Vehicle Discovery – The Nuts and Bolts of Useful Data

DIGITAL MOUNTAIN’S GUEST CONTRIBUTORS BEN LEMERE AND CARLY MCGEE OF BERLA CORPORATION

The information stored within a vehicle’s infotainment system can be substantial enough to make or break a case. Unfortunately, many attorneys, litigation support staff members and investigators do not know that useful data is stored within a vehicle system, or perhaps they have a suspicion but have not been properly trained on how to acquire that data or know where to turn for expert assistance.

Newer vehicles are essentially computers on wheels. Vehicle manufacturers now team up with software development companies and communication companies to provide the occupants a seamless connection to their digital worlds. Also, similar to a computer, a vehicle records logs of events that happen on the vehicle’s system.

Both user data and vehicle event data can be extracted from vehicles. Examples of user data include call logs, contacts, text messages, navigation data, and names of connected devices, along with the Media Access Control (“MAC”) address of those devices. A MAC address is a series of unique numbers and letters that identifies hardware. This can be incredibly useful in discovery for tracking down a specific system.

Examples of vehicle event data include doors opening and closing, parking lights turning on and off, devices being connected or disconnected, and transmission shifts (park, neutral, drive, reverse, etc.). As an extremely helpful bonus, all of these types of data come accompanied by a time and date stamp, as well as geolocation data if the vehicle has a navigation system. The most frequently seen operating systems on vehicles are QNX (Blackberry), Microsoft Auto, or a proprietary Linux-based system. QNX already has over 50% market share in the automotive sector. Manufacturers make decisions regarding OS and infotainment system implementation, and that decision is pushed through to all of its brands. For example, Ford has MyFord Touch. Lincoln is a Ford brand, but Lincoln’s infotainment system is called MyLincoln Touch and has a different look to the user interface. Despite these differences, both infotainment systems have the same OS and same hardware.

The method to extract data varies depending on the vehicle, which is why proper training is crucial. Sometimes the process is invasive, and sometimes it isn’t. Such tools as Berla’s forensic tool iVe is designed so that all examinations are non-destructive. The vehicle will look and perform exactly how it did prior to the acquisition.

The term “black box” tends to come to mind for many folks when they think of vehicle forensics. The literal black box is what contains the infotainment or telematics module (black boxes can house many different types of modules depending on the vehicle). It’s generally an outdated term, but still a relevant concept. Modern vehicle forensics builds on the idea of a “black box” and extends to include infotainment systems, telematics systems, and vehicle network communication.

Ben LeMere is the CEO and Co-Founder of Berla Corporation. He is a widely-recognized subject matter expert in digital forensics, GPS forensics and vehicle cybersecurity, with more than 15 years of military and federal government service. Under Ben’s leadership, Berla supports the DoD, Homeland Security and Law Enforcement communities while also beginning to establish roots in the commercial realm.

Carly McGee is a Digital Forensic Analyst and Marketing Coordinator at Berla Corporation. She is an instructor of iVe and Blackthorn, Berla’s vehicle system forensics and GPS tools. She has been in the digital forensics field for about four years and is also a life-long car enthusiast. She authors, contributes to and edits blog content, technical reports and literature.