This was achieved on the 2nd generation version of the Echo Dot by Jessica Hyde of Magnet Forensics in 2017 using a method know as In-System Programming or ISP and allowed for the full extraction of data from the flash storage of the device. So, we have a method for older devices established but what about the latest 3rd generation one? Well, the answer is a little bit murky. After some digging around the internet I found no research into this topic so, I guess I had to take up the mantle. I tested every pin on the Echo Dot 3rd generation motherboard and this was the result.
We want a data extraction method that is preferably non-intrusive and reusable
The main conclusion to gather from this is that I personally couldn’t find any reliable method of data extraction with the latest Echo Dot. Technically, it’s possible to extract the storage of the Echo Dot but out of the scope of most investigations for the reasons outlined above.With the help of some nice people at Birmingham City University I did find what looks like a RAM test pinout which we thought could be showing the processor writing to the RAM of the device. Here’s a closer look at that pinout.
When investigating this we weren’t 100% on it as as we didn’t get around to testing the theory but here’s something to demonstrate what I mean.
So most people are probably thinking what the implications of being able to read the stream of RAM of the device could be and while it’s not entirely known if it could be used for some data extraction in theory.It’s much more likely that rather than extracting data from the physical device itself that a forensic investigator that they would pull data from the associated Amazon account on either the mobile app or a web interface. In 2017 there was a tool developed for extracting metadata stored in the cloud for Alexa called CIFT. In theory a forensic analyst could use such data to help establish a routine or see what queries had been made to the device over a period of time.
In summary, it’s entirely possible if someone was determined enough to extract data from the physical device but, would be used in a very specific scenario and may not contain data that would be of much use. However this does not make the device useless as the metadata that the device gathers could be used in an investigation in theory although i’m not certain whether there has been much investigation into the practicality of this for law enforcement.