Automotive forensics is an emerging science that includes the fast acquisition of data and the in-depth analysis of vehicle components. It aims to answer questions about a specific scenario involving vehicles, such as an accident or a crash site.
The purpose of automotive forensics is to assist with accident investigations or warranty claims analysis. Manufacturer defects or parts failure can sometimes be the cause of accidents, although some data suggest that in almost 80% of the cases, accidents arise from driver failure.
The ultimate goal of automotive forensics is to give information about the six W's: Who, why, where, when, what, and how. Until a few years ago, automotive forensics focused mainly on the analysis of the physical damage developed before and after an accident. By adopting an inverse engineering approach, forensic investigators can determine the causes by starting from the consequences of an accident.
The transition to digital data
The tremendous technological development of the car industry over the last few years translates into vehicles being equipped with software, connectivity devices, and backend services. Modern cars store a wealth of digital information, such as locations, routes, and personal data.
With the increase of computer- and software-based components in vehicles, automotive forensics has therefore transitioned to the digital world, and digital forensic investigation of vehicles is starting to play a relevant role in the resolution of security incidents.
Cars are equipped with buses, the internal communication network that connects components inside the vehicle. Typical electronic modules are Engine Control Unit (ECU), Transmission Control Unit (TCU), and Anti-lock Braking System (ABS).
There are two common types of automotive forensic analysis. One is “live forensics”, where data are acquired from a running system, such as an up and running vehicle. This approach allows the extraction of volatile data from the system. However, there is a risk of data loss or corruption of evidence.
In “post-mortem forensics”, by contrast, all systems are shut down and only persisted data is acquired. The risk of corrupting forensic evidence is lower, although volatile memory data can no longer be acquired.
What do we learn from automotive forensics?
A key prerequisite for any forensic analysis is data collection. There are different acquisition methods relevant to automotive forensics. Online acquisition utilizes software-based techniques for the fast acquisition of available data (e.g., log files, volatile RAM contents).
Offline acquisition, by contrast, is performed with the vehicle sub-components switched off and can include desoldering of logic boards. This method is more time-consuming due to the preparation and disassembly procedures.
Typically, there are five classes of data used in automotive forensics:
- Firmware – the software installed on an ECU. It incorporates the car’s operating system
- Communication data – all data transmitted both inside the vehicle and from the vehicle to any other receiver. It includes on-board entertainment services
- User data – any information related to the interaction of a user (driver or passenger) with the vehicle. This includes data transmitted from connected devices (smartphones) or the infotainment system, such as phone books and call logs
- Safety-related data – about the safety state of the vehicle and its components, such as seat belt status, airbag deployment, vehicle motion, and travel speed
- Security-related data – provides information regarding potential misuse or manipulation of the vehicle. Examples are the Diagnostic Trouble Code (DTC) entries or security monitoring like Intrusion Detection System (IDS).
The forensic process and its challenges
The automotive forensic process can be divided into four phases. The first one is “forensic readiness”, which evaluates if cost-efficient forensic investigations are feasible. This phase checks the availability of potential log sources, tools, and technologies to extract information.
Secondly, in the “data acquisition” phase, relevant data is collected by using the interfaces and communication methods identified in the first phase. This can be GPS data if the position of a car should be of interest, or the infotainment system and its related components if a leak of personal data is the subject of the investigation. Data is duplicated and original data gets stored in a tamper-proof way.
The third phase is “data analysis”. Reproducibility of the analysis results is a key factor. Finally, the “documentation” phase produces a report for the intended audience in a human-readable form.
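One way to carry out the duplication and integrity steps of the acquisition phase, so that later analysis can be reproduced against a known hash (an added example, not taken from the article or its sources; the function names, file names and sample dump are assumptions). The stored original is set read-only and hashed, the working copy is verified against it, and each custody record is chained to the hash of the previous one so an edited record is detectable.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):  # streams, so large dumps need not fit in RAM
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def log_event(log, action, examiner, path):
    """Append a custody record chained to the previous record's hash."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "action": action,
             "examiner": examiner, "file": os.path.basename(path),
             "sha256": sha256_file(path), "prev": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry

def log_is_intact(log):
    """True if every record still hashes correctly and links to its predecessor."""
    prev = "0" * 64
    for e in log:
        if e["prev"] != prev or e["entry_hash"] != _entry_hash(e):
            return False
        prev = e["entry_hash"]
    return True

def acquire(source, evidence_dir, examiner):
    """Store the original read-only, make a working copy, verify the hashes match."""
    os.makedirs(evidence_dir, exist_ok=True)
    original = shutil.copyfile(source, os.path.join(evidence_dir, "original.bin"))
    os.chmod(original, 0o444)  # analysis tools never write to the original
    working = shutil.copyfile(original, os.path.join(evidence_dir, "working.bin"))
    log = []
    a = log_event(log, "acquired", examiner, original)
    b = log_event(log, "working-copy", examiner, working)
    if a["sha256"] != b["sha256"]:
        raise ValueError("working copy differs from original")
    return original, working, log

def demo():  # constructed 4 KiB stand-in for an ECU flash dump, not real evidence
    src = os.path.join(tempfile.mkdtemp(), "ecu_dump.bin")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 16)
    return acquire(src, src + ".case", "examiner-1")
```

The chain detects edited or reordered records but not removal of the newest ones, so the latest `entry_hash` should also be recorded somewhere the examiner cannot alter.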
On-board computer and infotainment systems are the main sources of digital evidence that can be used to support automotive forensics. Nevertheless, the mobile devices of the driver and the passengers in vehicles are also essential to investigators, in particular the data from text messages, web search histories, and GPS.
However, very often first responders on an accident scene, for instance, a fatal vehicle crash, are not well prepared to identify or secure digital evidence. Similarly, it may not be clear to them how digital evidence should be used, nor do they have the right knowledge to recognize the need to seize digital evidence associated with vehicles.
More effort is therefore needed in training those who should ensure sources of evidence are identified and secured before the arrival of expert forensic investigators.
Another challenge is the complexity and variety of systems in vehicles, which complicates forensic investigations. A modern car can contain 20 or more electronic modules, each with its own configuration and its own interactions with the others.
Currently, automotive forensics is still a relatively niche sector, but there is an increasing number of specialized companies that are developing skills and expertise, and it is expected that automotive forensics will play a more significant role in the near future.