Drone Forensics - DFRWS


Drone Forensics
An update on a U.S. Department of Homeland Security R&D Project
Steve Watson, Principal Investigator

Acknowledgement & Disclaimer
This material is based on research sponsored by the United States Department of Homeland Security (DHS) Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD) via contract number HHSP233201700017C.
The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Department of Homeland Security.

Team Profile
VTO is a recent technology startup focused on digital forensics, data recovery, and cyber security.
Small team of industry veterans with deep experience in hardware analysis and hardware deconstruction to access data.
Principal Investigator chairs SWGDE Forensic Committee and NIST OSAC Working group on Mobile and Embedded Device Forensics.

Drone Forensics

Customer Need
At the time of project proposal, no industry tools existed to retrieve data from consumer and professional drones.
Limited research focused on logical data acquisition.
Drones continue to fly and land in places they should not with no processes to identify evidentiary data.

Approach - Device Analysis
Complete physical analysis of interrogated consumer and professional drones including teardown.
Identification and consolidation of existing technical information online.

Approach - Data Acquisition
Identification of data acquisition methodologies available against interrogated devices.
Logical acquisition methods.
Serial/JTAG/debug acquisition.
Chip-off acquisition against flash storage and microcontrollers on devices.
Acquisition methods and sample data will be made available to community for further research.

Goals
1. Establish base scientific research regarding the application of existing digital forensics techniques against consumer and professional level drones.
2. Identify procedures and practices that can be utilized by digital forensics service providers (gvt/le/mil/pvt) for the successful extraction of data from drone/sUAS systems.
3. Share results with the community to support and strengthen law enforcement efforts against these devices.

Scope
Twenty 30 consumer and professional drones.
Available to anyone for purchase.
Identify data artifacts of evidentiary value.
Identify methods and process to extract data.
Share results with digfor community.

1 DJI Phantom 3
2 DJI Phantom 4
3 DJI Spark
4 DJI Inspire 1
5 Yuneec Typhoon
6 Parrot Disco
7 DJI Mavic Pro
8 Parrot Bebop 2
9 DJI Inspire 2
10 Yuneec Q500 4K
11 Yuneec H520
12 DJI Matrice 600
13 DJI Agras
avic Air
18 Ryze Tello
19 DJI Phantom 4 Pro V. 2.0
20 Aion Robots R1 Rover
21 Skydio R1
22 Handbuilt Ardupilot
23 Skyviper V2450 GPS

Process
1. Procure devices
2. Salt devices with data
3. Interrogate devices in lab
4. Apply digital forensics techniques against devices
5. Publish results
6. Support DigFor community

Process - Procure Devices
Identify industry penetration of consumer and professional level drones.
Procure devices.
Twenty (20) Thirty (30) device models in scope for program.
Three (3) devices of each model
Sixty (60) Ninety (90) drones total

Process - Salt Devices
Control the variables
All 60 devices are flown at same location
1,800 acre ranch in the mountains of Colorado
Geofenced location
Time/date identified
Geolocation/time/date variables critical for parsing unknown data systems.
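
Added example (not from the original slides or the project's tooling): one way the known salting values can be used to locate records in an unknown binary format, by scanning an acquired image for coordinates inside the geofence and timestamps inside the flight window. The geofence box, time window, candidate encodings and sample bytes are all constructed assumptions.

```python
import struct

# Constructed salting values (assumptions; not the project's real site or dates).
GEOFENCE = {"lat": (39.00, 39.05), "lon": (-105.60, -105.50)}
FLIGHT_WINDOW = (1528000000, 1528090000)  # Unix seconds, constructed

# Assumed candidate encodings for a coordinate: struct format and scale to degrees.
ENCODINGS = {"f64le": ("<d", 1.0), "f32le": ("<f", 1.0), "i32le_e7": ("<i", 1e-7)}

def scan_coordinates(blob):
    """Find adjacent lat/lon pairs, at any byte offset, that land inside the geofence."""
    hits = []
    for name, (fmt, scale) in ENCODINGS.items():
        size = struct.calcsize(fmt)
        for off in range(len(blob) - 2 * size + 1):
            lat = struct.unpack_from(fmt, blob, off)[0] * scale
            lon = struct.unpack_from(fmt, blob, off + size)[0] * scale
            # NaN and out-of-range garbage fail both comparisons and are skipped.
            if (GEOFENCE["lat"][0] <= lat <= GEOFENCE["lat"][1]
                    and GEOFENCE["lon"][0] <= lon <= GEOFENCE["lon"][1]):
                hits.append((off, name, lat, lon))
    return hits

def scan_timestamps(blob):
    """Find little-endian uint32 Unix times that fall inside the known flight window."""
    hits = []
    for off in range(len(blob) - 3):
        ts = struct.unpack_from("<I", blob, off)[0]
        if FLIGHT_WINDOW[0] <= ts <= FLIGHT_WINDOW[1]:
            hits.append((off, ts))
    return hits

def candidate_records(blob, max_gap=16):
    """Pair each coordinate hit with timestamps within max_gap bytes: likely one record."""
    times = scan_timestamps(blob)
    return [(t_off, c_off, enc) for c_off, enc, _, _ in scan_coordinates(blob)
            for t_off, _ in times if abs(c_off - t_off) <= max_gap]

def build_sample():
    """Constructed stand-in for an acquired image: filler, one unknown-format record, filler."""
    record = struct.pack("<Idd", 1528041600, 39.03125, -105.5625)
    return b"\xff" * 37 + record + b"\x00" * 20

if __name__ == "__main__":
    for t_off, c_off, enc in candidate_records(build_sample()):
        print(f"timestamp @ {t_off}, coordinates @ {c_off} ({enc})")
```

Offsets where a timestamp and a coordinate pair sit close together are the starting point for working out the record layout around them.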

Process - Lab Interrogation
1. Documented teardown of each device. DSLR and microscope photographs
2. Identification of data storage areas on device.
3. Investigation of every integrated circuit package.

Process - Application of Digital Forensic Techniques
Logical and physical acquisitions attempted against every drone.
1. Logical acquisitions of file systems
2. Physical acquisitions of intact media and integrated circuit packages
3. Serial attempts against devices for data acquisition and device compromise.

Process - Publish Results
1. Results published at www.droneforensics.com.
2. Publication of papers to journals to establish baseline scientific research.

Process - Publish Results
NIST CFReDS Project
CFReDS – computer forensic reference data sets
Drone datasets added as an official reference set by NIST.

Process - Reports
Complete reports will be available on each model.
Three reports completed.
Eight more to drop soon.

Slick Sheets
1. Non-Technical First Responder
2. Technical First Responder
3. Digital Forensics Lab Team

Interesting Information So Far
Successful data acquisitions on all devices attempted so far
23 models, 69 drones
Over 1.3TB of data acquired so far.
Interesting data on drones, controllers, connected mobile devices.
1 security vulnerability discovered.

microSD Cards Glued onto Circuit Board
DJI Models typically have an internal microSD card glued onto the circuit board
Carefully remove the glue to loosen the microSD card
Image the microSD per normal physical acquisitions processes

Conformal Coatings
Immature conformal coatings identified on drones manufactured by Chinese companies
Obfuscates and complicates chip removal
Industry standard - IPC7711/7721.

Custom ASICs
Custom integrated circuit packages designed specifically for the manufacturer for this purpose.
Difficult to identify adapters to read data.
Will be challenges to parse unknown structures.

Surprises in Plain View
Parrot SkyController 2

Further Research Questions
More drones.
Different firmware versions – future and historical.
Drone swarms.

www.droneforensics.com

stevewatson@vtolabs.com
