A Comprehensive Approach to Countering Unmanned Aircraft Systems
Drone Forensics | Courtesy of Digital Forensics Magazine
This article has been originally published in the Digital Forensics Magazine, Issue 34, February 2018.
By David Kovar, US, Unmanned & Robotics Systems Analysis (URSA)
By Joel Bollö, SWE, Micro Systemation AB (MSAB)
David Kovar and Joel Bollö explain how the growing use of Unmanned Aerial Vehicles (UAVs) creates new forensic challenges and opportunities for investigators.
Introduction
The popularity of small UAVs (a.k.a. Drones) has been surging for several years now among both hobbyists and professionals in a range of industries, producing stunning videography, superb survey maps, and an increasing tempo of interference with manned aircraft operations.
But this growth has brought risks and threats as well. Malicious actors ranging from ISIS to drug cartels to local criminal organizations have also adopted these highly flexible and capable aircraft for their purposes. ISIS used off-the-shelf UAVs as early as 2014. A BBC article1 suggests that Her Majesty’s Prisons first saw drones overhead in 2013. A blog article2 states that Mexican drug cartels were researching home-built drones for drug deliveries in 2013 as well.
Her Majesty’s Prisons reportedly investigated more than 160 drone-related incidents in the last eighteen months and a heavy lift consumer drone delivered 13 kg of methamphetamines in California late last year. A weaponized DJI Mavic was captured from a Mexican drug cartel months later.
Drones are a component in a larger system, an Unmanned Aerial System (UAS). Information relating to UAS sourcing, construction, tactics, and operations are created, stored, and transmitted throughout the UAS environment. Information resides in sensors, ‘black box’ log files, cell phones used as Ground Control Stations (GCS), and in NVRAMi on flight controllers, GPS chips and other difficult to access hardware. This data, when correctly extracted and accurately analyzed, provides valuable tactical and strategic intelligence about launch locations, flight profiles, and logistical and operational linkages.
It is important to remember that drones are not some strange new technology for which we require completely new tools and ways of thinking. Innovation is certainly required but it rests on existing forensic principles and techniques. Any drone can be broken down into component parts. Considered in this light, they are simply an instance of the Internet of Things (IoT) or a Cyber-Physical Engineered System (CPES), a network of sensors, storage, CPUs, and actuators with network connections that enable them to share data and control information. All of these components are involved in a complex, often real-time, flow of telemetry, sensor, and environmental data in clear text, binary, and encrypted formats.
The art and science of UAV forensics is at the point where mobile device forensics was 10 years ago.
So, a single drone is an IoT/CPES instance unto itself, several CPUs, a network and sensors all on board talking to external systems via network links. In most cases those external systems are a remote controller and the GCS, often a standard mobile device. Extending outward, a swarm of drones is a collection of inter-operating IoT/CPES instances. To understand the entire environment we need to break all of these instances down into component parts, CPUs, networks, sensors etc., establishing a foundation, and building a complete picture from the component parts. Many of those component parts are familiar to us, particularly the mobile devices used to control the drones.