UAV (aka drone) Forensics - Kovar
UAV (aka drone) Forensics
“Ok, you’ve shot it down, now what?”
Why is this Relevant?
Controlled Use Technologies
• Counter UAS (CUAS) solutions beyond detection are currently illegal to use domestically, with very limited exceptions
• Lots of pressure to enable full CUAS use for prisons, critical infrastructure, major public events
• “Ok, you’ve shot it down, now what?”
Growing Collections of Found UAVs
• UAVs found on property in many sectors
• Little understanding of inherent value
• Little means to recognize value
• You can start understanding the threat actors and their motivations even without CUAS
Sources of UAV Forensic Artifacts
Potential Sources – Three Views
There are three ways of thinking about Unmanned Aerial Systems that help an investigator identify all of the potential sources of forensic artifacts.
– Physical
– Process
– Flow
What Physical Evidence is Available?
UAV Operational Process: Mission Planning, Approval, Execution, Analysis, Delivery
‣ Criteria
‣ Airframe
‣ Payload
‣ Operator
‣ Location
‣ Timeframe
‣ Business
‣ Site logistics
‣ Safety
‣ Legal
‣ Risk
‣ Flight operations
‣ Logistics
‣ Flight crew
‣ Weather
‣ Flight operations
‣ Data validation
‣ Product generation
‣ Quality assurance
‣ Product delivery
‣ Product support
‣ Lessons learned
‣ Reporting
‣ Billing
Each step, each component, leaves evidence and generates intelligence
UAV data flows
GCS via datalink to UAV FC
Payload operator via datalink to UAV mission payload
GPS signals
Data uplink to cloud
PIC to UAV FC via radio controller
Telemetry to corporate network
Each link, each component, leaves evidence and generates intelligence
Evidence Collection
Normal vs Forensically Sound
Vendors generally provide mechanisms for extracting some data sources from mobile applications and aircraft. These solutions are sufficient in some circumstances but are not complete or forensically sound
• Access is not provided to all data sources
• Sources may be changing during collection
Normal Data Collection
• Vendor supplied tools
• Synchronize data with vendor sites or third party applications such as iTunes
• Pull digital media and mount on computer
• Use USB connection
Forensic Data Collection
• Open case, extract digital media, use write blockers
• Mobile device forensic analysis tools for GCS
Evidence Analysis
Sensor and Sensor Data
• The type of sensor will tell you a lot about the purpose of the flight
– LIDAR
– Optical
– NVIR
– Thermal
– WiFi
• The sensor data and metadata will tell you a lot about where it has been, particularly since GPS data is critical for most types of missions
Sensors – EXIF Data
The purpose of a camera is to take a picture, and EXIF data tells a story about the camera and where it was taking pictures.
• Image Description : DCIM\100MEDIA\DJI_0030.JPG
• Make : DJI
• Camera Model Name : FC300S
• Date/Time Original : 2016:03:27 10:15:57
• Create Date : 2016:03:27 10:15:57
• GPS Version ID : 3.2.0.0
• GPS Latitude Ref : North
• GPS Longitude Ref : West
• GPS Altitude Ref : Above Sea Level
• Aperture : 2.8
• GPS Altitude : 74.6 m Above Sea Level
• GPS Latitude : 40 deg 32' 15.84" N
• GPS Longitude : 89 deg 30' 50.63" W
• GPS Position : 40 deg 32' 15.84" N, 89 deg 30' 50.63" W
DJI Phantoms did not record altitude in the EXIF data, unfortunately.
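As an added example (not from the original deck), the following Python turns an exiftool-style tag listing like the one above into a camera fix: it converts the DMS GPS strings to signed decimal degrees and tolerates a missing GPS Altitude tag, the gap the note above describes. The sample text is constructed from the slide's own values; all function names are assumptions.

```python
import re

# Constructed sample: exiftool-style "Tag : Value" lines, values taken
# from the slide above (not a real case file).
SAMPLE_EXIF = """\
Make : DJI
Camera Model Name : FC300S
Date/Time Original : 2016:03:27 10:15:57
GPS Latitude Ref : North
GPS Longitude Ref : West
GPS Altitude Ref : Above Sea Level
GPS Altitude : 74.6 m Above Sea Level
GPS Latitude : 40 deg 32' 15.84" N
GPS Longitude : 89 deg 30' 50.63" W
"""

# degrees, minutes, decimal seconds, hemisphere letter
DMS_RE = re.compile(r"""(\d+)\s*deg\s*(\d+)'\s*([\d.]+)"\s*([NSEW])""")


def parse_exif_lines(text):
    """Split 'Tag : Value' lines into a dict; lines without ' : ' are skipped."""
    tags = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, _, value = line.partition(" : ")
        tags[key.strip()] = value.strip()
    return tags


def dms_to_decimal(dms):
    """Convert a string such as 40 deg 32' 15.84" N to signed decimal degrees."""
    m = DMS_RE.match(dms)
    if not m:
        raise ValueError(f"not a DMS string: {dms!r}")
    deg, minutes, seconds, hemi = m.groups()
    value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return -value if hemi in "SW" else value


def camera_fix(text):
    """Return (make, model, timestamp, lat, lon, alt_m); alt_m is None when
    the GPS Altitude tag is absent, as the slide notes for DJI Phantoms."""
    t = parse_exif_lines(text)
    alt = t.get("GPS Altitude")
    alt_m = float(alt.split()[0]) if alt else None
    return (t.get("Make"), t.get("Camera Model Name"), t.get("Date/Time Original"),
            round(dms_to_decimal(t["GPS Latitude"]), 6),
            round(dms_to_decimal(t["GPS Longitude"]), 6), alt_m)
```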
Sensor Data - Cloud
• Consumer
– YouTube
– Facebook
– Etc
• Commercial
– DataMapper
– Airware
– Vendor specific
Question: Where are the credentials for uploading the imagery data to the cloud?
Mobile/GCS Artifacts
UAS Exam – Launch Point Evidence
Ground Control Station
• Often a mobile device combined with a radio controller
• Vendor applications and community developed
• Looking for:
– Default settings
– Launch points, dates
– Owner name, account
Other Items
• Spare removable media
• Other UAVs
• Laptops, cellphones, tablets
UAS Exam – Ground Control Station
Using the data from the GCS, you can rapidly plot where the user was flying.
UAS Exam – Ground Control Station
Application configuration files contain interesting information
DroneDeploy:
• ajs_user_id
• %22dkovar%40kovarllc.com%22
Pix4D:
• 2016-03-27 10:34:03 [V][WaypointCustomMissionDJI3::87] create wp at (4x.xxx689, -8x.xxx918) altitude: 50.000000
• displayBtnLogout(YES, username: [email protected])
• 2016-03-27 11:25:24 [D][AppDelegate::38]
DJI Pilot:
• kUserDefaultKeyAircraftLocation – 4x.xxx448, -8x.xxx675, -1577 (My house)
• com.facebook.sdk:serverConfiguration1383125992006153 - <62706c6973743030…>
Physical Analysis
UAV Flight Data – Onboard & GCS
Connecting Evidence is Hard
“There is no SN number for the entire product, however, there is SN number for different components. So you could use one component SN number as the unique identifier such as Flight Controller SN number.” - DJI
Connecting Evidence is (Not Too) Hard
"aircraft": {
  "camera_serial_number": "08TUE2LSE6023K",
  "app_type": 1,
  "name": "JHA1",
  "serial_number": "08RDDCT00104UK",
  "device_activation": 0,
  "app_version": "4.1.3",
  "type": 13,
  "controller_serial_number": "87D457711843",
  "battery_serial_number": "7865E477111"
},
Known Messages in DJI “blackbox”
• Vision Positioning
• Telemetry
• Flight Controls
• Gimbal
• Motor Status
• Flight Status
• Position
• Battery Status
• Battery Serial Number
• Battery Voltage
• Message Console
• Message Config
• Message ID
• Lots of unknowns still
Elements from different messages in conjunction tell important stories, such as what was in view of the camera at a moment in time.
Tactical Evidence Analysis
Home Point: 43.005427, -70.987655 at -36.63 meters.
First position: 43.005433, -70.987647 at 0.000 meters.
Last position: 43.005418, -70.987621 at 0.000 meters.
Battery barcode: 6171153330369
Battery internal serial number: 1446
Battery manufacture date: 2015-09-04 00:00:00
Battery name: ATL NVT DJ005
Battery version: v255.255.255.255
Device version: v2.4.14.5
GPS space vehicle number version: 9566
2 event messages found in the log:
Time            Latitude   Longitude  Height
=============== ========== ========== =========
04:07:43.678000 43.005427  -70.987655 0.000     Motor start time: REQ_RC_NORMAL
04:09:53.418000 43.005349  -70.987662 1.400     Motor stop time: ACT.landing
Strategic Evidence Analysis
• What are all the launch locations known for this aircraft?
• Are any of the known locations for this aircraft at a residence or commercial facility?
• How many aircraft have flown over our facility?
• What types of aircraft have we seen?
• Was the battery on this aircraft on any other aircraft?
• Who else has seen this aircraft?
Strategic Evidence Analysis
Show all aircraft in the database that were powered on between two points in time:
{
  "_source": ["deviceSerial", "timestamp"],
  "query": {
    "bool": {
      "must": { "exists": { "field": "eventData.MotorStart" } },
      "filter": [
        { "range": { "timestamp": { "gte": "1483246800000", "lte": "1491624000000" } } }
      ]
    }
  }
}
Show the location of an aircraft at a particular point in time:
{
  "_source": ["eventData.Gps.lat", "eventData.Gps.lon", "eventData.Pos.lat", "eventData.Pos.lon", "timestamp"],
  "size": 10,
  "query": {
    "bool": {
      "must": [
        { "dis_max": { "queries": [
          { "exists": { "field": "eventData.Gps" } },
          { "exists": { "field": "eventData.Pos" } }
        ] } },
        { "match": { "timestamp": "{{timestamp}}" } }
      ],
      "filter": { "match": { "deviceSerial": "{{aircraft}}" } }
    }
  }
}
Strategic Evidence Analysis
Show aircraft that shared a battery
{
  "size": 0,
  "aggs": {
    "battery": {
      "terms": { "field": "eventData.BatterySerial" },
      "aggs": {
        "aircraft": { "terms": { "field": "eventData.DeviceSerial.keyword" } }
      }
    }
  }
}
Result bucket:
{
  "key": "0DQADBN03100JS",
  "doc_count": 69,
  "aircraft": {
    "doc_count_error_upper_bound": 0,
    "sum_other_doc_count": 0,
    "buckets": [
      { "key": "07JDD9C001013H", "doc_count": 64 },
      { "key": "07JDDC2001013R", "doc_count": 5 }
    ]
  }
}
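As an added example (not from the original deck), the following Python answers the same two questions as the queries above, aircraft powered on between two points in time and aircraft that shared a battery, over an in-memory list of events laid out like the indexed documents (deviceSerial, timestamp, eventData.MotorStart, eventData.BatterySerial). The aircraft and battery serials are reused from the slide's sample output; the timestamps, the BATT-PLACEHOLDER value and the function names are constructed.

```python
from collections import defaultdict

# Constructed sample of flattened flight-log events in the field layout the
# slide's Elasticsearch queries use. Serials come from the slide's own output;
# timestamps (epoch milliseconds) and BATT-PLACEHOLDER-1 are made up.
EVENTS = [
    {"deviceSerial": "07JDD9C001013H", "timestamp": 1484000000000,
     "eventData": {"MotorStart": "REQ_RC_NORMAL", "BatterySerial": "0DQADBN03100JS"}},
    {"deviceSerial": "07JDD9C001013H", "timestamp": 1484000050000,
     "eventData": {"Gps": {"lat": 43.005427, "lon": -70.987655}}},
    {"deviceSerial": "07JDDC2001013R", "timestamp": 1490000000000,
     "eventData": {"MotorStart": "REQ_RC_NORMAL", "BatterySerial": "0DQADBN03100JS"}},
    {"deviceSerial": "08RDDCT00104UK", "timestamp": 1495000000000,
     "eventData": {"MotorStart": "REQ_RC_NORMAL", "BatterySerial": "BATT-PLACEHOLDER-1"}},
]


def powered_on_between(events, gte_ms, lte_ms):
    """Aircraft serial -> motor-start timestamps inside [gte_ms, lte_ms].
    Same selection as the slide's exists(MotorStart) + range(timestamp) query."""
    hits = defaultdict(list)
    for e in events:
        if "MotorStart" in e["eventData"] and gte_ms <= e["timestamp"] <= lte_ms:
            hits[e["deviceSerial"]].append(e["timestamp"])
    return dict(hits)


def aircraft_by_battery(events):
    """Battery serial -> {aircraft serial: event count}, i.e. the slide's
    terms(BatterySerial) / terms(DeviceSerial) aggregation."""
    agg = defaultdict(lambda: defaultdict(int))
    for e in events:
        batt = e["eventData"].get("BatterySerial")
        if batt:
            agg[batt][e["deviceSerial"]] += 1
    return {b: dict(a) for b, a in agg.items()}


def shared_batteries(events):
    """Only the batteries seen on more than one airframe: these buckets are
    what links two aircraft (and their logs) to one operator."""
    return {b: a for b, a in aircraft_by_battery(events).items() if len(a) > 1}
```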
Intersections
Show me intersections of:
• UAS flight with TFRs
• UAS flight with critical infrastructure
• UAS launch site with private property
• UAS “maintenance” site with known suspect’s address
• UAS flight area with fire scene
• UAS altitude with controlled airspace
• ….
Improving Tools and Process
Forensic Process
• Access the data
• Convert the data into a form that machines and humans can work with
• Analyze the data as presented by the tool
• Presentation
Often missing
• Effective integration with other tools – often copy/paste
• Alerting – ability to set triggers to perform actions when new data is added to the system
• Machine learning - patterns and connections
A Problem is “Moment in Time”
• Traditional forensic tools take a snapshot of a system at a moment in time
• UAV operation analysis requires understanding
– What multiple interacting systems did during an entire flight
– How a single UAV operated over multiple flights
– The logistics and operations of an operator’s entire UAV operation over long periods of time
All Sources – Critical
No one artifact source tells the whole story, no one solution connects all of the dots.
• If a CUAS system brought down a UAV, mobile device forensics is useless because you only have the UAV
• Evidence linking the UAV to an individual is not present on the UAV, it is on the GCS
• If the UAV is damaged, JTAG analysis may be the only option
Integration with CUAS/Observations
• Pointer records
• Temporal, geographic bounding boxes
• Fuzzy matching
• Even detection records are useful to link future physical artifacts to past observations
Closing Thoughts
Closing Thoughts - Connections
The UAV is paired with controller
& The UAV is also paired with ground control station
Means unique IDs
Means forensic evidence linking devices
Closing Thoughts
The proper term for drones is sUAS – small unmanned aerial system. Take a system approach to security and investigations, do not treat the vehicle as a discrete or standalone element.