The UAV industry has been in popular demand for the past few years with the market expected to reach 60 billion by 2025 and the anticipated demand for UAV and drone-based applications across disparate job sectors to reach 100 billion in the future. Unfortunately, the rising demand for drone-based systems has been correlated with the rise of UAV-based illegal activities.

In recent years, the amount of illegal activities associated with UAV activity officially declared by the FAA (Federal Aviation Association) has been on the rise. Although previous research has been conducted on DJI drones in the past including the DJI Phantom series and the Spark series, recent research on DJI drones with a smaller form factor such as the DJI Mini 2 has been scarce.

Moreover, when drone-related crimes are committed investigators must follow a digital forensics process in order to garner relevant information about the crime committed and the actor that participated in it. However, the amount of open-source digital forensics tools specifically geared toward DJI drones is extremely limited and hard to find. Some online tools do exist, but they either come with an associated fee with the software, are unintuitive to use, do not contain a robust set of features, or do not contain a clear documentation outline with clear instructions on how the tool can be used to conduct relevant drone forensics research.

UAV and Drones

UAVs (Unmanned Aerial Vehicles) are a category of aircraft that can be controlled without any human pilots on board. The most ubiquitous UAV aircraft type are drones which are typically remotely piloted by a human operator or autonomously controlled by pre-programmed instructions. UAVs can come in a wide variety of form factors ranging from small consumer drones for recreational purposes to larger, more advanced implementations for commercial or military applications. They are used in a wide range of sectors for applications such as videography, monitoring, delivery, research, and disaster response due to their versatility and cost-effectiveness.

The drone brand I chose to conduct digital forensics research with is DJI. DJI is one of the leading global drone manufacturers, holding a significant market share in the UAV industry. The company was founded in China in 2006 and is recognized for its innovation, high-quality products, and advanced developments in the drone industry. Compared to other drone brands available on the market, the DJI brand provides the following advantages:

• Product Diversity and Capability: a varied drone collection with a wide range of capabilities including obstacle avoidance and intelligent flight modes

• Build Quality: DJI conducts rigorous testing and auditing on all of its products securing its reputation for delivering high-quality products

• Flight Performance: DJI drones are also well known for their flight capabilities including their upper-notch wind resistance, maneuverability, flight time, and range compared to other leading drone manufacturers

• Footage Quality: most drones created by DJI also have high-quality cameras including adjustable settings and features like stabilization

• User Experience: DJI’s software is also pristine including an intuitive user interface and dedicated programs for flight missions, camera control, and post-processing flight logs that is compatible cross-platform with a wide range of devices

• Product Value: DJI also provides drones at every price point ranging from affordable hobbyist drones to high-end professional drones with robust capabilities

Cybersecurity Threats within UAV Systems

As UAVs continue to rise in popularity and are adopted for more commercial or commercial applications, the risk of exploitation of those systems by malicious actors rises as well. With the emergence of new technologies in the field such as more autonomous flight features and the integration of artificial systems astray from human input, UAVs are ever more vulnerable to a slew of cyber attacks such as interception, spoofing, and hijacking.

The core factors contributing to the growing cyber vulnerabilities of UAVs include the integration of more advanced technologies within drone programs that bad actors can possibly exploit, their accessibility and relatively low cost compared to other systems and aircraft, lack of resources/education about the security design flaws of drones, and inadequate security measures to ensure the integrity of imperative security features like encryption. The repercussions of drone-based cyber attacks have severe implications as consequences can result in data theft, physical damage to property, and disruption of events and services. Additionally, bad actors can use drones to infiltrate sensitive data sets, interfere with vital communications systems, and cause massive property damage if the drone is equipped with hazardous materials like explosives or weapons.

Previous UAV Investigations

It may surprise you to hear that drones are used to conduct a wide range of crimes on a daily basis. However, criminals will utilize a wide set of tools to conduct criminal activity, and it is useful to look into real-world examples of crimes committed using UAVs to realize the extent criminals would use advanced technology to orchestrate their devious acts. Here are a few examples of real-life scenarios where a drone was used to commit unlawful activities:

• Drug Delivery to a Prison in Ohio
  In 2015, a drone was used by prison inmates to drop off a package containing drugs into a prison yard. The inmates strapped 7 grams of heroin, 57 grams of marijuana, and 142 grams of tobacco onto the drone and flew it into the Mansfield Correctional Institution in Ohio. Once the package was dropped off by the drone, a fight broke out amongst the prison inmates which required intervention action by the correctional officers to be conducted against 200 inmates in the prison.

• Spying and Voyeurism
  In early 2017, a drone was caught snooping into the homes of a town in Utah. The drone was noticed by John Henson recording sensitive footage of his home and was later reported to police officials who were able to examine the footage captured by the camera of the drone. The footage was, unsurprisingly, very disturbing, containing media collected by peeping through the windows of several different houses. Luckily, police officials were able to track down the criminals who were flying the drone by tracking down a revealed license plate number that was recorded when the owner filmed himself in front of his truck with the license plate details in full view.

Massacres during Warfare
When the Islamic State militant group’s (ISIS) Mosul bastion was defeated in 2017, Iraqi forces found scores of drone factories containing inexpensive, portable drones developed by ISIS to terrorize dozens of their enemies. ISIS manufactured two kinds of drones: one dropped a small explosive when it reached close proximity to its target and the other contained a camera alongside on-board explosions to take footage of the chaos that unfolded in the battlefields of Iraq and Syria. Subsequently, the tactile usage of drones to conduct militia damage was adopted by other groups such as Ahrar al-Sham and Jund al-Aqsa.

Digital Forensics

Digital forensics is a subfield within cybersecurity focused on the assessment and analysis of digital evidence in response to cybercrime scenes. The field involves the application of a wide variety of forensics techniques and tools to uncover and analyze digital artifacts derived from computers, networks, and in this case, drones. The typical phases of digital forensics scenarios include:

1. First Response: the set of actions conducted directly after the incident is referred to as the first response. What occurs during this phase is highly dependent on the crime scenario at hand
2. Search and Seizure: during this phase, investigators search for the devices affiliated with the crime scene in order to seize meaningful digital evidence
3. Evidence Collection: after the search and seizure step, the investigators sift through the available data on the confiscated devices using pre-established evidence-handling methodologies
4. Securing Evidence: during this step, investigators vet and consolidate the data they are able to acquire and place the data into a secure location
5. Data Acquisition: data acquisition is a term that describes the process of extracting Electronically Stored Information (ESI) from the available digital assets. This process helps investigators gain further insights into the crime without sacrificing the integrity of the evidence
6. Data Analysis: during the data analysis process, credible investigators scan and select the evidence that is going to be presented in court. This phase encompasses the processes of examining, identifying, separating, and converting data into insightful information
7. Evidence Investigation: this phase describes the processes of connecting the gathered evidence with the security incident
8. Documentation and Reporting: this phase is a post-investigation step taken to document and report all the relevant findings for the incident containing adequate evidence to be presentable in court
9. Testification as a Credible Witness: the final step of the sequence includes the investigators consulting another reliable witness to affirm the accuracy of the evidence collected. The witness is typically a professional who also investigates the crime in conjunction with the team to support the integrity of the data collection

Digital forensics and the techniques within it are often employed during drone crime analyses to investigate digital evidence related to the UAV associated with the crime. This encompasses a wide range of strategies all geared to interpret the data gathered from the drone for investigative purposes.

DJI Digital Forensics

During and after each flight, DJI drones log and tabulate a sequence of data using a combination of DUML, DAT, UART, TXT, GPX, and KML files. This information is vulnerable to extraction to retrieve meaningful information about the flight including an assortment of telemetry details such as GPS coordinates and altitude which can be utilized to perform reconnaissance. This can be used for a variety of meaningful use cases, the most prevalent being digital forensics investigations. By extracting the data stored within these file formats, researchers and crime investigators can track down details about the crime in order to analyze the background of the crime and reveal information about the bad actor. The process outline and relevant drone forensics techniques specific to the DJI drone series are outlined below:

Drone Forensics Sequence:

Compromise -> Data Extraction -> Enumeration -> Faceting -> Deciphering + Organization -> Data Analysis

Data Extraction

SD Card Data

Each DJI drone has an SD card input for a microSD card to store relevant flight information and media assets such as photos or any video image captured by the drone during flight.

Some of the data that can be extracted from the SD card data output include media files for both the drone’s image assets and videos and encrypted logs containing data monitored by the aircraft.

App-related Data

The DJI Go Fly apps can be used for a wide variety of digital forensics scenarios as it stores a lot of information about the relevant DJI aircraft and flights it has embarked upon. The data files stored by the DJI can be accessed by locating the /DJI/dji.go.v4/ file path for Android phones or by following the process below for iPhones:

Plug in your iPhone into a laptop using a USB-C to lightning cable -> open Finder -> click on the iPhone drive that is shown -> click the Files tab -> locate the DJI Fly app drop down -> expand the dropdown to reveal the files stored by the app

While the exact directory and files may vary across different drones and versions of the mobile application, here are the most common and useful available directories that can be extracted from the app:

• Flight Records (/DJI/dji.pilot/FlightRecord/): This directory contains flight records and logs with data such as flight paths, telemetry, and statistics
• Media Library (/DJI/dji.pilot/MediaCache/): Stores media files captured by the phone including photos and videos.
• Firmware Updates (/DJI/dji.pilot/Upgrade/): This folder contains recent firmware updates the DJI drone has had. When the DJi Fly app is connected to the internet, the app consistently checks for firmware updates and uploads them to the drone, and logs the updates to the files listed under this directory
• Flight Routes (/DJI/dji.pilot/Cache/): This folder contains the cache of flight routes, waypoints, and missions (flight planning feature within the app) created using the DJI Fly app.
• Map Tiles (/DJI/dji.pilot/MapCache/): This directory includes the stored map file information that is typically used when the app is in offline mode.
• User Configuration (/DJI/dji.pilot/Config/): Stores user-specific preferences such as hardware configuration settings and other personalizable settings within the app.
• App Reports (/DJI/dji.pilot/CrashLog/): Contains logs and crash reports generated by the mobile app.
• Application Updates (/DJI/dji.pilot/AppUpgrade/): Includes app update files installed from the DJI servers whenever a new version of the app is available online.

Physical Examination

Physical interrogation of drones during forensics events is crucial for a variety of reasons including data extraction, tampering detection, hardware analysis, identification, and data integrity. The process allows investigators to consolidate physical evidence while also verifying the authenticity of the drone. Physical acquisition of the drone could entail any of the following procedures to extract more information relevant to the crime:

• Removal and inspection of drone components (ie. props, chassis, propellers, etc)

• Extraction of external payloads (ie. added components like cameras)

• Photographing the drone’s airframe

• Inspection of the drone’s internal memory (ie. using a UFED Device Adapter and software for internal memory extraction)

Physical examination can also take place with the drone’s peripheral devices such as the flight controller, the mobile device running the DJI Fly App, sensors, recorders, etc. In these cases, more investigation can be conducted to possibly extract relevant data to be used in support of the case.

Overall, a physical examination of the drone should be used in conjunction with relevant digital data to create a sound outline of the processes and background behind the crime at hand.

Physical evidence such as wear and tear on the drone props can signal relevant slight information such as possible collisions, intrusions, or crashes the drone may have experienced en route which could be used as further evidence for digital forensics cases.

Make and Model of Drone

Identification of the make and model details for the particular DJI drone can be useful for possibly revealing information about the criminal who owned the drone and obtaining general background information of the specific drone model. In the US, the FAA (Federal Aviation Association) will issue a unique registration number beginning with either an ’N’ or ‘FA’. All registered drones must have a registration number sticker attached to the airframe in a configuration that is readily visible. The presence or lack of identification of a drone can signal information about the drone owner’s status. For example, a drone operator who states they own a registered UAV, but contains no visible indication of a registered drone number can signal an unauthorized drone operation scenario. If an aircraft is registered, information about the make and model can be discovered by searching for the N identification number on the FAA’s website at faa.gov.

Obtaining access to the make and model details of the drone reveals the following:

• Data stored within the UAV
• How the data is stored
• File format of the data files
• Intended use as specified by the manufacturer

After the investigator obtains this information, they can find more details about the aircraft by checking the manufacturer’s website and looking at the specific documentation surrounding the UAV such as equipment manufacturer design, components, storage capacity, etc.

DJI File Formats

DUML: a proprietary protocol used by DJI drones for serial communication. Every .DUML packet is sent using the identifier byte value of 0x55 in hexadecimal which is used to perform a variety of tasks with the drone such as initiating firmware updates and video transmission. Forensics of the DUML format is quite difficult due to the discrete nature of the protocol and the lack of documentation. The process involves byte analysis and low-level reverse engineering of the firmware to uncover.

DAT: a DAT file stands for a data file that stores information about the program used to create it. In the context of DJI files, the DJI DAT files store relevant flight data logs including the drone’s telemetry details such as GPS coordinates, sensor readings, etc.

The DAT files for DJI Drones can be extracted from the DJI app using the following method:

On Android, these will be under /DJI/dji.go.v4/FlightRecord/MCDatFlightRecords

For iOS, plug your iPhone or iPad into a laptop via a USB-C to lightning cable, then go to Finder -> iPhone -> Files -> DJI Go Fly -> FlightRecords -> MCDatFlightRecords. You should be able to save and view these files by moving them to your Desktop or your preferred path location.

KML: a KML (Keyhole Markup Language) is a file format that is meant to store information about geographical markers and data points which is typically used within mapping applications. In the case of DJI drones, the applications that run the drone such as the DJI Go, DJI Go, or DJI Fly allow users to export each of their flights using the KML format. The format is also commonly used within DJI’s flight planning applications where users can export their flight plan via the KML file format. The exported KML files contain geographical data about the drone’s waypoints, flight paths, and mission parameters for the specific flight.

EXIF: the EXIF (Exchangeable Image File Format) is a file format used to store metadata about images. EXIF metadata within DJI drone photos can provide useful data for forensics such as the drone’s GPS coordinates at the time the photo was taken, the camera serial number, and relevant file formats.

XMP: similar to the EXIF format, the XMP (Extensible Metadata Platform) is a file format also used to store and manage metadata about an image, although it can be used for a wide variety of file formats including documents, images, videos, and audio files. Unlike EXIF which is only specific to images, XMP serves as a more general-purpose metadata format. The XMP file format can be applied to drone media assets such as photos and video captures in order to extract meaningful data such as flight orientation, model, and location details.

TXT: the text file format (TXT) is a very common and popular format that can be used for a wide variety of purposes. In the case of DJI, flight logs are encrypted and stored within text files. This encrypted flight log stored within a text file contains a wide range of data about the drone’s flight such as the flight path and the orientation of the gimbal. Decoders and parsers for these encrypted text file formats are available such as the Phantom Decoder. Sometimes the file format presents itself as a .LOG file, but the functionality is still the same: both formats contain information about each flight the drone embarks on.

CSV: the CSV (comma-separated values) file format is used to store data for applications that require data exportation and analysis. The DJI Go Fly apps provide a feature that allows users to export their flight logs and telemetry data using the CSV file format.

DNG: the DNG (Digital Negative) file format is a non-proprietary file format designed to store raw image data from digital cameras in a standard format. DJI drones are capable of taking raw photos (meaning the photo is produced using all the raw data from the camera’s sensor) making it minimally processed and ideal for editing applications like Photoshop.

SRT: SRT (SubRip Subtitle) files are subtitle files that contain timing and text information about the videos captured by the DJI drone. The SRT files can be decoded to retrieve data such as speed, ISO, shutter, EV, and barometer measurements, amongst other fields.

GPX: GPX (GPS Exchange Format) files are used to store and exchange GPS (Global Positioning System) data. DJI drones use this file format to include geo-markers indicating the drone’s assumed geocoordinates and speed at a specific moment during its flight.

PCAP (Network Analysis): PCAP (Packet Capture) files are used to store individual data packets transmitted over a network. In the content of DJI drone forensics, PCAP files can reverse engineered to decode communication.

Applications for each Data Format

Photo and Video Analysis:

Analysis of DJI drone video like photo captures and videos help digital forensics investigators perform a wide range of reconnaissance techniques to collect evidence of the crime being researched such as compromising flight footage for evidence collection, identifying other personnel involved in the crime, geolocation, and situational awareness of the environment where the crime took place. For media analysis, forensically analyzing the SRT, DNG, XMP, and EXIF file formats extracted from the drone’s digital assets would reap the best results. From those file formats, investigators can retrieve the drone’s geographic locations it has visited, relevant time stamps, the orientation of the aircraft, and past telemetry the aircraft has assumed throughout its previous flights.

GPS Mapping and Location Dissection:

GPS and location history information about a DJI drone is useful because it allows investigators to analyze the flight path the drone has traveled in order to gauge the relative location of the crime, keep track of any violations or airspace intrusions, and find geolocation in conjunction with the time stamps. For this use case, the file formats of CSV, TXT, EXIF, DAT, and KML are the most useful as they all contain data associated with each flight the aircraft takes and the flight plans related to each of those missions.

Firmware Investigation and Reverse Engineering:

Firmware investigations and reverse engineering tactics are both useful for drone forensics because they provide modes of malicious modification detection, vulnerability analysis, and security auditing. Inspection of binary files adhering to the proprietary DJI DUML file format is the most accessible way to conduct reverse engineering techniques such as bit comparison on DJI drones.

Telemetry and Flight Path Investigation:

Flight path and inspecting the data collected by a drone during its operation aids the digital forensics process by allowing investigators to conduct incident analysis, investigations on mid-air damage and collisions, and evidence corroboration. A wide range of file formats can be used to gather the necessary data for flight path investigation including the DAT, KML, CSV, KML, and TXT formats.

DJI Drone Model Specifications

Considering the DJI drone model specifications for the DJI drone being investigated is crucial in the digital forensics process as the specifications directly impact the outcomes of those investigative strategies. Each DJI drone model has its own characteristics and capabilities including firmware details, hardware specifications, storage formats, communication protocols, and aircraft limitations. These specifications are important for investigators to consider because they influence the type and format of the digital data that can be extracted from the device and the tools required for the analysis of the digital evidence. In short, it is imperative to consider the specifications of the drone being investigated during drone digital forensics scenarios as establishes a baseline for identifying anomalies in the aircraft and aids examiners to determine the appropriate tools to extract relevant information from the drone.

Sequence of Forensics Analysis

During real-life crime scenarios, digital forensics and analysis are utilized to obtain more information about the crime by sifting through the available data on compromised devices. In the case of drone-based digital forensics scenarios, the challenge arises when the investigator is attempting to facet through the information they are able to obtain access to, as most of the data extracted is hidden discreetly within unfamiliar file formats, requires in-depth knowledge about how drone file systems work, and requires a hefty amount of time to extract any useful data. This fact coupled with the lack of research on the information that can be extracted from DJI drones, more specifically the DJI Mini 2, makes it a valuable starting point for further research and development.

The research and development conducted will utilize the DJI Mini in conjunction with the DJI Go Fly App. The forensics data will be extracted from personal flight data stored within the DJI Go Fly app. Alongside the data used from the Mini 2, I will also conduct research on other file formats included within other DJI-based drones such as DUML to make the implementation more robust and inclusive.

In addition to data analysis of logged flight files which are accessed via the DJI Go Fly app, other avenues of data inspection include physical hardware / condition analysis, data inspection on the SD card of the drone, local app data inspection, and firmware update information on the drone. A conjunction of all this information will help investigators narrow down the crime scenario.

Existing Open-Source Programs for Digital Forensics

DROP Parser
The DROP parser (DROne Parser) is an open-source forensics utility to extract data out of .DAT flight log files generated by DJI drones written in Python. The tool is able to decode and parse the content stored within the DAT files and even output the data within a CSV file format.

DatCon
DatCon is a free offline app that provides a platform to analyze log files produced by various DJI drones such as the Phantom 3, Phantom 4, Phantom 4 Pro, Inspire 1, Spark, and Mavic Pro along with the DAT files stored within the DJI Fly app. The data extracted from the DAT file can then be processed into more conventional file formats such as CSV containing relevant information about the aircraft.

Cellebrite
Cellebrite is a well-known organization providing digital intelligence solutions. The company also contains a data extraction and analysis tool to retrieve forensics information from the DJI Inspire 2, Phantom 3, Phantom 4, and Mavic alongside the DJI apps.

Autopsy
Autopsy is a DJI drone analyzer module that can process DAT files using DatCon, visualize geolocation data within the KML format, and analyze files obtained from the DJI Phantom 3, Phantom 4, Phantom 4 Pro, Inspire 1, Inspire 2, Mavic Pro, and Mavic Air.

CSV Viewer
Although this is not specific to DJI drone digital forensics, the CSV Viewer tool is a publicly available website that provides a platform to visualize CSV files. This website is really useful for analyzing the various CSV files generated by DJI drones.

ExifTool
ExifTool is a robust application for extracting image metadata in the EXIF file format. In the context of digital forensics, the tool can be used to reveal pertinent information about photos captured by the drone’s camera.

Airdata
Airdata is a full-fledged suite of tooling that extracts meaningful flight information from DJI drones in order to provide comprehensive reports outlining flight missions the drone has previously embarked on.

DUMLRacer
DUMLRacer is an open-source script written with Java in order to achieve a root exploit for DJI drones by exploiting DJI’s proprietary language called DUML.

Magnet Acquire
Magnet Acquire is a software platform that allows drone digital forensics investigators to quickly extract images from the DJI Fly apps on either iOS or Android devices.

XMetaParser
The XMetaParser is an open-source tool made using JavaScript that parses XMP metadata from DJI drone footage.

Phantom Decoder
Phantom Decoder is a Python-based open-source program that converts TXT flight log files generated by the DJI Go Fly app into a more useful CSV file configuration.

DroneObjectMapping
This Python script performs object detection on DJI drone footage and images to detect noticeable objects within assets collected by the drone and visualize those objects in a canvas output.

DJIParseText
DJI Parse Text is a small C++ program that parses the TXT file outputs generated by version 4 of the DJI Go Fly app.

Raw Batch Processing
This tool allows an investigator to batch process (process multiple files simultaneously rather than one at a time) raw image files (DNG) captured by a DJI drone to generate enhanced JPG images through gamma-correction and histogram equalization.

DJI SRT Parser
The DJI SRT parser is a tool written with JavaScript that interprets data sourced from SRT metadata files from the DJI Mavic Pro, Mavic 2 Zoom/Pro, Mavic 3, Mavic Mini, Mini 2, Mini SE, Air 2, Air 2s, DJI FPV, Phantom Pro, and Inspire series.

GRYPHON
Gryphon is a tool aimed to extract critical events that occurred during the flight of a UAV by analyzing its data flash and telemetry logs. The tool includes a six-step procedure for integrity verification: trajectory, execution, and error analysis to reach low-level hardware logs and then a concluding timeline analysis.

Outlined Crime Scenarios

Drones have been used to commit a variety of crimes in the past. Although drone-based activities to conduct malicious activities are ample and broad by nature, they can usually be categorized by the following set of scenarios:

Unauthorized Surveillance

This occurs when a criminal uses a drone with an equipped camera in order to conduct illicit surveillance activities such as spying on others, private property, or unauthorized locations. In these cases, digital forensics techniques such as analyzing the drone’s internal storage and flight logs can be employed to identify evidence of the criminal behavior by providing proof of where the drone was situated during the flight such as GPS data from the flight logs or an estimated location using footage.

Drug / Illegal Trafficking

Drug and illegal trafficking is when a criminal uses a drone to transport illegal substances such as drugs and other prohibited materials. This type of behavior exploits a drone’s ability for covert transportation and delivery in order to fly illegal substances over borders or to other locations within a local area. In this case, forensics data like logs obtained from the DJI Fly app can be used to identify suspicious flight patterns, flight paths, and landing points which provides useful information about the transportation of those substances.

Contraband Smuggling

Drones are also used to obtain and transport contraband items like weapons, illicit goods, and other prohibited goods. This type of illegal behavior can be detected by analyzing the drone’s flight path using the logs extracted to reveal suspicious routes and/or waypoints which may indicate smuggling.

Airspace Intrusion

DJI drone behavior also includes entry into prohibited airspaces which could compromise public safety, endanger the flight paths of other commercial aircraft, or disrupt air traffic. This type of crime can be detected by tracking down the locations the drone has accessed using either assets, GPS data, or flight logs.

Cyber-Attacks

Drone-based cyber attacks include interfering with wireless communications, launching network attacks, or spreading malware or other malicious data within a target area. This type of attack can be tracked down by investigating the drone’s firmware, software, and communication logs to identify malicious configurations and unauthorized network communications.

Privacy Violations

Criminals also use drones to disseminate private information to the public. This information could include photos of unauthorized locations of videos of sensitive subjects such as other people or private events. Acts of privacy violations with drones can be recognized during the forensics process by sifting through the compromised drone’s media files, flight logs, and communication logs.

Industrial Espionage

Industrial espionage occurs when a bad actor uses a drone to obtain confidential information about a private organization or targeted company in order to gain a competitive advantage. Forensics techniques such as the investigation of the drone’s videos, flight logs, and communication records can be used in cases like these to prove the unauthorized capture of confidential information.

Unauthorized Recording

Unauthorized recording of events occurs when a drone is used to record and distribute information about confidential events like concerts, popular sporting events, and private gatherings in a way that infringes copyright or privacy laws. In this case, digital forensics can be employed to uncover the drone’s media files, relevant timestamps, and/or flight logs to identify instances of copyright infringement or privacy violations.

Challenges in Drone Forensics

Although digital forensics has become an integral part of cybercrime investigations in recent years, there have been instances where the digital evidence extracted from those crime scenes has either been modified or deleted hindering the progress of examiners and investigators. These covert and malicious tactics are referred to as Anti-Forensics Techniques. There a number of different ways Anti-Forensics can be employed within a crime scene. Some modes of Anti-Forensics include the following:

• Artifact Deletion: Artifact deletion refers to the intentional or unintentional removal of digital information of artifacts relevant to a forensics investigation. Deletion of data from relevant systems in the investigations compromises the integrity of the collected evidence as it can hinder the ability of investigators to accurately recreate the sequence of events that occurred during the crime. For DJI drone forensics investigations, artifact deletion can include the removal of memory on the aircraft using software applications like BC Wipe or Eraser.

• Data Hiding: data hiding refers to the act of concealing digital data making it difficult to recover information during the forensics process. This can include various techniques such as hiding data files, modifying file metadata, or encrypting specific files located on the system being investigated. Data hiding techniques such as steganography, relocation of data files, and altercation of file metadata like the file extension are often used by criminals to conceal their malicious activities from digital forensics investigators.

• Trial Obfuscation: trial obfuscation is the deliberate distortion of digital information during a legal trial or court proceedings to mislead the court and the opposing counsel. The technique often involves misrepresenting the activities that took place during the crime scene like modification of relevant file metadata such as timestamps undermining the validity of data extracted during the forensics process.

• Attacking Computer Forensics Tools: forensics tools are often well-regarded and rigorously documented. Criminals can take advantage of the nature of digital forensics tools by obtaining a copy of the software to learn its flaws. Once the shortcomings of a specific forensics tool are uncovered, criminals can utilize that information to conduct attacks like Denial of Service (DoS).

Although the usage of anti-forensics techniques in a drone-related crime is uncommon, it can be implemented to modify some of the digital data before the aircraft is investigated by officials. For instance, encrypting all the files on the drone could result in the data on the device like relevant flight logs being unable to be extracted and analyzed by the investigations team when looking into the mobile app used to control the aircraft. This type of anti-forensics technique is highly plausible as there are schedulers available on Android devices that allow users to delete all the data collected by the drone once every few days. Although anti-forensics strategies are unlikely to be employed by computer-illiterate people, it could definitely be orchestrated by tech-savvy users.

Information Extraction

A wide range of data can be extracted from drones by employing digital forensics techniques. The process of extracting and auditing pertinent data from compromised drones can be consolidated into five broad categories: file parsing, steganography, firmware analysis and reverse engineering through communication dissection, telemetry mapping, and flight integrity validation.

File Parsing

DJI drones track and store lots of information about its flight. This stored information is contained within discrete file formats, each file format corresponds to different types of stored information making parsers a valuable tool for reliable and quick drone information extraction.

Flight Log TXT Parsing

Whenever a DJI drone is taken out for a flight, it actively collects information and stores it within a flight record file text file. Although these text log files are encrypted, you can decode these files using online services such as Airdata to extract flight data. Data that can be extracted from these files include the drone’s GPS coordinates, altitude, gimbal direction, voltage, sensor values, and much more. Online services for DJI flight log parsing include Airdata, Phatom Help, and FlightReader. It is also important to mention that DJI Flight Log parsing services offer options to export the log into a variety of different file formats. The file formats the services can export include the following:

CSV Files

CSV files derived from DJI flight logs essentially store a direct translation of the decoded output from the original flight log file in a concise comma-separated format. An example line in a CSV file would look like the following:

time(millisecond),datetime(utc),latitude,longitude,height_above_takeoff(feet),height_above_ground_at_drone_location(feet),ground_elevation_at_drone_location(feet),altitude_above_seaLevel(feet),height_sonar(feet),speed(mph),distance(feet),mileage(feet),satellites,gpslevel,voltage(v),max_altitude(feet),max_ascent(feet),max_speed(mph),max_distance(feet), xSpeed(mph), ySpeed(mph), zSpeed(mph), compass_heading(degrees), pitch(degrees), roll(degrees),isPhoto,isVideo,rc_elevator,rc_aileron,rc_throttle,rc_rudder,rc_elevator(percent),rc_aileron(percent),rc_throttle(percent),rc_rudder(percent),gimbal_heading(degrees),gimbal_pitch(degrees),gimbal_roll(degrees),battery_percent,voltageCell1,voltageCell2,voltageCell3,voltageCell4,voltageCell5,voltageCell6,current(A),battery_temperature(f),altitude(feet),ascent(feet),flycStateRaw,flycState,message
69000,2021-10-10 00:31:35,33.882353627688,-118.371087252864,0,Available with any HD 360 subscription,Available with any HD 360 subscription,81.532767700912,0.328084,0,0,0,13,5,0,81.532767700912,0,0,0,0,0,0,271.5, 3.1, -0.6,0,0,1024,1024,1024,1024,0,0,0,0,259.6,0,0,96,4.281,4.278,0,0,0,0,0,82.94,81.532767700912,0,41,Motors_Started,

GPX Files Flight services like Airdata also export to GPX file formats that can be used to plot the drone’s flight path. For example, you can import the GPX file of the drone’s flight into Google Maps to visualize the locations of the drone throughout its flight. A standard GPX output looks like the following:

<trkpt lon="-118.371087230394" lat="33.8823536761505">
    <ele>24.8511868</ele>
    <speed>0.00</speed>
    <time>2021-10-10T00:31:35.100Z</time>
</trkpt>

KML Files

Similarly to GPX files, KML also contains geocoordinates of the DJI drone’s flight. The only difference is that KML is more versatile for visualizing 2D and 3D environments while GPX’s primary function is to store GPS-related data. Outlined below is a sample of a KML output:

 <Point>
    <altitudeMode>absolute</altitudeMode>
    <coordinates>-118.371159747421,33.882275125387,24.8511868</coordinates>
 </Point>

Steganography

Is a technique that is used to obfuscate information and metadata inside files. It is often employed to hide or protect sensitive data from unauthorized access. Steganography can be applied to a wide range of media such as photos, videos, documents, and audio by making slight undetectable modifications that are hard to notice without the use of specialized tools. In the case of drone digital forensics, drones store tons of files that are saturated with hidden metadata which can be seen using tools such as EXIF analysis. The main file formats that can be analyzed using Steganography for DJI drones include the following:

SRT: SRT (SubRip Subtitle) files are subtitle files that include metadata of the video footage captured by the DJI drone. The following information can be parsed out of SRT files:

Timecode: the timecode represents a specific instance of time in DJI media assets. They adhere to the HH:MM:SS,FFF format. HH represents hours, MM represents minutes, SS represents seconds, and FFF represents milliseconds.

GPS: the SRT packet also includes precise geolocation information about the drone including the latitude, longitude, and altitude

Date: the packet includes a timestamp of the date in milliseconds (note that the time zone is not specified, so it could be local to where the drone was registered or flown in)

Barometer: the barometer represents the atmospheric pressure exerted by the weight of the air in the atmosphere and is more accurate than GPS altitude

Speed: the speed is also an included metric and is represented by the unit km/h

Duration: the duration in milliseconds for the respective packet

Distance: the distance, represented in meters, of the drone relative to its home point

ISO: ISO represents the camera’s sensitivity to light. A higher ISO means a greater light sensitivity improving footage performance in low-light environments

Shutter Speed: the shutter speed of the drone camera is measured in fractions of a second and represents how much time the lens is exposed to the light. A higher shutter speed is often used to obtain shaper images in bright light while lower speeds are employed for motion-blurred and long-exposure photography

EV: EV stands for exposure value and is the numerical representation of the exposure brightness of image capture. It is a measurement calculated by combining the camera’s aperture, shutter speed, and ISO settings

Although the SRT file format is pretty standardized amongst the available DJI drones, there are some file format differences that exist amongst the DJI series. Online parsing tools often take these variations into account and adjust their decoding strategies according to the DJI brand the file was derived from. Some online parsing tools specifically for DJI SRT files include Juan Irache’s DJI SRT Parser and DJI Telemetry Display’s Online SRT Viewer.

DNG:
Since the DNG file format is used for minimally processed image files, they are used by DJI drones to store RAW images on the SD card. DNG files can be analyzed to extract pertinent information about the image such as the location of where it was taken, characteristics of the camera that captured the image such as aperture and shutter speed, and configuration of the drone. Popular tools for extracting data out of DNG images captured by DJI drones areexif.tools and Adobe’s DNG tool.

XMP:
An XMP file in the context of DJI drones contains relevant metadata about any images captured by DJI drones. Popular interpreters of XMP files areFileProInfo and XnView. The following is an example preview of an XML file:

Absolute Altitude               : +170.42
Relative Altitude               : +100.10
Gps Latitude                    : -36.41144502
Gps Longtitude                  : 174.63075195
Gimbal Roll Degree              : +0.00
Gimbal Yaw Degree               : -1.30
Gimbal Pitch Degree             : -90.00

JPEG:

Most photos captured by DJI drones are stored in JPEG file format. The JPEG file format is a common picture format that can be opened by any picture viewer. JPEG is a compressed file format which makes it limited in updating post-production. DJI drone JPEG captured can be analyzed by a wide range of tools such as ExifTool, JPEGSnoop, and FotoForensics to derive relevant information about the location of the photo, camera features, and drone configuration.

MP4:

Videos for DJI drones are stored as an MP4 file. DJI MP4 videos can be analyzed to uncover meaningful metadata values such as the date and time of each capture and details like GPS geocoordinates. Commonly used tools for MP4 metadata analysis for FFmpeg and ExifTool.

Communication Dissection

Communication dissection refers to the process of analyzing the communication data that is exchanged between a drone and its ground control system (controller) and the protocols utilized for the transmission. Dissecting DJI communication has two main applications for drone forensics: firmware and binary analysis.

Firmware Analysis

Although DJI encodes its firmware within a proprietary file format encrypted using AES and signed with RSA, certain information about the firmware can be decrypted using leaked encryption keys published on the internet since DJI uses custom encryption keys for each of their files, modules, and use cases by intercepting communication between the DJI mobile application and DJI cloud infrastructure. Once communication is intercepted, a firmware package of the drone can be installed and distilled down into multiple components that construct the code base of the drone by sending a sequence of HTTP requests to the mydjiflight.dji.com host followed by a POST request containing an authentication signature as outlined in this fantastic article by Nozomi Networks.

Once the firmware package is successfully retrieved, its structure can be inspected using thedji_imah_fwsig.py script contained inside the dji-firmware-tools GitHub repository. The general structure of the firmware is as follows:

• Image Header: contains the number of chunks (size) of the payload in conjunction with checksums of the encrypted and decrypted data

• Chunk Header List: offset and size of each data chunk housed in the firmware image

• RSA Digital Signature: both image and chunk headers

• AES Encrypted Chunk List: data necessary for updating the firmware

Once the firmware image is unpacked using a valid key, the kernel, binaries, and configuration systems of the firmware operating system can be extrapolated to be reverse-engineered and the file system of the drone can be revealed.

Binary Analysis

Binary Analysis is another meaningful approach for revealing obfuscated DJI drone information. This technique can be employed whenever a binary program, structure, or data is intercepted between any one of the drone communication methods like DUML, UART, or USB. Binary analysis plays a crucial role in DJI reverse engineering which is a set of processes to deconstruct fundamental information about a specific DJI drone’s architecture and firmware functionality.

DUML

DUML is the property communication language used by DJI drones to send commands and data between internal models to alter flight parameters such as maximum altitude and maximum ascent / descent speed. DUML communication can be decoded by noting the specific pattern structure for all DUML binaries. Each DUML packet begins with the hexadecimal identifier of 0x55 included with two subsequent bytes containing the length of the data and version.

By noting the structure of DUML packets, we can reverse engineer communication and data that is being sent from one subsystem of a DJI drone to another. To learn more about this, I would suggest checking out this Swedish research paper which heavily attempted to reverse engineer the DJI Mavic 2 and this paper written by researchers at Ruhr University that implemented a fuzzer for DUML-based DJI drone communication. Available tools to conduct DUML analysis include dumlPrinter, DUMLRacer, DUMLdore, and pyDJI.

UART

Also known as Universal Asynchronous Receiver Transmitter, UART is primarily used in microcontrollers in DJI drones such as the Sparrow S1 Transmitter for wired communication. Although UART is intrinsically hidden, it can be inspected by reverse engineering the hardware pins. UART communication on DJI drones can be exploited to gain root access to the shell of the drone. This method gives direct access to the firmware code of the drone along with identified commands to perform memory adjustments and elevated privilege command executions.

USB

USB communication systems on DJI drones are generally used to download data like media files from the internal storage and flight logs from the flight recorder. The USB interface is also used to transmit DUML commands in order to control internal drone settings and initiate firmware upgrades. Moreover, a DJI drone’s boot process can also be initiated via USB packets, and USB interfaces located on the drone are used to communicate to the DJI Fly app and remote control.

Telemetry Mapping

Analyzing the telemetry and sensor values assumed by a DJI drone during its flight is useful for analyzing the main stages during a drone’s flight and detecting any malicious or criminal activity that could have been conducted. Telemetry mapping is executed after the data is extracted from the parsed DJI flight data log file. After the data is collected, it can be plotted and visualized for analytical purposes.

Telemetry and Sensor Visualization

Graphs and models can be generated for all the numerical telemetry and sensor values collected throughout the flight. This data can be used as useful metrics to analyze the drone’s flight. Values that can be visualized, derived, or calculated from the data set include the following:

Speedometer, GPS Path, Altitude, Distance, Slope, Dynamic Map, Bearing, Acceleration (GPS), Time & Date, Lap Timer, Pace, Vertical Speed, Elevation Gain, Coordinates, Altitude vs Distance, Orientation, Heading, Gimbal, Gimbal Heading, Thumbsticks, Battery %, Lean Angle, Lean Angle (2 wheel), Airspeed, Altimeter, Attitude Indicator, Heading Indicator, Turn Coordinator, Vertical Speed Indicator, Pitch Angle, Longitudinal Acceleration (GPS), Acceleration (speed-based), Lateral Acceleration (GPS), Zero to Speed, Distance Timer, GPS Path + Compass, Battery Volts, Distance Home, Sector Times, Corner Speeds, etc

Flight Path and GPS Verification

During a DJI drone’s flight, its GPS geocoordinates are logged and stored along with its GPS signal strength, timestamp, and altitude above sea level (absolute altitude). This is useful for investigation scenarios that involve precise location triangulation and reconnaissance. These extracted GPS coordinates can also be used to plot out the drone's flight path and key event markers throughout its flight timeline.

Flight and Integrity Analysis

After a flight is completed with a DJI drone, data can be exfiltrated from multiple file formats like CSV in order to keep a record of flight events to monitor the UAV flight behavior. Each event can be connected with a corresponding timestamp and data value. Once the data is obtained, it can be plotted and scanned for relevant influxes that could correspond to events such as contraband drop-off or stages of flight. This process of scanning through data flight logs and checking for unexpected variations is very useful for detecting anomalous occurrences.

Unexpected Telemetry Variation Detection

As mentioned previously, we can track multiple indicators a drone has assumed during its flight to check for any suspicious variations. For instance, during any flight, a drone is expected to cruise at a set altitude. A sudden variance in altitude within a short timeframe can indicate a loss of altitude from an unexpected cause such as a mid-air collision, propeller breakdown, etc. An altitude variation like this can be extracted by getting the relative altitude from the GPS to determine if an unexpected event has occurred.

Measurement Integrity Analysis

Message records including sensor information are housed within DJI data files. Investigators can utilize these measurements to make predictions about key occurrences during a flight. For instance, it is possible to predict a short circuit or a battery malfunction that may have resulted in a drone crash landing by analyzing the flight board current and voltage message records. By auditing the current and voltage values and checking if they ever exceeded the 10% maximum threshold of median current and voltage values, investigators can infer an electrical system malfunction.

Introducing DroneXtract

Throughout my journey of experimenting and researching drone digital forensics, I noticed the lack of cohesiveness among drone forensics tools. Moreover, I also recognized that most available open-source DJI drone forensics tools or programs often required cumbersome setup instructions and were hard to understand for beginners entering the field. In order to combat both of these problems and also satisfy my urge to develop open-source projects within the field of aerospace cybersecurity, I decided to create DroneXtract. DroneXtract is a DJI drone digital forensics suite written in Golang that analyses drone sensor values and telemetry data, visualizes drone flight maps, audits for criminal activity, and extracts pertinent data within multiple file formats. You can visit the repository for the project here.

Golang for Cybersecurity Development

I chose to use the Golang programming language to develop DroneXtract because of its concurrency support, fast performance, memory safety, and minimalism. These advantages provide Golang an edge for cybersecurity programs over other commonly used programming languages such as Python or C.

Features and Usage

DroneXtract features four main suites for drone forensics and auditing. They include the following:

DJI File Parsing:

The file parsing tool can visualize and extract information from DJI file formats such as CSV, KML, and GPX using the parsing tool. The parsed information can be saved into an alternative file format when inputted an output file path.

Steganography

The steganography suite allows you to extract telemetry and valuable data from image and video formats. Additionally, the extracted data can be exported to four different file formats.

Telemetry Visualization

The telemetry visualization suite contains a flight path mapping generator and a telemetry graph visualizer. The flight path mapping generator creates an image of a map indicating the locations the drone traveled to enroute and the path it took. The telemetry graph visualizer plots a graph for each of the relevant telemetry or sensor values to be used for auditing purposes.

Flight and Integrity Analysis

The flight and integrity analysis tool iterates through all the telemetry values the drone logged during its flight. Once the values are collected, it calculates the maximum variance assumed by the value and checks for suspicious data gaps. This tool can be used to check for anomalous data or any file corruption that may have taken place.

DroneXtract can be run by running the following set of commands in your terminal after cloning the code from the GitHub repository

$ export GO111MODULE=on
$ go get ./...
$ go run main.go

Relevant Applications

The following are anticipated applications for the DroneXtract suite and how it can be utilized in each one of the outlined use cases.

• Researching Case Scenarios for Insights

  DroneXtract utilities can be used to reveal insightful information for research purposes. This can include flight maps of specific areas, telemetry logs of sensor values, and flight log data extracted for specific digital forensics scenarios such as crime analysis or flight auditing.

• Conducting Post-Crime Analysis for Investigations

  The file parsing and integrity analysis tools in DroneXtract are useful for analyzing crimes committed with specific DJI drones by monitoring for variances in sensor values and investigating the flight path taken by the drone during its flight.

• Recreational Flight Analysis

  DroneXtract can also be used for recreational UAV purposes by providing a framework for avid drone pilots to visualize their flights and gain insightful information about their drones in a clear, cohesive manner.

Conclusion

Overall, the significance of drone-related cybersecurity especially digital forensics cannot be overstated in our increasingly connected and UAV-reliant world. Drones have revolutionized many industries, but their potential misuse if they are exploited by bad actors can materialize lots of chaos. In order to prevent cyber attacks against drones and research more into the strategies employed by drone cyber criminals, digital forensics is a key safeguard for spearheading investigations and extensive security research into the causes of these attacks. I hope that the development of DroneXtract and my personal research into the world of DJI digital forensics inspired you to learn more about or even pursue the fields of drone or aerospace cybersecurity. Aerospace cybersecurity is a widely growing field and we need more positive minds to help safeguard aeronautical and space-based cyber systems to ensure the cybersecurity of future space-based applications.

Thanks for Reading!

• View more of my work on GitHub: https://github.com/ANG13T
• Follow my account on Instagram: instagram.com/angelina_tsuboi
• See what I’m up to on Twitter: https://twitter.com/AngelinaTsuboi
• Support my work on Cash App: https://cash.app/$AngelinaTsuboi