UAV Forensics: Evidence and Analysis

Uploaded by

matthewmurrays46
UAV (aka drone) Forensics

“Ok, you’ve shot it down, now what?”
Why is this Relevant?
Controlled Use Technologies
• Counter UAS (CUAS) solutions beyond detection are currently illegal to use domestically with very limited exceptions
• Lots of pressure to enable full CUAS use for prisons, critical infrastructure, major public events
• “Ok, you’ve shot it down, now what?”
Growing Collections of Found UAVs
• UAVs found on property in many sectors
• Little understanding of inherent value
• Little means to recognize value
• You can start understanding the threat actors and their motivations even without CUAS
Sources of UAV Forensic Artifacts
Potential Sources – Three Views
There are three ways of thinking about Unmanned Aerial Systems that help an investigator identify all of the potential sources of forensic artifacts.

– Physical
– Process
– Flow
What Physical Evidence is Available?
UAV Operational Process
• Mission Planning: Criteria, Airframe, Payload, Operator, Location, Time frame
• Approval: Business, Site logistics, Safety, Legal, Risk, Flight operations
• Execution: Logistics, Flight crew, Weather, Flight operations
• Analysis: Data validation, Product generation, Quality assurance
• Delivery: Product delivery, Product support, Lessons learned, Reporting, Billing

Each step, each component, leaves evidence and generates intelligence


UAV data flows
• GPS signals
• PIC to UAV FC via radio controller
• GCS via data link to UAV FC
• Payload operator via data link to UAV mission payload
• Telemetry to corporate network
• Data uplink to cloud
Each link, each component, leaves evidence and generates intelligence
Evidence Collection
Normal vs Forensically Sound

Vendors generally provide mechanisms for extracting some data sources from mobile applications and aircraft. These solutions are sufficient in some circumstances but are not complete or forensically sound
• Access is not provided to all data sources
• Sources may be changing during collection
Normal Data Collection
• Vendor supplied tools
• Synchronize data with vendor sites or third party applications such as iTunes
• Pull digital media and mount on computer
• Use USB connection
Forensic Data Collection
• Open case, extract digital media, use write blockers
• Mobile device forensic analysis tools for GCS
Evidence Analysis
Sensor and Sensor Data
• The type of sensor will tell you a lot about the purpose of the flight
Ø LIDAR
Ø Optical
Ø NVIR
Ø Thermal
Ø WiFi
• The sensor data and metadata will tell you a lot about where it has been, particularly since GPS data is critical for most types of missions
Sensors – EXIF Data
The purpose of a camera is to take a picture, and EXIF data tells a story about the camera
and where it was taking pictures.
• Image Description : DCIM\100MEDIA\DJI_0030.JPG
• Make : DJI
• Camera Model Name : FC300S
• Date/Time Original : 2016:03:27 10:15:57
• Create Date : 2016:03:27 10:15:57
• GPS Version ID : 3.2.0.0
• GPS Latitude Ref : North
• GPS Longitude Ref : West
• GPS Altitude Ref : Above Sea Level
• Aperture : 2.8
• GPS Altitude : 74.6 m Above Sea Level
• GPS Latitude : 40 deg 32' 15.84" N
• GPS Longitude : 89 deg 30' 50.63" W
• GPS Position : 40 deg 32' 15.84" N, 89 deg 30' 50.63" W

DJI Phantoms did not record altitude in the EXIF data, unfortunately.
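To plot where a camera was, the degree/minute/second strings in the listing have to become signed decimal coordinates. The following is an added example, not part of the original slides; it assumes the "Tag : value" text layout shown above, and the function names are illustrative.

```python
import re
from datetime import datetime

# Constructed input: lines copied from the EXIF listing above, in the same
# "Tag : value" text layout.
EXIF_TEXT = '''Make : DJI
Camera Model Name : FC300S
Date/Time Original : 2016:03:27 10:15:57
GPS Altitude : 74.6 m Above Sea Level
GPS Latitude : 40 deg 32' 15.84" N
GPS Longitude : 89 deg 30' 50.63" W
'''

DMS = re.compile(r"""(\d+) deg (\d+)' ([\d.]+)" ([NSEW])""")


def dms_to_decimal(value):
    """Convert a degree/minute/second string to signed decimal degrees."""
    m = DMS.fullmatch(value.strip())
    if m is None:
        raise ValueError(f"unrecognised coordinate: {value!r}")
    deg, minutes, seconds, hemi = m.groups()
    dec = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return -dec if hemi in "SW" else dec  # south and west are negative


def parse_tags(text):
    """Split 'Tag : value' lines into a dict; other lines are skipped."""
    tags = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def capture_point(text):
    """Return one plottable record, or None when the image has no GPS fix."""
    tags = parse_tags(text)
    if "GPS Latitude" not in tags or "GPS Longitude" not in tags:
        return None
    raw = tags.get("Date/Time Original")
    return {
        "camera": f'{tags.get("Make", "?")} {tags.get("Camera Model Name", "?")}',
        "taken": datetime.strptime(raw, "%Y:%m:%d %H:%M:%S") if raw else None,
        "lat": round(dms_to_decimal(tags["GPS Latitude"]), 6),
        "lon": round(dms_to_decimal(tags["GPS Longitude"]), 6),
    }
```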
Sensor Data - Cloud
• Consumer
– YouTube
– Facebook
– Etc
• Commercial
– Data Mapper
– Airware
– Vendor specific
Question: Where are the credentials for uploading the imagery data to the cloud?
Mobile/GCS Artifacts
UAS Exam – Launch Point Evidence
Ground Control Station
• Often a mobile device combined with a radio controller
• Vendor applications and community developed
• Looking for:
– Default settings
– Launch points, dates
– Owner name, account
Other Items
• Spare removable media
• Other UAVs
• Laptops, cell phones, tablets
UAS Exam – Ground Control Station
Using the data from the GCS, you can rapidly plot where the user was flying.
UAS Exam – Ground Control Station
Application configuration files contain interesting information
Drone Deploy:
• ajs_user_id
• %22dkovar%40kovarllc.com%22
Pix4D:
• 2016-03-27 10:34:03 [V] [WaypointCustomMissionDJI3::87] create wp at (4x.xxx689,-8x.xxx918) altitude: 50.000000
• displayBtnLogout(YES,username: dkovar@gmail.com)
• 2016-03-27 11:25:24 [D] [AppDelegate::38]
DJI Pilot:
• kUserDefaultKeyAircraftLocation – 4x.xxx448,-8x.xxx675,-1577 (My house)
• com.facebook.sdk:serverConfiguration1383125992006153 - <62706c69 73743030 …>
Physical Analysis
UAV Flight Data – Onboard & GCS
Connecting Evidence is Hard

“There is no SN number for the entire product, however, there is SN number for different components. So you could use one component SN number as the unique identifier such as Flight Controller SN number.”
- DJI
Connecting Evidence is (Not Too) Hard
"aircraft": {
  "camera_serial_number": "08TUE2LSE6023K",
  "app_type": 1,
  "name": "JHA1",
  "serial_number": "08RDDCT00104UK",
  "device_activation": 0,
  "app_version": "4.1.3",
  "type": 13,
  "controller_serial_number": "87D457711843",
  "battery_serial_number": "7865E477111"
},
Known Messages in DJI “black box”
• Vision Positioning
• Telemetry
• Flight Controls
• Gimbal
• Motor Status
• Flight Status
• Position
• Battery Status
• Battery Serial Number
• Battery Voltage
• Message Console
• Message Config
• Message ID
• Lots of unknowns still

Elements from different messages in conjunction tell important stories, such as what was in view of the camera at a moment in time.
Tactical Evidence Analysis
Home Point: 43.005427, -70.987655 at -36.63 meters.
First position: 43.005433, -70.987647 at 0.000 meters.
Last position: 43.005418, -70.987621 at 0.000 meters.
Battery barcode: 6171153330369
Battery internal serial number: 1446
Battery manufacture date: 2015-09-04 00:00:00
Battery name: ATL NVT DJ005
Battery version: v255.255.255.255
Device version: v2.4.14.5
GPS space vehicle number version: 9566
2 event messages found in the log:
Time Latitude Longitude Height
=============== ========== ========== =========
04:07:43.678000 43.005427 -70.987655 0.000
Motor start time: REQ_RC_NORMAL
04:09:53.418000 43.005349 -70.987662 1.400
Motor stop time: ACT.landing
Strategic Evidence Analysis
• What are all the launch locations known for this aircraft?
• Are any of the known locations for this aircraft at a residence or commercial facility?
• How many aircraft have flown over our facility?
• What types of aircraft have we seen?
• Was the battery on this aircraft on any other aircraft?
• Who else has seen this aircraft?
Strategic Evidence Analysis
Show all aircraft in the database that were powered on between two points in time:
{
  "_source" : ["deviceSerial", "timestamp"],
  "query": {
    "bool": {
      "must": { "exists": { "field": "eventData.MotorStart" } },
      "filter": [
        { "range" : {
            "timestamp": {
              "gte" : "1483246800000",
              "lte" : "1491624000000"
            }
          }
        }
      ]
    }
  }
}
Show the location of an aircraft at a particular point in time:
{
  "_source" : ["eventData.Gps.lat", "eventData.Gps.lon", "eventData.Pos.lat", "eventData.Pos.lon", "timestamp"],
  "size" : 10,
  "query" : {
    "bool" : {
      "must" : [
        {
          "dis_max" : {
            "queries" : [
              { "exists" : { "field": "eventData.Gps" } },
              { "exists" : { "field": "eventData.Pos" } }
            ]
          }
        },
        {
          "match" : { "timestamp" : "{{timestamp}}" }
        }
      ],
      "filter" : { "match" : { "deviceSerial" : "{{aircraft}}" } }
    }
  }
}
Strategic Evidence Analysis
Show aircraft that shared a battery
{
  "size" : 0,
  "aggs" : {
    "battery" : {
      "terms" : { "field" : "eventData.BatterySerial" },
      "aggs": {
        "aircraft": {
          "terms" : { "field" : "eventData.DeviceSerial.keyword" }
        }
      }
    }
  }
}
Excerpt of the response:
"key": "0DQADBN03100JS",
"doc_count": 69,
"aircraft": {
  "doc_count_error_upper_bound": 0,
  "sum_other_doc_count": 0,
  "buckets": [
    { "key": "07JDD9C001013H", "doc_count": 64 },
    { "key": "07JDDC2001013R", "doc_count": 5 }
  ]
}
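The shared-battery aggregation and the component serial numbers in the "aircraft" object both come down to linking records through common identifiers. The following is an added example, not part of the original slides; it does the same grouping offline and follows links transitively. The field names are taken from the "aircraft" object above, while every serial value and both function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed records shaped like the "aircraft" object above, one per
# examined artifact. Every serial number here is a made-up placeholder.
RECORDS = [
    {"serial_number": "AC-0001", "battery_serial_number": "BAT-0010",
     "controller_serial_number": "RC-0077", "camera_serial_number": "CAM-0005"},
    {"serial_number": "AC-0002", "battery_serial_number": "BAT-0010",
     "controller_serial_number": "RC-0088"},
    {"serial_number": "AC-0003", "controller_serial_number": "RC-0088"},
    {"serial_number": "AC-0900", "battery_serial_number": "BAT-0055"},
]
FIELDS = ("serial_number", "battery_serial_number",
          "controller_serial_number", "camera_serial_number")


def shared_batteries(records):
    """Battery serial -> aircraft serials, kept only when several aircraft used it."""
    seen = defaultdict(set)
    for rec in records:
        if rec.get("battery_serial_number") and rec.get("serial_number"):
            seen[rec["battery_serial_number"]].add(rec["serial_number"])
    return {bat: sorted(ac) for bat, ac in seen.items() if len(ac) > 1}


def linked_clusters(records):
    """Group serials that co-occur in a record, directly or transitively."""
    parent = {}

    def find(x):  # union-find root lookup with path halving
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for rec in records:
        # Nodes are (field, serial) pairs so equal strings of different
        # component types are never merged by accident.
        ids = [(f, rec[f]) for f in FIELDS if rec.get(f)]
        for other in ids:
            parent[find(other)] = find(ids[0])
    clusters = defaultdict(set)
    for node in list(parent):
        clusters[find(node)].add(node)
    return sorted((sorted(c) for c in clusters.values()), key=len, reverse=True)
```

Here AC-0003 never shares a battery with AC-0001, yet both land in one cluster because AC-0002 links them through a battery on one side and a controller on the other.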
Intersections
Show me intersections of:
• UAS flight with TFRs
• UAS flight with critical infrastructure
• UAS launch site with private property
• UAS “maintenance” site with known suspect’s address
• UAS flight area with fire scene
• UAS altitude with controlled airspace
• ….
Improving Tools and Process
Forensic Process
• Access the data
• Convert the data into a form that machines and humans can work with
• Analyze the data as presented by the tool
• Presentation
Often missing
• Effective integration with other tools – often copy/paste
• Alerting – ability to set triggers to perform actions when new data is added to the system
• Machine learning - patterns and connections
A Problem is “Moment in Time”
• Traditional forensic tools take a snapshot of a system at a moment in time
• UAV operation analysis requires understanding
– What multiple interacting systems did during an entire flight
– How a single UAV operated over multiple flights
– The logistics and operations of an operator’s entire UAV operation over long periods of time
All Sources – Critical
No one artifact source tells the whole story, no one solution connects all of the dots.
• If a CUAS system brought down a UAV, mobile device forensics is useless because you only have the UAV
• Evidence linking the UAV to an individual is not present on the UAV, it is on the GCS
• If the UAV is damaged, JTAG analysis may be the only option
Integration with CUAS/Observations
• Pointer records
• Temporal, geographic bounding boxes
• Fuzzy matching

• Even detection records are useful to link future physical artifacts to past observations
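One way to link a recovered flight log to earlier detection records using temporal and geographic bounds with tolerances. This is an added example, not part of the original slides; the two log positions reuse the coordinates from the tactical output earlier on the page, while the dates, the detection records, the default tolerances and the function names are constructed assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample data. DETECTIONS stand in for earlier CUAS/observer
# records; LOG_POINTS stand in for positions decoded from a recovered UAV.
DETECTIONS = [
    {"id": "det-1", "time": datetime(2017, 4, 1, 4, 8, 10), "lat": 43.0056, "lon": -70.9874},
    {"id": "det-2", "time": datetime(2017, 4, 1, 4, 8, 30), "lat": 43.0500, "lon": -70.9000},
    {"id": "det-3", "time": datetime(2017, 3, 2, 18, 0, 0), "lat": 43.0054, "lon": -70.9876},
]
LOG_POINTS = [
    {"time": datetime(2017, 4, 1, 4, 7, 43), "lat": 43.005427, "lon": -70.987655},
    {"time": datetime(2017, 4, 1, 4, 9, 53), "lat": 43.005349, "lon": -70.987662},
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371000 * asin(sqrt(a))


def match_detections(detections, log_points, max_m=150.0, max_s=60.0):
    """Return (detection id, metres, seconds) for detections near any log point.

    A detection matches when it falls inside both bounds of at least one log
    point; the closest such point is reported. The tolerances absorb sensor
    error and clock drift between systems.
    """
    matches = []
    for det in detections:
        best = None
        for pt in log_points:
            dt = abs((det["time"] - pt["time"]).total_seconds())
            dist = haversine_m(det["lat"], det["lon"], pt["lat"], pt["lon"])
            if dt <= max_s and dist <= max_m and (best is None or dist < best[1]):
                best = (det["id"], round(dist, 1), int(dt))
        if best:
            matches.append(best)
    return matches
```

Widening only the time bound turns the same function into a "has this location been visited before" query, which is how det-3 (same place, a month earlier) would surface.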
Closing Thoughts
Closing Thoughts - Connections
The UAV is paired with controller
&
The UAV is also paired with ground control station

Means unique IDs

Means forensic evidence linking devices

Closing Thoughts
The proper term for drones is sUAS – small unmanned aerial system. Take a system approach to security and investigations, do not treat the vehicle as a discrete or standalone element.

dkovar@kovarllc.com - www.kovarllc.com
