Saturday, July 18, 2020

Downloading a DJI Drone flight log (from an iPhone)

Unmanned Aerial Vehicle (UAV) forensics

First and best place to get information about a UAV is on the controller device be it a iPhone, iPad, or Android. 

Will be looking at an unlocked iPhone and where to find flight records.


1.  First plug iPhone into a computer that has iTunes and sync/connect device





2.  Select File Sharing in left column.

                 













3. In left window select the DJI app installed on the device depending on UAV model
(typically DJI Go or DJI Fly).  In this case selecting DJI Fly.



4. Highlight the folder "FlightRecords" and save to local location.





                                  




















5. View saved Flight Records.  Saved as binary(.txt) file with date of flight in filename.




And a .dat file is saved in the MCDatFlightRecords folder:












6.  Convert the .DAT to a CSV with the DatCon tool.
Found at: DatCon download page
*requires java installed

Run tool




Add the .DAT file from the MCDatFlightRecords folder and specify an output directory:
Hit








Hit GO!





CSV Saved



7.  View CSV

The CSV contains several columns on relevant data about UAV including data about direction, temperature, height, wind, battery, controller and more data of possible interest.


Columns will show a list of the  GPS:Long and GPS:Lat and dates







8. *Another method:
AirData - plot the data online

  • Airdata.com great site to upload the downloaded .txt  file to to view the data from the UAV.
  • Create an account and select upload to upload the .txt file from the FlightRecords folder.















Shows lots of data from the binary file!



Example






















Friday, May 8, 2020

ANAB - Guiding Principles of Professional Responsibility for Forensic Service Providers and Forensic Personnel

Long title, great document:
https://anab.qualtraxcloud.com/ShowDocument.aspx?ID=6732

From the ANSI National Accreditation Board(ANAB) these are some great forensic principals for forensic work.

Guiding Principles of Professional Responsibility for Forensic Service Providers and Forensic Personnel

1. Are independent, impartial, detached, and objective, approaching all examinations with due diligence and an open mind.

2. Conduct full and fair examinations. Conclusions are based on the evidence and reference material relevant to the evidence, not on extraneous information, political pressure, or other outside influences.

3. Are aware of their limitations and only render conclusions that are within their area of expertise and about matters which they have given formal consideration.

4. Honestly communicate with all parties (the investigator, prosecutor, defense, and other expert witnesses) about all information relating to their analyses, when communications are permitted by law and agency practice.

5. Report to the appropriate legal or administrative authorities unethical, illegal, or scientifically questionable conduct of other forensic employees or managers. Forensic management will take appropriate action if there is potential for, or there has been, a miscarriage of justice due to circumstances that have come to light, incompetent practice or malpractice.

6. Report conflicts between their ethical/professional responsibilities and applicable agency policy, law, regulation, or other legal authority, and attempt to resolve them.

7. Do not accept or participate in any case on a contingency fee basis or in which they have any other personal or financial conflict of interest or an appearance of such a conflict.

8. Are committed to career-long learning in the forensic disciplines which they practice and stay abreast of new equipment and techniques while guarding against the misuse of methods that have not been validated. Conclusions and opinions are based on generally accepted tests and procedures.

9. Are properly trained and determined to be competent through testing prior to undertaking the examination of the evidence.

10. Honestly, fairly and objectively administer and complete regularly scheduled:

  • relevant proficiency tests; 
  • comprehensive technical reviews of examiners’ work; 
  • verifications of conclusions. 

11. Give utmost care to the treatment of any samples or items of potential evidentiary value to avoid tampering, adulteration, loss or unnecessary consumption.

12. Use appropriate controls and standards when conducting examinations and analyses.

13. Accurately represent their education, training, experience, and area of expertise.

14. Present accurate and complete data in reports, testimony, publications and oral presentations.

15. Make and retain full, contemporaneous, clear and accurate records of all examinations and tests conducted, and conclusions drawn, in sufficient detail to allow meaningful review and assessment of the conclusions by an independent person competent in the field. Reports are prepared in which facts, opinions and interpretations are clearly distinguishable, and which clearly describe limitations on the methods, interpretations and opinions presented.

16. Do not alter reports or other records or withhold information from reports for strategic or tactical litigation advantage

17. Support sound scientific techniques and practices and do not use their positions to pressure an examiner or technician to arrive at conclusions or results that are not supported by data.

18. Testify to results obtained and conclusions reached only when they have confidence that the opinions are based on good scientific principles and methods. Opinions are to be stated so as to be clear in their meaning. Wording should not be such that inferences may be drawn which are not valid, or that slant the opinion to a particular direction.

19. Attempt to qualify their responses while testifying when asked a question with the requirement that a simple “yes” or “no” answer be given, if answering “yes” or “no” would be misleading to the judge or the jury.



MacOS - Property List Files

Property list or ".plist" files can contain relevant data for forensicating on Apple computers and iOS devices.

In a kind of obscure similarity, like how windows stores configurations and setting in the windows registry.  Apple devices can store system and user settings in .plist files.  Can show a user's preferences and/or how he/she uses an application.

Several plist files are created when a system or application is first ran.  Aside from configuration info, plist files can provide information recent items and recently accessed files.

Some plists of potential interest include:
* (~) tilde means current logged in user user's folder.  (/Users/<username>)


  • Recent Apps in the Apple Dock 

~/Library/Preferences/com.apple.dock.plist


  • OS Version and Info

/System/Library/CoreServices/SystemVersion.plist 


  • Last Logged-in user

/Library/Preferences/com.apple.loginwindow.plist


  • Deleted Users

/Library/Preferences/com.apple.preferences.accounts.plist


  • User Interaction with Apple Finder

~/Library/Preferences/com.apple.finder.plist


  • Tracking volumes from the sidebarlist
~/Library/Preferences/com.apple.sidebarlists.plist


  • Shared files list and recent items
/Users/<username>/Library/Application Support/com.apple.sharedfilelist/


  • Recent Spotlight Searches
~/Library/Application Support/com.apple.spotlight.Shortcuts


  • Installed Updates
/Library/Receipts/InstallHistory.plist


  • List of User who can sign in
<VolumeUID>/System/Library/CoreServices/SystemVersion.plist


/<VolumeUID>/com.apple.installer/SystemVersion.plist

<VolumeUID>/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey

  • User Information
<VolumeUID>/var/db/CryptoUserInfo.plist