by Lee Reiber, COO, Oxygen Forensics, Inc.
The proliferation of recreational drones and their impact on digital incident response has dramatically increased during the last several years. In January 2018, Nextgov stated the U.S. Federal Aviation Administration (FAA) reported over 1 million drone operators registered with the United States government. This number continues to grow each holiday season, when new unmanned aircraft systems (UAS) are introduced to market and users hit the streets armed with drones that can fly great distances, record crystal clear video, and carry a payload.
These systems are currently regulated by the FAA, and guidelines have been given to local law enforcement on how to handle drone incidents. However, these guidelines apply only to systems that have been registered in the United States. Those that have not been registered are currently allowed to fly and will continue to fly.
Types of Investigations
UAS investigations may involve simple infractions such as flying in a restricted area like a military installation or park, as well as intentional criminal activities such as flying within no-fly zones (e.g., airports or prisons), invasion of privacy and surveillance, or delivery of controlled substances. These violations or crimes represent limited risk, but what about the delivery of a weapon of mass destruction? Once inconceivable for an over-the-counter UAS, the ability to deliver and disperse liquid containers, aerosol containers, explosive devices, or other munitions is now a reality.
Additionally, outside the work of nefarious actors, how do we prevent unintended consequences resulting from thousands of law enforcement officers and commercial pilots operating UAS capable of carrying hundreds of pounds? If left unaddressed, these issues may result in massive setbacks for law enforcement, and forensic investigators must be prepared to handle the data.
First responders, investigators, and legal teams must be ready not only to combat this real threat but also to recover valuable data and identify those responsible.
At the Scene of Discovery: First Responders
When responding to an event that involves a UAS, it is important to survey the device from a distance. A UAS can carry explosives or other harmful substances, and running into the scene could have disastrous results. Once the scene has been rendered safe, the first responder or investigators on scene should recover any wet evidence or package the device in a way that preserves the device and any residual evidence.
Once the device has been rendered safe, remove the battery and transport it to a safe location for processing. If the device is destroyed and in pieces, it is important to look for the main body of the device, which contains the motherboard with the flash chip. Also, many drones have external memory cards that are inserted into a slot connected to the motherboard. If the card is missing, search the area and recover it if found. Additional devices found with the UAS, such as mobile phones, controllers, VR goggles, or other components, should also be seized and transported to a safe location.
In the Lab: Digital Investigators
UAS contain valuable information that can tell an investigator where an aircraft was at the time of an event. Furthermore, information such as altitude, velocity, direction, rotor speed, battery power, XYZ axis, user email, user account, and other valuable data can be contained within controllers, mobile device apps, VR goggles, external media cards, cloud sources, and, most importantly, the aircraft itself. However, precautions must be taken.
There are several methodologies and schools of thought on processing the data from the physical UAS. Much like a mobile device, the UAS receives a signal from a controller to operate. So, if the UAS is powered ON while being processed, isolate it from any available cellular, radio, Wi-Fi, or Bluetooth network. Process any removable media card physically and obtain a bit-by-bit image to recover deleted images, log files, or other files that could be of importance. Connect the device via USB and obtain a physical collection of the internal eMMC for later analysis.
If the device is OFF when it comes into the lab, process the external media card physically and, if possible, carefully dismantle the device and first attempt a non-invasive JTAG, ISP, or other extraction technique to obtain a physical image of the internal eMMC. If this method is not viable, the flash chip can be removed and read with a programmer (chip-off). This data can then be ingested into digital forensic tools to parse and decode valuable data. Removing the chip from the device is destructive and should be used only when no other option exists.
If a mobile device was used to control the UAS, the information from the app can be extracted to provide important log files, images, videos, account information, and more. With iOS devices, an iTunes backup can generally recover the information and databases, while Android devices generally will need to be rooted or a physical image obtained to gather the detailed flight logs and account information.
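The flight-log fields listed earlier in this section (position, altitude, velocity, heading, battery) are what let an examiner answer "where was the aircraft at the time of the event" and "did it enter a no-fly zone". The script below is an added example, not code from the article or from Oxygen Forensics: it interpolates the aircraft position at an event time and lists the log samples that fall inside a restricted radius. The CSV layout and the sample rows are constructed for illustration and are not any vendor's real log format.

```python
"""Locate a UAS from its flight log at the time of an event and check it
against a restricted area.  Added example; the CSV layout below is
constructed for illustration and is not any vendor's real log format."""
import csv
import io
import math
from bisect import bisect_left

# Constructed sample log: epoch seconds, latitude, longitude, altitude (m),
# velocity (m/s), heading (deg), battery (%).
SAMPLE_LOG = """\
time,lat,lon,alt_m,vel_mps,heading_deg,battery_pct
1700000000,40.7000,-74.0000,0.0,0.0,90,98
1700000010,40.7000,-73.9990,35.0,8.4,90,96
1700000020,40.7000,-73.9980,60.0,8.5,90,94
1700000030,40.7005,-73.9970,60.0,8.6,45,91
"""

def parse_log(text):
    """Parse the CSV into dicts of floats, sorted by time."""
    rows = [{k: float(v) for k, v in r.items()}
            for r in csv.DictReader(io.StringIO(text))]
    return sorted(rows, key=lambda r: r["time"])

def position_at(rows, t):
    """Interpolate (lat, lon, alt_m) at epoch time t; None outside the log."""
    times = [r["time"] for r in rows]
    if not rows or t < times[0] or t > times[-1]:
        return None
    i = bisect_left(times, t)
    if times[i] == t:                      # exact sample, no interpolation
        return (rows[i]["lat"], rows[i]["lon"], rows[i]["alt_m"])
    a, b = rows[i - 1], rows[i]            # bracketing samples
    f = (t - a["time"]) / (b["time"] - a["time"])
    return tuple(a[k] + f * (b[k] - a[k]) for k in ("lat", "lon", "alt_m"))

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(h))

def times_inside_zone(rows, zone_lat, zone_lon, radius_m):
    """Log timestamps at which the aircraft was within radius_m of the zone centre."""
    return [r["time"] for r in rows
            if haversine_m(r["lat"], r["lon"], zone_lat, zone_lon) <= radius_m]
```

Interpolated positions are only as trustworthy as the sample rate and the clock source of the log, so record both alongside the result.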
In the Courtroom: Prosecutors
Clearly documenting the process of not only the investigation but also the seizure is critical to the prosecution. The investigation of a UAS is not a trivial matter, and if details are left undocumented (e.g., ON/OFF, non-invasive/invasive, media card/no media card) the case may be in peril. Unlike the early "wild west" years of extracting and using cellphone data in cases, a UAS digital investigation should follow exact protocols.
Documentation, standard operating procedures (SOPs), and implementation of a forensic methodology will assist in successful investigation and prosecution. Working without a plan often proves fruitless and creates more work during an investigation. There is no better time to acquaint your team, investigators, and legal counsel with the critical information that can be gleaned from a UAS when it is part of an investigation.