The modern vehicle is incredibly sophisticated, with many gadgets and features designed to support drivers. This, however, also means that there is now a significant amount of data stored in, and available from, the vehicle. So how could this information be of any use to a digital forensics practitioner?

Many Kinds of Data

The volume and variety of data in the car has increased manifold within the last ten years. In addition to the normal messages that control the vehicle, we now also have information from and about multiple sensors. Data can be streamed from personal devices such as mobile phones using Wi-Fi or Bluetooth; phonebooks and location or journey details are stored on-board; and payment systems for fuel and other services are about to be deployed. In the event of a crash, the event data recorder (EDR) might kick in, recording factors such as whether the brakes were applied. Aftermarket devices, such as self-diagnostic kits or black-box insurance telematics kits, could also potentially hold or transmit data.

The Value of Data

Some data is easy to find: for example, contact names, phone numbers and paired devices (including device machine addresses) stored in the infotainment unit. Logged journeys, usual routes to home, work and other frequently visited places can be found on the in-built navigation system or, sometimes, on SD cards. USB sticks containing music, photos or vehicle updates are sometimes permanently plugged into the vehicle.

Other information is less straightforward and less ubiquitous, such as how many keys the car is programmed to recognize. This could be useful in the case of a recovered vehicle after theft. Other potential evidence could be gained from smaller pockets of data such as electric seat memory.

Finally, looking deeper into the vehicle, PINs and other identifying information for connected devices (such as a Bluetooth phone) could potentially be found in the vehicle’s operating systems, with the two market leaders being Research in Motion’s QNX and Microsoft’s Windows Auto. The EDR (as mentioned above) also holds much data that could be used to reconstruct an event.

Standard Operating Procedure

The kinds of data described above could be of value to a forensics examiner. However, the next problem is how we extract the data in a forensically sound manner. Currently, there is no standard operating procedure.

What makes it digital forensics? The conventional digital forensics principles in the UK state that no data should be changed on the target system or, if system changes are unavoidable, that a qualified and experienced practitioner should perform the investigation in order to record and minimize their footprint. We can imagine how difficult this might be: the interactions between the internal computers on a vehicle are largely invisible, and because the system is so constrained, there might not even be stored information on various operations on a vehicle.

Data on a vehicle could also be very volatile. For example, turning on the ignition (if the vehicle is off) could wipe the EDR. Some car key hacks mean that keys are no longer synchronized to the vehicle (there might be a slight delay in response) – but the evidence for this disappears once the key fob button is pressed.

What Now?

The problem will only get larger and broader with the advent of self-driving cars and the amount of software that will be present on the vehicle. Current research indicates that more is needed to make the vehicle forensics-ready, and that digital forensics practitioners (especially in automotive-specific fields) are in short supply. Industry and government need to consider how these two issues might be addressed, not just to tackle crimes such as car theft, but for when the vehicle is so connected and so sophisticated that it can be used to cause mass sabotage, terror or damage.
