Vehicle Digital Forensics – Part 2
Posted on 14th August 2017, by Pete Deane
Earlier this year I wrote a blog on raising the awareness of Vehicle Digital Forensics for investigators of Serious and Complex Crime / Road Traffic Collisions. As one of a very small group of people that are currently looking at this area I thought I would follow up having now had some first-hand experience in this field. This blog continues to raise awareness of this area for investigators rather than give technical information surrounding the methodologies used to extract the data and how the systems work.
Shortly after writing the first blog I attended some formal training from one of the global providers of specialist hardware and software capable of acquiring data from infotainment modules. The training was useful for several reasons. Not only did this training give me the tools I needed to use the provider’s equipment, it also gave an insight into the different varieties of infotainment units and the technology behind them. It enabled me to learn a new area of digital forensics and the elements of the vehicle’s systems as to how some of this data is being captured. It has also enabled me to understand what systems are potentially fitted to certain vehicles under the same manufacturer’s umbrella and therefore identify supported modules that on the face of it may appear unsupported. This allows me to give people who enquire about this area as part of their investigations a) a more definitive answer on support and b) what data types are likely to be recovered from that particular unit and therefore whether it is a worthwhile option to carry out an examination. Successful completion of this training has also meant I have some credibility when dealing with people that may wish to consider its use and the courts if the data were to be used in evidence.
Following on from the training I was immediately asked if I could look at a vehicle by a UK police force which had been involved in a serious offence. As is the case with all that I am about to discuss, the investigations are live so I am unable to provide any specifics. A Senior Investigating Officer wanted to be certain they had captured all available investigative data from the vehicle and had been told by the manufacturer that anything further to what he had was unavailable. This proved to be incorrect as we were able to examine the vehicle and its infotainment module and by using a variety of methods acquired useful investigative data that the SIO and investigation team were previously unaware of. The course came in useful here as identifying the module and its location within the vehicle and more importantly how to access it had been covered and made life a little simpler on this part of the job. The results yielded further lines of enquiry and intelligence to support other facets of the investigation. Some of this information could be corroborated by other sources which I feel is important at this stage as much of this data that is being extracted is unvalidated at present, something I will touch on later. I have always maintained and still do that this area of work requires a hybrid of skills and one of course is the digital forensic aspect. Together with the experts that support me in this field we compiled a report to evidence this process and that we feel is fit for purpose for the needs of this particular investigation.
Prior to doing this I sought advice from other professionals in this field across the country; some are still to answer me and others had not encountered the need for evidencing it yet. I am speaking to a number of national agencies in law enforcement to ensure there is a common approach to this type of work and subsequent reporting / presentation of evidence. Considering the lack of any known practices or formats I decided to formulate my own methods and write policy on this subject as to how this practice should be recorded and presented for any court cases. I am speaking with barristers for their take on it and trying to engage with other agencies such as CPS and senior police officers but there seems to be little known knowledge of the subject or of cases that have weaved their way into the system to date. If anybody is reading this blog that has some take on this area then please feel free to contact me. I do not wish to be in contradiction of what others are doing; equally, if you are also scratching your head then I am open enough to discuss this with you.
The second case I was approached for was specifically to try and determine a wanted person’s whereabouts by his recovered vehicle. To see whether there were other known locations he may frequent in order to locate him and arrest him for serious offences as he was considered a risk. Despite the likelihood of this type of data not being available on the infotainment module subject to the enquiry there were some aspects of it that may have given the information indirectly by utilising one piece of data that was obtainable and then carrying out other investigations with that data. This is something investigators need to be mindful of: they see that sat nav data is unsupported but there may be other data sources that are available to identify locations. Some people call this thinking outside the box and that is what you have to do with vehicle digital forensics.
This acquisition of data was problematic to say the least and where we expected to find data to take us to the next step it was not present so other methods had to be adopted in order to work around the absence of required data to move to the next stage. This is down to vehicle manufacturers protecting their brand and shall we say putting obstacles in our way. Eventually we managed to acquire data from the module but on this occasion, it did not yield the data required for the locations. This is where this area of investigation is problematic because the area is so new it is not known what can and cannot be extracted and ultimately when examining a device blind (as in you do not know what has happened to the device to say that data may even be there – such as if nobody has ever plugged a phone into the module then there will be no device attached even though it may be reasonable to expect it to have been connected) you do not know until you try. What we are doing though is building up a knowledge base of what we are seeing and this will enable us to provide a better guide at the outset of an investigation to know whether it is worthwhile pursuing this option. In this case despite there being no location data to assist we were able to say the vehicle was moving on a particular date and time (with no location) which may be useful in some cases. We were also able to recover details of devices connected to the vehicle and a lot of call data with contacts which is information the investigation team did not have for the offences they are investigating in relation to why the person was wanted. This is available in spreadsheet format for easy analysis.
The third case we have recently completed has been very lucrative with different data types and we have seen track logs every second for some journeys the vehicle has been making. This provides us with GPS data along with speed and bearing. Linked to this data are other vehicle events such as harsh braking and acceleration, doors opening and closing and gear shifts. This is clearly a treasure trove of data for investigators and one I would have craved for in the past in some of my investigations. The speed data from the infotainment module is more than what you will see in crash data from a vehicle’s EDR in that it will show a more comprehensive picture of events before, during and after a collision and supplement that EDR data creating a stronger timeline of events giving a clearer picture than with EDR data alone. This case is ongoing and we are still working on the data acquisition so I cannot say too much more other than I know this is the most data types we have seen that is of use to serious crime and serious collision investigations.
What is a huge learning point for investigators that are dealing with these vehicles and is something I cannot stress enough is that we are seeing lots of activity on the vehicles when they are being examined and this is effectively writing new data to the module that could be overwriting event data from the time of the offences under investigation. There is a way around this and again it is a matter of writing policy which we have done in order to provide a robust mechanism for the court process if required.
What follows for me now is some testing and validating of the data we are extracting from modules and this will involve carrying out known operations with a vehicle and then downloading to ensure what is happening in the real world is happening on the device when we extract it so we have some form of validation. This is a difficult area with seized vehicles for live investigations as the data cannot / should not be altered pending examination by any defence.
The current problem within this field at the moment in addition to the validation is what do we do when we have a vehicle that is not supported by the commercial product? I have had a number of investigators come to me with vehicles and want the exact same data we have extracted for a different module for their vehicle subject to their investigation however the vehicle is not supported. This happens more often than not at present as such is the landscape in this field and perhaps why we have not seen such a huge take up from law enforcement in the investment of such products. I cannot deny that this is an issue and is nationally with people I speak to across the UK. Well there are a number of other methods that we can try and I am not going to list them all here as it is very much dependent upon the investigation needs and what is exactly required from the vehicle. However there are other ways to extract data from modules but the problem being is the sheer number of them on the market from different manufacturers and it is being able to understand each one and what can be obtained from these other methods. As part of ongoing research I am in the process of getting hold of modules from vehicles that are both supported and not supported by the commercial product in order to carry out other methods of extraction. If anybody is reading this and knows of anybody in a position to let me have some modules from cars that may be written off from collision damage etc then I would be grateful to hear from anybody as we are willing to take them and test research the modules in the lab.
I have had a number of police forces show an interest in this area and am pleased to report that I am going in to speak at three forces in the north of England to do an overview in more detail than what is reported here with staff to again raise awareness and be the linchpin between the investigators and the data extractions. If you are reading this and based within law enforcement and would like to learn more or have staff apprised then please get in touch on the usual channels.
So in summary and to close this brief update on the landscape as I see it at present; we have made a start, there is extremely useful data to be extracted from a vehicle’s infotainment module and some makes and models of vehicles that are involved in serious crime / collision investigation should not be ignored. There is limited support with the commercial product but more makes and models are being supported as time rolls by. There are other ways around unsupported vehicles and research is continuing from my perspective to develop this, however there are some other standard things we can do that are being overlooked in a lot of cases. Validating and robustly checking the extracted data is key to any successful use of it standalone in a court case, hence further work in this area to validate what we are seeing in the downloads.