Amazon Echo Forensics Update 1

Introduction to Amazon Echo Update

Welcome back!  The Amazon Echo team is already in week five of the semester and a month into our research adventure.  In our initial post, we posed a few questions regarding some of the Echo’s features we’d like to explore.  Now that we’ve learned more about the device and its related technologies, we are focusing on creating and executing a plan that will allow us to learn the most we can about the Echo in an organized and deliberate manner.


Since our last blog, we have come to understand the Amazon Echo as a sort of personal digital assistant, capable of receiving voice commands and providing responses in the form of spoken answers, playing music, adjusting lights, and communicating with other smart home devices through the Internet of Things (IoT).  Amazon is constantly adding new features, like ordering pizza and calling a cab.

To better comprehend the functions of the Echo, our team performed a full physical and logical acquisition of a Nexus tablet that was used specifically to run the Amazon Echo application.  We used XRY, Cellebrite, and a SQLite Browser to do this analysis, and our initial findings show that there’s not much in the terms of “low hanging fruit” that can be found through the Echo app for Android.  There are command histories that exist, but more work is going to be done in this area before we can confirm our observations.

Another area we explored was data in transit over the network. We used Wireshark to capture network data related to the use of the Echo to see how it communicates with the Internet. Upon inspection, we found that the Echo communicates with Google and Amazon Web Services (AWS) in general.  A protocol of interest is Simple Service Discovery Protocol (SSDP) via a Unicast/Multicast IP address, but there may be more…

Our work in the coming weeks will involve running an isolated data generation, which will include a packet capture of the entire process with network scanning tools.  Along with studying the network activity, we’d like to see if we can identify a network signature for the Echo’s presence on a network.  We are also exploring how to successfully conduct a “chip-off” data extraction from the Echo itself!


We have determined that the Amazon Echo acts like a conduit that connects the user’s voice commands to the Internet.  It appears that a majority of data processing occurs in the cloud, not directly through the Echo.  We are still very interested in what digital artifacts remain when using a mobile device or a PC’s browser to work with the Amazon Echo, as well as learning more about the behind-the-scenes networking that allows the Echo to work with other devices and systems. Lastly, like we mentioned in our first blog, we are still hoping to shed some light on the security aspects related to using the Amazon Echo to communicate with so many products and services.  We anticipate that our work in the coming weeks will satisfy our curiosity, and yours!

We welcome any form of feedback. Feel free to comment below or email us at You can also follow us on Twitter and Facebook for the most current updates!

More Research Projects
The Leahy Center Inventory Project
Social Media Footprint Awareness
My Experience on The VPN Comparison Team