Introduction to Amazon Echo Forensics

Intro to amazon echo forensics

A new semester is upon us!  For a lucky group of five LCDI researchers, the next challenge is to examine and document everything there is to know about the Amazon Echo. The Echo, publicly released last June, is a wireless ‘smart speaker’ device that uses voice commands to play music, audiobooks and podcasts from a number of connected services as well as organize to-do lists, create reminders and keep up-to-date weather and traffic reports. When it comes to Amazon Echo forensics, the team is focused on exploring the Echo’s functionalities, and we have already found ourselves several pertinent questions to answer: how well does it interface with third-party applications and other devices? How does it manage several Amazon accounts? How does the Amazon Shopping List work from this device? Finally, and most importantly, how big of a part does security and privacy play in its operations?


To start this project, the Amazon Echo team had to first explore what the Amazon Echo is. What is the device designed to do? What are the internal components? How does it communicate over the Internet?

During this phase, our research found several websites, including’s help page that defines the Amazon Echo as a sort of a digital assistant that captures and recognizes voice commands, sends them to the cloud for processing, then provides responses to the user. This can come in the form of spoken content from the Echo’s speakers, or adjusting smart devices like lights and thermostats. The Echo can also be configured to work with music libraries, alarms, and shopping lists. The capabilities of the Amazon Echo is vast, and combined with the Internet of Things and voice activated Internet searches there are plenty of areas to explore!

Inherent to the enhancements that the Amazon Echo provides to networked products and services is the concern about information security. Part of our research is to determine to what degree the Amazon Echo could aid in investigating crime. Work has been started on determining how long voice commands are stored in the Echo’s memory. We would like to find out what kinds of data can be obtained from the Echo mobile app, the Echo management web page, or any residual data that may remain from the Echo’s automatic connection with other devices, accounts, and online services. Let the analysis begin!

Fun fact: did you know the Amazon Echo stores the last command played in the cache folder in a sound file called “sound”?  Drag the sound file to the VLC player and listen to it!


As we learn more and more about the technologies associated with the Amazon Echo, we realize that we may not get to explore everything in a single semester. There is a possibility that data exists in the Echo’s RAM that we may not be able to recover in a forensically sound manner, for example. We also know that some data will not be readily retrievable, like the content stored in Amazon’s cloud.

The Amazon Echo is a very interesting device and it seems that new capabilities are being developed on a daily basis. We are hoping that our research will benefit anyone interested in what the Amazon Echo is, what it does, and how the use of the data stored or created by it could be useful.

Our final report for this project will be posted in May of 2016. We intend to keep you updated on our progress. If you have questions or comments about the project, you can leave a comment or contact the LCDI via Twitter @ChampForensics or via email at

More Research Projects
The Leahy Center Inventory Project
Social Media Footprint Awareness
My Experience on The VPN Comparison Team