Amazon Echo is one of the most popular product families of smart speakers and displays. Considering their growing presence in modern households as well as the digital traces associated with residents' interactions with these devices, analyses of Echo products are likely to become more common for forensic investigators at "smart home" crime scenes. With this in mind, we present the first forensic examination of the Echo Show 15, Amazon's largest smart display running on Fire OS and the first Echo device with Visual ID, a face recognition feature. We unveil a non-invasive method for accessing the unencrypted file system of the Echo Show 15 based on an undocumented pinout for the eMMC interface which we discovered on the main logic board. On the device, we identify various local usage artifacts, such as searched products, streamed movies, visited websites, metadata of photos and videos, as well as logged events of Visual ID about movements and users detected by the built-in camera. Furthermore, we utilize an insecurely stored token on the Echo Show 15 to obtain access to remote user artifacts in Amazon's cloud, including Alexa voice requests, calendars, contacts, conversations, photos, and videos. In this regard, we also identify new Amazon APIs through network traffic analysis of two companion apps, namely Alexa and Photos. Overall, in terms of practical relevance, our findings demonstrate a non-destructive way of data acquisition for Echo Show 15 devices as well as how to extend the scope of forensic traces from local artifacts on the device to remote artifacts stored in the cloud.