UAV Forensics and Analysis, What You Do After You Detect and Neutralize a Malicious UAV - Use Case Session - Kovar David, Founder/CEO, Kovar & Associates

Transcript

1. UAV (aka drone) Forensics “Ok, you’ve shot it down, now

   what?”

2. Why is the Relevant?

3. Controlled Use Technologies • Counter UAS (CUAS) solutions beyond detection

   are currently illegal to use domestically with very limited exceptions • Lots of pressure to enable full CUAS use for prisons, critical infrastructure, major public events • “Ok, you’ve shot it down, now what?”

4. Growing Collections of Found UAVs • UAVs found on property

   in many sectors • Little understanding of inherent value • Little means to recognize value • You can start understanding the threat actors and their motivations even without CUAS

5. Drone Forensics – High Altitude View

6. UAV workflow Mission Planning Approval Execution Analysis Delivery ‣ Criteria

   ‣ Airframe ‣ Payload ‣ Operator ‣ Location ‣ Time frame ‣ Business ‣ Site logistics ‣ Safety ‣ Legal ‣ Risk ‣ Flight operations ‣ Logistics ‣ Flight crew ‣ Weather ‣ Flight operations ‣ Data validation ‣ Product generation ‣ Quality assurance ‣ Product delivery ‣ Product support ‣ Lessons learned ‣ Reporting ‣ Billing Each step, each component, leaves evidence and generates intelligence

7. UAV data flows GCS via data link to UAV FC

   Payload operator via data link to UAV mission payload GPS signals Data uplink to cloud PIC to UAV FC via radio controller Telemetry to corporate network Each link, each component, leaves evidence and generates intelligence

8. Evidence Collection

9. Connecting Evidence is Hard “There is no SN number for

   the entire product, however, there is SN number for different components. So you could use one component SN number as the unique identifier such as Flight Controller SN number.” - DJI

10. What Physical Evidence is Available?

11. Collection Steps • Be aware of possible fingerprint evidence •

    Photograph the scene and the drone in situ • Remove the battery if safe to do so – May still be writing data – Engines may turn on – Greater chance of fire • Photograph all components, labels, barcodes

12. UAV First Responder Safety • Some operators do not understand

    the law, or feel that ”the government” is infringing on their rights • Falling UAV can cause injury, prop strikes will cause injury. Remove props • LiPo batteries store lots of energy and can catch fire. Store in fire proof container

13. Evidence Analysis

14. Known Messages in DJI “black box” • Vision Positioning •

    Telemetry • Flight Controls • Gimbal • Motor Status • Flight Status • Position • Battery Status • Battery Serial Number • Battery Voltage • Message Console • Message Config • Message ID • Message Misc • Lots of unknowns still

15. Tactical Evidence Analysis Home Point: 43.005427, -70.987655 at -36.63 meters.

    First position: 43.005433, -70.987647 at 0.000 meters. Last position: 43.005418, -70.987621 at 0.000 meters. Battery barcode: 6171153330369 Battery internal serial number: 1446 Battery manufacture date: 2015-09-04 00:00:00 Battery name: ATL NVT DJ005 Battery version: v255.255.255.255 Device version: v2.4.14.5 GPS space vehicle number version: 9566 2 event messages found in the log: Time Latitude Longitude Height =============== ========== ========== ========= 04:07:43.678000 43.005427 -70.987655 0.000 Motor start time: REQ_RC_NORMAL 04:09:53.418000 43.005349 -70.987662 1.400 Motor stop time: ACT.landing

16. The Internals

17. Strategic Evidence Analysis • What are all the launch locations

    known for this aircraft? • Are any of the known locations for this aircraft at a residence or commercial facility? • How many aircraft have flown over our facility? • What types of aircraft have we seen? • Was the battery on this aircraft on any other aircraft? • Who else has seen this aircraft?

18. Strategic Evidence Analysis Show all aircraft in the database that

    were powered on between two points in time: { "_source" : ["deviceSerial", "timestamp"], "query": { "bool": { "must": { "exists": { "field": "eventData.MotorStart" } }, "filter": [ { "range" : { "timestamp": { "gte" : "1483246800000", "lte" : "1491624000000" } } } ] Show the location of an aircraft at a particular point in time: { "_source" : ["eventData.Gps.lat", "eventData.Gps.lon", "eventData.Pos.lat", "eventData.Pos.lon", "timestamp"], "size" : 10, "query" : { "bool" : { "must" : [ { "dis_max" : { "queries" : [ { "exists" : { "field": "eventData.Gps" } }, { "exists" : { "field": "eventData.Pos" } } ] } }, { "match" : { "timestamp" : "{{timestamp}}" } } ], "filter" : { "match" : { "deviceSerial" : "{{aircraft}}" } } } } }

19. Sensor and Sensor Data • The type of sensor will

    tell you a lot about the purpose of the flight  LIDAR  Optical  NVIR  Thermal  WiFi • The sensor data and metadata will tell you a lot about where it has been, particularly since GPS data is critical for most types of missions

20. Sensors – EXIF Data The purpose of a camera is

    to take a picture, and EXIF data tells a story about the camera and where it was taking pictures. • Image Description : DCIM\100MEDIA\DJI_0030.JPG • Make : DJI • Camera Model Name : FC300S • Date/Time Original : 2016:03:27 10:15:57 • Create Date : 2016:03:27 10:15:57 • GPS Version ID : 3.2.0.0 • GPS Latitude Ref : North • GPS Longitude Ref : West • GPS Altitude Ref : Above Sea Level • Aperture : 2.8 • GPS Altitude : 74.6 m Above Sea Level • GPS Latitude : 40 deg 32' 15.84" N • GPS Longitude : 89 deg 30' 50.63" W • GPS Position : 40 deg 32' 15.84" N, 89 deg 30' 50.63" W DJI Phantoms do not did not record altitude in the EXIF data unfortunately.

21. Sensor Data - Cloud • Consumer – YouTube – Facebook

    – Etc • Commercial – Data Mapper – Airware – Vendor specific Question: Where are the credentials for uploading the imagery data to the cloud?

22. Mobile/GCS Artifacts

23. UAS Exam – Launch Point Evidence Ground Control Station •

    Often a mobile device combined with a radio controller • Vendor applications and community developed • Looking for: – Default settings – Launch points, dates – Owner name, account Other Items • Spare removable media • Other UAVs • Laptops, cell phones, tablets

24. UAS Exam – Ground Control Station Using the data from

    the GCS, you can rapidly plot where the user was flying.

25. UAS Exam – Ground Control Station Application configuration files contain

    interesting information Drone Deploy: • ajs_user_id • %22dkovar%40kovarllc.com%22 Pix4D: • 2016-03-27 10:34:03 [V] [WaypointCustomMissionDJI3::87] create wp at (4x.xxx689,- 8x.xxx918) altitude: 50.000000 • displayBtnLogout(YES,username: [email protected]) • 2016-03-27 11:25:24 [D] [AppDelegate::38] DJI Pilot: • kUserDefaultKeyAircraftLocation – 4x.xxx448,-8x.xxx675,-1577 (My house) • com.facebook.sdk:serverConfiguration1383125992006153 - <62706c69 73743030 …>

26. Closing Thoughts

27. Closing Thoughts - Forensics The UAV is paired with controller

    & The UAV is also paired with ground control station Means unique IDs Means forensic evidence linking devices

28. Closing Thoughts • Cybersecurity: • The proper term for drones

    is sUAS – small unmanned aerial system. Take a system approach to security and investigations, do not treat the vehicle as a discreet or standalone element. • Law & Policy: • UAVehicle. Apply law and policy to the risk/threat posed by the sensors and services rather than by the delivery mechanism [email protected] - www.kovarllc.com