An effective automotive forensic technique utilizing various logs of Android-based In-vehicle infotainment systems

Abstract

Android-based In-vehicle infotainment (IVI) systems generate log message containing valuable forensic artifacts from interactions with internal or external devices. These log messages can help in vehicle accidents or criminal investigations; however, there is limited knowledge of the stored information and the methods of accessing them. In addition, digital forensic analysis of the Android-based IVI systems is not supported by the popular forensic tool, Berla's iVe. To address this, we first acquire multiple types of logs from three Jellybean-based systems (2017-2019) and two KitKat-based IVI systems (2022-2023) using a practical and non-invasive method, and then perform a comprehensive and comparative analysis of the logging mechanisms in the IVI systems. We then examine volatile and nonvolatile log data acquired from the IVI systems from the perspective of vehicle forensics. Jellybean-based systems maintain seven ring buffers for volatile logs, while KitKat-based systems use five. Volatile logs are erased when the system is powered off. Both versions of the Android systems store nonvolatile log files of seven different types, with data retained for up to a year. We conducted a thorough analysis of the acquired logs, uncovering artifacts related to navigation use, radio listening, engine start/stop, door access, seat belt use, and Bluetooth connections, including phone calls and SMS messages. In addition, we compare the artifacts identified within those IVI systems. Finally, our analysis creates a timeline to track driver behavior, and provides critical insights into driver actions and vehicle events.