By: Robert DeCicco
With the increase in drones in the sky beyond recreational use and delivery, and movement toward practical and business uses such as surveillance in hostile climates, servicing and message relaying, we have also seen an increase in the sophistication of the devices. Not unlike a mobile phone or GPS, the drone carries a significant amount of digital information that can be both extracted and used to corroborate other evidence in an investigation, provide alibis or in some instances be the smoking gun to solve an investigation.
Historically, law enforcement, intelligence agencies or law firms seeking to extract information from drones have either attempted to do so on their own or sent the devices back to their manufacturers with a subpoena. As with a hard drive, tablet or phone, if the appropriate tools and protocols are not used and followed, the information can become corrupted, chain-of-custody issues can arise, or some interference can occur, rendering the data unreliable or, worse, inadmissible.
As with a phone or any of the latest IoT devices, the exact information available for review from any given drone depends on the model, but items such as GPS position, altitude, direction and other positioning data are usually stored regardless of device, and for many larger devices this data is required (or is in the midst of being required) to be stored elsewhere per FAA regulations. These are the bare minimum, but we have found that additional data is also stored on the owner/operator’s receiver, transceiver or phone. Where someone denies owning or operating a drone, it is a black-and-white issue, but what other information can be extracted to help in an investigation? Our research on several devices revealed the following data points and metadata, including but not limited to:
- Registered owner operator name, email, phone number.
- Registered owner ‘home port’ (often home address).
- List of typed-in last 10 destinations via GPS coordinates.
- Flight time before charge, overall flight time, and distance(s) flown.
- Video (if embedded or attached mobile device).
- For larger drones, an operating system exists (typically Linux) on a hard drive. Forensics experts can perform the same analysis done on desktops in these instances.
How can investigators use this information in an investigation? Consider the drone to be the first generation of a mobile device with electronic data on it; however, it is also storing much more video. Not only can the drone tie activity back to the owner where the owner is the suspect, but it may also be necessary to verify the video stored on the drone if the surveillance has captured an event or crime. The appropriate measures must be taken to secure the device and preserve the information. While the field is still in its early stages, best practices would indicate that the following information be noted on a chain-of-custody form and worksheet when ‘seizing’ a drone, in advance of analysis and submission or supplementation to a report:
- Make, model, serial number of drone
- Photos of condition found
- Known custodian, owner, operator
- Video unit make, model, serial number (if phone, follow standard phone steps)
- Location obtained
- If hard drive present: make, model, serial number, OS
- Tools used to image hard drive
- Verification hash
- Technician name or person taking custody
- Backup of information
- GPS from technician phone versus drone GPS report
- Date/time of seizure
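Several of the worksheet entries above (verification hash, backup check, technician-phone GPS versus drone GPS, date/time of seizure) can be computed rather than typed by hand. The Python below is an added example, not part of the original article; SHA-256 as the hash, the 50 m GPS tolerance, the function names and all sample values are assumptions.

```python
import hashlib
import json
import math
import os
import tempfile
from datetime import datetime, timezone

# Assumptions (not from the article): SHA-256 as the verification hash, 50 m GPS tolerance.

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large drive images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def gps_gap_m(a, b):
    """Haversine distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))


def custody_record(details, image, backup, tech_gps, drone_gps, max_gap_m=50.0):
    """Return the worksheet entries that can be computed rather than typed in."""
    image_hash, backup_hash = sha256_file(image), sha256_file(backup)
    gap = gps_gap_m(tech_gps, drone_gps)
    return dict(details,
                seized_utc=datetime.now(timezone.utc).isoformat(timespec="seconds"),
                verification_sha256=image_hash,
                backup_verified=(image_hash == backup_hash),
                gps_gap_m=round(gap, 1),
                gps_consistent=(gap <= max_gap_m))


if __name__ == "__main__":
    # Constructed sample data: two small files stand in for the image and its backup.
    with tempfile.TemporaryDirectory() as d:
        image, backup = os.path.join(d, "drone.img"), os.path.join(d, "backup.img")
        for p in (image, backup):
            with open(p, "wb") as fh:
                fh.write(b"constructed sample image bytes")
        rec = custody_record({"make": "EXAMPLE", "serial": "PLACEHOLDER-0001",
                              "technician": "J. Doe", "imaging_tool": "PLACEHOLDER"},
                             image, backup, (40.7128, -74.0060), (40.7130, -74.0062))
        print(json.dumps(rec, indent=2))
```

A `backup_verified` or `gps_consistent` value of false does not by itself invalidate the evidence; it marks an entry the technician should explain on the worksheet.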
Drones, like street surveillance or digital phones with perpetual recordings, are a source to consider when trying to tie out all evidence in an investigation and leave no stone unturned. Information stored on drones will only become more detailed, and drones themselves will only become more pervasive as time passes. It’s a brave new world—be ready.
The views and opinions expressed in this article are those of the authors and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.