Recovery of Partial Caterpillar Snapshot Event Data Resulting from Power Loss 2016-01-1493
Recovery of snapshot data recorded by Caterpillar engine control modules (ECMs) using Caterpillar Electronic Technician (CatET) software requires a complete snapshot record that contains information gathered both before and after an event. However, if an event is set and a crash ensues, or a crash creates an event, then it is possible for the ECM to lose power and not complete the recording. As such, the data may not be recoverable with CatET maintenance software. An examination of the J1708 network traffic reveals the snapshot data does exist and is recoverable. A motivational case study of a crash test between a Caterpillar powered school bus and a parked transit bus is presented to establish the hypothesis. Subsequently, a digital forensic recovery algorithm is detailed as it is implemented in the Synercon Technologies Forensic Link Adapter (FLA). A series of tests with different Caterpillar ECMs was conducted where simulated speeds were varied while disconnecting power to the ECM at specified times. The timing thresholds for complete event recordings were determined. A comparison of the results obtained from the FLA and CatET show the forensic data extraction process of the FLA is reliable even if an ECM suffers a power loss shortly after an event is triggered.