// investigation guide

smart home compromise — methodology

smart home compromise is rarely one device blinking red. it is a cloud account reused across alexa, google home, ring, nest, august, and a samsung tv — guest codes added remotely, voice unlock commands, live camera views while the owner is away, and thermostat overrides that contradict vacation mode. your job is to correlate multi-vendor exports, identify who added access and when, and separate on-site presence from remote account abuse before rolling retention windows erase the overlap.

what evidence exists and how fast it dies

artifact | volatility | time to loss
voice-assistant activity export (alexa / google) | rolling at vendor | 18 months typical — varies by account settings
ring / nest event timeline csv | rolling | 60–180 days unless manually saved
smart lock access log csv | rolling | 30–90 days on consumer plans
thermostat mode history | rolling | 90 days to 2 years depending on vendor
homekit backup / accessory plist | persistent if imaged | lost on ios restore without backup
smart tv viewing / account linkage json | mixed | app history prunes quickly — account linkage persists longer
cloud account login / session audit (google / amazon) | rolling | 180 days typical — lawful hold extends via counsel

the first 10 minutes

  1. confirm the owner is physically safe — smart-home abuse often pairs with stalking or domestic intrusion.
  2. revoke unknown household members and guest codes at the lock vendor and google/amazon home apps immediately.
  3. change passwords on google, amazon, ring, and nest accounts — enable mfa before pulling exports.
  4. request alexa voice history and google assistant my activity downloads for the incident window.
  5. export ring event history and nest camera activity for the same date range — save as csv/json, not screenshots.
  6. pull smart lock access logs — note every code slot name and unlock timestamp.
  7. export thermostat timeline for away/home/vacation transitions overlapping the reported window.
  8. capture homekit accessory plist or encrypted backup slice if ios controls locks or scenes.
  9. document smart tv account logins and any ring live-view launches from the tv app.
  10. begin the path below — correlate all exports to a single utc anchor before vendor retention prunes the overlap.

the path

  1. alexa voice history forensic extractor

    alexa activity csv/json/zip export. categorizes voice commands, builds a timeline, and surfaces unlock queries or device-control phrases.
    why first: voice logs show whether someone spoke on-site or abused a shared cloud account remotely — the distinction drives your entire narrative.

  2. google home artifact forensic analyzer

    assistant my activity json/html/zip. inventories cast targets, routines, guest-lock adds, and clip-view events tied to google/nest accounts.
    why second: google home bridges nest cameras, locks, and speakers — one export often holds the session that added a rogue guest code.

  3. homekit accessory forensic analyzer

    home backup zip or accessory plists. surfaces scenes, automations, geofence lat/lon, and lock accessory metadata from ios-side control.
    why third: homekit automations and geofences persist even when cloud vendor logs are sparse — check the apple-side control plane.

  4. ring camera artifact forensic extractor

    ring exported json/csv/zip timelines. classifies ding, motion, alarm, and on-demand live view events with utc occupancy heuristics.
    why fourth: live view while the owner is away is a stronger intrusion signal than motion alone — ring exports distinguish the two.

  5. nest camera forensic analyzer

    nest/google takeout json/csv fragments. extracts postal_code, familiar-face labels, activity zones, and visitor classification.
    why fifth: nest familiar-face tags and zone hits corroborate ring motion — cross-vendor camera overlap tightens the timeline.

  6. smart lock access forensic analyzer

    august/schlage csv exports. maps code slot names, unlock→lock sessions, late-night anomalies, and attributable keypad access.
    why sixth: the guest-code slot name and unlock timestamp are your attribution anchor — voice and camera logs should align to the same minute.

  7. smart thermostat timeline analyzer

    nest json, ecobee csv, or generic mode csv. tracks away/home/vacation transitions and routine bands as corroborative occupancy cues.
    why seventh: away→home heat override during a declared vacation window is passive proof someone was inside — or remotely forced comfort mode.

  8. smart tv artifact forensic extractor

    samsung/lg json walks — viewing history, installed apps, search trails, and account linkage cues with heuristic timeline bands.
    why last: rogue ott account logins and ring live-view launches on the tv often trail lock events — sequence account adds after physical access is established.
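
a sketch of the utc-anchor correlation that step 10 and the lock step call for, added here as an example and not taken from any of the tools above: it normalizes three exports with different timestamp conventions to utc, then lists the voice and camera events within five minutes of each unlock. the sample rows, field names, and the fixed -6h lock offset are constructed assumptions; real vendor exports differ.

```python
import csv, io, json
from datetime import datetime, timedelta, timezone

# constructed sample exports; real vendor field names and formats differ
LOCK_CSV = """timestamp_local,event,method,slot_name
2024-01-13 23:41:10,unlock,keypad,contractor temp
2024-01-13 23:58:02,lock,auto,
2024-01-14 14:05:00,unlock,app,owner
"""
LOCK_UTC_OFFSET = timedelta(hours=-6)  # assumed: lock export is naive local time
RING_JSON = json.dumps([  # epoch milliseconds
    {"created_at_ms": 1705210980000, "kind": "on_demand"},
    {"created_at_ms": 1705181600000, "kind": "motion"},
])
ALEXA_JSON = json.dumps([  # iso 8601 with utc offset
    {"time": "2024-01-13T23:40:30-06:00", "utterance": "unlock the front door"},
])

def to_utc_events():
    """parse all three exports into sorted (utc_time, source, detail) tuples."""
    events = []
    for row in csv.DictReader(io.StringIO(LOCK_CSV)):
        local = datetime.strptime(row["timestamp_local"], "%Y-%m-%d %H:%M:%S")
        when = (local - LOCK_UTC_OFFSET).replace(tzinfo=timezone.utc)
        detail = "/".join((row["event"], row["method"], row["slot_name"]))
        events.append((when, "lock", detail))
    for e in json.loads(RING_JSON):
        when = datetime.fromtimestamp(e["created_at_ms"] / 1000, tz=timezone.utc)
        events.append((when, "ring", e["kind"]))
    for e in json.loads(ALEXA_JSON):
        when = datetime.fromisoformat(e["time"]).astimezone(timezone.utc)
        events.append((when, "alexa", e["utterance"]))
    return sorted(events)

def correlate(events, window=timedelta(minutes=5)):
    """for each unlock, list other-vendor events within +/- window (offset in s)."""
    out = {}
    for ts, src, detail in events:
        if src == "lock" and detail.startswith("unlock"):
            out[(ts.isoformat(), detail)] = [
                (s, d, int((t - ts).total_seconds()))
                for t, s, d in events
                if s != "lock" and abs(t - ts) <= window
            ]
    return out

if __name__ == "__main__":
    for anchor, nearby in correlate(to_utc_events()).items():
        print(anchor, "->", nearby)
```

a fixed offset is only valid while the export window does not cross a daylight-saving change; for longer windows convert with the property's iana time zone instead.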

common false leads

  • one motion alert equals intrusion — delivery drivers and wind trigger ring constantly; live view while away is the stronger signal.
  • voice unlock means someone was inside — remote account sessions can trigger unlock via app or shared household membership.
  • the contractor code name proves the contractor did it — slot labels are user-assigned; verify creation timestamp and cloud session.
  • nest familiar face "unknown visitor" is a named suspect — it is a classification bucket, not biometric identification.
  • thermostat override means physical entry — remote eco→home changes happen from the mobile app without crossing the threshold.
  • single-vendor export is enough — alexa, google, ring, and nest desync; absence in one log does not clear another.
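
the false-lead rules above expressed as a grading pass, added here as an example and not the output or logic of any tool on this page: events inside the owner's away window are labelled so that motion alone stays weak, remote-capable actions are not read as physical entry, and only keypad access supports an on-site narrative. the events, kind names, labels, and the two-minute corroboration window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

def utc(s):
    """parse 'YYYY-MM-DD HH:MM' as an aware utc datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)

# constructed, already utc-normalized events: (time, source, kind, method)
AWAY = (utc("2024-01-12 15:00"), utc("2024-01-16 18:00"))  # owner's travel window
EVENTS = [
    (utc("2024-01-13 17:02"), "ring", "motion", None),
    (utc("2024-01-14 05:30"), "lock", "code_added", "app"),
    (utc("2024-01-14 05:41"), "lock", "unlock", "keypad"),
    (utc("2024-01-14 05:42"), "ring", "motion", None),
    (utc("2024-01-14 05:43"), "ring", "live_view", None),
    (utc("2024-01-14 06:10"), "thermostat", "away_to_home", "app"),
    (utc("2024-01-17 09:00"), "ring", "motion", None),
]

def grade(events, away, near=timedelta(minutes=2)):
    """label each event inside the away window using the rules above."""
    keypad = [t for t, _, k, m in events if k == "unlock" and m == "keypad"]
    graded = []
    for t, _, kind, method in events:
        if not away[0] <= t <= away[1]:
            continue  # owner home: outside the window under review
        if kind == "motion":
            # motion alone is weak; it only counts next to a keypad unlock
            hit = any(abs(t - k) <= near for k in keypad)
            label = "corroborates-onsite" if hit else "weak"
        elif kind in ("live_view", "code_added"):
            label = "strong-remote"  # a lead: verify the cloud session behind it
        elif kind == "unlock" and method == "keypad":
            label = "onsite-access"  # someone at the door, identity still unknown
        else:
            label = "remote-possible"  # app or voice unlock, thermostat override
        graded.append((t.strftime("%m-%d %H:%M"), kind, label))
    return graded

def summarize(graded):
    """which of the two narratives the graded events support."""
    labels = {label for _, _, label in graded}
    return {"onsite": "onsite-access" in labels, "remote": "strong-remote" in labels}

if __name__ == "__main__":
    result = grade(EVENTS, AWAY)
    print(*result, summarize(result), sep="\n")
```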

what we can tell you, what we can't

we can tell you:

  • voice-command timelines and device-control phrase clusters from alexa/google exports
  • guest-code slot names, unlock sessions, and late-night anomalies from lock csv logs
  • ring event classification (motion vs live view) and nest familiar-face / zone inventory
  • homekit geofence coordinates, scenes, and automation triggers from plist extracts
  • thermostat away/home/vacation bands as corroborative occupancy cues
  • smart tv account linkage and viewing/search trails relative to lock and camera events

we can't tell you:

  • live cloud session ip or device fingerprint — you need vendor lawful-access or account security exports
  • video frame content or facial recognition — we parse metadata and event logs, not video blobs
  • who physically crossed the threshold — lock and camera logs show access, not identity beyond code slot labels
  • attribution to a named individual without corroborating identity evidence outside the iot stack
  • real-time blocking of rogue devices — rotate credentials and revoke access in vendor apps; our tools analyze exports offline

handing it off

  • law enforcement: correlated utc timeline, guest-code creation window, live-view events while owner away, rogue account adds, and preserved vendor exports with chain-of-custody notes.
  • counsel / dv advocate: stalking-pattern summary if camera/live-view abuse overlaps with known threat — prioritize survivor safety over deep artifact mining.
  • insurance / property: lock access log, thermostat override proof, and camera event bundle for unauthorized-entry claims — include vendor ticket numbers for account-compromise reports.

further reading

reference investigation

synthetic fixture reed-smart-home-compromise — jordan reed travel-window intrusion with contractor temp guest code, alexa unlock commands, ring live view, nest unknown visitor, thermostat away→home override, and rogue samsung tv account, seed reed-smart-home-compromise:v1. compare output via npm run check:flagship.

fixture download: evidence zip · proof page: /forensics/proof/reed-smart-home-compromise · case playbook: case type tools
