U S L A W www.uslaw.org FALL/WINTER 2015

With rapid technological advancementin the connected vehicle realm, it is incred-ibly likely that investigators are missing outon digital evidence that could potentiallymake or break their cases. Vehicles havegone from simply a mode of transportationto essentially a computer on wheels. Storedwithin a vehicle’s infotainment and telem-atics systems is a substantial amount of userdata (generally from a paired smartphone),navigation data and recorded vehicleevents. A newer vehicle can potentially re-veal far more than a few seconds of crashdata. Depending on the system, days, weeks,or even months of data could be sitting,waiting to tell the story of what really hap-pened. Because the concept of vehicle sys-tem forensics is quite new, many are stillunaware of the capabilities, and importantdata often never sees the light of day. A vehicle has the potential to becomea star witness – if one understands how tocommunicate with it. Many people in the digital forensicsand accident investigation communities –including police officers, insurance adjus-tors, investigators, examiners, reconstruc-tionists and attorneys – are aware that thereare numerous modules within a vehicle,many of which are known data sources andmany others that could be capable of

recording data. The major roadblock is thatthey are unsure of what exactly that newdata is and how to find and extract it. Although infotainment and telematicssystems have been supplied in many passen-ger vehicles since about 2008, little attentionhas been given to them in the accident inves-tigation community until now. Why the sud-den attention? Word is getting out about theenormous amount of data that infotain-ment/telematics systems are capable of stor-ing. It is a common misconception thatinvestigators can get the full range of data offa system simply by calling a dealer or manu-facturer and using their proprietary tool.Certainly, some data might be retrieved, butthe most effective route is to perform aforensic “deep-dive” of the system when pos-sible. Before we review specific recoverabledata types, let’s answer a few questions.

WHAT IS AN INFOTAINMENT SYSTEM? The word “infotainment” is a combina-tion of the words “information” and “enter-tainment.” In short, the infotainmentsystem is what connects the operator totheir digital world and is the central hubwithin the vehicle. Through the infotain-ment system, the user can do things such as:sync their phone to take advantage of

hands-free calling and texting, listen to themusic stored on their phone, possibly accessweather information, satellite radio, or evensocial media apps directly. Examples of in-fotainment systems include Ford SYNC,Toyota Entune, Chrysler UConnect, BMWConnectedDrive, etc.

WHAT IS A TELEMATICS SYSTEM? Telematics is the integration oftelecommunication and information, and itis embedded into the vehicle. The system fa-cilitates requests to and from the infotain-ment system; the user does not directlyinterface with the telematics system.Telematics is used for vehicle to infrastruc-ture (V2I) communication, and vehicle tovehicle (V2V) communication. For exam-ple, in V2I communication, if the infotain-ment system receives an input to turn theseat heater on, that request is then passedon to the telematics system. For vehiclesthat incorporate V2V communication, sen-sors detect when a vehicle comes within acertain distance of another. The system willthen respond with an alert that gets the driv-ers attention; the alert could be in the formof a sound, a flashing light, a vibration ofthe steering wheel, etc. What data is stored on these systems?The data set is both system-and phone-de-

VEHICLE SYSTEM FORENSICS

Introducingyour new star

witness

Anthony D. Cornetto, III, P.E S-E-A, Ltd.Ben LeMere and Carly McGee Berla Corporation

U S L A W www.uslaw.org FALL/WINTER 2015

pendent, but here is a general list of infor-mation that can potentially be found:User Data:• Connected devices• Bluetooth connections• Wi-Fi connections• Call logs• Contact lists• SMS Messages• Emails• Pictures• Social media feeds

Navigation Data:• Recent destinations• Saved locations• Tracklogs• Trackpoints• Waypoints

Vehicle Event Data:• Headlights on/off• Door Open/Close• Gear changes• Connections to/disconnections from

Bluetooth and Wi-Fi• Connections and disconnections of mo-

bile devices and other media (USB drive,SD card, etc.).

If the system includes a navigation unit,many of these artifacts will include a time-stamp and geolocation data. Such data canbe especially helpful to investigators as theyare trying to assemble a detailed timeline ofevents. In order to retrieve this valuable data,specialized hardware and software is re-quired. Berla Corporation has developed aforensic tool kit solution called iVe that cur-rently supports 4,300 vehicles, and that listis growing quickly. Currently supportedmanufacturers include BMW, Buick,Cadillac, Chevrolet, Chrysler, Dodge, Fiat,Ford, GMC, Hummer, Jeep, Lincoln,Maserati, Mercury, Pontiac, Ram, SRT,Saturn, Toyota and Volkswagen. The method by which information isextracted varies by make. Some systems re-quire partial disassembly, some systems re-quire very little disassembly and somesystems require no disassembly at all. Thesoftware includes a detailed guide to iden-tifying, removing, and acquiring data fromspecific modules. Regardless of the methodneeded, the solution is completely non-de-structive. The vehicle can be put back to-gether easily and it will start and run exactlylike it did prior to the procedure. The soft-ware allows a computer to connect to the ve-hicle system and retrieve data usingforensically sound methods and best prac-tices. Essentially, the tool creates a copy of

the data (called a forensic image) and theexaminer works off of that copy. This way,there is no risk of alteration or damage tothe original data. The forensic image is au-tomatically parsed by the software andstored on a computer so it can be easilyviewed, searched, bookmarked, graphed,reported, etc. It is also important to notethat many vehicles can record data for days,weeks, or even months depending on fre-quency of use and the amount of memorywithin the system. This is in comparison tothe mere seconds of data recorded on mostEDR tools. There is obvious value in having thistype of data as part of an accident investiga-tion. Since the software is only about twoyears old, most of the cases in which it hasbeen used are still in progress and specificexamples are not available. However, thereare several success stories from investigatorsin the field who have agreed to share underthe condition that any identifying detailsare omitted. GPS data from vehicle navigation sys-tems have been used on numerous occa-sions to determine a vehicle’s pre-impactspeeds and positions. User data from the in-fotainment system was used by investigatorsto show that a driver sent a text message justbefore a vehicle collision, consistent withdistracted driving. Another case involvedthe wife of a prominent person in the com-munity claiming that she accidentally ranover her husband, but event logs were ableto show that her automatic transmission ve-hicle shifted into reverse and then intodrive again. Combined with a biomechani-cal analysis of the injuries, the data showedthe possibility that she ran over him twice,deliberately. A home invasion suspectclaimed that he was alone during the com-mission of a crime, but inspection of the in-fotainment system showed the passengerside door opened at the house’s GPS coor-dinates. Historically, headlights incorpo-rated incandescent light filaments, whichcan deform upon impact if in use. This al-lowed for post-accident analysis to deter-mine whether headlights were in use at thetime of impact. Today, most new vehicles in-corporate light emitting diodes (LED),which do not sustain the same type of defor-mation. However, data from a vehicle’stelematics system can be used to determinethe position of a vehicle’s headlight switchat the time of the accident. These are just a few scenarios in whichdata from the infotainment system couldmake or break a case. Often, this invaluabledata goes to waste because investigators arenot aware that it exists, or they suspect it ex-ists but are unsure of how to retrieve it.

Consumers demand more and more con-nectivity and capabilities within their vehi-cles, to the tune of an estimated 220 millionconnected cars on the road by the year2020. Vehicle system forensics is the way ofthe future, but is very relevant and very pos-sible right now for those who want to stayahead of the curve. Berla also offers hands-on training ses-sions in Vehicle System Forensics to fully un-derstand the capabilities of the systems,hardware and software necessary to obtainvehicle data. Several members of S-E-A’s en-gineering staff have attended Berla’s train-ing and have been certified in VehicleSystem Forensics. If you have any questionsregarding infotainment/telematics systemsand/or vehicle system forensics, please con-tact Mr. Cornetto at 410-766-2390 or Ms.McGee at cmcgee@berla.co / 443-333-9301.

Anthony D. Cornetto, III,P.E is a licensed, mechani-cal engineer at S-E-A, Ltd.where he is responsible formanaging and conductingthe investigation andanalysis of accidents in-volving vehicles, pedestri-

ans, industrial equipment, and mechanicalsystems and equipment failures. He received hisMaster of Science and his Bachelor of Sciencein Engineering Science and Mechanics fromVirginia Tech.

Ben LeMere is the CEOand co-founder of BerlaCorporation. He is a widelyrecognized subject matter ex-pert in digital forensics,GPS forensics and vehiclecybersecurity, with morethan 15 years of militaryand federal government

service. Under Ben’s leadership, Berla supportsthe DoD, Homeland Security and LawEnforcement communities while also beginningto establish roots in the commercial realm.

Carly McGee is a digitalforensic analyst and mar-keting coordinator at BerlaCorporation. She is an in-structor of iVe andBlackthorn, Berla’s vehiclesystem forensics and GPStools. She has been in the

digital forensics field for about four years andis also a life-long car enthusiast. She contributesto and edits blog content, technical reports andliterature.