Archive for March, 2015

Forensic collection form for UAVs/drones.

March 28, 2015 2 comments

Proper forensic analysis of anything starts with proper forensic collection of whatever it is that needs to be analyzed. UAVs are no different. As noted in an earlier post, there are a lot of components in a UAV system – radio controller, ground station, data/video link, and of course the aircraft itself.

We developed a UAS Acquisition Form to assist law enforcement and other interested parties in the collection process.

Read more…

Categories: UAVs

Cybersecurity and non-military UAVs (aka drones)

Consumer and commercial drones are hot – they are changing the way we farm, they are crashing on the White House lawn, they are leading to $50 million VC investments, and they are firing the imagination of Amazon, Google, and Facebook. And they’re not even legal for most people or companies to operate in the U.S.

They are also vehicles for malware, mischief, and cyber mayhem.

Let’s take a look at the cybersecurity landscape around non-military drones. And remember, a drone is really part of a sUAS – a small unmanned aerial system. (See my earlier post on this topic.)

First off, why might I want to launch a cyber attack against a drone?

  • I could steal the entire aircraft – a DJI Phantom can go for $1,000 on eBay. Or just sell it for parts – a DJI camera and gimbal goes for $650, some cameras used for film making go for $20,000 and a LIDAR sensor can go for $50,000.
  • I could steal the data, possibly without physically touching the aircraft and without the operator’s knowledge. Releasing film of a breaking news event would garner valuable attention while film of a private celebrity wedding would be worth tens of thousands of dollars. Crop data from a research farm would be valuable to competitors while data from a research track would be of great interest to a competing automobile manufacturer or race team. This data could be captured from another operator’s drone with little investment or risk on the part of the thief.
  • I could hijack the aircraft and use it as a weapon or use it in a way that would generate bad publicity for the vendor or operator.
  • I could disable, DDOS, the drone thus affecting the business operating it or the vendor. This could cause short and/or long term financial impact, even going so far as to put a competitor out of business.
  • I could use the drone to inject malware into the ecosystem supporting it.

All of these are potential cyberattacks on someone else’s drone to affect the operator, the vendor, or an unrelated third party. If you use, develop, or support drones, you should consider your flight operations program, your critical assets, the possible effects on your sUAS,  and very quickly start developing your risk management strategy.

There are some simple, classic, steps you can take:

  • Insure your equipment and operations. Hull and liability insurance is available for sUAS.
  • Physically secure your equipment. Someone with physical access can remove or compromise your sUAS.
  • Operate using Visual Line of Sight guidelines. If your sUAS starts going off course, have a response plan in place to track and recover it in a timely manner
  • Stay current on firmware updates. Unfortunately, the security measures implemented by the vendors are minimal or non-existent, but you should still try.
  • Lacking firewalls in the sUAS environment itself, construct firewalls or air gaps around it. Use dedicated hardware to support it rather than using your personal mobile device for flight operations, for example. Be aware of opportunities for an attacker to remotely access it. Do not connect sUAS components to your corporate network.
  • Configure your sUAS to fail safe. Ensure that the return to home feature is engaged and the home point is set for each flight.
  • Choose sUAS solutions with inherent security. One popular vendor uses wifi for the data and control link, exposing their system to a wide variety of attacks. Using something other than wifi or bluetooth for the data link would greatly reduce the attack surface.

There are also some long term solutions, some of which benefit the entire community:

  • Get involved with policy making. The US is on a road towards a very confusing patchwork of regulations at the state and federal level with respect to sUAS operations and cybersecurity in general. Advocate for clear, actionable regulation in both areas.
  • Develop an in house cybersecurity program and ensure that it takes sUAS operations into account.
  • Analyze the security of various sUAS offerings, share your findings, and encourage vendors to build security into their products.

sUAS, aka drones, are here to stay. We need to start securing them now, before they become embedded in our businesses, society, and lives.

Categories: UAVs

Mounting a JFFS2 dd image in Linux

March 16, 2015 3 comments

So there I was, holding a dd image of a JFFS2 filesystem dumped from a drone. Great, good to go! Let’s start our analysis! Not so fast, mounting one of these things is non-trivial. After much trial and error, and some Google-fu, I got the following to work in the SIFT3 forensics VM (Ubuntu).

First, test to see if the image is recognized:

khorog:dot2 kovar$ file root.dd
root.dd: data

Not a recognized filesystem and the most likely issue is big vs little endian. Let’s fix that:

apt-get install mtd-utils
jffs2dump -b -c -r -e dest_file.little src_file.big

Note: The ‘-r’ was critical and none of the Google hits I found on this topic included it. This option “recalc name and data crc on endian conversion”.

Now, check the file again:

khorog:dot2 kovar$ file root-swap.dd
root-swap.dd: Linux jffs2 filesystem data little endian

Then install a lot of kernel modules. (Some of these failed in Ubuntu 14 but the mount worked anyhow.)

modprobe mtdcore
modprobe jffs2
modprobe mtdram
modprobe mtdchar
modprobe mtdblock

Now, mount the image:

dd if=root-swap.dd of=/dev/mtdblock0
mount -t jffs2 /dev/mtdblock0 /mnt/jffs2

Et viola.

Categories: Computer forensics

Drone Forensics – An Overview

March 15, 2015 1 comment

[This is the first in a series of posts about the forensic analysis of drones leading up to presentations at BSides NOLO and SANS DFIR Summit in Austin.]

Drones (properly known as small unmanned aerial systems – sUAS) are all the rage. The market is roughly $600 million this year and is expected to be $5 billion by 2021. Drones will touch many aspects of your life, overtly and behind the scenes. They are already used commercially for mapping, precision agriculture, film making, and damage assessment. Illegal uses range from commercial services in violation of FAA regulations to surveillance and drug smuggling. And the hobby community is booming with drones as one of the hottest Christmas presents of the season.

With all of these drones in the air, the forensic analysis of drones is already important and making headlines. Who didn’t hear about the one that crashed on the White House lawn? The demand for analysis that will stand up in court is present and increasing. Tools will not solve the problem alone – we need forward thinking analysts who can work in a variety of disciplines, write their own tools, and go beyond existing techniques. Why? The key is in the final ‘S’ in uSAS. They are small unmanned aerial systems, these are entire networks with multiple operating systems in flight and spread across miles of terrain.

Let’s take a look at all the components of a popular consumer drone.

Physical components of DJI Phantom 2 Vision+

Physical components of DJI Phantom 2 Vision+

There are seven components in this unmanned aerial system:

  • Aircraft
  • Camera
  • Battery
  • Radio controller
  • Wifi range extender
  • Mobile device
  • Laptop

Each of these components potentially contains evidence relating to the incident you are investigating. The aircraft contains multiple sensors, a flight controller, radio links, a camera, motors, and more. The radio controller is pretty dumb but there are configuration settings stored in it that contribute to understanding the full environment. The laptop was probably used to maintain and configure many of the other components and will likely have artifacts relating to that work, along with the traditional Internet history, email, and messaging that might significant context. Even the battery stores digital artifacts about its history and health.

The analyst needs to physically collect and document all of these components, a potentially daunting process given that the components might be separated by time and distance. The type of motor, the custom labels on the radio controller, and the wear and tear on the propellers all tell their own piece of the story and must be correctly documented and analyzed.

Once the analyst obtains access to the physical components, they need to gain access to a variety of digital containers, and then analyze  digital artifacts that range from firmware to EXIF data in photos to plists, registry settings, and /etc/mount files.

sUAS - digital artifact locations

Here is a breakdown on some of the containers and artifacts associated with each physical component:


  • Two Linux systems
    • OneOpenWRT runningBusybox
      • flight controller, media server
      • Filesystem – squashfs, overlayfs, jffs2
    • One Ambarella A5s IP Camera Reference Platform running Linux
      • camera controller
      • Filesystems – ubifs
  • One micro SD card

Radio controller:

  • OpenWRT Linux system
    • Wifi range extender
    • squashfs, overlayfs, jffs2
  • One USB port to configure the controller


  • Queried via USB port on aircraft when attached to maintenance application on OS X or Windows

Mobile device

  • IOS or OS X
  • Many possible apps, including home-grown

A complete analysis of this system will be non-trivial, and a single tool will not give the analyst access to all the relevant information. There are several different flavors of Linux, at least one mobile operating system and at least one standard operating system. There are at least five different file systems, many of which are not recognized by commercial tools. Some artifacts are only accessible via USB and vendor defined protocols. Others require accessing the sUAS’s network and using ssh to connect to the systems. Some systems are running on flash media and maintain no state information after loss of power.

To further complicate the situation, each vendor will use a different collection of components, and those components will vary within their product line and new vendors will enter the market monthly. The open nature of the mission planning software and the flight controllers encourages customization. New sensors and new uses for drones will push both the application of drones as well as the legal and social borders around them.

The forensic analysis of drones, and the larger cybersecurity landscape around them, will be very complex, very fluid, and very exciting. Stay with us as we explore it in depth.

Categories: Computer forensics, UAVs Tags: , ,