Chapter 10


Chapter 10: Digital Vehicle Forensics

Digitalization pervades all walks of life, and the vehicle industry is no exception:
consider the rise of complex driver assistance systems, driverless cars, etc. With all of
its digital implementations, the vehicle is becoming an important source of digital
evidence in a technical issue or a crime investigation. Today, digital forensics has become
a panacea for digital vehicle warranty claims analysis, automobile accident
investigations, security-based implementations and scrutiny, etc. Crime investigation is
by far the most important application of digital forensics for the vehicle industry.
Traditionally, when a vehicle was involved in a crime, investigators collected
fingerprints, DNA material and other evidence that is not usually digital in nature.
However, today's car is smart and stores a huge amount of digital information such as
routes, destinations, frequent locations, call logs, videos, music, etc. Hence, Digital
Vehicle Forensics is a newly emerged field that enables investigators to preserve a wide
range of information from motor vehicles that can serve as digital evidence.
Modern-day vehicles are an important source of digital evidence. Existing approaches to
vehicle forensics mostly focus on the acquisition and analysis phases only rather than
discussing the whole procedure [1]. There are also different forensic challenges
associated with the investigation process. This chapter throws light on the Digital Vehicle
Forensics process, the telematics system and the challenges that an investigator can face
during the forensics process.

1.1. Introduction to Digital Vehicle Forensics


Digital vehicle forensics is the application of digital forensics practices and techniques
to automotive vehicle systems. It is an emerging area of research because of the
introduction of smart and driverless vehicles and advancement in technology due to the
Internet of Things (IoT). The forensics process answers the questions that arise from
stakeholders about an accident, forgery, fraud, etc. The investigation process must
report the 6WH's, i.e. when, what, who, where, when, and how the crime scene happened.
Like any other forensics process, digital vehicle forensics involves the acquisition,
preservation and analysis of evidence from automobiles. Digital evidence can be collected
from the following parts of a digital vehicle.
1. Telematics or Infotainment System
This is the most impactful source of digital evidence in motor vehicles. Almost
every vehicle manufacturer embeds a telematics system into its vehicle designs.
It is expected that by 2025 every vehicle will have this system. The system
helps to transfer data over a telecommunication channel.
2. Event Data Recorders (EDR):
An EDR is also known as a black box. It was first introduced in the last decade of
the twentieth century in North America. An EDR usually operates when a car faces
any type of collision. It is a good source of evidence for accidents, vehicle theft,
forgery, fraud, etc. [2].
3. Front and Rear Dash Cameras
Front and rear dash cameras sometimes have data storage capabilities and hence
can help to provide data for forensic purposes.
4. Electronic Control Units (ECUs) in driverless cars
An ECU is also known as an Engine Control Module (ECM). ECUs are small embedded
devices inside a vehicle that control the electrical systems within the vehicle.
Because microcontrollers are connected to these devices, they also have data
storage capabilities.
5. Key Fobs:
A key fob provides keyless entry to the vehicle. It has become a potential source of
evidence since it has become common. Almost every other car requires remote
entry or smart key entry, and the key stores important information like the Vehicle
Identification Number (VIN), odometer readings, time and date stamps, etc.
Key fob forensic software is required to acquire data from these remote keys.
Another way is to acquire it through a local vehicle dealership.
6. Controller Area Network (CAN) Bus:
CAN Bus is a protocol designed to let ECUs and other devices communicate with
each other. The communication is done in a priority-driven fashion.
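
The priority-driven behaviour of the CAN bus in item 6 comes from bitwise arbitration on the frame identifier: the numerically lowest identifier wins the bus. The sketch below is an added example, not code from the chapter; the identifiers are constructed sample values and the function names are hypothetical.

```python
# Added illustration: bitwise CAN arbitration among frames queued at the same instant.
# The identifiers below are constructed sample values, not taken from any real vehicle.

def arbitrate(ids, id_bits=11):
    """Return (winning_id, lost_at), where lost_at maps each losing id to the
    identifier bit position (MSB = id_bits - 1) at which that node backed off."""
    contenders = set(ids)
    lost_at = {}
    for bit in range(id_bits - 1, -1, -1):       # identifier is sent MSB first
        sent = {i: (i >> bit) & 1 for i in contenders}
        bus = min(sent.values())                 # wired-AND: dominant 0 overrides recessive 1
        for can_id, level in sent.items():
            if level != bus:                     # sent recessive, read dominant: stop sending
                lost_at[can_id] = bit
        contenders = {i for i in contenders if sent[i] == bus}
    (winner,) = contenders                       # unique ids leave exactly one node
    return winner, lost_at


def bus_order(pending):
    """Order in which simultaneously queued frames reach the bus (losers retry)."""
    pending, order = set(pending), []
    while pending:
        winner, _ = arbitrate(pending)
        order.append(winner)
        pending.remove(winner)
    return order


PENDING = [0x7DF, 0x244, 0x0C9, 0x0C4]           # constructed identifiers

if __name__ == "__main__":
    winner, lost_at = arbitrate(PENDING)
    print(f"winner: 0x{winner:03X}")
    for can_id, bit in sorted(lost_at.items()):
        print(f"0x{can_id:03X} backed off at identifier bit {bit}")
    print("bus order:", [f"0x{i:03X}" for i in bus_order(PENDING)])
```

For an investigator reading a captured trace, this means the time at which a low-priority frame appears on the bus can lag the moment the sending ECU queued it.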

1.2. Motor Vehicle telematics


A motor vehicle telematics system is a combination of informatics, telecommunication,
electronics, and software that collects and analyses data and, as a result, improves
the safety and efficiency standards of the overall driving experience. Global
Positioning System (GPS), vehicle diagnostic systems, wireless devices and black box
technologies combine in vehicle telematics to collect and transmit vehicle data like
location, speed, service and maintenance, etc. The information can be used to improve
safety and performance through real-time analysis.
Figure 10.1: Digital Evidence Sources
The telematics device collects and transmits location information using GPS, while
vehicle-related data such as speed, maintenance, etc. is transmitted using the General
Packet Radio Service (GPRS), other cellular networks, or a satellite communication system
to a centralized cloud server. In the cloud, the data is optimized, interpreted and
classified for better data analysis.
Today, the general practice is to embed vehicle telematics directly into fleet vehicles.
Other telematics devices, like GPS systems, are also available separately for aftermarket
installation.
Digital forensics depends on the data that can be retrieved from the crime site. The data
that can be acquired from a telematics system includes idling time, location, fuel
consumption, maintenance and services, speed, vehicle faults, and braking. Hence,
analyzing data from telematics is of great importance because it helps to improve the
driving experience, productivity, etc.
Working of Telematics System:
A telematics system consists of three basic blocks that work together to provide
beneficial services. Figure 10.2 shows the working blocks of a telematics system. The
three basic blocks are as follows:
1. Telematics Control Unit (TCU)
The TCU is the hardware module installed in digital vehicles. The module has
telecommunication interfaces like CAN Bus, GPRS, etc. The TCU collects the data
and sends it to the telematics cloud server via a wireless network. The TCU mostly
uses GPRS or other cellular systems like 3G, 4G, Edge, 5G, LTE, etc.
Figure 10.2: Working of Telematics system

2. Telematics Cloud Server


The data from the TCU is transferred to the cloud server via a wireless network like
GPRS or other cellular networks. Before transmission, data packets are encrypted
for better security. At the cloud, the data is first extracted and then stored in a
database.
3. Web browser or mobile app for data presentation
The data can be accessed by the user through a web browser or mobile application
that supports the vehicle telematics system. The data in the server can be sent to
third-party software or applications, for example mapping software.

Applications of Vehicle Telematics:


The vehicle telematics system is a beneficial addition to digital cars. Some of its
applications are as follows.
1. Telematics Vehicle Tracking:
GPS combined with GPRS is used for tracking purposes. A GPRS modem is
installed with the user device; it collects and transmits data from the GPS.
2. Fleet Vehicle Telematics System Management:
A telematics system is usually embedded in fleet vehicles to perform
management services like vehicle scheduling, maintenance, financing, diagnostics,
safety management, fuel consumption, engine health, etc.
3. Standard Adherence by telematics system:
Telematics systems adhere to standards by the Association of Equipment Management
Professionals, which deliver data in .xml format.
4. Car Sharing:
The system helps to keep track of the members who use or drive the car and
hence can help a digital investigator to figure out the user of the vehicle.
5. Wireless Vehicle Safety Communications:
Sensors installed in the vehicle can help to predict traffic congestion,
signal lights, etc. These sensors are connected to the telematics system, which
can therefore record this information too and optimize routes.
6. Insurance:
Insurance companies record data on the driver's vehicle and calculate risk
assessments. This data from the insurance companies can also be helpful to
forensic investigators.

1.3. Data acquisition from embedded telematics


The motor vehicle industry has seen a lot of evolution in the past 30 years. The embedded
telematics or infotainment system is one such example. Data acquisition is an
important step in a digital forensics process, and in vehicle forensics the most
valuable source is the telematics system, which stores data according to the
manufacturer's policy. Telematics systems differ between car models, and the data can be
stored in many different forms. Broadly, the data falls into the following categories of
information:
• Vehicle information system (Serial Number, Engine Number, Part Number,
Vehicle identification number, build number)
• Navigation Data (saved locations, recent destinations, track logs, routes followed,
speed logs)
• Connected Devices (smart phones, media players, USB drives, hard drives, SD
cards, Wireless Access Points (WAPs))
• Application Data (traffic apps, weather apps, Facebook, etc.)
• Events (lights on/off, doors open or close, Wi-Fi connection, Bluetooth
connection, GPS data sync, odometer readings, braking, gear shifts, acceleration,
and other events)
• Device basic Information (call logs, contacts, media, Access Point Information,
Device IDs)

Until 2014, these telematics systems were useless to forensic investigators because
the data collected remained inaccessible. Physical data acquisition can be performed on
the telematics or infotainment system. This is the most beneficial process for data
acquisition: the investigator can acquire all the information, bit by bit, from the hard
drive, even deleted files. The only drawback is that it takes much longer than
logical extraction. Acquisition can also be done by de-mounting the memory chip,
which is known as the chip-off method, but with this technique it is very difficult to
acquire data without any damage. FTK Imager and Sleuth Kit Autopsy can be the best
options available. Physical acquisition is a reliable method of data retrieval from a
smartphone, but the method faces some issues in digital vehicle forensics due to the lack
of forensic tools that are specific to vehicles.
The US-based company Berla Corporation released a forensic toolkit for digital vehicle
forensics in 2014. The name of the toolkit is iVe [3]. It is the first of its kind and
provides a database check to determine whether the vehicle is supported for data
acquisition, instructions for the data acquisition, and a data analysis algorithm.
Depending on the type and model of the vehicle, the acquired data can be as large as
25 GB. The data acquired using iVe is time stamped. Time stamping is possible with the GPS
tracker, which records location as well as time stamps. The acquired data can contain
information from many past years and hence can give information on all the devices that
are connected to the vehicle now or were connected at some time in the life of the
vehicle. Consequently, these logs can provide essential information to the investigator.
Forensic Types and Acquisition Methods:
For automobile/vehicle forensics, two types of forensics can do a good job.
1. Live forensics:
As the name suggests, the data is collected in a run-time scenario. Live forensics is
mostly useful for collecting data from volatile memory. However, the drawback is
corruption of the data evidence.
2. Post-Mortem Forensics:
The traditional way of digital forensics, in which the whole system is forced to stop
in order to acquire the data. A good thing about this method is that there is very
little risk of data corruption. However, the disadvantage is that it does not acquire
the volatile data, which can hold a lot of useful information regarding the crime scene.

According to the forensics types discussed, data acquisition can also be done using the
following methods other than physical acquisition.
1. Online acquisition:
Software-based techniques are used to acquire data, for example using Volatility
to acquire the volatile RAM data. These methods are fast and reliable. The amount
of data collected depends on the memory capacity of the digital vehicle's parts. The
memory capacity differs from one vehicle to another and is decided by the
manufacturer.

Figure 10.3: Data Classes for Vehicle Forensics

2. Offline Acquisition:
The data acquisition takes place in a switched-off mode. This can include the chip-off
method, in which logical and embedded circuits are desoldered. The process is not only
more time consuming, but there is also a high chance of corrupting the data files
through a careless desoldering process.

Classes of data available for automotive forensics:


To ease the data analysis process, Buquerin et al. divided the data evidence into five
classes, namely firmware, communication data, user data, safety-related data, and
security-related data [4].
Firmware is software installed on an ECU. It is important to analyse the firmware
because it helps to identify any modification that has happened to the ECU.
Communication data is the data transferred between the vehicle components and the
cloud server. User data is the data that is written, read, deleted or modified when a
third-party device such as a USB device connects to the vehicle components.
Safety-related data is the data from the EDR; it is the data of the vehicle in its safety
state. Finally, security-related data is the data that provides implicit information
about the security of the device.
1.1. Forensic Process for Vehicles
The general forensic process involves data acquisition, preservation, data analysis and
reporting. Digital vehicle forensics is a very sophisticated procedure and has not been
studied by many researchers. Gomez Buquerin, however, formulated a forensics method
specific to digital vehicles [5].
The process involves the following steps:
1. Forensics readiness:
This step evaluates the feasibility of the forensics process. In this phase the potential
data sources are decided. Then the interfaces and communication methods used by the
vehicle are determined. In the last step, available tools that can help in data
acquisition as well as data analysis are identified. All the information is
documented for use in the final step.
2. Data Acquisition:
Data acquisition is the most important step of the forensics process. For vehicle
forensics, this step involves determining the vehicle data like variant, model,
etc. After that, the sources of evidence are determined. For example, if the goal is to
check the position of the car, then only the GPS system will be taken as the data evidence
source. And if information forgery is to be determined, then the telematics system
needs to be taken as the source of digital evidence. Then data acquisition tools are
installed and the acquisition is performed. The data acquired is preserved for further use.
Figure 10.4: Forensics Process for the Digital Vehicles
3. Data Analysis:
The main step of any forensics process is the data analysis step. This step involves the
setup of data analysis tools. Then the investigator filters out the data segments and
events that are relevant. A timeline is created and the event is re-created. The results
are documented for reporting purposes.
4. Documentation:
In this step the reports from the forensics readiness, data acquisition and data
analysis steps are collected. A final report containing all the analysis and results is
created to be presented in court or on any other authenticated platform.

1.4. Vehicle forensic challenges


Like any other forensic process, digital vehicle forensics faces many challenges. Data
acquisition remains a major, hectic process due to the large body of the vehicles.
Complexity is another challenge that forensic investigators mostly face. There can be
many such issues and challenges that need to be addressed. Some of them are as
follows.
1. Complexity
The vehicle is itself a complex device, and the components embedded in it are also
complex to understand, which can complicate the data acquisition and analysis
process. The forensics process becomes expensive and time consuming when it is
performed on a complex system, because the quantity of data is large and difficult
to acquire. A vehicle may have many ECUs, making the forensics process more
complex and hectic. Mobile services for cars are also increasing, making it more
intricate.

2. Diversity
The data acquired may be in different formats. The big volumes of data from the
vehicles can be divided into smaller sections, which can help to perform the digital
forensics process in less time.

3. Consistency and correlation


When forensics is performed, data sources need to be correlated to generate a
statistical analysis of the data, so correlation remains a comprehensive part of the
forensics process. As a vehicle may have a large number of ECUs, maintaining consistency
and calculating correlation become a great challenge for the forensic investigator.
4. Quantity and volume problems
A modern vehicle may have many components with embedded memory. A large number of
ECUs, etc. may lead to a large volume of data. Dealing with such a large volume of data
is critical. One way is to divide the data into smaller sections, which can help to
perform the analysis efficiently and in less time. Another way is to determine the
sources of the data evidence precisely; sometimes it is not required to collect the
data from all data sources.

5. Unified time lining problem


Timestamps are important information for forensic analysis. Timestamps can be
collected from different subsystems of the vehicle and can also be calculated
using the GPS data. The timestamps collected usually show different values, which
makes correlating them a challenge for the investigator. Hence the unified
timelining problem remains a great challenge for vehicle forensic investigators.

6. Data acquisition issues due to proprietary concerns


Data acquisition can be a challenge when the investigator needs to collect data from
the cloud server. As the telematics and infotainment systems transfer data to the
cloud server, there is a need to acquire data from the cloud too. Here the proprietary
concerns can be a challenge.
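
The unified timelining problem in item 5, and the timeline step of the data analysis phase, can be illustrated with a small normalisation routine. This is an added example, not part of the original chapter: the records are constructed, the function names are hypothetical, and it assumes the head unit's "gps data sync" event coincides with the first GPS fix and that its clock error is constant over the trip.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records, not from a real vehicle. Each source has its own clock.
GPS_FIXES = [   # GPS receiver: UTC
    ("2023-05-04T14:02:10+00:00", "fix speed=0"),
    ("2023-05-04T14:03:40+00:00", "fix speed=52"),
    ("2023-05-04T14:05:40+00:00", "fix speed=0"),
]
HEAD_UNIT = [   # infotainment clock: user-set wall time, no zone, unknown error
    ("2023-05-04 16:00:50", "ignition on"),
    ("2023-05-04 16:01:02", "bluetooth connect"),
    ("2023-05-04 16:02:47", "gps data sync"),
    ("2023-05-04 16:06:30", "door open"),
]
ECU = [         # ECU counter: milliseconds since ignition on
    (0, "ignition on"),
    (215_000, "hard braking"),
]


def wall(text):
    """Parse a head-unit wall-clock string and tag it UTC so arithmetic is uniform."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def head_unit_offset(head_unit, gps_fixes):
    """Correction to add to head-unit time to obtain UTC.
    Assumption: the 'gps data sync' event coincides with the first GPS fix."""
    sync_wall = next(wall(t) for t, event in head_unit if event == "gps data sync")
    return datetime.fromisoformat(gps_fixes[0][0]) - sync_wall


def unified_timeline(gps_fixes, head_unit, ecu):
    """Merge all three sources into one list of (utc, source, event), sorted by UTC."""
    offset = head_unit_offset(head_unit, gps_fixes)
    rows = [(datetime.fromisoformat(t), "gps", e) for t, e in gps_fixes]
    hu = [(wall(t) + offset, "head_unit", e) for t, e in head_unit]
    # Second anchor: ECU counter zero is the head unit's (corrected) ignition event.
    ignition_utc = next(ts for ts, _, e in hu if e == "ignition on")
    rows += hu
    rows += [(ignition_utc + timedelta(milliseconds=ms), "ecu", e) for ms, e in ecu]
    return sorted(rows)


if __name__ == "__main__":
    offset = head_unit_offset(HEAD_UNIT, GPS_FIXES)
    print(f"head-unit correction: {offset.total_seconds():+.0f} s")
    for ts, source, event in unified_timeline(GPS_FIXES, HEAD_UNIT, ECU):
        print(ts.isoformat(), f"{source:9}", event)
```

Sorted on the raw values, every head-unit event would fall two hours after the GPS track; after correction the braking event lands between the second and third GPS fixes. The anchors and the derived offset belong in the report so the reconstruction can be reproduced.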
References
[1] Lacroix, J., El-Khatib, K., & Akalu, R. (2016, November). Vehicular digital forensics: What does
my vehicle know about me?. In Proceedings of the 6th ACM Symposium on Development and Analysis of
Intelligent Vehicular Networks and Applications (pp. 59-66).
[2] Daily, J.S., Singleton, N., Downing, B., Manes, G.W. (2008). Light Vehicle Event Data
Recorder Forensics. In: Sobh, T. (eds) Advances in Computer and Information Sciences and Engineering.
Springer, Dordrecht. https://doi.org/10.1007/978-1-4020-8741-7_31
[3] “iVe – Berla.co.” [Online]. Available: https://berla.co/tag/ive/.
[4] Buquerin, K. K. G., Corbett, C., & Hof, H. J. (2021). A generalized approach to automotive
forensics. Forensic Science International: Digital Investigation, 36, 301111.
[5] K. Klaus Gomez Buquerin and M. Corbett, “Analysis of Digital Forensics Capabilities on State-
of-the-art Vehicles.”
