NIST builds drone forensics dataset
- By Matt Leonard
- Jun 14, 2018
When criminals take advantage of technology to hide their tracks, law enforcement officials are left to try to extract evidence from their computers, phones or storage drives for investigations. Now that drones have been used to smuggle drugs into prisons or across the border, officials need a way to reliably pull data from these captured devices that ensures the evidence is preserved and usable in court.
To help law enforcement extract information from unmanned aerial systems, the National Institute of Standards and Technology has included forensic images of 14 popular makes and models of drones in its Computer Forensic Reference Datasets. The "forensic images" in CFReDS are not literal images but rather device specifications and sample digital evidence that investigators can download for free to learn what's inside the drone.
Drone forensics is a relatively new field. It showed up in a few research papers in 2016, and by 2017 law enforcement started asking for the capability. Now, any conference on digital forensics is sure to have a panel on drones, according to Steve Watson, founder and CTO at VTO Labs, the company that developed the forensic images for NIST.
VTO Labs built the forensic images by purchasing three different drones for each of 14 models and flying them to collect baseline data. Each drone had its data extracted a different way. For one, VTO pulled the data while leaving the device intact; for a second, the drone was disassembled and data was extracted from its circuit board and onboard cameras. With the third, VTO removed all the chips and extracted data from them directly. The company also disassembled and extracted data from the pilot controls and other remotely connected devices.
“A forensic image is a bit-by-bit copy of data to a second instance,” Watson said.
Using a forensic image instead of the data directly on the device of interest allows investigators to keep the original data intact. “You keep the original pristine,” he said. “You keep it the same state it was as when it was received into evidence.”
The forensic images are saved in an industry-standard format that can be viewed with forensic software used for examining computers or mobile phones. The amount and type of information a forensic analyst can glean depends on the brand of drone. Accessible data could include photos and video, the route the aircraft took, the starting and ending location of flights, the routes of previous flights, altitude, velocity, pitch and yaw. Sometimes there is an email or physical address of the owner, and one of the drones even had credit card information accessible, Watson said.
“We don’t know why a manufacturer would put that there or what their intent was, we just simply report out what we see and what we find in the data,” he said of the credit card data.
The images not only help investigators train before accessing evidence, but also aid in the development and testing of drone forensic tools, according to Barbara Guttman, the manager of NIST's Software Quality Group. “People want to know if the tools they’re using for forensics, to take evidence into court, work correctly,” she said.
Investigators can use the images to practice recovering data, including deleted files. Universities and forensic labs can use them for training, proficiency testing and research. And application developers can use the images to test their software. “If you’re writing tools for drone forensics, you need a lot of drones to test them on,” Guttman said.
This research could also lead to the development of software that automates drone-specific forensic processes like finding the GPS coordinates or identification information within the file, Guttman said.
It’s important, according to Watson, that police not practice drone forensics on actual evidence. This dataset gives them another option.
“I have a personal philosophy that I strongly advocate in our discipline -- that you never practice on evidence, you practice on sample devices and test data,” Watson said.
Matt Leonard is a former reporter for GCN.