground, and both remaining contacts were measured around3.3V with a little fluctuation (TX) and constant 3.1V (RX), respectively. For establishing a serial connectionfrom the Echo Show15 to a computer via \acUART,we set an UART-to-USB adapter to 3.3Vand attached jump wires which weresoldered to the identified contacts on the \acMLB. We identified a baud rate of 921600 as fitting (8N1:8 data bits, no parity bit and 1 stop bit),while earlier Echo devices had baud rates of 115200 or 912000 (Vasile etal., 2019). Once the Echo Show15 was powered on,the command-line tool screen printed the boot logs,including the logs of the bootloader U-Boot(v2019.01, build ID “jenkins-fireos_main_pie-patch-build-193097”),which was already used as bootloader in previous Echo devices(Clinton etal., 2016; Vasile etal., 2019). The boot log was not followed by a login shell,as is sometimes the case for \acUART interfaces. In addition to the information that the firmware image is signedand the number of device starts (bootcount),the boot log indicated to “Hit Enter key to stop autoboot”,which led to a bootloader shell. Although available commands were revealed by tab completion,all of them were blocked.

3.2.2 Micro-HDMI

Another difference between the \acMLB of theEcho Show 15 device filed to the \acFCC and ourswas a missing Micro-HDMI port, of which only the solder pads marked inFigure3(a) were left on the board of the end product. Our attempt to solder a \acsHDMI breakout board to the padsand connecting both a display and a video sourceyielded no observable response of the Echo Show15. Therefore, the purpose of the Micro-HDMI portas well as its proper functioning in the end productremained unclear to us (cf. Section6.3).

3.2.3 eMMC Interface

During our search for further debug interfaces,we used a logic analyzer to check the signals of \acpTP on the \acMLB. Unlike the discovered asynchronous \acUART interface,other interfaces need a clock for synchronous communication(e.g., \acsJTAG, \acsISP, \acseMMC). Although we found a clock signal,we could not identify protocol-specific \acpTP systematically. Since we had not found a non-invasive way to read out the \aceMMC yet,we performed a chip-off. With the \aceMMC contacts being exposed after removing the chip,we were able to measure continuity between themand a group of \acpTP on the back of the \acMLB (cf. Figure3(b)),including the clock mentioned above. Figure4 shows thatall relevant \aceMMC channels (cf. Table1)can be accessed through undocumented \acpTP. For Ground, one of the grounded mounting holes can be used.

Started Off Local, Now We’re in the Cloud: Forensic Examination of the Amazon Echo Show 15 Smart Display (6)
ChannelDescription
CLKClock signal
CMDBidirectional command line
D0…D7Bidirectional data lines
VCCInput voltage for flash storage (3.3V)
VCCQInput voltage for controller (1.8V)
VSS(Q)Ground

As our first Echo Show15 no longer had an \aceMMC chip,we continued our examination with the second device. To read its \aceMMC chip, needle probes were placed on all identified \acpTP(cf. Table1 and Figure4). Although the \aceMMC protocol can operate with 1, 4, or 8 data channels,we only used the D0-channel in 1-bit mode due to space limitations. The probes were connected to an EasyJTAG Plus box,a tool for reading various types of flash memory chipswhich is equipped with a 20-pin connector that is compatible witha variety of sockets and extension cards. We connected the probes directly to the 20-pin connector according to the pin assignment provided by the EasyJTAG Classic Suitesoftware (cf. Figure5). With the pinout mode “EasyJTAG2/E-Socket”,a clock rate of 1MHz,an IO voltage of 1.8V, and a bus width of 1bit,all partitions could be dumped. Based on partial partition information found in the fastboot variables(cf. Section3.1), however,we recognized the absence of the data partition. As the remaining unmapped space was about the same size as the missingpartition, we dumped the unmapped space as well. Eventually, the ext4 data partition could be extractedfrom the unmapped space with binwalk.

Started Off Local, Now We’re in the Cloud: Forensic Examination of the Amazon Echo Show 15 Smart Display (7)

4 Local Artifacts of the Echo Show 15

Before reading the \acseMMC chip of our second device non-invasivelyusing the undocumented pinout for the \acseMMC interface (cf. Section3.2.3),we generated test data by using the smart display regularly. Below, we address how we generated the test data(Section4.1),the layout of the partition table(Section4.2),which artifacts known from previous Echo products(Section4.3)as well as such related to logs and interaction events(Section4.4)and Visual ID (Section4.5)were found on the Echo Show15,and how credential tokens for the Alexa cloud can be decrypted(Section4.6).

4.1 Test Data Generation

We installed the Echo Show 15 in a separate roomso that every stimulus to the camera and microphones could be documented. To correlate performed interactions and persisted artifacts,most interactions with the smart display were documented nearly to the second. The Echo Show15 was used between February and August 2023with Fire OS versions 7.5.0.1 (PS7501/4131) – 7.5.5.9 (PS7559/3534)as follows: Alexa was regularly asked for weather forecasts, news,and estimated travel times to work. Appointments have been created in the calendar,and a Google calendar was synchronized. The shopping and to-do lists were filled with itemsthat were occasionally ticked off. The built-in browser Silk was used to browse the Web via touchscreen,and to store credentials for certain websites. Movies were watched using Amazon’s Prime Videoas well as other services offered by Fire TV (e.g., YouTube). We created additional Alexa profiles and configured respective Voice IDs and Visual IDs. Since the Echo Show 15 responds to motion by waking up from a dimmed screen,we documented when a person was in the camera’s view and whether their face was visible to the camera. The camera was used to take pictures and videos,as well as for video calls via the Amazon Alexa companion app. Further, custom pictures were uploaded to the Echo Show15via the Amazon Photos companion app. Using the eponymous companion app,the capabilities of Alexa were extended by installing the Skill for Spotify. Finally, we linked a Wi-Fi smart camera to Alexavia the Skill “Yi Home Camera”for displaying the camera’s live image on the Echo Show15. A summary of artifacts generated by aforementioned activities is listed inTable2.

ArtifactsKnownFoundLocation
User data\acAPI, Echo (partial)
Settings\acAPI
Wi-Fi credentialsEcho
Voice requests/responses\acAPI, Echo (cache)
Video calls\acAPI (metadata)
Browser (history, cred., cookies)Echo
Lists (Shopping, To-Do)\acAPI
Calendars (Alexa, Google)\acAPI
Photos & videos (w/ metadata)\acAPI
Connected devices\acAPI
Songs played on Spotify\acAPI
Conversations w/ Alexa users\acAPI
Local notes for local users
Local users (Voice ID, Visual ID)\acAPI
Prime Video historyEcho
Visual IDEcho (logs*)
Privacy mode; close cameraEcho (logs*)
Use of Fire TV apps (e.g., YouTube)Echo (cache*)

4.2 Partition Table of Fire OS

Using the non-invasive method described in Section3.2.3,a file system dump with the partitions in Table3was obtained from the Echo Show15. A partition table found in the log filecache:/recovery/last_kmsghelped to label the partitions. User-related data is stored on the data partition.

4.3 Known Artifacts from Previous Works

Local artifacts of forensic relevance have been identified in prior workfor several previous Echo products (cf. Section2.2). Youn etal. (2021) compiled a comprehensive list ofuser-related data on the Echo Show (Gen. 2)based on which we found, for example,Wi-Fi credentials, log files indicating voice interactions and camera usage,metadata of taken photos and videos, and browser data on the Echo Show15. Most of the remaining artifacts (cf. Table2),such as user-related data, voice commands, lists, calendars,device information, or photos and videos,however, are stored in the cloud andsynchronized with the companion apps or other connected Echo devices(Chung etal., 2017; Krueger and McKeown, 2020). An extensive and detailed overview of all our local and remote artifact findingsfor the Echo Show15, including a comparison with related work,is given in Table6. In the following subsections, we will therefore focuson device-specific artifacts discovered on the Echo Show 15.

PartitionSizeOffsetSize (Bytes)
bootloader4 MB0x000000000x000400000
reserved8 MB0x024000000x000800000
nvcfg4 MB0x02d000000x000400000
tee8 MB0x032000000x000800000
boot*24 MB0x03b000000x001800000
recovery24 MB0x054000000x001800000
logo4 MB0x06d000000x000400000
misc1 MB0x072000000x000100000
cri_data2 MB0x074000000x000200000
vendor*300 MB0x077000000x012c00000
odm*8 MB0x1a4000000x000800000
system*3 GB0x1ad000000x0c2000000
product12 MB0xdce000000x000c00000
cache512 MB0xddb000000x020000000
data*10.7 GB0xfdc000000x2ad800000

4.4 Logs and Interaction Events

Fire OS uses Android’sDropBoxManager111developer.android.com/reference/android/os/DropBoxManager.htmlto write system logs on the data partition in/system/dropbox/ and /logd/ stored as ZIP archives named“Log.{category}@{unixtimestamp}.txt.zip” using the categoriescrash, events, kernel, main,metrics, system and vitals. Prior work showed that these logs allow to draw conclusions aboutuser interactions (Youn etal., 2021). Calling the wake word (i.e., voice command required to start interaction with Alexa)is logged in “Log.system.*” as WAKE_WORD event. Every button press is recorded as BUTTON_EVENT,and every touch on the screen as TOUCH_EVENT. On the Echo Show15, Alexa can be prevented from listening and watchingby pressing the power/privacy button,or by closing the camera slider(cf. Figure1(b)),resulting inPRIVACY_MODE_{ON,OFF} andCAMERA_{EN,DIS}ABLED eventsbeing logged in “Log.system.*”, respectively.

4.5 Visual ID Artifacts

Due to its face recognition feature,the Echo Show15 constantly observes the room via its camera,even when users are not actively interacting with the device. Interestingly, Visual ID does not identify userswhen the device was started without Internet connectionand stays offline. However, if the device is started while connectedto the Internet and then taken offline,Visual ID works. When the camera observes any movement,a MOTION event is loggedin “Log.main.*”,indicating whether the motion originatedfrom a person and whether that person is enrolled in Visual ID,as well as the reliability of the detectionvia a face quality score and the personId of the recognized face,which is also reported to the Alexa cloud. The database “/data/com.amazon.alexa.identity/databases/recognition”stores the personId of users enrolled in Visual ID in the tableFaceEnrolledProfilesRecognition. Note that values in the column lastRecognizedTimeMillisdo not indicate the last time a user was recognized,but—in our case—more likely the last time the device was started. The main user, whose Amazon account is loggedin, can be identified by searching for their personId in theaccount_data_key columnof the table account_data in the databasedata:“/data/com.amazon.imp/databases/map_data_storage_v2.db”to link it to their directedId from columnaccount_data_directed_id. The corresponding username of the directedIdcan be obtained via theAlexa \acAPI (cf. Section5.2.2).

4.6 Token Database

While Youn etal. (2021) couldretrieve user credentials from the Silk browser,this was no longer possible for the Echo Show15. Although the user is automatically logged in into the Amazon website,an explicit login was required to accesscloud \acpAPI (cf. Section5.2)and the Alexa webpage alexa.amazon.com;the latter allowed to view data stored in the cloud,but was taken offline during our tests. In earlier Echo models, the database “map_data_storage.db”contained access tokens for communicating with the Alexa \acAPI(Chung etal., 2017). Eventually, it was succeeded by “map_data_storage_v2.db”in data:“/data/com.amazon.imp/databases/”, whichstores all tokens in encrypted form andis also present in the Alexa app (cf. Section5.1.1). Olufohunsi and Agyekwena (2020)assumed that the Base64-encoded value forkey_encryption_secret in the tableencryption_data could be the encryption key,but did not determine the type of encryption in use. To identify the most likely encryption scheme,we searched for open-source projects from Amazonand found222github.com/aws/amazon-s3-encryption-client-javathat the values in “map_data_storage_v2.db” wereencrypted using AES with \acfCBC, PKCS#5 padding,and an initialization vector length of 16. Based on this information and the unprotected encryption key,the “refresh token” for the Alexa \acAPI could be decrypted,resulting in unrestricted access to cloud artifacts(cf. Section5.2, Table6).

5 Remote Artifacts of the Echo Show 15

As the network traffic of the Echo Show15 is encrypted,and Fire OS does not allow to set a proxy or to inject custom certificates,we analyzed the remaining sources for acquiring remote artifacts:the two companion apps Amazon Alexa and Amazon Photos(Section5.1),and the Amazon/Alexa cloud (Section5.2).

5.1 Storage of Companion Apps on Smartphone

We set up a rooted \acAVD (9.0) to access the local datastored by the two companion apps for the Echo Show15in the storage of an emulated smartphone via adb.

5.1.1 Alexa App

The private application storage of the Amazon Alexa companion app(version 2022.21; 2.2.487227.0)is located at /data/data/com.amazon.dee.app/and contains, inter alia, the following artifacts:

shared_prefs/service.identity.xml

Lists the user’s name, email address, user-specific IDs, andthe temporary \acAPI access token. Since the access token expires after one hour,it is unlikely that it will be still valid after retrieval.

databases/map_data_storage_v2.db

This database is equivalent to the one found on the Echo Show15(cf. Section4.6). It stores, inter alia, the access and refresh tokenused for authentication against the Alexa \acAPI in encrypted form.

app_webview/ApplicationCache/Cache/

Cached data from in-app Webviews (cf. Chung etal. (2017) for format).

shared_prefs/mobilytics.session-storage.xml

Reveals the start and end timestamps of when the app was last used.

5.1.2 Photos App

The private application storage of the Amazon Photos companion app(version 2.1.0.107.0-aosp-902005930g) is located at/data/data/com.amazon.clouddrive.photos/ and contains, inter alia,the following artifacts:

databases/discovery_database_*

Lists files that were uploaded in the app, incl.file size, resolution, time of upload, time when the photo was taken, and MD5 hash.

databases/map_data_storage.db

This database appears to be the predecessor of “map_data_storage_v2.db”from the Alexa app, as the access token and refresh token for the Alexa \acAPIwere still stored unencrypted during our tests.

cache/image_manager_disk_cache/

Directory containing cached images. While the pictures that were uploadedby the user kept their \acsEXIF metadata, the photos taken with theEcho Show15’s camera did not contain any information about when or with what device apicture was taken. Hidden pictures, as well as pictures which were deleted viathe app, remain in the cache.

databases/metadata_cache_database_*

The column data of the table cache_data contains\acsJSON-formatted metadata for cached images in“cache/image_manager_disk_cache/”, such as filename, size, MD5 hash,capture time, and whether the image was put in the trash. The value ofcreatedBy indicates whether a file was uploaded via thePhotos app (Prime Photos Android) or taken by the Echo Show(Knight Photos).For uploaded photos taken with a smartphone or camera,\acsEXIF metadata was retrievable.

5.2 Amazon and Alexa Cloud

Using an emulated smartphone (cf. Section5.1),the network traffic of the companion apps has been interceptedby installing a custom root certificate in Android. The remote artifacts identified for the Echo Show15,which are accessible through vendor \acpAPI,are summarized in Table6,including a scope-wise comparison with related workfor the individual local and remote artifacts.Below, we first focus on the insights that we gathered aboutthe different authorization methods (Section5.2.1)and kinds of user IDs (Section5.2.2)which are relevant for user identification when obtaining cloud artifacts. Afterward, we report on multimedia artifacts wrt.voice requests (Section5.2.3)as well as photos and videos (Section5.2.4),before we address a GraphQL \acAPI (Section5.2.5)that was not mentioned in the literature yet.

5.2.1 Authentication

The network analysis of the two companion appsshowed that the vendor’s \acAPI endpoints are distributedacross multiple hostnames and require distinct authentication methods(cf. Table4):(i) access token as Bearer in the Authorization header,(ii) access token in the X-Amz-Access-Token header, or(iii) session cookie.Both the access token and the session cookieswere also found in “map_data_storage_v2.db”(cf. Section4.6),but they are only valid for 1 and 24 hours, respectively.Their renewal requires the refresh tokenfound in “map_data_storage_v2.db” on the Echo Show15or within the companion apps’local data (cf. Section5.1).The refresh token appears to only expirewhen the user logs out of an app or device.

Authorization MethodHostname
Authorization headerapi.{amazon,amazonalexa}.com
Session cookies{alexa,skills-store,www}.amazon.{com,de,...};
alexa-comms-mobile-service.amazon.com
X-Amz-Access-Token header{cdws.eu-west-1,drive}.amazonaws.com

5.2.2 User IDs

Persons in the user’s contact list and users with a local profile are assigned an ID.The various user IDs listed in Table5,which are used by Amazon for different purposes,can be found not only in \acAPI responsesbut also in files on the Echo Show15 or within thecompanion apps (cf. Table6).While customerId and directedId are stored together withaccount-wide personal data, personId is used to distinguish localuser profiles.commsId and contactId are used in contact and conversationalcontexts. The \acAPI /alexa-privacy/apd/rvh/persons-in-household stores names oflocal user profiles, which may have configured a Voice ID or Visual ID,including their personId.

NameStructure
customerId{14-uppercase-alphanumerics}
directedIdamzn1.account.{28-uppercase-alphanumerics}
commsIdamzn1.comms.id.person.amzn1similar-to\sim{directedId}
contactId{uuid4}
personId1amzn1.actor.person.did.{72-uppercase-alphanumerics}
personIdV2amzn1.actor.person.oid.{13-or-14-uppercase-alphanumerics}
  • 1

    personId is also often used as alias fordirectedId or personIdV2

5.2.3 Voice Requests

All voice requests issued to the Echo Show15are stored by default for indefinite time in the Alexa cloud.Each record contains the device on which the request was received, a timestamp,and a transcript what Alexa understood.Also, the intent which was derived from the user’s requestas well as IDs of resources that may get updated as aconsequence of the voice command are logged.If Alexa was able to identify a person based on Voice ID,the associated personIdV2 is also saved (cf. Table5).Other user actions (e.g., via touch input),are not assigned to a user profile,even if the user was recognized by VisualID.As Alexa repeatedly assigned requests of a person without enabled Voice ID toanother user’s profile (with configured Voice ID) during our tests, althoughthose persons differed noticeably in their vocal pitch,any attribution by Alexa must be used with caution.If available, the recording of the request should be used for verification.While these recordings can contain background noise or be deleted by the user,the associated metadata may still be available(Krueger and McKeown, 2020), incl. a transcript of the user’s inquiry.

5.2.4 Photos and Videos

For a list of users’ photos and videos, including metadata,the \acAPI cdws.eu-west-1.amazonaws.com/drive/v1/searchcould be queried in our case.The individual unmodified files with preserved metadatacould be fetched fromcontent-eu.drive.amazonaws.com/v2/download/signed/{id}.

5.2.5 GraphQL

The Alexa app queries a GraphQL API at alexa.amazon.de/nexus/v1/graphql. All observed requests were device-related and contained informationabout our user’s Alexa-enabled devices (Echo Show 15)and the Wi-Fi smart camera that we connected to Alexa(cf. Section4.1). Further, we found indicators of GraphQL usage on the Echo Show15,as the path “api/profile/graphql” and a GraphQL query were locatedin the application system:/system/priv-app/com.amazon.alexa.identity/com.amazon.alexa.identity.apkusing the command-line tool strings. We manually replicated all REST and GraphQL \acAPI requestsof the companion apps(cf. Table6)using the tokensdiscovered on the Echo Show15 (cf. Section4.6),but not GraphQL \acAPI requests of the Echo Show15 itself,as the “csrf check failed”(cf. Section6.3).

6 Discussion

In this section, we discussthe relevance of our findings to practitioners (Section6.1),our artifacts coverage in light of related work (Section6.2),as well as limitations and future work (Section6.3).

6.1 Practical Relevance of Findings

Since data acquisition has become increasingly challengingfor even well-known devices like smartphones due to encryption,if not impossible without users’ cooperation,acquiring data from unconventional devices during real-world investigationsis unsurprisingly non-trivial.In many cases, as outlined methodically by Stachak etal. (2024),“manual acquisition” approaches via the user interfacenot only provide rather limited access to relevant artifacts, if any,but also jeopardize forensic soundness. While file system access via “OS-based” interfacesis often restricted or not available at all,“hardware-based” acquisition techniques, if applicable,require specific knowledge and experience;in the case of chip-off, as a last resort, a certain willingness to take risksis required due to the possibility of complete data loss.

All aforementioned obstacles to examining unconventional devicesin both single- and multi-source analysis contextsapply to the Echo Show15 and its extended ecosystem consisting of companion apps and vendor cloud. Combining our individual findings, however, results in a comprehensivedata acquisition strategy for Echo Show15 devices, covering both local and remote artifacts(cf. Figure6):

Started Off Local, Now We’re in the Cloud: Forensic Examination of the Amazon Echo Show 15 Smart Display (8)

Based on the undocumented pinout for the eMMC interfacethat we identified (cf. Section3.2.3),forensic investigators are now able to dump the file system non-invasively( , ). Knowing how to decrypt the refresh_token ( ; cf. Section4.6),which seems to be indefinitely valid and is storedin the credential database “map_data_storage_v2.db”on the device together with the corresponding encryption key,forensic investigators can now request a temporary access token or session cookie ( )to authenticate themselves against the vendor \acAPI,resulting in unrestricted access to user- and device-related remote artifactsstored in the vendor’s cloud ( ).

6.2 Artifacts in Light of Related Work

A detailed overview of all localand remote artifacts (cf. Section4, Section5)which we identified for the Echo Show15are summarized in Table6,including a comparison with related workregarding the coverage of individual artifacts.Additionally, we indicate which user IDs (cf. Table5)are obtainable from certain artifacts,as these IDs are relevant for querying certain \acpAPIand attributing found artifacts to user accounts.Except for two seemingly deprecated APIs for obtainingWi-Fi credentials and user interactions with Alexa,as well as the RKStorage1 artifact,we could either confirm the existence of known artifactsfrom previous work and earlier Echo devices(Chung etal., 2017; Hyde and Moran, 2017; Krueger and McKeown, 2020; Olufohunsi and Agyekwena, 2020; Youn etal., 2021),or report on yet unaddressed artifacts across the multi-source environment of our examinationconsisting of the Echo Show15, the two companion apps,and the Amazon cloud.

SourceArtifact(s)Location (directory/file path, or API path)[1][2][3][4][5]We
EchoWi-Fi credentials/misc/wifi/WifiConfigStore.xml
EchoCached images of searches/data/com.amazon.aria/cache/image_manager_disk_cache/
EchoRandom screenshots/system_ce/0/snapshots/
EchoRandom browser screenshots/data/com.amazon.cloud9/app_textures/
EchoPrime Video Watch History/data/com.amazon.avod/files/databases/dbplaybackhistory
EchoLast interaction by voice/data/amazon.speech.sim/shared_prefs/user_activity_prefs.xml
EchoKnown devices/data/com.amazon.alexahybridremoteskill/files/customerHomeRegistry.db;
/data/com.amazon.gloria.smarthome/shared_prefs/SmartHomeEntityCache.xml
EchoPicture of connected Wi-Fi camera/data/com.amazon.cardinal/cache/
EchoEncrypted API credentials/data/com.amazon.imp/databases/map_data_storage_v2.db
EchoUser data & internal IDs/securedStorageLocation/com.amazon.alta.h2clientservice/databases/alta.h2clientservice.db
EchoLog files/system/dropbox/
EchoLog files/logd/
EchoBrowser history, cookies, login data/data/com.amazon.cloud9/app_amazon_webview/amazon_webview/*
EchoTimestamp of last picture/data/com.amazon.zordon/shared_prefs/photobooth.xml
EchoPhoto & video metadata/data/com.amazon.zordon/databases/{directedId}.mixtape.db
EchoEncrypted Visual ID photos/data/com.amazon.edgecvs/files/album/*/
EchoEvent log/system/notification_log.db
EchoTimestamp of last boot/data/com.amazon.knight.calendar/shared_prefs/com.amazon.knight.calendar_preferences.xml
EchoLocal user IDs with Visual ID/data/com.amazon.alexa.identity/databases/recognition
Alexa appUser data & internal IDs{AApp}/shared_prefs/service.identity.xml
Alexa appTimestamp last app start{AApp}/shared_prefs/SHARED_PREFS.xml
Alexa appUser data & internal IDs{AApp}/shared_prefs/SHARED_PREFS_IDENTITY.xml
Alexa appTimestamps of last session{AApp}/shared_prefs/mobilytics.session-storage.xml
Alexa appSession cookies{AApp}/app_webview/Cookies
Alexa appCached files of webviews{AApp}/app_webview/ApplicationCache/Cache/
Alexa appCached files of webviews{AApp}/cache/org.chromium.android_webview/
Alexa appEncrypted API credentials{AApp}/databases/map_data_storage_v2.db
Alexa appShopping & To-do lists{AApp}/databases/DataStore.db
Alexa appUser data & internal IDs{AApp}/databases/comms-core-identity-database
Alexa appConversations (encrypted?){AApp}/databases/comms.db
Alexa appAlarms, timers, transcribed requests{AApp}/databases/RKStorage1
Photos appCached pictures{PApp}/cache/image_manager_disk_cache/
Photos appAPI credentials (unencrypted){PApp}/databases/map_data_storage.db
Photos appMetadata of uploaded pictures{PApp}/databases/discovery_database_*
Photos appMetadata (also EXIF) of pictures{PApp}/databases/metadata_cache_database_*
APIUser dataapi.amazon.com/user/profile
APIUser dataalexa.amazon.de/api/users/me
APIWi-Fi credentialsalexa.amazon.de/api/wifi/configs
APIUser interactions with Alexaalexa.amazon.de/api/activities
APIAlexa app landing screen contentalexa.amazon.de/api/content?personIdV2={personIdV2:did}
APIConfigured wake wordalexa.amazon.de/api/wake-word
APIAddress, device informationalexa.amazon.de/api/device-preferences
APIDevice list, capabilitiesalexa.amazon.de/api/devices-v2/device
APIDevice informationalexa.amazon.de/api/bluetooth
APIShopping & To-do listspitangui.amazon.com/api/todos?type={TASK,SHOPPING_ITEM}
APIShopping & To-do list propertiesalexa.amazon.de/api/namedLists
APIShopping & To-do list itemsalexa.amazon.de/api/namedLists/{listId}
APILiveview enabledalexa.amazon.de/api/v1/devices/{deviceAccountId}/settings/liveView
APIDevice information, online statecdws.eu-west-1.amazonaws.com/drive/v2/device-personalization/devices
APIMAC addressalexa.amazon.de/api/device-wifi-details
APIPersons in householdwww.amazon.de/alexa-privacy/apd/rvh/persons-in-household
APIUser dataalexa.amazon.de/api/household
APIAlexa enabled devicesalexa.amazon.de/api/phoenix
APIDetails of voice requestsalexa.amazon.de/api/home
APIDetails of voice requestswww.amazon.de/alexa-privacy/apd/rvh/customer-history-records?startTime={ts}&endTime={ts}
APIAudio files of voice requestswww.amazon.de/alexa-privacy/apd/rvh/audio?uid={utteranceId}
APIAvailable calendarsalexa.amazon.de/api/3PAccounts/accounts?includeLegacyCalendarAccounts=true
APICalendar eventsalexa.amazon.de/api/calendar/events/getEvents/{directedId}?startDateTime={ts}&endDateTime={ts}
APIList of local users (with IDs){comA}/accounts/({directedId})
APIContacts{comA}/users/{commsId}/paginatedContacts
APIList of conversations{comA}/users/{commsId}/conversations
APIConversation messages{comA}/users/{commsId}/conversations/{conversationId}/messages
APIRecent communication{comA}/contacts/users/{commsId}/recentCommunications
APIDevice inform. & communic. features{comA}/homegroups/{homegroupId}/devices
APIEnabled skillsskills-store.amazon.de/app/front-page/yourskills
APIPhoto & video metadatacdws.eu-west-1.amazonaws.com/drive/v1/search
APIDownload photos & videoscontent-eu.drive.amazonaws.com/v2/download/signed/{photoId}/content?ownerId={ownerId}
APIGraphQL; similar to /api/phoenixalexa.amazon.de/nexus/v1/graphql
  • [1]: Chung etal. (2017),[2]: Youn etal. (2021),[3]: Krueger and McKeown (2020),[4]: Olufohunsi and Agyekwena (2020),[5]: Hyde and Moran (2017)

  • Abbrev.: {AApp} = /data/data/com.amazon.dee.app/, {PApp} = /data/data/com.amazon.clouddrive.photos/, {comA} = alexa-comms-mobile-service.amazon.com,{ts}= timestamp

  • Kind of user ID revealed by artifact: = customerId, = directedId, = commsId, = contactId, = personId, = personIdV2

  • Coverage of artifact(s): = artifact found, = found similarly at another location, = not found,“” = appears to be deprecated

6.3 Limitations and Future Work

After our test data generation, we discovered that local logs on the Echo Show15are deleted after about three days, which resulted in certain performed actionsnot being detectable in log files. To strive for a more systematic mapping of performed actionsduring test data generation (cf. Section4.1)and corresponding persisted artifacts on the file system of the Echo Show15,differential forensic analysis (Garfinkel etal., 2012)could be performed based on more frequent and atomic file system images, as, for example,done by Eichhorn etal. (2024). Additional usage scenarios could be considered during test data generationto take further user interactions and behaviors into account.

The failed cross-site request forgery checkthat occurred while testing the GraphQL \acAPI(cf. Section5.2.5)could be solved by analyzing the codeof “com.amazon.alexa.identity.apk” found on the Echo Show15,albeit the legal situation for researchers in this regard may vary by country.

We identified unused pins for a Micro-HDMI port(cf. Section3.2.2)which we soldered to an HDMI breakout boardto test the Echo Show15 as both input and output device. Although all soldered connections were checked for continuity,our attempts failed, leaving it for future work to figure outwhat the purpose of the Micro-HDMI port is,whether it needs to be activated in Fire OS,or what we have missed.

The database “map_data_storage_v2.db” (cf. Section4.6),was also used by a dedicated app for the fitness tracker Amazon Halo(Hutchinson etal., 2022), which raises the questionwhether other smart devices by Amazon use the database as well,and whether the refresh tokens have the same scope of permission on all devices. Additionally, our database contained another token (adptoken)which is likely for the \acAPI of Audible, Amazon’s audiobook and podcast service,as well as further tokens with sensitive nameswhose particular purposes and contexts of use, however,have not been investigated yet(e.g., privatekey, encrypt.key).

At the time of writing, it became public that Amazon willdiscontinue to build their \aclOS upon Android(Roettgers, 2023; Welch, 2023).While it is yet unknownwhich devices will run the new \acsOS with the internal name Vega,the unveiled pinout for the eMMC interfaceon the Echo Show 15 (cf. Section3.2.3)could potentially become handy if Vega is rolled out on older devicesand its file system remains unencrypted. Moreover, as the pinout for the \aceMMC interfacecan be used for write access, it remains to be seen whethermanipulations of the firmware become feasible,despite it being signed (cf. Section3.2.1).

7 Conclusion

In this paper, we forensically examined Amazon’s smart displayEcho Show 15 for the first time. On the \aclMLB, we discovered a working but restricted \acUART portas well as undocumented \aclpTP for the \acseMMC interface,resulting in non-invasive access to the unencrypted file system contents of FireOS. Locally, we identified artifacts of forensic relevanceabout users’ presence and usage behavior,including logged events of Visual ID aboutmovements and users detected by the built-in camera. Moreover, by trivially decrypting a “refresh token”which was stored jointly with the corresponding encryption keyin the same database file,we were able to request a new “access token”for the Alexa \acAPI,granting us access to user-related remote artifacts stored in Amazon’s cloud,including Alexa voice requests, calendars, contacts, conversations, photos, and videos. Finally, we analyzed the network traffic of two companion apps,namely Alexa and Photos, and identified new Alexa \acAPI endpoints.In terms of practical relevance, our findings showhow forensic investigators can escalate their data acquisition procedurefrom local artifacts on a seized Echo Show 15 deviceto remote artifacts stored in the vendor’s cloudwithout needing the suspect’s or Amazon’s cooperationfor bypassing any security mechanism.

Acknowledgments

We thank Felix Freiling for his precious supportas well as the anonymous reviewers for their valuable comments. This work has been supported by the Bavarian Ministry of Science and Arts as part of the project “Security in Everyday Digitization” (ForDaySec).

References

  • Amazon (2017)Amazon, 2017.Fire OS Overview.URL: https://developer.amazon.com/docs/fire-tv/fire-os-overview.html.
  • Amazon (2021a)Amazon, 2021a.The science behind visual ID.URL: https://www.amazon.science/blog/the-science-behind-visual-id.
  • Amazon (2021b)Amazon, 2021b.What Is Visual ID on Echo Show?URL: https://www.amazon.com/gp/help/customer/display.html?nodeId=GVPZZGGU8N6A9QJK.
  • Amazon (2022)Amazon, 2022.Device Specifications: Echo Show.URL: https://www.developer.amazon.com/docs/fire-tv/device-specifications-echo-show.html.
  • Amazon (2024)Amazon, 2024.What Are Alexa Profiles?URL: https://us.amazon.com/gp/help/customer/display.html?nodeId=GLE4EVA2VLDRQDLC.
  • Armstrong (2022)Armstrong, M., 2022.Homes Are Only Getting Smarter.URL: https://www.statista.com/chart/27324/.
  • Bouchaud etal. (2018)Bouchaud, F., Grimaud, G., Vantroys, T., 2018.IoT Forensic: identification and classification of evidence in criminal investigations, in: Proceedings of the 13th International Conference on Availability, Reliability and Security, pp. 1–9.
  • Casey (2007)Casey, E., 2007.What does" forensically sound" really mean?Digital Investigation: The International Journal of Digital Forensics & Incident Response 4, 49–50.
  • Chung etal. (2017)Chung, H., Park, J., Lee, S., 2017.Digital forensic approaches for Amazon Alexa ecosystem.Digital Investigation 22, S15–S25.
  • Clinton etal. (2016)Clinton, I., Cook, L., Banik, S., 2016.A Survey of Various Methods for Analyzing the Amazon Echo.The Citadel, The Military College of South Carolina.
  • Eichhorn etal. (2024)Eichhorn, M., Schneider, J., Pugliese, G., 2024.Well Played, Suspect! — Forensic Examination of the Handheld Gaming Console “Steam Deck”.Forensic Science International: Digital Investigation 48, 301688.doi:10.1016/j.fsidi.2023.301688.
  • ElFaramawi (2020)ElFaramawi, K., 2020.Hardware Hacking 101: Identifying and Dumping eMMC Flash.URL: https://www.riverloopsecurity.com/blog/2020/03/hw-101-emmc/.
  • FCC (2021)FCC, 2021.FCC documents for 2AXFL-4269.URL: https://apps.fcc.gov/oetcf/eas/reports/GenericSearch.cfm.
  • Garfinkel etal. (2012)Garfinkel, S.L., Nelson, A.J., Young, J., 2012.A general strategy for differential forensic analysis.Digital Investigations 9, S50–S59.URL: https://doi.org/10.1016/j.diin.2012.05.003, doi:10.1016/j.diin.2012.05.003.
  • Gómez etal. (2021)Gómez, J.M.C., Mondéjar, J.C., Gómez, J.R., Martínez, J.M., 2021.Developing an iot forensic methodology. a concept proposal.Forensic Science International: Digital Investigation 36, 301114.
  • Hutchinson etal. (2022)Hutchinson, S., Mirza, M.M., West, N., Karabiyik, U., Rogers, M.K., Mukherjee, T., Aggarwal, S., Chung, H., Pettus-Davis, C., 2022.Investigating Wearable Fitness Applications: Data Privacy and Digital Forensics Analysis on Android.Applied Sciences 12, 9747.
  • Hyde and Moran (2017)Hyde, J., Moran, B., 2017.“Alexa, are you Skynet?”.SANS Digital Forensics and Incident Response Summit URL: http://www.osdfcon.org/presentations/2017/Moran_Hyde-Alexa-are-you-skynet.pdf.
  • ioBroker (2022)ioBroker, 2022.Thread: Echo Show 15 install almost all apps.URL: https://forum.iobroker.net/topic/60891/.
  • Krueger and McKeown (2020)Krueger, C., McKeown, S., 2020.Using Amazon Alexa APIs as a Source of Digital Evidence, in: 2020 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), IEEE. pp. 1–8.
  • Lau etal. (2018)Lau, J., Zimmerman, B., Schaub, F., 2018.Alexa, Are You Listening? Privacy Perceptions, Concerns and Privacy-seeking Behaviors with Smart Speakers.Proc. ACM Hum. Comput. Interact. 2. CSCW, 102:1–102:31.
  • micaksica (2017)micaksica, 2017.Exploring the Amazon Echo Dot, Part 2: Into MediaTek utility hell.URL: https://medium.com/@micaksica/b452f62e5e87.
  • Olufohunsi and Agyekwena (2020)Olufohunsi, T., Agyekwena, C.A., 2020.Forensic Investigation of Artificial Intelligence Virtual/Personal Assistant: Amazon Alexa as a case study.doi:10.13140/RG.2.2.25523.37928.
  • Pawlaszczyk etal. (2019)Pawlaszczyk, D., Friese, J., Hummert, C., 2019.“Alexa, tell me…” – A forensic examination of the Amazon Echo Dot 3rd generation.International Journal of Computer Sciences and Engineering 7, 20–29.
  • Richter (2023)Richter, F., 2023.Amazon Dominates the U.S. Smart Speaker Market.URL: https://www.statista.com/chart/29167/.
  • Roettgers (2023)Roettgers, J., 2023.Scoop: Amazon is ditching Android for Fire TVs, smart displays.URL: https://www.lowpass.cc/p/amazon-vega-os-fire-tv-android.
  • Stachak etal. (2024)Stachak, M., Geus, J., Pugliese, G., Freiling, F., 2024.Nyon Unchained: Forensic Analysis of Bosch’s eBike Board Computers.Digital Forensics Research Conference Europe (DFRWS EU 2024) URL: https://dfrws.org/wp-content/uploads/2024/03/Nyon-Unchained-Forensic-Analysis-of-Boschs-eBike-Board-Computer_2024.pdf.
  • Statista (2023)Statista, 2023.Smart speaker ownership by brand in Germany (Sep’23).URL: https://www.statista.com/forecasts/998829/.
  • Urquhart etal. (2022)Urquhart, L., Miranda, D., Podoletz, L., 2022.Policing the smart home: The internet of things as ‘invisible witnesses’.Information Polity 27, 233–246.
  • Vanderpot (2017)Vanderpot, A., 2017.Echohacking Wiki.URL: https://github.com/echohacking/wiki/wiki.
  • Vasile etal. (2019)Vasile, S., Oswald, D., Chothia, T., 2019.Breaking All the Things—A Systematic Survey of Firmware Extraction Techniques for IoT Devices, in: Bilgin, BegülandFischer, J.B. (Ed.), Smart Card Research and Advanced Applications, Springer International Publishing, Cham. pp. 171–185.
  • Welch (2023)Welch, C., 2023.Amazon has begun replacing Android with its own software on some products.URL: https://www.theverge.com/2023/11/14/23954333/.
  • Youn etal. (2021)Youn, M.A., Lim, Y., Seo, K., Chung, H., Lee, S., 2021.Forensic analysis for AI speaker with display Echo Show 2nd generation as a case study.Forensic Science International: Digital Investigation 38, 301130.

\printcredits

Started Off Local, Now We’re in the Cloud: Forensic Examination of the Amazon Echo Show 15 Smart Display (2024)

FAQs

How do I change the weather location on my echo show? ›

After Moving, Update Device Location on Your Echo Show
  1. Swipe down from the top of your screen.
  2. Select Settings.
  3. Select Device Options.
  4. Select Device Location and enter your complete address.
  5. If you've moved to a different time zone, select Date & Time and make sure it reflects your correct time zone.
  6. Select Save.

How do you turn on Echo Show 15? ›

PLUG ECHO SHOW 15 INTO AN ELECTRICAL SOCKET Use the Included power adaptor. In about a minute, the display will turn on and Alexa will greet you.

Why am I getting Alexa weather alerts wrong location? ›

Your device's location is used for weather, time, and other features.
  • Open the Alexa app .
  • Select Devices .
  • Select your device.
  • Select Device Settings .
  • Select Device Location.
  • Enter your complete address, and then select Save.

How do I get the weather app to show the wrong location? ›

Enable Use location if it is disabled. Tap App location permissions and make sure the Google app has Allow all the time selected and Use precise location enabled. Although these aren't necessary for the weather app to work, it may help stop showing weather for a location you aren't in.

What is the Echo Show 15 used for? ›

The Echo Show 15 makes use of half its large screen with a panel of widgets for your calendar, sticky notes, the weather, and more. The calendar can sync with your Google, Microsoft, and Apple accounts so you don't need to separately add events to the Alexa device.

Can you FaceTime on Echo Show 15? ›

Can You FaceTime on Amazon Echo Show? No, you can't FaceTime on an Echo Show. FaceTime is Apple's proprietary video chat app which only runs on Apple devices. Echo Show devices can only place video calls to other Echo Show devices and the Alexa phone app, and only Apple devices can FaceTime.

How do I change my weather location? ›

How to change the displayed location
  1. Touch and hold the Weather widget, and then select Settings.
  2. Tap Change next to the currently selected location.
  3. Select a new location to display, and then tap Save.
  4. Once you have applied the changes, you will be able to view the weather for the new location you have selected.
Dec 7, 2023

How do I change my default location on the weather app? ›

Change my Weather location
  1. On your Android phone or tablet, touch and hold the Home button or say "OK Google."
  2. In the bottom right, tap .
  3. In the top right, tap your Profile picture or initial > Settings.
  4. Tap You > Your places.
Apr 2, 2020

How do I get local weather on Alexa? ›

Amazon.com: Weather : Alexa Skills. To get started, add your address in the Alexa app. Then, just ask Alexa "What's the weather?" or "What's the weather in [city, state or city, country]?" You can also ask about weather on a specific day or about inclement weather conditions.

How do I change my location on the weather Channel? ›

How Do I Change/ Update My Location?
  1. Launch The Weather Channel TV app.
  2. Go to the 'My Weather' tab and select the 'Change Location' option at the bottom right corner of the screen.
  3. Select 'Add Location' & you can search by ZIP Code or City name in the textbox.
Dec 1, 2022

Top Articles
New Jersey Eats: Top 10 Morris restaurants
10 Best Restaurants in Morristown NJ You Must Try
Ron Martin Realty Cam
Dew Acuity
Mychart Mercy Lutherville
Shorthand: The Write Way to Speed Up Communication
Northern Whooping Crane Festival highlights conservation and collaboration in Fort Smith, N.W.T. | CBC News
Konkurrenz für Kioske: 7-Eleven will Minisupermärkte in Deutschland etablieren
[2024] How to watch Sound of Freedom on Hulu
What Is Njvpdi
Ella Eats
What is the difference between a T-bill and a T note?
Busty Bruce Lee
10 Best Places to Go and Things to Know for a Trip to the Hickory M...
House Party 2023 Showtimes Near Marcus North Shore Cinema
Snow Rider 3D Unblocked Wtf
Locate At&T Store Near Me
Ess.compass Associate Login
라이키 유출
Forum Phun Extra
Craigslist Southern Oregon Coast
Parc Soleil Drowning
Dtlr Duke St
Egizi Funeral Home Turnersville Nj
What Time Does Walmart Auto Center Open
Troy Gamefarm Prices
Обзор Joxi: Что это такое? Отзывы, аналоги, сайт и инструкции | APS
How To Find Free Stuff On Craigslist San Diego | Tips, Popular Items, Safety Precautions | RoamBliss
Gilchrist Verband - Lumedis - Ihre Schulterspezialisten
Panolian Batesville Ms Obituaries 2022
Lbrands Login Aces
Speechwire Login
Obituaries, 2001 | El Paso County, TXGenWeb
Skepticalpickle Leak
A Plus Nails Stewartville Mn
Craigslist Dallastx
Dreamcargiveaways
Ixl Lausd Northwest
AP Microeconomics Score Calculator for 2023
KITCHENAID Tilt-Head Stand Mixer Set 4.8L (Blue) + Balmuda The Pot (White) 5KSM175PSEIC | 31.33% Off | Central Online
Woodman's Carpentersville Gas Price
Casamba Mobile Login
Fairbanks Auto Repair - University Chevron
Whitney Wisconsin 2022
Erica Mena Net Worth Forbes
CPM Homework Help
antelope valley for sale "lancaster ca" - craigslist
Poster & 1600 Autocollants créatifs | Activité facile et ludique | Poppik Stickers
Estes4Me Payroll
What Is The Gcf Of 44J5K4 And 121J2K6
Unity Webgl Extreme Race
Latest Posts
Article information

Author: Tuan Roob DDS

Last Updated:

Views: 6243

Rating: 4.1 / 5 (62 voted)

Reviews: 93% of readers found this page helpful

Author information

Name: Tuan Roob DDS

Birthday: 1999-11-20

Address: Suite 592 642 Pfannerstill Island, South Keila, LA 74970-3076

Phone: +9617721773649

Job: Marketing Producer

Hobby: Skydiving, Flag Football, Knitting, Running, Lego building, Hunting, Juggling

Introduction: My name is Tuan Roob DDS, I am a friendly, good, energetic, faithful, fantastic, gentle, enchanting person who loves writing and wants to share my knowledge and understanding with you.