In an earlier post I wrote: “I think the search & rescue community should do a lot more work on designing and performing experiments with UAVs. Vendors and sales outlets keep touting their UAVs as being “good for search & rescue” without providing any data to support this claim, and often without really understanding SAR, SAR missions, and the challenges we face. (More on this in my upcoming presentation for NAASIC in Reno in September.)”
This is even more important when we consider what are appropriate missions for UAVs and how to deploy them.
I conducted two very quick experiments to illustrate two of the challenges we face. I intend to develop more formal experiments and welcome others who are interested in assisting with this effort.
I wanted to answer two questions:
- How effective is a UAV when searching an area with trees?
- How effective is a UAV when searching for clues in a soybean field?
Both of these are simple examples of SAR problems you can adapt to your own operational area.
tl;dr – You need to be down very low when searching near trees and finding an unresponsive subject in a soybean field with an optical sensor is very tough.
Searching Near Trees:
If this was your search area, and if you were searching for an uncooperative or unresponsive subject (someone who isn’t going to come investigate the noise of the UAV), how would you plan your mission? How would you execute it? How long would it take? How effective would you be? (This was taken at 200 feet by a Phantom Vision 2+. The subject is currently in the frame.)
Ok, if the subject were standing under a tree in this small area, what would you be able to see? (There are a lot of variables here – height of branches, folliage on or off, distance from subject, subject’s distance from the trunk, …. This is just an example.)
Distance from the UAV to the subject was less than 50 feet in all images.
At the subject’s altitude:
At about a 30 degree angle:
50 degrees. The subject’s legs are barely visible due to the contrast between his blue jeans and the green background. (And, if you were looking at this on a mobile device, what would you really be able to see?)
70 degrees or so. The subject is not visible.
Conclusion – you need to get under the level of the tree branches to search around trees for an unresponsive subject. This will increase your time required to search while diminishing your ability to control the UAV at long ranges.
I live, and search, in Illinois. Lots of corn, lots of soybeans. Searching for anyone in a corn field when the corn is above your head is tough. We’ll come back to that one later. Soybeans get to a few feet tall. Walking through soybean fields is … annoying … but you can certainly see a lot more. If the subject is standing up you can just walk to the edge of the field and say “Hey, there they are!” But, what if they are unresponsive and down?
Again, 50 feet up with a DJI Phantom Vision 2+. The subject dropped their high visibility orange shirt, a clue! We can see it easily on the edge of the field.
But, what if they dropped it in the field? Since you know it is in the frame, and since it is right next to the pilot, you can probably see it. If you were looking at images from 100 acres of soybeans how confident are you that you’d see this clue, particularly on a small screen?
If you are using a normal consumer UAV to search for an unresponsive subject in an area with significant vegetation your probability of detection may be rather low.
Most counter-UAV techniques are illegal or very closely regulated outside of a war zone. The proliferation of consumer and commercial UAVs is prompting people to consider ways to disable them or take them down outside war zones. So far, we have seen shotguns, brooms and even kangaroos. How about some more precise options?
What follows is a thought exercise. Jamming, firing weapons indiscriminately, and even taking down a UAV with a net are all likely to be illegal wherever you might be reading this.
Most UAVs are controlled by a pilot using a radio transmitter or by a ground control system that instructs the UAV to fly to a particular set of waypoints. It is possible to jam the control signal, monitor the data channel, and even hijack the UAV. (A subject for another post.) This activity is certainly illegal.
A simple physical approach:
Acquiring and targeting a small UAV in motion with the Mark 1 human eyeball is tough. Attempting to shoot it down with a normal firearm is harder still. Doing so would violate several fundamentals of firearm safety:
- Always keep the muzzle pointed in a safe direction
- Be sure of your target and what’s beyond it.
If you really want to physically take down a UAV using a projectile weapon, consider using a net gun or a paintball rifle. (More on that later.)
Let us put aside “how to bring down the UAV” for a moment and address UAV detection. There are commercial solutions in this space and interested parties should explore those options for definitive, professional solutions. For the sake of this exercise, lets consider something like the Bluetooth Sniper Rifle.
Many consumer UAVs use 2.4GHz for command & control or data links. Such a “rifle” should detect a UAV using 2.4GHz at long range. Mount such a device on a tripod with a gimbal driven by a system that can point the detector in the direction of maximum signal strength. (Exercise left to the reader, as my professors used to say.) This provides a bearing and elevation from your location to the device you are targeting. You’ll have to spray the air space with rounds as you don’t have range information to provide a precise targeting solution but you could have the paintball gun fire in a pattern to place shots around the target. A few paintballs in the rotors should do the trick.
Now, tie two or more of these targeting systems together and you’ll have bearing, elevation, and range to the target. If you know the ballistics of your paintball rifle, you could probably place some pretty precise shots rather than spraying the air. It has been awhile since I used a paintball rifle but I recall that figuring out the trajectory of a paintball round was quite difficult.
[If anyone wants to try building this, please let me know and I’ll help.]
TrackingPoint – a precision solution:
TrackingPoint has a commercial solution for calculating targeting solutions for rifles, what they call “precision guided firearms”. Their solution uses a human to acquire and mark the target and then fire the round. Once the human marks a target, a computer tied into the rifle calculates the appropriate solution and guides the human to make the precise shot.
So the system takes targeting information in electronic form and uses it to provide a targeting solution. Can’t we take the targeting data from something similar to what we postulated above and use it to guide the human? I imagine so. (I asked TrackingPoint about this possibility and received no response.)
Keep the human on the trigger and use frangible, rubber, or other non-lethal rounds. You may have a long distance, precise, counter-UAV solution.
[This is the first in a series of posts about the forensic analysis of drones leading up to presentations at BSides NOLO and SANS DFIR Summit in Austin.]
Drones (properly known as small unmanned aerial systems – sUAS) are all the rage. The market is roughly $600 million this year and is expected to be $5 billion by 2021. Drones will touch many aspects of your life, overtly and behind the scenes. They are already used commercially for mapping, precision agriculture, film making, and damage assessment. Illegal uses range from commercial services in violation of FAA regulations to surveillance and drug smuggling. And the hobby community is booming with drones as one of the hottest Christmas presents of the season.
With all of these drones in the air, the forensic analysis of drones is already important and making headlines. Who didn’t hear about the one that crashed on the White House lawn? The demand for analysis that will stand up in court is present and increasing. Tools will not solve the problem alone – we need forward thinking analysts who can work in a variety of disciplines, write their own tools, and go beyond existing techniques. Why? The key is in the final ‘S’ in uSAS. They are small unmanned aerial systems, these are entire networks with multiple operating systems in flight and spread across miles of terrain.
Let’s take a look at all the components of a popular consumer drone.
There are seven components in this unmanned aerial system:
- Radio controller
- Wifi range extender
- Mobile device
Each of these components potentially contains evidence relating to the incident you are investigating. The aircraft contains multiple sensors, a flight controller, radio links, a camera, motors, and more. The radio controller is pretty dumb but there are configuration settings stored in it that contribute to understanding the full environment. The laptop was probably used to maintain and configure many of the other components and will likely have artifacts relating to that work, along with the traditional Internet history, email, and messaging that might significant context. Even the battery stores digital artifacts about its history and health.
The analyst needs to physically collect and document all of these components, a potentially daunting process given that the components might be separated by time and distance. The type of motor, the custom labels on the radio controller, and the wear and tear on the propellers all tell their own piece of the story and must be correctly documented and analyzed.
Once the analyst obtains access to the physical components, they need to gain access to a variety of digital containers, and then analyze digital artifacts that range from firmware to EXIF data in photos to plists, registry settings, and /etc/mount files.
Here is a breakdown on some of the containers and artifacts associated with each physical component:
- Two Linux systems
- OneOpenWRT runningBusybox
- flight controller, media server
- Filesystem – squashfs, overlayfs, jffs2
- One Ambarella A5s IP Camera Reference Platform running Linux
- camera controller
- Filesystems – ubifs
- OneOpenWRT runningBusybox
- One micro SD card
- OpenWRT Linux system
- Wifi range extender
- squashfs, overlayfs, jffs2
- One USB port to configure the controller
- Queried via USB port on aircraft when attached to maintenance application on OS X or Windows
- IOS or OS X
- Many possible apps, including home-grown
A complete analysis of this system will be non-trivial, and a single tool will not give the analyst access to all the relevant information. There are several different flavors of Linux, at least one mobile operating system and at least one standard operating system. There are at least five different file systems, many of which are not recognized by commercial tools. Some artifacts are only accessible via USB and vendor defined protocols. Others require accessing the sUAS’s network and using ssh to connect to the systems. Some systems are running on flash media and maintain no state information after loss of power.
To further complicate the situation, each vendor will use a different collection of components, and those components will vary within their product line and new vendors will enter the market monthly. The open nature of the mission planning software and the flight controllers encourages customization. New sensors and new uses for drones will push both the application of drones as well as the legal and social borders around them.
The forensic analysis of drones, and the larger cybersecurity landscape around them, will be very complex, very fluid, and very exciting. Stay with us as we explore it in depth.