Digital Forensics is ready for its latest challenge: Drones
Crime Scenes these days contain Drones instead of Phones, paving way for Drone Forensics.
Drones are termed as ‘Unmanned Aerial Vehicles’ (UAV). In the recent years, owning a drone became as trendy as owning Fidget Spinners. However, the latter was easily affordable, harmless and didn’t support sinister activities.
According to Statista, the retail consumer drone market is expected to grow up to 3.3 billion U.S. dollars globally. The U.S Federal Aviation Administration (FAA) reported more than 1 million Drone operators registered with the government last year (Source: Forensic Focus).
As manufacturers offer affordable and mobile app supported drones, the retail consumer market is growing enormously.
SZ DJI Technology Co. Ltd, A Chinese company emerged as the biggest drone manufacturer and continues to dominate the consumer market. Last year, it released two series of enterprise products, Phantom 4 RTK and Mavic 2, aimed at industrial users.
Drones became popular as people used them to take aerial pictures and record videos of breath-taking views or cover events. Law enforcement agencies used them to span massive geographic locations and monitor traffic conditions. Moreover, companies like Amazon and UPS expected to use drones for deliveries.
However, the increase in popularity and easy access led to an increase in the number of drone incidents as criminals leveraged these devices to conduct sinister activities.
According to The National Institute of Standards and Technology (NIST), drones have been spotted delivering cell phones, dropping contraband over prison walls. In other cases, drug traffickers have used drones to supply drugs across border (Source: NBCS).
Drones also pose a threat to security and raise privacy concerns. There have been incidences where UAVs were used to spy on neighbours, stalk people and surveil military installations and sensitive institutions (Source: inside unmanned systems).
Recently, the Gatwick drone incident where a drone caused major travel disruption affecting 1000 flights and 140000 passengers in London, between 19 and 21 December 2018, has sparked urgent need for stricter laws, counter-drone technologies and Drone Forensics.
Dedrone provides a list and account of drone incidences across the globe:
Therefore, Digital Forensic Investigators play an important role in the emerging field of Drone Forensics. They can extract data from these complex devices and develop digital footprints leading to suspects of crimes.
Extraction of Data
A Drone recovered from a scene of crime contains information on its owner, flight paths, launch location and landing destination, photos and videos that enables investigators to pinpoint suspect.
This leads to our first question: Where is the data located?
Investigators gather evidence from the physical device: drone, its batteries, sensors, remote controller, ground control stations (GCS) like cell phones or tablets and computers used to process data related to drone.
Secondly, What kind of data is accessed?
David Kovar and Joel Bollo listed the following data sources in Digital Forensics Magazine:
· Serial number that can be used to trace the owner
· Version numbers for firmware
· Software supporting the system and its logs
· Information on change of state: launch/land, manual/waypoint operation and GPS available/unavailable
· Geo-location information for launch, land and home point locations
· Flight track data
Lastly, what is the process?
There are various types of drones with different technical elements, making the data extraction process tricky. According to Forensic Focus, there is no single standard method to store digital data on drones.
Investigators sometimes get more drones of the same type, as that of subject drone, and practice before conducting the extraction process. Since the extraction process can differ from drone to drone.
Some drones allow data extraction while being intact. Other drones require disassembly of complete device down to its chips. Whereas, the rest require disassembly of only the aircraft components.
The best approach is to obtain a Forensic image containing complete data extraction of the drone. NIST maintains a repository of forensic images from mobiles, tablets, PCs, hard drives and other storage media.
In particular, Computer Forensic Reference Datasets (CFReDs) is the repository that provides investigators documented sets of digital evidence (forensic images) to work with, for their cases.
Forensic Images
A section of CFReDS is dedicated to drones containing popular drone models and makes (Source: NIST). The forensic images within CFReDS were contributed by VTO Labs, renowned cybersecurity and digital forensics firm.
“The forensic images contain all the 1s and 0s we recovered from each model,” -Steve Watson, CTO at VTO Labs.
Watson worked with three drones of each model and conducted data extraction using all three methods: keeping one intact, disassembling camera and circuit board of another and complete disassembly down to chips of the other.
Data was also extracted from pilot controls and other devices remotely connected to the drones.
He created industry standard forensic images with step-by-step photo instructions for each model.
These data sets not only set standards for investigators, but help universities and forensic labs conduct research, training and testing.
Therefore, Investigators use CFReDS to practice recovering data, validate tools, analyse images using forensic software tools and train others. Moreover, software developers use it for testing forensic programs.
Drone Forensic Technologies
When a drone is found on a crime scene, how does investigation take place?
Initial examination of suspect drone involves three steps, as below:
Following the above procedures, the extraction then, takes place using forensic software to obtain complete data acquisition of file systems and media.
Investigators in digital forensics first look for data storage areas on drones such as SD card to image the media and conduct a review of its content.
Experts then use software such as Forensic Toolkit FTK by Access Data to extract data from drones and perform comprehensive investigation.
For example, Investigators have successfully found images, videos, flight logs and information on the operating system used for the device.
These days, physical acquisition of device isn’t enough. Especially, in cases where a drone is damaged and extraction fails.
Also, as drones get manufactured with app support on Android and iOS smartphones and tablets, some of the data is stored on online user accounts and drone manufacturer’s cloud.
Therefore, drone forensics employs cloud forensics to find evidence and information on suspects in cases where physical acquisition of device isn't enough.
Oxygen Forensic Detective is a tool that not only extracts digital evidence from drone’s storage but allows decoding, parsing and presenting it in a readable form.
When there is App support, it enables extraction of user information such as address, log-in credentials, password. Also, cache info, user files, deleted data and other information collected by control apps on user’s smartphone/tablet (Ground Control Station GCS).
When there is No App support, investigators use DROP (DRone Open source Parser) SQLite Viewer to convert data to readable formats, build queries, link databases and search through them. Also, to export data to a report manually.
Currently, Oxygen Forensic Detective supports 46 cloud services, 2FA (Two-factor Authentication) support and its manufacturer Oxygen Forensics provides exclusive support for Samsung, Huawei, Mi cloud, WhatsApp servers etc.
Example:
According to Forensic Focus, the Oxygen Forensic Detective tool has cracked a method to extract information from DJI drones that store data on user’s online account.
The tool can access data with user’s login and password. In cases, where the password is not available, experts use authentication token obtained from user’s device that accessed the cloud. Another method is to use cloud extractor that enables login without a username and password.
Conclusion
Drone Forensics is an emerging field in Digital Forensics. With the rise of drone incidences across the globe, it is crucial for law enforcement across the globe to have counter drone plans ready.
Forensic images contributed by VTO Labs on NIST provide scope for development and testing of drone forensic tools. Tools such as Oxygen Forensic Detective and Access Data software currently aid in investigation. Today, Investigators are able to image the media from a drone and extract flight logs, photos and videos and key data that can be used to trace back its user/owner and pinpoint suspects of drone related crimes.
However, Digital forensic techniques for retrieving data from drones aren’t enough for investigations. With advanced drone models hitting the market, digital forensic software tools and techniques must undergo extensive upgrades alongside.