By: Navid Kagalwalla
August 11, 2020
UAV Forensics Analysis
By: Navid Kagalwalla
August 11, 2020
Digital Forensics’ Latest Challenge: UAVs
Unmanned Aerial Vehicles (UAVs), also referred to as drones, are aircraft piloted by remote control or on-board computer designed for use in several environments such as security, disaster response, construction monitoring, agricultural mapping, and even recreation. According to a Gartner forecast , drones' production and shipment for personal and commercial use is growing rapidly with global market revenue from drones expected to grow more than $11.2 billion in 2020. The increasing popularity and widespread usage of UAVs make it a valuable part of digital forensic investigation. While UAVs will soon be ubiquitous, the security and prevention of exploitation of vulnerabilities present in UAVs by hackers have not been given the needed importance. UAV Forensic Analysis is relatively less studied compared to other popular disruptive technologies, such as cloud computing or fog computing. This is a cause of concern since the number of skilled individuals who possess the expertise to perform UAV data analysis is limited. While many companies like Amazon or Uber claim that in the near future, products’ deliveries will be done by hi-tech drones, but in some prisons, drone delivery is already established. Drones with drugs, cell-phones, and other contraband have already been spotted flying over prison walls. Some drug dealers even use drones to ferry drugs over international borders. Drones that can shoot 4K videos with advanced sensors and processors to ensure everything is captured with more image detail are commonly available. This can lead to malicious actors invading individuals' privacy and used by robbers to case houses before robbing them. Although NIST has included forensic images of 14 popular drones in its Computer Forensic Reference Dataset, with sample digital evidence for investigators, there still aren’t any published guidelines for UAV forensics.
UAV Forensic Challenges
Until lately, UAV forensics and data analysis were conducted only by UAV enthusiasts, fan communities, and a few academics. The tools used for forensic analysis were open-source tools that provide limited data, weren’t forensically sound, and thus are not admissible in a court of law. UAVs have a ton of digital evidence available, but there is a myriad of drones available, each with its quirks. Forensic data is available from multiple sources while conducting a UAV Forensic analysis. A UAV contains a Ground Control Station, which is the drone's flight control portion and may include manual or automatic features. The Data Link is a radio system used to transmit data to and from the drone and is often used to transmit sensor and telemetry data. While conducting a UAV Forensic Analysis, both physical and digital evidence must be considered.
The physical evidence includes the drone itself and its camera, the battery, the radio controller with a Wifi range extender, and the mobile phone or laptop it connects to for data transfer. All of the above physical devices have digital evidence stored on them. The aircraft may have an embedded Linux system on it and a micro SD card. The camera may have another embedded Linux system on it. The Wifi range extender may have an OpenWrt system to route network traffic. The radio controller may have firmware on it, accessible via the vendor application, and could be running Windows or OS X. A mobile phone could also be the ground control station. The physical evidence to be analyzed would include the drone (flight controller and sensor), ground station (data link, ground controller, and radio controller), and support and post-processing systems (image and video processing). The digital evidence to be analyzed could include several operating systems, like the mobile OS, traditional OS, embedded Linux systems, a variety of file systems such as JFFS2, media storage, and firmware. In addition to the digital and physical forensic data, mission planning and maintenance logs, social media, and fingerprints must be considered . Thus the number of sources of UAV Forensic data to cover makes drone data analyses challenging.
Points to Consider while Conducting UAV Forensics
1. Problem The problem which the forensic investigation aims to solve must be defined. The forensic investigation could be about a deliberate crash, theft, privacy abuse, etc. The data gathered must be possible in a court of law to prosecute the malicious actor who caused the problem.
2. UAV Characteristics There are numerous types of drones, each having a different make and model with various features . It is crucial to identify the correct drone make and model to identify the various capabilities, storage options, peripheral devices, and ports. A UAV contains a lot of different hardware, each running its firmware and software. A UAV Forensic analyst must know which operating systems, software, file systems, and media storage are being used by the drone, which is to be investigated. This will enable the analyst to understand how to extract the drone's information in a forensically sound manner. The forensic analyst should know how to communicate with the drone, using Bluetooth, USB, Wifi, etc.
3. Evidence A UAV has many features, including obstacle detection, video transmission, 4K image capabilities, and long flight times. Most UAVs possess a ‘return to home’ capability, enabling the UAV to record the route as it flies, allowing it to return along the same route to avoid obstacles if the control signal is disconnected. These features enable the analyst to understand what evidence is needed to prosecute the accused properly. Return to home capabilities may provide the address of the drone owner. Video transmission capabilities have a certain range and occur at a certain frequency. The range would provide the analyst with an idea of where the owner is, and the frequency would help in retrieving data. Image capabilities provide the analyst with an idea of what the malicious actor intended to do. The analyst must understand and retrieve drone log and maintenance data, which form an important part of reporting. A sound evidence documentation and reporting process can have a significant influence on the likelihood of a conviction.
UAVs will play an important role in the future in many aspects of life. They will enable timely response and aid to people stuck in disaster zones, provide efficient delivery of goods and food to one and all, serve as a guard by monitoring activity over facilities, like prisons and banks, and survey environmental and agricultural conditions by providing real-time data to scientists. The widespread use of UAVs must be accompanied by an adequate forensic guideline that provides analysts with an idea of how to extract data that is permissible in court to convict those malicious users who use UAVs for anti-social, evil, or disruptive activities. Forensically sound tools must be developed, which parse through the data and provide human-readable output. The specifications of different drones must be understood, and the data on various operating systems and software used must be available. To ensure the safe use of drones without any untoward incidents, developing a robust UAV Forensic process is urgently important.
 - https://www.gartner.com/en/newsroom/press-releases/2017-02-09-gartner-says-almost-3-million-personal-and-commercial-drones-will-be-shipped-in-2017  - https://integriography.files.wordpress.com/2016/06/uav-forensics-ts16-final-distribution.pdf  - https://arxiv.org/pdf/1804.08649.pdf