Network Security in Cloudcomputing with AWS as a case study

Can you do a full research work for Network Security in Cloudcomputing with AWS as a case study, under the umbrella of Cyberforensics. The case study has to be detailed and has to be done proper with detailed screenshots as well to show the entire process.

Practical part

Build a cyberforensic case from scratch, solve it, show all the artifacts and evidences and put everything into writing?

Okay, what artifacts do you plan to use? What tools do you intend to use? And can you describe the scenario you plan to use for the case study? What happened, the incident, the resolution, more like a very short description

What forensic tools do you intend to use though?

Also want to know if you would be making use of other tools like Autopsy, or HxD and if you would be using any image files for this work

IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 4, AUGUST 2019
6487
IoT Forensics: Amazon Echo as a Use Case
Shancang Li , Kim-Kwang Raymond Choo , Senior Member, IEEE, Qindong Sun ,
William J. Buchanan, and Jiuxin Cao
Abstract—Internet of Things (IoT) are increasingly common
in our society, and can be found in civilian settings as well as
sensitive applications, such as battlefields and national security.
Given the potential of these devices to be targeted by attackers,
they are a valuable source in digital forensic investigations. In
addition, incriminating evidence may be stored on an IoT device
(e.g., Amazon Echo in a home environment and Fitbit worn by
the victim or an accused person). In comparison to IoT security
and privacy literature, IoT forensics is relatively under-studied.
IoT forensics is also challenging in practice, particularly due
to the complexity, diversity, and heterogeneity of IoT devices
and ecosystems. In this paper, we present an IoT-based forensic
model that supports the identification, acquisition, analysis, and
presentation of potential artifacts of forensic interest from IoT
devices and the underpinning infrastructure. Specifically, we use
the popular Amazon Echo as a use case to demonstrate how our
proposed model can be used to guide forensics analysis of IoT
devices.
Index Terms—Amazon Echo forensics, digital forensics,
Internet of Things (IoT), IoT forensic model, IoT forensics.
I. I NTRODUCTION
N AN Internet of Things (IoT) setting, the number of smart
devices connected to the Internet can range from a few to
billions. Such devices are often able to sense their environment (e.g., temperature, humidity, and wind speed), as well as
interconnecting and communicating with each other [1]–[3].
According to Juniper research [4], more than 20.4 billion smart
devices will be connected to IoT by the year 2020, generating
approximately £134 billion annually by 2022 for the IoT cyber
security industry. This is telling of the IoT trend in our society,
which is also evident by IoT being extended to sectors, such
I
Manuscript received July 24, 2018; revised November 21, 2018 and
February 13, 2019; accepted March 10, 2019. Date of publication
March 22, 2019; date of current version July 31, 2019. This work was
supported in part by the National Natural Science Foundation under Grant
61571360, in part by the Shaanxi Science and Technology Co-Ordination
and Innovation Project under Grant 2016KTZDGY05-09, and in part by
the Innovation Project of Shaanxi Provincial Department of Education under
Grant 17JF023. (Corresponding author: Shancang Li.)
S. Li is with the School of Computer Science, Xi’an University of
Technology, Xi’an 710048, China, and also with the Department of Computer
Science and Creative Technologies, University of the West of England, Bristol
BS16 1QY, U.K. (e-mail: shancang.li@uwe.ac.uk).
K.-K. R. Choo is with the Department of Information Systems and Cyber
Security, University of Texas at San Antonio, San Antonio, TX 78249 USA
(e-mail: raymond.choo@fulbrightmail.org).
Q. Sun is with the School of Computer Science and Engineering, Xi’an
University of Technology, Xi’an 710048, China (e-mail: sqd@xaut.edu.cn).
W. J. Buchanan is with the School of Computing, Edinburgh Napier
University, Edinburgh EH10 5DT, U.K. (e-mail: w.buchanan@napier.ac.uk).
J. Cao is with the School of Computer Science and Engineering, Southeast
University, Nanjing 211189, China (e-mail: jx.cao@seu.edu.cn).
Digital Object Identifier 10.1109/JIOT.2019.2906946
as battlefields and military (e.g., Internet of Battlefield Things
and Internet of Military Things).1
In 2017, it was reported that users of Bose headphones
were being spied upon without their consent [5]. Specifically,
a plaintiff filed a complaint against Bose for their Bose connect application, which allegedly collected data on the music
and audio books their users listened to, and sent the collected information to a third-party data miner (Segment.io).
In the same year, Vizio [6], a Smart TV manufacturer, was
also allegedly monitoring over 11 million smart TVs, where
user data were being sent to other third parties without user
consent [6]. Specifically, it was alleged that the manufacturer monitored the pixels displayed on the TV screen and
matched these to movies stored on a database. This technique
is known as automatic content recognition (ACR). Vizio was
subsequently fined a total of $2.2 Million by the U.S. Federal
Trade Commission, and was also ordered not to track their
users [6]. In addition, the organization was ordered to delete
all their existing data relating to this incident (e.g., near-by
access point details, postal codes, and the Internet protocol
address (IP address) of the local network, and implement a
privacy policy [7].
In general, an IoT system consists of a (large) number
of IoT devices, IoT infrastructures, services and applications,
and interface to other applications or services, which can be
organized into four layers as shown in Fig. 1 [8].
1) Sensing layer, which includes sensing devices to sense
and acquire information, such as smart sensors, radiofrequency identification (RFID), and client components
of IoT.
2) Network layer, which is the infrastructure to support
connectivity to Internet and other devices.
3) Service layer, which provides and manages services to
users or other applications.
4) Application-interface layer, which provides interface to
users or other services.
It can be expected that the increasing popularity and pervasiveness of IoT devices will make such devices more attractive
to attackers, seeking to compromise our systems or exfiltrate
our data, and gain a competitive advantage. In other words,
any IoT device such as a 3-D printer, a smart switch, or a smart
bulb in a smart home environment can potentially be compromised to gain access to the smart devices or the user’s personal
data [1], [3], [9], [10]. In 2016, for example, distributed denial
of service (DDoS) attacks targeting the domain name system
1 [Online]. Available: https://www.arl.army.mil/www/default.cfm?page=3050
(last accessed February 12, 2019)
c 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
2327-4662 
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.
6488
Fig. 1.
IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 4, AUGUST 2019
General IoT architecture.
(DNS) provider, Dyn, was carried out by a botnet comprising
a large number of 2.5 million compromised IoT devices (e.g.,
IP camera, smart printers, and home WiFi gateway) [2], [11].
In the past two years, a large number of vulnerability scans targeting IoT devices have also been reported. For example in a
recent study Pour et al. [12] examined more than 1 TB of passive measurement data collected from a/8 network telescope
(of IoT devices), in correlation with 400 GB of information
from the Shodan service. Based on their findings, the authors
were able to classify the “inferred IoT devices based on their
hosting sector type (financial, education, manufacturing, etc.)
and most abused IoT manufacturers” [13]. They also identified more than 120 000 Internet-scale exploited IoT devices,
including in critical infrastructure sectors, as well as inferring
“140 large-scale IoT-centric probing campaigns; a sample of
which includes a worldwide distributed campaign where close
to 40% of its population includes video surveillance cameras from Dahua, and another very large inferred coordinated
campaign consisting of more than 50 000 IoT devices.” These
findings echoed findings such as those of [14], in the sense
that a large number of today’s IoT devices are insecure. This
is not surprising due to the challenges in designing efficient
security and privacy solutions. In other words, security and privacy solutions designed for IoT devices will have to take into
consideration the interoperability and complex ecosystems, as
well as the computational limitations in IoT devices.
Hence, IoT devices are likely to be sources of evidence in
a cyber security investigation (e.g., investigation of a DDoS
attack) [15]. Unlike conventional digital forensics (e.g., mobile
device forensics), the diversity in IoT devices (e.g., 3-D printers, roadside units in a smart transportation system, smart
healthcare devices in a hospital, and smart military uniforms),
and the different evidence and privacy regulations compound
the challenges of such investigations [16]. Some of these
challenges are as follows.
1) Identification: Identification of potential evidence in IoT
environment can be challenging, particularly if the investigators are not familiar with the types of IoT devices
present as well as the underpinning infrastructure.
2) Preservation: Once the potential source of evidence is
identified, then the question is how can we acquire
and preserve the evidence from the IoT devices, companion application, IoT services, networks in the IoT
infrastructure, and so on, in a forensically sound manner.
3) Analysis: Depending on the format that the evidence
is acquired, analysis of the acquired evidence may be
challenging. We also have to ensure that the analysis takes into consideration data provenance and the
interaction between IoT and cloud servers that facilitate
the aggregation and processing of data from the IoT.
The following major contributions are presented in this
paper.
1) We propose an IoT-based forensic analysis model, which
supports the identification, acquisition, analysis, and
presentation of potential artifacts of forensic interest
from IoT devices and the underpinning infrastructure.
2) We address IoT devices forensic investigation processes
from the forensic perspective, in which each IoT devices
are expected to provide important forensic artifacts.
3) We analyze forensic artifacts retrieved from the popular
Amazon Echo as a use case to demonstrate how our
proposed model can be used to guide forensics analysis
of IoT devices.
In this paper, we present an IoT forensic model (see
Section III) and demonstrate how it can be used to guide the
investigation of IoT devices, using Amazon Echo as a case
study in Section IV. In the next section, we will briefly discuss
related literature.
II. R ELATED L ITERATURE
In recent years, IoT forensic has attracted attention from
the forensic community [17]–[20], for example in wearable
devices [21], smart vehicles [22], smart home devices [23],
and so on. Approaches may vary between the nature and
type of digital forensic investigation. For example, at the IoT
network layer, network forensics tools or methods are generally applied. We refer interested readers to the work of
Caviglione et al. [24], who reviewed popular digital techniques in network forensics, reverse engineering, and so on,
as well as the prevalent data storage formats and files systems.
Key challenges were also briefly discussed. In another related
Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.
LI et al.: IoT FORENSICS: AMAZON ECHO AS USE CASE
work Copos et al. [18] categorized IoT forensics into three
zones: 1) IoT zone; 2) network zone; and 3) cloud zone, where
each zone consists of different areas and forensics analysis
activities.
Oriwoh and Sant [25] presented an automated forensic
management system (FEMS) that was designed to collect
data from a three-layered architecture, namely: perception,
network, and application layers. However, in dynamic IoT
networks, it is difficult for FEMS to investigate all states
of the IoT devices. Zawoad and Hasan [14] proposed a
forensic-aware IoT (FAIoT) model, which allows the collected evidence to be stored in a secure evidence repository
server. Arias et al. [19] described the methods to investigate
the device’s hardware and the relevant system (e.g., operating
system, boot loader, remote installation, and communication
system). In addition, a detailed security measurement for IoT
devices was provided. In [26], a general IoT forensics framework was proposed, comprising a forensic state acquisition
(FSAIoT), and a centralized forensic state acquisition (FSAC)
to classify the evidence acquisition of IoT devices into three
modes (i.e., controller to IoT devices, controller to cloud, and
controller to controller) [27].
There have also been research efforts in smart home devices
and the forensic of such devices. For example, Amazon Echo is
increasingly used as the voice controller hub of smart sensors
and devices, which plays a centric role in bridging different smart home devices and the Amazon cloud server. The
Amazon Echo is activated by wake words like “Alexa,” but
must also constantly listen for the wake-up command, and
clearly this is a potential evidence source [20], [23], [28].
For example, Chung et al. [29] explained how companion
clients (i.e., devices used to send and capture commands and
responses from intelligent home assistants, such as Alexa) can
also be a source of evidence.
A number of device fingerprinting techniques have also
been developed, which can be used for the investigation of
IoT devices. For example, sensor pattern noise (SPN) can be
used to identify the source device that has acquired a digital
image or video, and this is relevant for the investigation of
IoT devices that have a image or video acquisition capability
(e.g., unmanned aerial vehicles). In SPN-based image forensic analysis, as the most dominant part of SPN the photograph
response nonuniformity (PRNU) noise can be extracted from
an image to build image fingerprint and camera fingerprint,
which has been widely used in image origin identification
and image forgery detection. Flicker forensics can also allow
an investigator to identify an IoT device by analyzing the
flicker signal and associate the parameters with some internal
characteristics of the particular device [30].
In the next section, we will address our IoT forensic model.
III. P ROPOSED I OT F ORENSIC M ODEL
When we conduct an IoT forensic investigation, we have
to consider the sources of evidence other than the actual
IoT devices, for example, the sensing, network, service, and
interface layers (see Fig. 1).
6489
Fig. 2.
Proposed IoT forensic model.
Similar to conventional digital forensics, IoT forensics
mainly consists of the following four stages: 1) identification;
2) preservation; 3) analysis; and 4) presentation [31].
1) In the identification stage, the focus should be on IoT
devices (e.g., sensors and intelligent home assistants
such as Amazon Echo), and any related infrastructure
(e.g., routers).
2) In the preservation stage, we may require specialized/customized tools to acquire data from (proprietary)
hardware and applications.
3) In the analysis stage, customized forensic tools may be
required to analyze data from certain devices, other than
the typical commercial forensic tools (e.g., EnCase and
FTK). Both EnCase and FTK are commonly used forensics tools that can be used in digital security, security
investigation, and e-discovery.
4) In the presentation stage, forensic investigators will need
to detail the findings and be able to articulate the analysis, findings and their implications in a court of law.
Meanwhile, the evidence items should be presented with
their original format.
Building on the typical four-stage digital forensic process,
we present an IoT forensic model (see Fig. 2). Specifically,
our model starts from an offense classification stage, where
the roles of IoT are classified into IoT as a target, IoT as
a tool, and IoT as a witness. Then, each related device and
the companion apps are examined using the above four-stage
process. In addition, all acquired forensic artifacts are stored
in an encrypted evidence repository.
A. Offense Classification
Due to the diversity of devices and heterogeneity of
networks in an IoT setting, it can be challenging to identify
Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.
6490
Fig. 3.
IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 4, AUGUST 2019
IoT device identification procedure.
all sources of evidence and collect all relevant forensic artifacts in a timely fashion, especially if third parties or remote
servers (e.g., websites and cloud servers) are involved. First, to
effectively identify the devices for an investigation, it is important to consider the nature of the offense (e.g., a serious and
organized crime type will generally mean that more resources
should be spent on the case), data acquisition methods, and
relevant laws (e.g., what are the elements of proof) and regulations. In general, the IoT-related crimes can be group into
three classes [32].
1) IoT device as a target (e.g., cyberattacks where vulnerabilities in IoT devices are exploited). IoT devices,
particularly inexpensive devices, are likely to be resource
limited in terms of computation capabilities, storage
space, and power supply. Thus, it is challenging, or
impractical, to install security solutions/packages on
such devices, which make them an easy target for cyber
attacks.
2) IoT device as a tool, IoT devices can be used by forensic
investigators as tools to identify, collect, analyze, or even
present evidences in digital investigation. For example, a
compromised IoT device is been used to facilitate other
malicious activities such as a botnet attack.
3) IoT device as a witness (e.g., data stored in the IoT
device can directly implicate an individual accused of
a crime), in which IoT devices are able to identify,
collect, and preserve evidential data for forensic investigation. One prominent example involved the Amazon
Echo, where an Arkansas man was accused of killing his
friend. The prosecutor then sought recordings from the
defendant’s Amazon Echo to be used as evidence [33].
IoT as a witness will likely happen again in the future
frequently because IoT devices are now an integral part
of our daily life.
Fig. 3 shows the workflow of IoT device identification, in
which an IoT device will be examined using the appropriate
approach.
B. IoT Device Identification
In this stage, we seek to answer the following questions.
1) What was/were available at the event/crime scene or a
remote site?
Fig. 4.
IoT device identification.
2) Who and what was/were there when the event/crime
occurred?
3) What are the constraints in collecting the required
evidence?
4) What is the minimum set of evidence required to support
the elements of proof for this specific offense?
A six-step IoT device identification method is presented in
Fig. 4.
1) Define device space, to identify the devices relating to
the specific case.
2) Establish the device lifecycle, to identify the time span
for the device examination.
3) Establish access, to identify the accessibility of the
devices, including confidentiality, authentication, authorization, and so on.
4) Define data categories, to define the data category that
the device can provide.
5) Network access control, to identify the connectivity of
the networks relating to the device and isolate the device
from the connections.
6) Identify the access to devices, this stage summarizes
previous steps and establish the availability of the device
for investigators.
Despite the diversity of IoT device manufacturers, IoT
devices share some similar features and capability. In general, an IoT device consists of a processer or micro-controller,
read-only memory (ROM), random access memory (RAM),
communication module (Bluetooth, wireless, ZigBee, etc.),
and data input/output interfaces. To record the collected or
generated data, an IoT device may be equipped with built-in
secure digital (SD) memory to support removable memory.
Software features of an IoT device include operating systems
(some simple IoT devices may only run very simple code
Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.
LI et al.: IoT FORENSICS: AMAZON ECHO AS USE CASE
TABLE I
E XAMPLE OF H ARDWARE C HARACTERIZATION FOR I OT D EVICES
TABLE II
E XAMPLE OF S OFTWARE C HARACTERIZATION FOR I OT D EVICES
6491
Live memory evidence extraction is another major issue
in IoT forensic preservation. In resource-constrained IoT
devices (e.g., limited computation, storage, energy supply,
etc.), volatile memory extraction can often be conducted
to extract key evidence stored in the RAM or an ongoing
communication session [35]. A number of memory acquisition tools have been developed in the literature, such as the
Android-based memory subsystem (ashmem) [36], Android
low memory killer [37], and memory grab [38].
However, there are still challenges in live memory acquisition. For example, the memory protect unit (MPU) technology
only allows specific instructions or code to access the memory.
This prevents the forensic investigator from accessing the
memory. In addition, anti-forensics (AF) techniques, including
activities to overwrite data and metadata compound the challenges of memory acquisition. For example, TimeStomp2 can
be used to overwrite NTFS create, modify, access,
and change timestamps [39].
Also, while a number of tools have been developed for live
memory acquisition from computers and laptops (e.g., Winen,
dd, dumpit.exe, winhex, nigilant32, memoryze, and readline),
there are limited tools designed for IoT devices.
D. IoT Forensic Analysis and Presentation
without an operating system), middleware, file system, and
applications. Many IoT devices do not have a specific file
system and in this case, the investigator may need undertake
further research, for example how to leverage the application
software development kit (SDK) to obtain more information.
Conventional digital forensic tools, such as DD, EnCase,
FTK Imager, and SIFT, may also be useful in some cases.
In IoT forensics, the data extraction tools/methods can be
classified into five levels, namely: manual, logical, hex dumping/JTAG, chip-off, and micro-read [34]. For IoT devices that
are not supported by existing forensic tools, the investigator could also consider seeking the cooperation of the device
owner, reviewing seized material, seeking the assistance of the
service provider (e.g., Amazon in the case of Amazon Echo),
and so on.
C. Evidence Preservation
Tables I and II show the potential avenues for data preservation, and in this paper, we will focus on memory forensics.
Specifically, we will focus on: 1) extracting data from the
memory of a target IoT device and 2) analyzing the physical
memory data (from RAM), page file (or SWAP space) data,
etc. Swap space denotes areas on disk used for interchanging
contents between main RAM and secondary memory, in Linux
swap is an actual disk partition and in windows machine, the
swap space is a pagefile. In digital forensics, Swap file is a rich
source of key evidence items, including passwords, sensitive
data, encryption keys, etc.
IoT forensic analysis can be scenario- and device-specific,
since IoT systems can have different configurations and settings. For example, in a smart home system as shown in Fig. 5,
the devices involved may differ from an Industry IoT (IIoT)
systems. The general approach can include attempts to reconstruct the IoT crime/event scenes. The findings of the analysis
also need to be documented and presented, for example to the
jury, prosecutors, and judges.
IV. A MAZON E CHO (P I ) F ORENSICS
Amazon Echo is a popular intelligent home assistant or
“smart home” IoT hub, which takes voice commands from the
users to control itself and other connected IoT devices/sensors
(e.g., smart lights, smart kettles, smart locks, smart thermostats, and smart doors) [40]. Using the voice recognition
technology (i.e., Alexa in the case of Amazon Echo), users
can interact with the connected IoT devices using their voice.
Clearly, the devices require some sort of Internet connection
(e.g., WiFi) [20].
In a prior work involving the analysis of Amazon Echo [29],
it was reported that the user’s history data and interactions with
Alexa are stored in the SQLite database and Web cache files.
The authors analyzed two Amazon Echo Dots, with Android
4.4.2 + Alexa app, iOS 10.1.1 + Alexa app, OS X 10.10.5
+ Chrome, and Windows 10 + Chrome. For the network
analysis, it was determined that most of the communications
were encrypted and the JSON format was used for passing parameters. The authors’ analysis of the communications
revealed undocumented API calls to RESTful Web services. In
other words, there are seven categories of data on the device,
namely: account, customer setting, Alexa-associated devices,
2 [Online].
Available:
https://www.offensive-security.com/metasploitunleashed/timestomp/ (last accessed June 20, 2018)
Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.
6492
Fig. 5.
IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 4, AUGUST 2019
General IoT forensic analysis.
TABLE III
L OCATION OF C LIENT A RTIFACTS [29]
Fig. 6.
Alexa Pi firmware images created using EnCase 7.0.
skills and behaviors of user, user activity, etc. The researchers
found that most of the data contain UNIX timestamps, which
could be used to create timeline of activities within an investigation [29]. Within this applications, the utterance API could
be used to download voice files [41].
The location of the client artifacts depends on the access
method being used, such as for SQLite databases on iOS
and Android, and within Chrome caches for OS X and
Windows 10. A summary of these locations is presented in
Table III.
On Android device, the SQLite files are contained in
map_data_storage.db (token information for the current user,
and is deleted when the user signs out) and DataStore.db.
For iOS device, there is a single file named LocalData.sqlite.
While the Android analysis was fairly easy, the iTunes backup
protocol had to be used in iOS analysis. The chrome access
data was found stored in the data-block-files, which could be
possible to rebuild Alexa-related caches into the first HTTP
headers, and cached data. This could be useful for determining user behaviors as the stored things (e.g., user clicks) can
lead to calls to Alexa APIs [41], [42].
In IoT forensics, analyzing embedded files and data with
firmware images is an effective way. By connecting the universal asynchronous receiver/transmitter (UART) port in Echo,
the boot debug messages can be output to a terminal. In our
research, we determine that Echo uses u-boot as its boot
loader, which is a popular open source bootloader and a number of commands/tools can be used to extract information
in the firmware. In this paper, we use the Alexa Pi to
build an Echo over Raspberry Pi Version B, which uses
similar firmware with Amazon Echo. In our experiment, we
analyze the Alexa Pi over Ubuntu (16.04), the companion
app installed on an iPad 4 (iOS 12), and the Alexa voice
server (AVS).
We first use u-boot to output the firmware in Alexa Pi,
which results in three EnCase images (see Fig. 6).
A. Data Type
We then analyze the data type created, transmitted, processed, and stored on the IoT devices. For an Amazon Echo
and the AVS service, we determine that the following (see also
Fig. 7).
1) Device related data include device name, device group,
serial number, hardware data, timezone, region, etc.
2) Connectivity includes connection address, WiFi:
Gateway IP, IP, media access control address (MAC
address), Server address, Bluetooth address, etc.
3) User data include data related to the IoT device, such as
username/password, language, calenders, and email.
Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.
LI et al.: IoT FORENSICS: AMAZON ECHO AS USE CASE
Fig. 7.
Data type related to Amazon Echo.
Fig. 8.
Data extracted from the companion app (partially).
6493
Fig. 9.
Alexa Pi firmware file system.
Fig. 10.
Alexa Pi configuration for AVS.
4) Application data include Host name, Client version,
ProductID, ClientID, ClientSecret, Device Reg name,
Bearer token, registered user, etc.
5) Other data include communication data, specific protocol type, etc.
B. Alexa Pi Data Acquisition
Data acquired from the companion app include device
related information, account, and network, as shown in Fig. 8.
For each IoT device, more detailed data can be extracted using
both logical and physical methods, including device name,
WiFi, device register, serial number, and MAC address. In
addition, information such as language and location can also
be extracted directly after further analyzing the app.
The bootloader’s command line interface allows raw access
to part of the memory areas and Flash integrated circuit (IC).
When processing the bootloader message via the UART
port, an investigator can obtain the location of the kernel image
and scout the firmware by using the u-boot command-line
interface (CLI). In further examination of the file system in
the firmware, Debian system information can also extracted as
shown in Fig. 9.
We use Zenmap to locate the IP address as:
192.168.0.10 and MAC address AC:63:BE:78:98:D6
of an Echo via a ping scan. In more complex investigations,
we can also use port pings to find all ports open on the
devices. By checking the IP address and MAC address, the
investigator can identify other IoT devices that need to be
examined.
Through the UART, we can dump the firmware to an image
file. In this investigation, it is very difficult to solder the UART
to the USB ports. Fortunately, in [44], an Echo image is provided that can be loaded via a Raspberry Pi, which works
fine as an Echo device. We investigate the images on the
Raspberry Pi, which contains the information that an Echo
has.
Some information to identify the device can be found by
investigating the firmware. Amazon requires each Amazon
Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.
6494
Fig. 11.
IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 4, AUGUST 2019
Firmware analysis using autopsy.
Echo device to provide the productID (also known as
Device Type ID), ClientID, and ClientSecret in order to
use AVS, as shown in Fig. 10. The Echo firmware contains several files within the root folder, for example in the
automated_install.sh file.
C. Examination and Analysis
The two devices’ information are shown in Fig. 12. For
each device, information such as device name, wireless connections, device register, serial number, and MAC address
are located and analyzed. For example, the Setting section stored within the Alexa app contains information that
can be used to identify the IoT device. In other words, the
investigator can extract the device name, the Wi-Fi that the
IoT device had previously connected to, Bluetooth connection
information, and paired device. The “device is registered to”
information may also be used to identify the owner of the
Echo, for example in collaboration with Amazon. Meanwhile
both serial number and MAC address can be used to identify
the Echo and other connected devices.
Echo uses an address set in the Alexa companion app, where
the location information is used to provide weather forecasting
and location-based services. Analysis of location information
acquired from companion devices (e.g., Google Maps, Find
your device, and weather) can also be corroborated with other
analysis.
The location data extracted from settings shows the whereabouts of the user. It also provides the geolocation data
(e.g., address and postcode) that the user was searching for.
However, during the analysis, the investigator also needs to
check the history to get more context of the search request.
Amazon Echo is also capable of storing private conversations in the home, or other nonverbal indications that can
identify who is present in the home (e.g., based on audible
cues). However, in this stage we are only able to identify the
recordings streamed by Echo from the user’s home activated
by the wake words. The text-transferred recordings are stored
on both Amazon Alexa Server and Alexa companion app.
The device time zone is key to identifying data with
an associated timestamp. In our further examination of the
firmware, the device time zone can be used to validate the
access/modify/creation time of files like .wavtemp. The wake
word and language are also key to analyzing the history. Since
the default wake word is Alexa, the investigator can also find
the user-defined wake word, if any.
When examining the companion app and the firmware, we
also located 5163 audio files (e.g., stop.mp3 and error.mp3),
which can indicate the last operating time of the device (see
Fig. 11).
Fig. 11 also shows the keyword search results. In this example, keywords such as Amazon, Echo, and MAC were used
and 288, 206, and 144 results were found, respectively. There
are also 1584 potential email addresses located, which may
contain the user accounts or potential passwords for logging
to the AVS. In fact, we locate the login id with the corresponding password that can be used to login to the AVS, as shown
in Fig. 12. To further analyze the services that Echo provides,
network forensics tools can be used to scan the open ports
and potential services. In our examination, we use Zenmap
with command {nmap -T4 -A -v 192.168.0.10} to
scan the ports. We note that ports 80, 5200, 515, 427,
10001, 631, and 9100 are open. These open ports can
be useful in analyzing the connection behaviors of Echo and
Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.
LI et al.: IoT FORENSICS: AMAZON ECHO AS USE CASE
Fig. 12.
Fig. 13.
6495
AVS website logged using the found login id and PWD from firmware.
Unrecognized services found in the images.
can be used to trace the behaviors of the user. Using command {nmap -sV -T4 -F 192.168.0.10}, we found
the services provided by Echo, including http, svrloc,
printer, ipp, jetdirect, et al. Two additional
services were also found using service fingerprints. One of
the findings is shown in Fig. 13.
Findings from the analysis of different devices, etc., are then
pieced together.
V. C ONCLUSION
IoT forensics will be increasingly important, as more
devices around us are connected to the Internet or some form
of networks (e.g., a private home or office network). In other
words, evidence can be collected from IoT devices, internal
network, applications, some external (cloud) server, and/or
other components of the IoT ecosystem. This complicates the
challenge in the timely identification of potential evidential
sources and acquisition of evidence. Thus, in this paper, we
presented an IoT forensic analysis model and demonstrated
how it can be used to guide the investigation of an Amazon
Echo.
We also identified a number of potential research opportunities in IoT forensics, such as the following.
1) Timely identification of potential evidential sources and
acquisition of evidence (as discussed above).
2) The data type/format and its lifespan may vary between
different IoT devices and systems, and the dynamic
nature of some IoT devices and systems may necessitate
live forensics. Hence, we have to ensure that the tools
and processed used in the acquisition of such data are
forensically sound.
3) As IoT applications may be delivered as services in
the cloud platform, evidence can be distributed across
different cloud servers that are probably in a foreign
jurisdiction. Hence, there is a need to design appropriate tools that could facilitate (remote) data acquisition,
as well as working with policy makers to draft legislation to facilitate such remote data acquisition to ensure
evidence admissibility.
4) We also need to design tools or techniques that allow us
to address the large storage requirement associated with
the search space.
5) We need to keep pace with emerging and new IoT
devices and other components in the IoT ecosystem,
for example in terms of our forensic capabilities and
to overcome anti-forensic measures.
6) The need to design forensically friendly/ready IoT
systems (a concept coined as forensic-by-design
in [43] and [45]–[49]), in order to facilitate the identification and secure storage of data of forensic interest
that will be made available for a forensic investigation.
Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.
6496
IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 4, AUGUST 2019
R EFERENCES
[1] S. Li and L. Da Xu, “Security in enabling technologies,” in Securing the
Internet of Things. Cambridge, MA, USA: Syngress, 2017, pp. 23–109.
[2] M. Mangia, F. Pareschi, R. Rovatti, and G. Setti, “Low-cost security of IoT sensor nodes with rakeness-based compressed sensing:
Statistical and known-plaintext attacks,” IEEE Trans. Inf. Forensics
Security, vol. 13, no. 2, pp. 327–340, Feb. 2018.
[3] J. Pawlick and Q. Zhu, “Strategic trust in cloud-enabled cyber-physical
systems with an application to glucose control,” IEEE Trans. Inf.
Forensics Security, vol. 12, no. 12, pp. 2906–2919, Dec. 2017.
[4] A. Nieto, R. Roman, and J. Lopez, “Digital witness: Safeguarding digital
evidence by using secure architectures in personal devices,” IEEE Netw.,
vol. 30, no. 6, pp. 34–41, Nov./Dec. 2016.
[5] H. Tsukayama. (2017). Bose Headphones Have Been Spying
on Customers, Lawsuit Claims. [Online]. Available: https://
www.smh.com.au/technology/bose-20170420-gvo8pq.html
[6] J. Kastrenakes. (2017). Most Smart TVS Are Tracking You—Vizio
Just Got Caught. [Online]. Available: https://www.theverge.com/
2017/2/7/14527360/vizio-smart-tv-tracking-settlement-disable-settings
[7] Y. Ma, Y. Wu, J. Li, and J. Ge, “APCN: A scalable architecture for balancing accountability and privacy in large-scale
content-based networks,” Inf. Sci., Jan. 2019. [Online]. Available:
https://doi.org/10.1016/j.ins.2019.01.054
[8] L. Da Xu, W. He, and S. Li, “Internet of Things in industries: A survey,”
IEEE Trans. Ind. Informat., vol. 10, no. 4, pp. 2233–2243, Nov. 2014.
[9] Q. Do, B. Martini, and K.-K. R. Choo, “Cyber-physical systems
information gathering: A smart home case study,” Comput. Netw.,
vol. 138, pp. 1–12, Jun. 2018.
[10] Q. Do, B. Martini, and K.-K. R. Choo, “A data exfiltration and remote
exploitation attack on consumer 3D printers,” IEEE Trans. Inf. Forensics
Security, vol. 11, no. 10, pp. 2174–2186, Oct. 2016.
[11] K. P. Trommler. (2018). Know Your Enemy: What Happens
Behind the Scenes in a DDoS Attack. [Online]. Available:
https://blog.paessler.com/types-of-ddos-attacks
[12] M. S. Pour et al., “Comprehending the IoT cyber threat landscape:
A data dimensionality reduction technique to infer and characterize
Internet-scale IoT probing campaigns,” in Proc. Digit. Invest., 2019.
[13] S. Li, S. Zhao, Y. Yuan, Q. Sun, and K. Zhang, “Dynamic security risk evaluation via hybrid Bayesian risk graph in cyber-physical
social systems,” IEEE Trans. Comput. Social Syst., vol. 5, no. 4,
pp. 1133–1141, Dec. 2018.
[14] S. Zawoad and R. Hasan, “FAIoT: Towards building a forensics aware
eco system for the Internet of Things,” in Proc. IEEE Int. Conf. Services
Comput., Jun. 2015, pp. 279–284.
[15] S. Alabdulsalam, K. Schaefer, M. T. Kechadi, and N. Le-Khac,
“Internet of Things forensics: Challenges and case study,”
CoRR,
vol.
abs/1801.10391,
2018.
[Online].
Available:
http://arxiv.org/abs/1801.10391
[16] A. MacDermott, T. Baker, and Q. Shi, “IoT forensics: Challenges for the
IoA era,” in Proc. 9th IFIP Int. Conf. New Technol. Mobility Security
(NTMS), Feb. 2018, pp. 1–5.
[17] E. Oriwoh, D. Jazani, G. Epiphaniou, and P. Sant, “Internet of
Things forensics: Challenges and approaches,” in Proc. 9th Int. Conf.
Collaborative Comput. Netw. Appl. Worksharing (Collaboratecom),
2013, pp. 608–615.
[18] B. Copos, K. Levitt, M. Bishop, and J. Rowe, “Is anybody home?
Inferring activity from smart home network traffic,” in Proc. IEEE
Security Privacy Workshops (SPW), San Jose, CA, USA, 2016,
pp. 245–251.
[19] O. Arias, J. Wurm, K. Hoang, and Y. Jin, “Privacy and security in
Internet of Things and wearable devices,” IEEE Trans. Multi-Scale
Comput. Syst., vol. 1, no. 2, pp. 99–109, Apr./Jun. 2015.
[20] W. W. Gibbs, “Build your own Amazon Echo—Turn a PI into a voice
controlled gadget,” IEEE Spectr., vol. 54, no. 5, pp. 20–21, May 2017.
[21] Q. Do, B. Martini, and K.-K. R. Choo, “Is the data on your wearable
device secure? An Android Wear smartwatch case study,” Softw. Pract.
Exp., vol. 47, no. 3, pp. 391–403, 2017.
[22] N.-A. Le-Khac, D. Jacobs, J. Nijhoff, K. Bertens, and
K.-K. R. Choo, “Smart vehicle forensics: Challenges and case
study,” Future Gener. Comput. Syst., Jun. 2018. [Online]. Available:
https://doi.org/10.1016/j.future.2018.05.081
[23] A. Goudbeek, K.-K. R. Choo, and N.-A. Le-Khac, “A forensic investigation framework for smart home environment,” in Proc. 17th IEEE Int.
Conf. Trust Security Privacy Comput. Commun. (TrustCom), New York,
NY, USA, 2018, pp. 1446–1451.
[24] L. Caviglione, S. Wendzel, and W. Mazurczyk, “The future of digital forensics: Challenges and the road ahead,” IEEE Security Privacy,
vol. 15, no. 6, pp. 12–17, Nov./Dec. 2017.
[25] E. Oriwoh and P. Sant, “The forensics edge management system: A
concept and design,” in Proc. IEEE 10th Int. Conf. Ubiquitous Intell.
Comput. IEEE 10th Int. Conf. Auton. Trusted Comput., Dec. 2013,
pp. 544–550.
[26] C. Meffert, D. Clark, I. Baggili, and F. Breitinger, “Forensic state
acquisition from Internet of Things (FSAIoT): A general framework and practical approach for IoT forensics through IoT device
state acquisition,” in Proc. 12th Int. Conf. Avail. Rel. Security,
2017, p. 56.
[27] A. Nieto, R. Rios, and J. Lopez, “IoT-forensics meets privacy:
Towards cooperative digital investigations,” Sensors, vol. 18, no. 2,
p. 492, 2018.
[28] N. Chavez. (2017). Arkansas Judge Drops Murder Charge in
Amazon Echo Case. [Online]. Available: https://edition.cnn.com/2017/
11/30/us/amazon-echo-arkansas-murder-case-dismissed/index.html
[29] H. Chung, J. Park, and S. Lee, “Digital forensic approaches for
Amazon Alexa ecosystem,” Digit. Invest., vol. 22, pp. S15–S25,
Aug. 2017. [Online]. Available: http://www.sciencedirect.com/
science/article/pii/S1742287617301974
[30] Cyber Security Community. (2017). What Is IoT Forensics
and How Is It Different From Digital Forensics? [Online].
Available: https://securitycommunity.tcs.com/infosecsoapbox/articles/
2018/02/27/what-iot-forensics-and-how-it-different-digital-forensics
[31] R. C. Hegarty, D. J. Lamb, and A. Attwood, “Digital evidence challenges
in the Internet of Things,” in Proc. INC, 2014, pp. 163–172.
[32] U. Salama. (2017). Investigating IoT Crime in the Age of
Connected Devices. [Online]. Available: https://securityintelligence.com/
investigating-iot-crime-in-the-age-of-connected-devices/
[33] E. C. McLaughlin. (2017). Suspect OKs Amazon to Hand
Over Echo Recordings in Murder Case. [Online]. Available:
https://edition.cnn.com/2017/03/07/tech/amazon-echo-alexa-bentonvillearkansas-murder-case/index.html
[34] R. Ayers, S. Brothers, and B. W. Jansen, Guidelines on Mobile Device
Forensics, document SP 800-101, NIST, Gaithersburg, MD, USA, 2014.
[35] V. L. L. Thing, K.-Y. Ng, and E.-C. Chang, “Live memory forensics of
mobile phones,” Digit. Invest., vol. 7, pp. S74–S82, Aug. 2010.
[36] S. Smalley, “The case for SE Android,” in Proc. Linux Security Summit,
2011, pp. 1–10.
[37] H. T. Al-Rayes, “Studying main differences between Android & Linux
operating systems,” Int. J. Elect. Comput. Sci., vol. 12, no. 5, p. p46,
2012.
[38] H. Altuwaijri and S. Ghouzali, “Android data storage security: A
review,” J. King Saud Univ. Comput. Inf. Sci., 2018. [Online]. Available:
https://doi.org/10.1016/j.jksuci.2018.07.004
[39] D. Kirkpatrick. (2017). Gartner: Global Wearables Sales
to
Grow
17
Percent
This
Year.
[Online].
Available:
https://www.marketingdive.com/news/gartner-global-wearables-sales-togrow-17-this-year/503480/
[40] S. Li, L. Da Xu, and S. Zhao, “5G Internet of Things: A survey,” J. Ind.
Inf. Integr., vol. 10, pp. 1–9, Jun. 2018.
[41] B. Buchanan. (2017). The New Digital Investigator: Interrogating
Alexa. [Online]. Available: https://www.linkedin.com/pulse/new-digitialinvestigator-interogating-alexa-buchanan-obe-phd-fbcs/
[42] S. Li, G. Oikonomou, T. Tryfonas, T. M. Chen, and L. D. Xu,
“A distributed consensus algorithm for decision making in serviceoriented Internet of Things,” IEEE Trans. Ind. Informat., vol. 10, no. 2,
pp. 1461–1468, May 2014.
[43] W. Miao et al., “Stochastic performance analysis of network function
virtualization in future Internet,” IEEE J. Sel. Areas Commun., vol. 37,
no. 3, pp. 613–626, Mar. 2019.
[44] G. Bourne. (2016). I Built My Own Amazon Echo With a Raspberry
Pi: Alexaberry. [Online]. Available: https://dzone.com/articles/i-builtmy-own-amazon-echo-alexa-with-a-raspberry
[45] N. H. A. Rahman, W. B. Glisson, Y. Yang, and K.-R. Choo, “Forensicby-design framework for cyber-physical cloud systems,” IEEE Cloud
Comput., vol. 3, no. 1, pp. 50–59, Jan./Feb. 2016.
[46] N. H. A. Rahman, N. D. W. Cahyani, and K.-K. R. Choo, “Cloud incident handling and forensic-by-design: Cloud storage as a case study,”
Concurrency Comput. Pract. Exp., vol. 29, no. 14, pp. 1–16, 2017.
[47] G. Grispos, W. B. Glisson, and K.-K. R. Choo, “Medical cyberphysical systems development: A forensics-driven approach,” in Proc.
2nd IEEE/ACM Int. Conf. Connected Health Appl. Syst. Eng. Technol.
(CHASE), Philadelphia, PA, USA, Jul. 2017, pp. 108–113.
Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.
LI et al.: IoT FORENSICS: AMAZON ECHO AS USE CASE
[48] S. Li, L. D. Xu, and X. Wang, “Compressed sensing signal
and data acquisition in wireless sensor networks and Internet of
Things,” IEEE Trans. Ind. Informat., vol. 9, no. 4, pp. 2177–2186,
Nov. 2013.
[49] S. Li et al., “Distributed consensus algorithm for events detection in cyber physical systems,” IEEE Internet Things J., to be
published.
Shancang Li received the B.Sc. and M.Sc. degrees
in mechanics engineering and the Ph.D. degree in
computer science from Xi’an Jiaotong University,
Xi’an, China, in 2001, 2004, and 2008, respectively.
He is currently a Senior Lecturer with the
Department of Computer Science and Creative
Technologies, University of the West of England,
Bristol, U.K. He has authored over 60 papers published in high profile journals and conferences. His
current research interests include digital forensics
for emerging technologies, cyber security, Internet
of Things (IoT) security, data privacy-preserving, IoT, blockchain technology,
and the lightweight cryptography in resource constrained devices.
Dr. Li is an Associate Editor of IEEE ACCESS and the Journal of Industrial
Information Integration. He is a member of the British Computer Society.
Kim-Kwang Raymond Choo (SM’15) received
the Ph.D. degree in information security from the
Queensland University of Technology, Brisbane,
QLD, Australia, in 2006.
He currently holds the Cloud Technology
Endowed Professorship with the University of Texas
at San Antonio (UTSA), San Antonio, TX, USA.
Dr. Choo was named the Cybersecurity Educator
of the Year APAC (Cybersecurity Excellence Awards
are produced in cooperation with the Information
Security Community on LinkedIn) in 2016, and
in 2015, he and his team won the Digital Forensics Research Challenge organized by Germany’s University of Erlangen–Nuremberg. He was a recipient of
the 2018 UTSA College of Business Col. Jean Piccione and the Lt. Col. Philip
Piccione Endowed Research Award for Tenured Faculty, the IEEE TrustCom
2018 and ESORICS 2015 Best Paper Awards, the 2014 Highly Commended
Award by the Australia New Zealand Policing Advisory Agency, the Fulbright
Scholarship in 2009, the 2008 Australia Day Achievement Medallion, and
the British Computer Society’s Wilkes Award in 2008. He is the Co-Chair
of IEEE Multimedia Communications Technical Committees Digital Rights
Management for Multimedia Interest Group. He is a Fellow of the Australian
Computer Society.
6497
Qindong Sun received the Ph.D. degree from the
School of Electronic and Information Engineering,
Xi’an Jiaotong University, Xi’an, China.
He is currently a Professor with the Department
of Computer Science and Engineering, Xi’an
University of Technology, Xi’an. His current
research interests include network security, online
social networks, digital forensics, cyber security, and
Internet of Things.
Dr. Sun is a member of the China Computer
Federation.
William J. Buchanan is a Professor with the
School of Computing, Edinburgh Napier University,
Edinburgh, U.K. He was appointed an Officer
of the Order of the British Empire in the 2017
Birthday Honors for services to cyber security.
One of his most recent achievements is the creation of a Blockchain Identify Lab, which is one
of the first of its type in the world, having significant industry funding. He currently leads the
Centre for Distributed Computing, Networks, and
Security, Edinburgh Napier University and the Cyber
Academy. This has led to several world-wide patents and in the highly successful spin-off companies: Zonefox and Symphonic Software. His current
research interests include information sharing, Internet of Things, e-health,
threat analysis, cryptography, and triage within digital forensics.
Prof. Buchanan was a recipient of the Outstanding Contribution to
Knowledge Exchange of the Scottish Knowledge Exchange Awards in 2018.
He is a Fellow of the BCS and IET.
Jiuxin Cao received the Ph.D. degree in computer science from Xi’an Jiaotong University, Xi’an,
China, in 2003.
He is currently a Professor with the School
of Cyber Science and Engineering, Southeast
University, Nanjing, China, where he currently
leads the Jiangsu Key Laboratory of Computer
Networking Technology as the Director. His current
research interests include cyber security, locationbased services, and online social networks.
Dr. Cao is a Senior Member of the China
Computer Federation.
Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.
Task details and instructions
You are required to submit an essay and conduct a digital forensic analysis of Network
Security in AWS platform. Specifically, you are required to conduct a digital forensic
investigation and analysis of the AWS platform in an approach similar to the given base-paper.
You are required to follow the methodology of the given base paper; however, you need to
apply it to AWS accordingly.
You are required to follow the given base paper methodology and produce comparable
results and document your results in a similar format.
Formatting
Should be in single column, font 12 Times New Roman, IEEE referencing format (numbered),
single line spacing, left aligned and not less than 3,000 words. All figures should be focused
and very sharp! Figures and tables should be used only when necessary and inclusion of
irrelevant contents would be penalized! Please make sure all figures and tables are cited intext. Obviously, your paper should not have any writing or grammar issues!