Drone Forensics – How To Deal With The New Threat


Lee Reiber: Hello, and good morning, good afternoon, and good evening to some. I really appreciate everybody attending. We’re going to talk about drone forensics.

I’m Lee Reiber. I’m the CEO at Oxygen Forensics [00:24]. And as we go through this slide show, talking a little bit about some of the issues that law enforcement, public sector … that, really, throughout the world are running into this. And we could talk about some of the things that we have brought forward, in doing that, trying to, obviously, assist law enforcement in going forward.

With that being said, talking a little bit about Oxygen Forensics, and just a little bit quick about us … in talking … founded in 2000, really as a [mobile PC in a] company. Been around for a long time, just specifically dealing with mobile devices, not in the network, not the cyber security, computer forensic type, but just really have always been laser focused on mobile forensics. Quite a few users all around the globe that … I have met with quite a few this year already, all around the world. And I found out in talking to those customers and future customers, really, the exciting part at Oxygen, really, the innovation that we are bringing forward, as well as really how we go in and bring things to market, the customer side of it.

In talking a little bit more really, and with mobile devices, we talk about what do we do. Again, like I said, primarily, we look at the mobile devices, smart devices, iOS, Android, that we are really focused on. Obviously, we support the feature phones as well as your Windows phone devices, as well as BlackBerry, that type. But primarily iOS and Android, because I’m sure all of you know, when we start looking at the market share of iOS and Android, we’re about 99% of the market share, with those others just kind of hanging around. So the majority of people in the lab are going to see those types of devices.


Though we also have, and we’ll talk about, the cloud support, and how it relates to drones as well. But understanding that – I’m sure you guys are seeing as part of your investigations – the mobile device with encryption, some of the issues that we run into. Obviously, we’re going to have to start relying on some of this information from the cloud. And then we decided really, what are some issues that law enforcement is running into? And we decided to start branching into and looking at the data within drones as well as [03:16] IoT.

So, if we look at this – the tool that we’ll be talking about, because our drone support is only within our Oxygen Forensic Detective. And Detective is the tool that, obviously, you can … we have a couple of products, [obviously, Analyst] and Detective. But with Detective, being able to now bring into and being able to extract drone data, but also the cloud information. And then we start talking about the additional analysis tools that are built into it, including Oxygen Forensic Maps. And bringing all of that information in collectively, and doing the analysis … if it is one of the things and if you have utilized Detective, you find the many benefits of that within an all-inclusive solution.

Okay, so, if we start looking at some of these others that we look at this … we’re going to go in and start moving in. We’ll begin to … and talking about the other items that we have, and the issues that are posed when we start talking about drones. And I’m going to speak for the United States – the United States on itself is … there’s again over one million registered owners in the US that we start talking about, but it’s quite interesting. If you look at the holidays, people are given gifts, it is now today’s gift, is these drones. Particularly when you start talking about the DJI brand that’s out there, which is owning the markets on these recreational.

So, obviously, we can look at the simple numbers that we have here in the US, and the problems that this might pose. And we’ll talk about some of these problems, but we’ll see first, really, what issues can be caused. But here, we’re talking a million drones, and here in the US, when you start not only talking about recreational drones, but we’re talking about commercial drones now, right? And not only delivering me a package, but we start talking about some of those companies on a commercial side that are utilizing them for, say, field work. Like being able to go – instead of crop dusting any more, now they’re crop dusting with drones.

And some of the drones that have been tested, that have been going through on, say, the commercial side, you start thinking … right now, we have the recreational drones, we’re thinking, “Fantastic, I have this Phantom, Phantom 4, I’ll be able to carry a pretty good payload if I really wanted to.” It is a large [06:13] recreational drone.

But let’s start thinking about those drones that can carry 500 pounds. In the hands of someone, say, possibly for nefarious purposes … but what can those deliver? 500 pounds, that’s amazing, being able to go, especially distances that these are able to travel. So, we really start thinking, not only the issues of air traffic and the problems that that might pose, but what else can really come from these flying all over, that I can go and I can purchase one of these, be able to operate this the same day.

So, let’s talk. Let’s talk a little bit about some of the issues that we might face. These are just some things that have been put together about some of the other items that we have. Obviously, landing … someone flying a drone into the White House. We start talking about the other problems … so we’ll think about this. We’ve had, here in the US, several issues. One issue being prisons. We have prisons that these recreational drones are being flown over, flown into, dropping off contraband phones, drugs, other items within the prison system. Now we start talking about, say, at the US border. Being able to now transport drugs, being able to fly across the border … being able to fly, drop off drugs. They don’t plan on the drones necessarily coming back. Being able to go … no longer do you have to send these … tunnel through or be able to fly large airplanes across. Being able to go and do these short-sighted runs utilizing these drones.

But now, that’s kind of the big picture, now we start talking about these people … and there’s been the case, actually in the US, where an individual was selling drugs. So, typically, they would go and meet at a parking lot, do a hand-to-hand, “Here’s your drugs,” “Here’s your money,” great, gone. Well, actually, this group or this individual was now transporting it while sitting at the residence. Now, transporting that to the location, to now the parking lot, having the drugs, being able to go and transport that, put that within that area, and drop off the drugs, attach the money, and now bring that back. Think of that. Not only is it lazy, right? But think of the technology that they’re utilizing to now go and deliver the drugs, now pick up the money … and they continued to do that.

Eventually they were caught. You start seeing the same … this drone landing in these parking lots, you’re wondering what’s going on. Someone attaches something to something … obviously, that’s odd. But you kind of look at this, you’re like, “Hey, we have this kind of mechanism now that people are utilizing,” not just to fly … fly hobbyist recreation, just have a great time flying these drones. It always comes down to someone is going to do something illegal with these.

Now, that’s kind of delivery of the drugs – that’s illegal, right? But now, let’s start looking at it, because we’ve actually had terrorist activities. Start talking about terrorist activities and the delivery of these explosive devices, being able to deliver these. No one is around, being able to send these things three miles away, and what do you do now? So let’s talk, because obviously, there’s been several that have been in the news that I’m sure that wherever you guys are located, you know and you hear about some of these … not only just criminal activities, but the danger that some of these might pose.

So, let’s look at some of the things that might … obviously, we have drones. Drones can obviously be good. Be good for Amazon, delivering packages, although I don’t necessarily agree with that, being able to … flying these, dropping these things off. It gets a little crazy. But being able to … several countries that I’ve been in, they’ve used these for surveillance. They’re able to go in, put a GPS location, they can fly this here, do some surveillance on the individuals, might have a possible bomb, something going on, they can go in, they can take the drone. We have robots that are on the ground, but now we have these drones that are able to go in other places that, say, the robot might not be able to maneuver, being able to go a lot faster to get to certain locations.

But also, some other countries, for crowd control. I was in one country that they utilized these at sporting events. The drones are able to … they don’t have to have CCTV in these certain areas, they’re utilizing drones around all of these events for immediate intel. So, it’s quite interesting. I’m sure a lot of you guys, if you did watch any of the Olympics, the Winter Olympics, you saw the great display that Intel put together of all of these drones. Quite amazing, to be able to coordinate, to be able to use all the computer … the software, being able to roll that around.

But now we start looking at, really, what I have just been talking about. What kind of threats do these pose? And it’s really unending. Not only just carrying things into prisons, carrying things across borders, carrying things into your local parking lots. But we start talking about the bigger picture. These can be purchased for 300 USD, 600 USD, and get a nice, big one that can carry things for 1500 USD. So, we start talking about these package deliveries, terrorism, bombs. We start talking about threat to privacy.

A lot of the drones have facial recognition. These drones also can be able to go in and target individuals by simply going in on the controller, drawing a block around the individual that you want to follow, and you can now have it follow that individual and be filming that particular individual. You start thinking about what kind of cases that you really might be running into. The low-hanging fruit is, yeah, [13:03] flying too close to the airport, or pilots [seeing] drones. That was like the first incidents. And then, the criminals start getting their mind really working and thinking, “Wow, what else can I do, you know, in my current job that I can utilize this drone for?”

So, that really comes into, alright, what can we do as investigators? And that’s really got my mind spinning, of wow, this really could be a benefit to investigators, because of these recreational drones, these are landing here, they’re crashing, they’re delivering, they’re finding these at a crime scene. So, really, what could we have done? What is there? What is available for the user?

So, we start talking about it. Really, where can data be … you talk about a drone, we have that physical drone, right? We have that. Where can some of the data be? If we talk about just some of the easy things … the drone. So, the drone, we have a couple of pieces. We have the SD card on that device, which, a lot of the other tools, that’s what they support. But we also have the internal memory. We have the internal memory of the device and now we have the external or the SD card. Then, we also start talking about alright, how about a controller? We have the RC controller, the radio controller that we have that we could utilize. That’s … there’s data also stored on that. Some of the controllers that you have the DJI, about three gigs of space that you’re able to go in or have information.

Now, granted, not a lot of data that you’ll be able to find that’s going to be, say, stored on that device. But there is data. Data is available. We start talking about the others. How about mobile? The mobile apps. So, started just talking about iOS and Android, and we’ll talk about DJI. The different types, whether that type of information is stored within the mobile app itself, and we’ll talk about that a little later, because there’s a ton of information that’s stored within that mobile app that you might not really be thinking … it might not be relevant to you now, but you get the wheel spinning once we start talking about what type of information. And we talk about the cloud, because again, everything has to be hooked up to the cloud. We’ll talk about DJI cloud. Because on the cloud itself, you’re going to – and a user can now go boom, and back that right up directly from the application, be able to back it right through DJI cloud, all the information that is going to be stored, whether it be logs, images, videos, that type to be backed up into the cloud itself. And then we start talking about the desktop apps.

And again, I’m just going to talk about DJI, but there’s a lot of other … or there are some other drones that do also back it up, that sync software. DJI Assistant. DJI Assistant creates also a backup that you can make off of the device itself, that can contain those logs and the black box information. So, really, there’s a lot of sources, and you don’t want to be focused, tunnel vision, within “I have that drone”. Where else can it be stored? Because we want to think about what happens if the drone is just completely smashed, right? There’s always the availability of chip-off, to be able to go in and remove … especially if it’s destroyed. But we’re … the cloud, we start looking at the cloud. Were they using the RC controller, were they using RC Controller Plus, the mobile device, the iPad, to control that drone? What kind of other information can be stored?

So, really, there could be a lot of information that’s on the device itself, but there are other places that we always must be thinking about. So let’s talk about it. Really, what’s supported? What do we have and what’s supported within Oxygen Forensic Detective? Now, with the DJI devices, as well as some other non-DJI devices, support those. The actual being able to attach it to the device itself, being able to attach it to the SD cards. We also support the mobile apps. Being able to support the mobile apps gives you … Say, if you didn’t have the drone, you have the mobile app, you’re now, “Wow! Let’s go look for this, let’s go look for the drone, because within this mobile app that was parsed out, I have all this information that is given to me. So let’s just go find the drone.” Or maybe the drone has been destroyed. It might have some information, which brings again now the cloud storage.

Now, being able to have it within Oxygen Forensic Detective, how can I go now and extract that information from the cloud itself? Again, extremely important not to get so focused on “Alright, here’s the drone, and now I have to go in and do the analysis of the data.” There are some other places – just like doing a mobile device. Think about I have the UICC card, I have the mobile device, I have cloud storage, I have an SD card. There’s many pieces to the puzzle, so to speak. So, being able to bring that stuff in to Oxygen Forensic Detective collectively is extremely important. So, let’s talk about really the different types of storage – what do we support when we start talking about the drone itself?

Now, on the drone itself, we start thinking about already the external SD card. Now, whenever you’re processing this SD card, make sure that it’s a physical collection, not just a standard, say, MTP through the drone. Remove that – you can go in, you can create a physical image of that itself. Because obviously, [19:16] with the external SD storage flight box, and also, you’re going to get videos. You can get also images that can be stored within this device, [except for] the camera. So a lot of information from the SD card.

But what about internal? What do I do for internal? And we’re not talking obviously the removable SD card. Internal. So we’re going to look at this. Obviously, a chip-off – supported within our tool. If you decide to do … you’re going to remove the chip, be able to read that data, obviously a binary file, you’re able to bring that into Detective, we’re able to parse that information out of the file system itself.

But now we start talking about what we have releasing next week. Actually plugging into the USB port itself, and obtaining a physical image, a file system of that internal memory, which contains that black box data, which contains those flight logs, the raw data that we can go now and extract in our tool. So, not only supporting, obviously, the [removal] of the chip, but now the actual physical connection via USB to now extract that within and detect it, and bring that information in. So, quite amazing. So, if you’re not removing and you’re not having that type of storage … and I’m going to talk about the difference here shortly, the differences with the extraction and really what you have … because there are some differences that you need to be aware of with the extraction of that. But again, quite amazing.

So, we have those – that type of data within the drones. Now, what do we talk about when we have with app support? Obviously, we support a lot of different types of applications within our tool. But we’re going to just focus on with the drone applications, with the DJI, with that side, what are we talking about within these types? When we look at the drone applications that we have, it’s quite interesting. With the DJI, on the device itself, within that file system, obviously being able to pull that data and have the information within that – now what we’re getting, within iOS, Android, user information. So we’re getting user information that … email addresses that have been utilized, names that have been utilized. Because if I’m going to sign into or I’m going to purchase anything, utilized in the DJI or the DJI app, now I have additional information, maybe credit card information, maybe address information that I can now utilize for my case.

But now we start looking about some other information that might be in there too, especially if they’re using the DJI app. How about a password, username information? There might be token information. How about we start talking about, within the application, cache information. Information that they might have downloaded from DJI cloud, shared information or videos that they’ve had in the DJI cloud, collaborated with other people on DJI cloud, having all the information within the app itself, and not just thinking about videos, images – historical pictures that have been taken, historical videos that have been taken, saved into the gallery that they have. Or being able to go in when they manipulate images or … DJI does it automatically for you, puts music to it. So, being able to take that information – just from the app itself, you have a tremendous amount of information.

So, supporting both devices that have not been jailbroken as well as those that have been jailbroken, getting that full file system on iOS devices, getting the application data, again, is very important. And then talking about Android. Now, Android again – when we start talking about, say, physical extraction. Obviously, we have a root access, obtaining that file system from the Android device, to now obtain that DJI data is important. You must have that because it’s a standard – we start talking about [ADB] backup, or just a standard [agent] approach is not going to get you the information that you want with an Android.

But what’s great – obviously, in the latest release, that we just have had, with Oxygen Forensic Detective, adding additional support for 6X Android devices, and obtaining that, say, advanced [ADB], being able to obtain that file system information on a root of the device, obviously a [24:10] that we have, is now available, to be able to extract some of this information for you.

Now, let’s just look at some of the information that I just talked about. Obviously, with the drone app, what can I have? What is within the applications themselves? Some of the things that I mentioned – account information? How important is that to your investigation? Say you don’t have the drone. You have the app itself. Being able to have account information from, say, DJI cloud, being able to have the account information if you have to go back to DJI. We start talking about deleted data. Some of the items that have been removed – either shared, stored on the device. Being able to recover that information and display it to the user. As you’ll notice on the screen, we do display deleted data with the small trashcan. Being able to show that for you guys.

And then we start talking about log files – what information, what can we have, what can be stored within the application area in the DJI Go app itself? Again, within – if you only have the application, there’s still a tremendous amount of information that you can recover from this application itself. And we start talking about with the Android and iOS.

But we start talking about, alright, what happens if the app isn’t supported? That’s a problem, right? Because there’s 6.2 million applications that are available at one time, iOS, Android, and then the others. Being able to put that on my device – what do I do if I run into that? This example that you have here is Drone Deploy, which is an application that can be used for DJI.

And if you look at Drone Deploy, it’s quite interesting, because you’re able to go and put a geo-fence, map out, and be able to … [25:59] if you’re going to do commercial side of it … being able to go in and fly around a certain point.

So, there’s a lot of data. So, what do you do as you’re going in and bringing in this other item? We have built into it our SQLite Viewer. The SQLite Viewer isn’t just to view data. It’s able – and what you can do is drag and drop, match primary keys to foreign keys, being able to build on-the-fly SQL queries for any application that you have in exposed SQLite database, or multiple SQLite databases within an application. You’re able to now go and link all of those over in a drag-and-drop function. So, essentially, you have just supported the application.

So, the data is there and available for you, even if it’s an unsupported app from these drones. Because, I’m telling you, if a company says, “We support every app that’s out available,” they’re lying to you. There’s no way that you can go and employ enough people to go and support every app currently available. You will run into a drone application that is not supported. Because DJI is not the only game out there. What if you run into another application utilized as a controller for a different drone and a different manufacturer?

Well, there you go. We’re able to support that, directly within Oxygen Forensic Detective and with the viewer to build your own [27:18], to build this item, and now create a report and have it available.

Now, let us know, so that we can build in the support, but you don’t have all day to wait, especially when the case in there does not [27:30] I need to have this information.

Okay, so we start talking about now clouds. If we look at with the cloud – because remember, we talked about we have the drone itself. Alright, great. We have the drone, we have the controller that they used for the applications. Now how about cloud? Or say if I didn’t have that information, how can I go … and we can talk about the cloud … obviously, we support a lot of cloud storage itself, as well as two-factor authentication on a lot of these. But we want to talk about, really, what do we do, and how, and why do we care to have any type or do, say, cloud forensics for or with our DJI.

So, this is why. You’re going to find a digital information that, say, even a physical acquisition of the device doesn’t yield. Because DJI does quite interesting things to log files on the device itself, once the drone itself obtains a home location. Once it obtains a home location, as soon as it’s turned on, GPS coordinates, DJI does some crazy stuff to the logs. So, it becomes a little bit more difficult. So, utilizing, say, the cloud store to get additional evidence, additional stuff that might not be available on the controller itself or on the drone physically.

But what happens if I crash the drone, or it burns up, or it goes and you can’t find it? So, you don’t have the drone available. It’s just not available. Not all is lost. You still have the cloud. So long as they’re utilizing DJI cloud – again, it has an asterisk on that – to back up the information, to back up the logs that they have. And then, obviously, in mobile devices, when you’re doing digital devices, what happens if it actually [29:28]? What do I do? What are some problems that we might run into?

So, how do we go in and how do we get this information from the cloud? Look at this – login and password. Some of this information, with the login and the password, being able to obtain that – so, even doing research on my own account itself, once I go in and add that information, I’m going to use DJI cloud through DJI Go, and if I use DJI Go, I enter that information, my username and password, that is now exposed. It is now exposed to the software, and I’m able to extract that within the application. I now have the login and password, I can now use our cloud extractor.

We are bringing on the ability to also do with the token … like our other support with our cloud … being able to go and utilize a token from a device itself, being able to go now and extract that information, and have it available, even if we don’t have the login and password. Because I’m sure that you guys understand, having a token is golden. Right? Obviously, temporary, right? Not permanence, with the token itself. But having that, we completely bypass any two-factor authentication. I’m sure that you guys are all aware of that. So, having that token is monumental.

Now, if we start talking about it, really, where can we find this? I just talked about it. We could go and we could get it from the mobile app itself. Obviously, during your interview, when you’re speaking to the alleged suspect, “Hey, you have this application …” But you know what, a lot of times, especially … they’re going to utilize obviously … you can go, if they have the email address that’s going to be associated with it, but they have not, say, gone to DJI cloud, you don’t know the password. They like to use the same passwords. We’re going to go and pull out all of those passwords from that device itself, being able to go and maybe utilize those for DJI cloud. Or, hey, because they always want to tell us exactly what their passwords are, you might have to work a little bit harder if you don’t have that.

Some of the things that I just alluded to is talking about the difference between passwords and tokens. I’m sure that you are all aware of this but understand that having username and password is great to be able to do that. We start talking about Google, we start talking about other items built into that, you’re immediately notified. A perfect example on a Google account, because of my travels, if you log into a computer that either the token hasn’t been stored or it’s not recognizable [32:10] IP address somewhere else in the world, you will get a notification on your phone, on your email address, if this is being accessed. [Is this okay?]

So understand that, that these, and the cloud accounts, especially [even after] two-factor authentication, we don’t have that, can be notified. But again, like if we start talking about tokens themselves … no, there’s the notification, you’re good to go, being able to have that. And that’s obviously one of the reasons we’re bringing in the token approach when we start talking about DJI cloud. Being able to now go in and extract that.

So, if we look at this, especially with our DJI cloud, being able to access … it’s extremely easy through our cloud extractor. You could utilize a cloud extractor which is built into Oxygen Forensic Detective, being able to select the DJI cloud, being able to enter the information directly through our cloud extractor, and now, be able to extract that directly into Oxygen Forensic Detective, or even into the … with the Cloud Expert.

So, what are some of the items if I’m going to go in and look at some of the cloud? I mean, account information … because obviously, you just utilize it, you’re going to go with the login and password, you have login and password, or additional account information. If they have multiple drones, being able to now … and show that drone, right? The extraction, from that itself, as well as now the flight history. So, that’s extremely important, because like I mentioned before, and like I’ll talk about with the physical extraction, that can be a little sketchy. That can be a little sketchy because of what happens when the drone is either started up … and even when the SD card, with the logs that are going on to that itself. So, having this information from the cloud, it’s not just, okay, it’s just going to … not just supplement, or it’s going to be the same data. This is new information, when you start talking about historical flights.

So, not only just one, but multiple devices that now can be shown within this DJI [account]. So, again, very important to be able to … and to support this. Now, when we start talking about logs. Logs, or, if we have this with the multiple or other users … logs themselves are a tremendous amount of information. The logs or the [DAT] format, when you start talking about DJI. So, with that being said, it’s going to record, and the flight … and they’re recorded. We will show every second. But the logs are very verbose. Verbose, with that … because we start talking about the drone, and [35:00] the movement on some of these is pretty amazing. So, the GPS is always, always, always, really always logging that information. So you have a lot of different areas and a lot of different points that you have.

So, not only are we getting – and how important is this? – the altitude. When you look at the altitude itself, you look at it, 2500 meters, that’s in the stratosphere. So what you need to understand is the altitude is recorded at the sea level, right? Above sea level. So you have to really take the delta. You have to know, obviously, GPS location – which you get within our maps – being able to go in and now put that, alright, here’s what the elevation is, if that’s [your point], and now have the delta, to get the actual height that the drone itself was flying. Because that might be your case, right? That you might be looking at how high was it flying. But not only that, you start looking at really how fast was it travelling? What direction of travel?

But what’s also important, and I’ve had discussions about this, is how accurate? How accurate is that point? So we look at how many satellites. The more satellites, obviously the more accurate that you have. And we’re talking about three satellites versus 15, I’m going to rely on that, that had … you know, the majority, if I had, of the satellites, of the [hits] that you’re going to look at. Because a lot of times it comes down to, okay, how accurate is this? What are we talking?

Well, you can couple it with not only accuracy of that – were videos taken? Were videos taken of the location? He’s saying, “Well, I didn’t fly it there.” Okay. Well, let’s take a look at these pictures and these videos. Explain to me this. This is the same time. [On the x] if I’m looking at this, this information [36:45] from here, what is … try to explain that.

So, the drone logs. Drone logs are … the other tools are able to go in and, obviously, parse it, and have some of these items, but built into, obviously with our Oxygen Forensic [maps], we’re now able to take multiple flights in, be able to go and overlay this all over a map, within the interface. So, multiple flights, historicals, where they … obviously, where it took off from, being able to research and grab some of that information, again, is very important.

If we start looking … obviously, some of these are with a different … the different formats. It’s important … let me talk just a little bit about this. When we start talking about physical acquisition, that we now support, as with a USB extraction physical, versus a chip-off extraction. There is a difference, because if we start looking … to do a USB extraction, just like a mobile device, I have to turn it on. I have to turn it on, so what happens on a mobile device?

Obviously, on a mobile device, system changes. I have different system changes. With a drone, it’s a tad bit different. Because if a GPS location is now [actualized] by the device itself, you have issues. Because … well, not necessarily issues, but what’s happened is a lot of the, say, previous … the previous flights are now stripped. The headers are stripped, and now finding and getting that information from that itself becomes more difficult, because of obviously the encryption that is on the device itself. And speaking of encryption, the cloud encryption is different than the device encryption versus the app …

So, there’s a lot of, obviously, R&D that we have. A chip-off – being able to go in, and if I remove that itself, being able to go in and dump that itself, you’re going to … recovery can get historical. You get the historical flight and say … because obviously I have not, say, got a new location upon turning that device on.

Now, I have had success in the extraction of always obtaining the previous flight on the physical extraction. Whether I turned it on or not, it’s still there. It doesn’t go and remove that and now give you a new point. I still have that historical flight. But previous to that, say multiple flights, that’s again, if you’re doing it via USB or a physical on that, that’s … just again, going to let you … I’ll be fully honest with you on that.

So, we have a few minutes left. I want to kind of show you the interface here before I go, and show you some of the different formats really quickly, and then hopefully you guys all are able to go in and give this a shot. If you do not have Oxygen Forensic Detective, we’d love for you to contact us and get a demo. We’d love to hand those out.

So, let me move on to this, and make sure that we’re good to go if I go in and escape from this … and we should be able to now see it … okay, perfect. Here is obviously our interface that we have here. I’d love to be able to show you obviously a physical extraction on that. You simply use our extractor, select Physical Acquisition and DJI, and you’re great, you’re good to go on that. Then I’m just going to talk a little bit about some of these other items right here, a physical extraction that I have here, of this Spark.

I just want to point out a little bit of the file browser itself, which is tremendous, because if we start looking at the file browser, you guys will probably immediately notice – what type of file system are we talking about? If we simply look here, this kind of spells it out for you, right? User data, data, and that side of it. So now, the logs … so we’re going to get logs … there’s over 2000 files within here. It’s again tremendous amount of information that you have that is readily available, calibration information, being able to have a lot of the camera information that’s set up. But I want to point out, obviously, we have here with our black box and the black box area that’s listed out over here. And listed directly into here, we now have flight logs. We now have flight logs that are listed out into this area, [within] on the physical side of it. And that’s just a small part of this within, again, our physical side of it.

What does [it particularly here] look for? Obviously, with the images, it’s quite interesting, some of the images, the calibration images. But if we look at this, and we start talking about, alright … well, I want to look at or grab some information within the timeline, because in the timeline, I want to go in and gather within the geo side of it…

Show me some of the information. You’ll notice directly over here, in [41:52] information, it’s given me a ton of information. Ground speed, altitude, that I had talked about, the location of where it was and where it had flown. We want to go right here. We’re going to take a look at our maps and routes for all of these points. Again, this is just for the single drone or the physical image that we’re talking about that’s listed out over here.

So now we have this … it opens up within our map itself, and immediately, we now display the flight path that we have here in Singapore. Selecting any of these points themselves allows me to see exactly what was occurring at that particular point. Say that you had a crash, something going on that’s over here. Being able to go in and find not only the dates and times, the exact time that we have in there, but being able to go in and see, okay, how fast we were travelling, how many [42:48] what direction, the direction of travel that … listed out over here.

So, again, extremely important … again, this is just … we wind up looking at the different … or grabbing the different flights that you might have. Looking at the additional … or additional flights. There’s actually three flights that are listed out over here that I did. Three flights that are listed. I took that off, it got a new home location, and everything else. So, I could go and get rid of these, and we could simply look at these other items, right? Now I have this other. And I actually flew this, so I know that … what had occurred. I had the initial point that is listed out over here, that I have here with this. The initial point, when I’m getting ready to go for this, and it didn’t quite calibrate, and now I have that. I have this other point that’s listed out in … for this physical acquisition, for that particular date that I have listed.

Again, tremendous amount of information that you’re able to go in and show.

Same thing if we start looking about our applications. Here’s an iOS backup. Here’s all the application data that’s listed out over here. You’re able to now go and have all of the application information for this drone. Being able to show a lot of the information – the videos or any of the other items that you have here. Any cached media, any account information. It’s all listed for you. Even deleted data. Being able to parse through that information.

But what if you had multiple events that you have all this information within one case? I have additional flights that are listed here, additional flights that are listed here, the camera itself, being able to go in and actually watch videos, it’s great video that we have on here. I won’t show it to you, in the interests of time. But now, at the case level, being able to now formulate a timeline for all of this information, everything that’s listed out within our geo, for every one of these items. Again, extremely important to be able to collectively analyze a lot of this information. All into one area.

So, being able to take all of the information, all the data, and putting it on with the drone, with respect to being able to show your cloud information within one case. Being able to show the physical acquisition from it. Being able to show a chip-off if you did a chip-off. Being able to show an SD card. Being able to show the mobile applications, all within one interface. All within one area. It’s going to now go in and paint a better picture of your investigation.

I’ll leave you with this, because we’re running out of time. You need to understand that as part of your investigations, not to get so laser-focused or tunnel vision on simply just the drone. Simply looking at with the drone itself … there are lots of other types of information that you want to go in, and that you need to go in and look for.

Cloud, SD card, application. And now, collectively analyze that. Because you will run into drones, you will have … it will be in a case where they’re working for the federal government, the state government, the local government. Or even if you’re working the private side of it – someone bringing this to you for a civil suit. This drone ran into the car, caused an accident, that you might have. Some sort of civil suit. You will … you need to be prepared to not only just extract an SD card, but look at the applications for cloud, look at the availability of all of that additional data, from all these different sources that you might run into.

So, what I want to do is I know that some have asked … because what’s quite interesting, we had … I think almost 400 or 500 registrations. For some reason, only … I don’t think everyone was even allowed to get on. This … it has been recorded. It will be on Forensic Focus. You’ll be able to review this. If there are any questions that you guys have, we would love to hear from you. And you can go in and, obviously, if you’re looking for, “Hey, I really want to try this out,” not only just for drones – obviously we support, with the mobile device side of it, Android, iOS, your feature phones that you run into that.
There’s logical … all that great stuff. It gets you a full look. We would love to hear from you. We would love to send you out a demo, and for you to try it and for you to decide for yourself.

So, if you have any other questions, you can go ahead and send it to either support@oxygen-forensic.com, or you could also do into … you can send them to me as well, as lee.reiber@oxygen-forensic.com. We’d love to hear from you. And I thank everyone for attending.

End of Transcript
