How to Extract Forensic Images from Drones?


Law enforcement agencies in various countries are investigating drones used in crimes. These unmanned aerial vehicles deliver contraband, surveil military installations and sensitive institutions, deliver drugs to prisoners, spy on neighbors and stalk people, etc. The FBI revealed drones were even used to disrupt the monitoring of a hostage situation.

If drones used in crime do get captured, investigators will want to extract as much data from them as possible to help their cases.

Now, the National Institute of Standards and Technology (NIST) has developed a website to help authorities glean “forensic images” from drones. These images are available to download for free.

A forensic image is a copy of all the data from a hard drive or other digital media. According to insideunmannedsystems.com, NIST maintains a repository of forensic images from a variety of devices, such as personal computers, mobile phones and tablets. Investigators can use these images to practice recovering data, while software developers can use the images to test their forensic programs.

In 2017, the Department of Homeland Security’s Science and Technology Directorate’s Cyber Security Division awarded a research and development contract of more than $928,000 to VTO Labs to develop instructions on how to identify, collect and analyze digital evidence from drones.

“We seek to answer basic investigative questions from data stored within the drone or its connected devices,” said Steve Watson, CEO, VTO Labs. “Where did the drone take off from? Has the drone flown other routes? Can we identify who the drone is registered to? What devices or networks has the drone connected to?”

The researchers saw a gap emerging among law enforcement agencies in the knowledge and protocols for handling these devices. Agencies were receiving devices as evidence without any guidance on whether data existed on the device or how to extract it, Watson explains.

When it comes to data extraction, there are many different kinds of drones on the market, each potentially requiring unique approaches. “The data from some drones can be retrieved while the drone is intact,” Watson noted. On the other hand, “some drones require disassembly of the aircraft; other drones require complete disassembly down to the chips. One of the premises of our research is identifying how to get the data of test devices so digital forensic practitioners have guidance when they receive devices as evidence.”

The researchers were able to retrieve serial numbers, flight paths, launch and landing locations, photos and videos from the drones. On one model, they even found a database that stores a user’s credit card information. One possible reason, Watson said, is that a drone manufacturer sought to give users the ability to order spare parts from the apps connected with their drones.

The images were created using industry-standard data formats so investigators can analyze them using forensic software tools and inspect their contents. The images for each drone also come with step-by-step photo-illustrated teardown instructions.