Whether or not you agree with law enforcement being able to access data stored within an Amazon Echo Dot, they will try and will do it anyway regardless. The question i’ll be attempting to answer today is whether it’s possible or not at all.
The short and simple answer is yes but it’s kind of impractical on the latest devices. This is due to how the latest Echo Dot restricts physical access to ports or connections that could be useful to a forensic analyst.
Ideally from a forensic perspective we would want to access all the data that the device holds without changing any of it or damaging the original data source. Easier said than done I can assure you. The most straight forward way of getting this data is by removing the chip that stores all the data from the motherboard and using a chip-specific adapter to read the data. However, this can often destroy the data if done badly and in the least surprising turn of events ever will break the motherboard. Not to mention that the process requires a lot of knowledge and can be expensive.
We want a data extraction method that is preferably non-intrusive and reusable
This was achieved on the 2nd generation version of the Echo Dot by Jessica Hyde of Magnet Forensics in 2017 using a method know as In-System Programming or ISP and allowed for the full extraction of data from the flash storage of the device.
So, we have a method for older devices established but what about the latest 3rd generation one? Well, the answer is a little bit murky. After some digging around the internet I found no research into this topic so, I guess I had to take up the mantle. I tested every pin on the Echo Dot 3rd generation motherboard and this was the result.
The main conclusion to gather from this is that I personally couldn’t find any reliable method of data extraction with the latest Echo Dot. Technically, it’s possible to extract the storage of the Echo Dot but out of the scope of most investigations for the reasons outlined above.
With the help of some nice people at Birmingham City University I did find what looks like a RAM test pinout which we thought could be showing the processor writing to the RAM of the device. Here’s a closer look at that pinout.
When investigating this we weren’t 100% on it as as we didn’t get around to testing the theory but here’s something to demonstrate what I mean.
So most people are probably thinking what the implications of being able to read the stream of RAM of the device could be and while it’s not entirely known if it could be used for some data extraction in theory.
It’s much more likely that rather than extracting data from the physical device itself that a forensic investigator that they would pull data from the associated Amazon account on either the mobile app or a web interface. In 2017 there was a tool developed for extracting metadata stored in the cloud for Alexa called CIFT. In theory a forensic analyst could use such data to help establish a routine or see what queries had been made to the device over a period of time.
In summary, it’s entirely possible if someone was determined enough to extract data from the physical device but, would be used in a very specific scenario and may not contain data that would be of much use. However this does not make the device useless as the metadata that the device gathers could be used in an investigation in theory although i’m not certain whether there has been much investigation into the practicality of this for law enforcement.
- Alexa, are you Skynet?: https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498230402.pdf
- For information on the specs refer to: https://technobabble.me/2019/06/25/amazon-echo-dot-3rd-generation-teardown/
- CIFT tool information: https://www.dfrws.org/sites/default/files/session-files/paper_digital_forensic_approaches_for_amazon_alexa_ecosystem.pdf