Balancing Digital Forensic Investigation with Cybersecurity for Heavy Vehicle Traffic Crashes

Abstract

AbstractAfter a traffic crash event, traffic crash investigators collect evidence and data to assist in reconstructing the events to determine crash causation. Some of the data collected in a crash investigation is in the form of digital data from event data recorders built into the electronic control units in the vehicles. Occasionally, traffic crashes are severe enough to destroy the typical network‐based communications protocols to extract the digital forensic data. In these cases, more invasive techniques of gathering forensic data through in‐circuit programming ports or direct reading of data bearing memory chips is needed. While a digital forensic investigation satisfies a virtuous need for society in determining the truth of a traffic crash, the same techniques can be applied by nefarious actors interested in stealing intellectual property (IP) from the same data bearing chips. The exposure of the executable binary containing the IP of the manufacturer has prompted auto makers and suppliers to eliminate access to these sources of digital forensic data by disabling the Joint Task Action Group (JTAG) instrumentation and obfuscating or encrypting the binary data. Herein lies the purpose of this paper, which is to take a systems engineering approach to balance the needs and requirements for a manufacturer to provide sufficient forensic artifacts in the case of an investigation while improving their cybersecurity posture and limiting their exposure to the theft of intellectual property or cyberat‐tack.An activity diagram is presented to show a system model for responding to and investigating a crash event. These activities inform the needs of an improved event data recorder technologies that contain information necessary to reconstruct the crash. Some proposed top level system requirements are presented with a discussion of how they satisfy the needs of the manufacturer and the crash investigator. Specific requirements of recorded data give a notion of a minimal set of recorded data to help investigators. These requirements will improve both the availability and adequacy of forensic data needed for crash event reconstruction. In addition, a separate requirement governing the preservation of Original Equipment Manufacturer (OEM) proprietary software is made, such that their intellectual property is protected to encourage the requirement compliance. Finally, a discussion of how the proposed requirements help determine if a crash event was a result of a cyber‐attack demonstrates the important nature of addressing these needs in future systems.