Damaged Device Forensics

Steve Watson discusses his research at DFRWS US 2018.

Steve: [ETL] was a recent technology startup, we’re a small team of engineers that are focused primarily on [embedded] technology. So, people say “You’re the drone guy, you’re the chip-off …” [some other …] it’s just embedded devices, that’s what we … the easiest way to remember us.
So, let’s just see if the video will play.

Steve: I feel like I can just sit down now.


I have a few other things maybe to tell you. That when we first proposed this project to DHS, it was about two, two-and-a-half years ago, and then, at that point in time, there was really little industry penetration with drone forensics at that time. There was a couple of … University of New Haven had done some research, [06:13] out of the UK had done some research on drones, but there wasn’t vendor support at that time, and we just saw a gap that needed to be filled. At the same time, drones were coming over the border, they were landing at sensitive government locations, and they were showing up in labs. And labs were needing to know, “How do we get the data off of these devices?”

Our approach for this project is to do a complete physical analysis on the consumer professional drones that were touching, and identification of all the available technical information that’s out there. So, if you go and pull our reports, as an example, that I’ll show you a cover image of, it has not only what we’ve found, but everything else we’ve found online about them. If somebody else has hacked them, if somebody else has done [teardowns], we want to make all of that available to you, so you can find it.

For data acquisition, one of the important things was to … if you’re trying to teach our industry how to deal with a new technology, if we can take the skills people already know and apply them to this new technology area, it helps us get to being able to deal with crisis faster. So, we wanted to take existing data acquisition methodologies and apply those against these devices. On each of the devices, we attempted a logical acquisition, and any type of way that we could interact with the circuit board – serial, JTAG, SPI, single-wire debug, serial peripheral interface. And then, we also pulled chips, we pulled flash, we pulled microcontroller, [ELMCs], SPI flash, trying to find firmware on these devices to make that available to you guys, so that you can build on this research.

This is an example of the largest one that we have, this is a DJI address, it’s aimed at the agriculture market, and if you … I mean, that’s me standing there, so that’s how tall it is. This is an example of it taking off.

[silence, video plays]

Steve: That is it with 10 liters of liquid, almost 35 pounds of weight attached to the bottom of it. It is fast and agile. And I tell friends and colleagues, “If you’re in an urban environment and ever see one of those flying, you need to get away, because there’s no reason an agriculture drone like that should be flying in an urban environment.” A number of agencies around the world are concerned about that specific threat, and that’s why it’s included, to understand is there data on those devices that would be of evidentiary value to help us answer questions.

The goals of the project: establish base scientific research regarding the application of the existing digital forensic techniques against these devices. So, again, if you can image an SD card in a camera, can you apply that same technique to what’s coming from drones? The good news is yes, you can. The other … identifying procedures and practice that can be utilized by labs on how to get this data out. Everything that we do at DTO, we’re laser-focused on how does this work in a practitioner lab, how can we enable law enforcement to support what they need to. So, this is just the core to what we’re doing. And then, lastly, share the results with the community to support and strengthen law enforcement. Everything that you’re hearing, everything that you’ve seen, everything that you’ll hear me talk about, this information is available to the forensics community.

The scope – initially, it was 20 consumer and professional drones, we wanted to find ones that were available for anyone to purchase. We didn’t want this to require special approval or registration to get it. You can go online and buy these with a credit card. We wanted to identify, are there data artefacts of evidentiary value, identify methods and the process to extract the data, and then share those results with our community.

This is a list of the drones that we have addressed so far. I’m sorry, even on the big screen, it’s probably small for those of you in the back. One of the things that you’ll notice on there is there’s a heavy representation of DJI. The reason is because 80-90% of the market share worldwide, depending on who you read, is DJI drones. So, [a likelihood] one of those is going to show up in a case, it’s probably an 80-90% chance it’ll be DJI. You then also see representation of Yuneec and Parrot drones. Parrot’s commercial company is called senseFly. And those, depending on what you read, represent #2 and #3 of commercial penetration around the world.

Process we used: procure the device, [11:26] the devices with data, interrogate the devices in the lab, apply the normal digital forensic techniques we know, publish the results, and then support the digital forensics community as they’re dealing with these devices. Any time drones show up, the lab team feels like it’s Christmas day, because we have all these devices show up, we have to unpack them, get them ready to go fly, and it really is pretty incredible.

I mentioned in the video, there’s three devices of every model. One of the devices, it is kept intact as an exemplar. We only do logical acquisitions on that. The second device is taken down to the circuit board for us to interrogate the boards and the [12:08] parts on the device. The third device is … we pull circuit boards and pull every chip off to [12:15] acquisitions against those chips.

All of the flights that we do are in a specific location of … the ranch owner you saw in the video has let us use his ranch, 1800-acre ranch in the middle of Colorado, to go fly drones. And if I hand you an unknown dataset, and say “I can’t tell you anything about it,” it makes it more challenging to start to figure out how to parse that. But if I can tell you when it flew, if I can tell you where it flew, if I can tell you details about that drone, as you start dealing unknown … the dataset, then it gives the people that are working and parsing it an advantage to help be able to understand what that data is.

I’m going to go quick, I’m running out of time, so talk about any of these more, but there’s a couple I want to hit for you. An imaging that we do in the lab, we can make all of that available to you. We identify where the devices store data, and we investigate every [pack], every chip that’s on those devices.

Again, mentioned just the application of the normal digital forensic techniques that we all know how to use, we publish the results – this is an important slide – droneforensics.com. If you go to droneforensics.com, you can get access to all of the data that we have released so far. Right now, there’s about 500 GB of data, there is about 1.2 TB that’ll be up in the next couple of weeks. And this is data that you can download and use to make your products better, use in your classes if you’re a vendor, if you are an academic institution … there’s universities that are building curriculums with the datasets. There’s iPhone, Android, drones, cloud data, server data that is there for you to use. Go and do good things with it.

[14:03] elected to add the datasets where they seemed to have [the CFReDS] database, so if you go to [the CFReDS] database on NIST, you’ll see links and pointers there that go to the droneforensics.com page I just showed you.

This is an example of the reports, there’s … I think there’s … I think it’s only three reports that are linked right now. The reports are between six and a hundred pages long. So, they’re incredibly exhaustive, taking you from somebody has just [set] it into your hands, to how do you go all the way to the end and pull the data out.

If you are in law enforcement or you are in the military, we have [slick] sheets that we have created for non-technical first responders. Somebody walks up as they’re patrolling, and finds a drone on the ground, what should they do? This walks them through those steps, technical first responder, and then the digital forensics lab team, when they get it back to the lab.

Interesting information so far. Let me take you to just one last one that I think this crowd will enjoy. This is the Parrot Skycontroller 2, this is the controller for several different models of the Parrot drone, and when we first pulled this out of the box, we always update the firmware before we go fly. Because we’re in the middle of nowhere, we don’t have internet access, so we want to handle it before we get to the ranch. So, if it says “download this file on a USB key, plug it into the controller, and plug an HDMI cable in it,” it’s … [pauses] What?

So, we [did it]. And the video that I’m going to show you here is just that. Pulled out of the box, downloaded the file, plugged it in, and plugged an HDMI cable into it, and we just powered it on …

As it boots, you’ll start to see … you can imagine it coming up through BIOS as you’re seeing lights that are blinking there. In just a moment, you’re going to see me turn to the screen that it’s plugged into. [silence] First thing that happens on the screen is we see the normal Android logo that we would expect to find. It then boots to the full Android operating system. It loads an application and [16:38] into kiosk mode, and you then have the same application that you would download from the Android store or the Apple store, to control this device.

We often hear, in our community, that Android is landing on lots of [headless] devices, that we would never see that there. This is one of the best examples I’ve seen so far, of Android sitting on a device that probably no one would ever plug into a monitor. You can put it in [ADB] mode, and you can pull a normal acquisition on this controller, just like you would any Android phone that you would touch.

Further research questions – more drones, different firmware versions, and drone swarms we’re starting to look at. Thank you for your time.

[applause]

Host: [17:31] time for one or two questions.

Audience member: Have you ever seen any [17:47]?

Steve: Have you seen supply chain attacks? We’re getting lots of questions from that from different groups. That’s one of the reasons … one of the adds we’re just about to do to the droneforensics.com site, is we have located all of the firmware from DJI as a starting point, all the way back to the beginning, we’re starting to go do that for the other companies as well. So, if we know what normal looks like, it becomes easier to see abnormal. So, we’re [18:20] trying to help answer that question.

Host: Any other questions? If not, [18:31].

[applause]

End of transcript
