This invention relates generally to systems, apparatuses and methods for retrieving data from an event data recorder (“EDR”) of a motor vehicle. More specifically, the invention relates to systems, apparatuses and methods for extracting the data and storing the extracted data in a forensically sound manner.
Modern vehicles often have event data recording capabilities built into different electronic control modules (“ECMs”) of the vehicle. Whether integrated into an existing ECM or working as a standalone device, EDRs may contain information of importance to help answer legal questions. In these cases, the data must be extracted and preserved in a forensically sound manner. As of yet, data captured from these devices may not be preserved in a forensically sound way. Furthermore, a cumbersome process is needed to gather EDR information, especially from heavy trucks (see, e.g., William Messerschmidt et al., Minimizing the Risk of Losing Valuable Forensic Data When Downloading the Electronic Control Modules (ECMs) of Heavy Commercial Vehicles (2011), available from Messerschmidt Safety Consultants; Timothy Austin and William Messerschmidt, Electronic Control Module Field Guide (January 2010 ed.), available from Harris Technical Services; Plant et al., Data Extraction Methods and their Effects on the Retention of Event Data Contained in the Electronic Control Modules of Detroit Diesel and Mercedes-Benz Engines, SAE Paper 2011-01-0808). The data extraction process uses original equipment manufacturer (“OEM”) software designed for maintenance, not forensic use. The most common way to access the EDR and its data is through the vehicle network, using a vehicle diagnostic adapter (“VDA”) that interfaces a PC with the vehicle.
There are three main methods for downloading event data from ECMs when they cannot be accessed through the vehicle network: reprogramming harness, surrogate vehicle download, and a passive interface system (see e.g. Boggess et al., A New Passive Interface to Simulate On-Vehicle Systems for Direct-to-Module (DTM) Engine Control Module (ECM) Data Recovery, SAE Paper 2010-01-1994).
Use of a reprogramming harness involves disconnecting the vehicle harness and then connecting the reprogramming harness, which is powered by an external power source, directly to the ECM. The problem with this method is that it almost always creates new fault codes which are completely unrelated to the crash or event of interest. Depending on the ECM, these new fault codes can overwrite previous fault codes that may have had useful data.
A surrogate vehicle download requires that the ECM be removed from the subject vehicle; placed into an undamaged, substantially similar vehicle; and then downloaded using the in-cab diagnostic connector. This method is reliable, but finding a suitable surrogate vehicle can be difficult and expensive. In practice it is feasible only for large fleets of similar vehicles, and even then the opportunity cost of taking the surrogate vehicle out of service can be considerable.
The passive interface system is a specialized custom-configured device built using either actual truck components, simulated truck components or both. The interface system simulates the normal connections between a vehicle and an ECM and does not create new fault codes when the ECM is being downloaded. This method is limited to the truck configuration which the box is designed to simulate and is expensive because of the cost of the truck components used to build the box.
Data read from the ECM are interpreted by the original equipment manufacturer's software and usually saved on a general-purpose host computer running a Windows operating system. These data file formats are neither encrypted nor protected by a verifiable hash. As such, the data can be manipulated after they are obtained from the ECM without the manipulation being detected. Furthermore, the ECM may be put back into service, which means the original digital record is no longer available for comparison. Consequently, there is no rigorous method available to verify the authenticity and integrity of the ECM data, other than having agreements in place between the parties before the download occurs.
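The gap described above is the absence of a verifiable integrity record for the extracted files. The following is an added example, not code from the original application or from any OEM tool, of the minimum a forensic examiner would wrap around an OEM download: a per-file SHA-256 digest list bound to case metadata under a keyed MAC. A bare hash is not enough on its own, since whoever edits a file can recompute it; the MAC key (here a constructed byte string, and in practice a digital signature or a third-party timestamp) is what makes the record verifiable by someone other than the person who made it. The file contents and case information are constructed in memory so the example runs offline.

```python
"""Integrity manifest for files extracted from a vehicle ECM/EDR.

Added example. Assumes the OEM software has already written the download to
ordinary files; here the files are constructed in memory. The HMAC key stands
in for an examiner-held signing key and is an assumption of this example.
"""
import hashlib
import hmac
import json

HASH_ALG = "sha256"


def sha256_hex(data: bytes) -> str:
    return hashlib.new(HASH_ALG, data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic JSON so the MAC is reproducible on another machine.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_manifest(artifacts: dict, examiner_key: bytes, case_info: dict) -> dict:
    """Hash every extracted file and bind the digests and case metadata under an HMAC.

    `body` is the record; `mac` authenticates it against later editing.
    """
    body = {
        "case": case_info,
        "hash_alg": HASH_ALG,
        "files": {name: {"size": len(data), "digest": sha256_hex(data)}
                  for name, data in sorted(artifacts.items())},
    }
    mac = hmac.new(examiner_key, canonical(body), "sha256").hexdigest()
    return {"body": body, "mac": mac}


def verify_manifest(artifacts: dict, manifest: dict, examiner_key: bytes) -> list:
    """Return a list of problems; an empty list means the file set verifies."""
    problems = []
    body = manifest["body"]
    expected = hmac.new(examiner_key, canonical(body), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        problems.append("manifest MAC mismatch: manifest was altered or key is wrong")
    listed = body["files"]
    for name in sorted(set(listed) | set(artifacts)):
        if name not in artifacts:
            problems.append(f"{name}: listed in manifest but missing")
        elif name not in listed:
            problems.append(f"{name}: present but not in manifest")
        elif sha256_hex(artifacts[name]) != listed[name]["digest"]:
            problems.append(f"{name}: digest mismatch (content changed)")
    return problems


def demo():
    """Constructed download: a clean verify, a silent edit, and a re-hashed edit."""
    key = b"examiner-key-kept-off-the-download-laptop"  # assumption, not a real key
    files = {
        "ecm_snapshot.bin": bytes(range(256)) * 4,                      # constructed
        "report.xml": b"<report><speed_mph>61</speed_mph></report>",   # constructed
    }
    case_info = {"case": "constructed-001", "acquired_utc": "2013-01-01T00:00:00Z"}
    manifest = build_manifest(files, key, case_info)
    clean = verify_manifest(files, manifest, key)

    # Someone edits the report after the download.
    tampered = dict(files)
    tampered["report.xml"] = b"<report><speed_mph>40</speed_mph></report>"
    edited = verify_manifest(tampered, manifest, key)

    # Same person also rewrites the digest in the manifest to match; the MAC still fails.
    rehashed = {"body": {"case": case_info, "hash_alg": HASH_ALG,
                         "files": dict(manifest["body"]["files"])},
                "mac": manifest["mac"]}
    rehashed["body"]["files"]["report.xml"] = {
        "size": len(tampered["report.xml"]), "digest": sha256_hex(tampered["report.xml"])}
    covered = verify_manifest(tampered, rehashed, key)
    return clean, edited, covered


if __name__ == "__main__":
    for label, result in zip(("clean", "edited", "rehashed"), demo()):
        print(label, result or "OK")
```

The three results from `demo()` are the cases a practitioner cares about: the untouched set verifies, an edited file is reported by name, and an edit that also rewrites the manifest's digest is still caught because the MAC no longer matches.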
Original equipment manufacturer software contains provisions to reset data within an ECM, such as the date and time stamps. Because the time record of an ECM is what correlates the recorded data to an event, resetting it destroys the ability to verify when the data were recorded. Some form of command filtering between the diagnostic software and the ECM is therefore needed. International Publication No. WO 2013/144962 A1 (PCT/IL2013/050290), Security System and Method for Protecting a Vehicle Electronic System, provides some overarching concepts regarding message filtering from a cyber-security perspective. That application and its references are hereby incorporated by reference.
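The filtering need described above is, in practice, a default-deny allowlist between the OEM tool and the vehicle network. The following is an added example, not code from the original application or from WO 2013/144962, showing such a filter over ISO 14229 (UDS) diagnostic requests, where the first payload byte is the service identifier; the choice of UDS is an assumption (a heavy-truck J1939 link would need its own rule set), and the sample requests are constructed. Only known read-only services pass; every service that resets, clears, writes or reflashes the module is refused, as is anything unrecognised, and each decision is logged so the filter's own behaviour is part of the record.

```python
"""Read-only command filter between diagnostic software and the vehicle network.

Added example. Assumes each request is seen as a UDS (ISO 14229-1) payload whose
first byte is the service identifier, i.e. after transport-layer reassembly.
Policy is default-deny: anything not on the read-only list is refused.
"""

# ISO 14229-1 services that only read. DiagnosticSessionControl is allowed but
# its sub-function is checked so a programming session cannot be entered.
READ_ONLY_SERVICES = {
    0x10: "DiagnosticSessionControl",
    0x19: "ReadDTCInformation",
    0x22: "ReadDataByIdentifier",
    0x23: "ReadMemoryByAddress",
    0x3E: "TesterPresent",
}

# Services that change ECM state or contents. Resetting clocks, clearing fault
# codes and reflashing all go through one of these, so they are always blocked.
MUTATING_SERVICES = {
    0x11: "ECUReset",
    0x14: "ClearDiagnosticInformation",
    0x27: "SecurityAccess",  # unlocks writes; not needed for a read-only download
    0x28: "CommunicationControl",
    0x2E: "WriteDataByIdentifier",
    0x2F: "InputOutputControlByIdentifier",
    0x31: "RoutineControl",
    0x34: "RequestDownload",
    0x35: "RequestUpload",
    0x36: "TransferData",
    0x37: "RequestTransferExit",
    0x3D: "WriteMemoryByAddress",
    0x85: "ControlDTCSetting",
}

PROGRAMMING_SESSION = 0x02
SUB_FUNCTION_MASK = 0x7F  # bit 7 is suppressPosRspMsgIndication, not part of the session id


def filter_request(payload: bytes) -> tuple:
    """Decide whether one diagnostic request may reach the ECM.

    Returns (allowed, reason). Anything not explicitly read-only is refused.
    """
    if not payload:
        return False, "blocked empty request"
    sid = payload[0]
    if sid in MUTATING_SERVICES:
        return False, f"blocked 0x{sid:02X} {MUTATING_SERVICES[sid]}"
    if sid not in READ_ONLY_SERVICES:
        return False, f"blocked 0x{sid:02X} unknown/OEM-specific service (default deny)"
    if sid == 0x10:
        if len(payload) < 2:
            return False, "blocked malformed DiagnosticSessionControl"
        if payload[1] & SUB_FUNCTION_MASK == PROGRAMMING_SESSION:
            return False, "blocked DiagnosticSessionControl programmingSession"
    return True, f"allowed 0x{sid:02X} {READ_ONLY_SERVICES[sid]}"


class ForensicFilter:
    """Apply filter_request to each request and keep an audit log of every decision."""

    def __init__(self):
        self.log = []

    def handle(self, payload: bytes, send) -> bool:
        allowed, reason = filter_request(payload)
        self.log.append((payload.hex(), allowed, reason))
        if allowed:
            send(payload)  # forward to the VDA / vehicle network
        return allowed


def demo():
    """Constructed request stream; returns (forwarded requests, audit log)."""
    forwarded = []
    filt = ForensicFilter()
    requests = [
        bytes([0x10, 0x03]),              # extendedDiagnosticSession: allowed
        bytes([0x22, 0xF1, 0x90]),        # read VIN data identifier: allowed
        bytes([0x19, 0x02, 0xFF]),        # reportDTCByStatusMask: allowed
        bytes([0x2E, 0xF1, 0x90, 0x00]),  # write a data identifier: blocked
        bytes([0x14, 0xFF, 0xFF, 0xFF]),  # clear DTCs: blocked
        bytes([0x10, 0x02]),              # programmingSession: blocked
        bytes([0xB1, 0x00]),              # OEM-specific service: blocked by default
    ]
    for req in requests:
        filt.handle(req, forwarded.append)
    return forwarded, filt.log


if __name__ == "__main__":
    for raw, ok, why in demo()[1]:
        print(f"{raw:<10} {'PASS' if ok else 'DROP'}  {why}")
```

Which OEM-specific identifier carries the clock is not something the filter needs to know: because every write-class service is refused outright and unknown services are dropped, a reset issued through any of them never reaches the ECM, and the audit log shows what the tool attempted.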
Therefore, a need exists for a general purpose wheeled vehicle EDR forensic recovery and preservation system that is less expensive and more reliable (and, as a result, defensible in a court of law) than existing recovery methods.