Authors: Yeonghun Shin (Department of Computer Engineering, Ajou University), Hyungchan Kim (Department of Computer Engineering, Ajou University), Sungbum Kim (Department of Computer Engineering, Ajou University), Dongkyun Yoo (Department of Computer Engineering, Ajou University), Wooyeon Jo (Department of Computer Engineering, Ajou University), and Taeshik Shon (Department of Computer Engineering, Ajou University; Department of Cyber Security, Ajou University)



AI Speakers are typical cloud-based internet of things (IoT) devices that store a variety of information regarding users on the cloud. Although analyzing encrypted traffic between these devices and the cloud, as well as the artifacts stored there, is an important research topic from the perspective of cloud-based IoT forensics, studies on directly analyzing encrypted traffic between AI Speakers and the cloud remain insufficient. In this study, we propose a forensic model that can collect and analyze encrypted traffic between an AI Speaker and the cloud based on a certificate injection. The proposed model consists of porting AI Speaker image on Android device, porting AI Speaker image using QEMU (Quick EMUlator), running exploit using the AI Speaker app vulnerability, rewriting Flash memory using H/W interface, and reworking and updating Flash memory. These five forensic methods are used to inject the certificate into AI Speakers. The proposed model shows that we can analyze encrypted traffic against various AI Speakers such as an Amazon Echo Dot, Naver Clova, SKT NUGU Candle, SKT NUGU, and KT GiGA Genie, and obtain artifacts stored on the cloud. In addition, we develop a verification tool that collects artifacts stored on KT GiGA Genie cloud.