Unlocking the Road Ahead - Automotive Digital Forensics

37c3 talk I was able to share my insight on automotive digital forensics at the 37c3 in Hamburg. The video is coming soon. It will be published on media.ccc.de. Link to the slides Abstract The importance and relevance of vehicles in investigations are increasing. Their digital capabilities are rapidly growing due to the introduction of additional services and features in vehicles and their ecosystem. In this talk on automotive digital forensics, you will embark on a journey through the cutting-edge world of automotive technology and the critical role digital forensics plays in this domain. We will explore the state-of-the-art methods and tools to investigate modern vehicles, shedding light on forensic experts’ significant challenges. ...

December 27, 2023 · 576 words · Me

Defense in depth through combination of MITRE ATT&CK™, MITRE D3FEND™, and NIST SP 800-53

Defense and detection in depth I have given a presentation at the Ninth EU MITRE ATT&CK® Community Workshop on June 2, 2022 on this topic. Recordings are not available. However, you can find the presentation on the workshop website. The MITRE ATT&CK™ framework is used by SOCs (Security Operation Center), CERTs (Computer Emergency Response Team), and various other security teams in different organizations. It enables the description of tactics and techniques of various threats. The framework gives organizations the ability to determine an attacker’s current position in their attack and predict possible future moves. In addition, several tools use MITRE ATT&CK™ to provide a common vocabulary and naming of tactics and techniques. ...

June 2, 2022 · 798 words · Kevin Gomez Buquerin

Securware Tutorial 2021: Automotive Forensics - A Hands-on Showcase

Automotive Forensics - A Hands-on Showcase Abstract Modern vehicles are increasingly part of automotive forensics investigations. In addition, modern vehicles are getting more complex and connected at the same time. So there should be enough data that we can use in investigations, right? Well, it's not that easy! In this tutorial, I will present automotive, digital forensics, and automotive digital forensic fundamentals. We will require those to solve an actual case. Yes, we will conduct a forensic investigation together! In this case, we will go through all options while analysing evidence items that got handed to us as automotive forensic investigators. ...

November 15, 2021 · 169 words · Kevin Gomez Buquerin

Identification of Automotive Digital Forensics Stakeholders

Identification of Automotive Digital Forensics Stakeholders Abstract New technologies and features emerging in modern vehicles are widening the attack surface for malicious tampering. As a result, security incidents including vehicles are on the rise. Automotive digital forensics investigations allow resolving such security incidents. This paper presents a stakeholder-based reference model for automotive digital forensics. It is essential to focus on stakeholders to provide the best possible automotive digital forensics investigation for them. We identified twelve distinct stakeholders relevant to automotive digital forensics and assigned them to the vehicle life-cycle’s relevant phases. Furthermore, the stakeholders’ questions for forensics investigations and their resources get analyzed. We created a Venn diagram to highlight differences and similarities between the stakeholders. ...

November 5, 2021 · 137 words · Kevin Gomez Buquerin

Structured methodology and survey to evaluate data completeness in automotive digital forensics

Structured methodology and survey to evaluate data completeness in automotive digital forensics Abstract The collection and analysis of potential evidence in digital forensic investigations is a challenging task that made its arrival in the automotive domain. It is accompanied by increasingly complex in-vehicle components with high diversity in used technologies and a wide range of external interconnections — which raises the question of what sources of information in which formats are even available for any analysis. The main contribution of this paper is an answer to this question as well as a cross-domain methodology to validate the completeness of the results in a structured way. We introduce a three-step process. It starts with a brainstorming session to create an initial basis of knowledge in a specific area of research. In a second step, system archaeology analyses are employed to establish an advanced knowledge base stemming from design documents and similar resources. The second step widens and deepens the knowledge and provides means to evaluate the quality of the brainstorming session results. The third step establishes expert analyses. Relevant automotive digital forensics stakeholders (e.g., OEMs, suppliers, etc.) were interviewed to collect information from expert groups and evaluate both initial phases. Based on this analytical, syntactic, inductive, and systematic research method, we offer a complete perspective for a specific area of research. The presented methodology is implemented to identify a complete set of data formats in automotive digital forensics. We conducted an online survey to evaluate data formats and tools in digital forensics with 56 experts participating and identified a total of 60 different data formats used in this domain. ...

October 11, 2021 · 854 words · Kevin Gomez Buquerin