Drone (UAV) Forensics 101

9 December 2021

Unmanned Aerial Vehicles (UAVs), commonly known as drones, have become increasingly common over the last several years thanks to both hobbyists and professionals across a range of industries – producing stunning videography, intricate survey maps and an increasing tempo of interference with manned aircraft operations. However, coupled with this uptake in usage is the use of UAVs to conduct more heinous activities. Malicious criminals including organised crime gangs (OCG’s), drug cartels and local criminal organisations have also adopted these highly flexible and capable aircrafts for illicit purposes.

We sat down with Ahzim Mir, Senior Mobile Device Analyst at IntaForensics, to demystify this emerging specialist field and to find out how data can be extracted from UAVs for forensic analysis.

 

In what types of crime are drones commonly used?

“In relation to criminal activity, the drones tend to  turn up somewhere very secure, in which case they are often examined in-house by police forces or intelligence agencies. This is true for the majority of drone-related crimes we have seen in the media. The local police force and government intelligence will take it upon themselves to examine the drone as an exhibit because there’s the potential angle of it being terrorism-related.

“The most common example I hear of is when drones have been used to smuggle illicit items into prisons. Historically people would have thrown things over walls, but they have realised now that drones allow you to do this out-of-sight. The drone itself will be modified so that it will drop the item, or alternatively it will be flown in, and the drone will be discarded.

“Another angle is flying drones where you are not allowed to. Websites or manufacturers themselves tend to distribute literature detailing where you are allowed to fly a drone, however the number of places you are allowed to fly a drone is much smaller than many people expect. Quite a lot of airspace is restricted and you’re also not allowed to fly drones in restricted areas without the required ID’s.”

 

What are the strengths and limitations of drone evidence?

“In the laboratory we would treat drones similarly to Sat Nav devices, so you have similar strengths and weaknesses to this area of digital forensics. We treat them as such because they are also devices that heavily utilise GPS connectivity.

“Wet forensics would also apply here. Fingerprint and DNA analysis may be conducted on the physical device itself, because going back to drones, you’re unlikely to know who the owner or operator of the drone at the time was if you have recovered just the drone itself.

“This is where wet forensics becomes quite important because you’re trying to identify who was using the drone. When you have the device itself you can interrogate the storage of the device to see what kind of digital evidence you can retrieve.

“There are also other ways you could analyse the mechanics of the device. Some drone manufactures design the control units much like that of model airplanes or remote-control cars, with potential on-board storage capabilities. This can provide additional opportunities for obtaining evidence.”

 

How have drones evolved over time?

“A large volume of drones now have apps designed for mobile devices. Many of the control units will use your phone as the brains of the controller – the app will be the interface and the remote view for any sort of camera you might have on the drone and the base unit itself.

“Because of this, forensic software is now designed to identify and recover data from drone apps as well. The ability to decode data from drone-related apps is a huge development in the industry. It also shows that experts are switched on to the fact that phones can be the source of flight data for drones.

“For validation and testing for drone data in the laboratory, we use data on phones to corroborate what we find from the device itself.”

 

What are the main challenges associated with drone evidence?

“Because you tend to solely be dealing with the drone itself it probably doesn’t include any data that identifies who the user was. Some manufactures have fitted a black-box feature where the drones would record certain data to aid investigations. For example, they sometimes have a memory card which is inserted into the drone that isn’t easily accessible and would store a record for flight data. This feature is designed to help identify who the drone might have belonged to.

“Again, it’s still the limitation of you only knowing where the drone has been. It can be used to corroborate claims, but any sort of information about ownership is likely to be included in the app.

“The data that I have seen has really been limited to the flight logs and the flight data themselves, so I imagine you would have to dig around more in the operating system of the drone to see if there’s anything useful there.

“However, if the drone has a camera this can be prove more useful with investigations. There is potential for this to help identify who might have been flying the drone. I have seen instances where photographs have been recovered of a person’s socks and things like that when they have been flying a drone and testing it out, so that could prove useful for an unsuspecting person who might not realise they’ve been captured on camera.”

 

Does the accessibility of drones add to the problem?

“You can buy small drones fairly easily. You can also buy the hardware itself and build your own one, which is where you’re most likely to encounter drones that have been used illegally. This is because they won’t have the main safeguards that manufacturers implement.

“Manufacturers now are shifting towards putting restrictions on the drones themselves. Depending on where you are GPS-wise, the devices won’t fly. This means that if you’re in a restricted area you won’t be able to fly the drone. To be able to bypass this people tend to buy the hardware themselves – the motors involved, controller boards, antennas and whatever control units would be needed.

“Outside of recreational use there’s a large scene for competitive drone racing. I imagine the vast majority of drones used for this would also be custom-made.”

 

What sort of data do you look at in your drone investigations?

“Flight logs record quite a lot of data. Some of it is irrelevant for us and it would depend on the case type that is being investigated.

“As a standard though, the data would record the start and end point of the flight as well as the start and end time. It will also periodically pin where the drone has been, meaning that we’re often able to chart a flight path for a given drone. Cell site software can be used for this mapping function, because it works off GPS coordinates that you can feed into the software to map the flight journey for you.”

“Most drones require GPS to be able to fly in the first place. With drones sometimes you can power them on and they will hover, but without GPS signal they won’t fly. This again is a limit on the drone that has been put in place by the manufacturers so that if a drone has been recovered there’s at least a record of where that drone has been.”

“However, there are some drones that can be flown without the aid of GPS – known as ATTI mode”.

 

What are some of the common misconceptions about drone evidence/drone forensics?

“Understanding the limits of the data that you can acquire is something that clients are uninformed about. Data recovery is a key element of this.

“With memory cards it is quite straightforward because you would treat it like you would any data storage device such as a hard drive. In this case the forensic software is designed to be able to recover data that hasn’t been overwritten yet, so in a considerable number of cases you can get the data back.

“With the drone itself it’s likely to be more complicated with the on-board storage. Your chip-off procedures would be able to recover data because you’re essentially pulling the raw data off of the chip itself. Your only limits here really are how capable your decoding software is with a raw read.”

 

IntaForensics provides a comprehensive range of digital forensic services to support criminal investigations and civil litigation.

To find out more about our services Tel: 02477 717 780 to speak with a member of our team or fill-in our online contact form.

Talk to our consultation team today

Contact Us

I can honestly say that your excellent customer service and communication has made our forensic instructions to you exceptionally easy. I am very conscious of the amount of time I must have taken up with various queries, requests, and then changed requests but you have always been very patient, polite and extremely helpful.

Case Review Manager - Criminal Cases Review Commission