Alexa Your BFF or Worst Nightmare

Months ago, we put out the first write-up on the forensic impacts of the Amazon Echo device and the new virtual assistant Alexa. Since that time, there have been a number of different cases in which Alexa has been pivotal. With this shift, IoT evidence is coming to the forefront of what we look for in digital evidence. Paraben has spent a lot of time over the last few years focusing its efforts on IoT data, starting with support for DJI Drone data back in June 2016.

So, this is what has been percolating in the field of IoT forensics with regard to the Amazon Echo device. Multiple versions of the device have been released to the public. Each version has one more feature than the last, increasing your dependence on Alexa to answer all of your questions.


The common issue with each of the devices is the data they store. If you ask Alexa about her storage, she comments how great it is to work in the cloud; but is it great for your data? With the new devices giving us cameras and open microphones, it was well worth a deep dive into how they are working.

With Paraben’s E3 Platform 1.4 release, we added support for Amazon Echo through our cloud forensics capabilities, as well as support for the Alexa App that exists on the phone. Based on basic testing, this supports everything except the Echo Look, which uses a separate App from the other devices.

This is what you can expect with the devices. The mobile App has the same data whether it runs on Android or iOS. The Alexa mobile application allows users to view their history, voice records in text form, and requests to the device. However, the big pending question, of course, is: what can you see when you look at it forensically?

Below is a screen shot of the Alexa data associated with one of our test devices.

Data Associate


As you can see, the account data and the basics on the device are all part of the App. What really makes a difference is what we can see with the cloud data. Since the Amazon Echo device lives in the cloud, knowing whether you can gain access to the cloud recordings was a big part of our investigation. The process is similar to how we deal with all cloud-based data: we gather authentication data from the smartphone the IoT device is paired with and use that to authenticate into the cloud account. The Amazon Echo device doesn’t keep the data forever, so you have a limited access window of 1 hour from the last command to be able to capture the data. This puts a new priority on the triage option in the field when it comes to preserving this information.

Data View


In conclusion, we know the data is split between the paired device App and the cloud. There are always legal considerations that you need to keep in mind when accessing any data associated with a cloud account, so please consult your local authority to determine the proper steps you must take. To make the breakdown easier, we have a chart that shows common data and the type of information.

User Name: Customer Name
User ID: Customer Id
User Email: Customer Email
Access to Prime Music Content: Yes or No
Recording Time: Date and time when the voice activity was recorded (in the <YYYY-MM-DD HH:MM:SS> format)
Summary: How Alexa has recognized the user’s question.
Audio: Link to the corresponding recording of the user’s question to Alexa in the Audio Files folder.
Device Type: Type of Alexa device synced with Amazon (in the same format as received from the server).

Remember, with more devices pairing to our smartphones, the evidence of tomorrow is definitely moving to more locations, so make sure you stay on top of where you should be looking.