Forensic Examination of Drones
In September, 2019, Iran was alleged to have launched a 25 drone attack on Saudi Aramco that shut down approximately half of Saudi Arabia’s oil production. This was described by CNBC as a “wake-up call” to major world powers, but it is also a wake-up call to forensics specialists who are called upon to investigate drones.
The drone forensics field is still in nascent stages of development.
“We seek to answer basic investigative questions from data stored within the drone or its connected devices,” said Steve Watson, chief executive officer of data recovery and digital forensics firm VTO Labs. “Where did the drone take off from? Has the drone flown other routes? Can we identify who the drone is registered to? What devices or networks has the drone connected to?”
These are great questions—but a majority of forensics experts lack extensive experience with drones and the technology that drones are equipped with. They don’t know all of the information that is potentially available to them, or how they can use this data in their work.
Drones are most often deployed to capture and relay geo-location information that they provide as they are taking photo and video images at specific locations. For example, at the scene of a major traffic accident on a busy Interstate highway, drone-captured photo documentation can dramatically reduce the amount of time that lanes need to be shut down and an area cordoned off for forensics investigations of the accident scene. This reduces traffic jams and congestion.
However, digital forensics experts like Lee Reiber, who has spent decades in law enforcement and is COO at Oxygen Forensics, says there is much more data on a drone that the forensics specialists could exploit.
“Drones have black boxes on them that contain an extraordinary number of data points that can be used to deduce information,” said Reiber. “An example would be a drone that flies into the White House. The operator of the drone says he didn’t mean to fly into the White House, but then when you drill down into the black box data that is stored on the drone, you discover that the drone suddenly accelerated as it neared the wall of the White House for impact.”
There is other onboard data that a drone contains. For instance, the military can tell whether a drone is or has hovered at certain locations for certain periods of time, or if there is a battery drain which could reflect the dropping of a payload at a certain location and point in time—or a change of rotor speed on one of the drone’s propellers that might indicate the drop of an explosive or other payload.
“You can also capture the serial numbers of drone batteries,” said Reiber. “This is possible because the internal controller or the operating system on the drone automatically records the drone’s battery serial number. If you have a terrorist group that is launching multiple drones, it’s not uncommon for the group to swap out batteries. One month later, you might capture information from a second drone and find the same battery serial number on that drone. This would suggest that a specific group was responsible for multiple drone attacks.”
What recommendations does Reiber have for forensics specialists who want to improve the amount and the quality of information that they collect from drones?
- Treat the drone as a piece of evidence. “For any incident involving a drone, there is always a first responder to the incident,” said Reiber. “First responders should be trained so they treat drones as pieces of evidence, instead of just discarding the destroyed drone. Also, when you are transporting the drone from the scene of the incident to a forensics lab, you shouldn’t just place the drone in the trunk of your vehicle. Handle the drone carefully. It could contain evidence of fingerprints or blood.”
- Preserve the drone and its controller. There are chips onboard the drone, even if it is largely destroyed, that can be extracted and mined for information.
- Extract data from the drone’s controller, chip and solid state memory. Even if a drone is largely destroyed, data can still be extracted from onboard chips, controllers or solid state memory cards. In some cases this is as easy as connecting to these objects through a USB port.
For professional land surveyors and geospatial professionals who might discover a lost or crashed drone in a remote location, the cautions about protecting the potential evidence the drone might contain are good advice. At the very least, it might help to locate the owner. There are also implications if your own drone is lost or stolen. This can include recovering the drone, but it may also lead to discovering how the drone was used while it was missing. Commercial drone users may also find some of the “forensic” tools useful in examining the performance of their UAVs. And, perhaps not the last word, the drone or its components may still be traceable back to you even after you have sold it.