Forensic images help law enforcement catch drone criminals

By Patrick C. Miller | June 19, 2018

As law enforcement agencies learn how to gather evidence from drones used to commit crimes, they’re finding that extracting useful forensic evidence is a challenge.

Drones are being used for such illegal purposes as delivering contraband into prisons and smuggling drugs into the U.S. While data from captured drones can lead to suspects and arrests, the sheer number and variety of drones make data extraction a tricky process.

To assist, the National Institute of Standards and Technology (NIST) has opened a forensic reference dataset dedicated to drones. This provides investigators with the ability to first practice on a drone to determine whether it’s possible to download its data. If not, the next best thing is to download a forensic image of that particular drone type.

The forensic image is a complete data extraction from a digital device. Researchers have retrieved serial numbers, flight paths, launch and landing locations, photos and videos. In one case, they even found a database that stores the user’s credit card information. Investigators can also use the forensic images to practice recovering deleted files.

NIST maintains a repository of images made from personal computers, mobile phones, tablets, hard drives and other storage media. The images in NIST’s Computer Forensic Reference Datasets (CFReDS) contain simulated digital evidence and are available to download for free. The agency recently opened a new section of CFReDS dedicated to drones. It enables forensic experts to find images of 14 popular drone makes and models—a number expected to grow to 30 by December 2018.

“The drone images will allow investigators to do a dry run before working on high-profile cases,” said Barbara Guttman, manager of digital forensic research at NIST. “You don’t want to practice on evidence.”

The images were created by VTO Labs, a Colorado-based digital forensics and cybersecurity firm. NIST added the images to CFReDS because the website is well-known within the digital forensics community. “Listing the drone images there is the fastest way to get them out to experts in the field,” Guttman said.

Work on the drone images began last year in May when VTO Labs received a contract from the Department of Homeland Security’s (DHS) Science and Technology Directorate.

“When we proposed this project, there was little existing research in this space,” said Steve Watson, chief technology officer at VTO. The drone research was needed not only to combat drug smuggling, but also to allow officials to respond more quickly should a drone be used as a weapon inside the U.S.

For each make and model of drone he studied, Watson purchased three and flew them until they accumulated a baseline of data. He then extracted data from one while leaving it intact. He disassembled a second and extracted data from its circuit board and onboard cameras. With the third, he removed all the chips and extracted data from them directly. He also disassembled and extracted data from the pilot controls and other remotely connected devices.

“The forensic images contain all the 1s and 0s we recovered from each model,” Watson said. The images were created using industry standard data formats so that investigators can connect to them using forensic software tools and inspect their contents. The images for each model also come with step-by-step, photo-illustrated teardown instructions.

Universities and forensic labs can use the forensic images for training, proficiency testing and research. Application developers can use the images to test their software. “If you’re writing tools for drone forensics, you need a lot of drones to test them on,” Guttman said.

A description of the drone images and instructions for accessing them are available on the new drones section of the CFReDS website.