Damaged Device Forensics

Steve Watson discusses his research at DFRWS US 2018.

Steve: [ETL] was a recent technology startup, we’re a small team of engineers that are focused primarily on [embedded] technology. So, people say “You’re the drone guy, you’re the chip-off …” [some other …] it’s just embedded devices, that’s what we … the easiest way to remember us.
So, let’s just see if the video will play.

Steve: I feel like I can just sit down now.

I have a few other things maybe to tell you. When we first proposed this project to DHS, it was about two, two-and-a-half years ago, and at that point in time there was really little industry penetration with drone forensics. There was a couple of … University of New Haven had done some research, [06:13] out of the UK had done some research on drones, but there wasn’t vendor support at that time, and we just saw a gap that needed to be filled. At the same time, drones were coming over the border, they were landing at sensitive government locations, and they were showing up in labs. And labs were needing to know, “How do we get the data off of these devices?”


Our approach for this project is to do a complete physical analysis on the consumer and professional drones that we’re touching, and identification of all the available technical information that’s out there. So, if you go and pull our reports, as an example, that I’ll show you a cover image of, it has not only what we’ve found, but everything else we’ve found online about them. If somebody else has hacked them, if somebody else has done [teardowns], we want to make all of that available to you, so you can find it.

For data acquisition, one of the important things was to … if you’re trying to teach our industry how to deal with a new technology, if we can take the skills people already know and apply them to this new technology area, it helps us get to being able to deal with crises faster. So, we wanted to take existing data acquisition methodologies and apply those against these devices. On each of the devices, we attempted a logical acquisition, and any type of way that we could interact with the circuit board – serial, JTAG, SPI, single-wire debug, serial peripheral interface. And then, we also pulled chips, we pulled flash, we pulled microcontrollers, eMMCs, SPI flash, trying to find firmware on these devices to make that available to you guys, so that you can build on this research.

This is an example of the largest one that we have, this is a DJI Agras, it’s aimed at the agriculture market, and if you … I mean, that’s me standing there, so that’s how tall it is. This is an example of it taking off.

[silence, video plays]

Steve: That is it with 10 liters of liquid, almost 35 pounds of weight attached to the bottom of it. It is fast and agile. And I tell friends and colleagues, “If you’re in an urban environment and ever see one of those flying, you need to get away, because there’s no reason an agriculture drone like that should be flying in an urban environment.” A number of agencies around the world are concerned about that specific threat, and that’s why it’s included, to understand is there data on those devices that would be of evidentiary value to help us answer questions.

The goals of the project: establish base scientific research regarding the application of the existing digital forensic techniques against these devices. So, again, if you can image an SD card in a camera, can you apply that same technique to what’s coming from drones? The good news is yes, you can. The other … identifying procedures and practice that can be utilized by labs on how to get this data out. Everything that we do at VTO, we’re laser-focused on how does this work in a practitioner lab, how can we enable law enforcement to support what they need to. So, this is just the core to what we’re doing. And then, lastly, share the results with the community to support and strengthen law enforcement. Everything that you’re hearing, everything that you’ve seen, everything that you’ll hear me talk about, this information is available to the forensics community.

The scope – initially, it was 20 consumer and professional drones, we wanted to find ones that were available for anyone to purchase. We didn’t want this to require special approval or registration to get it. You can go online and buy these with a credit card. We wanted to identify, are there data artefacts of evidentiary value, identify methods and the process to extract the data, and then share those results with our community.

This is a list of the drones that we have addressed so far. I’m sorry, even on the big screen, it’s probably small for those of you in the back. One of the things that you’ll notice on there is there’s a heavy representation of DJI. The reason is because 80-90% of the market share worldwide, depending on who you read, is DJI drones. So, [a likelihood] one of those is going to show up in a case, it’s probably an 80-90% chance it’ll be DJI. You then also see representation of Yuneec and Parrot drones. Parrot’s commercial company is called senseFly. And those, depending on what you read, represent #2 and #3 of commercial penetration around the world.

Process we used: procure the device, [11:26] the devices with data, interrogate the devices in the lab, apply the normal digital forensic techniques we know, publish the results, and then support the digital forensics community as they’re dealing with these devices. Any time drones show up, the lab team feels like it’s Christmas day, because we have all these devices show up, we have to unpack them, get them ready to go fly, and it really is pretty incredible.

I mentioned in the video, there’s three devices of every model. One of the devices is kept intact as an exemplar. We only do logical acquisitions on that. The second device is taken down to the circuit board for us to interrogate the boards and the [12:08] parts on the device. The third device is … we pull circuit boards and pull every chip off to [12:15] acquisitions against those chips.

All of the flights that we do are in a specific location of … the ranch owner you saw in the video has let us use his ranch, an 1800-acre ranch in the middle of Colorado, to go fly drones. And if I hand you an unknown dataset, and say “I can’t tell you anything about it,” it makes it more challenging to start to figure out how to parse that. But if I can tell you when it flew, if I can tell you where it flew, if I can tell you details about that drone, as you start dealing with unknown … the dataset, then it gives the people that are working and parsing it an advantage to help be able to understand what that data is.

I’m going to go quick, I’m running out of time, so I won’t talk about any of these more, but there’s a couple I want to hit for you. Any imaging that we do in the lab, we can make all of that available to you. We identify where the devices store data, and we investigate every [pack], every chip that’s on those devices.

Again, I mentioned just the application of the normal digital forensic techniques that we all know how to use, we publish the results – this is an important slide – droneforensics.com. If you go to droneforensics.com, you can get access to all of the data that we have released so far. Right now, there’s about 500 GB of data, there is about 1.2 TB that’ll be up in the next couple of weeks. And this is data that you can download and use to make your products better, use in your classes if you’re a vendor, if you are an academic institution … there’s universities that are building curriculums with the datasets. There’s iPhone, Android, drones, cloud data, server data that is there for you to use. Go and do good things with it.

[14:03] elected to add the datasets where they seemed to have the CFReDS database, so if you go to the CFReDS database on NIST, you’ll see links and pointers there that go to the droneforensics.com page I just showed you.

This is an example of the reports, there’s … I think there’s … I think it’s only three reports that are linked right now. The reports are between six and a hundred pages long. So, they’re incredibly exhaustive, taking you from somebody has just [set] it into your hands, to how do you go all the way to the end and pull the data out.

If you are in law enforcement or you are in the military, we have slick sheets that we have created for non-technical first responders. Somebody walks up as they’re patrolling, and finds a drone on the ground, what should they do? This walks them through those steps, then the technical first responder, and then the digital forensics lab team, when they get it back to the lab.

Interesting information so far. Let me take you to just one last one that I think this crowd will enjoy. This is the Parrot Skycontroller 2, this is the controller for several different models of the Parrot drone, and when we first pulled this out of the box … we always update the firmware before we go fly, because we’re in the middle of nowhere, we don’t have internet access, so we want to handle it before we get to the ranch. So, if it says “download this file on a USB key, plug it into the controller, and plug an HDMI cable in it,” it’s … [pauses] What?

So, we [did it]. And the video that I’m going to show you here is just that. Pulled out of the box, downloaded the file, plugged it in, and plugged an HDMI cable into it, and we just powered it on …

As it boots, you’ll start to see … you can imagine it coming up through BIOS as you’re seeing lights that are blinking there. In just a moment, you’re going to see me turn to the screen that it’s plugged into. [silence] First thing that happens on the screen is we see the normal Android logo that we would expect to find. It then boots to the full Android operating system. It loads an application and [16:38] into kiosk mode, and you then have the same application that you would download from the Android store or the Apple store, to control this device.

We often hear, in our community, that Android is landing on lots of headless devices, that we would never see that there. This is one of the best examples I’ve seen so far, of Android sitting on a device that probably no one would ever plug into a monitor. You can put it in ADB mode, and you can pull a normal acquisition on this controller, just like you would any Android phone that you would touch.

Further research questions – more drones, different firmware versions, and drone swarms we’re starting to look at. Thank you for your time.


Host: [17:31] time for one or two questions.

Audience member: Have you ever seen any [17:47]?

Steve: Have you seen supply chain attacks? We’re getting lots of questions about that from different groups. That’s one of the reasons … one of the additions we’re just about to make to the droneforensics.com site is that we have located all of the firmware from DJI as a starting point, all the way back to the beginning, and we’re starting to go do that for the other companies as well. So, if we know what normal looks like, it becomes easier to see abnormal. So, we’re [18:20] trying to help answer that question.

Host: Any other questions? If not, [18:31].


End of transcript
