Amazon Echo Forensics Update 2

Introduction to Amazon Echo Update

Hello, readers!  This is our third post regarding the LCDI’s Amazon Echo project.  If you haven’t already, I recommend taking a moment to read our prior posts for a full understanding of how this project is evolving.  In the past, we talked about our initial research goals and where we’d like to take our efforts over the course of the semester.  Recently we were preparing to do data generation, which has since been completed.  Now it’s time to get deep into our data!


We now have a network packet sniffer that captures crucial moments of the Amazon Echo’s operations, like when it’s turned on and when it associates with new devices. We even have voice recordings of the entire 30-minute data generation process.  Also, we have log files from our router and from the device we used to interact with the webpage.  Our test was conducted using a datagen script to record times and what was said; we created the script to ensure that we tested as much functionality as was possible at the time of the test.

Our analysis thus far confirms our early suspicions about the Echo. We see lots of traffic to Amazon and Google servers, and a lot of content over HTTPS and SSDP. There were very few files that we could completely identify in the packet capture alone, besides a few unexciting images of webpage content and a lot of extra network traffic generated by the Windows laptop we used. As far as monitoring network traffic goes, we hope to identify how the Amazon Echo communicates over its associated Wi-Fi signal to ascertain whether or not any data of forensic importance can be found on connected devices. The multicast technologies continue to be a cool point of interest.

In the coming weeks we will be perusing a forensic image of the Android device used during the data generation.  We hope to explore the device’s recorded voice history and the contents of the application package (.apk) associated with the Amazon Echo app. We may be able to find things such as speech recorded by the Echo while dormant, or before it is awoken by its wake word, “Alexa”.  We also intend to see what evidence can be found on a forensic image of the laptop that was used in testing by searching browser artifacts and caches.


We hope that our meticulous planning of the test, logs, images, recording, and packet captures can help corroborate any findings. Now that data generation is complete, there is a lot of content to review. We may not learn exactly how the Amazon Echo works, but we hope to show you what digital footprints the Echo leaves after use.

We welcome any form of feedback. Feel free to comment below or email us at You can also follow us on Twitter and Facebook for the most current updates!
