Vehicle Systems Forensics

CEIC 2015 Student Session Series: Vehicle Systems Forensics

CEIC 2015

Students from Champlain College and the Leahy Center for Digital Investigation (LCDI) attended multiple training sessions while at the Computer Enterprise Investigation Conference (CEIC) 2015. Students Zachary Reichert, Hunter Gregal, and Daniel Puckowski present some highlights from the Vehicle Systems Forensics session.


In this blog, we’ll be discussing a talk given by Ben LeMere at CEIC 2015 that discussed the basics of vehicle system forensics for investigators. The Scientific Working Group on Digital Evidence (SWGDE) provides valuable information for best practices for digital evidence, mobile phones, vehicle systems, GPSs, and the cloud, and was passed along to us during the presentation. The website is a good place to start for guidelines on conducting any investigation.

Vehicle Forensics

LeMere discussed two main components to a vehicle that could possibly hold forensic artifacts: the infotainment system and the telematic system. The infotainment system is the system that the user or driver interacts with. This is normally the nice screen in the center stack where the passenger/driver connects their phone to the car via bluetooth, play music, etc.

The telematics system is not typically a visible part of the car. This is a separate system, normally comprised of a little box up front. For example, if a user wants to update Facebook or play music, the telematics system will go out and interact with Facebook or Pandora. Unlike mobile phones which can be unveiled every few months, a new telematics system comes out every three to four years.

Many people like the idea of having their phone accessible via their car for making phone calls or syncing contacts. Many cars hold information about a user’s mobile phone after it has been connected. When a user connects their phone to Bluetooth, phone calls, contacts, SMS messages all get synced to the car. When they connect over a cable file system, meta-data such as file names and timestamps get collected. This actually occurs with any mass storage device plugged into the car. A user can say no to the syncing of call logs or contacts, but often times the car will then go ahead and pull SMS messages or data that it did not ask about. Most people do not realize that this syncing also carries over to rental cars.

An example of how all of this might work more seamlessly in the future is seen in the promotional video produced by AT&T titled “Connected Car Vision 2014.” As noted in the presentation, the systems we interact with in our increasingly connected cars represent a collaborative effort between several different industries and industry leaders–from software giants like Apple and Google, to wireless providers such as AT&T and Verizon streaming all of our data in the car, to the actual car manufacturers vying for our interest.

With close to 70 electronic control units (ECUs) throughout the car, the car can log information such as the time and coordinates from when a car door is open. Airbags, seatbelts, and tail lights all are connected to an ECU. These ECUs are then connected to each other through a network within the car, which could be a viable attack vector for controlling a car remotely. This was actually done by a project funded by DARPA in the video “Watch DARPA Hackers Take Control Of A Toyota Prius.”   There is also a high speed network which controls the gas, brakes, and similar functions. In many new models, there are no longer wires connecting the pedal and the throttle body. Once you step on the pedal, the ECU essentially sends a “packet” to the throttle body over the CAN bus telling the car to accelerate. Most new vehicle models have 3 or so CAN bus networks, which are key networks.. Note that these CAN bus networks have been “standardized”–the implementations between cars are very similar–and these standards may be purchased from the International Organization for Standardization (ISO). Owning a copy of these standards may help in a forensic investigation involving a car.

The vendor of has gone from supporting 8 to 400 to now 4,000 different vehicles. These are some of the highlights from the session, but LeMere went into great depth on vehicle forensics, and we would highly recommend this Guidance Software session!


You can read more on the classes Champlain College students attended while at CEIC 2015 on the LCDI Blog Page.  To read about current LCDI information visit our website at

 LCDI TwitterLCDI Facebook



More Conferences & Events
Leahy Center Thrilled to be Celebrating Ten Year Anniversary!
Windows Store and Apps Analysis – MUS2019
Internet of Things at Magnet User Summit 2019