The Silent Witness in the Sky: A Deep Dive into Drone Forensics for Criminal Investigations

Written by Blogger

September 10, 2025

The proliferation of drones, once a novelty, has ushered in a new era across industries, from logistics and agriculture to cinematography and surveillance. However, this technological leap has a darker side: the increasing exploitation of Unmanned Aerial Vehicles (UAVs) in criminal activities. These aerial platforms, equipped with high-resolution cameras, advanced sensors, and sophisticated flight control systems, can be deployed for illicit surveillance, smuggling contraband, orchestrating acts of terrorism, and evading traditional law enforcement methods. In this evolving landscape, the discipline of drone forensics has emerged as a critical frontier in digital investigations, demanding a comprehensive understanding of data extraction, multi-source correlation, and the unique challenges presented by these airborne devices.

Our in-depth research delves into the intricate world of drone forensics, focusing on the meticulous process of extracting and analysing digital evidence from a DJI Matrice 600 Pro drone – a sophisticated platform often favoured for professional applications and, regrettably, potential criminal misuse. We explore a multi-pronged approach, dissecting data residing within the drone’s internal memory, its removable SD card, the mobile phone used for control, and the dedicated controller. By leveraging cutting-edge forensic tools like FTK Imager, Paraben E3, Magnet AXIOM Cyber, and Wireshark, we aim to illuminate the pathways to uncovering crucial digital traces that can definitively link drones to criminal acts, providing invaluable intelligence for law enforcement agencies striving to maintain security in our increasingly digitized world.

The Anatomy of a Drone Investigation: Beyond the Airframe

A successful drone forensic investigation transcends the physical examination of the aircraft. It requires a deep understanding of the interconnected digital ecosystem that governs its operation. We recognize that critical evidence can be scattered across multiple devices, each holding a piece of the puzzle:

  • The Drone Itself (DJI Matrice 600 Pro): This sophisticated platform houses a wealth of digital information within its internal eMMC storage, the removable SD card that captures high-resolution imagery, the intricate flight control system that records operational parameters, a suite of sensors providing environmental data, and even the battery, whose voltage fluctuations can reveal flight dynamics.
  • The Dedicated Controller: Serving as the primary human-machine interface, the controller stores communication logs, user settings, and potentially linked device information.
  • The Mobile Phone Interface: Often paired with the controller, the mobile phone becomes an integral part of the drone’s operation, hosting dedicated applications that log flight data, manage media, and store user-specific configurations.

Our research posits that a comprehensive forensic picture can only be painted by meticulously extracting and correlating data from each of these interconnected sources, building a holistic timeline of events and identifying the individuals orchestrating the drone’s actions.

Paraben’s E3 Forensic Platform processing the DJI Smartphone App.

The Investigator’s Toolkit: Mastering the Digital Terrain

Navigating the complex digital landscape of drone forensics demands a specialized toolkit. Our research employed industry-standard and cutting-edge forensic software to effectively acquire, process, and analyse drone-related data:

  • FTK Imager (AccessData): A foundational tool for creating forensically sound images (bit-for-bit copies) of various storage media, including SD cards and the internal eMMC chip. This ensures the preservation of evidentiary integrity, a cornerstone of digital forensics.
  • Paraben E3 (Electronic Evidence Examiner): E3’s mobile forensic functionality offers a robust set of capabilities for extracting and analysing data from a wide array of mobile and connected devices, making it a highly versatile solution for digital investigators. It supports all Apple iOS and Android smartphones, a variety of feature phones, GPS units, and a wide array of IoT devices such as smartwatches, home devices, and drones (via the DJI GO app). Information captured from the DJI GO app includes the video file list, flight records, images, the flight records list, the user’s last location from the Google Maps app, Maps bookmarks, and more.
  • Magnet AXIOM Cyber (Magnet Forensics): A powerful commercial tool designed for comprehensive analysis of computer and mobile device data. AXIOM excels at parsing application-specific data, making it invaluable for extracting information from drone control apps on mobile phones.
  • Wireshark (Open-Source): A network protocol analyser crucial for capturing and examining network traffic, particularly the Wi-Fi communication protocols exchanged between the drone and its controller or mobile device. This can reveal crucial information about command and control signals.
  • DatCon (Specialized Drone Data Conversion): While not detailed in our abstract, tools like DatCon are often essential for decoding and converting the proprietary data formats drone manufacturers use to store flight logs and other operational data.

Unearthing the Secrets Within: Data Extraction Methodologies

Our research meticulously employed targeted data extraction techniques tailored to the specific storage mechanisms within the drone ecosystem:

  • Chip-off Forensics (Internal eMMC): For the DJI Matrice 600 Pro’s internal eMMC chip, we explored chip-off analysis – a more invasive technique involving the physical removal of the chip to gain direct access to the raw data. This method is particularly crucial for recovering deleted data or bypassing potential software-level access restrictions.
  • Forensic Imaging of Removable Media (SD Card): Utilizing write-blocking hardware and FTK Imager, we created forensically sound images of the drone’s removable microSD card. This process preserves all data, including photos, videos captured during flight, and crucial flight log files.
  • Mobile Device Acquisition and Analysis: Employing Magnet AXIOM Cyber, we focused on extracting data from the mobile phone used to control the drone. This included user account information, application data from drone control apps (like DJI), connected Wi-Fi network details, communication logs, and any drone-related media stored on the device. In addition, we processed the same data through Paraben’s E3 Platform, which produced the same results, cross-verifying our process.

Mapping the Digital Flight Path: GPS Data and Log File Analysis

A cornerstone of drone investigations is the ability to reconstruct the drone’s flight path. By meticulously decoding .dat files and other proprietary log formats found within the drone’s storage, we can extract precise GPS coordinates (latitude, longitude, altitude), timestamps associated with each location point, and potentially even pre-programmed waypoints or mission parameters. Visualizing this extracted GPS data using Geographic Information Systems (GIS) software allows investigators to generate detailed maps of the drone’s trajectory, pinpointing key locations and correlating its movements with specific times and events relevant to a criminal investigation.

Furthermore, the analysis of comprehensive flight logs provides a deeper understanding of the drone’s operational parameters during flight, including motor speeds, gimbal movements, sensor readings, and system status indicators. This granular data can reveal critical insights into the drone’s behaviour and any anomalies that might suggest unusual or illicit activity.
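To make the reconstruction step concrete, here is an added Python example (not code from the original post or from any vendor tool) that takes a decoded flight-record CSV, rebuilds the track, flags logging gaps that merit a closer look, and writes a KML LineString for a GIS viewer. The column names, the sample fixes and the absolute start time are all constructed assumptions, since decoded exports differ by vendor and converter.

```python
import csv
import io
import math
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a decoded flight-record CSV export; the column
# names and the absolute start time below are assumptions, not a vendor schema.
SAMPLE_CSV = """time_ms,latitude,longitude,altitude_m,battery_pct
0,51.50000,-0.12000,0.0,98
1000,51.50010,-0.12000,5.0,97
2000,51.50020,-0.12010,12.0,97
3000,51.50030,-0.12020,18.0,96
9000,51.50100,-0.12100,25.0,90
10000,51.50110,-0.12110,20.0,89
"""
FLIGHT_START_UTC = datetime(2025, 9, 10, 14, 0, 0, tzinfo=timezone.utc)

def parse_track(csv_text):
    """Return (time_ms, lat, lon, alt_m, battery_pct) tuples ordered by time."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return sorted((int(r["time_ms"]), float(r["latitude"]), float(r["longitude"]),
                   float(r["altitude_m"]), int(r["battery_pct"])) for r in rows)

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 fixes."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def summarize(track, start_utc, gap_threshold_ms=2000):
    """Flight summary plus logging gaps longer than the threshold (worth a closer look)."""
    pairs = list(zip(track, track[1:]))
    distance = sum(haversine_m(a[1], a[2], b[1], b[2]) for a, b in pairs)
    return {
        "first_fix": (start_utc + timedelta(milliseconds=track[0][0])).isoformat(),
        "last_fix": (start_utc + timedelta(milliseconds=track[-1][0])).isoformat(),
        "duration_s": (track[-1][0] - track[0][0]) / 1000,
        "distance_m": round(distance, 1),
        "max_alt_m": max(p[3] for p in track),
        "battery_drop_pct": track[0][4] - track[-1][4],
        "gaps_ms": [(a[0], b[0]) for a, b in pairs if b[0] - a[0] > gap_threshold_ms],
    }

def to_kml(track, name="flight-track"):
    """Emit a KML LineString (lon,lat,alt order) for loading into GIS tools."""
    coords = " ".join("%s,%s,%s" % (p[2], p[1], p[3]) for p in track)
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Placemark><name>%s</name>'
            '<LineString><altitudeMode>relativeToGround</altitudeMode>'
            '<coordinates>%s</coordinates></LineString></Placemark></kml>' % (name, coords))
```

The six-second hole between the 3 s and 9 s fixes is exactly the kind of anomaly the summary surfaces; whether it is a signal loss, a log rotation or a deliberate power cycle is a question for the other data sources.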

The Unseen Connection: Leveraging Network Analysis and the Locard Principle

The foundational Locard Exchange Principle, stating that every contact leaves a trace, extends into the digital realm of drone operation. The Wi-Fi or radio signals exchanged between the drone and its controller or mobile device represent a form of digital contact. By capturing and analysing this network traffic using tools like Wireshark, investigators can potentially identify the devices involved in the communication, analyse command and control signals, and even trace the network infrastructure used to operate the drone. Correlating this network data with information extracted from the controller and mobile phone can further solidify the link between the drone and its operator.

Decoding the Secrets: Navigating the Challenge of Encryption

The increasing sophistication of drones includes the implementation of robust encryption mechanisms to protect sensitive data, such as flight logs, telemetry information, and real-time video feeds. Our research acknowledges this challenge, highlighting the various encryption methods employed by drone manufacturers, including industry standards like AES and RSA, as well as proprietary algorithms. Understanding these encryption techniques and the legal frameworks surrounding data decryption is paramount. In cases where lawful access is granted, leveraging Software Development Kits (SDKs) and manufacturer-specific tools may be necessary to decrypt protected data and unlock critical evidentiary information.

Conclusion: Charting a Course for Justice in the Drone Age

The findings of our research underscore the indispensable role of drone forensics in the contemporary landscape of criminal investigations. Drones, once perceived as mere gadgets, have emerged as powerful tools capable of facilitating a wide range of illicit activities. However, these aerial platforms and their associated devices inadvertently generate a wealth of digital evidence, waiting to be uncovered and analysed. By employing a comprehensive, multi-source approach, leveraging advanced forensic tools, and mastering the intricacies of data extraction and correlation, law enforcement agencies can effectively transform these silent witnesses in the sky into crucial instruments of justice. As with all forensic processes, you should rely on more than one tool rather than committing to a single brand.

As drone technology continues its rapid evolution, the field of drone forensics must adapt and innovate in tandem, ensuring that investigators remain equipped to navigate this complex digital frontier and hold those who misuse these powerful tools accountable for their actions. The ability to meticulously piece together the digital flight path and operational history of a drone is not just about solving crimes; it’s about safeguarding our communities in an increasingly interconnected and technologically driven world.

Artifacts List

Common artifacts across ecosystems (for forensic triage)

For any FC, these are typically the most valuable items to collect and analyze:

  1. GPS track (lat, lon, alt, timestamp) — reconstruct flight path.
  2. Timestamps & time sync info — correlate to other evidence (video, CCTV).
  3. IMU / attitude (roll/pitch/yaw) — helps with crash analysis.
  4. RC/Controller inputs — pilot actions.
  5. Battery telemetry — discharge, voltage, thermal events.
  6. Camera metadata / EXIF — photo/video timestamps and camera settings.
  7. Flight events — takeoff/landing, failsafe, geofence breach, firmware messages.
  8. Device identifiers & firmware versions — aircraft/FC serials, firmware & param snapshots.
  9. Ground-station/phone app logs — mission plans, waypoint lists, user account data, sync/cloud uploads.
  10. SD card file system artifacts — deleted files, slack space, thumbnail caches.

Flight controller ecosystems — log formats & forensic artifacts

1) DJI (consumer/enterprise: Mavic, Phantom, Inspire, Air, FPV)

  • Common log file types:
    • Mobile app logs (encoded .txt, some CSV exports) and device logs sometimes called .DAT or .txt depending on model/app. Aircraft may also store .dat on internal storage/SD card. Mobile app often keeps decoded JSON/CSV exports.
  • Where to look: aircraft internal storage / camera SD card, mobile device (DJI GO / DJI Fly / DJI Pilot) app folders, cloud (if user synced).
  • Key artifacts to extract: flight start/stop timestamps, GPS tracks (lat/lon/alt), home point, flight mode changes, battery levels, compass/IMU data, RC inputs, geofence events, camera photo/video metadata (EXIF), crash/abnormal event entries, serial/firmware IDs.
  • Parsers / tools: DatCon, DJI Flight Reader/CSV converters, PhantomHelp/Flight Log Viewer, Airdata (cloud service) — useful for decoding and exporting to CSV.

2) Autel (EVO / EVO II / Lite / Nano)

  • Common log file types: vendor-specific logs accessible via Autel Explorer app; flight records often exportable via app (app JSON/CSV or files on SD card when copying logs). Some models provide camera logs and telemetry exports.
  • Where to look: aircraft SD card, remote controller/storage, and Autel Explorer app (local or cloud sync).
  • Key artifacts: GPS track, battery, flight times, flight distance, max altitude, camera file timestamps; device serial & firmware info.
  • Parsers / tools: Autel app exports / Airdata integrations / community tools.

3) Parrot (Anafi, Disco, other Parrot models)

  • Common log file types: JSON flight logs (Anafi uses JSON exports), .pud or vendor-specific logs on older models, and droneFlight.txt for some SDKs.
  • Where to look: SD card, internal storage, FreeFlight (mobile app) export, MyFlights / DroneLogBook integrations.
  • Key artifacts: GPS traces, IMU/optical-flow info, timestamps, flight event logs (takeoff/land), video/photo metadata.
  • Parsers / tools: community “ShowAnafiLog” projects, Parrot developer tools, DroneLogbook exports.

4) Pixhawk family / ArduPilot (APM/Pixhawk running ArduPilot)

  • Common log file types:
    • DataFlash logs (binary .bin and parsed .log), and telemetry TLOG (MAVLink .tlog) recorded by ground station.
  • Where to look: SD card on autopilot (dataflash), ground-station PC (Mission Planner tlogs), telemetry radios.
  • Key artifacts: GPS position/time, EKF/estimator state, IMU (gyro/accel), barometer/altitude, RC inputs, servo/motor outputs, mission waypoints & commands, battery telemetry, parameter snapshots. DataFlash also contains higher-level events (mode changes, failsafes).
  • Parsers / tools: Mission Planner log viewer, APM Planner, Mavlogdump.py, Mission Planner export to CSV/KML; ArduPilot docs describe fields.

5) PX4 (PX4 Autopilot ecosystem)

  • Common log file types: ULog (.ulg) — self-describing binary log format used by PX4; QGroundControl may also produce .log/.tlog.
  • Where to look: SD card on autopilot, ground station logs (QGroundControl), telemetry links.
  • Key artifacts: uORB topic streams — sensor measurements (IMU/GPS/baro/mag), estimator states, actuator outputs, RC inputs, mission commands, timestamps. ULog contains type/format metadata making parsing reliable.
  • Parsers / tools: PX4 ULog tools (px4tools), QGroundControl log viewer, Foxglove and other viewers.
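As an added illustration of why the self-describing layout matters (this is example code written for this page, not a tool from the PX4 project), the following Python walks a ULog file header and its definitions section, recovering the start timestamp and the info and parameter messages that carry device and firmware identifiers, and stops where the data section begins. The sample bytes are constructed in-line following the public ULog layout; the parameter and info values in them are placeholders, not a real capture.

```python
import struct

ULOG_MAGIC = b"ULog\x01\x12\x35"   # 7-byte magic; then uint8 version and uint64 start time (us)
DEFINITION_TYPES = {b"B", b"F", b"I", b"M", b"P", b"Q"}  # anything else begins the data section

def build_sample_ulog():
    """Constructed sample (not a real PX4 capture): header, flag bits, two info
    messages, one parameter, then the first data-section message."""
    def msg(msg_type, body):  # every message: uint16 body size, uint8 type, body
        return struct.pack("<HB", len(body), ord(msg_type)) + body

    def kv(key, value):       # info/param body: uint8 key_len, key, raw value
        return bytes([len(key)]) + key.encode() + value

    out = ULOG_MAGIC + struct.pack("<BQ", 1, 1_700_000_000_000_000)
    out += msg("B", bytes(16) + struct.pack("<3Q", 0, 0, 0))  # compat/incompat flags, appended offsets
    out += msg("I", kv("char[3] sys_name", b"PX4"))
    out += msg("I", kv("char[4] ver_hw", b"v1.0"))
    out += msg("P", kv("float MC_ROLL_P", struct.pack("<f", 6.5)))
    out += msg("A", struct.pack("<BH", 0, 0) + b"vehicle_gps_position")  # subscription: data section
    return out

def decode_value(type_name, raw):
    """Decode an info/param value using the type declared in its key."""
    if type_name.startswith("char["):
        return raw.decode(errors="replace")
    fmt = {"int32_t": "<i", "uint32_t": "<I", "float": "<f", "uint64_t": "<Q"}.get(type_name)
    return struct.unpack(fmt, raw)[0] if fmt else raw

def parse_ulog_definitions(data):
    """Walk the header and definitions section; stop at the first data message."""
    if data[:7] != ULOG_MAGIC:
        raise ValueError("not a ULog file: bad magic")
    version, start_us = struct.unpack_from("<BQ", data, 7)
    result = {"version": version, "start_timestamp_us": start_us,
              "info": {}, "params": {}, "formats": []}
    offset = 16
    while offset + 3 <= len(data):
        size, mtype = struct.unpack_from("<HB", data, offset)
        mtype = bytes([mtype])
        if mtype not in DEFINITION_TYPES:
            break
        body = data[offset + 3:offset + 3 + size]
        if len(body) != size:
            raise ValueError("truncated message at offset %d" % offset)
        if mtype in (b"I", b"P"):
            key_len = body[0]
            type_name, name = body[1:1 + key_len].decode().split(" ", 1)
            target = result["info"] if mtype == b"I" else result["params"]
            target[name] = decode_value(type_name, body[1 + key_len:])
        elif mtype == b"F":
            result["formats"].append(body.decode())
        offset += 3 + size
    result["data_section_offset"] = offset
    return result
```

Because every value is typed in its own key, the parser needs no vendor-specific table, which is what makes ULog triage reliable across firmware versions; a magic-check failure or a truncated message is itself a finding worth recording.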

6) Betaflight / Cleanflight / iNav (FPV flight controllers)

  • Common log file types: Blackbox logs (.bbl, .bfl, or exported CSV). Blackbox records high-rate loop data (gyro, PID, motor outputs, RC). iNav uses a similar Blackbox format.
  • Where to look: FC internal flash (some FCs use SD/flash chips), separate blackbox recorder (e.g., OpenLager), or SD card if configured.
  • Key artifacts: High-frequency IMU samples, PID loop outputs, stick/RC inputs, motor outputs, battery telemetry, GPS (if present) — useful for crash reconstruction and tuning analysis.
  • Parsers / tools: Blackbox Explorer (desktop/web), blackbox-tools (convert to CSV), INAV/Betaflight viewers.

7) OpenPilot / LibrePilot

  • Common log file types: Cap’n Proto logs and other vendor-specific formats; older OpenPilot logs are proprietary but community tools exist.
  • Where to look: FC storage / SD / ground station exports.
  • Key artifacts: Same as other autopilots — sensor data, attitude, GPS, events.
  • Parsers / tools: OpenPilot / LibrePilot tools and community decoders.

8) Yuneec, Hubsan, other consumer vendors

  • Common log file types & storage: vendor-specific binary or text logs, often on aircraft/SD or mobile app cloud; many vendors provide app export or require special tools. (Autel/Parrot/DJI differences above are examples.)
  • Key artifacts: GPS track, IMU, battery, camera metadata, timestamps, device IDs.
  • Parsers / tools: vendor apps, community export tools, and forensic utilities (Airdata, CsvView) may support them.
