Tallinn University of Technology

Authors: Andrew Roberts, TalTech Centre for Digital Forensics and Cyber Security analyst and Pavel Tšikul, TalTech Centre for Digital Forensics and Cyber Security early stage researcher

In 2014, 19.1 million crimes were committed in the U.S. Of this number 95% involved mobile phones and 80% involved vehicles. Due to the connected nature of modern vehicles, automotive digital forensics is a burgeoning source of evidence for criminal cases and accident investigation.

As drivers and passengers of vehicles, very few us consider how our behaviour and interactions are captured and recorded by our vehicle. Understanding how digital forensic investigation is conducted on vehicles is important both for your awareness and understanding how law enforcement use the digital properties of vehicles as a source of evidence.

What is Automotive Digital Forensics?

Automotive forensics is a branch of digital forensics relating to recovery of digital evidence or data stored in automotive modules, networks and messages sent across operating systems. The aim of automotive forensics is to provide evidence to support criminal cases, root-cause analysis and accident investigation.
In Estonia, the Estonian Forensic Sciences Institute (EKEI) provide automotive digital forensic services to the Estonian Police.

How does your vehicle store information?

The easiest way to understand how your vehicle transmits and stores information is to understand how you interact with your vehicle. When you start your vehicle with an electronic of physical key you interact with the on-board diagnostics (OBD-II) port. This port is the interface between the outside world or the vehicle as you see it (steering wheel, air conditioning) and the in-vehicle systems. The OBD-II port communicates using communication networks such as Local Interconnect Network (LIN), Controller Area Network (CAN) bus, FlexRay and Media Oriented Systems Transport (MOST). These networks connect with Electronic Control Units (ECU) which are microcontrollers that operate functions such as body control, engine control and telematics. The Event Data Recorder (EDR) and insurance black-box are two crucial automotive components for the forensic investigator. The EDR is continually recording information from the telematics and overwriting information about your journey. In case of accident or faults the recording is stored and the EDR data is able to be extracted. Some vehicles also have Video EDR’s which record footage from a camera on the dashboard.
A connected vehicles infotainment and telematics systems provides a wealth of information for digital forensic investigators. When you connect with your smart phone to your vehicle’s infotainment system, often using bluetooth, you enjoy the use of functionality from playing music through Spotify, using navigation apps, such as Waze, hands-free calling and playing or recording videos or images. You may also insert media players, USB drives and SD cards into the infotainment head unit. These connections transmit information such as phone related information (SMS messages, call logs and contacts), music files, image files, user voice profiles, car information, previously connected devices (through the Bluetooth MAC addresses of paired devices)) and wireless access points. The telematics system stores navigation data such as saved locations, previous destinations and track data. If navigation applications are built-in, then geolocation and timestamp data will be available. This information is stored, depending on the age and model of the infotainment system, either on a hard drive or a SD card contained within the infotainment system. Some newer model vehicles allow the ability to connect via applications such as Android Auto, Alexa Auto and Apple CarPlay.


Source: Skoda SmartLink

Self-driving, automated vehicles such as TalTech’s ISEAuto and Starship Technologies delivery robots are more advanced in that they use sensors and intelligent algorithms to assume the driving function of the vehicle. Machine vision creates 3D models of the environment from LiDAR sensors and cameras. The automated navigation of the vehicle is controlled within the logic contained in automotive software platforms such as Autoware through pre-programmed routes on maps or GNSS navigation and algorithmic constraints such as maximum speed levels and braking at a pre-determined distance before an identified obstacle. Communications through 4G/5G technology and wireless infrastructure are crucial for Vehicle to Vehicle (V2V) and Vehicle to Infrastructure (V2X) communication. V2V is the communication network of the automated, self-driving car to communicate with other automated vehicles to inform each other of information such as speed, location, direction of travel. V2X comprises the automated, self-driving vehicle communicating with smart city infrastructure such as connected traffic lights, stop signs, and parking meters. The data from self-driving, automated vehicles can be stored as logs in the cloud, local storage, and within each of the sensors and smart city platforms it interacts with.


Source: TalTech ISEAuto, Blog 3/4: Building the Bus

How do Law Enforcement Conduct Digital Forensic Investigation on Vehicles?

The aim of the forensic investigator is to retrieve data and develop an event timeline to provide an accurate picture of the criminal activity or accident to legal authorities. The first step will be to understand the evidence source. This includes the original equipment manufacturer (OEM), make, model, architecture, software and physical components. A strategy will then be developed to determine what techniques and tools can be used to retrieve the data from the vehicle and how to achieve this without contamination or destruction of the data or physical vehicle component. Considerations that a digital forensic specialist needs to weigh are the amount of resources (personnel, funding, time) willing to devote to the investigation based on the degree of the crime. In vehicular forensics this is especially important as data extraction of the EDR and ECUs will require physical dismantling of the vehicle. For small scale crimes this may not be worth the effort.
The infotainment and telematics systems often provide the best source of data retrieval based on this criterion. Law enforcement use commercial products and providers such as Berla iVe and Envista forensics to gain data from infotainment (phone and connected device data), telematics (navigation data) and GPS (location data). These commercial products structure the retrieved data in an event timeline for the convenience of forensic investigators.


Source: Backlight Forensic Application with Berla iVe, Event timeline

Law enforcement can also work with the OEM to gain access to the EDR and ECUs. An OEM, such as Mercedes or BMW, retains proprietary tools for maintenance and troubleshooting that can access these systems. EDR data is used in criminal proceedings to prove drivers were speeding or purposely took driving decisions that caused damage, injury or fatality.

For self-driving, automated vehicles, recent cases in the United States involving accidents with Tesla and Waymo self-driving vehicles have demonstrated the use of code reviews and reverse engineering of automation logic as crucial for root-cause analysis. In 2016, a Tesla Model S, automation assisted vehicle, (The driver is still required to take control of the wheel) crashed into a truck, killing the driver. Reverse engineering of automation logic and sensor’s provided the root-cause as inability of the Telsa camera’s to recognise the Trucks trailer, due to positioning and its white colour. This resulted in the Tesla not initialising the brakes. This forensic investigation led Tesla to improve the implementation of its radar system.


Automated transportation platforms are one of the five areas of focus for the Smart City Centre of Excellence in Tallinn. To safely and effectively use automated transportation, Estonia need to build capability in digital forensics and cyber security to secure these connected platforms. Opportunities to build these skills are already available in Estonia and include the TalTech Summer School 2020 which is focussed on cyber security for transportation, the Master of Cyber Security program at TalTech and University of Tartu that offers forensic courses in the areas of network, systems, mobile, IoT, secure software design, and legal aspects. Digital Forensic skills are also able to be obtained in scenario-driven training available from Estonian companies; RangeForce, Guardtime and CyberExer. The European Horizon 2020 Project ECHO will also provide the ability for users to develop their skills using cyber ranges that simulate digital forensic scenarios across multiple sectors: transportation, medical, energy. Possible future careers include in Estonian Police and Border Guard, Estonian Forensic Sciences Institute and innovative self-driving, automated vehicles manufacturers; MILREM Robotics, Starship Technologies and Cleveron.

The article was published in Edasi.org in January 2020.