Alexa is the new target in Digital Forensics investigation
Voice Assistant Alexa can do more than just listening, it can bear witness to crimes.
Internet-of-Things (IoT) is steadily disrupting the world around us. Recently, voice assistants gained worldwide attention for their ability to respond to voice commands and integrate with smartphones, speakers and other devices. The number of IoT connected devices is projected to grow in the coming years as the industry witnesses an influx of products.
According to Statista, the voice assistants global market revenue was around 4.4 billion U.S. dollars in 2017 and expected to go beyond 17 billion in 2022. The two prominent leaders in the digital voice assistant market are Amazon Echo and Google Assistant, followed by Apple HomePod, Xiaomi and others.
According to Gartner, 25% of households using a virtual assistant will have two or more devices by 2020. As these IoT devices accumulate huge chunks of digital data, it presents an excellent opportunity for digital forensic experts to utilise them as sources of digital evidence in criminal cases.
Amazon’s Alexa steals the thunder following news headlines made over the year:
“Amazon ordered to give Alexa evidence in double murder case” -Independent
“Amazon handed over Alexa recordings to the police in a murder case” -Business Insider
“How much can police find out from a murderer’s Echo?” -The Verge
“Police think Alexa may have witnessed New Hampshire Double Homicide. Now they want Amazon to turn her over.” -The Washington Post
CASES:
Law enforcement officials, digital forensics experts and legal teams are now attempting to look at these IoT devices, as sources to extract potential evidence in criminal cases.
The first case involving an Amazon Echo was the November 2015 murder case in Arkansas. James Bates was charged with first-degree murder of Victor Collins found in his hot tub. Police had seized Alexa-enabled Echo from the crime scene as evidence.
Another case was a double murder in Farmington where two women Christine Sullivan and Jenna Pellegrini were stabbed by Timothy Verrill in 2017. The judge in New Hampshire ordered Amazon to provide recordings from the device as it may have captured audio, that could prove as key evidence in the case.
More recently, ministers in Germany have now proposed to allow collection and use of Alexa and Siri recordings as evidence in trials (Source: Deutsche Welle, 2019).
AMAZON ALEXA ECOSYSTEM
Voice assistants or Virtual assistants operate on Cloud. The key to extracting data from devices lies in the ecosystem in which they operate.
Alexa enabled on Amazon Echo gets triggered with its wake word and responds to queries and also interacts with other IoT devices and third-party applications compatible with it. This takes place over cloud that is accessed and controlled using companion client devices such as PC and Mobile (using iOS or Android).
Therefore, the ecosystem containing a complex network of interconnected IoT devices, third-party applications and companion devices is called the Amazon Alexa Ecosystem.
DIGITAL FORENSIC APPROACHES TO EXTRACT DATA FROM AMAZON ALEXA
In the Sans Digital Forensics and Incident Response Summit 2017, Jessica Hyde (Director of Magnet Forensics) and Brian Moran (Digital Strategy Consultant at BriMor Labs) presented their research on Amazon Alexa Ecosystem.
The focus of their research was to identify and recover the data across Amazon devices that could be useful to forensic analysts.
According to the document that summarises the results of their research, there are three pieces of information required to gain access to the cloud and acquire data:
· A userID that can be recovered from the Alexa app on the phone linked to the Amazon Echo device.
· URL that uses the userID.
· Log-in credentials of the associated Amazon Account upon accessing the URL.
Therefore, steps to extract the data involve obtaining the userID, building the URL and parsing detailed in the document.
Methods:
Previously, destructive methods such as disassembling the Amazon Echo device down to its components was a common attempt used by Forensic Investigators to extract information. This method was known as the Hardware analysis.
The analysis of hardware component parts gave leads on registration information and Wi-Fi connections enabled on the device. However, it posed a problem when law enforcement was asked to return the device in its original state.
Therefore, researchers looked for alternative methods. As a result, recently there has been a wealth of published research on other approaches.
For Example, researchers Hyunji Chung, Jungheum Park, Sangjin Lee in 2017 state four analysis approaches, illustrated in the figure below.
In their research, two Amazon Echo Dot devices were tested on Android, iOS and Windows applications.
Analysis of Network Communication protocols revealed the fact that most of the traffic was transferred over encrypted connections. In case, where the user credentials were unknown, additional APIs were identified to discover configuration and user activity on the cloud.
Analysis at the Client level recovered token information on the user that was signed onto Android, to-do lists and shopping lists on both Android and iOS systems.
Lastly, Analysis of Cloud involved creating a web session with Alexa using user ID and password to acquire data such as registered user accounts, saved Wi-Fi settings, Google calendars linked to Alexa and to-do lists with time stamps.
MOST RECENT TOOL
Oxygen Forensics has developed a tool called Cloud Extractor that can extract data from IoT devices such as Amazon Echo.
How it Works:
The tool gains access to the Amazon Alexa Cloud using login ID and password or a user token. Investigators first obtain the devices such as PCs or Mobiles that are paired to Amazon Echo and then extract the User Token using the Cloud Extractor.
In particular, to obtain a user token from web browser of a PC connected to Amazon Echo, investigators use Oxygen Forensic KeyScout utility. This is done to bypass the two-factor authentication set within the Amazon Alexa account.
This allows digital forensic investigators to acquire all the data or evidence linked to Alexa that is stored on the cloud.
What data is extracted from cloud?
The cloud extractor tool unlocks a world of information that includes the following:
· Account details: Information on account holder
· Information on all the connected devices
· Contact list
· User created lists such as Shopping list, Travel Itinerary etc
· User Activity
· Inbound and Outbound calls and messages
· Calendar
· Notifications
· Preferences
· Stored voice commands
· WiFi Configurations
Therefore, the tool allows investigators to gain an insight on the user’s schedule, everyday activity, calls and messages and voice commands that could serve as evidence in trials.
CONCLUSION
IoT devices such as Amazon Echo are becoming increasingly common in households and more recently they have been recovered from crime scenes. Law enforcement agencies are beginning to accept data from these digital devices as evidence in trials. Since, data from these devices can serve as breadcrumbs leading to suspects, as digital forensic investigators gain access to recent calls and message activity, plans/schedule, lists etc. As a result, a complete user profile and behaviour can be established based on the timeline of events prior to crime incidents.
Early investigation techniques used by digital forensic experts involved complete tear-down of device, to acquire data from its component parts. Sometimes irreversible, it proved to be challenging in cases where the device had to be returned in its original state.
Recently, researchers have discovered alternative ways to acquire data from the device that does not require breakdown to individual parts. Investigators can now conduct analysis at the software level by looking into the cloud and associated devices linked to the Amazon Echo device using apps that control Alexa. Additionally, the new tools and techniques reveal more information that can be used to pinpoint the suspects, as evidence in trials.
