UAS Forensics for First Responders. June 4-7, 2017 | Myrtle Beach, SC USA


1 UAS Forensics for First Responders

2 Who We Are
David Kovar
  Designer and developer of URSA (Unmanned and Robotics Systems Analysis)
  Commercial UAV owner/pilot
  Ex Big 4 - Cyber security investigator, Incident response consultant
Greg Dominguez
  Personal UAV owner/pilot
  Retired Air Force Computer Crime Investigator, Ex-Big 4 Investigator, former COO of forensic hardware firm

3 Why Is This Relevant
By all accounts, explosive market growth
Illegal and inappropriate operations
Effective use of weaponized consumer UAVs in theatre
Regulatory environment slowly stabilizing

4 Controlled Use Technologies
Counter UAS (CUAS) solutions beyond detection are currently illegal to use with very limited exceptions
Lots of pressure to enable full CUAS use for prisons, critical infrastructure, major public events
OK, you've shot it down, now what?

5 Terminology
UAS: Unmanned Aerial System. Emphasis on "system".
UAV: Unmanned Aerial Vehicle. The aircraft portion of the system.
GCS: Ground Control Station. The flight control portion of the system. May include manual and automatic control features. Often a mobile device.
Data link: radio system to transmit data to and from the UAV. Often used for telemetry, sensor data, and FPV operation.
Drone: common term for any UAV, but most often used to describe quads and other multirotor UAVs.
FPV: First Person View. Technology that enables the operator to fly the UAV from the perspective of the UAV.

6 Drone Forensics Complex Systems

7 UAV Workflow Mission Planning Approval Execution Analysis Delivery Criteria Airframe Payload Operator Location Time frame Business Site logistics Safety Legal Risk Flight operations Logistics Flight crew Weather Flight operations Data validation Product generation Quality assurance Product delivery Product support Lessons learned Reporting Billing

8 UAV data flows
GPS signals
Data uplink to cloud
Telemetry to corporate network
GCS via data link to UAV FC
Payload operator via data link to UAV mission payload
PIC to UAV FC via radio controller

9 Known Messages in DJI black box Vision Positioning Telemetry Flight Controls Gimbal Motor Status Flight Status Position Battery Status Battery Serial Number Battery Voltage Message Console Message Config Message ID Message Misc Lots of unknowns still

10 Responding to a UAV Incident

11 UAV Collection Form

12 Equipment
Large evidence container
Fire proof container for battery
Mobile device collection kit

13 Potential Evidence

14 Collecting Evidence

15 Collection Steps - Overview Remember, a UAV is similar to a flying computer with CPU, memory, storage, connectivity, etc. Processing one is not unlike processing a computer.

16 Collection Steps
Be aware of possible fingerprint evidence
Photograph the scene and the drone in situ
Remove the battery if safe to do so
  May still be writing data
  Engines may turn on
  Greater chance of fire
Photograph all components, labels, barcodes

17 Collection Steps - GCS
Process ground control station (mobile device) as normal
If integrated into controller, treat entire object as mobile device

18 UAV Secured - Research
Research make and model of UAV
  Vendor web site: do you have all components?
  Tear down sites: if you need to open it up, how?
  Us: working on documentation covering available evidence per model and how to access

19 UAV Secured - Data Extraction
Many UAVs store flight logs on board
DJI: microSD card on system board
  Can access via USB by powering up system
  Can remove microSD card by opening shell
PixHawk: on the flight controller
  Can access by powering up flight controller
  Can remove microSD card on some models

20 UAV Secured - Create images
Image the extracted card as normal
If via USB, take screenshots to preserve file system metadata and image as attached drive
Image all other media as well: camera, spares
Image mobile devices, laptops

21 Processing Mobile Device
Look for UAV related apps: DJI Go, DroneDeploy, Litchi
Look for account information, geolocation, images, evidence of current and past behavior
Normal processing: tie UAV evidence to owner and to other activities

22 DJI Log File Analysis
Onboard flight logs: FLYxxx.DAT
DatCon/CsvView - Cloud based, convert and visualize
AirData - Cloud, commercial, mobile device logs only
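Before any FLYxxx.DAT log is handed to a converter or uploaded to a cloud service, its hash and file system metadata can be recorded from a read-only mount of the card image. The following is an added example, not part of the original slides; the function names and manifest fields are hypothetical, and it assumes the logs follow the FLYxxx.DAT naming in any letter case.

```python
import csv
import hashlib
import io
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large logs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(mount_point):
    """One record per FLYxxx.DAT log under a read-only mount of the card image."""
    records = []
    for path in sorted(Path(mount_point).rglob("*")):
        name = path.name.upper()  # assumption: match the name case-insensitively
        if not (path.is_file() and name.startswith("FLY") and name.endswith(".DAT")):
            continue
        stat = path.stat()
        records.append({
            "relative_path": path.relative_to(mount_point).as_posix(),
            "size_bytes": stat.st_size,
            "modified_utc": datetime.fromtimestamp(
                stat.st_mtime, tz=timezone.utc).isoformat(),
            "sha256": sha256_file(path),
        })
    return records


def manifest_to_csv(records):
    """Serialise the manifest so it can be filed with the case notes."""
    out = io.StringIO()
    writer = csv.DictWriter(
        out, fieldnames=["relative_path", "size_bytes", "modified_utc", "sha256"])
    writer.writeheader()
    writer.writerows(records)
    return out.getvalue()


if __name__ == "__main__":
    import sys
    print(manifest_to_csv(build_manifest(sys.argv[1])), end="")
```

Run it against the mounted image copy, never the original card, and re-run it after analysis to confirm the hashes are unchanged.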

23 DJI Log File Analysis - URSA
Temporal UAV related data and metadata: multi-source data and metadata collected, documented, and preserved
Parsers: raw data converted to standard structured format, preserving source and metadata
Integration / Correlation: all sources related to a flight or system integrated
Visualization / Analysis: visualization, analytical, and machine learning tools support human tactical and strategic analysis
Reporting: stock reporting tools plus data extraction capabilities to support custom reporting

24 URSA - Tactical Home Point: , at meters. First position: , at meters. Last position: , at meters. Battery barcode: Battery internal serial number: 1446 Battery manufacture date: :00:00 Battery name: ATL NVT DJ005 Battery version: v Device version: v GPS space vehicle number version: event messages found in the log: Time Latitude Longitude Height =============== ========== ========== ========= 04:07: Motor start time: REQ_RC_NORMAL 04:09: Motor stop time: ACT.landing

25 URSA - Strategic
Show all aircraft in the database that were powered on between two points in time:
{
  "_source": ["deviceserial", "timestamp"],
  "query": {
    "bool": {
      "must": { "exists": { "field": "eventdata.motorstart" } },
      "filter": [
        { "range": { "timestamp": { "gte": " ", "lte": " " } } }
      ]
    }
  }
}

26 URSA API queries
Show all aircraft in the database that were powered on between two points in time:
{
  "_source": ["deviceserial", "timestamp"],
  "query": {
    "bool": {
      "must": { "exists": { "field": "eventdata.motorstart" } },
      "filter": [
        { "range": { "timestamp": { "gte": " ", "lte": " " } } }
      ]
    }
  }
}
Show the location of an aircraft at a particular point in time:
{
  "_source": ["eventdata.gps.lat", "eventdata.gps.lon", "eventdata.pos.lat", "eventdata.pos.lon", "timestamp"],
  "size": 10,
  "query": {
    "bool": {
      "must": [
        { "dis_max": { "queries": [
          { "exists": { "field": "eventdata.gps" } },
          { "exists": { "field": "eventdata.pos" } }
        ] } },
        { "match": { "timestamp": "{{timestamp}}" } }
      ],
      "filter": { "match": { "deviceserial": "{{aircraft}}" } }
    }
  }
}
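The "powered on between two points in time" query, filled in and checked against in-memory records before it is sent anywhere, as an added example that is not part of the original slides or of URSA. The sample records, function names and local matcher are assumptions; the matcher implements only the exists and range clauses this query uses and expects timezone-aware ISO 8601 timestamps.

```python
from datetime import datetime

# Constructed sample records; serials, times and coordinates are made up.
SAMPLE = [
    {"deviceserial": "EXAMPLE-A", "timestamp": "2017-05-01T04:07:10+00:00",
     "eventdata": {"motorstart": "REQ_RC_NORMAL"}},
    {"deviceserial": "EXAMPLE-A", "timestamp": "2017-05-01T04:08:00+00:00",
     "eventdata": {"gps": {"lat": 0.0, "lon": 0.0}}},
    {"deviceserial": "EXAMPLE-B", "timestamp": "2017-05-03T11:00:00+00:00",
     "eventdata": {"motorstart": "REQ_RC_NORMAL"}},
]


def powered_on_query(start_iso, end_iso):
    """Build the slide's query body with the gte/lte bounds filled in."""
    return {
        "_source": ["deviceserial", "timestamp"],
        "query": {"bool": {
            "must": {"exists": {"field": "eventdata.motorstart"}},
            "filter": [{"range": {"timestamp": {"gte": start_iso, "lte": end_iso}}}],
        }},
    }


def get_field(doc, dotted):
    """Resolve a dotted field path; None when any part is missing."""
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc


def run_locally(query, docs):
    """Apply the exists + range clauses of the query to in-memory records."""
    bool_q = query["query"]["bool"]
    field = bool_q["must"]["exists"]["field"]
    bounds = bool_q["filter"][0]["range"]["timestamp"]
    lo = datetime.fromisoformat(bounds["gte"])
    hi = datetime.fromisoformat(bounds["lte"])
    if lo > hi:
        raise ValueError("gte must not be later than lte")
    hits = []
    for doc in docs:
        stamp = doc.get("timestamp")
        if stamp is None or get_field(doc, field) is None:
            continue  # no timestamp, or not a motor start event
        if lo <= datetime.fromisoformat(stamp) <= hi:
            hits.append({key: doc.get(key) for key in query["_source"]})
    return hits
```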

27 URSA Client via API

28 URSA Integration Very interested in integrating parser into traditional forensic tools

29 Safety

30 UAV First Responder Safety
Some operators do not understand the law, or feel that the government is infringing on their rights
Falling UAV can cause injury, prop strikes will cause injury. Remove props
Li-Ion batteries store lots of energy and can catch fire. Store in fire proof container

31 Challenge

32 Challenge Prospective UAV Forensic Investigators to spend time researching various drones and to become familiar with the tools and data types.