Drone Forensics- An Introduction
UAV Forensics
What is a drone?
An unmanned aircraft that can fly autonomously
Why bother to study drones?
A huge global market is emerging, with some predicting sales will grow to $12 billion
(http://uk.businessinsider.com/drone-industry-analysis-market-trends-growth-forecasts-2017-7?r=US&IR=T).
And with this comes the inevitable…
Illegal and inappropriate activity
The following are just some of the documented tasks drones have been used for:
- Illegal drug smuggling
- Invasions of privacy (voyeurism, journalism)
- Criminal damage
- Bombs
Solutions?
Apart from a shotgun/dog there are the following:
Jamming
No fly zones
Tangle-drones
The DJI Phantom 2 - an example UAV
Shown to have been hacked before (http://www.ibtimes.co.uk/drone-jailbreaking-russian-website-sells-dji-phantom-hack-remove-vital-safety-features-1627427)
The physical evidence available
This includes:
- The aircraft
- Camera
- Battery
- Mobile device
- Laptop
- Radio controller
- Wifi range extender
This translates into the following digital evidence, according to the SANS article:
- Linux (the aircraft, camera and wifi extender)
- Micro SD card
- Vendor app artefacts on both battery and radio controller
- Phone forensics
However, this is not the limit. Fingerprints, social media, maintenance logs and other
avenues of evidence exist.
Inside the UAV
The UAV contains Linux, receivers, cameras, GPS, wifi modules, a main board, battery,
battery board and many other things, as illustrated by the image below (courtesy of the
article):
The UAV CPU
The flight controller is the core system, and it has many options for use, both open source and
commercial.
Before Beginning the forensics
You must appreciate the complexity and customisation aspects
You must also determine what you are trying to solve/investigate
Guidance
Be aware it is not one new device, but a lot of different bits of hardware, running multiple
firmware and software.
This will dictate the procedure, e.g. you would approach it differently knowing it is Windows
rather than an iOS device.
Example Scenario
A drone is found on the front yard of a local estate
The examiner wants to know: who owns it; how it got there; where it was pre-crash; where it
was going; what the purpose of it was.
Examination
Note the 606… under the barcode - this is the MAC address
Model number and serial number are both present
Typing in the serial number gave the following site:
http://www.aviationdb.com/Aviation/Aircraft/7/N7966K.shtm
which tells us it is a DJI Phantom Vision
Linux Systems on the DJI Phantom
The Phantom should be connected to an OpenWRT AP
Available on the website
Using the Linux dd utility, an image of the drone can be acquired
Note: most of the flight data is in RAM
There is little data of use other than sensor data on removable media
*Due to a current lack of knowledge on my part (I’m working on it!), the focus now assumes you have the
data and can read it.
Sensor Data
Will tell you a lot about the purpose of the flight
This will also tell you a lot about where the drone has been
Optical data
Most common sensors include GoPro, DJI, Canon and Sony
Prosumer and professional are also available
Artefacts include
The image
EXIF data
Location
SD card
EXIF Data
Covered in a previous post
Note: Altitude is not recorded
Cloud data
Credentials
Uploads
Potential of finding launch points!
Look for other devices such as other UAVs
Note: the DJI Vision app records the time and location of the Ground Control Station each time it starts up
This can be used to plot where the user was flying
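The EXIF location artefacts above (and the "altitude is not recorded" caveat) and the search for launch points can be worked through in code. This is an added example, not from the original post: it takes GPS IFD dictionaries of the shape PIL returns for EXIF tag 0x8825, converts them to decimal degrees, leaves altitude as None when the camera did not store it, and picks the earliest timestamped frame as a launch-point candidate. The sample frames are constructed, not taken from a real image.

```python
from datetime import datetime

# GPS IFD tag numbers from the EXIF 2.3 specification
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4
GPS_ALT_REF, GPS_ALT, GPS_TIMESTAMP, GPS_DATESTAMP = 5, 6, 7, 29

def _rational(r):
    # EXIF RATIONAL is a (numerator, denominator) pair; a zero denominator is corrupt, not fatal
    num, den = r
    return num / den if den else 0.0

def dms_to_decimal(dms, ref):
    # degrees/minutes/seconds rationals plus N/S/E/W reference -> signed decimal degrees
    deg, minutes, sec = (_rational(x) for x in dms)
    value = deg + minutes / 60 + sec / 3600
    return -value if ref in ("S", "W") else value

def parse_gps_ifd(gps):
    """gps maps GPS IFD tag numbers to raw values (the shape PIL returns for IFD 0x8825).
    Returns lat/lon, altitude (None when the camera did not record it, as the Phantom
    Vision does not) and a timestamp when GPSDateStamp and GPSTimeStamp are both present."""
    if GPS_LAT not in gps or GPS_LON not in gps:
        return None  # this frame carries no fix
    fix = {"lat": dms_to_decimal(gps[GPS_LAT], gps.get(GPS_LAT_REF, "N")),
           "lon": dms_to_decimal(gps[GPS_LON], gps.get(GPS_LON_REF, "E")),
           "alt": None, "time": None}
    if GPS_ALT in gps:
        alt = _rational(gps[GPS_ALT])
        below_sea = gps.get(GPS_ALT_REF, 0) in (1, b"\x01")  # PIL may return int or bytes
        fix["alt"] = -alt if below_sea else alt
    if GPS_TIMESTAMP in gps and GPS_DATESTAMP in gps:
        h, m, s = (int(_rational(x)) for x in gps[GPS_TIMESTAMP])
        day = datetime.strptime(gps[GPS_DATESTAMP], "%Y:%m:%d")
        fix["time"] = day.replace(hour=h, minute=m, second=s)
    return fix

def launch_candidate(frames):
    # earliest timestamped fix across the media: a candidate launch point, not proof of one
    fixes = [f for f in (parse_gps_ifd(g) for g in frames) if f and f["time"]]
    return min(fixes, key=lambda f: f["time"]) if fixes else None

# Constructed sample GPS IFDs (not from a real image): no altitude tag, frames out of order
SAMPLE_FRAMES = [
    {1: "N", 2: ((51, 1), (30, 1), (0, 1)), 3: "W", 4: ((0, 1), (7, 1), (396, 10)),
     7: ((12, 1), (31, 1), (0, 1)), 29: "2017:07:01"},
    {1: "N", 2: ((51, 1), (30, 1), (360, 10)), 3: "W", 4: ((0, 1), (7, 1), (0, 1)),
     7: ((12, 1), (30, 1), (5, 1)), 29: "2017:07:01"},
    {7: ((12, 1), (29, 1), (0, 1)), 29: "2017:07:01"},  # timestamp but no fix: skipped
]
```

With real media, build the frame list from each image's GPS IFD and compare the candidate against GCS startup locations from the app.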
Application config files
Contain interesting attributes such as emails
User flying with waypoints etc
Also: account information on the DJI website
Home and office Evidence
Maintenance, logging and business systems
- often contain logs of flights
- client and accounting data
Potential of CPU and RAM if not cloud based
A flying UAV: what can be done?
Real-time analysis with codes
Hijacking!
Done by identifying the SSID, deauthenticating the UAV, and then capturing its attempt to re-establish the
link, which, once established, is under the hijacker's control
Analysis of other UAVs
PixHawk Flight Controller - can show crashes and maps
Closing it up
Focusing on Ground Control Stations and post-processing systems, together with analysis of sensor data, will give
the majority of what's needed
Pairing means unique IDs, which makes tracking easier
The researcher notes that NO UAV analysis tools were used