UAV (aka drone) Forensics - Kovar

Post on 23-Mar-2018


UAV (aka drone) Forensics

“Ok, you’ve shot it down, now what?”

Why is this Relevant?

Controlled Use Technologies
•  Counter UAS (CUAS) solutions beyond detection are currently illegal to use domestically, with very limited exceptions
•  Lots of pressure to enable full CUAS use for prisons, critical infrastructure, major public events
•  “Ok, you’ve shot it down, now what?”

Growing Collections of Found UAVs
•  UAVs found on property in many sectors
•  Little understanding of inherent value
•  Little means to recognize value
•  You can start understanding the threat actors and their motivations even without CUAS

Sources of UAV Forensic Artifacts

Potential Sources – Three Views
There are three ways of thinking about Unmanned Aerial Systems that help an investigator identify all of the potential sources of forensic artifacts.
– Physical
– Process
– Flow

What Physical Evidence is Available?

UAV Operational Process: Mission Planning → Approval → Execution → Analysis → Delivery
‣  Criteria
‣  Airframe
‣  Payload
‣  Operator
‣  Location
‣  Timeframe
‣  Business
‣  Site logistics
‣  Safety
‣  Legal
‣  Risk
‣  Flight operations
‣  Logistics
‣  Flight crew
‣  Weather
‣  Flight operations
‣  Data validation
‣  Product generation
‣  Quality assurance
‣  Product delivery
‣  Product support
‣  Lessons learned
‣  Reporting
‣  Billing

Each step, each component, leaves evidence and generates intelligence

UAV data flows
GCS via datalink to UAV FC
Payload operator via datalink to UAV mission payload
GPS signals
Data uplink to cloud
PIC to UAV FC via radio controller
Telemetry to corporate network

Each link, each component, leaves evidence and generates intelligence

Evidence Collection

Normal vs Forensically Sound
Vendors generally provide mechanisms for extracting some data sources from mobile applications and aircraft. These solutions are sufficient in some circumstances but are not complete or forensically sound:
•  Access is not provided to all data sources
•  Sources may be changing during collection

Normal Data Collection
•  Vendor supplied tools
•  Synchronize data with vendor sites or third party applications such as iTunes
•  Pull digital media and mount on computer
•  Use USB connection

Forensic Data Collection
•  Open case, extract digital media, use write blockers
•  Mobile device forensic analysis tools for GCS

Evidence Analysis

Sensor and Sensor Data
•  The type of sensor will tell you a lot about the purpose of the flight
   Ø LIDAR
   Ø Optical
   Ø NVIR
   Ø Thermal
   Ø WiFi
•  The sensor data and metadata will tell you a lot about where it has been, particularly since GPS data is critical for most types of missions

Sensors – EXIF Data
The purpose of a camera is to take a picture, and EXIF data tells a story about the camera and where it was taking pictures.

•  Image Description : DCIM\100MEDIA\DJI_0030.JPG
•  Make : DJI
•  Camera Model Name : FC300S
•  Date/Time Original : 2016:03:27 10:15:57
•  Create Date : 2016:03:27 10:15:57
•  GPS Version ID : 3.2.0.0
•  GPS Latitude Ref : North
•  GPS Longitude Ref : West
•  GPS Altitude Ref : Above Sea Level
•  Aperture : 2.8
•  GPS Altitude : 74.6 m Above Sea Level
•  GPS Latitude : 40 deg 32' 15.84" N
•  GPS Longitude : 89 deg 30' 50.63" W
•  GPS Position : 40 deg 32' 15.84" N, 89 deg 30' 50.63" W

DJI Phantoms did not record altitude in the EXIF data, unfortunately.
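As an added example (not from the slides), a small Python parser that reads exiftool-style "Tag : Value" lines like those above, converts the degrees/minutes/seconds GPS strings to decimal degrees for plotting, and returns None for a photo that carries no GPS tags. The tag names follow exiftool output and the sample text is constructed.

```python
import re

# Constructed excerpt in exiftool "Tag : Value" style, modelled on the
# Phantom EXIF slide (assumption: tag names follow exiftool's output).
EXIF_TEXT = """\
Make : DJI
Camera Model Name : FC300S
GPS Latitude Ref : North
GPS Longitude Ref : West
GPS Altitude : 74.6 m Above Sea Level
GPS Latitude : 40 deg 32' 15.84" N
GPS Longitude : 89 deg 30' 50.63" W
"""

DMS_RE = re.compile(r'''(\d+) deg (\d+)' ([\d.]+)" ([NSEW])''')


def parse_exif(text):
    """Split exiftool-style lines into a dict of tag -> raw value string."""
    tags = {}
    for line in text.splitlines():
        if " : " not in line:
            continue  # not a tag line (blank, banner, etc.)
        key, value = line.split(" : ", 1)
        tags[key.strip()] = value.strip()
    return tags


def dms_to_decimal(dms):
    """Convert e.g. 40 deg 32' 15.84" N to 40.537733 (S and W negative)."""
    m = DMS_RE.fullmatch(dms.strip())
    if not m:
        raise ValueError(f"unrecognised coordinate: {dms!r}")
    deg, minutes, seconds, hemi = m.groups()
    value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return -value if hemi in "SW" else value


def image_position(text):
    """Return (lat, lon, altitude_m) from an EXIF dump, or None if no GPS."""
    tags = parse_exif(text)
    if "GPS Latitude" not in tags or "GPS Longitude" not in tags:
        return None  # photo carries no position: nothing to plot
    lat = dms_to_decimal(tags["GPS Latitude"])
    lon = dms_to_decimal(tags["GPS Longitude"])
    alt_field = tags.get("GPS Altitude")  # "74.6 m Above Sea Level"
    alt = float(alt_field.split()[0]) if alt_field else None
    return lat, lon, alt


if __name__ == "__main__":
    print(image_position(EXIF_TEXT))
```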

Sensor Data - Cloud
•  Consumer
   –  YouTube
   –  Facebook
   –  Etc
•  Commercial
   –  DataMapper
   –  Airware
   –  Vendor specific

Question: Where are the credentials for uploading the imagery data to the cloud?

Mobile/GCS Artifacts

UAS Exam – Launch Point Evidence
Ground Control Station
•  Often a mobile device combined with a radio controller
•  Vendor applications and community developed
•  Looking for:
   –  Default settings
   –  Launch points, dates
   –  Owner name, account

Other Items
•  Spare removable media
•  Other UAVs
•  Laptops, cell phones, tablets

UAS Exam – Ground Control Station
Using the data from the GCS, you can rapidly plot where the user was flying.

UAS Exam – Ground Control Station
Application configuration files contain interesting information

DroneDeploy:
•  ajs_user_id
•  %22dkovar%40kovarllc.com%22
Pix4D:
•  2016-03-27 10:34:03 [V][WaypointCustomMissionDJI3::87] create wp at (4x.xxx689,-8x.xxx918) altitude:50.000000
•  displayBtnLogout(YES, username:dkovar@gmail.com)
•  2016-03-27 11:25:24 [D][AppDelegate::38]
DJI Pilot:
•  kUserDefaultKeyAircraftLocation – 4x.xxx448,-8x.xxx675,-1577 (My house)
•  com.facebook.sdk:serverConfiguration1383125992006153 - <62706c6973743030…>

Physical Analysis

UAV Flight Data – Onboard & GCS

Connecting Evidence is Hard
“There is no SN number for the entire product, however, there is SN number for different components. So you could use one component SN number as the unique identifier such as Flight Controller SN number.” - DJI

Connecting Evidence is (Not Too) Hard
"aircraft": {
  "camera_serial_number": "08TUE2LSE6023K",
  "app_type": 1,
  "name": "JHA1",
  "serial_number": "08RDDCT00104UK",
  "device_activation": 0,
  "app_version": "4.1.3",
  "type": 13,
  "controller_serial_number": "87D457711843",
  "battery_serial_number": "7865E477111"
},

Known Messages in DJI “blackbox”
•  Vision Positioning
•  Telemetry
•  Flight Controls
•  Gimbal
•  Motor Status
•  Flight Status
•  Position
•  Battery Status
•  Battery Serial Number
•  Battery Voltage
•  Message Console
•  Message Config
•  Message ID
•  Lots of unknowns still

Elements from different messages in conjunction tell important stories, such as what was in view of the camera at a moment in time.

Tactical Evidence Analysis
Home Point: 43.005427, -70.987655 at -36.63 meters.
First position: 43.005433, -70.987647 at 0.000 meters.
Last position: 43.005418, -70.987621 at 0.000 meters.
Battery barcode: 6171153330369
Battery internal serial number: 1446
Battery manufacture date: 2015-09-04 00:00:00
Battery name: ATL NVT DJ005
Battery version: v255.255.255.255
Device version: v2.4.14.5
GPS space vehicle number version: 9566
2 event messages found in the log:

Time             Latitude   Longitude   Height   Event
===============  =========  ==========  =======  ===============================
04:07:43.678000  43.005427  -70.987655  0.000    Motor start time: REQ_RC_NORMAL
04:09:53.418000  43.005349  -70.987662  1.400    Motor stop time: ACT.landing

Strategic Evidence Analysis
•  What are all the launch locations known for this aircraft?
•  Are any of the known locations for this aircraft at a residence or commercial facility?
•  How many aircraft have flown over our facility?
•  What types of aircraft have we seen?
•  Was the battery on this aircraft on any other aircraft?
•  Who else has seen this aircraft?

Strategic Evidence Analysis
Show all aircraft in the database that were powered on between two points in time:
{
  "_source": ["deviceSerial", "timestamp"],
  "query": {
    "bool": {
      "must": { "exists": { "field": "eventData.MotorStart" } },
      "filter": [
        { "range": { "timestamp": { "gte": "1483246800000", "lte": "1491624000000" } } }
      ]
    }
  }
}

Show the location of an aircraft at a particular point in time:
{
  "_source": ["eventData.Gps.lat", "eventData.Gps.lon", "eventData.Pos.lat", "eventData.Pos.lon", "timestamp"],
  "size": 10,
  "query": {
    "bool": {
      "must": [
        { "dis_max": { "queries": [
            { "exists": { "field": "eventData.Gps" } },
            { "exists": { "field": "eventData.Pos" } }
        ] } },
        { "match": { "timestamp": "{{timestamp}}" } }
      ],
      "filter": { "match": { "deviceSerial": "{{aircraft}}" } }
    }
  }
}

Strategic Evidence Analysis
Show aircraft that shared a battery:
{
  "size": 0,
  "aggs": {
    "battery": {
      "terms": { "field": "eventData.BatterySerial" },
      "aggs": {
        "aircraft": { "terms": { "field": "eventData.DeviceSerial.keyword" } }
      }
    }
  }
}

Result (one battery bucket):
{
  "key": "0DQADBN03100JS",
  "doc_count": 69,
  "aircraft": {
    "doc_count_error_upper_bound": 0,
    "sum_other_doc_count": 0,
    "buckets": [
      { "key": "07JDD9C001013H", "doc_count": 64 },
      { "key": "07JDDC2001013R", "doc_count": 5 }
    ]
  }
}
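The same three questions worked as plain Python over constructed in-memory records instead of an Elasticsearch index (an added example, not the author's tooling). The record shape, serials and timestamps are assumptions modelled on the queries above; the position lookup generalises the slide's exact-timestamp match to "latest fix at or before the time asked for".

```python
from collections import Counter, defaultdict

# Constructed flight-log records shaped like the indexed DJI "black box"
# events queried on the slides: one document per decoded message, carrying
# the aircraft serial, an epoch-millisecond timestamp and the decoded fields.
# Serials and times are made-up placeholders.
RECORDS = [
    {"deviceSerial": "AIRCRAFT-A", "timestamp": 1483300000000,
     "eventData": {"MotorStart": True, "BatterySerial": "BATT-1"}},
    {"deviceSerial": "AIRCRAFT-A", "timestamp": 1483300500000,
     "eventData": {"Gps": {"lat": 43.0054, "lon": -70.9876}}},
    {"deviceSerial": "AIRCRAFT-B", "timestamp": 1490000000000,
     "eventData": {"MotorStart": True, "BatterySerial": "BATT-1"}},
    {"deviceSerial": "AIRCRAFT-C", "timestamp": 1495000000000,
     "eventData": {"MotorStart": True, "BatterySerial": "BATT-2"}},
]


def powered_on_between(records, gte_ms, lte_ms):
    """Aircraft with a MotorStart event inside [gte_ms, lte_ms] (the slide's
    exists-plus-range query), returned as a sorted list of serials."""
    hits = {r["deviceSerial"] for r in records
            if "MotorStart" in r["eventData"]
            and gte_ms <= r["timestamp"] <= lte_ms}
    return sorted(hits)


def shared_batteries(records):
    """Battery serial -> {aircraft serial: event count}, keeping only the
    batteries seen on more than one airframe (the terms/terms aggregation)."""
    per_battery = defaultdict(Counter)
    for r in records:
        battery = r["eventData"].get("BatterySerial")
        if battery:
            per_battery[battery][r["deviceSerial"]] += 1
    return {b: dict(c) for b, c in per_battery.items() if len(c) > 1}


def position_at(records, serial, ts_ms):
    """Latest Gps or Pos fix for one aircraft at or before ts_ms, else None."""
    fixes = [r for r in records if r["deviceSerial"] == serial
             and r["timestamp"] <= ts_ms
             and ("Gps" in r["eventData"] or "Pos" in r["eventData"])]
    if not fixes:
        return None  # no fix logged for that airframe before that time
    latest = max(fixes, key=lambda r: r["timestamp"])["eventData"]
    fix = latest.get("Gps") or latest.get("Pos")
    return fix["lat"], fix["lon"]
```

Batteries that turn up on more than one airframe are the link between otherwise unrelated aircraft records, which is why the shared-battery view is worth keeping alongside the per-aircraft ones.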

Intersections
Show me intersections of:
•  UAS flight with TFRs
•  UAS flight with critical infrastructure
•  UAS launch site with private property
•  UAS “maintenance” site with known suspect’s address
•  UAS flight area with fire scene
•  UAS altitude with controlled airspace
•  ….

Improving Tools and Process

Forensic Process
•  Access the data
•  Convert the data into a form that machines and humans can work with
•  Analyze the data as presented by the tool
•  Presentation

Often missing
•  Effective integration with other tools – often copy/paste
•  Alerting – ability to set triggers to perform actions when new data is added to the system
•  Machine learning - patterns and connections

A Problem is “Moment in Time”
•  Traditional forensic tools take a snapshot of a system at a moment in time
•  UAV operation analysis requires understanding
   –  What multiple interacting systems did during an entire flight
   –  How a single UAV operated over multiple flights
   –  The logistics and operations of an operator’s entire UAV operation over long periods of time

All Sources – Critical
No one artifact source tells the whole story, no one solution connects all of the dots.
•  If a CUAS system brought down a UAV, mobile device forensics is useless because you only have the UAV
•  Evidence linking the UAV to an individual is not present on the UAV, it is on the GCS
•  If the UAV is damaged, JTAG analysis may be the only option

Integration with CUAS/Observations
•  Pointer records
•  Temporal, geographic bounding boxes
•  Fuzzy matching
•  Even detection records are useful to link future physical artifacts to past observations

Closing Thoughts

Closing Thoughts - Connections
The UAV is paired with controller
&
The UAV is also paired with ground control station

Means unique IDs

Means forensic evidence linking devices

Closing Thoughts
The proper term for drones is sUAS – small unmanned aerial system. Take a system approach to security and investigations, do not treat the vehicle as a discrete or standalone element.

dkovar@kovarllc.com-www.kovarllc.com