Network Security in Cloudcomputing with AWS

Task details and instructions You are required to submit an essay and conduct a digital forensic analysis of Network Security in AWS platform. Specifically, you are required to conduct a digital forensic investigation and analysis of the AWS platform in an approach similar to the given base-paper. You are required to follow the methodology of the given base paper; however, you need to apply it to AWS accordingly. You are required to follow the given base paper methodology and produce comparable results and document your results in a similar format.

Formatting Should be in single column, font 12 Times New Roman, IEEE referencing format (numbered), single line spacing, left aligned and not less than 3,000 words. All figures should be focused and very sharp! Figures and tables should be used only when necessary and inclusion of irrelevant contents would be penalized! Please make sure all figures and tables are cited in- text. Obviously, your paper should not have any writing or grammar issues!

IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 4, AUGUST 2019 6487

IoT Forensics: Amazon Echo as a Use Case Shancang Li , Kim-Kwang Raymond Choo , Senior Member, IEEE, Qindong Sun ,

William J. Buchanan, and Jiuxin Cao

Abstract—Internet of Things (IoT) are increasingly common in our society, and can be found in civilian settings as well as sensitive applications, such as battlefields and national security. Given the potential of these devices to be targeted by attackers, they are a valuable source in digital forensic investigations. In addition, incriminating evidence may be stored on an IoT device (e.g., Amazon Echo in a home environment and Fitbit worn by the victim or an accused person). In comparison to IoT security and privacy literature, IoT forensics is relatively under-studied. IoT forensics is also challenging in practice, particularly due to the complexity, diversity, and heterogeneity of IoT devices and ecosystems. In this paper, we present an IoT-based forensic model that supports the identification, acquisition, analysis, and presentation of potential artifacts of forensic interest from IoT devices and the underpinning infrastructure. Specifically, we use the popular Amazon Echo as a use case to demonstrate how our proposed model can be used to guide forensics analysis of IoT devices.

Index Terms—Amazon Echo forensics, digital forensics, Internet of Things (IoT), IoT forensic model, IoT forensics.

I. INTRODUCTION

IN AN Internet of Things (IoT) setting, the number of smart devices connected to the Internet can range from a few to

billions. Such devices are often able to sense their environ- ment (e.g., temperature, humidity, and wind speed), as well as interconnecting and communicating with each other [1]–[3]. According to Juniper research [4], more than 20.4 billion smart devices will be connected to IoT by the year 2020, generating approximately £134 billion annually by 2022 for the IoT cyber security industry. This is telling of the IoT trend in our society, which is also evident by IoT being extended to sectors, such

Manuscript received July 24, 2018; revised November 21, 2018 and February 13, 2019; accepted March 10, 2019. Date of publication March 22, 2019; date of current version July 31, 2019. This work was supported in part by the National Natural Science Foundation under Grant 61571360, in part by the Shaanxi Science and Technology Co-Ordination and Innovation Project under Grant 2016KTZDGY05-09, and in part by the Innovation Project of Shaanxi Provincial Department of Education under Grant 17JF023. (Corresponding author: Shancang Li.)

S. Li is with the School of Computer Science, Xi’an University of Technology, Xi’an 710048, China, and also with the Department of Computer Science and Creative Technologies, University of the West of England, Bristol BS16 1QY, U.K. (e-mail: [email protected]).

K.-K. R. Choo is with the Department of Information Systems and Cyber Security, University of Texas at San Antonio, San Antonio, TX 78249 USA (e-mail: [email protected]).

Q. Sun is with the School of Computer Science and Engineering, Xi’an University of Technology, Xi’an 710048, China (e-mail: [email protected]).

W. J. Buchanan is with the School of Computing, Edinburgh Napier University, Edinburgh EH10 5DT, U.K. (e-mail: [email protected]).

J. Cao is with the School of Computer Science and Engineering, Southeast University, Nanjing 211189, China (e-mail: [email protected]).

Digital Object Identifier 10.1109/JIOT.2019.2906946

as battlefields and military (e.g., Internet of Battlefield Things and Internet of Military Things).1

In 2017, it was reported that users of Bose headphones were being spied upon without their consent [5]. Specifically, a plaintiff filed a complaint against Bose for their Bose con- nect application, which allegedly collected data on the music and audio books their users listened to, and sent the col- lected information to a third-party data miner (Segment.io). In the same year, Vizio [6], a Smart TV manufacturer, was also allegedly monitoring over 11 million smart TVs, where user data were being sent to other third parties without user consent [6]. Specifically, it was alleged that the manufac- turer monitored the pixels displayed on the TV screen and matched these to movies stored on a database. This technique is known as automatic content recognition (ACR). Vizio was subsequently fined a total of $2.2 Million by the U.S. Federal Trade Commission, and was also ordered not to track their users [6]. In addition, the organization was ordered to delete all their existing data relating to this incident (e.g., near-by access point details, postal codes, and the Internet protocol address (IP address) of the local network, and implement a privacy policy [7].

In general, an IoT system consists of a (large) number of IoT devices, IoT infrastructures, services and applications, and interface to other applications or services, which can be organized into four layers as shown in Fig. 1 [8].

1) Sensing layer, which includes sensing devices to sense and acquire information, such as smart sensors, radio- frequency identification (RFID), and client components of IoT.

2) Network layer, which is the infrastructure to support connectivity to Internet and other devices.

3) Service layer, which provides and manages services to users or other applications.

4) Application-interface layer, which provides interface to users or other services.

It can be expected that the increasing popularity and perva- siveness of IoT devices will make such devices more attractive to attackers, seeking to compromise our systems or exfiltrate our data, and gain a competitive advantage. In other words, any IoT device such as a 3-D printer, a smart switch, or a smart bulb in a smart home environment can potentially be compro- mised to gain access to the smart devices or the user’s personal data [1], [3], [9], [10]. In 2016, for example, distributed denial of service (DDoS) attacks targeting the domain name system

1[Online]. Available: https://www.arl.army.mil/www/default.cfm?page=3050 (last accessed February 12, 2019)

2327-4662 c© 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.

6488 IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 4, AUGUST 2019

Fig. 1. General IoT architecture.

(DNS) provider, Dyn, was carried out by a botnet comprising a large number of 2.5 million compromised IoT devices (e.g., IP camera, smart printers, and home WiFi gateway) [2], [11]. In the past two years, a large number of vulnerability scans tar- geting IoT devices have also been reported. For example in a recent study Pour et al. [12] examined more than 1 TB of pas- sive measurement data collected from a/8 network telescope (of IoT devices), in correlation with 400 GB of information from the Shodan service. Based on their findings, the authors were able to classify the “inferred IoT devices based on their hosting sector type (financial, education, manufacturing, etc.) and most abused IoT manufacturers” [13]. They also identi- fied more than 120 000 Internet-scale exploited IoT devices, including in critical infrastructure sectors, as well as inferring “140 large-scale IoT-centric probing campaigns; a sample of which includes a worldwide distributed campaign where close to 40% of its population includes video surveillance cam- eras from Dahua, and another very large inferred coordinated campaign consisting of more than 50 000 IoT devices.” These findings echoed findings such as those of [14], in the sense that a large number of today’s IoT devices are insecure. This is not surprising due to the challenges in designing efficient security and privacy solutions. In other words, security and pri- vacy solutions designed for IoT devices will have to take into consideration the interoperability and complex ecosystems, as well as the computational limitations in IoT devices.

Hence, IoT devices are likely to be sources of evidence in a cyber security investigation (e.g., investigation of a DDoS attack) [15]. Unlike conventional digital forensics (e.g., mobile device forensics), the diversity in IoT devices (e.g., 3-D print- ers, roadside units in a smart transportation system, smart healthcare devices in a hospital, and smart military uniforms), and the different evidence and privacy regulations compound the challenges of such investigations [16]. Some of these challenges are as follows.

1) Identification: Identification of potential evidence in IoT environment can be challenging, particularly if the inves- tigators are not familiar with the types of IoT devices present as well as the underpinning infrastructure.

2) Preservation: Once the potential source of evidence is identified, then the question is how can we acquire

and preserve the evidence from the IoT devices, com- panion application, IoT services, networks in the IoT infrastructure, and so on, in a forensically sound manner.

3) Analysis: Depending on the format that the evidence is acquired, analysis of the acquired evidence may be challenging. We also have to ensure that the analy- sis takes into consideration data provenance and the interaction between IoT and cloud servers that facilitate the aggregation and processing of data from the IoT.

The following major contributions are presented in this paper.

1) We propose an IoT-based forensic analysis model, which supports the identification, acquisition, analysis, and presentation of potential artifacts of forensic interest from IoT devices and the underpinning infrastructure.

2) We address IoT devices forensic investigation processes from the forensic perspective, in which each IoT devices are expected to provide important forensic artifacts.

3) We analyze forensic artifacts retrieved from the popular Amazon Echo as a use case to demonstrate how our proposed model can be used to guide forensics analysis of IoT devices.

In this paper, we present an IoT forensic model (see Section III) and demonstrate how it can be used to guide the investigation of IoT devices, using Amazon Echo as a case study in Section IV. In the next section, we will briefly discuss related literature.

II. RELATED LITERATURE

In recent years, IoT forensic has attracted attention from the forensic community [17]–[20], for example in wearable devices [21], smart vehicles [22], smart home devices [23], and so on. Approaches may vary between the nature and type of digital forensic investigation. For example, at the IoT network layer, network forensics tools or methods are gen- erally applied. We refer interested readers to the work of Caviglione et al. [24], who reviewed popular digital tech- niques in network forensics, reverse engineering, and so on, as well as the prevalent data storage formats and files systems. Key challenges were also briefly discussed. In another related

Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.

LI et al.: IoT FORENSICS: AMAZON ECHO AS USE CASE 6489

work Copos et al. [18] categorized IoT forensics into three zones: 1) IoT zone; 2) network zone; and 3) cloud zone, where each zone consists of different areas and forensics analysis activities.

Oriwoh and Sant [25] presented an automated forensic management system (FEMS) that was designed to collect data from a three-layered architecture, namely: perception, network, and application layers. However, in dynamic IoT networks, it is difficult for FEMS to investigate all states of the IoT devices. Zawoad and Hasan [14] proposed a forensic-aware IoT (FAIoT) model, which allows the col- lected evidence to be stored in a secure evidence repository server. Arias et al. [19] described the methods to investigate the device’s hardware and the relevant system (e.g., operating system, boot loader, remote installation, and communication system). In addition, a detailed security measurement for IoT devices was provided. In [26], a general IoT forensics frame- work was proposed, comprising a forensic state acquisition (FSAIoT), and a centralized forensic state acquisition (FSAC) to classify the evidence acquisition of IoT devices into three modes (i.e., controller to IoT devices, controller to cloud, and controller to controller) [27].

There have also been research efforts in smart home devices and the forensic of such devices. For example, Amazon Echo is increasingly used as the voice controller hub of smart sensors and devices, which plays a centric role in bridging differ- ent smart home devices and the Amazon cloud server. The Amazon Echo is activated by wake words like “Alexa,” but must also constantly listen for the wake-up command, and clearly this is a potential evidence source [20], [23], [28]. For example, Chung et al. [29] explained how companion clients (i.e., devices used to send and capture commands and responses from intelligent home assistants, such as Alexa) can also be a source of evidence.

A number of device fingerprinting techniques have also been developed, which can be used for the investigation of IoT devices. For example, sensor pattern noise (SPN) can be used to identify the source device that has acquired a digital image or video, and this is relevant for the investigation of IoT devices that have a image or video acquisition capability (e.g., unmanned aerial vehicles). In SPN-based image foren- sic analysis, as the most dominant part of SPN the photograph response nonuniformity (PRNU) noise can be extracted from an image to build image fingerprint and camera fingerprint, which has been widely used in image origin identification and image forgery detection. Flicker forensics can also allow an investigator to identify an IoT device by analyzing the flicker signal and associate the parameters with some internal characteristics of the particular device [30].

In the next section, we will address our IoT forensic model.

III. PROPOSED IOT FORENSIC MODEL

When we conduct an IoT forensic investigation, we have to consider the sources of evidence other than the actual IoT devices, for example, the sensing, network, service, and interface layers (see Fig. 1).

Fig. 2. Proposed IoT forensic model.

Similar to conventional digital forensics, IoT forensics mainly consists of the following four stages: 1) identification; 2) preservation; 3) analysis; and 4) presentation [31].

1) In the identification stage, the focus should be on IoT devices (e.g., sensors and intelligent home assistants such as Amazon Echo), and any related infrastructure (e.g., routers).

2) In the preservation stage, we may require special- ized/customized tools to acquire data from (proprietary) hardware and applications.

3) In the analysis stage, customized forensic tools may be required to analyze data from certain devices, other than the typical commercial forensic tools (e.g., EnCase and FTK). Both EnCase and FTK are commonly used foren- sics tools that can be used in digital security, security investigation, and e-discovery.

4) In the presentation stage, forensic investigators will need to detail the findings and be able to articulate the anal- ysis, findings and their implications in a court of law. Meanwhile, the evidence items should be presented with their original format.

Building on the typical four-stage digital forensic process, we present an IoT forensic model (see Fig. 2). Specifically, our model starts from an offense classification stage, where the roles of IoT are classified into IoT as a target, IoT as a tool, and IoT as a witness. Then, each related device and the companion apps are examined using the above four-stage process. In addition, all acquired forensic artifacts are stored in an encrypted evidence repository.

A. Offense Classification

Due to the diversity of devices and heterogeneity of networks in an IoT setting, it can be challenging to identify

Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.

6490 IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 4, AUGUST 2019

Fig. 3. IoT device identification procedure.

all sources of evidence and collect all relevant forensic arti- facts in a timely fashion, especially if third parties or remote servers (e.g., websites and cloud servers) are involved. First, to effectively identify the devices for an investigation, it is impor- tant to consider the nature of the offense (e.g., a serious and organized crime type will generally mean that more resources should be spent on the case), data acquisition methods, and relevant laws (e.g., what are the elements of proof) and reg- ulations. In general, the IoT-related crimes can be group into three classes [32].

1) IoT device as a target (e.g., cyberattacks where vul- nerabilities in IoT devices are exploited). IoT devices, particularly inexpensive devices, are likely to be resource limited in terms of computation capabilities, storage space, and power supply. Thus, it is challenging, or impractical, to install security solutions/packages on such devices, which make them an easy target for cyber attacks.

2) IoT device as a tool, IoT devices can be used by forensic investigators as tools to identify, collect, analyze, or even present evidences in digital investigation. For example, a compromised IoT device is been used to facilitate other malicious activities such as a botnet attack.

3) IoT device as a witness (e.g., data stored in the IoT device can directly implicate an individual accused of a crime), in which IoT devices are able to identify, collect, and preserve evidential data for forensic inves- tigation. One prominent example involved the Amazon Echo, where an Arkansas man was accused of killing his friend. The prosecutor then sought recordings from the defendant’s Amazon Echo to be used as evidence [33]. IoT as a witness will likely happen again in the future frequently because IoT devices are now an integral part of our daily life.

Fig. 3 shows the workflow of IoT device identification, in which an IoT device will be examined using the appropriate approach.

B. IoT Device Identification

In this stage, we seek to answer the following questions. 1) What was/were available at the event/crime scene or a

remote site?

Fig. 4. IoT device identification.

2) Who and what was/were there when the event/crime occurred?

3) What are the constraints in collecting the required evidence?

4) What is the minimum set of evidence required to support the elements of proof for this specific offense?

A six-step IoT device identification method is presented in Fig. 4.

1) Define device space, to identify the devices relating to the specific case.

2) Establish the device lifecycle, to identify the time span for the device examination.

3) Establish access, to identify the accessibility of the devices, including confidentiality, authentication, autho- rization, and so on.

4) Define data categories, to define the data category that the device can provide.

5) Network access control, to identify the connectivity of the networks relating to the device and isolate the device from the connections.

6) Identify the access to devices, this stage summarizes previous steps and establish the availability of the device for investigators.

Despite the diversity of IoT device manufacturers, IoT devices share some similar features and capability. In gen- eral, an IoT device consists of a processer or micro-controller, read-only memory (ROM), random access memory (RAM), communication module (Bluetooth, wireless, ZigBee, etc.), and data input/output interfaces. To record the collected or generated data, an IoT device may be equipped with built-in secure digital (SD) memory to support removable memory. Software features of an IoT device include operating systems (some simple IoT devices may only run very simple code

Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.

LI et al.: IoT FORENSICS: AMAZON ECHO AS USE CASE 6491

TABLE I EXAMPLE OF HARDWARE CHARACTERIZATION FOR IOT DEVICES

TABLE II EXAMPLE OF SOFTWARE CHARACTERIZATION FOR IOT DEVICES

without an operating system), middleware, file system, and applications. Many IoT devices do not have a specific file system and in this case, the investigator may need undertake further research, for example how to leverage the application software development kit (SDK) to obtain more information.

Conventional digital forensic tools, such as DD, EnCase, FTK Imager, and SIFT, may also be useful in some cases. In IoT forensics, the data extraction tools/methods can be classified into five levels, namely: manual, logical, hex dump- ing/JTAG, chip-off, and micro-read [34]. For IoT devices that are not supported by existing forensic tools, the investiga- tor could also consider seeking the cooperation of the device owner, reviewing seized material, seeking the assistance of the service provider (e.g., Amazon in the case of Amazon Echo), and so on.

C. Evidence Preservation

Tables I and II show the potential avenues for data preser- vation, and in this paper, we will focus on memory forensics. Specifically, we will focus on: 1) extracting data from the memory of a target IoT device and 2) analyzing the physical memory data (from RAM), page file (or SWAP space) data, etc. Swap space denotes areas on disk used for interchanging contents between main RAM and secondary memory, in Linux swap is an actual disk partition and in windows machine, the swap space is a pagefile. In digital forensics, Swap file is a rich source of key evidence items, including passwords, sensitive data, encryption keys, etc.

Live memory evidence extraction is another major issue in IoT forensic preservation. In resource-constrained IoT devices (e.g., limited computation, storage, energy supply, etc.), volatile memory extraction can often be conducted to extract key evidence stored in the RAM or an ongoing communication session [35]. A number of memory acquisi- tion tools have been developed in the literature, such as the Android-based memory subsystem (ashmem) [36], Android low memory killer [37], and memory grab [38].

However, there are still challenges in live memory acquisi- tion. For example, the memory protect unit (MPU) technology only allows specific instructions or code to access the memory. This prevents the forensic investigator from accessing the memory. In addition, anti-forensics (AF) techniques, including activities to overwrite data and metadata compound the chal- lenges of memory acquisition. For example, TimeStomp2 can be used to overwrite NTFS create, modify, access, and change timestamps [39].

Also, while a number of tools have been developed for live memory acquisition from computers and laptops (e.g., Winen, dd, dumpit.exe, winhex, nigilant32, memoryze, and readline), there are limited tools designed for IoT devices.

D. IoT Forensic Analysis and Presentation

IoT forensic analysis can be scenario- and device-specific, since IoT systems can have different configurations and set- tings. For example, in a smart home system as shown in Fig. 5, the devices involved may differ from an Industry IoT (IIoT) systems. The general approach can include attempts to recon- struct the IoT crime/event scenes. The findings of the analysis also need to be documented and presented, for example to the jury, prosecutors, and judges.

IV. AMAZON ECHO (PI) FORENSICS

Amazon Echo is a popular intelligent home assistant or “smart home” IoT hub, which takes voice commands from the users to control itself and other connected IoT devices/sensors (e.g., smart lights, smart kettles, smart locks, smart ther- mostats, and smart doors) [40]. Using the voice recognition technology (i.e., Alexa in the case of Amazon Echo), users can interact with the connected IoT devices using their voice. Clearly, the devices require some sort of Internet connection (e.g., WiFi) [20].

In a prior work involving the analysis of Amazon Echo [29], it was reported that the user’s history data and interactions with Alexa are stored in the SQLite database and Web cache files. The authors analyzed two Amazon Echo Dots, with Android 4.4.2 + Alexa app, iOS 10.1.1 + Alexa app, OS X 10.10.5 + Chrome, and Windows 10 + Chrome. For the network analysis, it was determined that most of the communications were encrypted and the JSON format was used for pass- ing parameters. The authors’ analysis of the communications revealed undocumented API calls to RESTful Web services. In other words, there are seven categories of data on the device, namely: account, customer setting, Alexa-associated devices,

2[Online]. Available: https://www.offensive-security.com/metasploit- unleashed/timestomp/ (last accessed June 20, 2018)

Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.

6492 IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 4, AUGUST 2019

Fig. 5. General IoT forensic analysis.

TABLE III LOCATION OF CLIENT ARTIFACTS [29]

Fig. 6. Alexa Pi firmware images created using EnCase 7.0.

skills and behaviors of user, user activity, etc. The researchers found that most of the data contain UNIX timestamps, which could be used to create timeline of activities within an investi- gation [29]. Within this applications, the utterance API could be used to download voice files [41].

The location of the client artifacts depends on the access method being used, such as for SQLite databases on iOS and Android, and within Chrome caches for OS X and Windows 10. A summary of these locations is presented in Table III.

On Android device, the SQLite files are contained in map_data_storage.db (token information for the current user, and is deleted when the user signs out) and DataStore.db. For iOS device, there is a single file named LocalData.sqlite. While the Android analysis was fairly easy, the iTunes backup protocol had to be used in iOS analysis. The chrome access data was found stored in the data-block-files, which could be possible to rebuild Alexa-related caches into the first HTTP headers, and cached data. This could be useful for determin- ing user behaviors as the stored things (e.g., user clicks) can lead to calls to Alexa APIs [41], [42].

In IoT forensics, analyzing embedded files and data with firmware images is an effective way. By connecting the uni- versal asynchronous receiver/transmitter (UART) port in Echo, the boot debug messages can be output to a terminal. In our

research, we determine that Echo uses u-boot as its boot loader, which is a popular open source bootloader and a num- ber of commands/tools can be used to extract information in the firmware. In this paper, we use the Alexa Pi to build an Echo over Raspberry Pi Version B, which uses similar firmware with Amazon Echo. In our experiment, we analyze the Alexa Pi over Ubuntu (16.04), the companion app installed on an iPad 4 (iOS 12), and the Alexa voice server (AVS).

We first use u-boot to output the firmware in Alexa Pi, which results in three EnCase images (see Fig. 6).

A. Data Type

We then analyze the data type created, transmitted, pro- cessed, and stored on the IoT devices. For an Amazon Echo and the AVS service, we determine that the following (see also Fig. 7).

1) Device related data include device name, device group, serial number, hardware data, timezone, region, etc.

2) Connectivity includes connection address, WiFi: Gateway IP, IP, media access control address (MAC address), Server address, Bluetooth address, etc.

3) User data include data related to the IoT device, such as username/password, language, calenders, and email.

Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.

LI et al.: IoT FORENSICS: AMAZON ECHO AS USE CASE 6493

Fig. 7. Data type related to Amazon Echo.

Fig. 8. Data extracted from the companion app (partially).

4) Application data include Host name, Client version, ProductID, ClientID, ClientSecret, Device Reg name, Bearer token, registered user, etc.

5) Other data include communication data, specific proto- col type, etc.

B. Alexa Pi Data Acquisition

Data acquired from the companion app include device related information, account, and network, as shown in Fig. 8. For each IoT device, more detailed data can be extracted using both logical and physical methods, including device name, WiFi, device register, serial number, and MAC address. In addition, information such as language and location can also be extracted directly after further analyzing the app.

The bootloader’s command line interface allows raw access to part of the memory areas and Flash integrated circuit (IC). When processing the bootloader message via the UART port, an investigator can obtain the location of the kernel image and scout the firmware by using the u-boot command-line interface (CLI). In further examination of the file system in the firmware, Debian system information can also extracted as shown in Fig. 9.

We use Zenmap to locate the IP address as: 192.168.0.10 and MAC address AC:63:BE:78:98:D6 of an Echo via a ping scan. In more complex investigations, we can also use port pings to find all ports open on the devices. By checking the IP address and MAC address, the

Fig. 9. Alexa Pi firmware file system.

Fig. 10. Alexa Pi configuration for AVS.

investigator can identify other IoT devices that need to be examined.

Through the UART, we can dump the firmware to an image file. In this investigation, it is very difficult to solder the UART to the USB ports. Fortunately, in [44], an Echo image is pro- vided that can be loaded via a Raspberry Pi, which works fine as an Echo device. We investigate the images on the Raspberry Pi, which contains the information that an Echo has.

Some information to identify the device can be found by investigating the firmware. Amazon requires each Amazon

Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.

6494 IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 4, AUGUST 2019

Fig. 11. Firmware analysis using autopsy.

Echo device to provide the productID (also known as Device Type ID), ClientID, and ClientSecret in order to use AVS, as shown in Fig. 10. The Echo firmware con- tains several files within the root folder, for example in the automated_install.sh file.

C. Examination and Analysis

The two devices’ information are shown in Fig. 12. For each device, information such as device name, wireless con- nections, device register, serial number, and MAC address are located and analyzed. For example, the Setting sec- tion stored within the Alexa app contains information that can be used to identify the IoT device. In other words, the investigator can extract the device name, the Wi-Fi that the IoT device had previously connected to, Bluetooth connection information, and paired device. The “device is registered to” information may also be used to identify the owner of the Echo, for example in collaboration with Amazon. Meanwhile both serial number and MAC address can be used to identify the Echo and other connected devices.

Echo uses an address set in the Alexa companion app, where the location information is used to provide weather forecasting and location-based services. Analysis of location information acquired from companion devices (e.g., Google Maps, Find your device, and weather) can also be corroborated with other analysis.

The location data extracted from settings shows the where- abouts of the user. It also provides the geolocation data (e.g., address and postcode) that the user was searching for. However, during the analysis, the investigator also needs to check the history to get more context of the search request.

Amazon Echo is also capable of storing private conver- sations in the home, or other nonverbal indications that can identify who is present in the home (e.g., based on audible cues). However, in this stage we are only able to identify the recordings streamed by Echo from the user’s home activated by the wake words. The text-transferred recordings are stored on both Amazon Alexa Server and Alexa companion app.

The device time zone is key to identifying data with an associated timestamp. In our further examination of the firmware, the device time zone can be used to validate the access/modify/creation time of files like .wavtemp. The wake word and language are also key to analyzing the history. Since the default wake word is Alexa, the investigator can also find the user-defined wake word, if any.

When examining the companion app and the firmware, we also located 5163 audio files (e.g., stop.mp3 and error.mp3), which can indicate the last operating time of the device (see Fig. 11).

Fig. 11 also shows the keyword search results. In this exam- ple, keywords such as Amazon, Echo, and MAC were used and 288, 206, and 144 results were found, respectively. There are also 1584 potential email addresses located, which may contain the user accounts or potential passwords for logging to the AVS. In fact, we locate the login id with the correspond- ing password that can be used to login to the AVS, as shown in Fig. 12. To further analyze the services that Echo provides, network forensics tools can be used to scan the open ports and potential services. In our examination, we use Zenmap with command {nmap -T4 -A -v 192.168.0.10} to scan the ports. We note that ports 80, 5200, 515, 427, 10001, 631, and 9100 are open. These open ports can be useful in analyzing the connection behaviors of Echo and

Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.

LI et al.: IoT FORENSICS: AMAZON ECHO AS USE CASE 6495

Fig. 12. AVS website logged using the found login id and PWD from firmware.

Fig. 13. Unrecognized services found in the images.

can be used to trace the behaviors of the user. Using com- mand {nmap -sV -T4 -F 192.168.0.10}, we found the services provided by Echo, including http, svrloc, printer, ipp, jetdirect, et al. Two additional services were also found using service fingerprints. One of the findings is shown in Fig. 13.

Findings from the analysis of different devices, etc., are then pieced together.

V. CONCLUSION

IoT forensics will be increasingly important, as more devices around us are connected to the Internet or some form of networks (e.g., a private home or office network). In other words, evidence can be collected from IoT devices, internal network, applications, some external (cloud) server, and/or other components of the IoT ecosystem. This complicates the

challenge in the timely identification of potential evidential sources and acquisition of evidence. Thus, in this paper, we presented an IoT forensic analysis model and demonstrated how it can be used to guide the investigation of an Amazon Echo.

We also identified a number of potential research opportu- nities in IoT forensics, such as the following.

1) Timely identification of potential evidential sources and acquisition of evidence (as discussed above).

2) The data type/format and its lifespan may vary between different IoT devices and systems, and the dynamic nature of some IoT devices and systems may necessitate live forensics. Hence, we have to ensure that the tools and processed used in the acquisition of such data are forensically sound.

3) As IoT applications may be delivered as services in the cloud platform, evidence can be distributed across different cloud servers that are probably in a foreign jurisdiction. Hence, there is a need to design appropri- ate tools that could facilitate (remote) data acquisition, as well as working with policy makers to draft legisla- tion to facilitate such remote data acquisition to ensure evidence admissibility.

4) We also need to design tools or techniques that allow us to address the large storage requirement associated with the search space.

5) We need to keep pace with emerging and new IoT devices and other components in the IoT ecosystem, for example in terms of our forensic capabilities and to overcome anti-forensic measures.

6) The need to design forensically friendly/ready IoT systems (a concept coined as forensic-by-design in [43] and [45]–[49]), in order to facilitate the iden- tification and secure storage of data of forensic interest that will be made available for a forensic investigation.

Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.

6496 IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 4, AUGUST 2019

REFERENCES

[1] S. Li and L. Da Xu, “Security in enabling technologies,” in Securing the Internet of Things. Cambridge, MA, USA: Syngress, 2017, pp. 23–109.

[2] M. Mangia, F. Pareschi, R. Rovatti, and G. Setti, “Low-cost secu- rity of IoT sensor nodes with rakeness-based compressed sensing: Statistical and known-plaintext attacks,” IEEE Trans. Inf. Forensics Security, vol. 13, no. 2, pp. 327–340, Feb. 2018.

[3] J. Pawlick and Q. Zhu, “Strategic trust in cloud-enabled cyber-physical systems with an application to glucose control,” IEEE Trans. Inf. Forensics Security, vol. 12, no. 12, pp. 2906–2919, Dec. 2017.

[4] A. Nieto, R. Roman, and J. Lopez, “Digital witness: Safeguarding digital evidence by using secure architectures in personal devices,” IEEE Netw., vol. 30, no. 6, pp. 34–41, Nov./Dec. 2016.

[5] H. Tsukayama. (2017). Bose Headphones Have Been Spying on Customers, Lawsuit Claims. [Online]. Available: https:// www.smh.com.au/technology/bose-20170420-gvo8pq.html

[6] J. Kastrenakes. (2017). Most Smart TVS Are Tracking You—Vizio Just Got Caught. [Online]. Available: https://www.theverge.com/ 2017/2/7/14527360/vizio-smart-tv-tracking-settlement-disable-settings

[7] Y. Ma, Y. Wu, J. Li, and J. Ge, “APCN: A scalable archi- tecture for balancing accountability and privacy in large-scale content-based networks,” Inf. Sci., Jan. 2019. [Online]. Available: https://doi.org/10.1016/j.ins.2019.01.054

[8] L. Da Xu, W. He, and S. Li, “Internet of Things in industries: A survey,” IEEE Trans. Ind. Informat., vol. 10, no. 4, pp. 2233–2243, Nov. 2014.

[9] Q. Do, B. Martini, and K.-K. R. Choo, “Cyber-physical systems information gathering: A smart home case study,” Comput. Netw., vol. 138, pp. 1–12, Jun. 2018.

[10] Q. Do, B. Martini, and K.-K. R. Choo, “A data exfiltration and remote exploitation attack on consumer 3D printers,” IEEE Trans. Inf. Forensics Security, vol. 11, no. 10, pp. 2174–2186, Oct. 2016.

[11] K. P. Trommler. (2018). Know Your Enemy: What Happens Behind the Scenes in a DDoS Attack. [Online]. Available: https://blog.paessler.com/types-of-ddos-attacks

[12] M. S. Pour et al., “Comprehending the IoT cyber threat landscape: A data dimensionality reduction technique to infer and characterize Internet-scale IoT probing campaigns,” in Proc. Digit. Invest., 2019.

[13] S. Li, S. Zhao, Y. Yuan, Q. Sun, and K. Zhang, “Dynamic secu- rity risk evaluation via hybrid Bayesian risk graph in cyber-physical social systems,” IEEE Trans. Comput. Social Syst., vol. 5, no. 4, pp. 1133–1141, Dec. 2018.

[14] S. Zawoad and R. Hasan, “FAIoT: Towards building a forensics aware eco system for the Internet of Things,” in Proc. IEEE Int. Conf. Services Comput., Jun. 2015, pp. 279–284.

[15] S. Alabdulsalam, K. Schaefer, M. T. Kechadi, and N. Le-Khac, “Internet of Things forensics: Challenges and case study,” CoRR, vol. abs/1801.10391, 2018. [Online]. Available: http://arxiv.org/abs/1801.10391

[16] A. MacDermott, T. Baker, and Q. Shi, “IoT forensics: Challenges for the IoA era,” in Proc. 9th IFIP Int. Conf. New Technol. Mobility Security (NTMS), Feb. 2018, pp. 1–5.

[17] E. Oriwoh, D. Jazani, G. Epiphaniou, and P. Sant, “Internet of Things forensics: Challenges and approaches,” in Proc. 9th Int. Conf. Collaborative Comput. Netw. Appl. Worksharing (Collaboratecom), 2013, pp. 608–615.

[18] B. Copos, K. Levitt, M. Bishop, and J. Rowe, “Is anybody home? Inferring activity from smart home network traffic,” in Proc. IEEE Security Privacy Workshops (SPW), San Jose, CA, USA, 2016, pp. 245–251.

[19] O. Arias, J. Wurm, K. Hoang, and Y. Jin, “Privacy and security in Internet of Things and wearable devices,” IEEE Trans. Multi-Scale Comput. Syst., vol. 1, no. 2, pp. 99–109, Apr./Jun. 2015.

[20] W. W. Gibbs, “Build your own Amazon Echo—Turn a PI into a voice controlled gadget,” IEEE Spectr., vol. 54, no. 5, pp. 20–21, May 2017.

[21] Q. Do, B. Martini, and K.-K. R. Choo, “Is the data on your wearable device secure? An Android Wear smartwatch case study,” Softw. Pract. Exp., vol. 47, no. 3, pp. 391–403, 2017.

[22] N.-A. Le-Khac, D. Jacobs, J. Nijhoff, K. Bertens, and K.-K. R. Choo, “Smart vehicle forensics: Challenges and case study,” Future Gener. Comput. Syst., Jun. 2018. [Online]. Available: https://doi.org/10.1016/j.future.2018.05.081

[23] A. Goudbeek, K.-K. R. Choo, and N.-A. Le-Khac, “A forensic investi- gation framework for smart home environment,” in Proc. 17th IEEE Int. Conf. Trust Security Privacy Comput. Commun. (TrustCom), New York, NY, USA, 2018, pp. 1446–1451.

[24] L. Caviglione, S. Wendzel, and W. Mazurczyk, “The future of digi- tal forensics: Challenges and the road ahead,” IEEE Security Privacy, vol. 15, no. 6, pp. 12–17, Nov./Dec. 2017.

[25] E. Oriwoh and P. Sant, “The forensics edge management system: A concept and design,” in Proc. IEEE 10th Int. Conf. Ubiquitous Intell. Comput. IEEE 10th Int. Conf. Auton. Trusted Comput., Dec. 2013, pp. 544–550.

[26] C. Meffert, D. Clark, I. Baggili, and F. Breitinger, “Forensic state acquisition from Internet of Things (FSAIoT): A general frame- work and practical approach for IoT forensics through IoT device state acquisition,” in Proc. 12th Int. Conf. Avail. Rel. Security, 2017, p. 56.

[27] A. Nieto, R. Rios, and J. Lopez, “IoT-forensics meets privacy: Towards cooperative digital investigations,” Sensors, vol. 18, no. 2, p. 492, 2018.

[28] N. Chavez. (2017). Arkansas Judge Drops Murder Charge in Amazon Echo Case. [Online]. Available: https://edition.cnn.com/2017/ 11/30/us/amazon-echo-arkansas-murder-case-dismissed/index.html

[29] H. Chung, J. Park, and S. Lee, “Digital forensic approaches for Amazon Alexa ecosystem,” Digit. Invest., vol. 22, pp. S15–S25, Aug. 2017. [Online]. Available: http://www.sciencedirect.com/ science/article/pii/S1742287617301974

[30] Cyber Security Community. (2017). What Is IoT Forensics and How Is It Different From Digital Forensics? [Online]. Available: https://securitycommunity.tcs.com/infosecsoapbox/articles/ 2018/02/27/what-iot-forensics-and-how-it-different-digital-forensics

[31] R. C. Hegarty, D. J. Lamb, and A. Attwood, “Digital evidence challenges in the Internet of Things,” in Proc. INC, 2014, pp. 163–172.

[32] U. Salama. (2017). Investigating IoT Crime in the Age of Connected Devices. [Online]. Available: https://securityintelligence.com/ investigating-iot-crime-in-the-age-of-connected-devices/

[33] E. C. McLaughlin. (2017). Suspect OKs Amazon to Hand Over Echo Recordings in Murder Case. [Online]. Available: https://edition.cnn.com/2017/03/07/tech/amazon-echo-alexa-bentonville- arkansas-murder-case/index.html

[34] R. Ayers, S. Brothers, and B. W. Jansen, Guidelines on Mobile Device Forensics, document SP 800-101, NIST, Gaithersburg, MD, USA, 2014.

[35] V. L. L. Thing, K.-Y. Ng, and E.-C. Chang, “Live memory forensics of mobile phones,” Digit. Invest., vol. 7, pp. S74–S82, Aug. 2010.

[36] S. Smalley, “The case for SE Android,” in Proc. Linux Security Summit, 2011, pp. 1–10.

[37] H. T. Al-Rayes, “Studying main differences between Android & Linux operating systems,” Int. J. Elect. Comput. Sci., vol. 12, no. 5, p. p46, 2012.

[38] H. Altuwaijri and S. Ghouzali, “Android data storage security: A review,” J. King Saud Univ. Comput. Inf. Sci., 2018. [Online]. Available: https://doi.org/10.1016/j.jksuci.2018.07.004

[39] D. Kirkpatrick. (2017). Gartner: Global Wearables Sales to Grow 17 Percent This Year. [Online]. Available: https://www.marketingdive.com/news/gartner-global-wearables-sales-to- grow-17-this-year/503480/

[40] S. Li, L. Da Xu, and S. Zhao, “5G Internet of Things: A survey,” J. Ind. Inf. Integr., vol. 10, pp. 1–9, Jun. 2018.

[41] B. Buchanan. (2017). The New Digital Investigator: Interrogating Alexa. [Online]. Available: https://www.linkedin.com/pulse/new-digitial- investigator-interogating-alexa-buchanan-obe-phd-fbcs/

[42] S. Li, G. Oikonomou, T. Tryfonas, T. M. Chen, and L. D. Xu, “A distributed consensus algorithm for decision making in service- oriented Internet of Things,” IEEE Trans. Ind. Informat., vol. 10, no. 2, pp. 1461–1468, May 2014.

[43] W. Miao et al., “Stochastic performance analysis of network function virtualization in future Internet,” IEEE J. Sel. Areas Commun., vol. 37, no. 3, pp. 613–626, Mar. 2019.

[44] G. Bourne. (2016). I Built My Own Amazon Echo With a Raspberry Pi: Alexaberry. [Online]. Available: https://dzone.com/articles/i-built- my-own-amazon-echo-alexa-with-a-raspberry

[45] N. H. A. Rahman, W. B. Glisson, Y. Yang, and K.-R. Choo, “Forensic- by-design framework for cyber-physical cloud systems,” IEEE Cloud Comput., vol. 3, no. 1, pp. 50–59, Jan./Feb. 2016.

[46] N. H. A. Rahman, N. D. W. Cahyani, and K.-K. R. Choo, “Cloud inci- dent handling and forensic-by-design: Cloud storage as a case study,” Concurrency Comput. Pract. Exp., vol. 29, no. 14, pp. 1–16, 2017.

[47] G. Grispos, W. B. Glisson, and K.-K. R. Choo, “Medical cyber- physical systems development: A forensics-driven approach,” in Proc. 2nd IEEE/ACM Int. Conf. Connected Health Appl. Syst. Eng. Technol. (CHASE), Philadelphia, PA, USA, Jul. 2017, pp. 108–113.

Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.

LI et al.: IoT FORENSICS: AMAZON ECHO AS USE CASE 6497

[48] S. Li, L. D. Xu, and X. Wang, “Compressed sensing signal and data acquisition in wireless sensor networks and Internet of Things,” IEEE Trans. Ind. Informat., vol. 9, no. 4, pp. 2177–2186, Nov. 2013.

[49] S. Li et al., “Distributed consensus algorithm for events detec- tion in cyber physical systems,” IEEE Internet Things J., to be published.

Shancang Li received the B.Sc. and M.Sc. degrees in mechanics engineering and the Ph.D. degree in computer science from Xi’an Jiaotong University, Xi’an, China, in 2001, 2004, and 2008, respectively.

He is currently a Senior Lecturer with the Department of Computer Science and Creative Technologies, University of the West of England, Bristol, U.K. He has authored over 60 papers pub- lished in high profile journals and conferences. His current research interests include digital forensics for emerging technologies, cyber security, Internet

of Things (IoT) security, data privacy-preserving, IoT, blockchain technology, and the lightweight cryptography in resource constrained devices.

Dr. Li is an Associate Editor of IEEE ACCESS and the Journal of Industrial Information Integration. He is a member of the British Computer Society.

Kim-Kwang Raymond Choo (SM’15) received the Ph.D. degree in information security from the Queensland University of Technology, Brisbane, QLD, Australia, in 2006.

He currently holds the Cloud Technology Endowed Professorship with the University of Texas at San Antonio (UTSA), San Antonio, TX, USA.

Dr. Choo was named the Cybersecurity Educator of the Year APAC (Cybersecurity Excellence Awards are produced in cooperation with the Information Security Community on LinkedIn) in 2016, and

in 2015, he and his team won the Digital Forensics Research Challenge orga- nized by Germany’s University of Erlangen–Nuremberg. He was a recipient of the 2018 UTSA College of Business Col. Jean Piccione and the Lt. Col. Philip Piccione Endowed Research Award for Tenured Faculty, the IEEE TrustCom 2018 and ESORICS 2015 Best Paper Awards, the 2014 Highly Commended Award by the Australia New Zealand Policing Advisory Agency, the Fulbright Scholarship in 2009, the 2008 Australia Day Achievement Medallion, and the British Computer Society’s Wilkes Award in 2008. He is the Co-Chair of IEEE Multimedia Communications Technical Committees Digital Rights Management for Multimedia Interest Group. He is a Fellow of the Australian Computer Society.

Qindong Sun received the Ph.D. degree from the School of Electronic and Information Engineering, Xi’an Jiaotong University, Xi’an, China.

He is currently a Professor with the Department of Computer Science and Engineering, Xi’an University of Technology, Xi’an. His current research interests include network security, online social networks, digital forensics, cyber security, and Internet of Things.

Dr. Sun is a member of the China Computer Federation.

William J. Buchanan is a Professor with the School of Computing, Edinburgh Napier University, Edinburgh, U.K. He was appointed an Officer of the Order of the British Empire in the 2017 Birthday Honors for services to cyber security. One of his most recent achievements is the cre- ation of a Blockchain Identify Lab, which is one of the first of its type in the world, having sig- nificant industry funding. He currently leads the Centre for Distributed Computing, Networks, and Security, Edinburgh Napier University and the Cyber

Academy. This has led to several world-wide patents and in the highly suc- cessful spin-off companies: Zonefox and Symphonic Software. His current research interests include information sharing, Internet of Things, e-health, threat analysis, cryptography, and triage within digital forensics.

Prof. Buchanan was a recipient of the Outstanding Contribution to Knowledge Exchange of the Scottish Knowledge Exchange Awards in 2018. He is a Fellow of the BCS and IET.

Jiuxin Cao received the Ph.D. degree in com- puter science from Xi’an Jiaotong University, Xi’an, China, in 2003.

He is currently a Professor with the School of Cyber Science and Engineering, Southeast University, Nanjing, China, where he currently leads the Jiangsu Key Laboratory of Computer Networking Technology as the Director. His current research interests include cyber security, location- based services, and online social networks.

Dr. Cao is a Senior Member of the China Computer Federation.

Authorized licensed use limited to: UNIVERSITY OF SALFORD. Downloaded on September 23,2023 at 21:59:39 UTC from IEEE Xplore. Restrictions apply.

<< /ASCII85EncodePages false /AllowTransparency false /AutoPositionEPSFiles false /AutoRotatePages /None /Binding /Left /CalGrayProfile (Gray Gamma 2.2) /CalRGBProfile (sRGB IEC61966-2.1) /CalCMYKProfile (U.S. Web Coated 50SWOP51 v2) /sRGBProfile (sRGB IEC61966-2.1) /CannotEmbedFontPolicy /Warning /CompatibilityLevel 1.4 /CompressObjects /Off /CompressPages true /ConvertImagesToIndexed true /PassThroughJPEGImages true /CreateJobTicket false /DefaultRenderingIntent /Default /DetectBlends true /DetectCurves 0.0000 /ColorConversionStrategy /LeaveColorUnchanged /DoThumbnails false /EmbedAllFonts true /EmbedOpenType false /ParseICCProfilesInComments true /EmbedJobOptions true /DSCReportingLevel 0 /EmitDSCWarnings false /EndPage -1 /ImageMemory 1048576 /LockDistillerParams true /MaxSubsetPct 100 /Optimize true /OPM 0 /ParseDSCComments false /ParseDSCCommentsForDocInfo false /PreserveCopyPage true /PreserveDICMYKValues true /PreserveEPSInfo false /PreserveFlatness true /PreserveHalftoneInfo true /PreserveOPIComments false /PreserveOverprintSettings true /StartPage 1 /SubsetFonts false /TransferFunctionInfo /Remove /UCRandBGInfo /Preserve /UsePrologue false /ColorSettingsFile () /AlwaysEmbed [ true /Arial-Black /Arial-BoldItalicMT /Arial-BoldMT /Arial-ItalicMT /ArialMT /ArialNarrow /ArialNarrow-Bold /ArialNarrow-BoldItalic /ArialNarrow-Italic /ArialUnicodeMS /BookAntiqua /BookAntiqua-Bold /BookAntiqua-BoldItalic /BookAntiqua-Italic /BookmanOldStyle /BookmanOldStyle-Bold /BookmanOldStyle-BoldItalic /BookmanOldStyle-Italic /BookshelfSymbolSeven /Century /CenturyGothic /CenturyGothic-Bold /CenturyGothic-BoldItalic /CenturyGothic-Italic /CenturySchoolbook /CenturySchoolbook-Bold /CenturySchoolbook-BoldItalic /CenturySchoolbook-Italic /ComicSansMS /ComicSansMS-Bold /CourierNewPS-BoldItalicMT /CourierNewPS-BoldMT /CourierNewPS-ItalicMT /CourierNewPSMT /EstrangeloEdessa /FranklinGothic-Medium /FranklinGothic-MediumItalic /Garamond /Garamond-Bold /Garamond-Italic /Gautami /Georgia /Georgia-Bold /Georgia-BoldItalic /Georgia-Italic /Haettenschweiler /Helvetica /Helvetica-Bold /HelveticaBolditalic-BoldOblique /Helvetica-BoldOblique /Impact /Kartika /Latha /LetterGothicMT /LetterGothicMT-Bold /LetterGothicMT-BoldOblique /LetterGothicMT-Oblique /LucidaConsole /LucidaSans /LucidaSans-Demi /LucidaSans-DemiItalic /LucidaSans-Italic /LucidaSansUnicode /Mangal-Regular /MicrosoftSansSerif /MonotypeCorsiva /MSReferenceSansSerif /MSReferenceSpecialty /MVBoli /PalatinoLinotype-Bold /PalatinoLinotype-BoldItalic /PalatinoLinotype-Italic /PalatinoLinotype-Roman /Raavi /Shruti /Sylfaen /SymbolMT /Tahoma /Tahoma-Bold /Times-Bold /Times-BoldItalic /Times-Italic /TimesNewRomanMT-ExtraBold /TimesNewRomanPS-BoldItalicMT /TimesNewRomanPS-BoldMT /TimesNewRomanPS-ItalicMT /TimesNewRomanPSMT /Times-Roman /Trebuchet-BoldItalic /TrebuchetMS /TrebuchetMS-Bold /TrebuchetMS-Italic /Tunga-Regular /Verdana /Verdana-Bold /Verdana-BoldItalic /Verdana-Italic /Vrinda /Webdings /Wingdings2 /Wingdings3 /Wingdings-Regular /ZapfChanceryITCbyBT-MediumItal /ZWAdobeF ] /NeverEmbed [ true ] /AntiAliasColorImages false /CropColorImages true /ColorImageMinResolution 200 /ColorImageMinResolutionPolicy /OK /DownsampleColorImages false /ColorImageDownsampleType /Average /ColorImageResolution 300 /ColorImageDepth -1 /ColorImageMinDownsampleDepth 1 /ColorImageDownsampleThreshold 1.50000 /EncodeColorImages true /ColorImageFilter /DCTEncode /AutoFilterColorImages false /ColorImageAutoFilterStrategy /JPEG /ColorACSImageDict << /QFactor 0.76 /HSamples [2 1 1 2] /VSamples [2 1 1 2] >> /ColorImageDict << /QFactor 0.76 /HSamples [2 1 1 2] /VSamples [2 1 1 2] >> /JPEG2000ColorACSImageDict << /TileWidth 256 /TileHeight 256 /Quality 15 >> /JPEG2000ColorImageDict << /TileWidth 256 /TileHeight 256 /Quality 15 >> /AntiAliasGrayImages false /CropGrayImages true /GrayImageMinResolution 200 /GrayImageMinResolutionPolicy /OK /DownsampleGrayImages false /GrayImageDownsampleType /Average /GrayImageResolution 300 /GrayImageDepth -1 /GrayImageMinDownsampleDepth 2 /GrayImageDownsampleThreshold 1.50000 /EncodeGrayImages true /GrayImageFilter /DCTEncode /AutoFilterGrayImages false /GrayImageAutoFilterStrategy /JPEG /GrayACSImageDict << /QFactor 0.76 /HSamples [2 1 1 2] /VSamples [2 1 1 2] >> /GrayImageDict << /QFactor 0.76 /HSamples [2 1 1 2] /VSamples [2 1 1 2] >> /JPEG2000GrayACSImageDict << /TileWidth 256 /TileHeight 256 /Quality 15 >> /JPEG2000GrayImageDict << /TileWidth 256 /TileHeight 256 /Quality 15 >> /AntiAliasMonoImages false /CropMonoImages true /MonoImageMinResolution 400 /MonoImageMinResolutionPolicy /OK /DownsampleMonoImages false /MonoImageDownsampleType /Bicubic /MonoImageResolution 600 /MonoImageDepth -1 /MonoImageDownsampleThreshold 1.50000 /EncodeMonoImages true /MonoImageFilter /CCITTFaxEncode /MonoImageDict << /K -1 >> /AllowPSXObjects false /CheckCompliance [ /None ] /PDFX1aCheck false /PDFX3Check false /PDFXCompliantPDFOnly false /PDFXNoTrimBoxError true /PDFXTrimBoxToMediaBoxOffset [ 0.00000 0.00000 0.00000 0.00000 ] /PDFXSetBleedBoxToMediaBox true /PDFXBleedBoxToTrimBoxOffset [ 0.00000 0.00000 0.00000 0.00000 ] /PDFXOutputIntentProfile (None) /PDFXOutputConditionIdentifier () /PDFXOutputCondition () /PDFXRegistryName () /PDFXTrapped /False /CreateJDFFile false /Description << /CHS <FEFF4f7f75288fd94e9b8bbe5b9a521b5efa7684002000410064006f006200650020005000440046002065876863900275284e8e55464e1a65876863768467e5770b548c62535370300260a853ef4ee54f7f75280020004100630072006f0062006100740020548c002000410064006f00620065002000520065006100640065007200200035002e003000204ee553ca66f49ad87248672c676562535f00521b5efa768400200050004400460020658768633002> /CHT <FEFF4f7f752890194e9b8a2d7f6e5efa7acb7684002000410064006f006200650020005000440046002065874ef69069752865bc666e901a554652d965874ef6768467e5770b548c52175370300260a853ef4ee54f7f75280020004100630072006f0062006100740020548c002000410064006f00620065002000520065006100640065007200200035002e003000204ee553ca66f49ad87248672c4f86958b555f5df25efa7acb76840020005000440046002065874ef63002> /DAN <FEFF004200720075006700200069006e0064007300740069006c006c0069006e006700650072006e0065002000740069006c0020006100740020006f007000720065007400740065002000410064006f006200650020005000440046002d0064006f006b0075006d0065006e007400650072002c0020006400650072002000650067006e006500720020007300690067002000740069006c00200064006500740061006c006a006500720065007400200073006b00e60072006d007600690073006e0069006e00670020006f00670020007500640073006b007200690076006e0069006e006700200061006600200066006f0072007200650074006e0069006e006700730064006f006b0075006d0065006e007400650072002e0020004400650020006f007000720065007400740065006400650020005000440046002d0064006f006b0075006d0065006e0074006500720020006b0061006e002000e50062006e00650073002000690020004100630072006f00620061007400200065006c006c006500720020004100630072006f006200610074002000520065006100640065007200200035002e00300020006f00670020006e0079006500720065002e> /DEU <FEFF00560065007200770065006e00640065006e0020005300690065002000640069006500730065002000450069006e007300740065006c006c0075006e00670065006e0020007a0075006d002000450072007300740065006c006c0065006e00200076006f006e002000410064006f006200650020005000440046002d0044006f006b0075006d0065006e00740065006e002c00200075006d002000650069006e00650020007a0075007600650072006c00e40073007300690067006500200041006e007a006500690067006500200075006e00640020004100750073006700610062006500200076006f006e00200047006500730063006800e40066007400730064006f006b0075006d0065006e00740065006e0020007a0075002000650072007a00690065006c0065006e002e00200044006900650020005000440046002d0044006f006b0075006d0065006e007400650020006b00f6006e006e0065006e0020006d006900740020004100630072006f00620061007400200075006e0064002000520065006100640065007200200035002e003000200075006e00640020006800f600680065007200200067006500f600660066006e00650074002000770065007200640065006e002e> /ESP <FEFF005500740069006c0069006300650020006500730074006100200063006f006e0066006900670075007200610063006900f3006e0020007000610072006100200063007200650061007200200064006f00630075006d0065006e0074006f0073002000640065002000410064006f00620065002000500044004600200061006400650063007500610064006f007300200070006100720061002000760069007300750061006c0069007a00610063006900f3006e0020006500200069006d0070007200650073006900f3006e00200064006500200063006f006e006600690061006e007a006100200064006500200064006f00630075006d0065006e0074006f007300200063006f006d00650072006300690061006c00650073002e002000530065002000700075006500640065006e00200061006200720069007200200064006f00630075006d0065006e0074006f00730020005000440046002000630072006500610064006f007300200063006f006e0020004100630072006f006200610074002c002000410064006f00620065002000520065006100640065007200200035002e003000200079002000760065007200730069006f006e0065007300200070006f00730074006500720069006f007200650073002e> /FRA <FEFF005500740069006c006900730065007a00200063006500730020006f007000740069006f006e00730020006100660069006e00200064006500200063007200e900650072002000640065007300200064006f00630075006d0065006e00740073002000410064006f006200650020005000440046002000700072006f00660065007300730069006f006e006e0065006c007300200066006900610062006c0065007300200070006f007500720020006c0061002000760069007300750061006c00690073006100740069006f006e0020006500740020006c00270069006d007000720065007300730069006f006e002e0020004c0065007300200064006f00630075006d0065006e00740073002000500044004600200063007200e900e90073002000700065007500760065006e0074002000ea0074007200650020006f007500760065007200740073002000640061006e00730020004100630072006f006200610074002c002000610069006e00730069002000710075002700410064006f00620065002000520065006100640065007200200035002e0030002000650074002000760065007200730069006f006e007300200075006c007400e90072006900650075007200650073002e> /ITA (Utilizzare queste impostazioni per creare documenti Adobe PDF adatti per visualizzare e stampare documenti aziendali in modo affidabile. I documenti PDF creati possono essere aperti con Acrobat e Adobe Reader 5.0 e versioni successive.) /JPN <FEFF30d330b830cd30b9658766f8306e8868793a304a3088307353705237306b90693057305f002000410064006f0062006500200050004400460020658766f8306e4f5c6210306b4f7f75283057307e305930023053306e8a2d5b9a30674f5c62103055308c305f0020005000440046002030d530a130a430eb306f3001004100630072006f0062006100740020304a30883073002000410064006f00620065002000520065006100640065007200200035002e003000204ee5964d3067958b304f30533068304c3067304d307e305930023053306e8a2d5b9a3067306f30d530a930f330c8306e57cb30818fbc307f3092884c3044307e30593002> /KOR <FEFFc7740020c124c815c7440020c0acc6a9d558c5ec0020be44c988b2c8c2a40020bb38c11cb97c0020c548c815c801c73cb85c0020bcf4ace00020c778c1c4d558b2940020b3700020ac00c7a50020c801d569d55c002000410064006f0062006500200050004400460020bb38c11cb97c0020c791c131d569b2c8b2e4002e0020c774b807ac8c0020c791c131b41c00200050004400460020bb38c11cb2940020004100630072006f0062006100740020bc0f002000410064006f00620065002000520065006100640065007200200035002e00300020c774c0c1c5d0c11c0020c5f40020c2180020c788c2b5b2c8b2e4002e> /NLD (Gebruik deze instellingen om Adobe PDF-documenten te maken waarmee zakelijke documenten betrouwbaar kunnen worden weergegeven en afgedrukt. De gemaakte PDF-documenten kunnen worden geopend met Acrobat en Adobe Reader 5.0 en hoger.) /NOR <FEFF004200720075006b00200064006900730073006500200069006e006e007300740069006c006c0069006e00670065006e0065002000740069006c002000e50020006f0070007000720065007400740065002000410064006f006200650020005000440046002d0064006f006b0075006d0065006e00740065007200200073006f006d002000650072002000650067006e0065007400200066006f00720020007000e5006c006900740065006c006900670020007600690073006e0069006e00670020006f00670020007500740073006b007200690066007400200061007600200066006f0072007200650074006e0069006e006700730064006f006b0075006d0065006e007400650072002e0020005000440046002d0064006f006b0075006d0065006e00740065006e00650020006b0061006e002000e50070006e00650073002000690020004100630072006f00620061007400200065006c006c00650072002000410064006f00620065002000520065006100640065007200200035002e003000200065006c006c00650072002e> /PTB <FEFF005500740069006c0069007a006500200065007300730061007300200063006f006e00660069006700750072006100e700f50065007300200064006500200066006f0072006d00610020006100200063007200690061007200200064006f00630075006d0065006e0074006f0073002000410064006f00620065002000500044004600200061006400650071007500610064006f00730020007000610072006100200061002000760069007300750061006c0069007a006100e700e3006f002000650020006100200069006d0070007200650073007300e3006f00200063006f006e0066006900e1007600650069007300200064006500200064006f00630075006d0065006e0074006f007300200063006f006d0065007200630069006100690073002e0020004f007300200064006f00630075006d0065006e0074006f00730020005000440046002000630072006900610064006f007300200070006f00640065006d0020007300650072002000610062006500720074006f007300200063006f006d0020006f0020004100630072006f006200610074002000650020006f002000410064006f00620065002000520065006100640065007200200035002e0030002000650020007600650072007300f50065007300200070006f00730074006500720069006f007200650073002e> /SUO <FEFF004b00e40079007400e40020006e00e40069007400e4002000610073006500740075006b007300690061002c0020006b0075006e0020006c0075006f0074002000410064006f0062006500200050004400460020002d0064006f006b0075006d0065006e007400740065006a0061002c0020006a006f0074006b006100200073006f0070006900760061007400200079007200690074007900730061007300690061006b00690072006a006f006a0065006e0020006c0075006f00740065007400740061007600610061006e0020006e00e400790074007400e4006d0069007300650065006e0020006a0061002000740075006c006f007300740061006d0069007300650065006e002e0020004c0075006f0064007500740020005000440046002d0064006f006b0075006d0065006e00740069007400200076006f0069006400610061006e0020006100760061007400610020004100630072006f0062006100740069006c006c00610020006a0061002000410064006f00620065002000520065006100640065007200200035002e0030003a006c006c00610020006a006100200075007500640065006d006d0069006c006c0061002e> /SVE <FEFF0041006e007600e4006e00640020006400650020006800e4007200200069006e0073007400e4006c006c006e0069006e006700610072006e00610020006f006d002000640075002000760069006c006c00200073006b006100700061002000410064006f006200650020005000440046002d0064006f006b0075006d0065006e007400200073006f006d00200070006100730073006100720020006600f60072002000740069006c006c006600f60072006c00690074006c006900670020007600690073006e0069006e00670020006f006300680020007500740073006b007200690066007400650072002000610076002000610066006600e4007200730064006f006b0075006d0065006e0074002e002000200053006b006100700061006400650020005000440046002d0064006f006b0075006d0065006e00740020006b0061006e002000f600700070006e00610073002000690020004100630072006f0062006100740020006f00630068002000410064006f00620065002000520065006100640065007200200035002e00300020006f00630068002000730065006e006100720065002e> /ENU (Use these settings to create PDFs that match the "Recommended" settings for PDF Specification 4.01) >> >> setdistillerparams << /HWResolution [600 600] /PageSize [612.000 792.000] >> setpagedevice