The Role of Vehicles in Digital Forensic Investigations: A Structured Synthesis of Digital Vehicle Forensic Characteristics
Pith reviewed 2026-06-30 05:06 UTC · model grok-4.3
The pith
Digital vehicle forensics investigations can be structured around eight characteristics derived from literature, standards, and practice.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The paper claims that digital vehicle forensics can be understood, planned, and communicated through a conceptual framework built on eight characteristics of vehicle systems plus a triage procedure that accounts for an adversarial view and explicit documentation of constraints.
What carries the argument
The eight characteristics (multiple users, massively networked, cyber-physical system, dependencies between components, functional data, safety implications, accessibility, and limited abstraction) that structure the characteristic-driven triage procedure for evidence source selection and correlation.
If this is right
- Investigators gain a systematic way to prioritize evidence sources while respecting volatility, accessibility, safety, integrity, and authorization constraints.
- The framework supports explicit documentation of assumptions, limitations, and potential failure cases during triage.
- An adversarial perspective can be integrated into planning to anticipate challenges in evidence handling.
- The approach provides a shared structure for communicating DVF processes across technical, legal, and safety stakeholders.
Where Pith is reading between the lines
- The framework could be tested by applying it to a set of real-world vehicle incident cases and checking whether the eight characteristics consistently guide source selection without gaps.
- Similar characteristic sets might be derived for other cyber-physical domains such as medical devices or industrial control systems to see if the approach generalizes.
- The triage procedure could be implemented as a checklist or decision tree in forensic software tools to measure improvements in documentation completeness.
Load-bearing premise
The eight characteristics extracted from the reviewed academic literature, standards, and practitioner sources are sufficient to cover the essential constraints and features of digital vehicle forensics in practice.
What would settle it
A documented vehicle investigation or case study in which the triage procedure misses a critical evidence source because it falls outside the eight characteristics, resulting in incomplete or invalid forensic outcomes.
Original abstract
Modern vehicles are cyber-physical, networked systems that may contain valuable digital traces for accident reconstruction, crime investigation, warranty analysis, and cybersecurity incident response. However, digital vehicle forensics (DVF) remains less mature than computer, mobile, and cloud forensics because relevant data is distributed across in-vehicle components, mobile devices, manufacturer back ends, third-party services, and physical evidence. This article addresses this gap through a structured synthesis of academic literature, standards, and practitioner-oriented sources. First, we define DVF as the identification, preservation, acquisition, verification, interpretation, and reporting of vehicle-related digital evidence under safety, legal, privacy, and forensic-soundness constraints. Second, we formalize the DVF triage problem as the selection and correlation of evidence sources subject to volatility, accessibility, safety, integrity, and authorization constraints. Third, we explain how eight characteristics were derived from the literature and case material: multiple users, massively networked, cyber-physical system, dependencies between components, functional data, safety implications, accessibility, and limited abstraction. Finally, we add an adversarial perspective and a characteristic-driven triage procedure that helps investigators prioritize evidence sources while documenting assumptions, limitations, and failure cases. The resulting contribution is not an algorithmic performance claim; it is a reproducible conceptual framework for understanding, planning, and communicating DVF investigations.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript presents a structured synthesis of digital vehicle forensics (DVF) literature, standards, and practitioner sources. It defines DVF as the identification, preservation, acquisition, verification, interpretation, and reporting of vehicle-related digital evidence under safety, legal, privacy, and forensic-soundness constraints; formalizes the DVF triage problem as selection and correlation of evidence sources subject to volatility, accessibility, safety, integrity, and authorization constraints; derives eight characteristics (multiple users, massively networked, cyber-physical system, dependencies between components, functional data, safety implications, accessibility, limited abstraction) from the reviewed material; and proposes a characteristic-driven triage procedure incorporating an adversarial perspective to prioritize evidence sources while documenting assumptions, limitations, and failure cases. The central contribution is framed as a reproducible conceptual framework rather than an algorithmic performance claim.
Significance. If the framework holds, it supplies a reproducible conceptual tool for understanding, planning, and communicating DVF investigations in a domain where relevant data is distributed across in-vehicle components, mobile devices, manufacturer back ends, and third-party services. The synthesis approach, explicit derivation of the eight characteristics, and emphasis on documenting assumptions and failure cases are strengths that support utility for investigators. The paper correctly positions its contribution as non-algorithmic, which aligns with the nature of the synthesis.
major comments (1)
- [Abstract] Abstract: the eight characteristics are described as derived from the reviewed academic literature, standards, and practitioner sources, yet the manuscript supplies no independent validation, cross-check against held-out cases, or demonstration that the set is complete or non-redundant. Because the utility of the characteristic-driven triage procedure for prioritizing evidence sources in practice rests on the sufficiency of this set, the assumption is load-bearing for the central claim and requires either additional support or an explicit limitations discussion.
minor comments (1)
- [Abstract] Abstract: the claim that the framework is 'reproducible' would be strengthened by a brief indication of how the derivation steps from sources to characteristics are made transparent and replicable.
Simulated Author's Rebuttal
We thank the referee for their constructive review and for recognizing the manuscript as a conceptual framework derived from synthesis. We address the single major comment below.
Referee: [Abstract] Abstract: the eight characteristics are described as derived from the reviewed academic literature, standards, and practitioner sources, yet the manuscript supplies no independent validation, cross-check against held-out cases, or demonstration that the set is complete or non-redundant. Because the utility of the characteristic-driven triage procedure for prioritizing evidence sources in practice rests on the sufficiency of this set, the assumption is load-bearing for the central claim and requires either additional support or an explicit limitations discussion.
Authors: We agree that an explicit limitations discussion is needed. As a structured literature synthesis, the eight characteristics were derived directly from the reviewed academic literature, standards, and practitioner sources; the work does not include independent empirical validation, cross-checks against held-out cases, or formal completeness proofs, as these would require a separate empirical study outside the paper's scope. We will revise the manuscript to add a dedicated limitations subsection that (1) describes the derivation process and source selection criteria, (2) states that the set is not claimed to be exhaustive or non-redundant, and (3) notes that the framework's practical utility depends on the representativeness of the reviewed material. This addresses the load-bearing assumption without overstating the contribution.
Revision: yes
Circularity Check
No circularity; framework is external synthesis with no self-referential reductions
The paper's derivation chain consists of defining DVF from external constraints, formalizing triage as a selection problem, extracting eight characteristics explicitly from reviewed academic literature/standards/practitioner sources, and adding an adversarial perspective plus procedure. No equations, fitted parameters, or self-citations appear; the eight characteristics are stated as derived from outside material rather than defined in terms of the framework itself. The central claim of a reproducible conceptual framework therefore rests on external synthesis and does not reduce by construction to its own inputs.