A forensically sound method for evidence extraction from heavy truck ECMs

Since the early 1990s, heavy trucks' Engine Control Modules (ECMs) have recorded information valuable to accident reconstructionists. This information is extracted using the engine manufacturers' maintenance software in a manner that does not protect the evidence from alteration. This dissertation describes a novel method of extracting and replaying information from heavy truck engine control modules. This method preserves the integrity of the original evidence, is faithful to the original evidence source, and is cryptographically protected. The extraction/replay methodology combines a generic method with extensions specific to the manufacturer's proprietary protocols. A cryptosystem is also described that protects the information from modification, whether accidental or malicious. Experimental results and validation testing showed that the replay method generated the same report data as the ECM it recorded. It was also found that multiple extractions changed the source evidence, indicating the forensic superiority of the replay method. The replay method fulfills the criteria of forensic soundness and addresses some problems with current evidence handling procedures.