Professional Documents
Culture Documents
3-31-2018
Tasmina Islam
International Association of Engineers, tasmina.ukc@gmail.com
Part of the Computer Law Commons, and the Information Security Commons
Recommended Citation
Azhar, M A Hannan Bin; Barton, Thomas Edward Allen; and Islam, Tasmina (2018) "Drone Forensic
Analysis Using Open Source Tools," Journal of Digital Forensics, Security and Law: Vol. 13 : No. 1 , Article
6.
DOI: https://doi.org/10.15394/jdfsl.2018.1513
Available at: https://commons.erau.edu/jdfsl/vol13/iss1/6
This article is available in Journal of Digital Forensics, Security and Law: https://commons.erau.edu/jdfsl/vol13/iss1/
6
Drone Forensic Analysis Using Open Source Tools JDFSL V13Nl
ABSTRACT
Carrying capabilities of drones and their easy accessibility to the public have led to an increase in
crimes committed using drones in recent years. For this reason, the need for forensic analysis of
drones captured from the crime scenes and the devices used for these drones is also paramount.
This paper presents the extraction and identification of important artefacts from the recorded
flight data as well as the associated mobile devices using open source tools and some basic scripts
developed to aid the analysis of two popular drone systems- the DJI Phantom 3 Professional and
Parrot AR. Drone 2.0. Although different drones vary in their operations, this paper extends the
extraction and analysis of the data from the drones and associated devices using some generic
methods which are forensically sound adhering to the guidelines of the Association of Chief Police
Officers (ACPO).
Keywords: Digital forensics, Drone forensics, Open source tools, DJI Phantom, AR Drone 2.0.
l. INTRODUCTION
Drones, also known as unmanned aerial Mikelionis, 2018), such as dropping weapons,
vehicles (U AV) , are being increasingly popular phones, drugs into prisons or delivering drugs
amongst public due to their accessibility and or sometimes arms in and out of a country
affordability. This popularity is not only bypassing borders. As well as smuggling, the
helping in rapid growth of global commercial camera mounted onto a drone, either as a
market of UAVs (Majendie & Chia, 2018; static recording or a live streaming device,
Moskwa, 2016) but also inevitably increasing raises significant data privacy concerns for
drone crimes (Yeung, 2016). The carrying organisations and public. Also, the ability of
capabilities of drones over long distances drones capturing pictures or videos of
(UAV, 2018) and their remote operation make operations in designated no-fly-zone areas of
drones ideal for transport of contraband, also airspace (CAA, 2015), such as, airports,
known as smuggling (BBC, 2016; Yeung, military base and power stations, presents a
2016) , the most widely committed drone crime. significant security threat. Drone-mounted
This type of drone crime has become prolific in cameras are also being used for traditional
the UK and around the world (Dinan, 2017; crime such as burglary (Barrett, 2015;
Siddique, 2017). Furthermore, drones are being operation and their capabilities and some
utilised as deadly weapons m countries generic methods reported in (Barton & Azhar,
involved in conflict. Mostly hovering-type 2018) will be applied in this paper for the
drones such as the DJI Phantom or similar, are analysis and comparison of results between
used in these type of attacks (Rambling, 2017; the two drone models.
Waters, 2017).
The remainder of the paper is organised as
Due to the rise in criminal activities, the follows: Section 2 reviews the existing research
need for forensic analysis of the captured in relation to forensic analysis of drones,
drones has augmented immensely. After Section 3 discusses the methodology used to
capturing the drone, a forensic analysis can analyse the drones and accompanying mobile
provide a lot of information about the platform. In Section 4 results of the analysis
potential suspect of a crime based on the data are reported and finally Section 5 concludes
gathered from on-board sensors and other the paper.
electronics that assist with flight and
navigation, as well as the camera and digital
2. LITERATURE REVIEW
storage. This can also help in preventing A forensic analysis of U AV system using
further crime. Interpreting the flight data and Parrot Bebop UAV is reported in (Horsman,
tackling the multi-platform nature of drones 2016). The author highlighted some key areas
are the major challenges in forensic analysis of of analysis including acquisition of data,
drones. This paper presents the extraction and establishing flight data and the ownership,
interpretation of important artefacts found in these pose a variety of challenges to the digital
the recorded flight logs on both the internal forensic investigators. Firstly, the presence of
memory of the U AV and the controlling identifying artefacts such as name and address
application, as well as analysis of media logs is not essential for drone operation, it is
and other important files for identifying possible to operate a drone with little or no
artefacts with the use of open source tools as identifying artefacts left on it. Which is in
they are flexible and meet guidelines on the complete contrast to forensic investigation
admissibility of evidence (Carrier, 2002). involving mobile devices where an abundance
Additionally, some basic scripts will be used to of personal information is available in the
aid the forensic analysis of two commercially devices. Secondly, to re-create the actions
popular drone systems, demonstrating the taken by the drone, interpretation of the
potential for developing more robust forensic recorded flight data is essential, which is not a
tools applicable to other platforms. The chosen likely skillset of forensic investigator. At a
drones for analysis are -the DJI Phantom 3 minimum, the understanding of timestamped
Professional (DJI, 2018) and Parrot AR. Drone latitude, longitude and altitude measurements
2.0 Power Edition (Parrot, 2017), for ease of is required, as well as speed, battery level and
subsequent reference the drones are designated other data from a host of possible on-board
as DJI and A.R respectively throughout the sensors.
paper. The DJI is a quadcopter drone with a
Modern drone systems are comprised of a
variety of features and capabilities and
number of hardware platforms, which makes
dominating with 70% and Parrot A.R is in
drones a valuable source of forensic artefacts,
second with 7% of market share among
creating the need for forensic research into the
commercially available drones (Valentak,
area. Some of these component platforms
2017). These drones are different in their
contain physically identifiable artefacts such as
serial numbers printed on the casing, which The work reported in (Jain, Rogers, &
can later be matched up to artefacts recovered Matson, 2017) analysed the basic structure of
using digital forensics (Kovar, Dominguez , & five commercially available drones and
Murphy, 2015). Another work (Maarse, proposed some steps, that would aid the digital
Sangers, Ginkel, & Pouw, 2016) presented a investigation of drones. Some of the steps
forensic analysis of DJI Phantom 2 Vision+ , include, risk assessment , collection of data
where flight data related artefacts were from the crime scene, identification of drone
successfully recovered from various components category, weight, fingerprint available on the
of the UAV, including the controller, mobile drone, data signal in Wi-Fi or Bluetooth,
application and the U AV itself. . The recorded memory card, and lastly, documentation of
media of the Phantom 2 Vision+ was found to every steps.
possess Exchangeable Image Format (EXIF)
Another article (Pleban, Band, &
metadata including GPS (Global Positioning
Creutzburg, 2014) analysed the security
System) information. In the absence of flight
threats on A.R Drone 2.0, for example, attack
logs, for example if the images were copied to a
through the Telnet or FTP server or through
separate storage media or the U AV was
Wi-Fi by de-authenticating the real user and
damaged in some way, co-ordinates extracted
proposed encryption to secure the drone. A.R
from EXIF data can be used to recreate a
drones use an embedded Linux operating
flight.
system that governs the flight , camera and
An analysis of the DJI Phantom 3 network interfaces. The drone provides an
Standard edition (Trujano, Chan, Beams, & unsecured (by default) wireless access point.
Rivera, 2016) revealed that an IPv4 network is Once connected, root access to the operating
created between the components of the U AV system is granted via an anonymous telnet
system including the drone, controller, on- port. Root access presents a number of options
board camera and mobile devices. The for acquisition, including imaging internal
controller relays commands to the drone via storage partitions and logical-level copying
radio signal. The smartphone running the DJI (Horsman, 2016).
GO application connects to the controller via
In a recent work (Barton & Azhar, 2018)
Wi-Fi or by USB connection, which provides
utilised open source tools for forensic analysis
access to the network. De-compilation of the
of a multi-platform UAV system. Unlike
DJI GO application revealed the Service Set
commercial toolkits, open source and custom
Identifier (SSID) and password required to
forensics tools have the ability to be tested by
gain access to this network. The authors also
the open source community, meeting what are
discussed (Trujano et al., 2016) several
known as the "daubert" guidelines for the
security issues related to DJI Phantom 3
admissibility of evidence provided by expert
Standard edition.
witnesses (Carrier, 2002). The freedom of using
A detailed security analysis of the DJI open source tools is another advantage over
Phantom 3 Advanced edition is presented in the costly commercial (Zanero & Huebner,
(Luo, 2016). The author identified various 2010). Furthermore, successful custom tools
security issues and their countermeasures by created for one specific case, can be adapted in
several analyses including firmware analysis, other cases involving similar technology.
GPS analysis, radio signal analysis and However, the support available in the form of
Software Development Kit (SDK) updates, bug reporting and additional
authentication.
Table 1.
Drones
Specifications
Name Camera Range
Price Weight
Resolution
DJI Phantom 3 4K (12 5Km
£699.99 1280g
Professional Mega pixels)
380g / 720p (0.9 50m
A.R Drone 2.0 £299.99
420g Mega pixels)
Table 2.
Mobile Platforms
Name Model Android CyanogenMod Kernel Version Installed
Number Version Version Application
Motorola Moto G Moto G3 5.1.l(Lollipop 12.1 (Osprey) 3.10.49- DJI GO v3.1.4
3rd Generation ) g55f6ac8
Samsung Galaxy GT-I9195I 4.4.4 (KitKat) N/ A 3.10.28-5334500 DJI GO v3. l .4
S4 Mini
A scenario was created using the devices by and phone model, operating system etc. will be
simulating the use of the drones in a crime, to crucial m reducing a suspect pool in
generate the required data for acquisition and investigations.
analysis as this is a necessary and established
Another category of artefacts related to
part of forensic research ( Azhar & Barton,
drones is the interpretation of the flight data.
2016). Because of potential privacy and safety
These were collected via various sensors
concerns of using drones, as mentioned earlier,
present on the UAV systems. Some key data of
selection of the location and tests of the
interest were GPS readings, battery levels,
devices were conducted following legal
altitude, acceleration, speed. Analyses of these
guidelines on drone safety (CAA, 2015) . A
data can reveal the actions of the drone during
suitable remote area with tall building
flight . For example, GPS co-ordinate can
structures and open space was chosen to test
reveal from where the drone took off, or in the
the capabilities of the drones. Four waypoints
event of a crash, battery levels can reveal the
over about a 150m radius were established to
time when the drone failed as it can be
test both the manual and automatic function
correlated with time. These data can also be
of the drones.
used to re-construct the flight, which is
An artefact-driven analysis was performed especially important when the drone has been
on the UAVs and the mobile platforms and used in smuggling or other flight-related crime.
were divided into three categories. The first of
The category of artefacts related to drones
these is identification of suspects. In this case,
is the extraction of artefacts from recorded
a suspect is most likely to be the user of the
media which includes any photos or videos
drone, and therefore the main area of interest
taken by the device's camera. All of the drones
in identification is the method of control,
are fitted with at least one camera which is
especially via smartphone. Each drone included
controllable through the smart phone
in this project uses a slightly different method
application or controller. The use of drones as
of control, all with smartphones. The DJI
bombers by ISIS was all recorded via the
Phantom, for example, uses a physical
drone's on-board camera in order to produce
controller in conjunction with commands from
videos (Waters, 2017), and the capture and
the smartphone, transmitted to the drone
analysis of such a bombing drone would be
(DJI, 2018) whereas the A.R Drone 2.0 uses
able to reveal actual and potential targets and
direct connection from the smartphone to the
measures such as evacuation can take place.
drone via Wi-Fi and Bluetooth respectively.
The DJI is equipped with a high-end camera
Each of these methods will leave a different
capable of high resolution photos and videos,
footprint on the drone and identifying artefacts
such as MAC (Media Access Control) address
while the A.R is equipped with two fixed lower environments for forensics tools include
resolution cameras. scripting tools for the Linux operating system
such as Bash, Perl and Python, as well as
Because of the acquisition and the analysis
compiled programmmg · 1anguages sue h as "C"
.
of the artefacts performed on multi-platforms,
A forensic workstation running Kali, a
including the UAV systems, mobile devices,
distribution of Linux, with several forensics
and removable storage, a variety of file systems
and cybersecurity tools was used, as listed in
and interfaces were encountered. Development
Table 3.
Table 3.
Forensic uti ities.
Computer used Operating Utilities
system
However, upon attempting to mount the workstation using the "cat / proc/ filesystems"
image, the format was not recognised. command, it appeared that the "f2fs" file
Identifying this partition in the output of the system was not supported by Kali. To
"mount" command on the test platform overcome this, the "f2fs-tools" (f2fs-tools)
revealed that the "userdata" partition is package for debian was installed. However, on
formatt ed in the Flash Friendly Filesystem, or attempting to mount the image again, the
"f2fs," which is designed specifically for flash mount command returned errors, shown in the
storage devices (Lee et al., 2015). After output of the "dmesg" command in Figure 3.
checking compatible filesystems on the forensic
At a glance, it seemed that the file system work with "f2fs" file systems, was used on the
was corrupted, making the image unreadable. image. The "fsck" tool automatically scans for
To fix this, the image would have to be file system errors and corrects them. A portion
modified. A copy of the image was made in of the output is seen in Figure 4. After this
order to maintain forensic soundness if was completed, the image was successfully
modifications were later questioned in a court mounted on the forensic workstation and was
of law. Then, the tool "fsck.f2fs" from "f2fs- ready for analysis, as seen in Figure 5.
tools," a version of the "fsck" tool designed to
16-01 13)"
Info: superbloch. f,:,atur·'='s = l enc 1·,,pt
Info: supe i-b 1 oc h. <?nc r·ypt 1. "::v,:,, 1 sa 1 t = 00000000(}30 300000000000 3000013000 1 1
DJI GO Application
P,er:son Identifiable
Information
Flight Data Lo gs
(GPS, Sp,eed.,
I USB / 2.4GHz
Wi-Fi
Batte1y Level)
Capturn& Me<lia
Serial N u.mher
DJI Phantom 3 Profossional UAV
Acquisition method:
Mo bite forensics <!), ,<!) Controller Footprint
00
Capture& Media
Serial Number
Pairing Information
Flight Data (Temporal)
Serial Number Acquisition method.: Imaging
Acquisition method: acoess via r,emovable media and internal s.torage
network
Figure 6. DJI Phantom 3 Professional operation and potential artefacts
Once the flights had been performed, the Another area of interest is the UAV's
DJI was taken back to a forensics lab for internal mounted storage. This is a micro SD
analysis . The primary method of data storage card permanently attached to the main board
for the DJI Phantom is the removable micro of the UAV. To access this storage device, the
SD card slot. During the test flight, a 16GB U AV must be switched on and put into "Flight
micro SD card was inserted, which was Data Mode" through the DJI GO application.
provided with the UAV itself. To analyse this The U AV was then connected to the forensic
media, the card was mounted to the forensic workstation via USB and the drive, named
workstation and an image was created using "DJI FLY LOG," was mounted. Analysis of the
the "dd" command. This is a forensically sound file system using "fsstat" showed the drive was
method of acquisition as the device does not formatted in FA T32, and a forensic image of
need to be powered on. An initial check of the the drive was acquired using the "dd"
image using the Linux "file" command shows command. Upon examination, the drive
the card is formatted in the 32-bit File contained a number of "FLYXXX.DAT" files ,
Allocation Table (F AT32) file system. which were detailed flight logs, created by the
DJI's internal operating system and stored in a
The SD card's format is commonly found
proprietary format (Kovar et al., 2015). These
on many mass storage devices and it was
files were copied to a removable storage device
analysed using various Linux utilities. The
for further analysis. There are many online
recorded media produced by the DJI stores
services offering interpretation of these files,
some useful information, including GPS data,
however uploading evidence to a third-party
in the EXIF portion of the file. In order to
server is not appropriate for a forensic
interpret this data, the command line tool
investigation or intelligence purposes, so a tool
"exiftool" (exiftool) was used. Data extracted
designed to interpret and visualise these files,
from the UAV's mass storage devices were
"CsvView" was downloaded and installed to a
then correlated with artefacts extracted from
separate machine running Windows, connected
the DJI GO mobile application, to highlight
to the internet. The tool was established with
links between the controlling application and
a Google Maps API key, allowing it to
the UAV. The controller in this case does not
download imagery from the Google Maps
seem to have any digital storage capacity of
database.
interest and was excluded from the scope of
this investigation.
Table 4.
Fl'i_q.ht record.
Flight Start W aypoints End Description, Notes and Recorded Media
Time Time
1 13:57 Travelled a short distance north 13:18 Test flight for compass calibration
of the Home Point before
returning.
2 14:05 Waypoint 1: 14:06 14:15 Manual flight , GPS assisted, 1 photo and
Waypoint 2: 14:07 one short video taken at each waypoint.
Waypoint 3: 14:12
Waypoint 4: 14:14
3 14:17 Automatic Reconnaissance 14:22 Automatic Flight, GPS Assisted , Using
Flight DJI's built-in Point Of Interest (POI)
Auto Land (Return to home) function , which makes the drone rotate
14:22 around a specified point. Video was
recorded the entire flight.
4 14:34 (Same waypoints at Flight 2, 14:37 In this flight, foil was attached to the drone
time not recorded due to covering the GPS module. The drone was
operator concentrating on flight) operated completely manually independent
Manual Landing of GPS. This simulated the intentional
obfuscation of GPS signals as mentioned in
related work [15] [16].
2) A.R Drone 2.0: An operational diagram storage, meaning the only method of access
of the A.R Drone 2.0 with potential artefacts is was through the UAV's Wi-Fi network. This
shown in Figure 7. A single flight, with the method has been used by both digital forensics
aim of collecting photos and media from the and cyber security researchers to acquire data
UAV and generating data on the A.R free and investigate the drone (Horsman, 2016).
flight application, was performed according to When switched on, the A.R becomes a Wi-Fi
the procedure listed in section 3. Further flight hotspot with the SSID "ardrone2," without any
was decided against due to safety concerns form of authentication. This has become a hot
over wind levels. topic for security researchers and has even
allowed for the development of automated
The structure of the A.R Drone 2.0's
drone hacking tools which target the weak
system results in three areas of interest for
security of drones such as the A.R (Pleban et
forensic artefacts, including the artefacts
al., 2014). Connecting to this network and
generated by the A.R Freeflight application
interfacing with the UAV will invariably
and stored on the UAV's internal and
change digital data on the device. Therefore,
removable storage. The application data was
all actions taken should be in accordance with
acquired using the methods described m
the Association of Chief Police Officers
section 3.1, and the removable storage media,
(ACPO) good practice guidelines for handling
a 512Mb flash drive formatted in the FAT32
digital evidence (ACPO, 2012) principles 2;
file system, was connected to the forensic
the person acquiring the data must be
workstation and a forensic image created using
competent and give evidence for their actions,
the "dd" command for later analysis.
and 3; that an audit trail of processes should
The A.R Drone 2.0 does not have any be created and preserved. The lack of other
hardware ports allowing access to the internal
routes into the A.R's internal memory is complete log will be kept using the Linux
enough to fulfil principle 2 if actions taken are "script" tool, which records all terminal
later questioned, and for principle 3, a commands in a text file.
2 .4 GHz Wi-Fi
.. . .. . ...
@:ript star·ted on Sun 26 Mar· 2017 18:15:39 BST
A[]0;root@lab: -/dronesAGA[[01;3lmroot@labA[[00m:A[[01;34m-/dronesA[[00m# arp -a
gateway (192.168.1.1) at 90:03:b7:92:53:38 [ether] on ·wlan0
A[]0;root@lab: -/dronesAGA[[01;3lmroot@labA[[00m:A[[01;34m-/dronesA[[00m# nmap 192.168.1.1
Once connected to the A.R's access point, scan against this address using the "nmap"
querying the forensic workstations ' Address (nmap) tool reveals three open ports, 21, 23
Resolution Protocol (ARP) table using the and 5555. Service scans from the "nmap" tool
command "arp - a" shows that the U AV has showed they were File Transfer Protocol
the local address "192.168.1.1." Running a port (FTP) and telnet ports respectively, with port
M.:ae
idx
:i.dx -
s>38 _X_
I; _ a:
• •_n._vo
• r- or - , 1 f".i 1
ex 1ft oo1 ' -c " 0o.6f 0o.6f 0o.6f" egrep 'GPS Positionl(reate Date'
Figure 10. Script to retrieve GPS data from media EXIF information
111111 111,1 I·,', i 111°1 ,11MI 111 A# -/drones/d j i/sc ript .sh
Create Date 20 17 : 04 : 01 14 : 07 : 30
GPS Positio n 51. 000000 15 .000000 28 . 380300 N. 0 . 000000 36 . 000000 53 406800
Create Date 2017:04 :01 14 : 07 : 30
GPS Posit io n 51 . 000000 15 .000000 28 . 380800 N. 0 . 000000 36. 000000 53 . 412300 E
Create Date 20 17 : 04 : 01 14 : 07 : 46
Trach. Create Date 2017:04:01 14 : 07 : 46
Media Create Date 2017:04:01 14 : 07 : 46
GPS Positio n 51 . 000000 15 .000000 28 . 378800 N. 0 . 000000 36 . 000000 53 39 1600 E
Create Date 20 17 : 04:0 1 14 : 09 : 10
GPS Positio n 51 . 000000 15 .000000 27 . 342900 ~I. 0 . 000000 36 000000 54 332000
Create Date 2017:04:01 14 : 09 : 10
GPS Pos it io n 51 . 000000 15 .000000 27 . 347600 0 . 000000 36 . 000000 54 . 334400 E
Figure 11. Sample of output from EXIF GPS extractor script
The script executed "exiftool" on all files in those flights were recorded in one file,
the directory, formatting the GPS data to 6 "FLY012.DAT." After processing using
decimal places. The output was then filtered to "CsvView" tool, which converts the file from a
only contain the 'GPS Position' and 'Create .dat to a .csv format, the flights were
Date,' which denotes when the picture or video visualised using the "GeoPlayer" function,
was taken. The output of this script is shown which utilised the Google Maps API Key
in Figure 11. mentioned in section 3.2. A copy of this
visualisation is shown in Figure 12, with each
2) Internal Storage: The files extracted
flight, waypoints 1-4 and point of interest
from the internal storage of the DJI Phantom
(POI) highlighted. It is worth noting the
were analysed using "CsvView" tool (Csv,
supreme accuracy displayed by the automatic
2017). The DJI Phantom 3 operating system
flight function in flight 3, in comparison to the
began recording flight data from the moment
other manual flights . The DJI Phantom was
the U AV is switched on. This meant as flights
able to compensate for wind and other external
1-3 listed in Table 4 were performed in the
same session of drone activity, the data for
factors flying at a constant altitude with time (green), which remains constant under
minimal deviance from the set path. periods of non-activity, as well as the
barometric altitude (blue) and the total
Because it is constantly recorded , the GPS
voltage level of the battery (purple) of the
data alone is not enough to distinguish
UAV. When compared with each other, it can
between individual flights. The DJI Phantom
be deduced that there was three distinct
flight recorder produces a host of other
periods of movement and altitude changes by
artefacts . Plotting these artefacts against each
the drone, were interpreted as flights. The
other using the "CsvView" tool provides a
possible artefacts recoverable from these logs
comprehensive understanding the actions taken
are extremely detailed and are more than
by the drone. Figure 3.1.2.2 shows the flight
necessary to recreate a flight.
Flight 3
Flight 2
,....,
900,000
u
Q.) 95 '1 H
720.000 E
Ill
....., 16 ...
<i:
11.6 J!J
0
Q)
5,0,000 57 0
:...
8.7 ~
E ~
360,000
...
i=
.c
39 .c 5,9
~
8
180,000 19 2.8
.S?
::.:::::
0 0 II
-0 J70 no 1110
t~ tollf,' 1$ ~
Figure 13. Flight time, barometric altitude and total battery voltage plotted using CsvView.
The file "FLY014.DAT" file was identified obstructed simply by covering the module with
as being the log for flight 4, listed in Table 4. aluminium foil. It is quite likely that in a crime
The "GeoPlayer" visualisation for this flight scenario, this measure would be taken to
showed that the GPS data recorded was prevent later forensic analysis of the flight
mostly garbage data that had no relation to path, or to evade no fly zones. In this case,
the actual flight , as shown in Figure 14. investigators must instead rely on other data
According to the Operator's previous from the flight log. The DJI Phantom 3
experience, the recommended amount of GPS Professional is equipped with accelerometers,
signals was about 11, but with the foil which record the acceleration in an axis
obstructing the unit, the DJI struggled to relative to the UAV in metres/ second2 . Figure
receive enough GPS data to successfully 16 shows these readings when plotted against
triangulate a position. To confirm this was the the flight data shown in the previous figure.
case, the flight time and "numSats" (number of
These measurements can be used to
satellites) readings from the flight logs were
reconstruct a flight in 3D space, relative to an
compared, and showed that during flight , the
arbitrary home point. While it would be
"numsats" reading was 0, as shown in the time
possible to perform this analysis manually, the
period (X-Axis) of O to 370 in Figure 15. The
frequency of measurements taken by the
foil was removed after the flight due to fears of
Phantom make it unreasonable, and it would
overheating the drone through obstruction of
be better to develop a tool to do this
the cooling vents.
automatically.
This confirms findings from related work
(Maarse et al., 2016) that the GPS can be
,,...,,
17
u
(1.)
260,000
(/)
13.6 tJ E
.._,..
e
200,000
,ro
(1.)
111.2 1156,000
E
6.8 ::i
C Ul(OOO t;
.c.
3.4 52,000
-;;;:;:~
0 0
Figure 15. CPS health plotted against flight time for flight 4
,-..,
U 4,S 0.6 ,...._
,-.., ,-..,
260,000 N -II N
(/1 .c
...., O.~
208,000 e
.....,. 3·6
'ii
0.7 U'l
.......
U'l
....... -0.5
ti)
.......
0, 2
.._, 0.2 2
.._, :a
.._,
~
~
~ ===========t 156,000 2 ·7 I(/1
0.1
X -0 > -1
1-- - - - - - - - - --1 10 4,000
1 f 1 -8 a. 1j 1j
u -1.5
1j
52,000
.t:.
.!? 0.9
C)
-0.l ti(ti -0.1 u
c::i
8
~
•0.4 -2
. . . - -r--- - :-=--.- - : ~!,-,-------------
740 1110
0 ..:::, 0
3) DJI GO Application: Artefacts from the android test platform, which was acquired
DJI GO application were located in different using methods described in section 3.1. A list
locations within the "userdata" partition of the of these useful directories is shown in table 5.
Table 5
List of useful directories from DJI GO Application
T y pe of
P ath D escriptio n
Artefact
/ media/ 0/ DJI/ dji.pilot/ LOG/ Contains a number of logs relating to drone activity
F light Data
CACHE
This is a log of activity relating to the DJI's built -in no
/ media/ 0/ DJI/ dji.pilot/ LOG /
F light Data fly zone function and contains information such as GPS
CACHE/ NFZ
location.
/ media/ 0/ DJI/ dji.pilot/ LOG / An error log from the U AV containing information on
Flight Data
ERROR - POP - LOG satellite data not being available.
A number of videos taken during flight na med as a date
in the format "YYYY - MM - DD - hh - mm - ss" and
/ media/ 0 / DJI/ dji.pilot / DJI _
Media stored with the "mp4" file extension. For each video file,
RECORD
t here is also a corresponding text file. This contains GPS
data, manufacturing information and capture dates .
F light Data, This directory contains flight data relating to a number
Person of flights. A string search of these files revealed the
/ media/ 0/ DJI/ dji.pilot/ Flight Identifying presence of the "cccu phantom" string, which was the
Record Information, name assigned to the UAV during setup.
UAV Serial
Number
/ media/ 0/ DJI/ dji.pilot/ CAC Thumbnails of various images and videos taken during
Media
HE - IMAGE flight, seemingly random.
The flight record files extracted from the U AV were much larger, often several hundred
"FlightRecord" directory were analysed using Megabytes. Secondly, files were recorded per
the "CsvView" tool for comparison to the .DAT flight from take-off to landing rather than per
flight logs extracted from the Phantom's session of activity, meaning it was clearer when
internal storage. Upon inspection, the files distinguishing between flights. The .txt files
were confirmed to be flight data stored in a also had noticeably more metadata than the
similar format to the .DAT files, but with .DAT files - including serial numbers of the
notable differences. Firstly, the resolution of UAV and the DJI smart battery, application
the recorded data is much lower, with the DJI version information and the operating system
GO application flight records being between of the test platform, as shown in Figure 17.
l Kb and 1Mb, whereas the .DAT files from t he
droneType P3 Advanced
dateTime 2017/04/ 0 1 12:59 :44.964
app Version 3. 1.4
. ..
batterySN
appType
"'
1589
032 1013321
Android
As well as this metadata, several other While the GPS data for flight 4 was also
streams of flight data relating to use of the DJI destroyed by the foil covering the GPS
GO application were available. The "flyCState" receiver, it was also possible to extract the
attribute described whether the Phantom was GPS location of the controlling application.
in manual or automatic mode. Figure18 shows This is a crucial finding as it allows for the
the distance of the U AV from the home point location of the operator at the time of flight.
plotted against the "flyCState" attribute during Anti-forensics measures to counteract this may
flight 3. The automatic POI function generated include GPS spoofing on a software level on
a clearly visible sine wave in the distance the mobile platform, which is possible with free
measurements during the time when the U AV applications available on app markets such as
was in automatic flight mode. This may be a google play.
useful artefact in identifying when the POI
function has been used.
170 .-
E
136
QJ
102 u
C:
68 23
.!!l
34 -C
.;;....,,,,,,,~ ...1,,.------------~-----------__;::..-..a..O
868 930 992
fl)'CS~~ f~
GPS
_ .).
_ ~---~ dstance (m) eC.,
Figure 18. UAV Flight state plotted against distance from home point for flight 3
Table 6
List o.f files acquired from A. R Drone 2. 0 Internal Storage
Path Type Description
The amount of data present in the system "cat syslog.bin I grep UsbKey" and then further
log located at "/ dat a/ syslog.bin" meant scripts filtered. "UsbKeyMonitor" prints the serial
were used to analyse threads of output. For number when a new USB device is attached , so
example, the A.R drone's operating syst em filtering using the word "Serial" produced a
uses a set of processes to access the external history of all the USB keys attached to the
storage with the prefix "UsbKey," including UAV , as shown m Figure 19. Other
"UsbKeyMonitor," "UsbKeyWriter" and information such as the vendor and product ID
"UsbKeyRepairer." The logs from these was also available through this method.
methods were retrieved using the command
:'1!1 ,,·1•·•,:'[ 1 ,1r I• I ··.,, ,1,1i•.i1 :,,11 11 (c1l ·~,-'..,10,;1.t,111 I grc.p "U•_,t,~ey I 9•ep •·seri;_il"
llc,r.~:o'l'r-'r.-nj ~n ,- G 90r, IISB Mc1c;c; St(Hcl(]" Sorial '137r,r,JlRJ('1B,\C'
2.4614 s UsDK9y1-'onitor 6 912 USB Mass Storag9 Serial '2GS205GlA5Bcr703 ·
:,,1 • ll(Jt~~I ~-) UstKn;·i'-'c•n i ~ c r (:i 91':i USH Maass Stor-aqi:, SPriul ·=.. 0::::i)r..:i:,0]11.!A:V~~lf.')J'
1
Filtering the system log for all a log of the use of both the UAV's internal
"UsbKeyWriter" outputs gave a history of all cameras, which video codec is being used and
files created on the removable storage, with other details including resolution. Examination
syst em times in the Linux log epoch format of of the "syslog. bin" file give a comprehensive
seconds. Filtering for the "Video" outputs gives overview of actions carried out by the UAV's
operating system. Values found also reflected 2) Removable Storage: Based on artefacts
values in the "config.ini" files examined in from the system logs, the removable storage
Table 6. Future work should identify whether media only serves the purpose of storing media
modification of the "config.ini" files would files captured from the UAV. A list of all files
change data in the system log, for anti- in the partition using the "tree" command
forensics purposes. confirms this to be the case.
11 de
7~ ~ - ~ - ~ - - ~ - ~ - - ~ - ~ - ~ - - ~ - ~
"albtw e.cw +
6,2
6 . _ _......_ _ _ _ _ _ _ _ _ _ _ _.....__ _ _ _ _ _ __,
All the files were videos, stored with the increments. Also deduced was that the last
"mp4" file extension. Photos were taken during floating point was the altitude of the UAV
the flight; however, none were present on any during flight, as the values steadily changed,
of the UAV's storage media. This is likely due and matched the approximate value of the
to the photos being stored on the mobile flight. The telemetry data was dumped to a
device, and videos being too large to transmit file for analysis with the command "exiftool - b
over the network. Examination of the video - ARDroneTelemetry
files using "exiftool" revealed a number of media20170401 _ 150213 / vide
artefacts, including creation time, the device o _ 20170401 _ 150249.mp4> - / drones/ parrot/ gn
name "Parrot AR.Drone." The uplot / telemetry." A basic script was created to
"ARDroneTelemetry" tag was extracted from convert the data to a comma-separated value
one of the videos using the "-b" option. This file , which could then be visualised using the
appeared as a set of floating point numbers "gnuplot" tool for Linux (gnuplot , 2017). The
and integers, with no labels or column headers. altitude was plotted over the period of the
Using heuristics based on knowledge of the whole video, as shown in Figure 20. Further
phantom system and known flight data, it was work should be carried out to confirm these
deduced that the first of the floating points hypotheses regarding the telemetry data for
was a timestamp, as it increased in regular the A.R Drone 2.0.
3) A.R Freeflight Application: The 2.0 Power edition, have been investigated in
"userdata/ data/ com. parrot.freeflight" this paper. Although, there is operational
directory contained several ."xml" files, with difference between the drones, a number of
names in the format of "< MAC Address of common methods were utilised to recover data
mobile platform> < Timestamp > ." These from drones and controlling devices using open
appear to correlate with sessions of activity on source tools. In comparison to the A.R, the
the UAV. Each file contains a number of flight DJI phantom was found to have an
and application session records, with each extraordinarily large number of artefacts
XML (eXtendable Markup Language) block associated with it, because having more sensors
being named accordingly. The and a higher resolution of data capture, which
"FLIGHT_DRONE _SERIAL" tag displays a comes from its status as a professional device.
matching serial number to the one listed in In both cases, it was necessary to interpret
section 2, meaning these artefacts both exist on flight data collected by the U AVs. At its most
the UAV and the mobile platform and can be simple, this involved interpreting the
used to connect the two during an movements of the U AVs in three-dimensional
investigation. Another XML file, located in space. This was simpler with the DJI as it
"userdata/ com. parrot .freeflight / shared records GPS automatically and work had
_prefs/ Preferences.xml" held a number of already been done in that area to develop a
important artefacts, including the GPS co- tool for easy interpretation of the flight data.
ordinates of the last flight, the email address of Most of the potential artefacts listed in Section
the google account used to download the 3 were found on the U AVs or their controlling
application, and when the application was last systems, and were successfully extracted to
opened. This is the first artefact found that identify a suspect, recreate a flight and capture
directly links the use of a drone to a user media from the devices. Some anti-forensics
account, which can later be used to trace a methods were also successfully tested. Future
user. work should look at the automation of drone
forensics, and explore methods discussed in
The A.R Freeflight application has a media
this paper to other drone models such as DJI
storage location m the platform's
Phantom 4 Pro, DJI Mavic Pro or Parrot
"userdata/ media/ 0/ DCIM" (Digital Camera
Bebop and different mobile platforms such as
!Mage) directory, which contains all the media
Windows and iOS and especially, integration
captured by the UAV's cameras. EXIF data
of the methods discussed here into commercial
for these files varies, some containing GPS
forensic tool-kits.
information which matches the operator
location during the flight, and some only
containing a few details such as the creation
date - it is unclear whether this is due to file
corruption. Again, all GPS readings most likely
originated from the mobile platform as the
UAV does not natively possess a GPS
capability.
5. CONCLUSION
Two multi-platform UAV systems - the DJI
Phantom 3 Professional and Parrot A.R Drone
REFERENCES
ACPO. (2012). ACPO Good Practice Guide Csv. (2017). CsvView Downloads. Retrieved 24
ACPO Good Practice Guide for Digital March 2018 , from
Evidence for Digital Evidence. https: / / datfile.net / CsvView / downloads.ht
ml
Android. (2017). Android Debug Bridge (adb)
I Android Studio. Retrieved 24 March CyanogenMod. (2017). CyanogenMod android
2018, from operating system. Retrieved 24 March
https: //developer.android.com/ studio/ com 2018 , from
mand-line/ adb .html https: / / github.com/ CyanogenMod
Azhar, M. A. H. Bin, & Barton, T. E. A. Dinan, S. (2017). Mexican drug cartels using
(2016). Forensic Analysis of Secure drones to smuggle heroin, meth, cocaine
Ephemeral Messaging Applications on into U.S. - Washington Times. Retrieved
Android Platforms (pp. 27-41). Springer, 23 March 2018, from
Cham. https: //doi.org/ 10.1007/ 978-3-319- https: //www.washingtontimes.com/ news/ 2
51064-4 3 017 / aug/ 20 / mexican-drug-cartels-using-
drones-to-smuggle-heroi /
Barrett, D. (2015). Burglars use drone
helicopters to target homes - Telegraph. DJI. (2018). Phantom 3 Professional - Specs,
Retrieved 23 March 2018, from FAQ, Tutorials, Downloads and DJI GO -
https: //www.telegraph.co.uk/ news/ uknews DJI. Retrieved 23 March 2018, from
/ crime/ 11613568 / Burglars-use-drone- https: //www.dji.com/ phantom-3-
helicopters-to-identify-targe-homes. html pro/ info# specs
Barton, T. E. A., & Azhar, M. A. H. Bin. Gartner. (2018). Gartner Says Worldwide Sales
(2018). Open Source Forensics for a Multi- of Smartphones Recorded First Ever
platform Drone System (pp. 83-96). Decline During the Fourth Quarter of 2017.
Springer, Cham. Retrieved 24 March 2018, from
https: //doi.org/ 10.1007/ 978-3-319-73697- https: //www.gartner.com/ newsroom/ id/ 38
6 6 59963
BBC. (2016). Big rise in drone jail smuggling gnu plot. (2017). gnu plot tool. Retrieved 24
incidents - BBC News. Retrieved 23 March March 2018, from
2018 , from http: //www.gnuplot.info/ download.html
http: //www.bbc.co.uk/ news/ uk-35641453
Rambling, D. (2017). Islamic State Now Using
CAA. (2015). Airspace restrictions for Off-the-Shelf Drones I Defense content
unmanned aircraft and drones I UK Civil from Aviation Week. Retrieved 23 March
Aviation Authority. Retrieved 23 March 2018 , from
2018 , from http: //aviationweek.com/ defense/ islamic-
https: //www.caa.co.uk/ Consumers/ Unman state-s-new-weapon-choice-shelf-drones
ned-aircraft / Our-role/ Airspace-restrictions-
Horsman, G. (2016). Unmanned aerial vehicles:
for-unmanned-aircraft-and-drones/
A preliminary analysis of forensic
Carrier, B. (2002). Open Source Digital challenges. Digital Investigation, 16, 1-11.
Forensics Tools: The Legal Argument. https: / / doi.org/ 10.1016/ J.DIIN .2015.11.002
Moskwa, W. (2016). World Drone Market Seen Waters, N. (2017). belling cat - Death From
Nearing $127 Billion in 2020, PwC Says - Above: The Drone Bombs of the Caliphate
Bloomberg. Retrieved 16 March 2018, from - bellingcat. Retrieved 23 March 2018, from
https: //www.bloomberg.com/ news/ articles