Started Off Local, Now We're in the Cloud: Forensic Examination of the Amazon Echo Show 15 Smart Display
Jona Crasselt, Gaston Pugliese
TL;DR
The paper tackles the challenge of forensic analysis for a non-traditional IoT device, the Echo Show 15, by combining hardware-level access with cloud-side data to obtain a comprehensive artifact set. It demonstrates a non-invasive path to read the unencrypted Fire OS filesystem via an undocumented eMMC pinout, catalogs local artifacts including Visual ID events, and shows how decrypting a stored refresh token yields temporary access to the Alexa cloud for additional data such as voice requests, calendars, and photos. It further uncovers new Amazon API endpoints by analyzing traffic from the Alexa and Photos companion apps, and releases open-source tools to facilitate replication and data acquisition. The work provides a practical, multi-source forensic methodology that bridges local device traces and remote cloud data, highlighting both the potential and the limitations of current smart-display forensics in real-world investigations.
Abstract
Amazon Echo is one of the most popular product families of smart speakers and displays. Considering their growing presence in modern households as well as the digital traces associated with residents' interactions with these devices, analyses of Echo products are likely to become more common for forensic investigators at "smart home" crime scenes. With this in mind, we present the first forensic examination of the Echo Show 15, Amazon's largest smart display running on Fire OS and the first Echo device with Visual ID, a face recognition feature. We unveil a non-invasive method for accessing the unencrypted file system of the Echo Show 15 based on an undocumented pinout for the eMMC interface which we discovered on the main logic board. On the device, we identify various local usage artifacts, such as searched products, streamed movies, visited websites, metadata of photos and videos as well as logged events of Visual ID about movements and users detected by the built-in camera. Furthermore, we utilize an insecurely stored token on the Echo Show 15 to obtain access to remote user artifacts in Amazon's cloud, including Alexa voice requests, calendars, contacts, conversations, photos, and videos. In this regard, we also identify new Amazon APIs through network traffic analysis of two companion apps, namely Alexa and Photos. Overall, in terms of practical relevance, our findings demonstrate a non-destructive way of data acquisition for Echo Show 15 devices as well as how to lift the scope of forensic traces from local artifacts on the device to remote artifacts stored in the cloud.