Wednesday, July 21, 2021

vLEAPP - Vehicle Logs Events And Properties Parser

 Short version:

Take logical extractions from cars, trucks, and infotainment systems and parse them for interesting artifacts.

vLEAPP is Python 3 code and can be downloaded here:
https://github.com/abrignoni/VLEAPP

Long Version:

The need to analyze cars for digital forensic artifacts has grown recently as vehicles have smart mobile features by default. From GPS coordinates, contact databases, call logs, and even automated driving, the forensic value of these items cannot be overstated. Sadly there are not many options regarding tools to parse these data sources. vLEAPP aspires to be an open source platform the community can use to aggregate forensic artifacts found on the most mobile of data sources, cars.

This project started from Geraldine Blay's idea of being able to easily parse any car data source in a way that easily enables the backtracking of report data to source data. We decided to use the xLEAPP code base to do so.

Challenges

Dealing with cars brings a host of challenges to the examiner. Some are:

  • Data extraction.
    • In order to pull data from infotainment systems special tooling is usually needed. Many times a chip-off is required. This can be a labor intensive process that requires extensive training.
    • vLEAPP plays no role in the data extraction process.

  • Lack of standardization.
    • Different brands will have different ways of developing their navigation, infotainment, and sensor data recording systems. Sometimes there are different ways of doing these within cars and models of the same brand. It goes without saying that the digital forensics process is has to be well executed. Artifact identification and parsing automation is needed in this field.
    • Hopefully with the arrival of Google's Android Auto and Apple's CarPlay there will a more unified data source type across vehicle brands.

  • Unfamiliar file systems
    • File systems in use by cars might not be recognized by many forensic tools. The QNX file system by Blackberry is one example. Some examiners resort to carving in the hopes of getting relevant data from these nono-supported file systems. Be aware that using branded forensic tools might not help where other more traditional computing processes might. For example QNX file systems can be accessed using a Linux Ubuntu distribution. After accessing the logical files in the QNX file system you can package them all up in a zip file for analysis in any tool or by hand. The following video is a step by step process on how to do so.

Solutions

vLEAPP provides a way to report on forensic artifacts using Python in a way that abstracts the generation of HTML, KML, TSV, and SQLite reports. The examiner focuses on where the data is located and what to pull from it. vLEAPP handles the rest. Here is a video showing how it works.



If you are not familiar with Python or how to run scripts check this short video out. It will guide you from installation to script usage. Really easy and straightforward.



Conclusions

New data sources that are case relevant will continue to surface. As digital forensic examiners we will be well served to learn some coding. Alex Caithness said it best: Learn to code because every artifact exists because of code.


If you would like to learn Python from a digital forensics examiner's perspective and contribute to this or any of the other xLEAPP projects check out the following DFIR Python Study Group playlist. It will take you from knowing no Python to parsing protobuf files and SQLite databases.


Any questions or any comments I can be reached on twitter @AlexisBrignoni and email 4n6[at]abrignoni[dot]com.

Be safe. Take care.

-Brigs