This is the seventh post of our GDSN #2 review; if you haven't read our previous reviews, now is a good time to check out the great talks!
Evangelos Mantas (Infili) - The Need for Drone Forensic Investigation Standardisation
So, I'd like to welcome you to my presentation at this year's virtual event. The title of the presentation is The Need for Drone Forensic Investigator Standardization. So, let's go through a quick background about me. I currently work as a cyber security engineer at Infili Information Technologies. I'm also the author of GRYPHON: drone forensics in dataflash and telemetry logs. This research was published last year in Tokyo at the International Workshop on Security. This research was also used in the general upper Staff of the Army cyber exercises in October 2019, where I got the chance to develop the drone forensics scenario. And in my free time, I serve as a peer instructor in the University of Rio cybersecurity team, where I hope to inspire the new generation of cybersecurity experts, and I also do some security related stuff in my free time. So, let's have a look at the background, where political advancement enables easy communication via smartphones and other devices. So, we can fly small drones instead of using the big old remote controllers. For this, we need wireless communications, and that makes drones vulnerable to various attacks if they are not properly secured. In the future, as more drones occupy the space, they are probably bound to be engaged in more incidents, so we have to do something about it, right? Let's have a look at what a drone is forensically: is it a PC? Is it a mobile or an IoT device? Well, it's a system, and hence the term Unmanned Aerial System. Let's have a look at the components of the system. Of course, we have the aircraft itself, the unmanned aircraft, and the aircraft has some components. The most important one of them is the autopilot. I don't know if you remember, Ulf mentioned before that some autopilots can be as cheap as 50 bucks. So, they can be easily acquired. And this is the big difference between a drone and a quadcopter.
The drone has the autopilot; the quadcopter is just a flight board and some propellers connected to each other. They rely on the pilot to take control, and they don't make any autonomous movement. And this is a very distinctive difference, because the drone is the one that can actually have some forensic evidence on it. If a quadcopter, for example, crashes, we can't do much with the flight board, because it doesn't store any data, just the RF signal that was sent to it and executed. Next, we have the ground control station. This is software dedicated to controlling the drone; it can be installed on laptops, mobile phones, tablets, anything that is mobile and can be used in the field. These also have information about the data that the drones store, and we should probably look inside those devices. Last but not least, we have the Communication Datalink. All those components have to communicate with each other, and we should take them into consideration. All those systems may contain information about the flight itself.
Let's have a look at the components of the unmanned aerial system. At the center of it we have the vehicle. We also have a GPS connection to it, since it has to know where it flies. Now, the GPS connection is quite important because it is also the most important information for a drone: it can direct it to some location, and we can know where it has flown. We also have to take into consideration that the drone has to take some commands. This can be done via RF or some mobile devices. As you can see on the bottom right of the picture, you can have the manual RF transmitter, and a mobile device can actually serve as a transmitter itself if it has Wi-Fi or Bluetooth enabled. That device will most probably be the ground control station, since it can actually hold the telemetry data and connect to the drone as well. Now, in the future, we're going to see the replication of 5G and 4G communication on drones, so we can use big towers and transmit data to drones and actually fly inside our cities. We also have, and it's beginning to become more and more important nowadays, the swarming technologies. It's all about sending communication and other signals to other drones, as mentioned before, so they can form their own network, where we can also find interesting data about the flight of that whole system.
Now, drones are going to become potential cyber-attack targets. So, let's have a look at what can happen. First of all, let's have a look at the existing threats and vulnerabilities. GPS spoofing: since it has a really weak communication nature, mostly unencrypted, the information can be easily captured or modified, giving the attacker full control of the drone. So, this actually works as simply as someone transmitting fake GPS coordinates from the ground control station, and the attacker has full control of the drone before the user of the drone can actually understand what has happened. WiFi and GPS jamming can also be done to hijack the drone: jamming the authentication process between the access point and the device can disrupt the flight, and jamming the GPS as well renders the drone useless. Now, we have to note here that most commercial drones have a failsafe option available: when they can't use the GPS, they can fly back to the home point they have taken off from; some other drones have the option to continue flying, and they will do so until their battery is depleted; and some other drones have the ability to just land on the spot. This can be configured by the user himself, but this has to be taken into consideration.
Now, data interference and interception through telemetry. As telemetry feeds are used by the computer station to monitor the vehicle and transport data, and they also use open and non-secure wireless protocols, this gives the ability to perform man-in-the-middle attacks and gain control of the drone itself or upload some malware. Now, what happens if malware is injected into the drone? Like in every other computer, it can affect the operation and compromise the whole system.
Now, let's have a look at what can be extracted and where to find it. One of the most important findings in a forensic investigation is the GPS position of the drone, and using that we can visualize the flight path. Once we have visualized the flight path, we can determine the places that were possibly affected by the drone flight. Now imagine that you find the drone crashed near, let's say, a factory or an oil rig or something like that. We don't know what happened. So, you have to find the flight path and trace back the points that maybe were taken during the flight. This can also lead to finding out what the mission of the drone was, because, for example, a drone that had the spanish(?), let's say, maybe it would stand for a long time above a potential target, or if it dropped some ordnance, we could also find it because it has to hover above that target as well. One also really important finding in the flight path is the take-off point; it will be the first logged point, and it will be the place where the drone has taken off. And if we locate that take-off point, then we can trace back to the perpetrator in the area of interest, and we can use local sources like cameras or witnesses to identify the suspect. We also have to think that the firmware version can tell if the drone has been tampered with. It's really important because if the drone crashes, you have to make sure that no malware was uploaded onto the firmware, or that the drone was flying the correct firmware and not an infected one. Using the firmware, we can also extract information about the type of the drone and information to verify its integrity. Now, like airplanes, which have their own crash log, drones themselves actually have a crash log, so we can get some information about what has happened during the flight if an error has occurred.
Media, of course, pictures and videos, are quite important findings on a drone, since we can determine what the mission of the drone was. We can also find the perpetrator himself, because sometimes they position the drones before the flight, and because of the camera, and this was actually one of the noted cases with the Islamic State drone operators, before they actually launched the attack, they placed the camera before them, so the camera took a picture of their face, so they can later be recognized. So, we can also take that into consideration, as we can find the pilot from that media.
Now, smart batteries. They contain, of course, information about voltage, consumption, and battery life. Some drones can also log the serial of a battery, so it can be tied down to the owner of the drone. The autopilot logs the serial number of the drone when they are plugged in. So even if you can't find the drone, or if you find the drone with a battery, if you take a look at the logs and you can place that specific battery at that specific location, then you can be sure that it was used on this drone. It's also quite important because these are becoming more and more advanced, so that type of information can also be helpful to the drone forensic investigation. Now, the vehicle serial number. Of course, this applies to market drones; since anyone can make a drone nowadays, this is going to become more important. FAA section 336 actually states that you have to log your vehicle serial number before you take off, and there's a whole process for that. Vehicle serial number logging is currently not in use in most countries. From my knowledge, the FAA has started to make the first step towards that, and I'm quite sure that more countries will evolve from that specific thing. Now, we can also take into consideration that, since someone starting the drone has to place it on the ground before taking off, we can find something interesting. Although it's also relevant to cyber forensics, law enforcement agents can be able to track down the pilot. So, findings from a drone that has crashed but is in a relatively good state can also help track down the suspect.
Now, where can we find all that information, as I mentioned before? First of all, we have to locate the removable storage. Drones nowadays use SD cards to log the flight, the flight logs. And of course, if we are using a mobile phone as a supporting device, we can find the logs themselves inside those SD cards. For the internal memory chip, we can also use the chip-off technique, which is quite difficult and quite delicate because we must not damage the chip. This may not really be possible if the vehicle has been significantly damaged due to the crash. Now, as I mentioned before, the ground control station: right now we are using the support devices; mobiles, tablets, laptops, and every other portable device can be used as a ground control station. So, they can contain the data and the logs from the flight. We can use, of course, different acquisition techniques, since a mobile phone and a laptop have to be treated accordingly. There's a whole procedure for that. I will try not to get into that because it might be really technical.
We can again find information in cloud storage: since drones are becoming IoT devices, it's also possible to find some of the drone logs inside a cloud storage, which can also be tracked down to find the suspect. One more interesting thing here is that drones are getting their own security measures, and we can start seeing some light intrusion detection systems used for drones. So, we can get PCAP files from that network traffic and monitor irregular activity to find, per se, a man-in-the-middle attack or the uploading of some malware onto the drone itself.
Now, let's have a look at the already existing frameworks and how they can be applied to UAS forensics. First of all, we have ISO 27037. It provides some specific guidelines for activities in handling digital evidence: identification, collection, acquisition and preservation. These are the four important aspects of forensic investigation. Of course, as the guide implicitly says, it applies to digital storage media, mobile phones, personal digital assistants, electronic devices, memory cards, mobile navigation systems, digital and video cameras, of course computers with network connections, and networks based on TCP/IP and other digital protocols. Of course, devices with similar functions to the above, like drones, can be listed as devices like that. So, this is a framework that we can actually use to conduct digital forensic investigation on drones, and it also has standards, so we have a pretty good way to start with.
Now, NIST SP 800-86 is a guide to integrating forensic techniques into incident response. This is a guide for computer security incidents and IT troubleshooting. It presents forensics from an IT view and not from a law enforcement view. This is quite important because this cannot be used as an all-inclusive step-by-step guide. These are just guidelines, not a standard that can be used in court to justify that these were the actions actually taken during a forensic investigation. And it informs of various technologies to perform incident response or troubleshooting.
So now, NIST SP 800-101 Revision 1 is the guidelines for mobile device forensics. Since mobile forensics is an evolving speciality in the field of data forensics, NIST has released a revised edition of this, which attempts to bridge the gap between the evolving technology and forensically accepted procedures.
So, let's have a look at the tools that a drone forensic investigator actually has right now. As there is no established standardized process right now, we mostly rely on scientific results, publicly released guidelines, private company research and development, and of course on our already existing knowledge. We have lots of papers explicitly working on forensic investigation on different types of drones. They are mostly focused on promoting scientific advances and proofs of concept. Some open source tools have been developed through this process that can facilitate the forensic investigation, such as DROP, which is the acronym for DRone Open-source Parser. We can use this tool to perform investigations on DJI logs; I think it goes up to Matrice 3000, I'm not so sure, but for sure, for forensics investigations. And GRYPHON, which was the research that I undertook, where you can have a look at logs that were produced from an autopilot, quadcopter or whatever, plane, mostly drone. The important thing is that this research is mostly focused on a specific type or model. So, this means that the tool produced may not keep up with the continuous changes. This was one of the most important things that I found during my research: that since there is no standardized procedure, we keep on having papers on specific models, and so on and so on, until we reach the state-of-the-art drones that are currently on the market.
We also have the reasonable guidelines. As Mr. Church spoke about in his own earlier presentation, Interpol released an incident response guideline for drones last year. This is one of the first manuals that covers the full spectrum of the investigation, from the law enforcement incident responder, which is the guy that will arrive at the crime scene and take care of the drone, to the forensic examiner back in the labs. These guidelines were quite interesting, and I'm trying to establish a general framework that I can apply to different jobs that are currently available on the market. We have to take into consideration that the law enforcement incident response may have some procedures that, let's say, have to be standardized; this is quite important, because they apply the chain of custody protocol. So, when a drone crime scene is taken into the responsibility of the incident responder, he has to do specific things. He has to make sure that, for example, the crime scene is not reachable by persons nearby, that it is also safe for the incident responder and does not have some hazardous material, or probably other radioactive material, on the scene. So, this guideline covers a really big spectrum of that investigation.
Now, of course, we have the private research and development. This mostly relies on private initiative, and they also have done quite advanced research. Video labs, for example, have provided a really good and big data set of almost every drone available on the market, with logs and memories and images from the drone itself, so we can do our investigation. And we can have, let's say, a playground and try different stuff, because they have made quite an extensive list of drones. Their expertise, of course, can help us guide the standardization, because they have a lot of experience and lots of drones to play with, which is quite important. Of course, we rely on our already existing knowledge; we use the frameworks for computer or mobile forensics. Mostly, this means that the procedure will remain the same. What is important is that we need to integrate all the different knowledge that applies to the drone and connect the pieces of the puzzle to specifically apply to a drone investigation.
Now, let's have some thoughts before we conclude this presentation. As the world becomes more and more Internet of Things focused, the need for high-expertise professionals becomes more highlighted. If drones are to be in our everyday lives, this means that they can also be engaged in more accidents. The role of a drone investigator, forensic investigator actually, will be something like the investigator in an urban crisis; it's quite important because lives depend on this. So, we have to create a standard best practice on conducting the forensic investigation. As I mentioned before, we'll have to connect the pieces of the puzzle of all this knowledge and apply that to drone forensics standardization. I hope that with this presentation we can have a kick start to a much broader and much more complicated discussion that can move the industry forward. And this is why I think that this conference actually gave quite a good ability to reach a broader audience that has much more knowledge and many more connections, actually, and take the matter to the next level. So, I have concluded my presentation; you can reach me on my email or LinkedIn. And I will be happy to discuss everything you'd like.
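As an added illustration of the flight-path analysis the talk describes (reconstructing the path from logged GPS fixes, taking the first logged fix as the take-off point, and spotting where the drone hovered over a location), here is a small example written for this review; it is not code from the talk, GRYPHON or DROP. The CSV log layout (t,lat,lon,alt), the constructed sample fixes and the 20 m / 15 s loiter thresholds are assumptions for the demonstration.

```python
import csv
import io
import math

# Constructed sample telemetry log (not a real drone log): seconds since
# boot, WGS84 latitude/longitude in degrees, altitude in metres.
SAMPLE_LOG = """\
t,lat,lon,alt
0,37.9838,23.7275,0.0
5,37.9840,23.7280,12.0
10,37.9850,23.7295,30.0
15,37.9861,23.7310,30.0
20,37.9861,23.7310,30.0
25,37.9861,23.7311,30.0
30,37.9862,23.7310,30.0
35,37.9870,23.7330,28.0
40,37.9885,23.7350,10.0
"""

def parse_log(text):
    """Return the telemetry as a list of (t, lat, lon, alt) tuples, in log order."""
    rows = csv.DictReader(io.StringIO(text))
    return [(float(r["t"]), float(r["lat"]), float(r["lon"]), float(r["alt"])) for r in rows]

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle ground distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def takeoff_point(fixes):
    """The first logged fix: where the drone was placed on the ground before take-off."""
    return fixes[0][1], fixes[0][2]

def loiter_points(fixes, radius_m=20.0, min_seconds=15.0):
    """Return (lat, lon, dwell_seconds) for spots where consecutive fixes stay within radius_m for at least min_seconds (assumed thresholds)."""
    out = []
    i = 0
    while i < len(fixes):
        j = i
        while j + 1 < len(fixes) and haversine_m(fixes[i][1], fixes[i][2], fixes[j + 1][1], fixes[j + 1][2]) <= radius_m:
            j += 1
        dwell = fixes[j][0] - fixes[i][0]
        if dwell >= min_seconds:
            out.append((fixes[i][1], fixes[i][2], dwell))
        i = j + 1
    return out

def flight_path_length_m(fixes):
    """Total ground-track length of the reconstructed flight path, in metres."""
    return sum(haversine_m(a[1], a[2], b[1], b[2]) for a, b in zip(fixes, fixes[1:]))
```

On the sample log the take-off point is the first fix and one loiter spot is reported, where the drone stayed within 20 m for 15 s; on a real log the same output is what you would plot and then correlate with cameras or witnesses near the take-off point.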