
Hello and welcome to this afternoon session. We are very honored to be speakers this year. So today we're going to talk about drone log analysis through mobile forensic acquisition. The drone industry will rise in the next few years, with applications ranging from civilian uses like search and rescue and agriculture to military operations and possibly malicious acts. With great power comes great responsibility, as Uncle Ben said. So, my name is Nikos, I am a cyber incident responder at Deloitte Greece and at the same time I am a cyber security researcher with a focus on digital forensics, especially file system and memory. I am Evangelos, I am a cyber security engineer at Infill Information Technologies and author of Gryphon: Drone Forensics in Data Flash and Telemetry Logs, a research paper published last year in Tokyo. We are both peer instructors in the University of Piraeus Cyber Security Team, hoping to raise the next generation of students in cyber security.

So, let's first talk about what a drone is. We have the key components: a body, the motors, propellers, battery, GPS, flight board, a radio receiver and the most important one, the flight controller. The flight controller is a small companion computer. It can be a simple board or a more advanced one like an Arduino or a Raspberry Pi, and it increases the drone's capabilities and allows autonomous execution of flight missions. But remember, a quadcopter with a flight controller is more advanced than a typical quadcopter whose capabilities are limited to the pilot's skills. Flight controllers can be open source like ArduPilot and PX4 or proprietary like DJI or Parrot.

So, how can we use smartphones to control drones? The system of the flying vehicle and a mobile device is called an unmanned aerial system, UAS for short. Drones, unlike many other electronic devices, require supporting devices to enhance their operational capability. We use applications to convert our smartphones into controllers. Today we're going to use QGroundControl. Now, let's talk about the ArduPilot communication protocol. This protocol is called MAVLink, the Micro Air Vehicle communication protocol, and it communicates with all the flight components of the drone. MAVLink follows a modern hybrid publish/subscribe and point-to-point design pattern. Data streams are published as topics and these messages are recorded by the autopilot in the dataflash and telemetry logs. A MAVLink network is made up of systems like vehicles, the ground control station and antenna trackers, which are themselves made up of other components like the autopilot, the camera systems, the ACS and many others. So let's have a look at the MAVLink protocol. On the top picture we see the previous version, which was MAVLink version 1, and on the bottom picture we can see MAVLink version 2. We can see the noted differences and the signature package that can identify which device has sent the signal.

Now that we have seen some introduction about the communication protocols, let's take a look at smartphone forensics. Since the devices are going to be used to control the drone, it is very important to know the basics of how acquisition will proceed and some information about smartphone forensics. So, the extraction takes place at five different levels. At the bottom we have the very basic and at the top we go deep down even to the physical level. So, the first level is the manual examination. Basically it's all about recording all the information that is viewable on the screen. You can copy/paste the data and extract them to a device. Then we have the logical extraction. Using a variety of protocols to communicate with the device through serial commands, the logical extraction can be done. The device will be acquired using USB, the USB debugging mode, and it provides quick access to all accessible data from the file system, although the unallocated space cannot be acquired. So, this is why we go in step 3 to the physical extraction, which is a full physical acquisition of the phone with the bypass of the standard cryptography using special software, even JTAG or ISP. At level 4 we have the chip-off, which is the removal of NAND and eMMC flash memory chips with the use of specialized software. So the acquired data will be interpreted and then analyzed with traditional forensic methods. At the top level we have the microread, which is the removal of the top layers of silicon and reading all the logical gates one by one with electron microscopes.

So, regarding the best forensic practices. The standard procedure mandates that if the device is found on, it should remain on during the acquisition and the examination. If the device is off, then it should remain off. So what happens if we find the device on the ground? First of all, the examiner should set it to airplane mode. Then all security mechanisms should be disabled, including biometrics and touch ID, and screen locks should be set to never, because you don't want to lock the screen during the acquisition and lose valuable data. And of course USB debugging should be enabled. After the acquisition is done, it should be isolated in a Faraday cage so electromagnetic fields do not interfere with the device. This is done so that the whole process is clean and no one can challenge the examiner and the acquisition process should the case go to a court of law. And then of course the device should remain on power, so that's why the examiner or the first responder should connect the device to the power supply. If the device is off, things are much simpler. The phone is off, the examiner should acquire the security codes from the owner if possible, otherwise special forensic software should be used. Then, again, the packaging and the connection to the power supply. Now, remember, since we're talking about devices, this applies both to drones and smartphones. You should always check the integrity of the device. There might be cases where the battery is damaged and you don't want to end up with physical harm, right? Also, since we're talking about interconnected devices, some evidence may be stored in cloud services. Of course the examiner should always document all changes they make to the device so no challenge will be possible.

So let's take a look at the acquisition process. We're gonna see how to acquire a logical image of an Android device. First of all you should connect the phone to a computer and then, using ADB, the Android Debug Bridge, you should list the connected devices as indicated in the first command. Then after this command you will have a device ID like you can see in the screenshot, but it's redacted for privacy reasons of course. So once you have the device list, then you can use the device ID to gain a shell and then you can have a series of Unix-like commands to interact with the device. There are two possible ways to examine specific logs. You can either take a full backup of the device with the command you can see on the screen, otherwise you can go and extract just the logs. Remember, some backup files wouldn't be possible to acquire because there would be encryption. So with standard ADB acquisition you may not be able to acquire this data.

Some of the tools we recommend and have used during our tests: of course the Android Debug Bridge, then we suggest Andriller, a very nice application to examine the backup files and every file you get from the mobile. Then if you want to interact with the applications that are installed, you can use APKtool or dex2jar so you can take a closer look at the code if it's not obfuscated. Then we recommend SQLite browser, since most of the data is stored in SQLite form, so you can get a clear picture of what is stored where.

So without further delay let's go to the log analysis. Ok, now that we have the logs, let's see how we proceed. First we have the dataflash logs. The autopilot automatically creates this file in .bin format when the pilot arms the drone. This means that the drone is ready to fly. This type of log contains all the MAVLink messages that were recorded during the flight. Next we have the telemetry logs. These logs are a real-time replay of the flight with the sensor data live, as if the drone was flying in real time. In this screenshot we are using the Mission Planner application in Windows and we have replayed a log to see what happened. As you can see on the bottom left part of the screenshot, we have information like the altitude, which is approximately 43 meters, and ground speed, which is approximately 3 meters per second. We can also see in the red and yellow line the trajectory of the drone.

Now, where can we find those logs? We can get them from the drone: the dataflash log is saved directly on the SD card or the internal memory of the UAV. So, using the appropriate forensic techniques, we can get the SD card, clone it and then continue with our investigation. If we have a mobile device in our hands, then we can get both logs. Now remember, to download the dataflash logs we can use the existing connection on the ground control or connect through SSH. But this will work only if we have an existing working connection to the drone. The telemetry log is saved in the telemetry folder of the ground control application. In our example we can see that QGroundControl also has some other logs, like the crash logs, missions, parameters, telemetry and video. The crash logs are automatically generated when an error is recorded. In the logs folder we can find the dataflash log; in missions, a mission is automatically stored when we want to replay or reuse it; in parameters we can find the parameters of the drone, which are also included inside the dataflash log; in telemetry, as mentioned before, we can find the telemetry logs; and in video we can find the possible video images that were recorded during the flight.

Now, let's have a look at valuable information that we can extract through the dataflash logs. First of all, the GPS position. Extracting the GPS position, latitude, longitude and altitude, we can have a visualization of the flight path. Now that we have the flight path, we can determine which places were affected by the drone flight. This is an important step because we can also assess the damage and what happened during the flight, if some photos were taken, or we can also get a preview of what the mission of the drone was. Now, one important finding in the investigation is of course the take-off point, because it can place the perpetrator in the area of interest and, with the combination of local sources like cameras and witnesses, we can identify the suspect. Of course, the firmware version provides information about the drone, the battery types and the verification of integrity. One really important thing is that if we can locate the batteries and those batteries have a serial number, this serial number will be recorded in some logs and then we can link those batteries to the drone and the drone to the owner, thus finding the last piece of the puzzle, which is the user of the drone. Now, as mentioned before, the errors are also recorded. Those crash logs can provide the information of the error that led to the drone crash, if one happened. Now the media. Pictures and videos can also help understand what kind of mission it was and also the area that the drone has been operating in.

Here we have some screenshots from the Gryphon tool that we have used to analyze the drone logs. In the first, left picture we can see the firmware verification and some voltage analysis. In the middle picture we can see the flight trajectory with colored flight modes. And in the third, right picture we can see that a battery failure led to the drone crash.

Now, some limitations. There is currently no standardized procedure to conduct UAS forensics. A forensic analysis becomes more complex due to the nature of the UAS, because we have a flying vehicle, a mobile device, and possibly an antenna, which makes the whole procedure much more complicated. Now let's talk about the tools. To analyze the ArduPilot logs we used the Gryphon DFT tool. We also used Mission Planner to visualize the telemetry logs. This works stably on Windows, so we recommend using it on Windows. And we used QGroundControl to connect to the drone with our mobile device. Now some extra tools if you are using commercial drones are the DROP drone parser for DJI logs and FRAP, which also conducts log analysis for the DJI logs. Now, this is the end of our presentation and we will be happy to answer any questions. Thank you very much.
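Walking a dataflash .bin for the GPS positions and take-off point discussed in the talk, as an added example (not the speakers' Gryphon tool and not ArduPilot code). It follows the real record framing (0xA3 0x95 header, self-describing FMT records), but the GPS layout `TimeUS,Status,Lat,Lng,Alt` and the three fixes are constructed and simplified relative to ArduPilot's actual GPS message:

```python
import struct

HEAD = b"\xa3\x95"   # header bytes that precede every dataflash record
FMT_TYPE = 0x80      # type id of FMT, the record that defines every other record's layout
FMT_LEN = 89         # header(2)+type(1)+Type(1)+Length(1)+Name[4]+Format[16]+Columns[64]
# dataflash format characters -> struct codes ('L' is an int32 latitude/longitude * 1e7)
FMT_CODES = {"b": "b", "B": "B", "h": "h", "H": "H", "i": "i", "I": "I", "f": "f",
             "d": "d", "L": "i", "q": "q", "Q": "Q", "M": "B"}

def parse_dataflash(data):
    """Return {record_name: [field dict, ...]} from a raw ArduPilot-style .bin blob."""
    layouts = {FMT_TYPE: (FMT_LEN, "FMT", "<BB4s16s64s", None)}
    records, pos = {}, 0
    while pos + 3 <= len(data):
        if data[pos:pos + 2] != HEAD:          # resync after junk or corruption
            pos += 1
            continue
        mtype = data[pos + 2]
        if mtype not in layouts:               # no FMT seen for this type: skip its header
            pos += 3
            continue
        length, name, sfmt, cols = layouts[mtype]
        body = data[pos + 3:pos + length]
        if len(body) != length - 3:            # truncated final record (e.g. crash mid-write)
            break
        pos += length
        if mtype == FMT_TYPE:                  # learn a new layout from the FMT record
            t, ln, nm, fm, cl = struct.unpack(sfmt, body)
            nm, fm, cl = (x.rstrip(b"\x00").decode() for x in (nm, fm, cl))
            layouts[t] = (ln, nm, "<" + "".join(FMT_CODES[c] for c in fm), cl.split(","))
            continue
        records.setdefault(name, []).append(dict(zip(cols, struct.unpack(sfmt, body))))
    return records

def flight_path(records):
    """(lat, lon, alt) for each GPS record with a 3D lock (Status >= 3), degrees / metres."""
    return [(r["Lat"] / 1e7, r["Lng"] / 1e7, r["Alt"])
            for r in records.get("GPS", []) if r["Status"] >= 3]

def take_off_point(records):
    """First locked fix: where the drone was armed and launched from."""
    path = flight_path(records)
    return path[0] if path else None

def build_sample_log():
    """Constructed demo log, not a real flight: one FMT for a simplified GPS record, then fixes."""
    fmt = HEAD + bytes([FMT_TYPE]) + struct.pack("<BB4s16s64s", 0x81, 24, b"GPS", b"QBLLf",
                                                   b"TimeUS,Status,Lat,Lng,Alt")
    fixes = [(1_000_000, 1, 0, 0, 0.0),                      # no lock yet, position unusable
             (2_000_000, 3, 379_421_000, 236_502_000, 12.5),  # take-off fix (constructed)
             (3_000_000, 3, 379_425_000, 236_510_000, 43.0)]
    return fmt + b"".join(HEAD + b"\x81" + struct.pack("<QBiif", *f) for f in fixes)
```

A real log carries dozens of record types; the same FMT-driven loop decodes all of them once their formats appear, so battery or mode records can be pulled the same way for the serial-number and crash-cause questions raised in the talk.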