UAV (aka drone) Forensics - ursasecure.com · The proper term for drones is sUAS – small unmanned...

UAV (aka drone) Forensics
“Ok, you’ve shot it down, now what?”

Why is this Relevant?

Controlled Use Technologies
• Counter UAS (CUAS) solutions beyond detection are currently illegal to use domestically with very limited exceptions
• Lots of pressure to enable full CUAS use for prisons, critical infrastructure, major public events
• “Ok, you’ve shot it down, now what?”

Growing Collections of Found UAVs
• UAVs found on property in many sectors
• Little understanding of inherent value
• Little means to recognize value
• You can start understanding the threat actors and their motivations even without CUAS

Sources of UAV Forensic Artifacts

Potential Sources – Three Views
There are three ways of thinking about Unmanned Aerial Systems that help an investigator identify all of the potential sources of forensic artifacts.
– Physical
– Process
– Flow

What Physical Evidence is Available?

UAV Operational Process
Mission Planning | Approval | Execution | Analysis | Delivery
‣ Criteria
‣ Airframe
‣ Payload
‣ Operator
‣ Location
‣ Timeframe
‣ Business
‣ Site logistics
‣ Safety
‣ Legal
‣ Risk
‣ Flight operations
‣ Logistics
‣ Flight crew
‣ Weather
‣ Flight operations
‣ Data validation
‣ Product generation
‣ Quality assurance
‣ Product delivery
‣ Product support
‣ Lessons learned
‣ Reporting
‣ Billing
Each step, each component, leaves evidence and generates intelligence

UAV data flows
• GCS via data link to UAV FC
• Payload operator via data link to UAV mission payload
• GPS signals
• Data uplink to cloud
• PIC to UAV FC via radio controller
• Telemetry to corporate network
Each link, each component, leaves evidence and generates intelligence

Evidence Collection

Normal vs Forensically Sound
Vendors generally provide mechanisms for extracting some data sources from mobile applications and aircraft. These solutions are sufficient in some circumstances but are not complete or forensically sound
• Access is not provided to all data sources
• Sources may be changing during collection

Normal Data Collection
• Vendor supplied tools
• Synchronize data with vendor sites or third party applications such as iTunes
• Pull digital media and mount on computer
• Use USB connection

Forensic Data Collection
• Open case, extract digital media, use write blockers
• Mobile device forensic analysis tools for GCS

Evidence Analysis

Sensor and Sensor Data
• The type of sensor will tell you a lot about the purpose of the flight
  – LIDAR
  – Optical
  – NVIR
  – Thermal
  – WiFi
• The sensor data and metadata will tell you a lot about where it has been, particularly since GPS data is critical for most types of missions

Sensors – EXIF Data
The purpose of a camera is to take a picture, and EXIF data tells a story about the camera and where it was taking pictures.
• Image Description : DCIM\100MEDIA\DJI_0030.JPG
• Make : DJI
• Camera Model Name : FC300S
• Date/Time Original : 2016:03:27 10:15:57
• Create Date : 2016:03:27 10:15:57
• GPS Version ID : 3.2.0.0
• GPS Latitude Ref : North
• GPS Longitude Ref : West
• GPS Altitude Ref : Above Sea Level
• Aperture : 2.8
• GPS Altitude : 74.6 m Above Sea Level
• GPS Latitude : 40 deg 32' 15.84" N
• GPS Longitude : 89 deg 30' 50.63" W
• GPS Position : 40 deg 32' 15.84" N, 89 deg 30' 50.63" W
DJI Phantoms did not record altitude in the EXIF data unfortunately.
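
An added example, not part of the original slides: turning an exiftool-style text listing like the one above into a position and time that can be plotted or joined with flight logs. The function names are this example's own, and the sample lines are the values shown on the slide.

```python
import re
from datetime import datetime

# Sample lines copied from the EXIF listing on the slide above.
SAMPLE_EXIF = """\
Image Description : DCIM\\100MEDIA\\DJI_0030.JPG
Make : DJI
Camera Model Name : FC300S
Date/Time Original : 2016:03:27 10:15:57
GPS Altitude : 74.6 m Above Sea Level
GPS Latitude : 40 deg 32' 15.84" N
GPS Longitude : 89 deg 30' 50.63" W
"""

_DMS = re.compile(r"""(\d+)\s*deg\s*(\d+)'\s*([\d.]+)"\s*([NSEW])""")

def parse_exif_text(text):
    """Turn 'Tag : Value' lines into a dict, splitting on the first ' : ' only."""
    tags = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" : ")
        if sep:
            tags[name.strip()] = value.strip()
    return tags

def dms_to_decimal(dms):
    """Convert '40 deg 32' 15.84" N' to signed decimal degrees (S and W negative)."""
    m = _DMS.fullmatch(dms.strip())
    if not m:
        raise ValueError(f"unrecognised coordinate: {dms!r}")
    deg, minutes, seconds, ref = m.groups()
    value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return -value if ref in "SW" else value

def image_fix(text):
    """Reduce one image's EXIF text to the fields used for plotting a track."""
    tags = parse_exif_text(text)
    taken = tags.get("Date/Time Original")
    lat, lon = tags.get("GPS Latitude"), tags.get("GPS Longitude")
    alt = tags.get("GPS Altitude")
    return {
        "file": tags.get("Image Description"),
        "camera": " ".join(filter(None, [tags.get("Make"), tags.get("Camera Model Name")])),
        # This tag carries no time zone, so the value is the camera's own clock.
        "taken": datetime.strptime(taken, "%Y:%m:%d %H:%M:%S") if taken else None,
        "lat": dms_to_decimal(lat) if lat else None,
        "lon": dms_to_decimal(lon) if lon else None,
        "alt_m": float(alt.split()[0]) if alt else None,
    }

if __name__ == "__main__":
    print(image_fix(SAMPLE_EXIF))
```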

Sensor Data - Cloud
• Consumer
  – YouTube
  – Facebook
  – Etc
• Commercial
  – DataMapper
  – Airware
  – Vendor specific
Question: Where are the credentials for uploading the imagery data to the cloud?

Mobile/GCS Artifacts

UAS Exam – Launch Point Evidence
Ground Control Station
• Often a mobile device combined with a radio controller
• Vendor applications and community developed
• Looking for:
  – Default settings
  – Launch points, dates
  – Owner name, account
Other Items
• Spare removable media
• Other UAVs
• Laptops, cell phones, tablets

UAS Exam – Ground Control Station
Using the data from the GCS, you can rapidly plot where the user was flying.

UAS Exam – Ground Control Station
Application configuration files contain interesting information
DroneDeploy:
• ajs_user_id
• %22dkovar%40kovarllc.com%22
Pix4D:
• 2016-03-27 10:34:03 [V][WaypointCustomMissionDJI3::87] create wp at (4x.xxx689, -8x.xxx918) altitude: 50.000000
• displayBtnLogout(YES, username: [email protected])
• 2016-03-27 11:25:24 [D][AppDelegate::38]
DJI Pilot:
• kUserDefaultKeyAircraftLocation – 4x.xxx448, -8x.xxx675, -1577 (My house)
• com.facebook.sdk:serverConfiguration1383125992006153 - <62706c6973743030…>

Physical Analysis

UAV Flight Data – Onboard & GCS

Connecting Evidence is Hard
“There is no SN number for the entire product, however, there is SN number for different components. So you could use one component SN number as the unique identifier such as Flight Controller SN number.” - DJI

Connecting Evidence is (Not Too) Hard

    "aircraft": {
      "camera_serial_number": "08TUE2LSE6023K",
      "app_type": 1,
      "name": "JHA1",
      "serial_number": "08RDDCT00104UK",
      "device_activation": 0,
      "app_version": "4.1.3",
      "type": 13,
      "controller_serial_number": "87D457711843",
      "battery_serial_number": "7865E477111"
    },

Known Messages in DJI “black box”
• Vision Positioning
• Telemetry
• Flight Controls
• Gimbal
• Motor Status
• Flight Status
• Position
• Battery Status
• Battery Serial Number
• Battery Voltage
• Message Console
• Message Config
• Message ID
• Lots of unknowns still
Elements from different messages in conjunction tell important stories, such as what was in view of the camera at a moment in time.

Tactical Evidence Analysis

    Home Point: 43.005427, -70.987655 at -36.63 meters.
    First position: 43.005433, -70.987647 at 0.000 meters.
    Last position: 43.005418, -70.987621 at 0.000 meters.
    Battery barcode: 6171153330369
    Battery internal serial number: 1446
    Battery manufacture date: 2015-09-04 00:00:00
    Battery name: ATL NVT DJ005
    Battery version: v255.255.255.255
    Device version: v2.4.14.5
    GPS space vehicle number version: 9566
    2 event messages found in the log:
    Time            Latitude   Longitude  Height
    =============== ========== ========== =========
    04:07:43.678000 43.005427 -70.987655 0.000 Motor start time: REQ_RC_NORMAL
    04:09:53.418000 43.005349 -70.987662 1.400 Motor stop time: ACT.landing

Strategic Evidence Analysis
• What are all the launch locations known for this aircraft?
• Are any of the known locations for this aircraft at a residence or commercial facility?
• How many aircraft have flown over our facility?
• What types of aircraft have we seen?
• Was the battery on this aircraft on any other aircraft?
• Who else has seen this aircraft?

Strategic Evidence Analysis
Show all aircraft in the database that were powered on between two points in time:

    {
      "_source": ["deviceSerial", "timestamp"],
      "query": {
        "bool": {
          "must": { "exists": { "field": "eventData.MotorStart" } },
          "filter": [
            { "range": { "timestamp": { "gte": "1483246800000", "lte": "1491624000000" } } }
          ]
        }
      }
    }

Show the location of an aircraft at a particular point in time:

    {
      "_source": ["eventData.Gps.lat", "eventData.Gps.lon", "eventData.Pos.lat", "eventData.Pos.lon", "timestamp"],
      "size": 10,
      "query": {
        "bool": {
          "must": [
            { "dis_max": { "queries": [
                { "exists": { "field": "eventData.Gps" } },
                { "exists": { "field": "eventData.Pos" } }
            ] } },
            { "match": { "timestamp": "{{timestamp}}" } }
          ],
          "filter": { "match": { "deviceSerial": "{{aircraft}}" } }
        }
      }
    }

Strategic Evidence Analysis
Show aircraft that shared a battery

    {
      "size": 0,
      "aggs": {
        "battery": {
          "terms": { "field": "eventData.BatterySerial" },
          "aggs": {
            "aircraft": { "terms": { "field": "eventData.DeviceSerial.keyword" } }
          }
        }
      }
    }

    "key": "0DQADBN03100JS",
    "doc_count": 69,
    "aircraft": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        { "key": "07JDD9C001013H", "doc_count": 64 },
        { "key": "07JDDC2001013R", "doc_count": 5 }
      ]
    }
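
An added example, not code from the original deck: the shared-battery question generalised to any component serial (battery, controller, camera), then followed transitively so that aircraft linked through a chain of shared parts fall into one group. Field names follow the "aircraft" JSON shown earlier; the records are constructed, and every `EXAMPLE-*` value is a placeholder.

```python
from collections import defaultdict

# Component fields as named in the "aircraft" JSON shown earlier in the deck.
COMPONENT_FIELDS = ("battery_serial_number", "controller_serial_number",
                    "camera_serial_number")

# Constructed records: the first two reuse the aircraft and battery serials from
# the aggregation result above; every EXAMPLE-* value is an invented placeholder.
RECORDS = [
    {"serial_number": "07JDD9C001013H", "battery_serial_number": "0DQADBN03100JS",
     "controller_serial_number": "EXAMPLE-CTRL-A"},
    {"serial_number": "07JDDC2001013R", "battery_serial_number": "0DQADBN03100JS",
     "controller_serial_number": "EXAMPLE-CTRL-B"},
    {"serial_number": "EXAMPLE-AC-3", "battery_serial_number": "EXAMPLE-BATT-3",
     "controller_serial_number": "EXAMPLE-CTRL-B"},
    {"serial_number": "EXAMPLE-AC-4", "battery_serial_number": "",
     "controller_serial_number": None},
]

def shared_components(records):
    """Map (field, serial) -> aircraft set, for components seen on 2+ aircraft."""
    seen = defaultdict(set)
    for rec in records:
        aircraft = rec.get("serial_number")
        if not aircraft:
            continue
        for field in COMPONENT_FIELDS:
            serial = rec.get(field)
            if serial:  # a blank or missing serial must never link two aircraft
                seen[(field, serial)].add(aircraft)
    return {key: acs for key, acs in seen.items() if len(acs) > 1}

def linked_fleets(records):
    """Group aircraft joined directly or transitively by shared components."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for rec in records:
        if rec.get("serial_number"):
            find(rec["serial_number"])
    for aircraft in shared_components(records).values():
        first, *rest = sorted(aircraft)
        for other in rest:
            parent[find(other)] = find(first)
    groups = defaultdict(set)
    for ac in list(parent):
        groups[find(ac)].add(ac)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

if __name__ == "__main__":
    print(shared_components(RECORDS))
    print(linked_fleets(RECORDS))
```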

Intersections
Show me intersections of:
• UAS flight with TFRs
• UAS flight with critical infrastructure
• UAS launch site with private property
• UAS “maintenance” site with known suspect’s address
• UAS flight area with fire scene
• UAS altitude with controlled airspace
• ….

Improving Tools and Process

Forensic Process
• Access the data
• Convert the data into a form that machines and humans can work with
• Analyze the data as presented by the tool
• Presentation

Often missing
• Effective integration with other tools – often copy/paste
• Alerting – ability to set triggers to perform actions when new data is added to the system
• Machine learning - patterns and connections

A Problem is “Moment in Time”
• Traditional forensic tools take a snapshot of a system at a moment in time
• UAV operation analysis requires understanding
  – What multiple interacting systems did during an entire flight
  – How a single UAV operated over multiple flights
  – The logistics and operations of an operator’s entire UAV operation over long periods of time

All Sources – Critical
No one artifact source tells the whole story, no one solution connects all of the dots.
• If a CUAS system brought down a UAV, mobile device forensics is useless because you only have the UAV
• Evidence linking the UAV to an individual is not present on the UAV, it is on the GCS
• If the UAV is damaged, JTAG analysis may be the only option

Integration with CUAS / Observations
• Pointer records
• Temporal, geographic bounding boxes
• Fuzzy matching
• Even detection records are useful to link future physical artifacts to past observations
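
An added example, not from the original slides: linking past detection records to a recovered flight log with a temporal and geographic bounding box, widened by tolerances for sensor position error and clock drift (the "fuzzy" part). The track reuses the motor start and stop rows from the tactical output earlier in the deck; the date, the detection records and the default tolerances are constructed assumptions.

```python
import math
from datetime import datetime, timedelta

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def flight_box(track, pad_m, pad_s):
    """Temporal and geographic bounding box of a track, widened by the tolerances."""
    lats = [p["lat"] for p in track]
    lons = [p["lon"] for p in track]
    times = [p["time"] for p in track]
    dlat = pad_m / 111_320.0  # approx. metres per degree of latitude
    dlon = pad_m / (111_320.0 * math.cos(math.radians(sum(lats) / len(lats))))
    pad = timedelta(seconds=pad_s)
    return {"t0": min(times) - pad, "t1": max(times) + pad,
            "lat0": min(lats) - dlat, "lat1": max(lats) + dlat,
            "lon0": min(lons) - dlon, "lon1": max(lons) + dlon}

def match_detections(track, detections, pad_m=150.0, pad_s=120.0):
    """Return detections inside the padded box, nearest to the track first."""
    box = flight_box(track, pad_m, pad_s)
    hits = []
    for det in detections:
        in_time = box["t0"] <= det["time"] <= box["t1"]
        in_area = (box["lat0"] <= det["lat"] <= box["lat1"]
                   and box["lon0"] <= det["lon"] <= box["lon1"])
        if not (in_time and in_area):
            continue
        dist = lambda p: haversine_m(det["lat"], det["lon"], p["lat"], p["lon"])
        nearest = min(track, key=dist)
        hits.append({"id": det["id"], "distance_m": round(dist(nearest), 1),
                     "clock_offset_s": (det["time"] - nearest["time"]).total_seconds()})
    return sorted(hits, key=lambda h: h["distance_m"])

# Track: positions and times of day from the tactical output; the date is constructed.
TRACK = [
    {"time": datetime(2017, 1, 1, 4, 7, 43, 678000), "lat": 43.005427, "lon": -70.987655},
    {"time": datetime(2017, 1, 1, 4, 9, 53, 418000), "lat": 43.005349, "lon": -70.987662},
]
# Constructed detection records standing in for CUAS sensor output.
DETECTIONS = [
    {"id": "D1", "time": datetime(2017, 1, 1, 4, 8, 30), "lat": 43.0055, "lon": -70.9874},
    {"id": "D2", "time": datetime(2017, 1, 1, 4, 8, 0), "lat": 43.0200, "lon": -70.9877},
    {"id": "D3", "time": datetime(2017, 1, 1, 6, 30, 0), "lat": 43.005427, "lon": -70.987655},
    {"id": "D4", "time": datetime(2017, 1, 1, 4, 11, 0), "lat": 43.0054, "lon": -70.9880},
]

if __name__ == "__main__":
    for hit in match_detections(TRACK, DETECTIONS):
        print(hit)
```

D4 falls after the last logged position and matches only because of the time padding; with `pad_s=0` it drops out, which is the trade-off the tolerances control.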

Closing Thoughts

Closing Thoughts - Connections
The UAV is paired with controller
&
The UAV is also paired with ground control station
Means unique IDs
Means forensic evidence linking devices

Closing Thoughts
The proper term for drones is sUAS – small unmanned aerial system. Take a system approach to security and investigations, do not treat the vehicle as a discrete or standalone element.