Disk Forensics of VxWorks File Systems for Aircraft Security

Modern avionics systems exhibit numerous networked electronic components ranging from sensors and actuators to dedicated subsystems, resulting in aircraft capable of processing and responding to information accurately, reliably, and in a timely fashion. Assuring the cyber security of these systems is a continual challenge and an active area of research; in the case where an aircraft has been compromised by a malicious actor, digital forensics can be utilized to investigate what and how the incident occurred. This research answers a simple, yet fundamental question on the security of aircraft: whether useful digital forensic artifacts be obtained from embedded real-time systems on aircraft. The highly reliable file system (HRFS) utilized by VxWorks was analyzed and described to align with the generalized descriptions of file system formats accepted in academia. The Sleuth Kit (TSK), an open-source forensic toolkit, was analyzed and extended to include functionality to support this file system, and a proof-of-concept implementation to obtain digital forensic artifacts from real-time operating systems on aircraft was developed. This research finds that the proposed implementation can perform file analysis and recovery from a VxWorks generated HRFS-formatted file system and can be generalized to show that embedded real-time systems can provide useful digital forensic artifacts.