Paul Henry

Digital Forensics - Automotive Infotainment and Telematics Systems

May 1, 2017

Powerful Features

There is a huge range of features now controlled / enabled by current generation automotive infotainment and telematics systems (Figure 1 — Source), including but not limited to:

  • Digital radio
  • Satellite (GPS) navigation
  • Bluetooth connectivity (the vehicle has its own phone number that SMS messages can be sent to and some systems will even read your SMS text messages to you)
  • Audio player — on CD, MP3, USB or Bluetooth
  • Internet access (Hotspot) — enables web browsing for multiple passengers via an in-built Wi-Fi connection, and can also provide real-time traffic updates for GPS navigation systems
  • Satellite TV tuners — for passengers or for everyone as long as the car is parked
  • Cameras — an array of cameras literally showing a bird's-eye view of the car, making maneuvering in tight spaces even easier than ever before
  • Screen mirroring — wirelessly connect mobile devices to the automobile and mirror its user interface on the car's larger touchscreen

Figure 1

As automotive infotainment and telematics systems evolve and become more powerful, the value of the historical data they contain from an evidence perspective grows as well.

Automotive Infotainment and Telematics Systems Are Not Crash Data Recorders

It is important to understand that automotive infotainment and telematics systems are not the same as crash data recorders (CDR) or event data recorders (EDR). In a CDR, safety sensor data such as brake position, speed, steering wheel position and airbag deployment is recorded at high frequency, but only for a matter of seconds leading up to a crash. In an automotive infotainment and telematics system, data is collected primarily from non-safety-related components (e.g. speed and coordinates from GPS), at a lower frequency but for a substantially longer time period. Hence, while CDR systems can determine a point of impact, an automotive infotainment and telematics system can perhaps show the longer-term driving habits of the vehicle's driver.

Abundant Information but Difficult to Get To

While there is an abundance of available information, vendors of automotive infotainment and telematics systems have not made it easy to acquire. The forensic product vendor Berla (https://berla.co/) uses various methods to extract the data. To get to the data, one must use Berla's iVe kit, which is composed of iVe software and hardware components for accessing numerous systems from various automakers (e.g. Ford, GM, FCA, BMW, Toyota, and Volkswagen, to name a few). For some systems it is as simple as plugging a USB or on-board diagnostics (OBD-II) cable from the iVe kit into a system running the iVe desktop application and walking through the on-screen steps for performing an acquisition. For some other supported systems, an iVe device interface board (DIB) from the kit is attached to the infotainment/telematics module's PCB as outlined in the in-app instructions. The DIB is then connected to a computer running the iVe application, as well as the kit's power supply (for certain modules). Depending on the particular type of system being acquired, iVe will offer the option for either a physical image, logical image, or both. For certain modules, one must also remove the protective solder mask from certain pads on the module's PCB prior to connecting the DIB, though a scratch pen is included in the iVe kit, and instructions with photos showing the specific pads to scratch are included in the application.

It's the Wild Wild West All Over Again

It is also important to note that a CDR has a definitive government requirement (CFR-2011-title49-vol6-part563) that defines not only what data is to be stored but also the format in which that data is stored. In contrast, infotainment and telematics system vendors are all over the map regarding what data is stored and how and where it is stored. Furthermore, specifically what data is stored can vary from one vehicle model to another, even when the same system appears present in two different vehicles. This requires the forensic tool developer to have a deep understanding of the data structure for each vendor's product as well as for each car model in order to be effective. It reminds the author of the early days of mobile device forensics.

The following is a broad example of available data types for iVe-supported systems. Any given manufacturer's system will have a select subset based on features present for that particular system. The data stored may also vary based on the vehicle's use, actions of the occupant(s), which features were used, etc. The types of data stored can also change when a given manufacturer updates the firmware of a system.

To see if a particular vehicle is supported, and what information may be available on the system, use the iVe supported vehicle lookup on Berla's website. The lookup is also included in the iVe application itself.

Vehicle / System Information

  • Serial Number
  • Part Number
  • Original VIN Number
  • Build Number

Installed Application Data

  • Weather
  • Traffic
  • Facebook
  • Twitter

Connected Devices

  • Phones
  • Media Players
  • USB Drives
  • SD Cards
  • Wireless Access Points

Navigation Data

  • Tracklogs and Trackpoints
  • Saved Locations
  • Previous Destinations
  • Active and Inactive Routes

Device Information

  • Device IDs
  • Calls
  • Contacts
  • SMS
  • Audio
  • Video
  • Images
  • Access Point Information

Events

  • Doors Opening/Closing
  • Lights On/Off
  • Bluetooth Connections
  • Wi-Fi Connections
  • USB Connections
  • System Reboots
  • GPS Time Syncs
  • Odometer Readings
  • Gear Indications

Oh My! Guess What I Found on eBay?

Figure 2

An eBay seller was parting out a wrecked 2015 Silverado pickup truck (Figure 2), including its infotainment system, an NG 2.0 HMI module (Figures 3, 4 and 5).

Figure 3

Figure 4

Figure 5

Primary Components in the NG 2.0 HMI

  • Micron Technology N2M400JDB341A Flash - eMMC NAND, 32GB
  • Renesas uPD35003-LN6 SoC - Tri-Core ARM11, 400MHz, w/ 2D/3D Graphics Functions & Peripherals Support
  • Alps Electric UGKZ2-201A Bluetooth / WLAN Module - Bluetooth V2.1+EDR, IEEE 802.11b/g/n, Automotive
  • Micron Technology MT41J512M8RA-15E AIT:D SDRAM - DDR3-1333, 4Gb, 1.5V- (Qty: 2)
  • Epson AP-6110LR Inertial Sensor - 6-Dof, 3-Axis Gyroscope Plus 3-Axis Accelerometer, Analog Output
  • Spansion S29GL512S100DHA02 Flash - NOR, 512Mb, 100ns, 65nm
  • SMSC OS81092AM MOST Bus Controller - 50 Mbps, Automotive
  • Texas Instruments DS90UR905QSQ Serializer - FPD-Link II, 24-Bit Color, Up to 65MHz, Automotive

Let's Acquire Some Data

Preparation for acquisition (Figure 6) involves scratching insulating material away from specific PCB pads, as specifically outlined in iVe's instructions, to permit connectivity with the PC board traces. The fiberglass scratch pen has strands that tend to come apart during the removal process, so gloves and safety glasses are highly recommended. The iVe DIB is then connected to the PCB. Proper alignment of the DIB pins on the PCB is critical.

Figure 6

The PCB is powered with the variable power supply (Figure 7) that is included in the iVe kit. It is important to ensure the voltage is adjusted to 12V prior to connecting the leads to the PCB power connector.

Figure 7

The iVe application includes an acquisition wizard to walk the user through each step for setting up the acquisition.

The iVe DIB is connected to the computer running iVe, and power is applied. After successfully testing the hardware connections by clicking the 'Detect' and 'Test' buttons (Figure 8) in the software, the acquisition can be started. For the HMI module, iVe allows for a logical image to be acquired.

Figure 8

Once extraction has completed, analysis can be performed, and reports can be generated. iVe's data export functionality supports .csv, tab-delimited, and .kml for GPS data, and reports can be exported in HTML or PDF format.

Below is some of the data collected by iVe for the HMI device in this test.

Attached Devices (Figure 9)

Figure 9

SMS Messages (Figure 10)

Figure 10

Call Logs (Figure 11)

Figure 11

Contacts (Figure 12)

Figure 12

Device Events (Figure 13)

Figure 13

Voice Recordings (Figure 14)

Figure 14

Carved Files (Figure 15)

Figure 15

Music (Figure 16)

Figure 16

Summary of HMI Device

  • No crash data but good data to establish habits and patterns of the driver
  • Examples of available historical data included
    • Calls
    • SMS
    • Some GPS Information
    • Media (e.g. Music)
    • Connected Devices
    • More Can Possibly Be Parsed from Recovered DB Files

Another Visit to eBay

We already imaged an NG HMI so this time I was looking for an OnStar Gen 9 device to analyze (Figure 17).

Figure 17

Primary Components of OnStar Gen 9

  • Micron Technology N2M400JDB341A Flash - eMMC NAND, 32GB
  • Renesas uPD35003-LN6 SoC - Tri-Core ARM11, 400MHz, w/ 2D/3D Graphics Functions & Peripherals Support
  • Alps Electric UGKZ2-201A Bluetooth / WLAN Module - Bluetooth V2.1+EDR, IEEE 802.11b/g/n, Automotive
  • Micron Technology MT41J512M8RA-15E AIT:D SDRAM - DDR3-1333, 4Gb, 1.5V- (2)
  • Epson AP-6110LR Inertial Sensor - 6-Dof, 3-Axis Gyroscope Plus 3-Axis Accelerometer, Analog Output
  • 6-Layer - FR4, Lead-Free
  • Spansion S29GL512S100DHA02 Flash - NOR, 512Mb, 100ns, 65nm
  • SMSC OS81092AM MOST Bus Controller - 50 Mbps, Automotive
  • Texas Instruments DS90UR905QSQ Serializer - FPD-Link II, 24-Bit Color, Up to 65MHz, Automotive

Let's Acquire Some Data

As with the previous acquisition, the iVe DIB is attached to the PCB and the computer running iVe. The variable power supply is tested to ensure it is set at 12V before connecting it to the PCB power connector. The step-by-step acquisition wizard in the iVe software is followed to begin the data extraction (Figure 18). iVe allows for a physical extraction on the OnStar Gen 9.

Figure 18

Below is some of the data collected by iVe for the OnStar Gen 9 device.

Attached Devices (Figure 19)

Figure 19

SMS Messages (Figure 20)

Figure 20

Call Logs (Figure 21)

Figure 21

Contacts (Figure 22)

Figure 22

Locations (Figure 23)

Figure 23

Power Events (Figure 24)

Figure 24

GPS Tracking (over 5000 entries in one-second intervals — Figure 25)

Figure 25

Summary of OnStar Gen 9 Device

  • No crash data but good data to establish habits and patterns of the driver
  • Tons of historical data
  • Calls
  • Tons of GPS information including over 5000 tracking entries in one-second intervals detailing speed, distance and GPS coordinates
  • Connected devices
  • More can possibly be parsed from recovered DB files
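
The one-second GPS tracking entries described above (speed, distance and coordinates) are the kind of data that iVe's .csv export makes available for analysis outside the tool. The following is an added example, not code from the original post or from Berla: it splits such a track into trips and flags points where the recorded speed and the coordinates disagree. The column names, the UTC timestamps and the sample rows are constructed assumptions, not iVe's actual export layout.

```python
import csv
import io
import math
from datetime import datetime

# Constructed sample export. Column names and layout are assumptions for this
# example; they are not iVe's actual CSV schema.
SAMPLE_CSV = """timestamp_utc,lat,lon,speed_kmh
2017-04-01T08:00:00,42.00000,-83.00000,72
2017-04-01T08:00:01,42.00018,-83.00000,72
2017-04-01T08:00:02,42.00036,-83.00000,72
2017-04-01T08:00:03,42.00054,-83.00000,72
2017-04-01T17:30:00,42.10000,-83.00000,72
2017-04-01T17:30:01,42.10018,-83.00000,72
2017-04-01T17:30:02,42.10036,-83.00000,72
2017-04-01T17:30:03,42.10500,-83.00000,72
"""

EARTH_RADIUS_M = 6371000.0

def load_points(text):
    """Parse rows into (datetime, lat, lon, recorded speed) tuples, in file order."""
    rows = csv.DictReader(io.StringIO(text))
    return [(datetime.fromisoformat(r["timestamp_utc"]), float(r["lat"]),
             float(r["lon"]), float(r["speed_kmh"])) for r in rows]

def haversine_m(p, q):
    """Great-circle distance in metres between two trackpoints."""
    lat1, lon1, lat2, lon2 = map(math.radians, (p[1], p[2], q[1], q[2]))
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def split_trips(points, max_gap_s=300):
    """Start a new trip on a gap longer than max_gap_s or a backwards timestamp."""
    trips = []
    for pt in points:
        if trips and 0 <= (pt[0] - trips[-1][-1][0]).total_seconds() <= max_gap_s:
            trips[-1].append(pt)
        else:
            trips.append([pt])
    return trips

def trip_distance_m(trip):
    """Sum of segment lengths between consecutive trackpoints."""
    return sum(haversine_m(a, b) for a, b in zip(trip, trip[1:]))

def speed_mismatches(trip, tol_kmh=15.0):
    """Flag segments where recorded speed and coordinate-derived speed disagree."""
    flagged = []
    for a, b in zip(trip, trip[1:]):
        dt = (b[0] - a[0]).total_seconds()
        if dt <= 0:  # duplicate timestamp: no speed can be derived
            flagged.append((b[0], None, b[3]))
            continue
        derived = haversine_m(a, b) / dt * 3.6
        if abs(derived - b[3]) > tol_kmh:
            flagged.append((b[0], round(derived, 1), b[3]))
    return flagged

if __name__ == "__main__":
    for n, trip in enumerate(split_trips(load_points(SAMPLE_CSV)), 1):
        print(n, trip[0][0], trip[-1][0], round(trip_distance_m(trip), 1),
              speed_mismatches(trip))
```

A flagged segment (here the last point of the second trip, which jumps roughly 500 m in one second) is a data-quality question to resolve before the track is used to describe where or how fast the vehicle was driven.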

In Closing

  • No crash data but tons of historical data that can potentially show details of driver's habits prior to a crash
  • Your "mileage may vary" as to exactly what can be recovered, partially depending on how the vehicle was used and what features and actions the occupant(s) employed
  • Big difference between HMI and OnStar devices as far as available data goes, though that is by design, as the latter is intended primarily for telematics functions rather than infotainment
  • Also data recoverable may depend on specific implementation for a given car model
  • There is no clearly defined data standard for vehicle infotainment and telematics systems
  • Very much like the early days of mobile device forensics
  • Crash forensics using Bosch does use the US government standard CFR-2011-title49-vol6-part563 - more on that later in a future blog post
  • Though the above tests covered only GM systems, iVe supports numerous makes, including Ford, GM, FCA, BMW, Toyota, and Volkswagen
  • Support for more and more vehicle makes and models is constantly being added to iVe
  • Using the supported vehicle lookup on Berla's website will help determine whether a specific vehicle is currently supported in iVe