MSc System and Network Engineering
Computer Crime and Forensics

Digital forensics on a DJI Phantom 2 Vision+ UAV

Authors: Mike Maarse [email protected], Loek Sangers [email protected]
Supervisors: Jaap van Ginkel [email protected], Mick Pouw [email protected]

Document version 1.1
April 29, 2016


Abstract

In this research we perform a forensic investigation on an Unmanned Aircraft System, specifically the DJI Phantom 2 Vision Plus. In our investigation we focus on retrieving positional data and sequence information from each component of the system in order to reconstruct the flight path of the Unmanned Aerial Vehicle.

Two methods to precisely reconstruct the flight path have been found, one using the Ground Control Station memory running on a mobile device and one using EXIF data of recorded media files. Additionally, we retrieved information related to the home point of the Unmanned Aerial Vehicle and foreign network SSIDs.

Contents

1 Introduction
2 Related work
  2.1 Relevance and challenges
  2.2 Component analysis
3 Flight paths
4 Methodology
  4.1 Equipment
  4.2 Shell access
  4.3 Acquisition
    4.3.1 DJI Vision application
    4.3.2 UAV and range extender
    4.3.3 Camera
  4.4 Counter forensics
5 Results
  5.1 Flight plan data
    5.1.1 Ground Station operation
    5.1.2 Exfiltrating artefacts
  5.2 Recorded media
    5.2.1 Storage
    5.2.2 Geotags
    5.2.3 Time stamps
  5.3 Home point
  5.4 Foreign SSIDs
6 Counter forensics
  6.1 Altering time stamps
  6.2 Blocking GPS signals
7 Analysis
  7.1 Flight plan artefacts
  7.2 EXIF data
  7.3 Network SSIDs
8 Conclusion
9 Future work
A Sample EXIF data

1. Introduction

As the market for consumer and professional grade Unmanned Aerial Vehicles (UAVs) is growing, the frequency at which these devices occupy public airspace will only increase [1, 2]. Unfortunately, existing research also suggests that Unmanned Aerial Vehicle (UAV) technology is being abused [3]. Two notable incidents involving UAVs in recent years include a UAV landing near the German chancellor Merkel [4], and a UAV crashing at the White House grounds [5]. With the number of UAVs increasing, it is a safe assumption that these devices will appear more frequently in courts of law.

Conducting digital forensics on a UAV requires investigating all components related to operating such a device [6]. In general, this set of components is referred to as an Unmanned Aircraft System (UAS) [7]. The UAS typically comprises a UAV, onboard systems (such as a camera), Ground Control Station (GCS), and remote controller.

In this research project we will focus on the acquisition of positional data from the UAS. Our ultimate goal is to combine positional data with sequence information to reconstruct the UAV’s flight path. The resulting evidence will help investigators determine whether the UAV could have been involved in an act of interest.

The DJI Phantom 2 Vision Plus serves as our research subject [8]. It is a popular consumer grade model also favoured by commercial operators [9].

Research question. As stated before, the main purpose of this research is to investigate the Phantom 2 Vision Plus UAS for artefacts related to the UAV’s location and reconstruct a flight path. Formalised, this produces the following research question: Can the flight path of a UAV be reconstructed using positional data gathered from a UAS?

Ethical considerations. As with any forensic investigation, personal information should be handled with care. Even though a UAS might not contain personal information, the implementation of components, such as a mobile device running GCS software, contains large amounts of personal data.

Document overview. The remainder of this paper is structured as follows. First, we will discuss related literature about forensics on UAVs, and about the DJI Phantom 2 Vision Plus specifically, in Section 2. In Section 3 we will explain what a flight path is and what information is needed to construct it, followed by our methodology for forensic analysis in Section 4. In this methodology we will discuss what components of the UAS we have investigated and how we perform the acquisition of data. After this we will present our findings in Section 5 and discuss counter forensic methods in Section 6. In Section 7 we analyse our findings and discuss methods to reconstruct the flight path. Finally, we conclude our research in Section 8 and present some future extensions on our research in Section 9.


2. Related work

While searching for related work it became apparent we were dealing with an emerging technology due to the limited amount of publications. We found a single article on the topic¹ and a single SANS DFIR presentation.

2.1 Relevance and challenges

Earlier in 2016, Horsman identified the need for forensic analysis of UAVs. The research shows that in cases where UAV technology is abused, a forensic analysis of these devices is necessary in order to establish the chain of events [3].

The research also includes an example forensic investigation of a Parrot Bebop UAS. We can utilise this example investigation to identify locations of possible artefacts.

2.2 Component analysis

Presented at the SANS DFIR Summit 2015, the work on UAV forensics by Kovar provides a good general introduction to the topic of performing forensics on a UAS [6]. Moreover, we were inspired by this research and our work extends upon it.

In his research, Kovar identifies that all components necessary for operating the UAV could contain digital evidence. Part (if not all) of Kovar’s research was also conducted on a DJI Phantom 2 Vision Plus. Therefore, we can use listed methods of accessing the UAS components to our advantage. Table 2.1 summarises basic information on the network created by the UAS. Each of these hosts is reachable using ssh by providing the publicly available credentials of the root user [6].

Component        IP address      Platform
Range extender   192.168.1.2     OpenWRT running BusyBox
UAV              192.168.1.1     OpenWRT running BusyBox
UAV camera       192.168.1.10    Ambarella A5s

Table 2.1: UAS network hosts

Additionally, our research will elaborate on two topics which were only briefly touched upon during Kovar’s presentation. These include EXIF data in recorded media files and obtaining the UAV’s home point. Both can contain important information on the UAS’s whereabouts.

¹ Based on multiple Google Scholar and University catalogue searches performed 17-02-2016.


3. Flight paths

To determine if acquired data contains flight path information we must first establish how this data is represented.

During a flight, the UAV moves along coordinates in 3D space. These coordinates are represented as latitude, longitude and altitude [10].

Latitude and longitude. When combined, latitude and longitude point to a position on an ellipsoid model of planet earth. There are multiple formats used to display latitude and longitude, the most common are [11]:

Format                          Example
Decimal degrees                 N52.3548 W4.9567
Degrees with decimal minutes    N52°21.288′ W4°57.402′
Degrees minutes seconds         N52°21′17.3″ W4°57′24.1″

Table 3.1: Coordinate representation

Altitude. To fully represent the UAV’s position in 3D space also requires information regarding its altitude (or elevation). Altitude information is usually shown as meters or feet above the earth’s surface [10].

Sequence. In establishing a flight path, sequence information could be considered essential as it allows identifying initial, intermediate and final coordinates. Acquired data from the UAS should therefore be investigated for either time stamps or IDs related to locations.


4. Methodology

This section elaborates on the equipment utilised in our experiments and introduces the methods used to perform forensic analysis of the UAS.

4.1 Equipment

Our research is performed on a DJI Phantom 2 Vision Plus UAV version 2.0 in default configuration (as sold by retailers). Additionally we used a rooted Motorola G (2nd generation) running Android version 5.0.2 in order to run the DJI Vision application. A virtual machine running Windows 7 32-bit was created in VirtualBox to run the Assistant software.

Before conducting our experiments, all components of the UAS were verified to have the latest versions of available software/firmware installed as shown in Table 4.1.

Package                       Version     Platform
DJI Assistant software        3.8         Windows
DJI Vision application        1.0.61      Android
FC200 camera firmware         1.3.0g      (Unknown) Camera
Flight controller firmware    3.14        (Unknown) UAV
P330CB main board firmware    1.0.2.10    (Unknown) UAV

Table 4.1: Installed UAS firmware/software

4.2 Shell access

The UAS comprises multiple devices requiring different methods of accessing its contents.

Our primary method of interacting with the system is through the wireless networks created by these devices. We obtain privileged shell access using the publicly available root user passwords as described in Section 2.2. Furthermore, we can use the same wireless network for limited interaction with the Flight Controller aboard the UAV by means of the dji-phantom-vision command line utility [12].

To interact with the Android device we installed the Android Debug Bridge (ADB), which is part of the Android SDK, on our forensic workstation.


4.3 Acquisition

In the acquisition phase we focus on obtaining forensic images of file systems and memories of all components in the UAS. To be able to determine which data is modified during a flight, we perform the acquisition in two separate conditions, pre-flight and post-flight.

The following subsections elaborate on the procedure for each component.

4.3.1 DJI Vision application

Due to the fact that the DJI Vision application is installed in the /data partition of the Android OS (which contains many files not related to our research), we decided to monitor file system changes instead of creating a forensic image of the entire partition. We used ADB pull commands to transfer the files to a forensic workstation for further analysis.

To acquire memory dumps of the DJI Vision app, we use the awesomememdumper utility¹. Once installed on the Android device, this utility writes memory contents of a specified process ID to files it creates on the SD card.

4.3.2 UAV and range extender

While logged in on the UAV or range extender OS, we can combine the dd and ssh commands to create and transfer device images as shown in Listing 4.1.

# dd if=/dev/mem | ssh [email protected] "dd of=/home/investigator/evidence/uav_mem.dd"

Listing 4.1: Creating and transferring a memory dump

The only requirement of this approach is that the openssh-server package is installed on the forensic workstation.

4.3.3 Camera

As the camera is running its own OS, we investigate its mounted file system and memory devices. To create and transfer the image we utilise the dd over ssh approach as shown in the previous subsection.

Additionally we acquired recorded media files from the camera’s micro SD card. The SD card is inserted into the slot of the camera controller’s housing mounted directly below the UAV’s shell.

¹ The awesomememdumper utility was developed by fellow students T. Does, D. Geist and F. Uijtewaal during a previous research project. The source code will be published on GitHub at a later date.


By design, there are multiple ways to retrieve the contents; next to ejecting the SD card and using a suitable reader, the system also offers a micro-USB interface which connects directly to the card. It is also possible for users to synchronise media files to their mobile device through the DJI Vision application.

Our preferred acquisition method was to eject the SD card, insert it into a forensic workstation’s card reader and create a forensic image for further analysis.

4.4 Counter forensics

In an effort to determine the integrity of acquired evidence, we will also investigate available counter forensic methods and whether these can be detected.


5. Results

Using the methods described in the previous section, we found significant information on multiple components of the UAS. In this section, we introduce and elaborate upon our findings and show how to exfiltrate artefacts from acquired data.

5.1 Flight plan data

We found several artefacts related to the location of the UAV in memory dumps of the DJI Vision application running in Ground Station mode. The following subsections will elaborate on the Ground Station feature and our findings.

5.1.1 Ground Station operation

The system’s Ground Station feature enables autonomously flying the UAV along a user-defined flight plan. Users can access Ground Station functionality through the DJI Vision application.

We found that the Ground Station feature is targeted at experienced users and is not enabled by default [13]. Furthermore, certain conditions will have to be met before the system offers full functionality to the user. First and foremost the DJI Vision application requires a connection to a mobile data or WiFi network in order to load a map of the area intended for flying. Additionally, displaying the UAV’s current location on the map and creating a flight plan is only available if the UAV obtained a positive Global Positioning System (GPS) lock (receiving 6 or more GPS signals). Once the GPS signal is locked the system will proceed to establish whether the UAV is located in restricted airspace; the system will prevent creating a flight plan in this case.

When the aforementioned conditions are met, the user can compose a flight plan by plotting waypoints onto the map. Several restrictions apply which are shown in Table 5.1. Properties marked with an asterisk show default values which can be modified by the user.

Property                         Limit
Number of waypoints              16
Flight altitude*                 200 m.
Distance from ground station*    500 m.
Total distance                   5000 m.

Table 5.1: Waypoint limitations


When the user has finished plotting the waypoints, the flight plan can be executed. This action can be performed while the UAV is in-flight or on the ground (it will take off automatically). When executing the flight plan, the application sequentially transfers all waypoints to the UAV’s flight controller. Subsequently, the UAV will fly to each waypoint.

5.1.2 Exfiltrating artefacts

In our experiment we created a small flight circuit on University premises comprising 3 waypoints as shown in Figure 5.1.

Figure 5.1: Ground Station interface with flight plan

We were able to exfiltrate waypoint information from process memory dumps of the DJI Vision application which were created before and after executing the flight plan. Significant findings include:

1. Coordinates of the most recently added waypoint

2. Coordinates of the UAV’s home point

3. The UAV’s altitude

4. Messages of waypoints being uploaded

All artefacts are stored as plain text in 16-bit character strings. The information can be acquired using the strings utility while specifying UTF-16 little endian encoding.

Please note that in our investigation into other UAS components we did not encounter any flight plan related information.


5.2 Recorded media

The camera attached to the UAV is capable of recording both images and video (5.2.1). We investigated the files created for significant EXchangeable Image File format (EXIF) data (5.2.2) and time stamps (5.2.3).

5.2.1 Storage

Recorded media files are stored in the /DCIM/100MEDIA folder on a FAT-formatted micro SD card. Formats used for media are jpeg for images and mp4 for video files. The file names consist of a "DJI" prefix followed by a 5 digit serial number which increments each time a new file is created (e.g. DJI00140.JPG).

5.2.2 Geotags

During our investigation of EXIF data, we verified Kovar’s finding that recorded images contain GPS attributes [6]. However, we also found these attributes in video files. Given that the UAV is able to obtain a GPS lock, the camera will store latitude and longitude coordinates¹. If the UAV is unable to lock the GPS signal, EXIF data simply does not contain GPS attributes. We did not observe that the camera tags files with "last known" coordinates when a GPS signal is (temporarily) unavailable.

The EXIF data in image files is not stored in plain text. Therefore, we obtained the data using the renowned exiftool utility. In contrast to the image files, and somewhat surprisingly, video files stored latitude and longitude in plain text. Hence, this information can be viewed in a regular text editor.

Please see Appendix A for a full listing of EXIF data contained in an image file recorded by the UAV’s camera.

Recorded media files did not contain any GPS altitude and/or time information in EXIF data. The latter appears to be a hardware limitation based on the u-blox NEO-6Q specifications [14].

5.2.3 Time stamps

Upon their creation, the camera stores multiple time stamps in image and video files. We distinguish time stamps stored in EXIF data and file access, creation and modification time stamps. The system relies on the Android device to provide a reference time (this is further elaborated upon in 6.1).

¹ Note that video files only contain one set of coordinates which are captured when recording starts.


5.3 Home point

The UAV obtains a reference to its current position through a u-blox NEO-6Q GPS receiver. The receiver is connected to the DJI Naza-M v2 Flight Controller through the UAV’s main board. If there are 6 or more GPS satellites available, and the UAV takes off, the Flight Controller will automatically record its current position as the home point. However, as listed in [13], the system also allows a user to set the home point in the following ways:

• Flicking the S2 switch on the remote control 5 times, instructing the Flight Controller to record the UAV’s current position as the home point.

• Enabling the Dynamic Home Point functionality in the DJI Vision application; this will reset the home point to the current position of the mobile device.

The home point is recorded as part of a fail-safe mechanism. If this mechanism is triggered (either by the user or by the system itself), the UAV will automatically return to the home point and attempt a landing.

In our experiments we were able to retrieve the home point from the Flight Controller. This was achieved by connecting our forensic workstation to the wireless network created by the UAS and running the dji-phantom-vision utility. The utility is able to reproduce the ser2net packets flowing from the DJI Vision application to the UAV and interpret packets sent from the UAV. Using this method we achieved similar results as stated by Kovar in [6]. The result of interrogating the Flight Controller for telemetry data is shown in Listing 5.1.

** Sent to port 0x0a, seq 51, cmd 0x49, subcmd 0x00,
error 0, payload len 0
...
** Rcv from port 0x0a, seq 51, cmd 0x49, subcmd 0x00,
error 0, payload len 52
...
[0x49]: Seq 51, GPS sats 9, home [+52.257929, +4.774034]
loc[+52.257931, +4.774035], accel xyz [+00, +00, +00],
ag +3.1 meter, compass roll/pitch/heading [180, 180, 021],
batt 11507mV (53%), unknown 6

Listing 5.1: Acquired telemetry

The nature of this data should be considered highly volatile. Moreover, we were only able to acquire the data once the UAV was in-flight and had a positive GPS lock.

Although the data gathered using this method is very useful to the investigation, we consider this method somewhat invasive and borderline offensive as it boils down to putting a tap on wireless network traffic sent within the UAS’s private network. Nevertheless, we decided to include it in our work as it might prove useful in certain cases.
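A parser for the output layout of Listing 5.1, added here as an example; it is not code from the paper or from the dji-phantom-vision project. The sample input is constructed from the listing plus one made-up unanswered request, and reading "ag" as a height in metres is an assumption.

```python
import re

# Constructed input: the layout of Listing 5.1, wrapped as printed there,
# plus one constructed request (seq 52) that never received a reply.
SAMPLE = """\
** Sent to port 0x0a, seq 51, cmd 0x49, subcmd 0x00,
error 0, payload len 0
** Rcv from port 0x0a, seq 51, cmd 0x49, subcmd 0x00,
error 0, payload len 52
[0x49]: Seq 51, GPS sats 9, home [+52.257929, +4.774034]
loc[+52.257931, +4.774035], accel xyz [+00, +00, +00],
ag +3.1 meter, compass roll/pitch/heading [180, 180, 021],
batt 11507mV (53%), unknown 6
** Sent to port 0x0a, seq 52, cmd 0x49, subcmd 0x00,
error 0, payload len 0
"""

MIN_SATS_FOR_LOCK = 6  # per the paper: a GPS lock needs 6 or more signals

HEADER = re.compile(
    r"\*\* (?P<dir>Sent to|Rcv from) port (?P<port>0x[0-9a-f]+), "
    r"seq (?P<seq>\d+), cmd (?P<cmd>0x[0-9a-f]+), "
    r"subcmd (?P<subcmd>0x[0-9a-f]+), error (?P<error>\d+), "
    r"payload len (?P<len>\d+)"
)
TELEMETRY = re.compile(
    r"\[0x49\]: Seq (?P<seq>\d+), GPS sats (?P<sats>\d+), "
    r"home ?\[(?P<home>[^\]]+)\] ?loc ?\[(?P<loc>[^\]]+)\], "
    r"accel xyz ?\[(?P<accel>[^\]]+)\], ag (?P<ag>[+-]?[\d.]+) meter, "
    r"compass roll/pitch/heading ?\[(?P<compass>[^\]]+)\], "
    r"batt (?P<mv>\d+)mV \((?P<pct>\d+)%\)"
)


def _nums(text, cast):
    """Split a bracketed 'a, b, c' field and convert every element."""
    return [cast(part) for part in text.split(",")]


def parse_log(text):
    """Return decoded telemetry records and the sequence numbers left unanswered."""
    flat = re.sub(r"\s+", " ", text)  # undo the line wrapping of the output
    sent, received = {}, {}
    for m in HEADER.finditer(flat):
        entry = {"error": int(m["error"]), "len": int(m["len"])}
        (sent if m["dir"] == "Sent to" else received)[int(m["seq"])] = entry

    records = []
    for m in TELEMETRY.finditer(flat):
        seq, sats = int(m["seq"]), int(m["sats"])
        reply = received.get(seq)
        records.append({
            "seq": seq,
            "sats": sats,
            "gps_lock": sats >= MIN_SATS_FOR_LOCK,
            "home": tuple(_nums(m["home"], float)),   # (lat, lon) of home point
            "loc": tuple(_nums(m["loc"], float)),     # (lat, lon) of the UAV
            "accel_xyz": _nums(m["accel"], int),
            "ag_m": float(m["ag"]),                   # assumed: height in metres
            "compass": _nums(m["compass"], int),      # roll, pitch, heading
            "battery_mv": int(m["mv"]),
            "battery_pct": int(m["pct"]),
            "reply_error": reply["error"] if reply else None,
            "reply_payload_len": reply["len"] if reply else None,
        })
    unanswered = sorted(set(sent) - set(received))
    return {"records": records, "unanswered": unanswered}


if __name__ == "__main__":
    result = parse_log(SAMPLE)
    for rec in result["records"]:
        print(rec["seq"], "lock" if rec["gps_lock"] else "no lock",
              "home", rec["home"], "loc", rec["loc"])
    print("unanswered requests:", result["unanswered"])
```

Because the data is volatile, the raw utility output should be kept alongside the parsed records so every value can be traced back to the captured text.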


5.4 Foreign SSIDs

As introduced in 2.2, the UAS generates a wireless network connecting multiple hosts. On system start-up, the range extender connects to a hidden network (SSID prefixed with "FC200") generated by the wireless network module aboard the UAV. Once the link has been established the range extender serves as the access point to the UAS network with a "Phantom" prefixed SSID.

Since the system is only able to create a network using aforementioned SSIDs, we expected to only find references to these SSIDs while investigating data acquired from the UAS’ components. However, we encountered several foreign SSIDs unrelated to the UAS network in the memory of the UAV’s and range extender’s OpenWRT instances.

The SSIDs were found to be stored in plain text and can be obtained from memory dumps using the strings utility. Note that the SSIDs are not grouped together and some SSIDs occur more than once. We observed at least 3 foreign network SSIDs in memory dumps created on several occasions.

Unfortunately we were unable to determine if the SSIDs were stored in any particular order or when the networks were available to the wireless modules.
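The string searches described in 5.1.2 (UTF-16 little endian text in the DJI Vision process dump) and in this section (plain-text SSIDs in the OpenWRT dumps) can be scripted so that every hit keeps its offset in the dump. The following is an added example, not the authors' tooling; the dump contents, the string layout "waypoint lat,lon" and the SSID names are constructed, and the candidate SSID list (for example from a survey of a location of interest) is an assumption.

```python
import re
from collections import defaultdict

# Byte patterns for printable runs, equivalent in spirit to strings(1):
# "ascii" is the default mode, "utf-16le" corresponds to `strings -e l`.
PATTERNS = {
    "ascii": rb"[\x20-\x7e]{%d,}",
    "utf-16le": rb"(?:[\x20-\x7e]\x00){%d,}",
}
COORD = re.compile(r"[+-]?\d{1,3}\.\d{4,}")   # decimal degrees, 4+ decimals
OWN_PREFIXES = ("Phantom", "FC200")           # SSID prefixes of the UAS itself


def extract_strings(data, encoding, min_len=4):
    """Yield (offset, text) for each printable run in the given encoding."""
    for m in re.finditer(PATTERNS[encoding] % min_len, data):
        yield m.start(), m.group().decode(encoding)


def coordinate_strings(data):
    """UTF-16LE strings holding at least two decimal numbers (lat/lon candidates)."""
    hits = []
    for offset, text in extract_strings(data, "utf-16le"):
        nums = [float(n) for n in COORD.findall(text)]
        if len(nums) >= 2:
            hits.append((offset, text, (nums[0], nums[1])))
    return hits


def ssid_hits(data, candidates):
    """Map each candidate SSID found as ASCII text to its offsets in the dump.

    SSIDs carrying the UAS's own prefixes are reported separately from
    foreign ones; candidates that never occur are left out.
    """
    found = {"own": defaultdict(list), "foreign": defaultdict(list)}
    for offset, text in extract_strings(data, "ascii"):
        for ssid in candidates:
            for m in re.finditer(re.escape(ssid), text):
                kind = "own" if ssid.startswith(OWN_PREFIXES) else "foreign"
                found[kind][ssid].append(offset + m.start())
    return {kind: dict(hits) for kind, hits in found.items()}


def build_sample():
    """Constructed stand-in for a memory dump: filler plus embedded strings."""
    filler = bytes(range(0, 32)) * 4          # 128 non-printable bytes
    return (filler
            + "waypoint 52.257929,4.774034".encode("utf-16le")
            + filler + b"CoffeeCorner-Guest\x00"
            + filler + b"Phantom_10a2b3\x00"
            + filler + b"CoffeeCorner-Guest\x00")


if __name__ == "__main__":
    dump = build_sample()
    for offset, text, pair in coordinate_strings(dump):
        print(f"0x{offset:08x} {text!r} -> {pair}")
    survey = ["CoffeeCorner-Guest", "Phantom_10a2b3", "Library-WiFi"]
    for kind, hits in ssid_hits(dump, survey).items():
        for ssid, offsets in hits.items():
            print(kind, ssid, [hex(o) for o in offsets])
```

Repeated offsets for the same SSID reflect the duplicates noted above; they say nothing about order or time of observation.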


6. Counter forensics

The integrity of evidence described in previous sections should not be taken for granted. In this section we will elaborate on methods of falsifying time stamps and blocking the GPS receiver.

6.1 Altering time stamps

To produce accurate time stamps, the UAV’s onboard camera needs a reference time. We observed that when only powering on the UAV and recording images by using the button on the camera itself, image files stored on the SD card would show a creation date of January 1st 2008 and time starting at 00:00. However, when connecting the range extender and Android device to the wireless network, files of recorded images showed a correct timestamp.

Further investigation revealed that it is possible to manipulate the timestamp of recorded media files by altering the system time in the Android OS before powering on the UAV. Afterwards all files created by the camera show the modified timestamp.

Without access to the Android OS running the DJI Vision application or camera logs, it will be impossible to ascertain if time stamps of media files stored on the SD card have been tampered with.

6.2 Blocking GPS signals

As discussed in previous sections, the UAV propagates geographic coordinates from the receiver to the UAV’s camera and Flight Controller. It should be considered that a suspect might want to hide this information (e.g. to deny participation in illegal surveillance).

Initially we investigated the possibility to simply disconnect the GPS receiver by unplugging its cable from the UAV’s main board. However, this triggers a mechanism which prevents starting the electric motors, effectively preventing the UAV from taking off.

Through further experimentation we observed that it is possible to block GPS signal reception by attaching tin foil to the top of the UAV directly over the GPS receiver. Consequently, with no source available, the camera no longer stores geographic coordinates in EXIF data. Additionally, the Flight Controller no longer records a home point on take-off.

Please note that blocking the GPS receiver also allows users to fly the UAV in restricted airspace.


7. Analysis

Utilising our findings, we can describe two relatively precise methods of recreating a flight path. First, we are able to retrieve flight plan artefacts from the DJI Vision application memory. Second, we can combine GPS locations found in the EXIF data of recorded media. A less precise method is using the encountered SSIDs found in the memory of the UAV.

7.1 Flight plan artefacts

To be able to reconstruct the flight path using flight plan artefacts, we only need access to the memory of the DJI Vision application. This implies that the mobile device needs to be investigated with the application still running.

The device running the application can be connected to a specific Phantom UAV, as the network that can be seen on both devices will have the same SSID. Another way of connecting the device running the application and the UAV is investigating the MAC address used to bind the two devices, which can be found within the settings of the application.

7.2 EXIF data

Reconstructing the flight path using the EXIF data in recorded media files only requires access to the SD card of the camera. This data is persistent and is possibly still intact even after the UAV has crashed or is taken down.

As described in 5.2.2, when the UAV has a GPS lock, the camera will store latitude and longitude information in the EXIF data of media files. Additionally, these media files are numbered sequentially allowing to determine the path from one media file to the next.

The EXIF data also contains the system time. Even if this information has been tampered with (see 6.1), relative time in between media files recorded during the same flight will remain correct, as the time is only set on system start-up.
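The reconstruction described in this section, as an added example that is not the authors' code: media files are ordered by serial number, geotagged files become path points, and time is reported relative to the first file of a power cycle. The records are constructed and shaped like `exiftool -json -n` output; the tag names, and treating a backwards clock jump as a new power cycle and a serial gap as a missing file, are assumptions.

```python
import math
import re
from datetime import date, datetime

# Constructed records shaped like `exiftool -json -n` output for image files
# from /DCIM/100MEDIA. Tag names are assumptions; all values are made up.
SAMPLE = [
    {"FileName": "DJI00141.JPG", "DateTimeOriginal": "2016:02:17 14:03:51",
     "GPSLatitude": 52.2589, "GPSLongitude": 4.7740},
    {"FileName": "DJI00140.JPG", "DateTimeOriginal": "2016:02:17 14:03:21",
     "GPSLatitude": 52.2579, "GPSLongitude": 4.7740},
    {"FileName": "DJI00142.JPG", "DateTimeOriginal": "2016:02:17 14:04:10"},
    {"FileName": "DJI00144.JPG", "DateTimeOriginal": "2016:02:17 14:05:00",
     "GPSLatitude": 52.2589, "GPSLongitude": 4.7750},
    {"FileName": "DJI00145.JPG", "DateTimeOriginal": "2008:01:01 00:00:12",
     "GPSLatitude": 52.2580, "GPSLongitude": 4.7750},
]

NAME = re.compile(r"^DJI(\d{5})\.(?:JPG|MP4)$", re.IGNORECASE)
DEFAULT_DATE = date(2008, 1, 1)   # date the camera uses without a reference time
EARTH_RADIUS_M = 6371000.0


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def reconstruct(records):
    """Order media by serial number; return path points and findings."""
    items = []
    for rec in records:
        m = NAME.match(rec.get("FileName", ""))
        if not m:
            continue  # not a file name the camera would create
        pos = None
        if "GPSLatitude" in rec and "GPSLongitude" in rec:
            pos = (float(rec["GPSLatitude"]), float(rec["GPSLongitude"]))
        items.append({
            "file": rec["FileName"], "serial": int(m.group(1)), "pos": pos,
            "time": datetime.strptime(rec["DateTimeOriginal"],
                                      "%Y:%m:%d %H:%M:%S"),
        })
    items.sort(key=lambda it: it["serial"])

    findings = []
    session, start, prev, last_pos = 0, None, None, None
    for it in items:
        if prev and it["serial"] != prev["serial"] + 1:
            findings.append(f"{it['file']}: serial gap after {prev['file']}")
        if prev and it["time"] < prev["time"]:
            # The clock is only set at start-up, so a backwards jump is
            # treated as a new power cycle with its own relative time.
            session, start, last_pos = session + 1, None, None
            findings.append(f"{it['file']}: clock earlier than previous file")
        if it["time"].date() == DEFAULT_DATE:
            findings.append(f"{it['file']}: camera default date")
        if it["pos"] is None:
            findings.append(f"{it['file']}: no GPS attributes")
        start = start or it["time"]
        it["session"] = session
        it["elapsed_s"] = (it["time"] - start).total_seconds()
        it["leg_m"] = None
        if it["pos"] and last_pos:
            it["leg_m"] = haversine_m(last_pos, it["pos"])
        last_pos = it["pos"] or last_pos
        prev = it
    return {"path": items, "findings": findings}


if __name__ == "__main__":
    result = reconstruct(SAMPLE)
    for p in result["path"]:
        print(p["session"], p["file"], p["elapsed_s"], p["pos"], p["leg_m"])
    for finding in result["findings"]:
        print("finding:", finding)
```

A file without GPS attributes stays in the sequence so its relative time is preserved, but it contributes no path point.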

7.3 Network SSIDs

It will be very hard to reconstruct a precise flight path using the foreign SSIDs found in the memory of the UAV. If, however, the SSIDs can be linked to geographical location, i.e. the combination of SSIDs is unique to one location or path, then a rough operational area of the UAV can be established.

This approach is the least precise, but only requires access to the memory of the OpenWRT instance of the UAV. This implies that even if the operator has not recorded any media files or created a flight plan, a rough estimation of where the UAV was flown can be reconstructed.


8. Conclusion

When comparing the three methods described in the previous section, obtaining flight plan artefacts will provide the most detailed information. It is, however, also the hardest to retrieve in most cases, as the operator needs to be caught red handed while the application is still running.

The other two methods require access to the physical UAV. If the UAV is powered on when the investigation starts it is important to first dump the memory of the OpenWRT instance in order to get the SSIDs stored in it. Afterwards the investigator can check whether pictures or videos were created. Using the EXIF data of recorded media files is preferable as it is more precise, but this requires the operator to have taken multiple pictures or videos.

In situations where cold forensic analysis is the only option, the only information that can be retrieved from the UAS is EXIF data in recorded media files.

When investigating a Phantom 2 Vision Plus that is committing an act of interest, the home point of the UAV might reveal the location of the operator. This information can be retrieved in real-time by requesting it from the UAV’s Flight Controller.

Summarising our findings, we can conclude that there are multiple methods which can be used to reconstruct a flight path using positional data gathered from a Phantom 2 Vision Plus UAS. Some methods are more precise than others and there are prerequisites to the system’s state that will not be met in all cases.


9. Future work

Reflecting on what could have been achieved during our research, a number of subjects come to mind that can be used in future research efforts.

Flight Controller. Due to time constraints we were not able to delve into the operation of the Naza-M v2 Flight Controller. Based on our experiments we expect that this subsystem contains the coordinates of waypoints related to the flight plan created on the mobile device. Therefore, it might be worthwhile to thoroughly investigate this component and determine whether these waypoints can be retrieved somehow. Perhaps using yet undisclosed ser2net commands?

Hardware acquisition. Because we lacked the necessary equipment we were not able to perform chip-off procedures to acquire memory contents of all the components. We do not expect to find more information this way, except for the information that can be retrieved from the Flight Controller. Should it prove possible to acquire significant data directly from the memory chips, then this would allow forensic analysis without having shell (or serial) access to the UAV.

Investigation of newer models. At the time of writing, the DJI Phantom 3 and Phantom 4 UAVs have superseded the model investigated in our research. Using our methods as a basis, it would be interesting to perform a similar forensic analysis on the new models.

DJI Vision on iOS. As the DJI Vision (or the newer DJI GO) application is also available for iOS, it would benefit future investigations to research applications on this platform as well. As more and more features are added to these applications, they should be considered individual research subjects themselves.

Developer SDK. Although several on-line sources hinted towards a manufacturer SDK being available for the UAS researched in this paper, we were unable to locate it. We assume it has been dropped in favour of supporting the newer Phantom 3 and Phantom 4 model ranges. In any case, it might be very beneficial to forensic investigations if an application could be developed using a manufacturer SDK as a basis for acquiring the data.


Bibliography

[1] Robotics Trends. Consumer Drone Market to Reach $4.6 billion in 2025.2016. url: http://www.roboticstrends.com/article/consumer_

drone_market_to_reach_46_in_2025/ (visited on 02/21/2016).

[2] Teal Group. UAV Production Will Total $93 Billion. 2015. url: http://www.tealgroup.com/index.php/about-teal-group-corporation/

press- releases/121- uav- production- will- total- 93- billion/

(visited on 02/21/2016).

[3] Graeme Horsman. “Unmanned aerial vehicles: A preliminary analysis offorensic challenges”. In: Digital Investigation 16 (2016), pp. 1–11. issn:1742-2876. doi: http://dx.doi.org/10.1016/j.diin.2015.11.

002. url: http://www.sciencedirect.com/science/article/pii/S1742287615001097.

[4] TorrentFreak. Pirate Party Crashes Spy Drone in Front of German Chan-cellor Angela Merkel. 2013. url: https://torrentfreak.com/pirate-party - crashes - spy - drone - in - front - of - german - chancellor -

angela-merkel-130917/ (visited on 03/18/2016).

[5] The New York Times. White House Drone Crash Described as a U.S.Workers Drunken Lark. 2015. url: http://www.nytimes.com/2015/01/28/us/white-house-drone.html (visited on 03/18/2016).

[6] David Kovar. UAV (aka drone) Forensics. Slides of a talk given at SANSDFIR summit in Austin, TX July 7 and 8. 2015. url: https://files.sans . org / summit / Digital _ Forensics _ and _ Incident _ Response _

Summit_2015/PDFs/ForensicAnalysisofsUASakaDronesDavidKovar.

pdf.

[7] Reg Austin. Unmanned aircraft systems: UAVS design, development anddeployment. Vol. 54. John Wiley & Sons, 2011.

[8] DJI. Phantom 2 Vision+. 2016. url: http://www.dji.com/product/phantom-2-vision-plus (visited on 02/20/2016).

[9] David Kovar. What are the most popular drones for commercial use? 2015.url: https://integriography.wordpress.com/2015/06/30/what-are-the-most- popular- drones- for-commercial- use- lets- ask-

the-section-333-data/ (visited on 02/20/2016).

[10] Wikipedia. Geographic coordinate system. url: https://en.wikipedia.org/wiki/Geographic_coordinate_system (visited on 03/28/2016).

[11] Wikipedia. Geographic coordinate conversion. url: https://en.wikipedia.org/wiki/Geographic_coordinate_conversion (visited on 03/28/2016).

16

Page 20: Digital forensics on a DJI Phantom 2 Vision+ UAV · Abstract In this research we perform a forensic investigation on an Unmanned Aircraft System, speci cally the DJI Phantom 2 Vision

[12] noahwilliamsson. Hijacking DJI Phantom 2 Vision and P2V+ (eventu-ally). 2014. url: https://github.com/noahwilliamsson/dji-phantom-vision (visited on 03/01/2016).

[13] DJI. Phantom 2 Vision+ User Manual. 2015. url: http://dl.djicdn.com/downloads/phantom_2_vision_plus/en/Phantom_2_Vision_

Plus_User_Manual_v1.8_en.pdf (visited on 02/20/2016).

[14] u-blox. NEO-6 series. 2016. url: https : / / www . u - blox . com / en /

product/neo-6-series (visited on 03/28/2016).

17

Page 21: Digital forensics on a DJI Phantom 2 Vision+ UAV · Abstract In this research we perform a forensic investigation on an Unmanned Aircraft System, speci cally the DJI Phantom 2 Vision

A. Sample EXIF data

The listing below shows EXIF data retrieved by exiftool from an image file recorded by the UAV's onboard camera. Please note that we did not use a write blocker in this case (as is evident from the modified access times).

ExifTool Version Number : 10.13

File Name : DJI00140.JPG

Directory : C:/Evidence/Camera/DCIM/100MEDIA

File Size : 1810 kB

File Modification Date/Time : 2016:03:24 19:40:11+01:00

File Access Date/Time : 2016:03:24 19:40:11+01:00

File Creation Date/Time : 2016:03:24 19:40:11+01:00

File Permissions : rw-rw-rw-

File Type : JPEG

File Type Extension : jpg

MIME Type : image/jpeg

Exif Byte Order : Big-endian (Motorola, MM)

Image Description : DCIM\100MEDIA

Make : DJI

Camera Model Name : PHANTOM VISION FC200

Orientation : Horizontal (normal)

X Resolution : 72

Y Resolution : 72

Resolution Unit : inches

Software : Ver.1.0.000

Modify Date : 2016:03:11 15:58:32

Y Cb Cr Positioning : Centered

Exposure Time : 1/1769

F Number : 2.8

Exposure Program : Program AE

ISO : 100

Exif Version : 0221

Date/Time Original : 2016:03:11 15:58:32

Create Date : 2016:03:11 15:58:32

Components Configuration : Y, Cb, Cr, -

Compressed Bits Per Pixel : 1.296502507

Shutter Speed Value : 1/1769

Aperture Value : 2.8

Exposure Compensation : 0

Max Aperture Value : 2.8

Subject Distance : undef

Metering Mode : Center-weighted average

Light Source : Unknown

Flash : No flash function

Focal Length : 5.0 mm


Warning : [minor] Unrecognized MakerNotes

Flashpix Version : 0100

Color Space : sRGB

Exif Image Width : 4384

Exif Image Height : 2466

Interoperability Index : R98 - DCF basic file (sRGB)

Interoperability Version : 0100

Exposure Index : undef

Sensing Method : One-chip color area

File Source : Digital Camera

Scene Type : Directly photographed

Custom Rendered : Normal

Exposure Mode : Auto

White Balance : Auto

Digital Zoom Ratio : 1

Focal Length In 35mm Format : 30 mm

Scene Capture Type : Standard

Gain Control : None

Contrast : Normal

Saturation : Normal

Sharpness : Normal

Device Setting Description : (Binary data 4 bytes, use -b option to extract)

Subject Distance Range : Unknown

GPS Version ID : 2.2.0.0

GPS Latitude Ref : North

GPS Longitude Ref : East

Compression : JPEG (old-style)

Thumbnail Offset : 2048

Thumbnail Length : 5567

Preview Image : (Binary data 94296 bytes, use -b option to extract)

Image Width : 4384

Image Height : 2466

Encoding Process : Baseline DCT, Huffman coding

Bits Per Sample : 8

Color Components : 3

Y Cb Cr Sub Sampling : YCbCr4:2:2 (2 1)

Aperture : 2.8

GPS Latitude : 52 deg 21' 13.00" N

GPS Longitude : 4 deg 57' 21.00" E

GPS Position : 52 deg 21' 13.00" N, 4 deg 57' 21.00" E

Image Size : 4384x2466

Megapixels : 10.8

Scale Factor To 35 mm Equivalent: 6.0

Shutter Speed : 1/1769

Thumbnail Image : (Binary data 5567 bytes, use -b option to extract)

Circle Of Confusion : 0.005 mm

Field Of View : 61.9 deg

Focal Length : 5.0 mm (35 mm equivalent: 30.0 mm)

Hyperfocal Distance : 1.78 m

Light Value : 13.8
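As an added illustration (not code from the paper), the sketch below turns exiftool text output for several images into a time-ordered flight path, using the EXIF Date/Time Original tag rather than the file system times, which the listing above shows were overwritten during acquisition. It assumes a multi-file dump in which each record starts at a File Name line; apart from the DJI00140.JPG values, the sample records are constructed.

```python
import re
from datetime import datetime
# Constructed exiftool text dump, deliberately out of capture order. Only the
# DJI00140.JPG record repeats values from the listing; the rest is made up.
SAMPLE = """\
File Name                       : DJI00142.JPG
Date/Time Original              : 2016:03:11 15:59:10
GPS Latitude                    : 52 deg 21' 14.00" N
GPS Longitude                   : 4 deg 57' 23.00" E
File Name                       : DJI00140.JPG
File Modification Date/Time     : 2016:03:24 19:40:11+01:00
Date/Time Original              : 2016:03:11 15:58:32
GPS Latitude                    : 52 deg 21' 13.00" N
GPS Longitude                   : 4 deg 57' 21.00" E
File Name                       : DJI00141.JPG
Date/Time Original              : 2016:03:11 15:58:50
"""
DMS = re.compile(r"(\d+) deg (\d+)['\u2019] ([\d.]+)\" ([NSEW])")  # ' or U+2019
REQUIRED = ("Date/Time Original", "GPS Latitude", "GPS Longitude")

def dms_to_decimal(text):
    """Convert exiftool degrees/minutes/seconds text to signed decimal degrees."""
    m = DMS.search(text)
    if not m:
        raise ValueError(f"unparseable coordinate: {text!r}")
    deg, minutes, seconds, hemi = m.groups()
    value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return -value if hemi in "SW" else value

def parse_records(dump):
    """Split a multi-file dump into one tag dict per 'File Name' line."""
    records = []
    for line in dump.splitlines():
        tag, sep, value = (part.strip() for part in line.partition(":"))
        if sep and tag == "File Name":
            records.append({})
        if sep and records:
            records[-1][tag] = value
    return records

def flight_path(dump):
    """Return (time, lat, lon, file) tuples ordered by EXIF capture time."""
    points = []
    for rec in parse_records(dump):
        if all(tag in rec for tag in REQUIRED):  # skip images without a GPS fix
            when = datetime.strptime(rec["Date/Time Original"], "%Y:%m:%d %H:%M:%S")
            points.append((when, dms_to_decimal(rec["GPS Latitude"]),
                           dms_to_decimal(rec["GPS Longitude"]), rec["File Name"]))
    return sorted(points)
```

Images without GPS tags (the constructed DJI00141.JPG here) are left out of the path rather than plotted at a guessed position.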
