2. Drone Forensic Models and Frameworks
The literature on drone forensics has been loaded with different models and frameworks proposed by various scholars. They consider four perspectives in common: forensic analysis, non-forensic analysis, forensic framework, and application in the forensic analysis
[16]. For instance, in
[8][9][8,9], the researchers focused on the ways to improve the evidence needed in cases where a drone is examined under digital forensics conditions. They concentrated upon the wireless forensics aspects. On the other hand, in
[19], the authors discussed all components of a drone. They all emphasized the use of the Linux operating system and its potential to gather evidence on the Linux file system. Note that to work properly, drones need to use an OS. The researchers in
[20] attempted to build a tool using Java-FX to visualize the real-time flight control. Their designed tool is not directly applicable to the DF field; however, it can create efficient connections between a drone and its controller to transfer data. In addition, this tool can display sensor parameters, including GPS, IMU, and altitude for pilots, providing a great level of flight safety
[21][22][21,22]. In the same way, the researchers in
[23] forensically examined the DJI Phantom 2 Vision Plus to find out whether the flight path of a UAV can be reconstructed using positional data collected from the UAV. They also carried out a brief examination of counter-forensic methods to discover whether the record of a flight path can be detected. In
[24], the authors conducted a preliminary forensic analysis on the Parrot Bebop, known as the only UAV similar to the Parrot AR Drone 2.0. In
[14], the most important challenges in UAV forensic analyses were addressed; then, two separate parts, i.e., UAV and flight controller, were investigated. In that study, the author retrieved the flight-related data from the device in the form of “.pud” files and then created a novel “.pud” file at each session between the UAV and the controller. In the case of each “.pud” file, at the opening point of the file, a set of metadata was found, comprising the UAV’s serial number, the date and time of the flight, the flight controller model, and the flight controlling application. After that, the author attempted to determine the images and videos recorded by the UAV’s onboard camera. In the images, there were the EXIF data showing information about the latitude and longitude coordinates of the sites from which the images had been taken. However, the owner of the device could be identified only if the UAV and controller are seized by determining the serial number of the device.
In
[19], a general review was performed on drone forensics using the DJI Phantom 2. The breakdown analyses of the drone’s software and hardware components were conducted; then, the way the components could be used when implementing drone forensics was examined. The results obtained in that study established a belief in the persistence and scope of drone forensics. In addition, the study findings could facilitate having deeper insight into this concept and enhance its quality. Furthermore, in
[25], working on the Parrot AR Drone 2.0, the authors attempted to integrate the visualizing data recovered from drones with a non-forensic approach. They designed an application to visualize the log parameters from flight data. However, only a small number of drones were evaluated in their study. The researchers in
[26] analyzed the drones’ vulnerabilities and applications and their relationships with issues that generally arise in the cybersecurity domain. They asserted that if a drone is hacked and abused by opponents, serious risks or consequences may arise. That study primarily focused on identifying the benefits of using drones in numerous conditions, from employing these devices as children’s toys to using them as mass destruction weapons.
The authors in
[27] proposed a 12-phase forensic framework to offer an innovative approach to the systematic investigation of UAVs. Wide-ranging tests were carried out on five commercial UAVs, for instance, the Parrot AR Drone 2.0, to identify the relationships amongst various components. They also executed an experiment to validate their developed framework. All the UAVs tested in the study were modified by adding and removing some parts. These modifications were done to check whether the framework involved all of the various elements in any basic commercial UAV and to examine whether it could be applied to a comprehensive UAV analysis. They found out that an important issue that does not allow for mitigating the attacks effectively is the deficiency of law enforcement training processes in UAVs. None of the UAVs were exposed to forensic analyses; however, an effective framework was finally constructed, which applied to the examination and analysis of the stages involved.
The authors in
[28] were the first researchers that comprehensively analyzed the DJI Phantom 3 Standard. The examined UAV was flown towards two different sites. Then, the collected data were separated into three parts: controller, drone, and phone/tablet. Eventually, they explored two types of files of interest: the “.dat” files produced by the UAV and the “.txt” files produced by the DJI GO application. The files were first subjected to the decryption and decodification processes; after that, the information about the GPS locations, flight status, Wi-Fi connections, remote control, motors, etc., was extracted. When the obtained data were analyzed, and the proprietary file structures were well-understood, the researchers developed the DROP tool for the analysis of the evidentiary files. They also developed a forensically-sound open-source drone parser (DROP) tool.
In
[29], the researchers comprehensively discussed how the GPS coordinates could be used as location evidence while examining the crimes committed with the help of a drone. They attempted not only to extract the system logs but also to visualize GPS coordinates on maps, where the web-based third-party platforms were used to plot the flight paths.
In
[30], the authors explored the flight data correlation among drones, SD cards, and mobile phones. Finding a connection between a drone and a suspect significantly facilitates criminal inspections. The application of specific software to private UAV devices could provide many digital items such as GPS timestamps and waypoints, several connected satellites, barometer, pitch, roll, battery status, azimuth, distance, photos, and videos.
In
[31], the essential major log parameters of the autonomous drone were analyzed, and it was suggested to employ comprehensive software architecture related to drone forensics with preliminary results. The researchers expected that their developed software could provide a user-friendly graphical user interface (GUI) based on which the users could extract and investigate the onboard flight information. In addition, they claimed their findings would contribute to the body of the drone forensics field by designing a new tool that greatly helps run investigations effectively on criminal deeds executed with the help of drones.
As reported in
[32], open-source tools, e.g., ExifTool and CsvView, have been used in different studies to extract items from mobile applications of drones using mobile forensic techniques. The researchers in that paper used Windows and Kali (a Linux distribution) as forensic workstations to conduct the needed analyses on A.R Drone and DJI Phantom 3. Different open-source tools such as Geo-Player have been used primarily to visualize the data related to the flight path. Due to the absence of a proper built environment, including a package manager, configuration tools, and a compiler within the UAV system, this option entails making a serious change to the data existing in the UAV. Therefore, it was terminated in favor of the logical level acquisition. This was carried out by mounting a forensic mass storage device onto a UAV; the existing files were copied entirely from the mounted “/ data” partition using the “cp” command.
Ref.
[33] discussed the challenges that might arise during a UAV/drone forensic analysis. For this purpose, the currently employed forensic guidelines were evaluated for their efficiency when used in the DRF domain. After that, the authors offered their own set of guidelines in this regard. To end with, they explained how their procedures could be effectively implemented when analyzing a drone forensically. They employed DJI Phantom 3 drone as their case study. A key limitation in UAV forensics is that there is not any confirmed forensically useful tool (this indeed recommends a direction for future research). For example, the subsequent logical step is the creation of different parsing tools that can analyze original data and make available readable and reliable information. In addition, UAVs are expected to attain the capacity needed for being properly integrated with radio communication services in the future.
In
[34], a novel architecture was introduced using the ID-based Signcryption to guarantee the authentication process and privacy preservation. In the initial step, the authors defined the key elements that the architecture relies on. After that, they investigated the interactions between these elements to explore how the process goes on. Next, they elaborated on their proposed authentication scheme. Thus, the RFID tags were applied to tracking the drones and the temporary identity to preserve privacy. In addition, they simulated the calculation of the average renewal of temporary identity by testing the drones’ different times and speeds.
The researchers in
[35] made a forensic analysis of a captured UAV. Security forces may capture suspected UAVs using different techniques or tools such as a shotgun; these devices may break into private properties. It is necessary to determine what software/hardware modules are used to examine a UAV. After that, the investigator needs to perform three activities: gathering accessible evidence, providing the chain of custody, and analyzing the media/artifact loaded on the UAV. The increasing incidence of unlawful utilization of UAVs reflects legal ambiguity and uncertainty in the existing aviation regulations. This problem has resulted in a shortage of evidence and fundamental standards.
In
[36], the authors attempted to identify the potential cyber-physical security threats and address the current challenges attributed to UAV security before a time in the future when UAVs are the predominant vehicles used by ordinary people. Furthermore, in that study, there is a suggestion about using a certain method that can be applied effectively to examining large-scale cyber-security attack vectors of such systems concerning four classes of systems, which are highly important to UAV operations. Furthermore, the authors elaborated on the contributions of their findings and suggested the appropriate ways to defend against such attacks. The researchers in
[37] designed arbitrary software and then applied it to a locked target to gain access to the device’s interior sensors and logs with the help of neutralization and hardening strategies to predict the effectiveness. The researchers in
[38] designed an innovative scheme called distributed, agent-based secure mechanism for IoD and smart grid sensors monitoring (DASMIS). They aimed to test a hybrid of peer-to-peer (P2P) and client-server (C/S) network architecture with reduced protocol overheads for immediate and bandwidth-efficient communication. Each node within this system is assigned with an initial status and provided with a python-based agent that can scan and detect in read-only node IDs, node MAC address, system calls made, node IP address, all running system programs and applications, installed applications, and modifications. The agent securely authenticates the nodes, puts communications in a coded form, and approves inter-node access. This can prevent and detect different attacks, e.g., modification, masquerading, and DoS attacks. In addition, it can execute data encryption and hashing and report the changes to other peer nodes and the server located at the C&C center. In
[39], the researchers attempted to facilitate the processes such as generating, analyzing, validating, and optimizing data to trace evidence recovery. To do this, they introduced and explained the approach adopted for solving this problem considering the target fiber retrieval context using self-adhesive tapes.
In
[40], the authors attempted to adapt digital forensic processes to enhance drone incident response plans by implementing the drone forensic analysis process. The authors in that study provided more detailed information about the developed Drone Forensics and Incident Response Plan. They concluded that the Federal Aviation Administration (FAA) could update what unmanned aerial systems (UAS) require based on two classifications of UAS. In addition, they performed an inclusive review of the existing literature. They found that it lacks research concentrating on incident responses and forensic analysis frameworks designed specifically for remotely piloted aerial systems. Then, they attempted to bridge this gap. The researchers in
[41] introduced the concept of “electromagnetic watermarking” as a technique exploiting the IEMI impacts to embed a watermark into civilian UAVs so that forensic tracking could be done well. In
[42], many aircraft accident investigators and drone forensics investigators were surveyed to find out how they employ forensic models to carry out forensic analyses on drones. The authors analyzed the data using the chi-square test of independence; it revealed no significant connection between the drone investigations of the groups of respondents and the techniques they use to perform UAS forensics.
[43] introduced a new method to accurately and quickly determine whether a drone is lying on the ground or in the sky. These results are attained just by eavesdropping on the radio traffic and processing it using standard machine learning techniques (instead of using any active approach). The authors in that study asserted that if the network traffic is classified properly, the exact status of a drone could be accurately determined using the overall operating system of ArduCopter (for instance, several DJI and Hobbyking vehicles). Furthermore, a lower bound was created on the detection delay when using the aforementioned method. It was confirmed that their proposed solution could discriminate against a drone’s state (moving or steady) with approximately 0.93 SR in 3.71 s. The researchers in
[44] assessed and discussed the security vulnerabilities of Parrot Mambo FPV and Eachine E010 drones. They then suggested proper countermeasures to enhance their resilience against possible attacks. The findings showed that Parrot Mambo FPV was vulnerable to de-authentication and FTP service attacks, while Eachine E010 was susceptible to radio frequency (RF) replay and custom-made controller attacks.
The authors in
[45] discussed the overall legal processes that need to be taken into action to collect drones from the crime scene and investigate them in the laboratory. In addition, in
[46], a model was introduced for collecting and documenting digital data from the flight items and the related mobile devices to aid investigators in forensically examining two common drone systems, i.e., the Mavic Air and DJI Spark. Recently, several studies have been conducted in the drone forensics domain. For example, in
[47], a novel drone forensic readiness framework was proposed; however, it lacked a real implementation. Moreover, the authors addressed several issues and challenges in the drone forensics domain in
[16][48][49][50][51][52][53][16,48,49,50,51,52,53].
The variety of drone infrastructures makes drone forensics a diverse, complex, and unclear domain. Researchers and developers typically deal with the drone forensics domain from three perspectives: drone infrastructures perspective and technical perspective as well as drone incident perspective. However, they vary in covering the perspectives. For example, some models covered all three drone forensics perspectives, whereas others covered two, and others covered only one.
The comprehensive review of all drone forensic models reveals that the drone forensics domain lacks a unified model/framework for data collection and analysis. There is a lack of a post-investigation stage that can facilitate evaluating the investigation stage and overcoming previous mistakes.
3. Machine Learning Techniques Used in the Drone Forensics Field
Machine learning (ML) is an artificial intelligence (AI) area that deals with developing mathematical predictive models. These models are created in a way to analyze large volumes of data and uncover repeated patterns by using the underlying correlations among the various components of the data. This aids in the decision-making process without human interference. Such techniques also attempt to increase the forecast accuracy by learning from “experience” (also known as historical data). A training phase and a testing phase are both included in machine learning algorithms. The process of enhancing prediction performance is closely based on the process of training the model, when these models are given a large amount of historical data to produce mathematical values, simulating an artificially trained brain. Systems security
[54], natural language processing
[55], robotic vehicles
[56], fraud detection
[57], text and handwriting classification
[58], object categorization
[59], digital forensics
[60], and speech recognition
[61] are some of the areas of ML. ML models may also be applied to the discovery and detection of hidden patterns in the data being analyzed as well as the classification of the data. This is where the process is tested. Each of these algorithms follows a different approach to data analysis. Random forest, naïve Bayes, KNN, linear regression, artificial neural network (ANN), SVM, and decision tree are examples of such techniques. ML has been applied to studying a variety of issues linked to UAV. The authors in
[62] presented a comprehensive study of machine learning algorithms for UAV-based communications. The study discussed how machine learning has been used to improve numerous phases of UAV-based communication, including channel modelling, resource management, positioning, and security. The paper divided the ML applications into four categories: (1) security (public safety, network jamming, and eavesdropping), (2) positioning (placement, detection, and mobility), (3) resource management (network planning, power management, routing, and data caching), and (4) physical layer (channel modelling, interference management, and spectrum allocation). The article then summarized the relevant work in each of these domains. An aggressive attempt to inject noise into a communication channel to disrupt ordinary communication exchange is known as a jamming attack. A two-classifier-based technique for identifying jamming attacks on a cloud radio access network (C-RAN) network was proposed in
[63]. The multilayer perceptron (MLP) was the first classifier, and the Kernlab support vector machine (KSVM) was the second. In a low-dimensional space, jamming attacks were found to be non-linearly separable. As a result, for certain jamming attack vectors that bypass the MLP classifier, the differentiation between two classes of radio signal data can be achieved by the use of a KSVM machine learning solution. Their results were promising; they assisted to demonstrate the importance of using machine learning to classify data in order to refer to a jamming or eavesdropping attempt.
The authors in
[64] proposed an anomaly detection model to reduce several attack vectors’ consequences. Their ML-based anomaly detector can detect five attack types: constant position deviation (message modification), random position deviation (message modification), velocity drift attack (message modification), DOS attack (message deletion) with constructive and destructive interference, and flight replacement attack (message injection). The automatic dependent surveillance-broadcast (ADS-B) air traffic surveillance system was the case study in their research (automatic dependent surveillance-broadcast). Preliminary ADS-B data reconstruction, combined presentation of the reconstructed and actual values to the SVDD (support vector data description) for training, and the definition and implementation of a hypersphere classifier for anomaly detection are parts of the two-step anomaly detection scheme. Reinforced learning-based power provisioning techniques are used to protect UAV transmissions from attacks such as eavesdropping and jamming
[65]. ML can be used to detect an eavesdropper by building a classifier based on the received signals connected to eavesdropping attacks and non-attacks
[66]. They developed the ML classifier by feeding it with data that showed a radio signal jamming attack.
Deep-learning algorithms proposed for feature extraction, planning, and situational awareness in UAV-related domains were the subject of another review article
[65]. In
[66], first, the researchers noted that drones frequently fly higher than typical ground user equipment. Flight altitude and line of sight propagation in open space both have an impact on radio signal transmission. They suggested a technique for locating rogue drones that could be found in a mobile network. Ground-based technology can be used to register drones that are lawful. On the other side, unregistered rogue drones that enter restricted airspace could be a security risk. The authors created virtual drone deployment scenarios for urban settings that included outside drones and ground-based equipment. The simulation scenario took into account the quantity of flying sites and sectors, inter-site distance, antennas for a base station (height and power), and carrier frequencies. Data obtained from the simulation were gathered and split into two categories: training and testing. The logistic regression (LR) and decision trees (DTs) were employed as two ML techniques. Other user equipments and drones were chosen as the two categories (variables) for LR. DT is a supervised learning model that learns by accessing feature-value tuples from a dataset. In this instance, the following items were noted: the serving cell data, the received signal strength indicator (RSSI), the standard deviation of the eight strongest reference signals, and the difference between the top two reference signals for strength. The classification results demonstrated a 100% accuracy in detecting rogue drones at heights more than 60 m and a 5% detection rate for lower altitudes. This had to deal with radio frequency interference, a more common phenomenon at lower altitudes.
Ref.
[67] proposed a deep-learning-based method for detecting and identifying drones. Particular attention was paid to the identification and detection of drone acoustic fingerprints. Drones were used to create 1300 audio samples for the drone noise data standards. Additionally, to assure the accuracy of detections, the datasets included a combination of drone audio recordings recorded in an interior environment employing drone propeller sounds, stillness, and pure drone noise. To equalize audio clips, time gaps between captures were also utilized. Processing was done based on the file type, data sampling rate, and channel bitrate of each audio file. The deep-learning classifier became more successful by segmenting audio samples into more manageable portions (which were then experimented to determine the most accurate segment size). In a three-class classification experiment, the three selected classifiers—recurrent neural networks (RNN), convolutional neural networks (CNN), and convolutional recurrent neural networks (CRNN)—reported the classification of the processed drone data (drone type one, drone type two, and other noise). The CNN method was proven to produce better results than the other two.
A full drone identification approach based on ML was presented by Lee et al. in
[68]. Using a CNN-based cascade classification method, the authors could classify picture data (data produced by drones with cameras) for their study. A total of 2206 drone pictures had their tags manually added. In total, 1777 were utilized for training, and the remaining 429 were used for testing. The system was able to determine the location of a drone on a camera-captured image and the vendor model of a drone based on machine classification, with stated accuracy rates of more than 90%. In
[69], using the Haar feature processing method, the authors were able to extract drone sub-images with the help of the pictures collected.
The researchers in
[67] offered a way to spot anomalies in a swarming flight with numerous flying drones, where the adversary might purposefully influence some drones to sabotage. Flight data from several streams were examined in order to discover these irregularities. The authors produced 16 samples per time stamp when sampling the drone data, which was made up of time-series sensory data. Prelabeled data were gathered from both normal and unusual drones. Three types of anomalies were identified: noise produced by sensor-induced signal interruptions in flight, anomalous signals generated in flight but recoverable in flight, and signal faults that force an aircraft to land as a result of a malfunction. A generative model-based 1D signal unsupervised CNN classifier was chosen for the studies.
In
[68], based on the classification of drone data using ML, a drone position prediction method was defined. A naïve Bayes classifier may predict a drone’s power usage and current location using drone data gathered at the ground controller, which may allow later plans to continue or cease flying. Drone altitude, the four transmitter coils’ switching status, and the measured power transfer efficiency are among the data fields used for classification. To confirm the correctness of the classification, the resulting drone position was contrasted with the actual drone position. To create a naïve Bayes model, the classifier was trained utilizing the prior observations of the drone flight trajectory, path, and position as input. The accuracy error rates ranged from 0.09 to 45%, which were shown to be dependent on feature parameters such as transmitter coil-switching values. Based simply on the communication between the drone and the remote controller, the authors in
[69] developed a methodology to detect the presence of a remotely operated drone, its current condition, and its movement. As a classifier, they used the random forest technique. It also assesses the methodology’s efficacy in the face of high packet loss and evasion attempts. The methodology was created and tested exclusively for RPAS (remotely piloted aircraft systems) drones. They showed a detection accuracy of 99.9% within 30 m without packet loss and detection accuracy of >97% within 200 m with up to 74.8% packet loss.
The authors of
[70] suggested a hierarchical ensemble learning technique for radio frequency (RF) data-based UAV detection and identification. UAVs are initially detected, then their types and modes of operation are identified by the second and third classifiers. Each classifier used ensemble learning based on the KNN and XGBoost algorithms. The proposed method attained a classification accuracy of 99% with ten categories. There are three different types of UAVs, and each class indicates its nature and manner of operation (ON mode, hovering mode, flying mode, or recording mode). Additionally, in
[68], the current machine-learning-based methods were examined to find a way to identify UAVs from diverse data sources.
In
[71], a method was described for identifying the drone pilots via radio control signals broadcast to a UAV using a standard transmitter. Twenty trained pilots who flew the UAV on three different routes were contacted to collect the data required. There were nine characteristics in the dataset, including thrust, pitch, roll, and yaw at the time (t) and their derivatives at the time (t) (D). Additionally, a control simultaneity variable at a time (t) was provided, describing the control signals available at the time (t). The proposed system was shown to have an accuracy rate of 90% and used the random forest algorithm. The suggested method can be applied to forensic analysis in the event of a suspected drone hijacking to locate the UAV’s pilot and raise the alarm.
In
[43], the authors proposed using only the encrypted communication traffic between the drone and the remote controller to determine the drone’s status (flying or at rest). A drone equipped with ArduCopter firmware was used to collect the data. Six features were produced without using the contents of the encrypted packet (inter-arrival time, packet size, mean and standard deviation computed over a certain number of samples of inter-arrival time and packet size). Three different classifiers, i.e., decision tree, random forest, and neural networks, were used to classify data. The random forest classifier yielded superior results for drone detection.
The authors of
[72] recognized inter-drone communication reliability as a concern, where transmitted packets may not arrive at their intended locations. To effectively predict the transmission patterns, the authors employed ML. Utilizing a Monte Carlo simulation setup that incorporates transmission channel modeling, the success/failure probability was determined. The ML method for linear regression was combined with a comparative analysis using support vector machines (SVMs) with a quadratic kernel. The first property identified was the negative link between inter-drone distance and the likelihood of a successful packet transfer. A total of 20 drones were simulated to encourage measurement data collection. In packet transmission, the chance of communication channel success was set to 0.05. Transmission probability inside a channel, node locations, and time were all recognized as specific features for linear regression training. Quantization factor values, transmission probabilities, timings, and network node locations were among the features used by the SVM-QK classifier. The average prediction rates yielded an extremely low error rate of 0.00597.
The literature showed that digital forensics for drones utilizing ML algorithms had received less attention. Very little research focuses on employing ML techniques for forensic analysis of drone data. The authors of
[16] surveyed existing drone forensics (DRF) studies. They discussed the difficulties and possibilities in drone forensics. They also developed an approach to investigating drone-related events.
On the other hand, several models and frameworks have been proposed in the literature for drone and digital forensics to solve the challenges and issues of drone forensics
[73][74][75][76][77][78][79][80][81][82][73,74,75,76,77,78,79,80,81,82].