When criminals take advantage of the technology to hide their tracks, law enforcement officials are left to try to extract evidence from their computers, phones or storage drives for investigations. Now that drones have been used to smuggle drugs into prisons or across the border, officials need a way to reliably pull data from these captured devices that ensures the evidence is preserved and usable in court.
To help law enforcement extract information from unmanned aerial systems, the National Institute of Standards and Technology has included forensics images of 14 popular makes and models of drones in its Computer Forensic Reference Datasets. The “forensic images” in CFReDS are not literal images but rather device specifications and sample digital evidence that investigators can download for free to learn what”s inside the drone.
Drone forensics is a relatively new field. It showed up in a few research papers in 2016, and by 2017 law enforcement starting asking for the capability. Now, any conference on digital forensics is sure to have a panel on drones, according to Steve Watson, founder and CTO at VTO Labs, the company that developed the forensic images for NIST.
VTO Labs built the forensic images by purchasing three different drones for each of 14 models and flew them to collect baseline data. Each drone had the data extracted a different way. For one, VTO pulled the data while leaving the device intact; for a second, the drone was disassembled and data was extracted from its circuit board and onboard cameras. With the third, VTO removed all the chips and extracted data from them directly. The company also disassembled and extracted data from the pilot controls and other remotely connected devices.
NIST Computer Forensic Reference Datasets (CFReDS)
NIST is developing Computer Forensic Reference Data Sets (CFReDS) for digital evidence. These reference data sets (CFReDS) provide to an investigator documented sets of simulated digital evidence for examination. Since CFReDS would have documented contents, such as target search strings seeded in known locations of CFReDS, investigators could compare the results of searches for the target strings with the known placement of the strings. Investigators could use CFReDS in several ways including validating the software tools used in their investigations, equipment check out, training investigators, and proficiency testing of investigators as part of laboratory accreditation. The CFReDS site is a repository of images. Some images are produced by NIST, often from the CFTT (tool testing) project, and some are contributed by other organizations. National Institute of Justice funded this work in part through an interagency agreement with the NIST Office of Law Enforcement Standards.
In addition to test images, the CFReDS site contains resources to aid in creating your own test images. These creation aids will be in the form of interesting data files, useful software tools and procedures for specific tasks.
NIST CFReDS Drone Data Set
Background – The drone images, research results and data on this page were produced as part of the VTO Inc. Drone Forensics Program, sponsored by the United States Department of Homeland Security Science and Technology Directorate, Cyber Security Division. The data set contains forensic images from 60 drones and associated controllers, connected mobile devices and computers.
How The Drone Data Set Was Created – For their Drone Forensics Program, VTO purchased sixty drones: twenty drone models, ~3 of each model. Each drone was setup and operated in a controlled, geofenced environment. Attempts were then made to acquire and image the data storage areas on each drone, the controller, connected mobile devices and computers. The drones were completely torn down and disassembled to identify data storage areas. Various acquisition methods were applied across each set of drones, e.g., logical, physical, chipoff, etc. Note: this research is ongoing. Images for the first 41 drones are available; images for the remaining drones will be linked to when they become available.
Drone Data Sets and Research Results Reports Available (note: all data sets are available, but some research report postings are pending):
DJI Agras MG-1S, Inspire 1, Inspire 2, Matrice 600, Mavic Pro,
Phontom 3 Standard, Phantom 4 Professional, Spark
Yuneec H520, Typhoon H, Typhoon Q500 4K
Parrot Bebop 2 with Skycontroller, Disco,
VTO Drone Forensics Program
The Drone Forensics program seeks to identify digital forensic data on consumer and professional drones to aid law enforcement and government in investigations. The program is run by VTO Inc. of Broomfield, Colorado, USA.
This effort is based on research sponsored by the United States Department of Homeland Security (DHS) Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD) via contract number HHSP233201700017C.
For more information contact VTO at firstname.lastname@example.org.