MSc System and Network Engineering
Computer Crime and Forensics
Digital forensics on a DJI Phantom 2 Vision+ UAV
Authors:
Mike [email protected]
Loek [email protected]
Supervisors:
Jaap van [email protected]
Mick [email protected]
Document version 1.1
April 29, 2016
Abstract
In this research we perform a forensic investigation on an Unmanned Aircraft System, specifically the DJI Phantom 2 Vision Plus. In our investigation we focus on retrieving positional data and sequence information from each component of the system in order to reconstruct the flight path of the Unmanned Aerial Vehicle.
Two methods to precisely reconstruct the flight path have been found, one using the Ground Control Station memory running on a mobile device and one using EXIF data of recorded media files. Additionally, we retrieved information related to the home point of the Unmanned Aerial Vehicle and foreign network SSIDs.
Contents
1 Introduction
2 Related work
  2.1 Relevance and challenges
  2.2 Component analysis
3 Flight paths
4 Methodology
  4.1 Equipment
  4.2 Shell access
  4.3 Acquisition
    4.3.1 DJI Vision application
    4.3.2 UAV and range extender
    4.3.3 Camera
  4.4 Counter forensics
5 Results
  5.1 Flight plan data
    5.1.1 Ground Station operation
    5.1.2 Exfiltrating artefacts
  5.2 Recorded media
    5.2.1 Storage
    5.2.2 Geotags
    5.2.3 Time stamps
  5.3 Home point
  5.4 Foreign SSIDs
6 Counter forensics
  6.1 Altering time stamps
  6.2 Blocking GPS signals
7 Analysis
  7.1 Flight plan artefacts
  7.2 EXIF data
  7.3 Network SSIDs
8 Conclusion
9 Future work
A Sample EXIF data
1. Introduction
As the market for consumer and professional grade Unmanned Aerial Vehicles (UAVs) is growing, the frequency at which these devices occupy public airspace will only increase [1, 2]. Unfortunately, existing research also suggests that Unmanned Aerial Vehicle (UAV) technology is being abused [3]. Two notable incidents involving UAVs in recent years include a UAV landing near the German chancellor Merkel [4], and a UAV crashing at the White House grounds [5]. With the number of UAVs increasing, it is a safe assumption that these devices will appear more frequently in courts of law.
Conducting digital forensics on a UAV requires investigating all components related to operating such a device [6]. In general, this set of components is referred to as an Unmanned Aircraft System (UAS) [7]. The UAS typically comprises a UAV, onboard systems (such as a camera), Ground Control Station (GCS), and remote controller.
In this research project we will focus on the acquisition of positional data from the UAS. Our ultimate goal is to combine positional data with sequence information to reconstruct the UAV's flight path. The resulting evidence will help investigators determine whether the UAV could have been involved in an act of interest.
The DJI Phantom 2 Vision Plus serves as our research subject [8]. It is a popular consumer grade model also favoured by commercial operators [9].
Research question. As stated before, the main purpose of this research is to investigate the Phantom 2 Vision Plus UAS for artefacts related to the UAV's location and reconstruct a flight path. Formalised, this produces the following research question: Can the flight path of a UAV be reconstructed using positional data gathered from a UAS?
Ethical considerations. As with any forensic investigation, personal information should be handled with care. Even though a UAS might not contain personal information, the implementation of components, such as a mobile device running GCS software, contains large amounts of personal data.
Document overview. The remainder of this paper is structured as follows. First, we discuss related literature about forensics on UAVs, and about the DJI Phantom 2 Vision Plus specifically, in Section 2. In Section 3 we explain what a flight path is and what information is needed to construct it, followed by our methodology for forensic analysis in Section 4. In this methodology we discuss which components of the UAS we have investigated and how we perform the acquisition of data. After this we present our findings in Section 5 and discuss counter forensic methods in Section 6. In Section 7 we analyse our findings and discuss methods to reconstruct the flight path. Finally, we conclude our research in Section 8 and present some future extensions on our research in Section 9.
2. Related work
While searching for related work it became apparent we were dealing with an emerging technology due to the limited amount of publications. We found a single article on the topic¹ and a single SANS DFIR presentation.
2.1 Relevance and challenges
Earlier in 2016, Horsman identified the need for forensic analysis of UAVs. The research shows that in cases where UAV technology is abused, a forensic analysis of these devices is necessary in order to establish the chain of events [3].
The research also includes an example forensic investigation of a Parrot Bebop UAS. We can utilise this example investigation to identify locations of possible artefacts.
2.2 Component analysis
Presented at the SANS DFIR Summit 2015, the work on UAV forensics by Kovar provides a good general introduction to the topic of performing forensics on a UAS [6]. Moreover, we were inspired by this research and our work extends upon it.
In his research, Kovar identifies that all components necessary for operating the UAV could contain digital evidence. Part (if not all) of Kovar's research was also conducted on a DJI Phantom 2 Vision Plus. Therefore, we can use the listed methods of accessing the UAS components to our advantage. Table 2.1 summarises basic information on the network created by the UAS. Each of these hosts is reachable using ssh by providing the publicly available credentials of the root user [6].
Component        IP address     Platform
Range extender   192.168.1.2    OpenWRT running BusyBox
UAV              192.168.1.1    OpenWRT running BusyBox
UAV camera       192.168.1.10   Ambarella A5s
Table 2.1: UAS network hosts
Additionally, our research will elaborate on two topics which were only briefly touched upon during Kovar's presentation. These include EXIF data in recorded media files and obtaining the UAV's home point. Both can contain important information on the UAS's whereabouts.
¹ Based on multiple Google Scholar and University catalogue searches performed 17-02-2016.
3. Flight paths
To determine if acquired data contains flight path information we must first establish how this data is represented.
During a flight, the UAV moves along coordinates in 3D space. These coordinates are represented as latitude, longitude and altitude [10].
Latitude and longitude. When combined, latitude and longitude point to a position on an ellipsoid model of planet earth. There are multiple formats used to display latitude and longitude, the most common are [11]:
Format                         Example
Decimal degrees                N52.3548 W4.9567
Degrees with decimal minutes   N52°21.288′ W4°57.402′
Degrees minutes seconds        N52°21′17.3″ W4°57′24.1″
Table 3.1: Coordinate representation
Altitude. To fully represent the UAV's position in 3D space also requires information regarding its altitude (or elevation). Altitude information is usually shown as meters or feet above the earth's surface [10].
Sequence. In establishing a flight path, sequence information could be considered essential as it allows identifying initial, intermediate and final coordinates. Acquired data from the UAS should therefore be investigated for either time stamps or IDs related to locations.
4. Methodology
This section elaborates on the equipment utilised in our experiments and introduces the methods used to perform forensic analysis of the UAS.
4.1 Equipment
Our research is performed on a DJI Phantom 2 Vision Plus UAV version 2.0 in default configuration (as sold by retailers). Additionally we used a rooted Motorola G (2nd generation) running Android version 5.0.2 in order to run the DJI Vision application. A virtual machine running Windows 7 32-bit was created in VirtualBox to run the Assistant software.
Before conducting our experiments, all components of the UAS were verified to have the latest versions of available software/firmware installed as shown in Table 4.1.
Package                        Version    Platform
DJI Assistant software         3.8        Windows
DJI Vision application         1.0.61     Android
FC200 camera firmware          1.3.0g     (Unknown) Camera
Flight controller firmware     3.14       (Unknown) UAV
P330CB main board firmware     1.0.2.10   (Unknown) UAV
Table 4.1: Installed UAS firmware/software
4.2 Shell access
The UAS comprises multiple devices requiring different methods of accessing its contents.
Our primary method of interacting with the system is through the wireless networks created by these devices. We obtain privileged shell access using the publicly available root user passwords as described in Section 2.2. Furthermore, we can use the same wireless network for limited interaction with the Flight Controller aboard the UAV by means of the dji-phantom-vision command line utility [12].
To interact with the Android device we installed the Android Debug Bridge (ADB), which is part of the Android SDK, on our forensic workstation.
4.3 Acquisition
In the acquisition phase we focus on obtaining forensic images of file systems and memories of all components in the UAS. To be able to determine which data is modified during a flight, we perform the acquisition in two separate conditions, pre-flight and post-flight.
The following subsections elaborate on the procedure for each component.
4.3.1 DJI Vision application
Due to the fact that the DJI Vision application is installed in the /data partition of the Android OS (which contains many files not related to our research), we decided to monitor file system changes instead of creating a forensic image of the entire partition. We used ADB pull commands to transfer the files to a forensic workstation for further analysis.
To acquire memory dumps of the DJI Vision app, we use the awesomememdumper utility¹. Once installed on the Android device, this utility writes memory contents of a specified process ID to files it creates on the SD card.
4.3.2 UAV and range extender
While logged in on the UAV or range extender OS, we can combine the dd and ssh commands to create and transfer device images as shown in Listing 4.1.
# dd if=/dev/mem | ssh [email protected] "dd of=/home/investigator/evidence/uav_mem.dd"
Listing 4.1: Creating and transferring a memory dump
The only requirement of this approach is that the openssh-server package is installed on the forensic workstation.
4.3.3 Camera
As the camera is running its own OS, we investigate its mounted file system and memory devices. To create and transfer the image we utilise the dd over ssh approach as shown in the previous subsection.
Additionally we acquired recorded media files from the camera's micro SD card. The SD card is inserted into the slot of the camera controller's housing mounted directly below the UAV's shell.
By design, there are multiple ways to retrieve the contents; next to ejecting the SD card and using a suitable reader, the system also offers a micro-USB interface which connects directly to the card. It is also possible for users to synchronise media files to their mobile device through the DJI Vision application.
Our preferred acquisition method was to eject the SD card, insert it into a forensic workstation's card reader and create a forensic image for further analysis.
¹ The awesomememdumper utility was developed by fellow students T. Does, D. Geist and F. Uijtewaal during a previous research project. The source code will be published on GitHub at a later date.
4.4 Counter forensics
In an effort to determine the integrity of acquired evidence, we will also investigate available counter forensic methods and whether these can be detected.
5. Results
Using the methods described in the previous section, we found significant information on multiple components of the UAS. In this section, we introduce and elaborate upon our findings and show how to exfiltrate artefacts from acquired data.
5.1 Flight plan data
We found several artefacts related to the location of the UAV in memory dumps of the DJI Vision application running in Ground Station mode. The following subsections will elaborate on the Ground Station feature and our findings.
5.1.1 Ground Station operation
The system's Ground Station feature enables autonomously flying the UAV along a user-defined flight plan. Users can access Ground Station functionality through the DJI Vision application.
We found that the Ground Station feature is targeted at experienced users and is not enabled by default [13]. Furthermore, certain conditions will have to be met before the system offers full functionality to the user. First and foremost the DJI Vision application requires a connection to a mobile data or WiFi network in order to load a map of the area intended for flying. Additionally, displaying the UAV's current location on the map and creating a flight plan is only available if the UAV obtained a positive Global Positioning System (GPS) lock (receiving 6 or more GPS signals). Once the GPS signal is locked, the system will proceed to establish whether the UAV is located in restricted airspace; in that case the system will prevent creating a flight plan.
When the aforementioned conditions are met, the user can compose a flight plan by plotting waypoints onto the map. Several restrictions apply which are shown in Table 5.1. Properties marked with an asterisk show default values which can be modified by the user.
Property                        Limit
Number of waypoints             16
Flight altitude*                200 m.
Distance from ground station*   500 m.
Total distance                  5000 m.
Table 5.1: Waypoint limitations
When the user has finished plotting the waypoints, the flight plan can be executed. This action can be performed while the UAV is in-flight or on the ground (it will take off automatically). When executing the flight plan, the application sequentially transfers all waypoints to the UAV's flight controller. Subsequently, the UAV will fly to each waypoint.
5.1.2 Exfiltrating artefacts
In our experiment we created a small flight circuit on University premises comprising 3 waypoints as shown in Figure 5.1.
Figure 5.1: Ground Station interface with flight plan
We were able to exfiltrate waypoint information from process memory dumps of the DJI Vision application which were created before and after executing the flight plan. Significant findings include:
1. Coordinates of the most recently added waypoint
2. Coordinates of the UAV’s home point
3. The UAV’s altitude
4. Messages of waypoints being uploaded
All artefacts are stored as plain text in 16-bit character strings. The information can be acquired using the strings utility while specifying UTF-16 little endian encoding.
Please note that in our investigation into other UAS components we did not encounter any flight plan related information.
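The following is an added example, not code from the paper or its authors: it performs the same kind of scan as the strings utility in UTF-16 little endian mode and filters the result for coordinate pairs. The sample dump and the "lat,lon" string layout are constructed assumptions, since the paper does not document the exact layout of the artefacts.

```python
import re

# Constructed sample standing in for a process memory dump. Only the two
# UTF-16LE strings with valid coordinates should be reported.
SAMPLE_DUMP = (
    b"\x7fELF\x01\x02\x03\x00\xff\xfe"
    + "home point 52.354800,4.956700".encode("utf-16-le")
    + b"\x00\x00\x13\x37\xde\xad"
    + b"ascii only 10.000000,20.000000"        # 8-bit text: not UTF-16LE
    + b"\x00\x00\xbe\xef"
    + "waypoint 52.355100,4.957200".encode("utf-16-le")
    + b"\x00\x00\x01"
    + "build 123.456789,4.956700".encode("utf-16-le")  # latitude out of range
    + b"\x00\x00"
)


def utf16le_strings(data, min_len=6):
    """Yield (offset, text) for each run of >= min_len printable ASCII
    characters stored as 16-bit little-endian units (char byte, then 0x00)."""
    run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in run.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")


# Assumption: a coordinate pair is "lat,lon" in decimal degrees with at
# least four decimals. The lookbehind avoids matching inside longer numbers.
COORD_PAIR = re.compile(
    r"(?<![\d.])([+-]?\d{1,3}\.\d{4,})\s*,\s*([+-]?\d{1,3}\.\d{4,})"
)


def find_coordinates(data, min_len=6):
    """Return (offset, string, lat, lon) for every plausible coordinate pair
    found in UTF-16LE strings of the dump."""
    hits = []
    for offset, text in utf16le_strings(data, min_len):
        for m in COORD_PAIR.finditer(text):
            lat, lon = float(m.group(1)), float(m.group(2))
            # Range check discards version numbers and similar look-alikes.
            if -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0:
                hits.append((offset, text, lat, lon))
    return hits


if __name__ == "__main__":
    for offset, text, lat, lon in find_coordinates(SAMPLE_DUMP):
        print(f"0x{offset:08x}  lat={lat:.6f} lon={lon:.6f}  {text!r}")
```

Recording the byte offset of each hit lets an examiner return to the surrounding memory region, which matters because the dump offers no other ordering information.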
5.2 Recorded media
The camera attached to the UAV is capable of recording both images and video (5.2.1). We investigated the files created for significant EXchangeable Image File format (EXIF) data (5.2.2) and time stamps (5.2.3).
5.2.1 Storage
Recorded media files are stored in the /DCIM/100MEDIA folder on a FAT-formatted micro SD card. Formats used for media are jpeg for images and mp4 for video files. The file names consist of a "DJI" prefix followed by a 5 digit serial number which increments each time a new file is created (e.g. DJI00140.JPG).
5.2.2 Geotags
During our investigation of EXIF data, we verified Kovar's finding that recorded images contain GPS attributes [6]. However, we also found these attributes in video files. Given that the UAV is able to obtain a GPS lock, the camera will store latitude and longitude coordinates¹. If the UAV is unable to lock the GPS signal, EXIF data simply does not contain GPS attributes. We did not observe that the camera tags files with "last known" coordinates when a GPS signal is (temporarily) unavailable.
The EXIF data in image files is not stored in plain text. Therefore, we obtained the data using the renowned exiftool utility. In contrast to the image files, and somewhat surprisingly, video files store latitude and longitude in plain text. Hence, this information can be viewed in a regular text editor.
Please see Appendix A for a full listing of EXIF data contained in an image file recorded by the UAV's camera.
Recorded media files did not contain any GPS altitude and/or time information in EXIF data. The latter appears to be a hardware limitation based on the u-blox NEO-6Q specifications [14].
5.2.3 Time stamps
Upon their creation, the camera stores multiple time stamps in image and video files. We distinguish time stamps stored in EXIF data and file access, creation and modification time stamps. The system relies on the Android device to provide a reference time (this is further elaborated upon in 6.1).
¹ Note that video files only contain one set of coordinates, which is captured when recording starts.
5.3 Home point
The UAV obtains a reference to its current position through a u-blox NEO-6Q GPS receiver. The receiver is connected to the DJI Naza-M v2 Flight Controller through the UAV's main board. If there are 6 or more GPS satellites available, and the UAV takes off, the Flight Controller will automatically record its current position as the home point. However, as listed in [13], the system also allows a user to set the home point in the following ways:
• Flicking the S2 switch on the remote control 5 times, instructing the Flight Controller to record the UAV's current position as the home point.
• Enabling the Dynamic Home Point functionality in the DJI Vision application, this will reset the home point to the current position of the mobile device.
The purpose of having the home point recorded is part of a fail-safe mechanism. If this mechanism is triggered (either by the user or by the system itself), the UAV will automatically return to the home point and attempt a landing.
In our experiments we were able to retrieve the home point from the Flight Controller. This was achieved by connecting our forensic workstation to the wireless network created by the UAS and running the dji-phantom-vision utility. The utility is able to reproduce the ser2net packets flowing from the DJI Vision application to the UAV and interpret packets sent from the UAV. Using this method we achieved similar results as stated by Kovar in [6]. The result of interrogating the Flight Controller for telemetry data is shown in Listing 5.1.
** Sent to port 0x0a, seq 51, cmd 0x49, subcmd 0x00,
error 0, payload len 0
...
** Rcv from port 0x0a, seq 51, cmd 0x49, subcmd 0x00,
error 0, payload len 52
...
[0x49]: Seq 51, GPS sats 9, home [+52.257929, +4.774034]
loc[+52.257931, +4.774035], accel xyz [+00, +00, +00],
ag +3.1 meter, compass roll/pitch/heading [180, 180, 021],
batt 11507mV (53%), unknown 6
Listing 5.1: Acquired telemetry
The nature of this data should be considered highly volatile. Moreover, we were only able to acquire the data once the UAV was in-flight and had a positive GPS lock.
Although the data gathered using this method is very useful to the investigation, we consider this method somewhat invasive and borderline offensive as it boils down to putting a tap on wireless network traffic sent within the UAS's private network. Nevertheless, we decided to include it in our work as it might prove useful in certain cases.
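As an added example (not part of the paper and not code from the dji-phantom-vision project), the parser below turns saved telemetry text in the layout of Listing 5.1 into structured records and computes how far the UAV is from its home point. The first sample record is the listing as printed; the second record is constructed, and the field name ag_m simply mirrors the "ag ... meter" label in the output.

```python
import math
import re

# Record 1: Listing 5.1 as printed (wrapped over four lines).
# Record 2: constructed for this example.
SAMPLE_LOG = """\
[0x49]: Seq 51, GPS sats 9, home [+52.257929, +4.774034]
loc[+52.257931, +4.774035], accel xyz [+00, +00, +00],
ag +3.1 meter, compass roll/pitch/heading [180, 180, 021],
batt 11507mV (53%), unknown 6
[0x49]: Seq 52, GPS sats 9, home [+52.257929, +4.774034]
loc[+52.258829, +4.774034], accel xyz [+00, +00, +00],
ag +20.4 meter, compass roll/pitch/heading [180, 180, 021],
batt 11380mV (51%), unknown 6
"""

RECORD = re.compile(
    r"\[0x49\]: Seq (?P<seq>\d+), GPS sats (?P<sats>\d+), "
    r"home ?\[(?P<hlat>[+-]\d+\.\d+), (?P<hlon>[+-]\d+\.\d+)\] ?"
    r"loc ?\[(?P<lat>[+-]\d+\.\d+), (?P<lon>[+-]\d+\.\d+)\]"
    r".*?\bag (?P<ag>[+-]?\d+(?:\.\d+)?) meter"
    r".*?batt (?P<mv>\d+)mV \((?P<pct>\d+)%\)"
)


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))


def parse_telemetry(text):
    """Parse every [0x49] record, tolerating records wrapped across lines."""
    flat = " ".join(text.split())          # undo line wrapping
    records = []
    # Split in front of each record marker so one regex never spans two.
    for chunk in re.split(r"(?=\[0x49\]:)", flat):
        m = RECORD.search(chunk)
        if not m:
            continue
        home = (float(m["hlat"]), float(m["hlon"]))
        loc = (float(m["lat"]), float(m["lon"]))
        sats = int(m["sats"])
        records.append({
            "seq": int(m["seq"]),
            "sats": sats,
            "gps_lock": sats >= 6,         # the paper: lock needs 6 or more
            "home": home,
            "loc": loc,
            "ag_m": float(m["ag"]),
            "batt_mv": int(m["mv"]),
            "batt_pct": int(m["pct"]),
            "home_dist_m": haversine_m(home, loc),
        })
    return records


if __name__ == "__main__":
    for r in parse_telemetry(SAMPLE_LOG):
        print(r["seq"], r["home"], r["loc"], f'{r["home_dist_m"]:.1f} m from home')
```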
5.4 Foreign SSIDs
As introduced in 2.2, the UAS generates a wireless network connecting multiple hosts. On system start-up, the range extender connects to a hidden network (SSID prefixed with "FC200") generated by the wireless network module aboard the UAV. Once the link has been established the range extender serves as the access point to the UAS network with a "Phantom" prefixed SSID.
Since the system is only able to create a network using the aforementioned SSIDs, we expected to only find references to these SSIDs while investigating data acquired from the UAS' components. However, we encountered several foreign SSIDs unrelated to the UAS network in the memory of the UAV's and range extender's OpenWRT instances.
The SSIDs were found to be stored in plain text and can be obtained from memory dumps using the strings utility. Note that the SSIDs are not grouped together and some SSIDs occur more than once. We observed at least 3 foreign network SSIDs in memory dumps created on several occasions.
Unfortunately we were unable to determine if the SSIDs were stored in any particular order or when the networks were available to the wireless modules.
6. Counter forensics
The integrity of evidence described in previous sections should not be taken for granted. In this section we will elaborate on methods of falsifying time stamps and blocking the GPS receiver.
6.1 Altering time stamps
To produce accurate time stamps, the UAV's onboard camera needs a reference time. We observed that when only powering on the UAV and recording images by using the button on the camera itself, image files stored on the SD card would show a creation date of January 1st 2008 and time starting at 00:00. However, when connecting the range extender and Android device to the wireless network, files of recorded images showed a correct timestamp.
Further investigation revealed that it is possible to manipulate the timestamp of recorded media files by altering the system time in the Android OS before powering on the UAV. Afterwards all files created by the camera show the modified timestamp.
Without access to the Android OS running the DJI Vision application or camera logs, it will be impossible to ascertain if time stamps of media files stored on the SD card have been tampered with.
6.2 Blocking GPS signals
As discussed in previous sections, the UAV propagates geographic coordinates from the receiver to the UAV's camera and Flight Controller. It should be considered that a suspect might want to hide this information (e.g. to deny participation in illegal surveillance).
Initially we investigated the possibility to simply disconnect the GPS receiver by unplugging its cable from the UAV's main board. However, this triggers a mechanism which prevents starting the electric motors, effectively preventing the UAV from taking off.
Through further experimentation we observed that it is possible to block GPS signal reception by attaching tin foil to the top of the UAV directly over the GPS receiver. Consequently, with no source available, the camera no longer stores geographic coordinates in EXIF data. Additionally, the Flight Controller no longer records a home point on take-off.
Please note that blocking the GPS receiver also allows users to fly the UAV in restricted airspace.
7. Analysis
Utilising our findings, we can describe two relatively precise methods of recreating a flight path. First, we are able to retrieve flight plan artefacts from the DJI Vision application memory. Second, we can combine GPS locations found in the EXIF data of recorded media. A less precise method is using the SSIDs encountered in the memory of the UAV.
7.1 Flight plan artefacts
To be able to reconstruct the flight path using flight plan artefacts, we only need access to the memory of the DJI Vision application. This implies that the mobile device needs to be investigated with the application still running.
The device running the application can be linked to a specific Phantom UAV, as the network that can be seen on both devices will have the same SSID. Another way of linking the device running the application to the UAV is investigating the MAC address used to bind the two devices, which can be found within the settings of the application.
7.2 EXIF data
Reconstructing the flight path using the EXIF data in recorded media files only requires access to the SD card of the camera. This data is persistent and is possibly still intact even after the UAV has crashed or is taken down.
As described in 5.2.2, when the UAV has a GPS lock, the camera will store latitude and longitude information in the EXIF data of media files. Additionally, these media files are numbered sequentially, which allows the path from one media file to the next to be determined.
The EXIF data also contains the system time. Even if this information has been tampered with (see 6.1), relative time in between media files recorded during the same flight will remain correct, as the time is only set on system start-up.
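The reconstruction described in this subsection can be sketched as follows. This is an added example, not the authors' code: it reads exiftool text output in the layout of Appendix A, orders the files by their DJI serial number, converts the GPS tags to decimal degrees, computes the relative time between consecutive files and flags the 2008 default clock described in 6.1. The DJI00140.JPG record uses the Appendix A values; the other three records are constructed.

```python
import re
from datetime import date, datetime

# Constructed exiftool-style output, deliberately out of order. Files
# without GPS tags represent recordings made without a GPS lock.
SAMPLE_EXIF = """\
File Name                       : DJI00141.JPG
Create Date                     : 2016:03:11 15:58:47
GPS Latitude                    : 52 deg 21' 14.00" N
GPS Longitude                   : 4 deg 57' 22.00" E
File Name                       : DJI00139.JPG
Create Date                     : 2008:01:01 00:00:12
File Name                       : DJI00142.JPG
Create Date                     : 2016:03:11 15:59:05
File Name                       : DJI00140.JPG
Create Date                     : 2016:03:11 15:58:32
GPS Latitude                    : 52 deg 21' 13.00" N
GPS Longitude                   : 4 deg 57' 21.00" E
"""

# Accepts both the ASCII apostrophe and the typographic one for minutes.
DMS = re.compile(r"""(\d+) deg (\d+)['\u2019] ([\d.]+)" ([NSEW])""")
SERIAL = re.compile(r"DJI(\d{5})\.(?:JPG|MP4)", re.I)
DEFAULT_DATE = date(2008, 1, 1)   # camera clock without a reference time (6.1)


def dms_to_decimal(value):
    """Convert an exiftool 'D deg M' S" R' string to signed decimal degrees."""
    m = DMS.fullmatch(value.strip())
    if not m:
        return None
    deg, minutes, seconds, ref = m.groups()
    dec = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return -dec if ref in "SW" else dec


def parse_records(text):
    """Split 'Tag : Value' lines into one dict per file (new file at File Name)."""
    records, current = [], None
    for line in text.splitlines():
        tag, sep, value = line.partition(":")   # values may contain colons
        if not sep:
            continue
        tag, value = tag.strip(), value.strip()
        if tag == "File Name":
            current = {}
            records.append(current)
        if current is not None:
            current[tag] = value
    return records


def reconstruct_path(text):
    """Return the media files in recording order with position and timing."""
    path = []
    for rec in parse_records(text):
        serial = SERIAL.fullmatch(rec["File Name"])
        if not serial:
            continue                            # not a camera-generated name
        raw = rec.get("Create Date")
        created = datetime.strptime(raw, "%Y:%m:%d %H:%M:%S") if raw else None
        path.append({
            "name": rec["File Name"],
            "serial": int(serial.group(1)),
            "created": created,
            "lat": dms_to_decimal(rec.get("GPS Latitude", "")),
            "lon": dms_to_decimal(rec.get("GPS Longitude", "")),
            "default_clock": bool(created) and created.date() == DEFAULT_DATE,
            "dt_prev_s": None,
        })
    path.sort(key=lambda p: p["serial"])        # serial number gives sequence
    for prev, cur in zip(path, path[1:]):
        if prev["created"] and cur["created"]:
            cur["dt_prev_s"] = (cur["created"] - prev["created"]).total_seconds()
    return path


if __name__ == "__main__":
    for p in reconstruct_path(SAMPLE_EXIF):
        print(p["name"], p["lat"], p["lon"], p["dt_prev_s"], p["default_clock"])
```

A large jump in dt_prev_s between consecutive serial numbers, as between the 2008 record and the next one here, suggests a power cycle rather than a continuous flight.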
7.3 Network SSIDs
It will be very hard to reconstruct a precise flight path using the foreign SSIDs found in the memory of the UAV. If, however, the SSIDs can be linked to a geographical location, i.e. the combination of SSIDs is unique to one location or path, then a rough operational area of the UAV can be established.
This approach is the least precise, but only requires access to the memory of the OpenWRT instance of the UAV. This implies that even if the operator has not recorded any media files or created a flight plan, a rough estimation of where the UAV was flown can be reconstructed.
8. Conclusion
When comparing the three methods described in the previous section, obtaining flight plan artefacts will provide the most detailed information. It is, however, also the hardest to retrieve in most cases, as the operator needs to be caught red-handed while the application is still running.
The other two methods require access to the physical UAV. If the UAV is powered on when the investigation starts it is important to first dump the memory of the OpenWRT instance in order to get the SSIDs stored in it. Afterwards the investigator can check whether pictures or videos were created. Using the EXIF data of recorded media files is preferable as it is more precise, but this requires the operator to have taken multiple pictures or videos.
In situations where cold forensic analysis is the only option, the only information that can be retrieved from the UAS is EXIF data in recorded media files.
When investigating a Phantom 2 Vision Plus that is committing an act of interest, the home point of the UAV might reveal the location of the operator. This information can be retrieved in real-time by requesting it from the UAV's Flight Controller.
Summarising our findings, we can conclude that there are multiple methods which can be used to reconstruct a flight path using positional data gathered from a Phantom 2 Vision Plus UAS. Some methods are more precise than others and there are prerequisites to the system's state that will not be met in all cases.
9. Future work
Reflecting on what could have been achieved during our research, a number of subjects come to mind that can be used in future research efforts.
Flight Controller. Due to time constraints we were not able to delve into the operation of the Naza-M v2 Flight Controller. Based on our experiments we expect that this subsystem contains the coordinates of waypoints related to the flight plan created on the mobile device. Therefore, it might be worthwhile to thoroughly investigate this component and determine whether these waypoints can be retrieved somehow. Perhaps using yet undisclosed ser2net commands?
Hardware acquisition. Because we lacked the necessary equipment we were not able to perform chip-off procedures to acquire memory contents of all the components. We do not expect to find more information this way, except for the information that can be retrieved from the Flight Controller. Should it prove possible to acquire significant data directly from the memory chips, then this would allow forensic analysis without having shell (or serial) access to the UAV.
Investigation of newer models. At the time of writing, the DJI Phantom 3 and Phantom 4 UAVs have superseded the model investigated in our research. Using our methods as a basis, it would be interesting to perform a similar forensic analysis on the new models.
DJI Vision on iOS. As the DJI Vision (or the newer DJI GO) application is also available for iOS, it would benefit future investigations to research applications on this platform as well. As more and more features are added to these applications, they should be considered individual research subjects themselves.
Developer SDK. Although several on-line sources hinted towards a manufacturer SDK being available for the UAS researched in this paper, we were unable to locate it. We assume it has been dropped in favour of supporting the newer Phantom 3 and Phantom 4 model ranges. In any case, it might be very beneficial to forensic investigations if an application could be developed using a manufacturer SDK as a basis for acquiring the data.
Bibliography
[1] Robotics Trends. Consumer Drone Market to Reach $4.6 billion in 2025. 2016. url: http://www.roboticstrends.com/article/consumer_drone_market_to_reach_46_in_2025/ (visited on 02/21/2016).
[2] Teal Group. UAV Production Will Total $93 Billion. 2015. url: http://www.tealgroup.com/index.php/about-teal-group-corporation/press-releases/121-uav-production-will-total-93-billion/ (visited on 02/21/2016).
[3] Graeme Horsman. "Unmanned aerial vehicles: A preliminary analysis of forensic challenges". In: Digital Investigation 16 (2016), pp. 1–11. issn: 1742-2876. doi: http://dx.doi.org/10.1016/j.diin.2015.11.002. url: http://www.sciencedirect.com/science/article/pii/S1742287615001097.
[4] TorrentFreak. Pirate Party Crashes Spy Drone in Front of German Chancellor Angela Merkel. 2013. url: https://torrentfreak.com/pirate-party-crashes-spy-drone-in-front-of-german-chancellor-angela-merkel-130917/ (visited on 03/18/2016).
[5] The New York Times. White House Drone Crash Described as a U.S. Workers Drunken Lark. 2015. url: http://www.nytimes.com/2015/01/28/us/white-house-drone.html (visited on 03/18/2016).
[6] David Kovar. UAV (aka drone) Forensics. Slides of a talk given at SANS DFIR summit in Austin, TX July 7 and 8. 2015. url: https://files.sans.org/summit/Digital_Forensics_and_Incident_Response_Summit_2015/PDFs/ForensicAnalysisofsUASakaDronesDavidKovar.pdf.
[7] Reg Austin. Unmanned aircraft systems: UAVS design, development and deployment. Vol. 54. John Wiley & Sons, 2011.
[8] DJI. Phantom 2 Vision+. 2016. url: http://www.dji.com/product/phantom-2-vision-plus (visited on 02/20/2016).
[9] David Kovar. What are the most popular drones for commercial use? 2015. url: https://integriography.wordpress.com/2015/06/30/what-are-the-most-popular-drones-for-commercial-use-lets-ask-the-section-333-data/ (visited on 02/20/2016).
[10] Wikipedia. Geographic coordinate system. url: https://en.wikipedia.org/wiki/Geographic_coordinate_system (visited on 03/28/2016).
[11] Wikipedia. Geographic coordinate conversion. url: https://en.wikipedia.org/wiki/Geographic_coordinate_conversion (visited on 03/28/2016).
[12] noahwilliamsson. Hijacking DJI Phantom 2 Vision and P2V+ (eventually). 2014. url: https://github.com/noahwilliamsson/dji-phantom-vision (visited on 03/01/2016).
[13] DJI. Phantom 2 Vision+ User Manual. 2015. url: http://dl.djicdn.com/downloads/phantom_2_vision_plus/en/Phantom_2_Vision_Plus_User_Manual_v1.8_en.pdf (visited on 02/20/2016).
[14] u-blox. NEO-6 series. 2016. url: https://www.u-blox.com/en/product/neo-6-series (visited on 03/28/2016).
A. Sample EXIF data
The listing below shows EXIF data retrieved by exiftool from an image file recorded by the UAV's onboard camera. Please note that we did not use a write blocker in this case (as is evident by the modified access times).
ExifTool Version Number : 10.13
File Name : DJI00140.JPG
Directory : C:/Evidence/Camera/DCIM/100MEDIA
File Size : 1810 kB
File Modification Date/Time : 2016:03:24 19:40:11+01:00
File Access Date/Time : 2016:03:24 19:40:11+01:00
File Creation Date/Time : 2016:03:24 19:40:11+01:00
File Permissions : rw-rw-rw-
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
Exif Byte Order : Big-endian (Motorola, MM)
Image Description : DCIM\100MEDIA
Make : DJI
Camera Model Name : PHANTOM VISION FC200
Orientation : Horizontal (normal)
X Resolution : 72
Y Resolution : 72
Resolution Unit : inches
Software : Ver.1.0.000
Modify Date : 2016:03:11 15:58:32
Y Cb Cr Positioning : Centered
Exposure Time : 1/1769
F Number : 2.8
Exposure Program : Program AE
ISO : 100
Exif Version : 0221
Date/Time Original : 2016:03:11 15:58:32
Create Date : 2016:03:11 15:58:32
Components Configuration : Y, Cb, Cr, -
Compressed Bits Per Pixel : 1.296502507
Shutter Speed Value : 1/1769
Aperture Value : 2.8
Exposure Compensation : 0
Max Aperture Value : 2.8
Subject Distance : undef
Metering Mode : Center-weighted average
Light Source : Unknown
Flash : No flash function
Focal Length : 5.0 mm
Warning : [minor] Unrecognized MakerNotes
Flashpix Version : 0100
Color Space : sRGB
Exif Image Width : 4384
Exif Image Height : 2466
Interoperability Index : R98 - DCF basic file (sRGB)
Interoperability Version : 0100
Exposure Index : undef
Sensing Method : One-chip color area
File Source : Digital Camera
Scene Type : Directly photographed
Custom Rendered : Normal
Exposure Mode : Auto
White Balance : Auto
Digital Zoom Ratio : 1
Focal Length In 35mm Format : 30 mm
Scene Capture Type : Standard
Gain Control : None
Contrast : Normal
Saturation : Normal
Sharpness : Normal
Device Setting Description : (Binary data 4 bytes, use -b option to extract)
Subject Distance Range : Unknown
GPS Version ID : 2.2.0.0
GPS Latitude Ref : North
GPS Longitude Ref : East
Compression : JPEG (old-style)
Thumbnail Offset : 2048
Thumbnail Length : 5567
Preview Image : (Binary data 94296 bytes, use -b option to extract)
Image Width : 4384
Image Height : 2466
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:2 (2 1)
Aperture : 2.8
GPS Latitude : 52 deg 21' 13.00" N
GPS Longitude : 4 deg 57' 21.00" E
GPS Position : 52 deg 21' 13.00" N, 4 deg 57' 21.00" E
Image Size : 4384x2466
Megapixels : 10.8
Scale Factor To 35 mm Equivalent: 6.0
Shutter Speed : 1/1769
Thumbnail Image : (Binary data 5567 bytes, use -b option to extract)
Circle Of Confusion : 0.005 mm
Field Of View : 61.9 deg
Focal Length : 5.0 mm (35 mm equivalent: 30.0 mm)
Hyperfocal Distance : 1.78 m
Light Value : 13.8