Forensic Analysis of sUAS aka Drones – SANS DFIR Summit 2015

Thank you all very much for attending. There's a lot of material here; I'm going to scream through a lot of it. However, if you've got any questions that are relevant that you're going to forget before the end of the session, ask; otherwise, hold till the end of this session.

Um, 15 years of search-and-rescue experience is part of the reason I'm passionate about UAVs. I like mapping things, I like knowing where things are, and UAVs are also good for looking for people. I'm also a fixed-wing and rotor pilot. I have flown helicopters, I've flown fixed-wing aircraft. I get really irked when people put other objects in the way of my flight path. I don't like dying, so that also informs a lot of stuff. I work for Ernst & Young. I am incredibly fortunate to work for them, because after doing incident response and computer forensics and cyber security for them for three years, they are actually letting me help lead our disruptive technology practice. I am doing UAVs for a Big Four firm, and I'm just incredibly fortunate in that regard.

This is a kind of informative joke. There's a lot of perceptions about what UAV pilots do and don't do. My wife, when I started doing this stuff about five months ago, said, "You're going to make a living flying plastic toys?" and the answer is essentially yes.

Why is this relevant? There's a lot of data out there on how big the UAV market is going to be over the next five years. It's all wrong. We don't know. It's just such a disruptive technology right now, it's such a hot market, VCs are dumping money into it, vendors are popping up all over the place. We don't know. Some of the interesting things, though, are that we're most likely going to create about 70,000, 100,000 different jobs. 10,000 DJI Phantom quadcopters, which are the ones you usually see in the news, are being sold every week. That's a lot of UAVs showing up in the US airspace and other airspaces.

There's a lot of illegal and inappropriate activity going on with the UAVs. You've seen it in the news: they've landed on the White
House lawn, they've delivered drugs and cell phones into prisons, they have been on the flight path at DP actually I other things DF Love Field, they've been seen over Newark, they have been crashing into crowds. I say all these things; I want to make a really clear point: this is in the minority of all the pilots. The vast majority of the people flying UAVs are people like you, myself; they are flying safely and legally. This is a very, very small percentage of all the people out there flying UAVs. However, there are a lot of UAVs out there, and so that's still a significant percentage.

So this is relevant for you all because law enforcement is going to be investigating these now. Regulations and law about UAVs are all over the map, and lacking FAA regulation that clearly says what you can and cannot do, a lot of local jurisdictions are passing their own laws empowering local law enforcement to actually do something with these UAVs. If you're in law enforcement, it's relevant. If you're in agriculture, if you're in media, if you're in real estate, all these industries can be touched by UAVs. It will likely be relevant for you.

There are a lot of anti-drone solutions out there. Most of them are illegal in this country. You cannot jam them. You can shoot them down with a shotgun in Northern California; don't advise that, because you can get charged for doing other things there, but, you know, it's an option. There's a whole other side of the conversation about this.

I want to make another thing really clear: I am NOT anti-drone in any way, shape or form. I run a commercial UAV service company. I fly these two things because I enjoy them. I've got a lot of friends who fly them. I am anti stupid behavior. I'm anti illegal behavior. If you put a UAV on my landing pattern, if you drop a UAV on my wife's head, I'm going to be very anti you. I want to make sure that all the people that are investigating that sort of incident have the tools, the techniques and the support they need to properly investigate that incident,
whether it's in the defense of a pilot or to prosecute that pilot. We need to be able to gather accurate facts. We all need to be able to do this. That's why we're all here; that's what I'm here for.

So, quick terminology. UAS... there are RPAs, a military term; UAS is the more common sort of US term. It's an unmanned aerial system, emphasis on system, and we'll come back to that. The UAV is the aerial component, the aerial vehicle of that system. It's a vehicle. It's a vehicle for technology. It is not a disruptive technology in and of itself; it's empowering other disruptive technologies. It's carrying sensors, it's carrying payloads. It's kind of like the NASA program: NASA empowered a lot of other things to happen, but it was not exactly a disruptive technology itself. Ground control stations, data links, drones, first-person view: all these are relevant.

I apologize for the bad joke, but a high altitude you do. DJI Phantoms: ten thousand a week. They are a very common platform. They're what most people will likely have to investigate. They're also a really good demonstration platform, and that's why I'm using it. It has all the components of every other system I fly, and every other system, even up all the way to military. It's got all those components.

So what physical evidence is available? And I apologize for the red on black; I will redo this slide at some point. There's coffee, which is always important. Um, there's the ercoupe throne button, there's the aircraft itself. The aircraft has a camera or some other payload sensor on it. There's a battery system, there's the radio controller, there's a Wi-Fi range extender, there's a mobile device, and there's a laptop. All of these are relevant to what we are doing. All of these have digital evidence on them. That aircraft has an embedded Linux system on it. That camera has another embedded Linux system on it. That Wi-Fi range extender has another Linux embedded system; well, it's actually OpenWrt, not embedded. The battery actually has an intelligent
controller on it that you can talk to. That dumb radio controller, it's a standard RC radio controller, actually has firmware on it that you can talk to. The laptop is used for maintenance, for billing, for all the rest of sort of the business operations, and that mobile device is my ground control station. The trailers in Nevada that they're using for flying Predators over Iraq, that's a big ground control station. That mobile device is my version of it. Even the commercial ones are oftentimes flying on Android tablets too; very common mechanism for ground control stations.

What the physical evidence available is: the drone itself, with a flight controller sensor on it, physical evidence there. The ground control station. There's a data link component to that. The radio controller. There's a lot of post-processing technology available also. All these have digital artifacts: the mobile operating system, traditional operating systems, a variety of file systems, all that media storage, EEPROMs and firmware. I started looking at JTAG; that's something I've got to go learn a lot more about. It's probably relevant. I didn't get into that.

There's also a lot of other pieces to this, and this starts getting into sort of commercial cyber security and commercial investigations. There's mission planning; it's still present even just in my own one-person operation. There are maintenance logs, purchase records, social media and fingerprints. All of these are relevant when you're investigating a crash or other misuse of UAVs.

What's on the UAV itself? The main board has a CPU on it, running Linux in most cases. There's a bunch of ESCs, electronic speed controllers, which also drive the LEDs; they drive the motors. Battery board and battery. There's a GPS and compass, which are used for flight control sensing. There's a flight controller with its own receiver tied to it, anti-interference board, and then the gimbal board drives the camera. So all this sort of stuff may be relevant to your investigation. Keeping it all online.

The UAV CPU and
operating system: the flight controller is essentially the CPU for a UAV. It runs some form of software on there; think of that as the operating system. Um, there's a lot of open source solutions, and I did this a couple months ago and there are more solutions out there now, and there are a bunch of commercial solutions. Um, there are essentially open source... well, it's not quite open source hardware, but you can buy a flight controller for about 18 bucks now. You can put that on all sorts of stuff that you build up yourself, and you're ready to go. Airware is a company out in Northern California; they are trying to be both the Microsoft and the IBM of the UAV world. They want to sell you hardware, the software that runs on it, and all the other components to tie into that. There's a lot of other people trying to do this as well, including open-source efforts. Linux is the predominant operating system that I'm seeing out there on the UAV. All of the ground control stations, stuff like that, has traditional operating systems for the most part.

Collection analysis workflow. Most of us are digital forensic investigators in some form or another; this is highly relevant. You need to gather a lot of information before you get started on it. Look at all the pieces you've got, understand what they all are, understand how you're going to approach them all. Some of these systems can be highly customized. There's open source software out there, and a lot of the ground control station software that's used for mission planning and things like that is written by third parties, not by the vendors. Look at all those components. Determine the problem you're trying to solve: are you doing an accident investigation? Is it because somebody used it for transporting illegal materials? Is it a privacy complaint? All of these will help guide your investigation, and what evidence you want to look at first and what evidence you want to look at later. These should be fairly familiar to everybody in the room.

The guiding principles: know what
you're looking at. As I said earlier, it's a vehicle. You see a UAV, it's like, "Oh, okay, I'm going to pick this up, I'm good to go, I got everything." It's got a lot of other things inside of it. You've got to be prepared to go look at all those.

Know how to talk to all these components. USB connections all over some of these things. The DJI Phantom, you can use Wi-Fi or Bluetooth. Other things use MAVLink. If you actually start pulling the things open, you may need to use JTAG and other forms of sort of deeper-dive forensics.

Know what it's running. Make sure you've got the tools to analyze what these things are running.

Know what you're looking for. Most of the time you're looking for evidence of: was this thing used for legal activity? Where'd it come from? Where'd it go? So you're looking for waypoints, you're looking for where it went to. But you may be looking for evidence of illegal payload: was this used to drop something? Does it have some mechanism for lifting, grabbing, releasing, things like that? You also may want to say, "Hey, look, this thing flew 20 miles to get here," and you look at the battery, it's only been used for ten percent, it's only been in the air for five minutes. There's no way it got here from wherever you thought it got to here from.

Document everything. There's a form up in my blog site, which is a forensic collection form for these things. It walks you through all the steps for what you need to collect, how to collect it, things like that. If you've got changes that you want to see on it, let me know. Um, photograph everything. I always get a whole stack of index cards. I put the date, time, case number, all that. I put it down in front of each element of what I'm doing, I take a picture of it; that's my photographic record. Take a picture of the scene, take a picture of the UAV as it was when you found it, take a picture of the ground control station as you found it. All these things are relevant. If you're law enforcement, obviously, fingerprint it. Then only break all this stuff down into your component
parts, and make a plan for putting it all back together in terms of the forensic story you're trying to tell.

For most of the rest of this presentation, I'm going to be trying to tell a story. We have a crashed drone or something, it's on the lawn, and we don't know how it got there. We want to know the whole story of how it got here, why it was here, and we want to work it through the whole process. So I'm going to start us off with the crashed drone. It was found in the front yard. We want to know who owns it. We want to know how it got here, where it was before it was crashed, was it going someplace else or was it coming here, and what was its purpose.

So this is the underside of a DJI Phantom 2 Vision. Happens to be the underside of my DJI Phantom 2 Vision. The upper part's upside down, I apologize. I label everything, so there's my user-identified label on there; that's probably relevant. There's a model number on there; that's pretty useful. There's a serial number on there; that's really useful. I haven't done any law enforcement cases or civil cases where I've had a chance to file a subpoena against DJI. I would really like an opportunity to find out how they respond to such things. If anybody has a case involving DJI, please let me know; I'd love to help you.

There's also another very interesting artifact. Underneath that QR code there's a series of letters and numbers. Who can tell me what those are? Five, four, three, two, one... come on. The MAC address. Why is there a MAC address on a UAV? Might it have a network on it? It has a network on it. That's relevant. By the way, if you look at that prefix, it comes back to DJI.

That QR code is also rather interesting. That's what it expands out to. It's all right there in the string: it says it's made by DJI, it's a Phantom 2, gives you the MAC address again. If you use that MAC... if you use that URL on your ground control station for the DJI, actually for the maintenance station, it will go off and update your firmware and do a lot of other things for you.
Imagine what you could do, and I'm not recommending you do this because it's illegal, if you fuzz that address: what other information could you find out about the various people that are using their products?

There's a whole... there's three Linux systems that are involved in the DJI Phantom. This is common to other platforms as well. The Wi-Fi range extender that's sitting on the back of the handheld transfer radio controller has an IP address. It has a known root password. It's running OpenWrt. It's the connection point for the ground control station out to the Phantom: the ground control station talks to it, it talks to the Phantom. You now have a long-distance radio link out to your Phantom. You can replace that with any other WRT instance, which means that if you want longer range, you can do that. You can also use it to hack into these things, and I'll get to that later. The camera has its own IP address and root password. There's not a lot to look at there. And then the general-purpose CPU on the Phantom is running another Linux system, and it remotely mounts, I think via NFS, that camera's file system, so that's where all the images come from. You can talk to that via ser2net, and we'll get to that as well.

The collection steps are in here. You basically SSH in and you start using dumped pulled it back. I use Brian's live response tools to pull artifacts off of it as well. There are a bunch of gotchas about this file system and this operating system. First of all, there are two file systems on there. One's JFFS2, and the other one... it's sitting on top of an MTD device, which I had to go learn about. I do not know everything I wanted to know. Um, basically: dump the file system, then you've got to byte swap it before you can do anything with it. It's JFFS; you've got to go deal with that. And to actually put together the whole file system for that whole CPU, you've got to layer it back on top of the other file system.

All of these tools... all the commercial tools, sorry, all the sort of consumer-grade tools and many of the commercial tools have SDKs
published for them. They want to encourage people to do cool things with these platforms. That means that you can do cool things with these platforms, such as getting at data they were not sharing already or not expecting to share. Be prepared to do your own development.

This is what I did. I wanted to know where this UAV came from. One of the things I pulled back was the battery supply, remaining battery power, so they'd only used twenty-one percent of the battery capacity. It had been flying for about eight minutes. But the most important thing is it had six satellites, six GPS satellites locked, and it tells me the home location. DJI and all the other vendors strongly recommend, and they even automate, having the UAV know where it was launched from, because when you lose contact with it or something else happens, they want it to fly back to where it was launched from. If I find this thing sitting in my lawn and the power's still on it and I can pull that information, it's like, "Oh, plug that into Google. Oh, he's about a quarter mile that way." That's going to pick them up, or at least go talk to him. So, very useful information.

The DJI Naza flight controller doesn't have a lot of onboard data logging. When you power the thing off, a lot of the information goes away. Other flight controllers have a lot more onboard processing; some of it sticks around, some of it doesn't. Just keep that in mind as you're looking at these platforms. The ground control stations have a lot more of that telemetry data, and that's really where you're trying to get to.

Oops, sorry. So the answer is often in the data. We've got this home location. We can walk over and find that home location. Let's go see what's over there. Actually, I'm getting ahead of myself, sorry.

On this platform there's also a sensor. In the case of DJI it's usually a camera, but I fly lidar for doing mapping purposes; standard optical; NIR, actually NDVI, is for doing crop health; thermal for doing pipeline inspections, looking for missing persons; and you can fly
a Wi-Fi range extender over there if you want to go hack, use it to remotely hack into some building's Wi-Fi and extend their network out to where you are. The sensor data will tell you a lot about the purpose of that aircraft and where it's been.

The most common optical sensors are the GoPros, the DJI's own camera. I fly Canon S110s; a bunch of other people do that as well, for more mapping purposes. The artifacts that come off these things are very traditional. These are all familiar to you: it's the image and the EXIF data. No rocket science here. The location of where this thing has been is right there on that UAV. Just pop the SD card out and you've got it.

This is the EXIF data from a Phantom, the Vision 2. As I said, it's got the GPS latitude and longitude right in there. It tells you where that picture was taken. Unfortunately, DJI does not record altitude, so if you're trying to prove that this thing was flying into above 500 feet or something like that, so will it, you cannot do it with this data. You can then just take this and plot it. You now know every single place one of those pictures was taken. You can plot them in sequence; you know its entire flight path. I can now definitively say that this camera was over this location at this point in time. They could fudge the EXIF data, I admit, so you've got to go look for that sort of evidence tampering.

There's a whole bunch of the sensor data that goes up in the cloud. The whole purpose of consumer drones is to make yourself look cool on YouTube, apparently. Other people do other things with it, but that seems to be where a lot of the evidence comes from. Check out YouTube videos, check out Facebook, check out all these other things. We already do this from the mobile devices. We already are catching the bad guys, or at least saying, "Hey, look, stop doing this bad behavior," because people are posting this information. This is not anything new. Use your traditional techniques; you'll get a lot of results.

The commercial vendors are doing the same thing. If
I'm flying a UAV for two hours to go get crop health data, the farmer standing next to me wants to know right now how healthy his crops are. A lot of these things are uploading in real time to the cloud and doing processing, and by the time I land they've got that data available for me. So keep all those in mind when you're doing your investigation.

I did not stage these shots. Everybody who's flying these things wants to make sure the camera works, or they launch it, they leave the camera running, and if you pull the SD card out you'll find these pictures. That is my license plate. You can go run my plate and find out where I came to, where my car usually is, who I am, a lot sort of stuff. That's a picture of me. I've looked at a lot of other people's imagery, all coming off their cameras. They've got pictures of themselves when they're launching or landing it, right there.

So now we've got the launch point. What's at the launch point? There's a ground control station, which is often a mobile device: tablet, phone, something like that. There are a lot of vendor applications and third-party generated applications on that phone. The vendor applications are, I won't say well written, and I'll give you an example of that in a minute, and the third-party applications, depending on who wrote them, range everywhere from very well written to very poorly written in terms of security. A lot of information in there. What we're looking for: the default settings, how do they want to fly this thing, where it was launched, when it was launched, owner's name, account information, a lot sort of stuff. There's a bunch of other information that's at that launch point. If you pull my vehicle apart, you'll find two laptops, three UAVs, a whole bunch of batteries, all sorts of other evidence that may be of potential use to you.

This is the standard DJI Phantom application. If you pull it apart, you've got a table in there, a SQLite table, that's got a bunch of IDs, the flight time, latitude and longitude. The flight time is a little
misleading and actually turns out to be the launch date of that. The latitude and longitude are correct. You plot those; you now know every place where I turned on that application and connected it to a DJI Phantom. You now know where I've been. Some of those locations I probably should not have been, and I picked that, I moved from that data around, so some of those places I definitely should not have been, um, I just made those up.

The other thing off that ground control station, off that DJI Phantom application, is the path to this plist and my email account. The email account, like many other vendors, they're using that as my username. My password's in there for that website. That password's in the clear. You now have that information. This is the vendor's application. This is not some third-party developer just trying to put together something cool. This is the vendor doing this stuff. It also says I was running in the ground station mode and I was not doing the first-person view.

With that account information, my own account, I don't have a subpoena, I don't need a subpoena, I can pull my shipping address, I can show how much I paid for it, a bunch of other information. People buy these things from Amazon and lots of other places. It's not always going to be this easy; sometimes it is.

So we went from the crashed UAV to where it was launched from. Now we're at home, or now we're at the office. What information is there? We have flight mains and maintenance logs. Did this person properly maintain their UAV? If you are flying commercially and, you... FAA is voluntary compliance right now. If you are complying with them, there's a lot of stuff you need to do on a regular basis; that information should be there. They should, will likely have, in some form or another, a lot of information about previous flights. They will pull their own imagery off from a flight they did three weeks ago; that information is there. They're going to have client accounting data. This is all the traditional stuff that we will
find when investigating somebody with a laptop that was used illegally. The UAV's just another example of a vehicle for illegal or malicious activity. You can investigate it in a similar manner.

The data analysis system: initially, people were doing a lot of data crunching on their own platforms. It requires a lot of CPU and a lot of memory. Most of this is getting done in the cloud now. That said, most of us still pull the data off of our UAVs and store it locally, so that should be there. There are also a whole bunch of other UAVs sitting at home, spare parts and things like that.

We have a drone in flight. It's hovering over. Can we do anything about it? You can shoot it down with a shotgun; that's somewhat disruptive. It's come on illegal doing some things like that. We would like to know who's flying it, we would like to know where it's going, we'd like to know what it's collecting. You can do real-time analysis on some of these platforms. Even this is illegal. I'm doing it as my own; how you use it is up to you.

If you get into that OpenWrt system that is sitting on the back of the radio controller, you can now SSH out to the flight controller, and using ser2net you can talk to everything on there. Somebody else did all the work on this; I'm just, you know, reusing their material. They figured out some of the commands you can issue. You can ask it for a status. Most important, you can ask it where home is. So instead of having to develop that app that I did, I can just go talk to this thing in flight and say, "Where is your launch point?" So it's hovering over me, it says, "I came from over there." I walk over there, there's a guy holding a flight controller, that flight controller's paired to that Phantom; we're essentially good to go.

You can hijack these things in real time. So I don't have to be standing next to the guy with the OpenWrt range extender. I can cause that DJI Phantom in flight to deauth. I can have my own WRT range extender set up with a directional antenna so I've got the strongest
signal pointing out at that Phantom, and it will try to re-authenticate. It should re-authenticate to me. Now I've got the real-time connection to it. They still have the radio controller; they should be able to go land it themselves by taking control over it. My suspicion is that there's probably some way to send a command to that thing to tell it to even ignore the radio controller. I haven't gone that far yet. There is a tool out there called SkyJack that somebody wrote a couple years ago, designed for Parrot AR drones. It will hijack them. This sort of approach will likely work on a lot of other platforms.

As I said, the Phantom's one of the more common platforms out there; it's actually the most common platform out there. These techniques apply to a lot of other platforms, and some of them are a lot easier. The Pixhawk flight controller is one of the more common flight controllers that are used in a lot of other platforms. Most often it works with an open source package called Mission Planner, though 3DR's coming out with some custom applications and a lot of other people are now talking to it more directly. It downloads a lot of data as it goes.

To put together that map I showed you of all the images earlier took me about an hour and a half. I had to go write some scripts, a bunch of other stuff. I can generate this plot of where that UAV was in about two minutes using Mission Planner. The data is right there, and it knows I want to plot it. It shows me altitude, location, all the rest of it; it overlays on the top of a Google. Much easier.

This is a telemetry log of one of my flights in my fixed-wing UAV. Anybody in here a pilot? So what's pitch? Pitch. This is the record of the last 15 seconds of the pitch telemetry from a fixed-wing UAV prior to landing. I had it straight and level for a while. I was trying to get lined up for my landing. It's looking at... I'm basically flying it and then it's coming back towards me. I level everything out, we're good to go, we're just cruising
right in, about 10 feet off the ground, life is good. All of a sudden it pitches down horribly, and then it pitches right back up. I ran into a chain-link fence. I was completely focused on the aircraft, and it's like, completely missed this chain-link fence. Runs into it, pitches way down, hits the ground, bounces back up, it's now level. That's what that is.

There's an enormous wealth of data in these aircraft. The original consumer UAVs were put together by a bunch of hackers who were flying radio-control aircraft and said, "Hey, let's see if we can automate this stuff." To balance out the four props on a quadcopter takes a lot of computing power, and if everything is not quite right, they fall out of the sky. They've instrumented the heck out of these things. The data is in there. You can tell a lot about why things happen by looking at the data and knowing what you're looking at. You think this does not apply to a standard UAV investigation, but it might. Why did it crash in the lawn? Did they intentionally crash it there, or did something in the system fail, which you can tell by looking at the logs, and it accidentally crashed there? It also sort of records a lot of parameters; much easier to find. This is only a fraction of them. You can tell a lot about how it was configured; that tells you a lot about its purpose.

I'm not going to get done early, I apologize. Um, there are a lot of challenges and solutions going forward. DJI Phantom has been around for a while. They've moved off of Wi-Fi; they're now going to Bluetooth. Other people are going to LTE, other cellular technology, for controls. This closes down some opportunities and creates some other opportunities, and I'll give you something of a... if you can control a UAV via cell signal, how easy will it be for you to track that UAV back to the original pilot, the person flying? And how long range can that be? If I'm getting all the telemetry back from a... that says, "Okay, I'm now 20 miles that way," that's all I need to know to fly it. So the range of
these things is phenomenal, and people have been hacking together long-range solutions, but as we go into cellular controls and things like that, they get much, much longer range, much more capable.

There are a lot of vendors, a lot doing their own thing. There are a lot of people doing custom work. There's a wide range of operating systems out there, a wide range of platforms. It's not just Windows, Linux and, what's the third vendor, oh wait, Apple. Um, there's a lot of other things out there.

Focus on the ground control station. The UAV's got a lot of cool stuff on it, but a lot of them, if you power it off, you lose a lot of data. Some of it may require JTAG, and as I said, I've got to get into doing that. There is the sensor data on that platform; pull that, look at it. But a lot of your information about what was going on, why it was going on, things like that, is on the ground control station. You do not need to do much different to go investigate those that are running on mobile devices; we know how to investigate those. They're running off of laptops running Linux, OS X, Windows; we know how to investigate those. There is no rocket science at that point. You all can go do this stuff right now.

Some more forensic, mostly law enforcement approach things. The UAVs are paired with two different devices. They're paired with that wireless range extender or some other data link component, and they're paired with that radio controller. If you need to go to court and say, "I know that this UAV... believe with great degree of certainty that this UAV was operated by this person," and you can show that that UAV was paired with this flight controller, this radio controller that has my fingerprints on it, it's going to help you make your case. Use traditional processes; they should work for you.

I just said you all can do this. You all can do it, but there's no one tool that's going to help you get the job done. This is not push-button forensics. You cannot plug the image into X-Ways or EnCase or anything else out there and
get all of it done. To go analyze this one platform, and just this one platform, I had to deal with three different versions of Linux, two of which were unfamiliar to me. I had to go look at iOS and Android, which were relatively, I mean, I'm familiar with using them, but analyzing was relatively new to me. OS X and Windows, one or the other usually. Six different file systems at last count; I kind of did lose track. I'd seen JFFS2 before because of playing with some Android stuff. MTD was relatively new to me. Layering one on top of the other was completely new to me; had to go figure that one out. ser2net, this is serial to network. It's a very cool technology, but it was again very new to me. Wi-Fi, there's also Bluetooth data link stuff that needs to be dealt with; you gotta pay attention to that. EXIF data I knew about, GPS I knew about. There's a lot of social media analysis you may need to do, and there are SDKs. I strongly recommend, if you need to get into this sort of stuff, do your research on the net. All this stuff, the bits and pieces of this, are all out there. Some of it I had to go create myself, but a lot of it was based on research that other people are doing. Take your time, be methodical, work with people, talk to me, talk to each other, and together we can all go solve some of these complex solutions.

UAVs do not exist in a vacuum. If you want, if you need to do or want to do UAV forensic analysis, you're still not existing in a platform in a vacuum. There's a lot of cybersecurity issues that go around these things. These are unmanned aerial systems. If you want to plug these into your environment, be you a solo operator or be you a large commercial venture, please think about the larger cybersecurity issues. A lot of vendors are rushing these things to market. The cybersecurity controls in them are immature in many cases. That's a benefit to us as forensic investigators; it's not a benefit to anybody trying to use these things commercially. Think about the intellectual property and where that intellectual property
resides. Again, that benefits you as a forensic investigator: the intellectual property in that case is where the data is going to help me make a case. From a cybersecurity perspective, it's where is the data that somebody is going to go try to steal from me. I believe a lot of that's in the imagery, and a lot of that imagery is up in the cloud. If that UAV is flying around over your crops or your mine site or whatever it happens to be and relaying in real time imagery to a cloud, where are the credentials for logging into the cloud? On the UAV. If somebody can hack into that UAV in flight, do you believe they can get your cloud credentials? Probably, if they can hijack your UAV. So they may, hijacking your UAV may get them one snapshot of the data. If they can hijack your UAV and let you return it to home and you don't know it got modified, they now have essentially persistent access into the data you're collecting.

Here's another point. Are we flying UAVs to collect imagery over things that we do not find valuable? What are we flying them over? We're flying them over new construction sites. We're flying them over test crops, where we're trying to determine which one of these crops is most suitable to this environment. We're flying them over the racetrack where we're doing the test of our new Ferrari or whatever it happens to be. We're flying over all these things that are of interest to us, either as individuals or commercial entities. We are self-selecting that data, and we are uploading that all into cloud solutions. Some of those cloud solutions are really well designed, some of them are, but if I wanted to go find out about all of the critical infrastructure, gas pipelines, high transmission lines and things like that, and the current health of them, and I know that this utility company is uploading their data to this particular cloud solution, am I going to go break into their facility and pull their maps? I can just go get the data they collected last week. And this applies to crops, that
applies to all sorts of other things. If I want to go hack into Sony Pictures again, they're flying UAVs to collect, I mean, a UAV is a beautiful aerial platform for producing movies. It's one of the groundbreaking things for a lot of those things. Where are they storing that? I don't know the answer, but if somebody's interested, they can go find that out.

The final thing I want to make a point of is, again, UAVs are a vehicle. If you are involved in lawmaking, your local jurisdiction or national stage, if you're involved in policy, or you're just talking to people, let's keep something in mind. If I fly a UAV over your yard and take a picture, am I invading your privacy? Legally, no. Why should you pass a law against a UAV flying over your property? It's a UAV violating your product, is it? Is making a law against that UAV flying over your property going to really fix a problem? We need to address the policy in terms of the risk, not in the technology that's demonstrating that risk. I can fly a helicopter over your property and take the same imagery, and if you wrote the law against, if you wrote the policy or law against the UAV, you haven't solved the problem. They are a vehicle. They may have all sorts of payloads on it. Go solve the problem of the payload, go solve the problem of the purpose, go solve the problem of the societal issue that you're trying to raise. Don't write law or policy outlawing UAVs; look at the larger problem.

I think that, yep, this is me. Um, you can reach me at my Gmail account. I'm also first name dot last name at ey.com. I'm also on Twitter. I'm happy to help you all out with anything. I'm literally very interested in enabling other people. I'm not trying to make money off this thing. I'm trying to make sure that if you are working on UAVs and law enforcement and private practice, wherever, that you've got the right tools and technologies that you need to be successful. I'm also very interested in hearing from people who are running into these problems out there. I know in my heart,
and I know from some private conversations, I know from some other sources, that some of this bad stuff is going on. But the more information we can share, and I'll keep it private or anonymous, however you want, the better off we all are in terms of this and a lot of the other things that we do.

Any questions? Yes.

DJI Phantoms run about a thousand dollars, and that's fully capable. You can get a lot of other things for about five hundred dollars. What you want is something that has the ability to fly autonomously and has some sort of sensor platform on it. DJI just happens to be very stable. 3DR also makes some really good stuff.

Sir?

Where are the law and policy going? All the activity I see in that arena is based on fear, uncertainty and doubt, and that is being fed by that very small percentage of people who are doing stupid things. They are flying over crowds or flying into the flight path of commercial airliners. They are flying multiple times into wildfires in Northern California, shutting down air ops. These things are happening, and the way that our political system and international political systems respond to these things is, let's just pass a law against it. The best we can do is try that, you know, we can do grassroots stuff, but the other thing we can do is try to get out there and influence that. I believe that there is some hope that the FAA will say that everything below 400 feet is essentially no man, not no man's land, but consumers can fly in that airspace as long as they're flying safely with it, and they will not require a whole lot of regulation. I believe that commercial air operations will require a new type of certification on a normal pilot's license, recurring training, things like that. I believe that the FAA is going to do the right thing. The question is whether local, state and national privacy laws and things like that will be done right. I have doubts. I'm already seeing a lot of local laws that are badly written. Unfortunately, it sucks for a couple reasons. It sucks
because you just bought one and you want to go do it, but it's also really not helping the public think that the government's looking out for their best interests. Because, um, part of the problem is we don't have a lot of good data. We don't know. I mean, I know that the vast majority of people are flying safely, but we don't have data to support that, and the FAA has not put together any sort of process. We have this for commercial and general aviation: we have some idea of how many flights are executed, how many crashes, all that sort of stuff. We don't have any of that data for UAVs. We will get there, but we're going to get there because somebody can pass regulations requiring, and those are going to be draconian, rather than, hey, let's start with the easy stuff and then see what else we need to fold into it. So, very good question, and for asking a really good question, boom. Sorry.

Anything else?

Um, most of the imagery is almost always saved on the UAV and transmitted either down to the ground control station or out to the cloud. That data link is not redundant by any stretch of imagination. That ground control station is not redundant. Most of these are designed to fail somewhat safe, so if they lose some piece of it, they're supposed to return to home and auto-land.

Yes, that's where that data came from earlier, and the challenge here is that they're making these SDKs available, and so all sorts of people are running all sorts of applications. So there's a lot of information in there, but you gotta go look at each application to figure out, hey, here's where the information may be.

But exactly, and that's why I'm saying, you know, the UAV's got the EXIF data on there and things like that, but the wealth of information's going to be on those ground control stations, because they want to monitor a lot of different variables for improving their product, and a lot of these things are written very poorly, so they're just collecting everything and storing it there.

And that's, I believe they're out there. I know they're on
the phone in many cases, and I believe that for the data services there's a good chance that they are on the UAV in an insecure manner. A lot of these things are embedded and they don't have a lot, um, so yeah, I can't change them, but the vendors have a challenge changing them, because the DJI stuff has been out there for a couple years. They still haven't changed it, so it's a real problem.

I believe that the, I don't think there's a lot of hope in the consumer side of things. They want to get the cheapest possible product out there, you know, at the highest possible price point so they can make money off of it. I think in the commercial space, partly due to regulation but also partly due to educating, taking the knowledge that we have about what good cybersecurity practices are for the enterprise and applying that to UAVs, that they're going to get there. All it's going to take is somebody hijacking, you know, some thirty-thousand-dollar UAV with a bunch of intellectual property on board for that sort of stuff to start getting out there. I've already been talking to some companies; they do get it. Whether the vendors are keeping up with them yet or not, we're seeing there's still this enormous amount of competition, and I don't think anybody's really prioritizing cybersecurity as being a way of differentiating themselves yet. They're more looking at endurance, reliability, payloads and things like that. They'll get there. Um, if they would start choosing some good existing technologies for, like, data links, that would help a lot, and so that's why going to cellular may help with some of those things.

Anything else?

It depends a lot on the, DJI, as far as I can tell, almost all the information goes away when you lose power. As you move up in the ecosystem, there's a lot more retention because they're looking for fault tolerance. Um, the DJI doesn't have a lot of on-board storage except for that SD card. The SD card is really for the imagery. That SD card is really the persistence mechanism for that
aircraft. In that particular case, that card's only wiped when you intentionally wipe it. It's just, as I said, it's a standard camera with an SD card in it, and that's why we can use standard techniques on it. With the Pixhawk flight controller, um, things are a little bit different. I'm still working on figuring out exactly what persists after we lose power on that. But a lot of that information, if all you've got is that UAV, your best bet's that imagery. If it's a DJI, a DJI Phantom, you're not gonna get a whole lot off of the dead, the powered-down system on there. As you move up that ecosystem, if you run into something, let me know, but I believe that there are going to be better persistence mechanisms.

I got like two minutes. Anything else? Hey, I got two minutes extra. Cool. Thank you all very much for coming.

David Kovar, @dckovar, Senior Manager, Ernst & Young’s Advisory Center of Excellence

Small Unmanned Aerial Systems (sUAS) aka “drones” are all the rage – they are invading your privacy, they are delivering your packages (and illegal drugs), they are even landing on the White House lawn. Where have they been? Where are they going? Who launched them? Let’s find out.

sUAS – emphasis on the final ‘S’ – are complex systems. The aerial platform alone often consists of a radio link, an autopilot, a photography sub-system, a GPS, and multiple other sensors. Each one of these components might contain a wealth of pieces to the answer to the above questions.

Add in the ground control stations, the radio controller, and the video downlink system and you have a very complex computing environment running a variety of commercial, closed source, open source, and home brew software. And yes, there is already malware specifically targeting drones.

During this presentation, we will walk through all of the components of a representative drone and discuss the forensic process and potential artifacts of each component, along with a presentation of the overall story told by the individual components.

David Kovar, @dckovar, Senior Manager, Ernst & Young
David Kovar is a senior manager in EY’s Cybersecurity practice. He’s also been an entrepreneur, ediscovery consultant, software engineer, SAR incident commander, executive protection agent, and lethal forensicator. He has collected images in China, rescued wayward Americans in Australia, and conducted disaster preparedness assessments in Tajikistan. Oh, and he flies sailplanes, fixed wings, helicopters, and drones.
