A Comprehensive Walkthrough Of Counter UAV Analysis

Unmanned aerial vehicles (UAVs), or drones, are as fraught as they are fascinating. For every hobbyist flying a drone around the neighborhood on a sunny weekend, there is a neighbor concerned with whether a system’s onboard camera is spying on their family.

UAVs also pose far more serious threats when it comes to commercial air travel, correctional facilities, and homeland security. Counter unmanned aerial systems (CUAS) have appeared in the market as a result. Just like the systems they’re designed to counteract, they can offer a wealth of data about their mission — as well as how well they work.

In a blog series at the Unmanned Robotics Systems Analysis (URSA) Inc. website, renowned UAS forensics expert David Kovar offers insights “relating to extracting, organizing and analyzing data from counter UAS systems,” based on experience from test and evaluation exercises relying on the URSA platform.

The series’ introductory post, Counter UAS Test and Evaluation Series, outlines its audiences: CUAS evaluators, system acquisition teams, investigators and attorneys, and government regulators. “Anyone using CUAS systems or data should understand how the data is generated and what external and internal factors affect the system’s results before they can effectively use any data produced by these systems,” Kovar wrote.

Digital forensics on a CUAS begins long before any data is examined: by first defining the system’s effectiveness. “… [E]ven if you can kill the inbound UAV,” Kovar explained, “detection range, false positive rates, and tracking accuracy in a variety of environments are all important characteristics to know before you trust your assets to the system.”

To that end, he offered some examples of why vendors, evaluators, and operators all need clear definitions of detection, classification, location, tracking, and mitigation:

If we say “The system detected a UAS” we likely expect everyone to understand what we mean. But where is that event presented – in a log file, on the user interface, or via an audible alert? What was detected – was it really a UAS, implying that some discrimination occurred prior to the alert? Is it friendly or malicious? Is the detection part of an existing track or a new track?

Another pre-analysis necessity: ground truth data. For a CUAS, this depends on a Time, Space, Position Information (TSPI) device, “a high end GPS tracker.” In CUAS: TSPI Devices and Ground Truth, Kovar describes how “[a]n accurate and reliable TSPI device is critical for accurate CUAS (and BVLOS, see-and-avoid, etc) data analysis.”

Fault tolerance, accuracy, size, weight, power, and situational awareness are all mission-critical aspects of a good TSPI device. URSA relied on these criteria to develop its own TSPI prototype, and is at work, wrote Kovar, on a production version with enhancements.

“The telemetry and CUAS systems data will tell one story,” wrote Kovar in CUAS: The Need for Human Observers, “and the humans will provide a different perspective.” Data validation requires this balance. “However,” he continued: “like digital data collection, errors or lack of standards and consistency in human data collection may create more confusion than it eliminates.”

Because CUAS data is so volatile, Kovar recommended coming up with a pre-event plan “to determine what data needs to be collected, implement and test the process,” among other steps.

Only at this point can the digital forensics process itself commence. CUAS: Data Sources and Their Strengths and Weaknesses outlines the four major methods for extracting CUAS data: vendor log files, vendor API, vendor user interface (UI), and standard or proprietary C2 or integration layer.

“Which one you choose will depend on your use cases as well as your technical ability and relationship with the vendor,” Kovar wrote, adding that log, API, and integration layer systems are valuable because of their responsibility for life safety decisions. At the same time, he added, “…the easier it is to obtain data, the further you are away from the unvarnished truth.”

Building on his points in “The Need for Human Observers,” Kovar, in CUAS Data: The Hardest Part – Collection, Organization, and Validation, wrote: “Similar to ediscovery projects and digital forensics investigations, investing time up front to collect, organize, normalize and validate your data will save significant time later, help the project stay on schedule, and produce more accurate results.”

Offering a diagram of an URSA data collection process, Kovar argued for collecting “as much data as you possibly can as soon as you can and preserve it in multiple locations” because it will likely not be possible later on. Because there’s so much data, organizing it is necessary; likewise validating it. Kovar offered an example of how this process might proceed.

To continue with analysis after collection, CUAS: Data Normalization becomes necessary. “To accurately compare data from different sources that all relate to a common event – a UAS flight in this case – we must use common frames of reference,” Kovar wrote. “At a bare minimum, all of your data should use the same timezone and reference model for the physical location of all participating systems.”

From there, CUAS: Data Visualization argues for a departure from Excel. “We are human, we need visual data, and quickly,” Kovar wrote, offering several depictions from URSA’s telemetry analysis platform. “Appropriate near real time visualization capability should dramatically improve test and evaluation effectiveness while also supporting deep dive analysis post-event.”

In what Kovar called an “evolving” post in need of additional contributions, Comparing CUAS Track Data outlines some of the complications in analyzing data from multiple CUAS vendors. Because these systems lack standards, the analyst must come up with a common frame of reference to compare data in a useful way.

Position information — various pieces of latitude, longitude, altitude, azimuth, elevation, and/or range — from hypothetical vendors is presented, along with what coordinate system to use, idiosyncrasies among vendors, and methods of comparison. “There are a number of steps that have to be taken to compare different vendors to ground truth and each other,” Kovar wrote, “but it can be done in an automated and defensible manner.”
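The normalization step described in the Data Normalization post and the vendor-to-ground-truth comparison described in the track data post, as an added example that is not code from Kovar’s series or the URSA platform: two hypothetical vendor reports (one in latitude/longitude/altitude with local timestamps, one in sensor-relative azimuth/elevation/range) and a TSPI fix are brought into one time base and one local East/North/Up frame around the sensor, then each vendor’s 3-D position error is measured. The sensor location, vendor values, timestamps and the spherical-earth approximation are all constructed assumptions.

```python
# Added example (not from Kovar's series or the URSA platform): bring two hypothetical
# vendor reports and a TSPI ground-truth fix into one frame of reference (UTC time,
# local East/North/Up metres around the sensor), then measure each vendor's error.
import math
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_M = 6_371_000.0  # spherical approximation, adequate over a test range

def to_utc(ts_text, utc_offset_hours):
    """Parse 'YYYY-MM-DD HH:MM:SS' logged in a local UTC offset; return an aware UTC time."""
    local = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
    return local.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours))).astimezone(timezone.utc)

def geodetic_to_enu(lat, lon, alt, ref):
    """East/North/Up offset in metres of a lat/lon/alt point from the reference point."""
    north = math.radians(lat - ref["lat"]) * EARTH_RADIUS_M
    east = math.radians(lon - ref["lon"]) * EARTH_RADIUS_M * math.cos(math.radians(ref["lat"]))
    return (east, north, alt - ref["alt"])

def polar_to_enu(azimuth_deg, elevation_deg, range_m):
    """Sensor-relative azimuth (degrees clockwise from north), elevation and slant range to ENU."""
    az, el = math.radians(azimuth_deg), math.radians(elevation_deg)
    ground = range_m * math.cos(el)
    return (ground * math.sin(az), ground * math.cos(az), range_m * math.sin(el))

# Constructed test data: the sensor site is the common reference point for every source.
SENSOR = {"lat": 38.0, "lon": -77.0, "alt": 50.0}
TSPI_TRUTH = {"time": to_utc("2023-05-01 12:00:00", 0),
              "lat": 38.0035973, "lon": -76.9965762, "alt": 150.0}  # about (300 E, 400 N, 100 Up)
VENDOR_REPORTS = {
    # Vendor A logs geodetic positions with local (UTC-4) timestamps.
    "vendor_a": {"time": to_utc("2023-05-01 08:00:00", -4),
                 "enu": geodetic_to_enu(38.0036, -76.9965, 148.0, SENSOR)},
    # Vendor B logs sensor-relative azimuth/elevation/range in UTC.
    "vendor_b": {"time": to_utc("2023-05-01 12:00:00", 0),
                 "enu": polar_to_enu(36.87, 11.31, 520.0)},
}

def compare_to_truth(reports, truth, reference, max_skew_s=1.0):
    """Return metres of 3-D error per vendor, or None where the timestamps do not line up."""
    truth_enu = geodetic_to_enu(truth["lat"], truth["lon"], truth["alt"], reference)
    errors = {}
    for name, rep in reports.items():
        skew = abs((rep["time"] - truth["time"]).total_seconds())
        errors[name] = math.dist(rep["enu"], truth_enu) if skew <= max_skew_s else None
    return errors

if __name__ == "__main__":
    for vendor, err in compare_to_truth(VENDOR_REPORTS, TSPI_TRUTH, SENSOR).items():
        print(f"{vendor}: {'no time match' if err is None else f'{err:.1f} m error'}")
```

A report whose timestamp cannot be matched to the ground-truth fix is reported as None rather than scored, which is the point of normalizing time before position.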

The final post in the series, CUAS Test and Evaluation: URSA’s Journey, describes URSA’s efforts to develop its unmanned systems telemetry analysis platform. Having recently deployed the platform on CUAS testing and evaluation, Kovar wrote about applying its lessons learned to the product, including automation of some steps and improving data ingestion and analysis.

In his introductory statement, Kovar concluded:

There is an enormous amount of work to be done on this topic, by URSA, by vendors, by standards committees, and by governments. We can collaboratively create an ecosystem where the effectiveness of CUAS systems against a variety of targets and in a variety of conditions is known in advance rather than after acquisition. But we need to talk, share data, conduct exercises where the results are made available to acquisitions teams and potential customers, and feed lessons learned back into the ecosystem for all to benefit from. This will meet some, perhaps significant, resistance but ultimately it is necessary for national security and the protection of life and property in general.

To that end, he wrote in his final post: “There is much work to be done to catch up with the current state of CUAS test and evaluation. And the work will never cease – as UAS and CUAS evolve, and their testing regimes, so will URSA’s platform.

“We look forward to this journey and to working with the community to ensure that UAS and CUAS are properly tested, evaluated, and audited.”

Christa Miller is a Content Manager at Forensic Focus. She specializes in writing about technology and criminal justice, with particular interest in issues related to digital evidence and cyber law.
