HackCert
Advanced 9 min read May 25, 2026

Vehicle Forensics: Extracting Digital Evidence from Smart Cars Post-Hack

Dive deep into vehicle forensics, the advanced process of extracting digital evidence from a smart car's internal computers following a cyber attack or physical accident.

Rokibul Islam
Incident Responder
Overview

The modern automobile is no longer merely a mechanical feat of engineering; it is a highly complex, rolling data center. Today’s smart cars are equipped with dozens of internal computers processing millions of lines of code, constantly communicating with GPS satellites, cloud servers, and the driver’s smartphone. While this connectivity enables autonomous driving, predictive maintenance, and advanced infotainment, it also creates a massive new frontier for digital investigations.

When a modern vehicle is involved in a severe collision, or increasingly, when it is the target of a sophisticated cyber attack, the traditional mechanical investigation is insufficient. Law enforcement, insurance investigators, and cybersecurity incident responders must turn to the highly specialized discipline of Vehicle Forensics.

Vehicle forensics is the rigorous, scientific process of identifying, preserving, extracting, and analyzing digital evidence from the internal networks and computer modules of an automobile. This article explores the complex architecture of modern vehicular networks, the primary sources of digital evidence hidden within a car, the advanced techniques used to extract this data, and the crucial role vehicle forensics plays in investigating automotive cyber crimes.

The Anatomy of a Smart Car's Network

To extract evidence from a vehicle, investigators must first understand its internal architecture. A car is not a single computer; it is a distributed network of specialized microcontrollers known as Electronic Control Units (ECUs).

A modern luxury vehicle can contain over 100 distinct ECUs, each responsible for a specific function—from engine timing and anti-lock brakes to the air conditioning and the radio. These ECUs communicate with each other continuously over internal networking protocols, the most ubiquitous being the Controller Area Network (CAN bus).

The CAN bus is the central nervous system of the vehicle. If the brake ECU detects a sudden stop, it blasts a message across the CAN bus. The seatbelt ECU receives this message and instantly tightens the belts, while the airbag ECU prepares for deployment. Because the CAN bus was designed decades ago for reliability rather than security, it lacks inherent encryption or authentication, making it a primary target for automotive hackers.

Primary Sources of Digital Evidence

When conducting an investigation, forensic analysts target three primary subsystems within the vehicle, each yielding vastly different types of data.

1. The Event Data Recorder (EDR)

Often referred to as the car’s "Black Box," the EDR is primarily focused on safety and crash metrics. It is usually integrated into the Airbag Control Module. The EDR continuously monitors the vehicle's state in a temporary loop. When a "trigger event" occurs—such as a sudden deceleration indicative of a crash or the deployment of an airbag—the EDR permanently locks the data from the 5 seconds leading up to the crash and the immediate aftermath.

Forensic Value: The EDR provides irrefutable, hard data about the physical state of the car at the moment of impact. This includes vehicle speed, engine RPM, steering angle, brake pedal application (did the driver actually hit the brakes?), and whether the seatbelts were buckled. This data is critical for reconstructing accidents and proving or disproving driver negligence.
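The "temporary loop that locks on a trigger" behaviour is easy to misread, so here is an added illustration of it in Python. It is example code written for this article, not firmware from any EDR vendor or the tool the page names; the 5-second pre-crash window comes from the text above, while the sampling rate, the post-trigger capture length, the deceleration threshold and the simulated drive are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass

PRE_CRASH_SECONDS = 5.0     # pre-trigger window the article describes
SAMPLE_RATE_HZ = 10         # assumed sampling rate (constructed for this example)
POST_CRASH_SECONDS = 0.5    # assumed post-trigger capture (constructed)
TRIGGER_DECEL_MPS2 = -20.0  # assumed deceleration that counts as a crash (constructed)


@dataclass(frozen=True)
class Sample:
    t: float            # seconds since power-on
    speed_kmh: float
    rpm: int
    brake: bool         # brake pedal applied
    accel_mps2: float   # longitudinal acceleration; negative means decelerating


class EventDataRecorder:
    """Ring buffer that is overwritten continuously until a trigger event freezes it."""

    def __init__(self):
        self.window = deque(maxlen=int(PRE_CRASH_SECONDS * SAMPLE_RATE_HZ))
        self.locked = None          # becomes a list once a trigger fires
        self.trigger_index = None   # position of the trigger sample inside `locked`
        self._post_remaining = 0

    def record(self, s):
        if self.locked is not None:
            # Already locked: only finish the short post-trigger capture, never overwrite.
            if self._post_remaining > 0:
                self.locked.append(s)
                self._post_remaining -= 1
            return
        self.window.append(s)
        if s.accel_mps2 <= TRIGGER_DECEL_MPS2:
            self.locked = list(self.window)
            self.trigger_index = len(self.locked) - 1
            self._post_remaining = int(POST_CRASH_SECONDS * SAMPLE_RATE_HZ)

    def report(self):
        """Summarise the frozen record the way an investigator reads an EDR download."""
        if self.locked is None:
            return None
        trig = self.locked[self.trigger_index]
        pre = self.locked[:self.trigger_index]
        return {
            "trigger_t": trig.t,
            "pre_trigger_start_t": self.locked[0].t,
            "samples_locked": len(self.locked),
            "speed_kmh_at_trigger": trig.speed_kmh,
            "rpm_at_trigger": trig.rpm,
            "brake_applied_before_trigger": any(s.brake for s in pre),
        }


def simulate_drive():
    """Constructed 10-second drive: cruise at 80 km/h, driver brakes at t=7.0 s, impact at t=8.0 s."""
    samples = []
    speed = 80.0
    for i in range(100):
        t = round(i / SAMPLE_RATE_HZ, 1)
        if t < 7.0:
            brake, accel = False, 0.0
        elif t < 8.0:
            brake, accel = True, -3.0
            speed = max(speed + accel * (1 / SAMPLE_RATE_HZ) * 3.6, 0.0)
        elif t == 8.0:
            brake, accel = True, -25.0       # impact: exceeds the trigger threshold
        else:
            brake, accel, speed = True, 0.0, 0.0
        samples.append(Sample(t, round(speed, 1), 2200 if speed > 0 else 800, brake, accel))
    return samples


def run_example():
    edr = EventDataRecorder()
    for s in simulate_drive():
        edr.record(s)
    return edr.report()


if __name__ == "__main__":
    print(run_example())
```

The point to notice is that everything before the trigger survives only because the buffer had not yet wrapped past it: with a 5-second window, the record starts at t=3.1 s, and the "did the driver brake?" question is answered from the pre-trigger samples, not from the impact sample itself.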

2. The Infotainment and Navigation System

The infotainment system (the large screen in the center console) is the goldmine for personal and behavioral data. Because these systems are essentially specialized computers (often running Linux, QNX, or Android Automotive), they store vast amounts of persistent data.

Forensic Value: When a driver connects their smartphone to the car via Bluetooth or USB (using Apple CarPlay or Android Auto), the car aggressively downloads and caches personal data to improve the user experience. Analysts can extract:

  • Call logs, SMS messages, and contact lists.
  • Precise GPS tracklogs (where the car has been, complete with timestamps).
  • Paired device history (MAC addresses of phones connected to the car).
  • Wi-Fi networks the car has connected to.
  • Voice command recordings.
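Of the artifacts listed, GPS tracklogs are the ones whose integrity an analyst most often has to defend, so here is an added example of parsing and validating a tracklog. It is example code written for this article, not output of any forensic product; it assumes, as a constructed premise, that the recovered log holds NMEA 0183 RMC sentences (a standard many GNSS receivers emit), and the sample lines are constructed, including one deliberately altered after its checksum was computed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

KNOTS_TO_KMH = 1.852


@dataclass(frozen=True)
class Fix:
    timestamp: datetime   # UTC, from the RMC date and time fields
    lat: float            # signed decimal degrees
    lon: float
    speed_kmh: float


def nmea_checksum(body):
    """XOR of every byte between '$' and '*', as NMEA 0183 framing defines."""
    cs = 0
    for b in body.encode("ascii"):
        cs ^= b
    return cs


def make_sentence(body):
    return f"${body}*{nmea_checksum(body):02X}"


def _coord(value, hemisphere):
    """'ddmm.mmmm' / 'dddmm.mmmm' plus N/S/E/W to signed decimal degrees."""
    dot = value.index(".")
    degrees = int(value[:dot - 2])
    minutes = float(value[dot - 2:])
    decimal = degrees + minutes / 60
    return -decimal if hemisphere in ("S", "W") else decimal


def parse_rmc(line):
    if not line.startswith("$") or "*" not in line:
        raise ValueError("not a framed sentence")
    body, checksum = line[1:].split("*", 1)
    if int(checksum, 16) != nmea_checksum(body):
        raise ValueError("checksum mismatch")
    f = body.split(",")
    if not f[0].endswith("RMC"):
        raise ValueError("not RMC")
    if f[2] != "A":
        raise ValueError("fix not valid")
    ts = datetime.strptime(f[9] + f[1][:6], "%d%m%y%H%M%S").replace(tzinfo=timezone.utc)
    return Fix(ts, _coord(f[3], f[4]), _coord(f[5], f[6]), float(f[7]) * KNOTS_TO_KMH)


def parse_tracklog(lines):
    """Return (accepted fixes, [(line number, reason)] for every rejected line)."""
    fixes, rejected = [], []
    for n, line in enumerate(lines, 1):
        try:
            fixes.append(parse_rmc(line.strip()))
        except (ValueError, IndexError) as e:
            rejected.append((n, str(e)))
    return fixes, rejected


# Constructed tracklog: two good fixes, a lost-fix sentence, a tampered sentence, a non-RMC sentence
SAMPLE_LOG = [
    make_sentence("GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W"),
    make_sentence("GPRMC,123529,A,4807.112,N,01131.210,E,030.0,085.0,230394,003.1,W"),
    make_sentence("GPRMC,123539,V,,,,,,,230394,,"),
    make_sentence("GPRMC,123549,A,4807.200,N,01131.400,E,018.0,086.0,230394,003.1,W")
    .replace("4807.200", "4807.209"),   # edited after framing: checksum no longer matches
    make_sentence("GPGGA,123549,4807.200,N,01131.400,E,1,08,0.9,545.4,M,46.9,M,,"),
]

if __name__ == "__main__":
    good, bad = parse_tracklog(SAMPLE_LOG)
    for fix in good:
        print(fix)
    for n, reason in bad:
        print(f"line {n} rejected: {reason}")
```

Recording why each line was rejected, rather than silently dropping it, is what lets the resulting track be presented with its gaps explained; a checksum failure in a recovered log is worth noting in the report even when it is just flash corruption.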

3. The Telematics Control Unit (TCU)

The TCU is the cellular modem of the vehicle. It handles all communication between the car and the outside world, connecting to the manufacturer's cloud infrastructure for over-the-air (OTA) updates, remote diagnostics, and companion smartphone apps (e.g., unlocking the car via an app).

Forensic Value: If a vehicle is hacked remotely, the TCU is almost always the initial entry point. Analyzing the TCU and the manufacturer's cloud logs can reveal unauthorized remote access attempts, anomalous API calls, or the unauthorized transmission of unlocking commands.

Advanced Forensic Extraction Techniques

Extracting data from a vehicle is significantly more difficult than imaging a standard hard drive or a smartphone. Vehicles do not have standardized USB forensic ports. Analysts must employ a tiered approach based on the vehicle's condition and the type of data required.

Logical Extraction (The OBD-II Port)

The easiest method involves connecting a specialized forensic tool (like the Berla iVe system or a Bosch CDR tool) to the vehicle's On-Board Diagnostics (OBD-II) port, located under the steering wheel. This allows the tool to send specific diagnostic commands over the CAN bus to request data from the various ECUs. This is known as a logical extraction and is generally safe and non-destructive.
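To make "send specific diagnostic commands over the CAN bus" concrete, here is an added example in Python of the standard OBD-II request and response framing that such tools use for live data. It is example code written for this article, not the Berla or Bosch tools' own logic; the addresses (0x7DF functional request, 0x7E8-0x7EF responses), the ISO-TP single-frame layout and the mode 01 PID formulas are the public OBD-II conventions, while the captured responses are constructed.

```python
OBD_REQUEST_ID = 0x7DF                  # functional (broadcast) request address
OBD_RESPONSE_IDS = range(0x7E8, 0x7F0)  # ECU responses come back on 0x7E8..0x7EF
MODE_CURRENT_DATA = 0x01

# Mode 01 PID decoders (standard formulas); d is the data after the PID echo
DECODERS = {
    0x05: ("coolant_temp_c",    lambda d: d[0] - 40),
    0x0C: ("engine_rpm",        lambda d: ((d[0] << 8) | d[1]) / 4),
    0x0D: ("vehicle_speed_kmh", lambda d: d[0]),
    0x11: ("throttle_pct",      lambda d: round(d[0] * 100 / 255, 1)),
}


def build_request(mode, pid):
    """ISO-TP single frame: [length, mode, pid] padded to the 8-byte classic CAN payload."""
    payload = bytes([2, mode, pid])
    return OBD_REQUEST_ID, payload + bytes(8 - len(payload))


def decode_response(can_id, data):
    """Decode one single-frame response into a dict; malformed frames raise ValueError."""
    if can_id not in OBD_RESPONSE_IDS:
        raise ValueError(f"0x{can_id:X} is not an OBD response id")
    if len(data) != 8:
        raise ValueError("classic CAN OBD frame must carry 8 bytes")
    length = data[0]
    if not 3 <= length <= 7:
        raise ValueError(f"invalid single-frame length {length}")
    body = data[1:1 + length]
    if body[0] == 0x7F:
        # Negative response: 7F <requested mode> <negative response code>
        return {"ecu_id": can_id, "mode": body[1], "error_nrc": body[2]}
    mode, pid = body[0] - 0x40, body[1]   # positive response echoes mode + 0x40
    if pid not in DECODERS:
        return {"ecu_id": can_id, "mode": mode, "pid": pid, "raw": body[2:].hex()}
    name, fn = DECODERS[pid]
    return {"ecu_id": can_id, "mode": mode, "pid": pid, "name": name, "value": fn(body[2:])}


# Constructed capture of what a tool would receive after polling a few PIDs
CAPTURED_RESPONSES = [
    (0x7E8, bytes.fromhex("04410C1AF8000000")),  # RPM
    (0x7E8, bytes.fromhex("03410D3C00000000")),  # vehicle speed
    (0x7E8, bytes.fromhex("0341055A00000000")),  # coolant temperature
    (0x7E8, bytes.fromhex("037F011200000000")),  # negative response to mode 01, NRC 0x12
]


def decode_capture(responses=CAPTURED_RESPONSES):
    return [decode_response(cid, data) for cid, data in responses]


if __name__ == "__main__":
    print(build_request(MODE_CURRENT_DATA, 0x0D))
    for r in decode_capture():
        print(r)
```

The request/response pair is why this method is considered non-destructive: the tool only asks, and each ECU answers from its own state. It also shows the limit the article goes on to describe, since an ECU can refuse a request with a negative response code, and anything not exposed through a diagnostic service is simply unreachable this way.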

Physical Extraction (JTAG/ISP)

If the vehicle's electrical system is completely destroyed in a crash, or if the investigator needs to access deep, hidden partitions of the infotainment system that cannot be reached via the OBD-II port, physical extraction is required.

Analysts remove the specific ECU from the wreckage, open the casing, and solder microscopic wires directly to the diagnostic test points (JTAG) or the memory chips (In-System Programming - ISP) on the circuit board. This allows the investigator to bypass the damaged operating system entirely and read the raw binary data directly from the flash memory.

Chip-Off Forensics

In extreme cases, such as a severe fire where the circuit board is melted but the memory chip is intact, analysts perform a "Chip-Off." This highly delicate procedure involves using specialized heating equipment to physically desolder the NAND flash memory chip from the motherboard. The chip is then cleaned, placed in a specialized reader, and the raw binary data is extracted for analysis.

Investigating Automotive Cyber Attacks

While vehicle forensics originated for accident reconstruction, it is now essential for investigating cyber attacks.

Relay Attacks: The most common automotive cybercrime is the theft of keyless-entry vehicles via relay attacks. Attackers use radio frequency devices to capture the signal from the owner's key fob (even if it's inside their house) and relay it to the car, unlocking and starting it. Forensics can analyze the vehicle's immobilizer and access logs to confirm that a relay attack occurred, rather than the owner simply losing their keys.

Remote Exploitation: If a vulnerability in the TCU or the infotainment system is exploited by a remote attacker (as famously demonstrated by researchers Charlie Miller and Chris Valasek on a Jeep Cherokee in 2015), forensic analysts must analyze the vehicle's internal network traffic logs. They look for anomalous CAN bus messages injected remotely that commanded the steering or braking systems.
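The hunt for "anomalous CAN bus messages injected remotely" is essentially a baseline comparison, so here is an added example in Python of one way to do it over captured bus logs. It is example code written for this article and not part of any vehicle, tool or the research it cites; it assumes logs in the candump -L text format (`(timestamp) interface ID#HEXDATA`), and the arbitration ids, payloads and both captures are constructed, so the ids mean nothing on a real vehicle.

```python
import re
from collections import defaultdict
from statistics import median

# candump -L line format: "(epoch.micro) iface ID#HEXDATA"
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_candump(lines):
    frames = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate junk lines in a partially recovered log
        frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return sorted(frames)


def build_baseline(frames):
    """Median inter-arrival period per arbitration id, learned from a known-good capture."""
    stamps = defaultdict(list)
    for ts, cid, _ in frames:
        stamps[cid].append(ts)
    baseline = {}
    for cid, ts_list in stamps.items():
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        baseline[cid] = median(gaps) if gaps else None
    return baseline


def find_anomalies(frames, baseline, spike_ratio=1.5):
    """Flag ids absent from the baseline and ids transmitting well above their normal rate."""
    by_id = defaultdict(list)
    for ts, cid, data in frames:
        by_id[cid].append((ts, data))
    findings = []
    for cid, items in sorted(by_id.items()):
        if cid not in baseline:
            findings.append({"id": cid, "reason": "unknown_id", "frames": len(items)})
            continue
        period = baseline[cid]
        if period is None or len(items) < 2:
            continue
        span = items[-1][0] - items[0][0]
        observed_rate = len(items) / span if span > 0 else float("inf")
        ratio = observed_rate * period          # 1.0 means "same rate as the baseline"
        if ratio > spike_ratio:
            findings.append({"id": cid, "reason": "rate_spike", "frames": len(items),
                             "ratio": round(ratio, 2),
                             "distinct_payloads": len({d for _, d in items})})
    return findings


def _gen(cid, period, start, count, data, t0=1700000000.0):
    """Constructed candump lines for one periodic id."""
    return [f"({t0 + start + i * period:.6f}) can0 {cid:03X}#{data}" for i in range(count)]


# Constructed captures; ids and payloads are hypothetical
BASELINE_LOG = (_gen(0x0C1, 0.010, 0.0, 100, "0000000000000000")
                + _gen(0x1A0, 0.020, 0.0, 50, "1122334455667788"))
INCIDENT_LOG = (
    _gen(0x0C1, 0.010, 0.0, 100, "0000000000000000")       # legitimate sender keeps its cadence
    + _gen(0x0C1, 0.001, 0.2005, 100, "FF00000000000000")  # burst of conflicting frames on the same id
    + _gen(0x1A0, 0.020, 0.0, 50, "1122334455667788")
    + _gen(0x3FF, 0.050, 0.5, 3, "DEADBEEF")               # id never seen in the baseline
)


def analyse(baseline_lines=BASELINE_LOG, incident_lines=INCIDENT_LOG):
    baseline = build_baseline(parse_candump(baseline_lines))
    return find_anomalies(parse_candump(incident_lines), baseline)


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
```

Two signals carry most of the weight here: an id that never appears in a clean capture of the same vehicle, and a known id whose message rate roughly doubles while carrying two competing payloads, which is the signature of a second sender contending with the real ECU. Because CAN frames carry no sender identity, timing and payload consistency are often the only evidence available, which is why a known-good capture from the same car is the first thing to secure in these investigations.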

The Future Challenges

Vehicle forensics faces significant hurdles. There is an extreme lack of standardization; every manufacturer uses proprietary operating systems, encrypted file formats, and unique hardware architectures. A forensic tool that can parse the data from a 2026 Tesla may be completely useless on a 2026 Ford.

Furthermore, as manufacturers move towards heavy encryption of data both at rest (within the ECUs) and in transit (across the CAN bus), forensic analysts face the same "Going Dark" challenges currently plaguing smartphone investigations.

Key Takeaways

The era of purely mechanical accident investigation is over. The modern vehicle is a rolling digital witness, silently recording immense amounts of data regarding its location, its operational state, and the personal habits of its occupants.

Vehicle Forensics is the highly technical discipline required to interrogate this digital witness. Whether it is proving the exact speed a vehicle was traveling at the moment of a fatal collision, uncovering the digital tracks of an organized car theft ring utilizing relay attacks, or investigating a sophisticated remote hack over the cellular network, the ability to successfully extract and analyze automotive digital evidence is an absolutely critical capability for modern law enforcement, incident responders, and the cybersecurity industry at large.

Ready to test your knowledge? Take the Vehicle Forensics MCQ Quiz on HackCert today!
