The Emerging World of Drone Forensics

Article – Extracting Data from an Unmanned Aerial Vehicle


Unmanned Aerial Vehicles — better known as drones — have become a new fixture on the global landscape. Their rate of adoption has been climbing steadily for the past three years — from roughly 32,800 in the U.S. in 2016 to 350,000 this year — and this rate is projected to ramp up even faster in the next two years. The Federal Aviation Administration estimates there will be more than 500,000 drones in use in the U.S. by 2020. These figures reflect only the hobbyist market; if we factor in the commercial use of drones, the total exceeds 2 million UAVs globally. It is estimated that the USA accounts for 56% of global market adoption, with China and Israel its closest rivals at just 12% and 9% respectively.

This US trend should be monitored by federal government officials and law enforcement professionals at the federal, state and local levels because drones are being used for more than taking fun pictures and delivering packages to doorsteps — unfortunately, they are also becoming an increasingly prevalent tool in the criminal world.

For example, in some prisons, drones have been spotted delivering cell phones and dropping other contraband over prison walls. Earlier this year, a U.S. citizen was sentenced to 12 years in prison for using a drone to smuggle methamphetamine from Mexico into San Diego.

Rob Attoe


Rob is a frequent presenter at esteemed international digital forensics conferences, including events hosted by the High Technology Crime Investigation Association, Department of Defense Cyber Crime, F3 Annual Workshops, and the Internet Crimes Against Children Taskforce. His expertise extends to contributing to digital forensic publications, and he acts as a subject matter expert for various courses within the ATA program managed by the State Department in the USA.


Drones have been used to conduct targeted attacks on Wi-Fi and mobile data networks in the U.S. Perhaps most disturbing, the risk of drones being used in terror attacks is real and ominous. In Europe, we saw huge media coverage of the Gatwick Airport incident in December 2018, where a security officer spotted two drones over the south perimeter of the airport. The following days saw thousands of cancelled and delayed flights, and the investigation never reached a successful outcome.

Digital forensics investigators have an important role to play in assisting law enforcement agencies when it comes to the emerging world of drone forensics. When a drone is captured, investigators need to extract data from these complex technological devices so they can develop a trail of clues that might lead them to a suspect.

For example, if a drone is found on the front yard of a penitentiary, investigators will spring into action to try to determine who owns it, how it got there, where it was before crashing, where it was going and what was its purpose. Forensics professionals may be their best hope for extracting and analyzing the crucial data inside the device that can help the investigation answer those kinds of questions.

As with other emergent devices that we’ve been forced to master for this purpose, there are many types of drones and a number of technical factors that can make data extraction very tricky.

The four key stages of drone forensics examination

Crime Scene Analysis

It is not necessary to have every component of the sUAS to perform a forensic analysis of the UAV's activities. The drone and the controlling application both store data about flights, as well as images and videos taken during flight.

  • When approaching a suspect UAV, be mindful of the camera view, any toxins on the device (depending on its use), the state of the motors (are they turning?) and the operator's ability to fly the aircraft away. Power down the device as soon as possible, remove any batteries and, where possible, isolate it from any radio waves.
  • When taking a mobile device into custody, the first responder should first place the device in airplane mode and make all attempts to obtain any passwords to unlock the device later when forensic extraction of the data is required.
  • Look for any additional hardware, i.e. batteries, spare UAV parts, etc. These may have additional serial numbers to link into flight data during the examination phase.

 

Data Collection Considerations

  • How data is extracted from the UAV depends largely on the drone manufacturer. Since the DJI range of UAVs is the most popular, we are fortunate to be able to use DJI's own DJI Assistant 2 application to pull the flight logs out of the internal memory without using any destructive processes.
  • In most cases the UAV will have an external memory card that stores any images or videos taken with the drone. It should be removed, write protected to prevent your operating system from changing any data, and processed in the same manner as any other storage device.
  • Extracting data from the controller requires more specialized tools; however, most hobbyist drones do not use smart controllers, so we are more interested in the mobile device attached to the controller.
  • Extracting data from the mobile or tablet device requires a specialized application that can connect directly to the device and pull data from its internal memory storage. Most forensic labs will have professional tools at their disposal to extract data from mobile devices; however, there are also many free tools available to extract the application data from the device. The biggest challenge for any forensic examiner will be any passwords protecting the device. Some professional tools allow these to be bypassed, so seek assistance from the forensic lab if possible.

For the analysis phase, the good news for forensics professionals is that most forensic software allows collections from mobile devices and storage media, so the basic collection tools should already be in your toolbox. A full forensic analysis of any aspect of the Small Unmanned Aerial System (sUAS) does not require the purchase of expensive forensic tools; there are many solutions used within the forensic community to analyze any aspect of the hardware.

Once all the data has been collected from the drone, storage media and controller application, forensics professionals can begin their analysis. Reviewing the data of the application controlling the drone will provide detailed insights into the history of the aircraft. This will include copies of flight logs, thumbnail images and videos stored in the application's data folders. Using this data, we are able to replay the flight with tools such as Google Earth. The mobile device application will also store details of the UAV (make, model and serial numbers) as well as encoded files containing the serial numbers of the battery and the UAV name. The UAV's internal memory containing flight logs can be analyzed to identify launch sites, flight paths and even flight patterns to help determine the purpose of the flight, such as payload drops, surveillance, etc. Also stored on the internal memory will be log files containing any custom settings for the drone, such as the maximum height and maximum distance the aircraft can fly. The external UAV memory card can be examined for images and videos taken during the drone flights; these will include geolocation data detailing where the image was taken, which can be used to link to flight logs. This information allows the examiner to work with the investigator to link locations to drop sites or surveillance operations.
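The linkage between geotagged images and flight logs described above, as an added example that is not the author's code or any vendor's tool. It assumes the flight log has already been decoded to CSV with the hypothetical columns shown and that the image EXIF time and GPS values have already been read; all sample values are constructed.

```python
import csv, io, math
from datetime import datetime
# Constructed sample flight log; column names are assumed (exports vary by tool).
FLIGHT_LOG_CSV = """time_utc,lat,lon,alt_m
2019-03-02T14:00:00,40.00000,-100.00000,0.0
2019-03-02T14:00:30,40.00120,-100.00010,40.0
2019-03-02T14:01:00,40.00250,-100.00020,60.0
2019-03-02T14:02:00,40.00500,-100.00040,25.0
"""
# Constructed sample: EXIF time/GPS values already read from memory-card images.
IMAGES = [
    {"name": "IMG_0001.JPG", "time_utc": "2019-03-02T14:01:02", "lat": 40.00251, "lon": -100.00021},
    {"name": "IMG_0002.JPG", "time_utc": "2019-03-02T14:10:00", "lat": 40.10000, "lon": -100.20000},
]

def load_track(text):
    """Parse the log into (time, lat, lon, alt) tuples, oldest first."""
    rows = csv.DictReader(io.StringIO(text))
    return sorted((datetime.fromisoformat(r["time_utc"]), float(r["lat"]),
                   float(r["lon"]), float(r["alt_m"])) for r in rows)

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2)
         * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def link_images(track, images, max_gap_s=15, max_dist_m=50):
    """Link an image to the nearest-in-time log record if time and position agree."""
    out = []
    for img in images:
        t = datetime.fromisoformat(img["time_utc"])
        rec = min(track, key=lambda p: abs((p[0] - t).total_seconds()))
        gap = abs((rec[0] - t).total_seconds())
        dist = haversine_m(img["lat"], img["lon"], rec[1], rec[2])
        out.append({"name": img["name"], "log_time": rec[0].isoformat(),
                    "gap_s": gap, "dist_m": round(dist, 1),
                    "linked": gap <= max_gap_s and dist <= max_dist_m})
    return out

def to_kml(track):
    """Build a KML LineString (lon,lat,alt order) for replay in Google Earth."""
    coords = " ".join(f"{lon},{lat},{alt}" for _, lat, lon, alt in track)
    return ('<kml xmlns="http://www.opengis.net/kml/2.2"><Placemark><LineString>'
            '<altitudeMode>relativeToGround</altitudeMode>'
            f'<coordinates>{coords}</coordinates></LineString></Placemark></kml>')

if __name__ == "__main__":
    print(link_images(load_track(FLIGHT_LOG_CSV), IMAGES))
```

The first record of the sorted track is the candidate launch site. An image that fails to link, like the second sample here, points to a flight missing from the recovered logs or to a clock offset between camera and aircraft that the examiner needs to account for.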

Lastly, any additional batteries associated with drones should be analyzed for DNA and serial number, as they may yield useful information about the devices the user has at their disposal. This will include any serial numbers we can link to the flight logs analyzed from the drone and mobile app and ultimately help trace the device to its origins.

Spyder Forensics – UAV (Drone) Forensics – Advanced Level Training Course

Leveraging the latest research and development from Spyder Forensics, this course offers a comprehensive introduction to the realm of sUAS (Unmanned Aircraft Systems). You will not only learn how a UAV operates but also discover the best practices for conducting forensically sound data extractions and analysis from the UAV, with the objective of using the findings as evidence or for intelligence gathering. The course covers techniques for collecting data from within the aircraft through non-destructive methods, employing industry-standard tools to create forensic collections of storage media, encompassing flight logs, aircraft data, as well as photo and video files, all without the need for disassembling the aircraft or its controller. Students will then delve into the acquisition of application data from the associated mobile device.