EMERGING TECHNOLOGIES FOR CONNECTED AND SMART VEHICLES

Block4Forensic: An Integrated Lightweight Blockchain Framework for Forensics Applications of Connected Vehicles

Mumin Cebe, Enes Erdin, Kemal Akkaya, Hidayet Aksu, and Selcuk Uluagac

The authors are with Florida International University.
IEEE Communications Magazine, October 2018. Digital Object Identifier: 10.1109/MCOM.2018.1800137. 0163-6804/18/$25.00 © 2018 IEEE.

The authors propose a permissioned blockchain framework among the various elements involved to manage the collected vehicle-related data. They first integrate VPKI into the proposed blockchain to provide membership establishment and privacy. They design a fragmented ledger that will store detailed data related to vehicle such as maintenance information/history, car diagnosis reports, and so on.

Abstract
Today’s vehicles are becoming cyber-physical systems that not only communicate with other vehicles but also gather various information from hundreds of sensors within them. These developments help create smart and connected (e.g., self-driving) vehicles that will introduce significant information to drivers, manufacturers, insurance companies, and maintenance service providers for various applications. One such application that is becoming crucial with the introduction of self-driving cars is forensic analysis of traffic accidents. The utilization of vehicle-related data can be instrumental in post-accident scenarios to discover the faulty party, particularly for self-driving vehicles. With the opportunity of being able to access various information in cars, we propose a permissioned blockchain framework among the various elements involved to manage the collected vehicle-related data. Specifically, we first integrate vehicular public key infrastructure (VPKI) to the proposed blockchain to provide membership establishment and privacy. Next, we design a fragmented ledger that will store detailed data related to vehicles such as maintenance information/history, car diagnosis reports, and so on. The proposed forensic framework enables trustless, traceable, and privacy-aware post-accident analysis with minimal storage and processing overhead.

Introduction
Today’s vehicles are becoming much smarter with special-purpose sensors, control units, and wireless adapters to monitor their operations and communicate with their surroundings [1]. These contemporary smart vehicles are now considered as a comprehensive cyber-physical system (CPS) with communication, control, and sensing components [2]. For instance, electronic control units (ECUs) and onboard units (OBUs) can receive data from various onboard sensing devices to take certain actions. The connections among the control units and sensor devices are made via different types of networks, including a controller area network (CAN) bus, a local interconnect network (LIN) bus, FlexRay, Bluetooth, and so on. Such developments along with capabilities to sense and communicate with the surroundings are enabling further developments such as the creation of autonomous vehicles, also known as self-driving cars, which will revolutionize our lives.

The penetration of Internet of Things (IoT) technologies in vehicles enables collection of enormous data from vehicles for various applications. For instance, most vehicles that are manufactured in the last decade have onboard diagnostics (OBD) ports which are used for retrieving vehicle controller diagnostics. These ports are typically interfaced with a WiFi, Bluetooth, or serial connection to supply data outside. Another major development is the deployment of event data recorders (EDRs) by leading manufacturers including GM, Ford, and so on. EDRs are meant to store incident data based on triggering events. Finally, future vehicles will be equipped with OBUs to enable connectivity among vehicles and roadside units (RSUs) to provide collision avoidance and congestion control. Such safety features will be realized with wireless dedicated short-range communications (DSRC), which will not only enable broadcasting of basic safety messages (BSMs) [15] (i.e., vehicle-to-vehicle, V2V) but also provide the means to communicate with the infrastructure such as traffic lights and railroad crossings (i.e., vehicle-to-infrastructure, V2I). Although BSM is the name of a special message in the DSRC specification, here it is used as a generic name allocated to all safety-related messages [1, 15].

Capabilities such as collecting data within and around vehicles can have a significant impact on vehicular forensics, which aims to investigate the reasons behind the accidents. This field will become even more important with the proliferation of self-driving cars, which are prone to failures and cyber attacks [3]. Typically, after an accident, investigator specialists analyze the causes of the accident so that disputes among parties can be resolved. The investigators look at many different aspects including inspection of the accident site and vehicles. Site inspection contains physical evidence including scrub marks, position of vehicles, tire conditions, and so on. In addition to physical evidence, digital data supplied from OBD ports and EDRs introduce valuable complementary evidence for supporting dispute resolution. Eventually, by enabling the capture, storage, and transfer of the vehicle data, the puzzle including drivers, insurance companies, manufacturers, and law enforcement authorities can be solved [3, 4].


Even after utilizing EDR and OBD data, accident investigation lacks certain features that are absolutely needed for comprehensive dispute resolution. These can be listed as follows:
• The obtained data does not include a comprehensive history of the vehicle due to limited storage (i.e., the data is overwritten after a while).
• The parties do not have direct control over the extracted data; therefore, they should trust third parties, which incurs questions about the integrity of data.
• There is no system for integrating data from all parties including other vehicles, road conditions, manufacturers, and maintenance centers.
• There is no vehicular forensics solution to resolve a hit and run case other than third-party information such as surveillance cameras and eyewitnesses.

Therefore, in this article, we address these points by proposing the Block4Forensic (B4F) framework, a blockchain-based vehicular forensics system that will collect vehicles’ and related business components under the same umbrella. In particular, the proposed system:
• Provides a lightweight privacy-aware blockchain by gathering all related parties such as drivers, maintenance centers, car manufacturers, and law enforcement without requiring a trusted third party in case of an incident
• Introduces a vehicular forensics investigation framework that harbors all necessary data for a comprehensive vehicular forensics solution

The rest of the article is organized as follows. In the following section, we describe the preliminaries related to all concepts and provide a summary of the state of the art. Then we introduce the B4F framework. Following that, we explain B4F with its components. The next section is dedicated to future issues in this emerging research area. Finally, we conclude the article.

Background
Vehicular Forensics: Traditional vehicular forensics deals with the physical evidence collected from an accident scene, such as photographs, measurements, and scrub marks. Usage of vehicle-generated data has attracted the interest of researchers [5]; hence, it is strengthening the hands of forensic investigators as they can find supporting evidence from the digital subsystems of a vehicle. There are many controllers and sensors in modern vehicles with different capabilities. For a better driving experience, almost every capability of the vehicle is measured and reported.

When an accident occurs, first responders arrive at the scene to identify and secure the digital devices to keep them forensically sound (preserving the integrity of evidence) by following the process shown in Fig. 1. After securing and getting access to all related devices, further examination and analysis are performed. This basically means finding incident-related data on the digital devices such as finding traces of a cyber attack and failure of a manufacturer component or the mistake of a driver and so on.

Figure 1. Digital forensics process model [6]. Diagram labels: Collection, Examination, Analysis, Reporting.

At the reporting phase, investigators prepare a report, and testify and present the evidence. Obviously, the most important factor in the admissibility of the report is to verify that the evidence devices have not been altered during the investigation. This may be quite challenging as there is no universal standard to collect, examine, and analyze data from digital devices on vehicles, drivers, and involved units. Therefore, a framework that will enable convenient data collection and analysis is needed. The framework should satisfy privacy of the user, and the stored data content should be clear to the user (i.e., the owner of the data).

Event Data Recorders and Onboard Diagnosis: The event data recorder (EDR), informally named the “black box,” is a device placed in vehicles in order to collect data related to crashes and accidents. In the case of a dispute, investigators come up with the most probable setup. The digital data recorded by the EDR is widely used as supporting evidence in investigations for reconstructing the accident scene. When a triggering event occurs — two of those events are airbag deployment and sudden speed changes above a threshold — the EDR captures and stores the state of the vehicle in tamper-proof storage. It is known that EDR data is extracted by the investigators through the onboard diagnosis (OBD) port in an incident. Meanwhile, the ownership of EDR data and its integrity is discussed in [7] along with how this data is used by the traffic safety administrator (TSA) and other third parties for post-accident scenario reconstruction.

DSRC and Basic Safety Messages: DSRC specification defines the dedicated channels, standards, and protocols for communication between connected vehicles. Among many different messages, the basic safety message (BSM) is one of the most important ones for safety-related awareness between vehicles. Part I of the BSM includes high-priority information about a vehicle such as position, speed, size, brake status, and ID of the vehicle, and also medium-priority messages such as positional accuracy and steering wheel angle. This scheme brings additional value to the forensic investigation since the collected digital data will not be related solely to the car itself but also to the participants surrounding it.

Vehicular Public Key Infrastructure: Vehicular Network Security
In the networking layer of communication of connected vehicles, IEEE 1609.2 is utilized for message integrity and authentication [8].

The vehicular public key infrastructure (VPKI), a simplified version of which is shown in Fig. 2, utilized in IEEE 1609.2 is a highly complicated infrastructure specially tailored to the needs of the transportation system. The main certification authority (CA) generates, distributes, and
revokes the digital certificates. The proposed VPKI structure also deals with privacy and security issues. According to the safety pilot model, the certificates that constitute the pseudonym identity of the vehicle are valid for only five minutes. That behavior provides anonymity for the communicating parties and also makes the system strong against targeted attacks against privacy and spoofing.

Figure 2. A simplified representation of VPKI. Diagram labels: gradual certification authorities providing keys and certificates to RSUs and vehicles; messages between RSUs and vehicles are authenticated via valid pseudonym certificates; trusted certificates carrying identities. Pseudonym identities of the vehicles are created and signed by the certification authorities; hence, messages are authenticated.

Blockchain
A blockchain is composed of blocks that are linked to each other and secured cryptographically. This establishes a strong tie between blocks that guarantees the order of blocks and provides an implicit strong timestamp mechanism. Thus, a block is prevented from any alteration without changing all of its successors. This blockchain data structure can be shared to build a distributed data structure called a shared ledger [9]. This working scheme of blockchain carries unique properties such as relieving central authority trust, immutability, and timestamping.

There are two types of blockchain structure: public and permissioned. For instance, Bitcoin and Ethereum fall into public blockchain category where everyone is able to read and write the ledger without any restriction (i.e., there is no membership requirement). However, in permissioned blockchains [10], the participants form a members-only club.

The process of adding a new block to the chain is carried out via a protocol, which establishes consensus among participants to confirm the new block. The implementation details of the consensus protocol (e.g., proof of work or POW) change a lot depending on the type of blockchain. For instance, in public blockchain, a consensus is typically in the form of a hash puzzle which requires finding a predefined hash value. This consensus protocol brings a significant level of security to the chain (withstanding up to 50 percent of nodes being malicious), but at the cost of computational power and time. For instance, Bitcoin’s maximum throughput is 7 transactions/s, and reaching a final consensus can take an hour. On the other hand, permissioned blockchains utilize some kind of Byzantine fault-tolerant voting-based algorithm as a consensus mechanism, such as Practical Byzantine Fault Tolerance (PBFT) or Stellar Consensus Protocol (SCP), which do not require computationally expensive hash puzzles. As a result, reaching a consensus is faster, which means higher transaction throughput. However, permissioned blockchains generally require more than two-thirds of nodes to be trustworthy rather than 51 percent. More details about consensus algorithms can be found in [11].

Current State of the Art in Vehicular Forensics
The use of digital vehicular forensics is increasingly being investigated. There are commercial products targeting comprehensive data collection from the cars. The iVe project from Berla is a result of that effort, where their product has access to EDR and OBD port. They also retrieve data from the infotainment and telematics systems. The data is collected on cloud storage. Authors in [4] offer a similar solution. EDR and OBD ports are accessible by design and the data is stored in the cloud. Although the authors in [12] do not directly aim implementation for digital forensics, they offer a framework mainly discussing guidelines named “forensic by design.” The idea of blockchain utilization for vehicular security is offered in [13]. The authors sketch possible use cases for insurance companies or wireless software updates for smart cars; however, their discussion lacks practical issues such as membership management and scalability. For a proper investigation, non-repudiation is of great importance. There is an implicit consensus in the research community that public key cryptography produces reliable solutions for that issue [14]. However, there is a need for a comprehensive applicable and scalable framework for vehicular forensics research.

A Blockchain Framework for Vehicular Forensics
The ultimate aim of vehicular forensics is to resolve disputes and determine the faulty parts in the case of an accident. Developments in connected vehicles provide new opportunities for forensic analysis by taking advantage of the IoT and CPS features. Utilizing produced sensors’ data with decision entities would allow building a comprehensive vehicular forensic analysis. Considering involving multiple parties, including manufacturers, drivers, insurance companies, law enforcement, and so on, we first identify the key features for an effective and trustworthy vehicular forensics framework.

Desired Features of Envisioned Forensic Analysis
The following key features are desired for Vehicular Forensics.

Integrity: The integrity of forensic data is very important for resolving disputes.

Non-Repudiation: The parties should be held responsible for their actions by providing proof of integrity.

Relieve Single Point of Trust: The system should remove the assumption of trust reliance solely on a single authority and provide accountable trustworthiness for each participant.

Comprehensive Forensic Analysis: The system should provide a comprehensive mechanism for accident analysis by providing access to historical data even before the accident. For example, the behavioral pattern of the vehicle after maintenance (e.g., steering ability, braking distance) or a previously reported malfunctioning component of a vehicle can provide important clues to determine the faulty party.

Lightweight: The system should have minimum overhead on endpoints since it includes multiple parties that may have different capabilities and resources.

Privacy: The system should preserve the privacy of the participants while also providing the flexibility for the participants to selectively reveal their data as they wish.

B4F Framework
To enable the vehicular forensics vision, we introduce a novel blockchain forensic framework as shown in Fig. 3. The framework connects the following stakeholders: vehicles, maintenance service providers (e.g., mechanics), vehicle manufacturers, law enforcement, and insurance companies. The key features of the envisioned vehicular forensics system mentioned in the previous subsection guided us while building the blockchain-based vehicular forensics system.

Figure 3. An overview of the forensic system model with its stakeholders. Diagram labels: B4F; insurance company; law enforcement; manufacturer; maintenance service provider; personal backup (SSD); outside communicating devices (traffic signals, RSU, user devices); BSM; communication interfaces of the OBU (Wi-Fi, Bluetooth, DSRC, LTE); inside the vehicle: OBU, forensic daemon, ECUs, CAN bus, EDR; sources of information within the vehicle (steering wheel, lidar, brakes, stereo camera, diagnosis reports, seat belt, etc.).

At the heart of design, there is a special forensic daemon, which is stationed within the OBU and constantly retrieves data from EDR, BSMs (i.e., messages received from other vehicles), and onboard sensors/IoT devices through a CAN Bus. The forensic daemon periodically shares the EDR and BSM data with the insurance company through an encrypted channel. Note that only related BSMs are shared when an EDR triggering event occurs. On the other hand, the car manufacturers collect regular car diagnostic reports. A cryptographic hash of these data is submitted to Blockchain for removing the single trust issue. Both insurance companies and manufacturers collect those data for analysis. Moreover, maintenance records are kept at the maintenance service providers, and a hash of each record is submitted to Blockchain in the same manner. As an optional extension to the framework, all of the mentioned data can also be stored in personal cloud storage.

Stored data will be used in post-accident scenarios by allowing the parties to disclose their data selectively to determine the faulty party. Law enforcement authorities play an investigative role for post-accident scenarios while parties disclose their data with proof of integrity.

Potential Accident Scene
An investigator working on an accident scene needs to collect all pieces of clues to reconstruct the accident scene. Once the accident scene is reconstructed, the faulty party can be determined accordingly.

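The hash commitment described in the Blockchain and B4F Framework sections above (record content stays with the parties, only its cryptographic hash goes into hash-linked blocks, and a later disclosure is checked against that hash), as an added example that is not code from the article. The record fields, the canonical-JSON encoding, and the names SharedLedger, first_bad_block and verify_disclosure are assumptions; pseudonym-certificate signatures and consensus are left out so that it runs on the Python standard library alone.

```python
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS_HASH = "0" * 64  # assumed placeholder predecessor for the first block


def record_digest(record: dict) -> str:
    """SHA-256 over a canonical JSON encoding, so every party hashes identical bytes."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    digests: List[str]      # record hashes only; record content stays off-chain
    block_hash: str = ""

    def compute_hash(self) -> str:
        body = json.dumps([self.index, self.prev_hash, self.digests])
        return hashlib.sha256(body.encode("utf-8")).hexdigest()


class SharedLedger:
    """Hypothetical stand-in for one participant's replica of the shared ledger."""

    def __init__(self) -> None:
        self.blocks: List[Block] = []

    def append(self, digests: List[str]) -> Block:
        prev = self.blocks[-1].block_hash if self.blocks else GENESIS_HASH
        block = Block(len(self.blocks), prev, list(digests))
        block.block_hash = block.compute_hash()
        self.blocks.append(block)
        return block

    def first_bad_block(self) -> Optional[int]:
        """Index of the first block whose hash or back-link is inconsistent, else None."""
        prev = GENESIS_HASH
        for block in self.blocks:
            if block.prev_hash != prev or block.block_hash != block.compute_hash():
                return block.index
            prev = block.block_hash
        return None

    def find(self, digest: str) -> Optional[int]:
        for block in self.blocks:
            if digest in block.digests:
                return block.index
        return None


def verify_disclosure(ledger: SharedLedger, disclosed: dict) -> str:
    """What an investigator can conclude from one selectively disclosed record."""
    bad = ledger.first_bad_block()
    if bad is not None:
        return f"ledger inconsistent at block {bad}"
    idx = ledger.find(record_digest(disclosed))
    if idx is None:
        return "no matching hash on ledger"
    return f"verified against block {idx}"


def build_demo():
    """Constructed sample records; identifiers, fields and values are illustrative."""
    edr = {"type": "event", "pseudonym_id": "PSN-EXAMPLE-01",
           "time": "2018-10-01T12:00:05Z", "speed_kmh": 62, "brake": False}
    diag = {"type": "diagnosis", "pseudonym_id": "PSN-EXAMPLE-02",
            "time": "2018-10-01T12:05:00Z", "fault": "front sensor timeout"}
    maint = {"type": "maintenance", "pseudonym_id": "PSN-EXAMPLE-03",
             "time": "2018-09-20T09:30:00Z", "work": "brake pads replaced"}
    ledger = SharedLedger()
    ledger.append([record_digest(maint)])
    ledger.append([record_digest(edr), record_digest(diag)])
    return ledger, edr, diag, maint


if __name__ == "__main__":
    ledger, edr, diag, maint = build_demo()
    print(verify_disclosure(ledger, edr))                       # intact disclosure
    print(verify_disclosure(ledger, dict(edr, speed_kmh=45)))   # record altered off-chain

    # A replica whose holder rewrites an old maintenance entry.
    forged = copy.deepcopy(ledger)
    forged.blocks[0].digests[0] = record_digest(dict(maint, work="no work performed"))
    print(forged.first_bad_block())   # block 0 no longer matches its own hash
    forged.blocks[0].block_hash = forged.blocks[0].compute_hash()
    print(forged.first_bad_block())   # recomputing it breaks the link from block 1
```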
Figure 4. A hypothetical accident scene and possible reconstructions of the accident: a) reported accident scene; b) faulty driver; c) hit and run; d) faulty signaling; e) faulty maintenance; f) faulty manufacturer.

Here, we discuss how digital data provided by B4F assists an investigation. Assume an accident scene where Vehicle 1 (V1) collided with Vehicle 2 (V2) at an intersection with traffic lights, as illustrated in Fig. 4a. The data provided by B4F may enable various forensically sound scene reconstructions as listed below.

Reconstructed Scene (b): BSM messages include the traffic light status and cars’ last positions. In this scenario, BSM messages reveal that V1 started to turn left when the red light was on, as shown in Fig. 4b. Lights’ statuses are being disseminated by smart traffic lights; thus, when the accident happens, B4F would have stored the last BSM messages from the traffic lights. Here, data clearly point out that V1 is the faulty party.

Reconstructed Scene (c): Timestamped data in B4F reveals the existence of another vehicle at the accident scene. Drivers of V1 and V2 started crossing the road when the light turned green. At that time V3 did not stop at the red light and caused V2 to lose control and hit V1. B4F data uncovers the existence of V3 and resolves such a hit case where the faulty party is a third car that runs out of the incident area.

Reconstructed Scene (d): Similar to scene (c), data reveals the existence of V3. However, this time none of the cars violate the rules as the traffic light for V3 is also green. BSM data supplied by smart traffic lights would reveal faulty signaling as the cause of the accident.

Reconstructed Scene (e): In this scenario, B4F data indicates that none of the drivers has violated the traffic rules. However, by investigating the car diagnostic report history on B4F, the investigator finds out that after maintenance, the vehicle has a pulling problem while braking. Due to this faulty operation in V1, the driver lost control of the car and hit V2. The history of previous vehicle maintenance records helps to resolve this complicated scenario and suggests the maintenance provider as the faulty party.

Reconstructed Scene (f): In this scenario, B4F data shows that V1 was on autopilot at the accident time. Moreover, the diagnostic records report a failed sensor. Thus, V1 autopilot software with faulty input caused the accident, which suggests the car manufacturer as the faulty party.

Various parties might be involved in an accident as exemplified above. Forensic data provided by B4F provides a fast and efficient accident scene reconstruction, which helps any investigation significantly.

B4F Components
In this section, we first describe the forensics elements and data types, and then we move on to elaborate on the specific elements of B4F that relate to the blockchain structure, its membership management, and storage issues.

Forensic Daemon
Here, we explain how the proposed forensic daemon interacts with different components of a vehicle. Note that our forensic daemon runs as an application in an OBU thanks to existing software development kits (SDKs) for custom application development.

The OBU has read access to the vehicle network infrastructure. The backbone of the vehicle network is the CAN bus. In a modern vehicle, many important substructures like steering wheel motor, braking system, throttle, tire pressure monitoring system, seat belt buckle status, and even windshield wipers are controlled and monitored via the CAN bus. Thus, the CAN bus may deliver invaluable data in terms of vehicular forensics to the OBU that can be retrieved by the forensic daemon.

Additionally, through WiFi or Bluetooth interfaces, the forensic daemon can receive data from the driver about his/her health status via wearables. Similarly, road conditions and weather data can be retrieved from RSUs or a driver’s smartphone that has applications related to such data.

54 IEEE Communications Magazine • October 2018


Authorized licensed use limited to: Cornell University Library. Downloaded on September 01,2020 at 04:11:28 UTC from IEEE Xplore. Restrictions apply.
The forensic daemon will collect data on pre-
defined occasions based on basic or custom rules. Monitor
After adding a timestamp, it will sign the data unit
using the pseudonym certificate, which is readily Law enforcement
available in the OBU. In the case of an investiga- Client
tion, submitted data will be disclosed for investiga-
tion by the user.
Shared ledger
Forensic Data Types and B4F Process
In this subsection, we detail the interaction Validator
between the vehicle and the B4F framework.
There are three types of data in our framework.
Validator
The first one is event data, which are incurred
in the case of an incident triggered by the pre-
defined conditions in EDR. The second one is
the diagnosis data, which are produced by the
vehicle periodically or in the case of a failure.
Car manufacturer Maintenance
Finally, there are maintenance data, which con- service
tains information about the maintenance report provider
and is kept by both the maintenance service Validator
and the user. Maintenance data are signed by Leader is one of the
both the vehicle and the maintenance provider validator nodes chosen
among validators based
and hence are multi-signature data. We have on concensus
two data submission processes in the B4F. As
described below, the content of forensic data
Insurance companies
along with time and pseudonym vehicle ID is
signed by vehicle and submitted to the corre- Figure 5. Permitted blockchain participants.
sponding parties such as insurance companies,
manufacturers, and personal cloud storage.
While the content of the forensic data is kept This proposed framework is geared for increas-
between two parties, the hash of this data is ing the level of trust among network participants
stored in the shared ledger on blockchain. B4F and thus will eliminate the need for a trusted third
implements a gossip network where each vehi- party.
cle selects a random set of validators to gossip Due to the use of hashes, the overhead of
about the hash of data. To ensure that messag- the building and storing replicated shared led-
es are valid, every message is signed by the ger among parties is minimized. Note that the
pseudonym identity of the vehicle; validators integrity of data can be verified by comparing its
check that the signature is valid before relay- hash value with the corresponding hashes that are
ing it. The randomly chosen leader proposes a stored on the Blockchain.
block in submitted transactions and distributes
its block of pending transactions through the Integrated Membership Management and Privacy via
gossip protocol again. B4F establishes a Byzan- Pseudonym Certificates
tine agreement to reach the final conclusion. In a public blockchain, anyone can participate
as either a client or a validator (e.g., miners in
Blockchain Structure cryptocurrencies). However, in the case of a per-
To address the requirements above, we propose mitted blockchain, access permission is strictly
utilizing permissioned blockchain technology controlled by membership service, and only grant-
and implement shared and fragmented ledgers to securely and efficiently exchange information between the collaborating parties.

In our proposed blockchain, we have four different types of nodes: leader, validator, monitor units, and client, as shown in Fig. 5.

A leader is selected randomly every block time among the validator nodes (i.e., manufacturers, maintenance centers, insurance companies). The client (i.e., vehicle) provides signed transactions to the B4F to ensure that messages cannot be forged.

The randomly chosen leader proposes a block to the network based on the transactions it has received. To reach a consensus on a proposed block, validators run Byzantine agreement protocols such as PBFT. These protocols are resilient to malicious actions of the leader and participants [11]. Monitor units are law enforcement authorities who do not directly participate in the validation process but keep a replica of the shared ledger to be able to participate in post-accident disputes.

ed users are able to make transactions. The identities issued by membership service are unique and cannot be altered. Thus, there is no support to protect privacy between interacting peers. Leveraging permitted blockchain impedes the use of anonymous identities in contrast to identities used in public Blockchains such as Bitcoin. This is particularly important in our case since vehicle owners would like to protect their privacy while sharing data with their manufacturers and insurance companies. On the other hand, the huge number of network participants (e.g., millions of vehicles on the roads) exposes membership management as a challenge in the realization of a permitted blockchain.

Thus, we use pseudonym identities from the VPKI model suggested in IEEE 1609.2 as a token for clients (i.e., vehicles) to satisfy anonymity in the proposed B4F. According to the VPKI scheme, the vehicle has different pseudonym identities for different time intervals (i.e., every five minutes); thus, every transaction will be submitted with a different identity, which protects the

IEEE Communications Magazine • October 2018 55


[Figure 6 diagram: interaction of parties involved. Legend: C#: cloud service; M#: manufacturer; V#: vehicle; D#: maintenance provider; IC#: insurance company; SL: shared ledger; FL: fragmented ledger. Per-vehicle entries (V1, V2, ...) hold maintenance data, insurance company data, or manufacturer data.]

Figure 6. An overview of the proposed ledger structure. SL: shared ledger; FL: fragmented ledger, which
can hold different data.

user privacy as defined in the attack model of IEEE 1609.2. However, regulations and policies should be assessed for proper disclosure of the user data. In addition, exploiting the VPKI scheme also addresses the above mentioned membership management challenge. Any vehicle that has a valid pseudonym identity can make transactions on the proposed Blockchain since participants of B4F recognize valid certificates produced by VPKI. Validator nodes check the validity of the certificate and timestamp of the submitted data (i.e., hash of the forensic data). If the timestamp belongs to the certificate validity period (i.e., every five minutes), the transaction is confirmed. The consensus on valid transactions is achieved by a computationally inexpensive voting-based Byzantine agreement scheme among validators.

Lightweight Fragmented Ledger for Forensic Participants

Blockchain is a shared ledger that maintains a growing list of blocks which are chained to each other. Each participant stores a copy of the entire history. In our case, the data are immense, and thus the shared ledger can grow dramatically and may cause both communication and storage overhead.

To address this issue, we utilize a fragmented ledger instead of storing all forensic data in a shared ledger. The motivation comes from the observation that each party has already stored a different fragment of required data. For instance, a maintenance provider may not be interested in the content of periodic EDR data, and thus there is no need to keep that content in a shared ledger. On the contrary, as insurance companies keep EDR data in their fragmented ledger, keeping proof of that data in the shared ledger is sufficient. Therefore, in B4F, all participants of the network will have a consensus on the shared ledger. However, each participant maintains just related information that differs from others, as shown in Fig. 6. Specifically, the difference between the shared and fragmented ledgers will be in forensic data details. The shared ledger does not carry any information related to the forensic content of EDR&BSM data, car diagnostic reports, provided maintenance, and so on.

Additionally, note that the user may want to refuse to submit maintenance or manufacturer data content. Instead, s/he keeps it in personal cloud storage. However, based on regulations and policies, in the case of an incident, the authorities will require the user to disclose this data as needed, the integrity of which is satisfied by the Blockchain.

Future Research Issues

As there is growing research on various aspects of connected vehicles, their applications will proliferate in coming years, such as driverless cars and automated fleets. This may result in increased disputes as a result of incidents. Therefore, we believe that there is a vast opportunity to pursue additional research with respect to vehicular forensics in general and our framework in particular. We list them below:
• There will be a need to analyze the storage and communication overhead of the B4F framework by implementing it using an OBU SDK.
• A punishment/incentive/avoidance mechanism should be investigated to prevent members becoming malicious actors. In this regard, a detection mechanism should be developed to discover malicious participants.
• The B4F provides a lightweight solution by just keeping hash values. While this ensures integrity and immutability of forensic data, the availability of this data depends on the individual storage and shared counterparts. There is no mechanism for ensuring availability of critical forensic data on blockchain. Therefore, this warrants further research.
• Due to increased availability of data and blockchain technologies in various domains for forensic purposes, researchers would need to consider a forensic-by-design principle when proposing new systems and mechanisms.

• Regulations for enforcing the participation of various entities to forensic blockchains and development of policies to use such data in criminal cases are potential research issues.

Conclusion

In this article, we propose constructing a blockchain infrastructure to provide comprehensive forensic services for accident investigations. To address the issues regarding the overhead of storage and membership management of blockchain, we propose using VPKI in permitted blockchain and a fragmented ledger, which enables storage of hashed data in the shared ledger while the details are stored in fragmented ledgers as non-hashed data. In addition, the use of pseudonyms for identities helps preserve the privacy of users.

Acknowledgments

This work is partially supported by the U.S. National Science Foundation (Awards: NSF-CAREER-CNS-1453647, NSF-1663051).

References

[1] IEEE Standard for Wireless Access in Vehicular Environments (WAVE), 2016.
[2] C. Berger and B. Rumpe, “Autonomous Driving 5 Years after the Urban Challenge: The Anticipatory Vehicle as a Cyber-Physical System,” arXiv preprint arXiv:1409.0413, 2014.
[3] Z. A. Baig et al., “Future Challenges for Smart Cities: Cyber-Security and Digital Forensics,” Digital Investigation, vol. 22, 2017, pp. 313.
[4] H. Mansor et al., “Log Your Car: The Non-invasive Vehicle Forensics,” Proc. IEEE Trustcom/BigDataSE/ISPA, 2016, pp. 974–82.
[5] D. K. Nilsson and U. E. Larson, “Conducting Forensic Investigations of Cyber Attacks on Automobile In-Vehicle Networks,” Proc. 1st Int’l. Conf. Forensic Applications and Techniques in Telecommun., Info., and Multimedia and Wksp., ICST, 2008, p. 8.
[6] U. Karabiyik and K. Akkaya, “Digital Forensics in IoT and WSNs,” The Philosophy of Mission-Oriented Wireless Sensor Networks, Springer, 2018.
[7] N. Gabriel, A. Niedzicka, and C. Krysiuk, “The Use of Event Data Recorder (EDR)-Black Box,” Advances in Science and Technology Research J., vol. 8, no. 21, 2014.
[8] IEEE Standard for Wireless Access in Vehicular Environments, Security Services for Applications and Management Messages WAVE 1609.2-2016, 2016.
[9] S. Nakamoto, “Bitcoin: A Peer-to-Peer Electronic Cash System,” 2008.
[10] C. Cachin, “Architecture of the Hyperledger Blockchain Fabric,” Proc. Wksp. Distributed Cryptocurrencies and Consensus Ledgers, 2016.
[11] S. Bano et al., “Consensus in the Age of Blockchains,” arXiv preprint arXiv:1711.03936, 2017.
[12] N. H. Ab Rahman et al., “Forensic-by-Design Framework for Cyber-Physical Cloud Systems,” IEEE Cloud Computing, vol. 3, no. 1, 2016, pp. 50–59.
[13] A. Dorri et al., “Blockchain: A Distributed Solution to Automotive Security and Privacy,” IEEE Commun. Mag., vol. 55, no. 12, Dec. 2017, pp. 119–25.
[14] J. Li, H. Lu, and M. Guizani, “ACPN: A Novel Authentication Framework with Conditional Privacy-Preservation and Non-Repudiation for VANETs,” IEEE Trans. Parallel and Distributed Systems, vol. 26, no. 4, 2015, pp. 938–48.
[15] J. Cho et al., “Efficient Safety Message Forwarding Using Multi-Channels in Low Density VANETs,” IEEE GLOBECOM, Dec. 2014, pp. 70–75.

Biographies

Mumin Cebe is a Ph.D. student in the Department of Electrical and Computer Engineering at Florida International University. He works at the Advanced Wireless and Security Lab (ADWISE). He conducts research in the areas of blockchain, wireless networking, and security/privacy that relates to the Internet of Things and cyber-physical systems, particularly in smart grids and vehicular networks.

Enes Erdin is a Ph.D. student in the Department of Electrical and Computer Engineering at Florida International University and is an NSF CyberCorps Fellow. He conducts research in the areas of hardware security, blockchain technology, and cyber-physical systems.

Kemal Akkaya is a professor in the Department of Electrical and Computer Engineering at Florida International University. He leads the Advanced Wireless and Security Lab and is an Area Editor of the Elsevier Ad Hoc Network Journal. His current research interests include security and privacy, and protocol design. He has published over 120 papers in peer reviewed journals and conferences. He received the “Top Cited” article award from Elsevier in 2010.

Hidayet Aksu received his Ph.D. degree from Bilkent University in 2014. He is currently a postdoctoral associate in the Department of Electrical & Computer Engineering at Florida International University. Before that, he worked as an adjunct faculty member in the Computer Engineering Department of Bilkent University. He conducted research as visiting scholar at IBM T. J. Watson Research Center, New York, in 2012–2013. He also worked for the Scientific and Technological Research Council of Turkey (TUBITAK).

Selcuk Uluagac leads the Cyber-Physical Systems Security Lab at Florida International University, focusing on security and privacy of the Internet of Things and cyber-physical systems. He has Ph.D. and M.S. degrees from Georgia Institute of Technology, and an M.S. from Carnegie Mellon University. In 2015, he received the U.S. National Science Foundation CAREER award and the U.S. Air Force Office of Sponsored Research’s Summer Faculty Fellowship, and in 2016, a Summer Faculty Fellowship from the University of Padova, Italy.
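
The validator rule and the hash-only shared ledger from the membership-management and fragmented-ledger sections, sketched as an added example (not code from the article or its authors): a transaction is accepted only if its timestamp falls inside the pseudonym certificate's five-minute validity period, and a record disclosed after an incident is checked against the hashes committed on the chain. The class and function names, the certificate map standing in for VPKI validation, and the sample EDR record are assumptions; signature verification and the PBFT vote are left out.

```python
import hashlib
import json

WINDOW = 300  # seconds: the five-minute pseudonym validity period from the text
GENESIS = "0" * 64

def digest(record: dict) -> str:
    """Canonical SHA-256 of a record (sorted-key JSON)."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

class SharedLedger:
    """Stores only hashes of forensic data; each block commits to its predecessor."""
    def __init__(self, valid_certs: dict):
        # Assumption: cert id -> validity start (Unix s), already verified against the VPKI.
        self.valid_certs = valid_certs
        self.blocks = []

    def submit(self, cert_id: str, ts: int, data_hash: str) -> bool:
        # Validator rule: known certificate and timestamp inside its validity period.
        start = self.valid_certs.get(cert_id)
        if start is None or not (start <= ts < start + WINDOW):
            return False
        prev = self.blocks[-1]["block_hash"] if self.blocks else GENESIS
        body = {"prev": prev, "cert": cert_id, "ts": ts, "data_hash": data_hash}
        self.blocks.append({**body, "block_hash": digest(body)})
        return True

    def chain_intact(self) -> bool:
        prev = GENESIS
        for b in self.blocks:
            body = {k: b[k] for k in ("prev", "cert", "ts", "data_hash")}
            if b["prev"] != prev or b["block_hash"] != digest(body):
                return False
            prev = b["block_hash"]
        return True

    def proves(self, disclosed: dict) -> bool:
        """Post-incident check of a disclosed record against the committed hashes."""
        h = digest(disclosed)
        return self.chain_intact() and any(b["data_hash"] == h for b in self.blocks)

def demo() -> dict:
    # Constructed sample: one EDR record kept in an insurer's fragmented ledger.
    edr = {"vehicle": "V1", "speed_kmh": 62, "brake": True}
    ledger = SharedLedger({"pseudo-A": 1000})
    ok = ledger.submit("pseudo-A", 1120, digest(edr))    # inside the window
    late = ledger.submit("pseudo-A", 1300, digest(edr))  # window closed at 1300
    return {"in_window": ok, "expired": late, "original": ledger.proves(edr),
            "tampered": ledger.proves({**edr, "speed_kmh": 48})}
```

Only the digest reaches the shared ledger, so the raw EDR record stays with whichever party holds it in its fragmented ledger or personal cloud storage; `proves` is the check a monitor unit would run when that record is later disclosed.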
