Scene Of The Crime: You’ve Found A Drone. What Do You Do?

by Lee Reiber, COO, Oxygen Forensics, Inc.

The proliferation of recreational drones and their impact on digital incident response has dramatically increased during the last several years. In January 2018, Nextgov stated the U.S. Federal Aviation Administration (FAA) reported over 1 million drone operators registered with the United States government. This number continues to grow each holiday season, when new unmanned aircraft systems (UAS) are introduced to market and users hit the streets armed with drones that can fly great distances, record crystal clear video, and carry a payload.

These systems are currently regulated by the FAA, and guidelines have been given to local law enforcement on how to handle drone incidents. However, these guidelines apply only to systems that have been registered in the United States. Those that have not been registered are currently allowed to fly and will continue to fly.

Types of Investigations

UAS investigations may involve simple infractions such as flying in a restricted area like a military installation or park, as well as intentional criminal activities such as flying within no-fly zones (e.g., airports, prisons, etc.), invasion of privacy and surveillance, or delivery of controlled substances. These violations or crimes represent limited risk, but what about the delivery of a weapon of mass destruction? Once inconceivable by an over-the-counter UAS, the ability to deliver and disperse liquid containers, aerosol containers, explosive devices, or other munitions is now a reality.

Drones can now carry sufficiently large items to potentially be considered a threat

Additionally, outside the work of nefarious actors, how do we prevent unintended consequences resulting from thousands of law enforcement officers and commercial pilots operating UAS systems capable of carrying hundreds of pounds? If left unaddressed, these issues may result in massive setbacks for law enforcement, and forensic investigators must be prepared to handle the data.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


First responders, investigators, and legal teams must be ready not only to combat this real threat but also to recover valuable data and identify those responsible.

At the Scene of Discovery: First Responders

When responding to an event that involves a UAS it is important to survey the device from a distance. A UAS can carry explosives or other harmful substances, and running into the scene could have disastrous results. Once the scene has been rendered safe, the first responder or investigators on scene should recover any wet evidence or package the device in such a way to preserve the device and any residual evidence.

Be sure to render the device safe at the scene

Once the device has been rendered safe, remove the battery and transport to a safe location for processing. If the device is destroyed and in pieces, it is important to look for the main body of the device that contains the motherboard with the flash chip. Also, many drones have external memory cards that are inserted into a slot connected to the motherboard. If the card is missing look in the area and recover if found. Additional devices found with the UAS like mobile phones, controllers, VR goggles, or other components should also be seized and transported to a safe location.

In the Lab: Digital Investigators

UAS systems contain valuable information that can tell an investigator where an aircraft was at the time of an event. Furthermore, information such as altitude, velocity, direction, rotor speed, battery power, XYZ axis, user email, user account, and other valuable data can be contained within controllers, mobile device apps, VR goggles, external media cards, cloud sources, and, most importantly, the aircraft itself. However, precautions must be taken.

There are several methodologies and thoughts on processing the data from the physical UAS. Much like mobile devices, the UAS receives a signal from a controller to operate. So, if you are processing the UAS while ON, then isolate the device from any available cellular, radio, Wi-Fi, or Bluetooth network. Process any removable media card physically and obtain a bit-by-bit image to recover deleted images, log files, or other files that could be of importance. Connect the device via USB and obtain a physical collection of the internal eMMC to later analyze.

An iTunes backup will generally be able to recover the required information and databases

If the device is OFF when coming into the lab, process the external media card physically and, if possible, carefully dismantle the device and first attempt a non-invasive JTAG, ISP, or other extraction technique to obtain a physical image of the internal eMMC. If this method is not viable, there is an option to remove the flash and conduct a read of the chip using a programmer (chip-off). This data can then be ingested into digital forensic tools to parse and decode valuable data. Removing the chip from the device is destructive, and should only be utilized if there are no other options.

If a mobile device was used to control the UAS the information from the app can be extracted to provide important log files, images, videos, account information, and more. With iOS devices an iTunes backup can generally recover the information and databases, while Android devices generally will need to be rooted or a physical image obtained to gather the detailed flight logs and account information.

In the Courtroom: Prosecutors

Clearly documenting the process of not only the investigation but also the seizure is critical to the prosecution. The investigation of a UAS is not a trivial matter and if details are left undocumented (e.g., ON/OFF, non-invasive/invasive, media card/no media card) the case may be in peril. Unlike like the early “wild west” years of extracting and using cellphone data in cases, a UAS digital investigation should follow exact protocols.

Documentation, standard operating procedures (SOPs), and implementation of a forensic methodology will assist in successful investigation and prosecution. Failing to have a plan will often prove fruitless and create more work during an investigation. There is no better time to acquaint your team, investigators, and legal counsel on the critical information that can be gleaned from a UAS when part of an investigation.

2 thoughts on “Scene Of The Crime: You’ve Found A Drone. What Do You Do?”

  1. Great article but there are other places in cloud storage that store data from drones.

    As a qualified drone pilot and Forensic Investigator I have taken a keen interest in what data can be obtained from a drone and its associated equipment and apps.

    While we can retrieve a huge amount of data from the actual drone itself, you can also recover a lot of data from the apps themselves, that’s if a mobile device has been used to monitor or control the drone. Many high end drones don’t use mobile devices or apps.

    There are many applications that do run on both android and iOS that report directly to the cloud. These are specific apps that record all the data associated with the device and its flights. If you locate the mobile device associated with the drone, you should forensically process it as usual and then look for apps such as ‘AirData’. This is a pay app that stores all data about a drones flight, as long as the user has user credentials.

    If the app is found and you have auto login or the login credentials you can recover all flights that have been completed while the app has been in use.

    If the app is accessed, it gives a general overview of the flights the aircraft has completed. This overview also includes the images and videos that the drone captured. It also covera plotted track of the flight path, speeds, altitude, flight time, Take off battery percentage, landing battery percentage and the DJI app that was used to control/monitor the flight. It also covers the total distance traveled for the flight, speed, battery temp etc,

    Further examination shows the sensor alerts that occured during the flight, the location of these alerts and also the telemetry of the aircraft at the time. It also produces the weather at the time of the flight. This includes visibilty, temperature, wind speed and humidity.

    The apps, in some cases produce more information about a flight, than forensic examinations.

    There is however one caveat and that is the drone user has to have these apps running. It is the combination of all the storage areas that relate to the subject drone, that will produce the best results. My advice is to get a drone that is not related to an incident and have a practice. It is very easy to damage the MicroSD cards when removing them and also the MicroSD card that resides on the main board. DJI have a manager app that can extract a lot of data that is very useful, but is does not produce the results that CellBrite, Oxygen and several other forensic apps produce.

    Mike Chappell
    New Zealand Forensics.

Leave a Comment