See original article published on Paraben

UAV Forensics for First Responders

By David Kovar & Greg Dominguez

Unmanned Aerial Vehicles (UAVs), aka drones, continue to gain popularity with commercial and hobby operators domestically. Unfortunately, ISIS and other non-state actors are finding consumer UAVs to be extremely effective on the battlefield, malicious actors are using them domestically for surveillance and payload delivery, and civilians use them while violating long standing laws such as voyeurism and disturbing the peace.

UAV forensics was once an interesting theoretical exercise, now it is a legitimate discipline with law enforcement and private sector practitioners. This article is designed to bring public and private sector first responders up to speed on UAV forensics and provide them with a straightforward approach to responding to a UAV related incident.

Complex Systems

It is critical to remember that UAVs are complex systems, particularly when collecting evidence from them. The UAV has a number of onboard systems and a range of possible sensors and onboard media. More importantly, one or more devices that also contain a wealth of relevant data are used to control the UAV. Finally, the UAV and/or the associated devices may upload data to cloud providers in real time or at the conclusion of the mission, adding another facet to the collection process.

All of these components are involved in a complex, often real time, flow of telemetry, sensor, and environmental data in clear text, binary, and encrypted forms.

Schema

Complex Market

DJI has an estimated 75% share of the consumer/commercial market, but there are a variety of other vendors in the space including 3DR, Parrot, and Yuneec to name a few. DJI has multiple product lines of which Phantom, Inspire, and Mavic are the most common. Each model may utilize a different flight controller (essentially, the CPU), different media storage, different encryption formats, and different mobile device applications. The version of the onboard firmware and the application and version of the application used to control the UAV will change the behavior of the UAV and the nature of the data logged.

Well before DJI came on the scene there was an active home built community which thrives to this day. All of the physical and electronic components for building any type of UAV can be sourced individually and a completely custom aircraft, including 3D printed frames, can be built for under $500. The code for the flight controller firmware and for the applications used to control the UAV is available as open source. Home built or DIY (Do IT Yourself) UAV’s add an additional level of complexity because of the wide range of possible components.

Responding to a UAV Incident

Despite the complexities described previously, collecting evidence from a UAV is a relatively straightforward task that should be familiar to anyone who has collected digital evidence from typical computing systems. And, similar to collecting evidence from a laptop computer, a little preparation goes a long way.

 

Documentation

The “UAV Acquisition Form” available from http://goo.gl/b8yOLh guides the responder through the steps to document the collection of the following items:

  • The UAV
  • The ground control station. This is normally a traditional mobile device running vendor or third party applications to control the UAV
  • The radio controller, which generally looks like a large game controller with two joy sticks and one or more antennas
  • Any additional media cards or mobile devices associated with the operation of the UAV
  • Any data/video link equipment
  • Any related equipment such as batteries, cases, and SD cards

The form is intended as a guide and the reader should evaluate and adjust the form to align with his or her own policies, requirements, and workflow.

 

Collection

If possible, the UAV and all associated media and devices should be collected, tagged, and brought to a forensic laboratory for further collection and analysis efforts. The media onboard the UAV is often difficult to access via cables or via direct physical access. Extracting application data from mobile devices requires specialized forensic training and equipment.

If collection of digital evidence must be performed in the field, the responder must be well prepared with appropriate equipment and knowledge of evidence collection techniques relating to specific vendors and models of UAVs.

In general, the onboard flight controller, the UAV’s CPU, will provide access to the onboard flight logs if appropriately configured, similar to entering BIOS setup on a Windows PC. Once in this mode, logs may be collected by mounting the onboard file system via a USB cable and imaging the media or copying the files.

Obtaining access to data maintained by the wide variety of mobile device applications is, unfortunately, beyond the scope of this article. Responders should collect an image of the entire mobile device if possible.

 

Safety

There are two primary safety risks associated with UAVs – fire and blade or rotor impact.

The LiPo batteries used by UAVs provide high density energy storage. While generally safe, LiPo batteries may rapidly discharge stored energy if physically damaged, subjected to high heat, or otherwise mistreated. The best approach to collecting and storing LiPo batteries is to place them in fire resistant bags specifically designed for transporting and storing such batteries. If such bags are unavailable, transport and store UAV batteries as you would other potentially flammable materials.

UAV rotors and propellers are generally made from very strong materials with a relatively sharp leading edge. The rotors spin in excess of 2,000 RPM and often much higher. Starting the motors requires a specific command from the ground control station that is unlikely to occur accidentally, but it is best to stay away from the rotors until the power supply is removed from the UAV. If the power supply cannot be removed, then remove the rotors with great care.

Conclusion

In many ways, UAV forensics is where cell phone forensics was 15 years ago. As a community, we developed sound forensic tools and practices to address those new challenges. That experience, and the advancement of digital forensics in general over the last 15 years, provides a solid foundation for constructing the tools and practices to address this new frontier of UAV forensics.