DJI Ecosystem Overview
DJI (Da-Jiang Innovations) dominates the consumer drone market with approximately 70% global market share. Due to this dominance, DJI drone forensics is a critical skill for any forensic practitioner. This part provides deep technical knowledge of DJI's proprietary systems and analysis techniques.
By the end of this part, you will understand the DJI product ecosystem, analyze DAT file structures, extract data from DJI Fly/GO apps, use forensic tools like DatCon, and understand DJI cloud data acquisition.
DJI Product Lines
Understanding DJI product lines helps identify the specific drone model and its forensic characteristics.
Mavic Series
Foldable consumer/prosumer drones. Mavic Air, Mavic 2, Mavic 3. Most commonly encountered in investigations.
Mini Series
Sub-250g drones (Mini, Mini 2, Mini 3). Nano category under Indian regulations. Limited internal storage.
Phantom Series
Professional aerial photography. Phantom 4 Pro still widely used. Larger internal storage.
Inspire Series
Cinema-grade drones. Inspire 2, Inspire 3. Dual operator capability, extensive logging.
Enterprise Series
Matrice series for industrial use. Enhanced data logging, RTK GPS capability.
FPV Series
First-person view racing drones. Different log format, high-speed flight data.
DJI Mobile Applications
| App | Drone Compatibility | Package Name |
|---|---|---|
| DJI Fly | Mini series, Mavic 3, Air 2/2S, Avata | dji.go.v5 |
| DJI GO 4 | Mavic 2, Phantom 4, Spark | dji.go.v4 |
| DJI GO | Phantom 3, Inspire 1 (Legacy) | dji.pilot |
| DJI Pilot | Enterprise/Matrice series | dji.pilot.pad |
DAT File Analysis
DJI drones store flight data in proprietary DAT files. Understanding their structure is essential for forensic analysis.
DAT File Locations
- Drone Internal Memory: /BLACKBOX/ or /LOG/ directories (FLYxxx.DAT)
- Mobile App: FlightRecord/ directory (encrypted TXT files)
- SD Card: LOG/ directory (if logging to SD is enabled)
DAT File Structure
Common Record Types
| Record Type | ID | Data Contents |
|---|---|---|
| OSD General | 0x0001 | Position, altitude, speed, flight mode |
| GPS | 0x0000 | Raw GPS data, satellite info |
| IMU | 0x0800 | Accelerometer, gyroscope data |
| Battery | 0x000C | Cell voltages, temperature, status |
| RC | 0x0008 | Remote control inputs |
| Gimbal | 0x0005 | Camera orientation, mode |
| Home | 0x000D | Home point coordinates |
| App Message | 0xFE | Warnings, errors, user actions |
Mobile app flight records (TXT files) are encrypted with a scrambling algorithm. Tools like DatCon can decrypt these files. The DAT files on the drone itself are generally not encrypted but use proprietary binary format.
DJI Forensic Tools
Several tools are available for analyzing DJI data. Understanding each tool's capabilities is essential.
The most widely used free tool for DJI DAT file analysis. Converts DAT files to CSV format for analysis in Excel or other tools.
Visualization tool that works with DatCon output. Creates charts and graphs of flight parameters over time.
Autopsy digital forensics platform with drone analysis modules. Provides integrated analysis of drone storage and mobile devices.
Commercial mobile forensic tools with drone app support. Extract and analyze DJI app data from mobile devices.
Using DatCon - Basic Workflow
1. Launch DatCon application
2. File > Open > Select .DAT or .txt flight record
3. For encrypted TXT files, decryption happens automatically
4. File > Create CSV > Choose output location
5. Select parameters to export (GPS, OSD, Battery, etc.)
6. Open CSV in Excel or import to visualization tool
7. File > KML File > Export flight path for Google Earth
DJI App Forensics
The mobile application contains rich forensic data including account information, cached flights, and media.
DJI Fly App Database Analysis
The main database (dji_fly.db) contains multiple tables with forensic value:
| Table | Contents | Forensic Value |
|---|---|---|
| flight_record | Flight summaries, duration, distance | Flight history overview |
| user_info | DJI account details | User identification |
| aircraft_info | Registered drones, serial numbers | Device correlation |
| media_file | Downloaded/cached media references | Media file tracking |
| geofence_unlock | No-fly zone unlock requests | Intent to fly in restricted areas |
Flight Record Analysis
Flight records stored in the app are typically encrypted TXT files. Key data extractable includes:
- Flight Summary: Date, duration, max altitude, max distance, max speed
- Takeoff/Landing Locations: GPS coordinates with timestamps
- Home Point History: Initial and any updated home points
- Media Capture Events: When photos/videos were triggered
- Warning Events: Low battery, signal loss, geofence warnings
- Flight Mode Changes: Manual, GPS, Sport, Tripod modes
Even if flight records are deleted from the app, check map cache tiles (stored in map_cache/ directory). The presence of specific map tiles indicates areas the user was interested in or flew over. Map tiles follow standard XYZ naming convention and can reveal flight planning locations.
DJI Cloud Data
DJI offers cloud services that may contain valuable forensic data synced from user devices.
DJI Cloud Services
- Flight Sync: Automatic upload of flight records (if enabled)
- Media Sync: Photos and videos backed up to DJI cloud
- Device Registration: Drones linked to account
- Firmware History: Update records
- Geofence Unlocks: History of no-fly zone unlock requests
Obtaining DJI Cloud Data
DJI is a Chinese company with servers in multiple jurisdictions. Obtaining cloud data typically requires:
1. Account Access: With user consent or court order, login to DJI account and download data
2. MLAT Request: For non-cooperative scenarios, Mutual Legal Assistance Treaty request through appropriate diplomatic channels
3. API Access: Some enterprise accounts have API access for data export
DJI AeroScope
DJI AeroScope is a drone detection system that can identify DJI drones and their pilots:
- Detects DJI drones within range (varies by AeroScope model)
- Captures drone serial number, pilot location, flight path
- Used by airports, government facilities, law enforcement
- Historical data can be valuable for investigation timeline
Firmware Analysis
Drone firmware can provide insights into device capabilities and modifications.
Firmware Considerations
- Version Verification: Compare firmware version to release history
- Modified Firmware: Some users install hacked firmware to bypass restrictions
- NFZ Bypass: Modified firmware may disable geofencing
- Altitude Limits: Stock firmware limits can be modified
Indicators of Modified Firmware
- Firmware version not matching any official release
- Missing or modified no-fly zone database
- Unusual parameter settings in flight logs
- Flights in restricted areas without unlock records
Modified firmware is strong evidence of intent to circumvent safety features. Document firmware version and any indicators of modification. This can be crucial for establishing criminal intent in unauthorized flight cases.
- DJI dominates the market; understanding their ecosystem is essential for drone forensics
- DAT files contain detailed binary flight data with GPS, IMU, battery, motor, and control records
- Mobile app flight records are encrypted TXT files that can be decrypted with tools like DatCon
- DatCon is the primary free tool for DJI forensics; commercial tools like Cellebrite offer enhanced capabilities
- DJI app databases contain user accounts, registered drones, flight history, and geofence unlock requests
- Cloud data requires legal process; consider MLAT for international requests to DJI
- Modified firmware indicating geofence bypass is strong evidence of criminal intent