It is difficult to turn down the exciting prospect of having your very own robotic butler in your house! Virtual assistants are soaring in popularity, and leading technology companies like Amazon, Google, and even Facebook have recently increased production of them. Incredible amounts of forensically relevant data have already been found on the devices and their associated mobile applications. In response to this wide adoption, Amazon in particular has set out to unlock the full potential of its customers’ new digital butler by releasing “Alexa” applications for numerous devices, including Windows 10.
The following is an in-depth review of the “Alexa” application from the Windows 10 platform Store. All forensically relevant data will be highlighted and the application file structure will be noted.
Application Data Location Breakdown
Contains a total of five directories related to Amazon’s Alexa with slightly varied titles of “AMZNMobileLLC.AmazonAlexa“, based on the purpose of the directory and which version you have downloaded. Four of these directories contain different scaled Asset files. Such items include application images like the Amazon logo in different colours, and some fonts used within the app. The fifth directory, 57540AMZNMobileLLC.AmazonAlexa_1.1.600.0x64_22t9g3sebte08, contains a bit more of the meat, holding numerous interface DLL files, config files, and an Alexa executable itself.
Holds four XML files that mention Alexa app version information and references to some of the asset directories. One layer deeper, “/Packages/” reveals five directories that look similar to those in the first path. Four of these directories contain package deployment (.PCKGDEP) files, named after the installing user’s Windows SID. The fifth includes the less useful files “ActivationStore.dat” and “CustomCapability.can.xml”, plus another user SID package deployment file.
This is where the valuable forensic information starts to come into play. Under this user-specific directory, the standard Windows 10 Application Store directories (AC, RoamingState, SystemAppData, AppData, Settings, TempState, LocalCache, and LocalState) can be found.
“C:\Users\jbonc\AppData\Local\Packages\57540AMZNMobileLLC.AmazonAlexa_22t9g3sebte08\LocalCache\Local\Alexa\Logs” Contains valuable Alexa daily logging files, trace logging files, and debugging files.
“C:\Users\jbonc\AppData\Local\Packages\57540AMZNMobileLLC.AmazonAlexa_22t9g3sebte08\LocalState” Has similar daily log/debug files, but with much more action background data. There are also Settings.json and LocalCache.json files sitting within this directory. I highly recommend looking at both locations for all logging data.
The main takeaway from my research was that this version of Alexa seemed to vary slightly from the same application on other platforms. Fortunately, these files do hold incredible amounts of relevant data for us, although not exactly what I was initially hoping for. Here are my findings:
- This application is set by default to launch immediately upon startup of the user’s machine; however, this can be easily disabled. When the application is exited by the “X” in the top right, it will only minimize to the taskbar. Full app closure requires clicking the “X” on the item panel inside the application. Regardless of any user action or input, if this application starts up on the machine, log files will be created for that day.
- A ‘wakeword’ feature is included with this version of the app; however, some devices (including my own desktop) did not have the feature available for some reason.
- I think it is important to note the complete absence of any user search phrases. Although I have tested numerous times and looked in every way I could think of, these files are not stored for very long – if at all. All attempts at unallocated recovery and cache recovery were unsuccessful for me.
- The Date Modified of the ActivationStore.dat file at path “C:\ProgramData\Microsoft\Windows\AppRepository/Packages/“ is the date/time of the initial Alexa application install.
- If you’re like me, the inclusion of log files jumped right out at you! Logging in this app is categorized by date of app use. It resides in the form of logs, trace logs, and debug logs.
- Standard Alexa logs within the /LocalCache/ directory reveal basic information about the state of the application and its connections/transmission states.
- Alexa Trace logs reveal more verbose information about transmission status and user input actions.
- Debug logs show verbose information about the background application processes.
- The main generalized information that can be derived from the collection of all log files is the date/time the application was launched, the time a user asked Alexa a question, and when Alexa was prompted to shut down. I believe these recorded user actions could provide valuable insight into the user presence at the device.
- As you can see below, Figure 1 shows how the Alexa-trace log reports when the Alexa button is physically activated (clicked) by a user. I imagine a similar reporting method would be seen if the user used a voice command instead of clicking for a request. [Grabbed from Directory under LocalCache]
- Figure 2 signifies the time the application starts using the microphone to listen to the user’s request. [Grabbed from Directory under LocalState]
- Figure 3 shows how/when Alexa triggers the listening and recording process in the log file. [Grabbed from Directory under LocalCache]
- Figure 4 displays when the user prompts for the application to shut down.
- Figure 5 shows how the more in-depth version of these logs (under the LocalState directory) provides more insight into the step-by-step process Alexa takes to record, transmit, and understand the user input. In Figure 5, you can see that Alexa is using HTTP to transfer the encrypted user request as a binary attachment.
- alerts.db is another peculiar file I found that did not seem to populate. I imagine this database file is meant to hold user requests for alert items, but my attempts to create such were unsuccessful. (C:\Users\jbonc\AppData\Local\Packages\57540AMZNMobileLLC.AmazonAlexa_22t9g3sebte08\LocalState\Alexa)
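
The log locations described above lend themselves to a quick triage inventory. The following is an added example, not part of the original research: it assumes the path to a user profile directory (for instance from a mounted image) is passed in, and its function names are illustrative. It lists every file under the two log locations with its last-write time in UTC and its SHA-256, and derives the days on which the app wrote files.

```python
import hashlib
import sys
from datetime import datetime, timezone
from pathlib import Path

# Package directory and sub-paths as named in the post.
PACKAGE = "57540AMZNMobileLLC.AmazonAlexa_22t9g3sebte08"
LOCATIONS = {
    "localcache_logs": Path("LocalCache/Local/Alexa/Logs"),
    "localstate": Path("LocalState"),   # also covers Settings.json and Alexa/alerts.db
}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:        # opened read-only; evidence is not modified
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory(profile_dir):
    """Return one record per file under the Alexa package's log locations."""
    base = Path(profile_dir) / "AppData" / "Local" / "Packages" / PACKAGE
    records = []
    for label, rel in LOCATIONS.items():
        root = base / rel
        if not root.is_dir():           # location absent for this profile: skip it
            continue
        for f in sorted(p for p in root.rglob("*") if p.is_file()):
            st = f.stat()
            records.append({
                "location": label,
                "path": f.relative_to(base).as_posix(),
                "size": st.st_size,
                "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc),
                "sha256": sha256_of(f),
            })
    return records

def activity_days(records):
    """Distinct UTC dates on which any inventoried file was last written."""
    return sorted({r["modified_utc"].date().isoformat() for r in records})

if __name__ == "__main__":
    recs = inventory(sys.argv[1])       # e.g. the profile folder on a mounted image
    for r in recs:
        print(r["modified_utc"].isoformat(), r["sha256"], r["size"], r["path"])
    print("days with writes:", activity_days(recs))
```

Because the app creates log files on every day it starts, the dates returned by `activity_days` give a first approximation of the days the app ran; confirm them against the log contents.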
I am very pleased that this application adds to the expanding list of forensic search locations for the Windows 10 platform. Although I would have wished to have found the locally stored user requests, the available timestamps do allow for some interpretation of previous events. These were the findings I believed to be relevant for forensic use. If you have found any additions to this data research or application in general, I encourage you to contact me with them and I will link them here! Together we will uncover more about what Alexa has to offer! Thanks for reading!