How do you extract forensic data from an aerial drone? Very carefully
Aerial drones might someday deliver online purchases to your home. But in some prisons, drone delivery is already a thing. Drones have been spotted flying drugs, cell phones and other contraband over prison walls, and in several cases, drug traffickers have used drones to ferry narcotics across the border.
June 6, 2018 By Rich Press
If those drones are captured, investigators will try to extract data from them that might point to a suspect. But there are many types of drones, each with its own quirks, and that can make data extraction tricky. It would help if investigators could instantly conjure another drone of the same type to practice on first, and while that may not be possible, they can now do the next best thing: download a “forensic image” of that type of drone.
A forensic image is a complete data extraction from a digital device, and the National Institute of Standards and Technology (NIST) in the United States maintains a repository of images made from personal computers, mobile phones, tablets, hard drives and other storage media. NIST was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the U.S.’s oldest physical science laboratories.
The images in NIST’s Computer Forensic Reference Datasets, or CFReDS, contain simulated digital evidence and are available to download for free. Recently, NIST opened a new section of CFReDS dedicated to drones, where forensic experts can find images of 14 popular makes and models, a number that is expected to grow to 30 by December 2018.
“The drone images will allow investigators to do a dry run before working on high-profile cases,” said Barbara Guttman, manager of digital forensic research at NIST. “You don’t want to practice on evidence.”
The drone images were created by VTO Labs, a Colorado-based digital forensics and cybersecurity firm. NIST added the images to CFReDS because that website is well-known within the digital forensics community. “Listing the drone images there is the fastest way to get them out to experts in the field,” Guttman said.
Work on the drone images began in May of last year, when VTO Labs received a contract from the Department of Homeland Security’s (DHS) Science and Technology Directorate.
“When we proposed this project, there was little existing research in this space,” said Steve Watson, chief technology officer at VTO. The drone research was needed not only to combat drug smuggling, but also to allow officials to respond more quickly should a drone ever be used as a weapon inside the United States.
For each make and model of drone he studied for this DHS-funded project, Watson purchased three and flew them until they accumulated a baseline of data. He then extracted data from one while leaving it intact. He disassembled a second and extracted data from its circuit board and onboard cameras. With the third, he removed all the chips and extracted data from them directly. He also disassembled and extracted data from the pilot controls and other remotely connected devices.
“The forensic images contain all the 1s and 0s we recovered from each model,” Watson said. The images were created using industry standard data formats so that investigators can connect to them using forensic software tools and inspect their contents. The images for each model also come with step-by-step, photo-illustrated teardown instructions.
Watson was able to retrieve serial numbers, flight paths, launch and landing locations, photos and videos. On one model, he found a database that stores a user’s credit card information.
Investigators can use the images to practice recovering data, including deleted files. Universities and forensic labs can use them for training, proficiency testing and research. And application developers can use the images to test their software. “If you’re writing tools for drone forensics, you need a lot of drones to test them on,” Guttman said.
A description of the drone images and instructions for accessing them are available on the new drones section of the CFReDS website.
(This article was originally published here.)
Rich Press is a science writer/public affairs specialist with the National Institute of Standards and Technology (NIST).
Print this page