Chip and Board Level Digital Forensics of Cummins Heavy Vehicle Event Data Recorders 2020-01-1326
Crashes involving Cummins powered heavy vehicles can damage the electronic control module (ECM) containing heavy vehicle event data recorder (HVEDR) records. When ECMs are broken and data cannot be extracted using vehicle diagnostics tools, more invasive and low-level techniques are needed to forensically preserve and decode HVEDR data. A technique for extracting non-volatile memory contents using non-destructive board level techniques through the available in-circuit debugging port is presented. Additional chip level data extraction techniques can also provide access to the HVEDR data. Once the data is obtained and preserved in a forensically sound manner, the binary record is decoded to reveal typical HVDER data like engine speed, vehicle speed, accelerator pedal position, and other status data. The memory contents from the ECM can be written to a surrogate and decoded with traditional maintenance and diagnostic software. The research also shows the diagnostic trouble codes from the ECM are preserved. In other words, the digital forensic technique of extracting memory contents through the in-circuit debugging port does not introduce any new fault codes. Cryptographic hashing of the forensic binary data provides a mechanism to verify the original digital forensic record. Finally, the decoding for the HVEDR binary record is presented so investigators can decode the forensic record without the need for a surrogate ECM. The techniques in this paper provide a new method for extracting data from heavy vehicle ECMs.