Started Off Local, Now We're in the Cloud: Forensic Examination of the Amazon Echo Show 15 Smart Display

Amazon Echo is one of the most popular product families of smart speakers and displays. Considering their growing presence in modern households as well as the digital traces associated with residents' interactions with these devices, analyses of Echo products are likely to become more common for forensic investigators at "smart home" crime scenes. With this in mind, we present the first forensic examination of the Echo Show 15, Amazon's largest smart display running on Fire OS and the first Echo device with Visual ID, a face recognition feature. We unveil a non-invasive method for accessing the unencrypted file system of the Echo Show 15 based on an undocumented pinout for the eMMC interface which we discovered on the main logic board. On the device, we identify various local usage artifacts, such as searched products, streamed movies, visited websites, metadata of photos and videos as well as logged events of Visual ID about movements and users detected by the built-in camera. Furthermore, we utilize an insecurely stored token on the Echo Show 15 to obtain access to remote user artifacts in Amazon's cloud, including Alexa voice requests, calendars, contacts, conversations, photos, and videos. In this regard, we also identify new Amazon APIs through network traffic analysis of two companion apps, namely Alexa and Photos. Overall, in terms of practical relevance, our findings demonstrate a non-destructive way of data acquisition for Echo Show 15 devices as well as how to lift the scope of forensic traces from local artifacts on the device to remote artifacts stored in the cloud.