Not too long ago, when drones were discussed, we would often think of military use or large commercial applications. Today, however, drones are in the hands of hobbyists who frequently use the devices for taking aerial pictures and shooting unique video footage. Law enforcement also uses them to monitor traffic conditions, and some companies are even starting to deliver packages in busy cities.
Criminals have now set their sights on these easily purchased devices due to their many features, including carrying payloads, flying great distances, and their anonymity. Drones have even been used by criminals to commit stalking crimes by using them to spy on their victims. With more than 770,000 registered drones in the United States alone, the issue of drone misuse has become a part of regular news stories and is quickly getting out of control. Law enforcement recognizes this need and is working feverishly to obtain digital evidence from recovered drones. This digital evidence consists of images and video footage captured by the drone; GPS logs and route information, including the start and finish points of the most recent trips; and low-level information on the direction and speed of the drone.
While there are dozens of drone manufacturers and hundreds of different models, there is still no single standard for the way these drones store digital data. The data can be stored in several different formats, and GPS coordinates can also be encoded in multiple ways. Due to the sheer variety of data formats and the potentially overwhelming amount of available evidence, manual extraction and examination of this evidence can be extremely time-consuming and labor-intensive. Since drone forensics is still relatively new, very few tools exist that allow experts to automate these procedures.
Oxygen Forensic Detective is one of these forensic tools that offers experts the ability to extract digital evidence from the drone’s internal storage or external SD card, parse and decode data, and present it to the investigator in a human-readable form.
The content of the drone’s internal storage or SD card is just the beginning. Since drones are controlled by their respective apps via Android or iOS-based smartphones and tablets, these apps may contain additional information received from the drones. Some of that data is transmitted and stored in the user’s online account or the drone manufacturer’s cloud. This additional data represents a separate challenge since manual extraction is usually either extremely complicated or simply not possible due to the lack of documented APIs.
Oxygen Forensic Detective can successfully extract information from many types of mobile devices, providing access to information collected by these control apps and stored on the user’s smartphone or tablet. In addition, Oxygen Forensic Detective can remotely obtain information from many different cloud services and online accounts, extracting all available evidence down to the last bit.
Evidence collected from all available sources is combined into a unified data set. Oxygen Forensic Detective automatically parses GPS locations and route data and decodes information representing the drone’s speed and direction to map visual routes in human-readable form. With Oxygen Forensic Detective, the examiner can see the track and related metadata, including the speed and direction of the drone. In addition, the built-in mapping tool, Oxygen Forensic Maps, will automatically build and display a visual route complete with points of interest (points on the map where the drone was used to shoot pictures or capture video footage). By simply clicking on a point, the expert will gain immediate access to videos and images captured by the drone.
DJI drones routinely communicate with the cloud, storing some drone data in the user’s online account, the drone manufacturer’s cloud, or both. This additional data within the cloud represents a separate set of challenges for an expert, both legally and technically, with manual extraction being extremely complicated or simply impossible.
Oxygen Forensic Detective can help extract the extra information from the cloud. For DJI accounts, all that’s needed to access the data is the user’s login and password. If the password is not available, the expert has an option to use an authentication token obtained from the user’s computer that was used to access the cloud. With no two-factor authentication supported or implemented by DJI, there are no extra challenges in extracting the data.
What exactly is stored in the user’s DJI cloud account? We’ve been able to extract information about the account, the drone model and serial number, its flight history and associated metadata.
What should you expect from a drone forensic tool? Because the number of drones is quickly growing, it should be understood that the number of drone-related criminal activities will also climb. It is essential to have automated extraction, parsing and decoding of the data, as well as convenient visualization of geo-data – as opposed to wasting time on investigating raw logs and copying the binary values representing coordinates, speed, and direction.
Drone forensics is still in its early stages. While Oxygen Forensic Detective currently supports only a few popular drone models, including DJI Phantom 3, DJI Phantom 4, DJI Inspire 1, Mavic, and DJI Inspire 2, our direct support for dozens of additional models is right around the corner.