Part 5 of 5

Practical Lab: Drone Forensics

🕑 180-240 minutes 📖 Hands-On 📋 Module 5

Lab Overview

This practical lab guides you through the complete drone forensics workflow from evidence collection to report preparation. You will apply the concepts learned in previous parts to realistic scenarios.

📚 Lab Objectives

Complete hands-on exercises covering: evidence seizure and documentation, flight log extraction, GPS data analysis, flight path reconstruction, media evidence examination, and forensic report preparation for court.

Exercise 1: Evidence Collection

Drone Evidence Seizure Procedure
Objective
Properly document and seize a drone and associated components while maintaining chain of custody.
Scene Documentation
Photograph the drone and all components in situ before touching anything. Document location with GPS coordinates. Note environmental conditions (weather, time, lighting).
Power State Assessment
Determine whether the drone is powered on. If it is, do NOT turn it off immediately: first photograph the display and status lights, and consider RAM capture if applicable. If the battery is very low, document the current state before power is lost.
Component Inventory
List all components: drone body, remote controller, mobile device, batteries (count), SD cards (capacity noted), chargers, carrying case, propellers, any accessories.
Serial Number Recording
Document all serial numbers: drone body (usually underneath or in battery compartment), controller, batteries. Photograph serial number labels.
Storage Media Handling
Remove SD cards using anti-static precautions. Enable the write-protect tab on each card if available, then place the cards in evidence bags. Label each with source location.
Packaging and Sealing
Package drone with propellers removed (safety). Use anti-static bags for electronics. Seal with tamper-evident tape. Complete chain of custody form.
☑ Evidence Collection Checklist
Scene photographs (wide, medium, close-up)
GPS coordinates of recovery location
Drone serial number documented
Controller serial number documented
Battery serial numbers documented
SD cards removed and secured
Mobile device seized (if applicable)
Chain of custody form completed
Evidence bags sealed and labeled

Exercise 2: Flight Log Extraction

Extracting and Converting DJI Flight Logs
Objective
Extract flight logs from the drone's internal storage and the mobile device, then convert them to an analyzable format using DatCon.
Forensic Imaging
Create forensic image of SD card using FTK Imager or dd command. Verify image integrity with hash values (MD5 + SHA-256). Document imaging process.
Locate DAT Files
Mount forensic image read-only. Navigate to /MISC/LOG/ or /BLACKBOX/ directories. Identify FLYxxx.DAT files. Note file timestamps and sizes.
Mobile Device Extraction
Use mobile forensic tools to extract DJI app data. Locate FlightRecord folder. Extract encrypted TXT flight records and databases.
DatCon Conversion
Open DatCon. Load DAT or TXT file. Select output parameters (GPS, OSD, Battery, Motor, RC). Export to CSV format. Note any parsing errors.
GPS Export
Use DatCon to export KML/GPX file for mapping. This creates flight path visualization for Google Earth or other GIS tools.

Sample DatCon Command Line Usage

# Basic conversion
java -jar DatCon.jar -i FLY001.DAT -o flight001.csv

# With specific parameters
java -jar DatCon.jar -i FLY001.DAT -o flight001.csv --gps --osd --battery

# Export KML for Google Earth
java -jar DatCon.jar -i FLY001.DAT --kml flight001.kml
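An added example (not part of the original lab or of any tool named here) for the imaging and DAT-location steps: it hashes an image with MD5 and SHA-256 in one pass, checks both against the values recorded at acquisition, and inventories FLYxxx.DAT files under the log directories of a read-only mount. The helper names and the sample directory tree are hypothetical and constructed for illustration.

```python
import hashlib
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

LOG_DIRS = ("MISC/LOG", "BLACKBOX")           # directories named in the lab
DAT_NAME = re.compile(r"^FLY\d+\.DAT$", re.IGNORECASE)

def dual_hash(path, chunk=1 << 20):
    """Return (md5, sha256) hex digests computed in a single read pass."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()

def verify_image(image_path, recorded_md5, recorded_sha256):
    """True only if both digests match the values recorded at acquisition."""
    md5, sha = dual_hash(image_path)
    return md5 == recorded_md5.lower() and sha == recorded_sha256.lower()

def inventory_dat_files(mount_root):
    """List FLYxxx.DAT files under the log directories of a read-only mount."""
    rows = []
    for rel in LOG_DIRS:
        folder = Path(mount_root) / rel
        if not folder.is_dir():
            continue
        for f in sorted(folder.iterdir()):
            if f.is_file() and DAT_NAME.match(f.name):
                st = f.stat()
                mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
                rows.append({"path": f"{rel}/{f.name}", "size": st.st_size,
                             "mtime_utc": mtime.isoformat(),
                             "sha256": dual_hash(f)[1]})
    return rows

def demo():
    """Build a constructed directory tree standing in for the mounted image."""
    root = Path(tempfile.mkdtemp())
    (root / "MISC/LOG").mkdir(parents=True)
    (root / "MISC/LOG/FLY001.DAT").write_bytes(b"constructed sample bytes")
    (root / "MISC/LOG/notes.txt").write_bytes(b"not a flight log")
    return inventory_dat_files(root)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The per-file SHA-256 values can go straight into the report's hash appendix, and a False from verify_image means analysis should stop until the image is re-acquired or the mismatch is explained.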

Exercise 3: Flight Path Reconstruction

Reconstructing and Visualizing Flight Path
Objective
Analyze GPS data to reconstruct the complete flight path and identify key events during the flight.
[Figure: Flight Path Visualization Example, with takeoff marked at 10:23:45 and landing at 10:35:12]
Import GPS Data
Open CSV in Excel/Google Sheets. Identify latitude, longitude, and altitude columns. Note timestamp format and timezone.
Create Flight Timeline
Plot altitude vs. time to identify takeoff, flight phases, and landing. Note any sudden altitude changes indicating incidents.
Map Visualization
Import KML into Google Earth Pro. Examine flight path relative to terrain and structures. Identify areas of interest (hovering, circling patterns).
Event Correlation
Cross-reference flight path with media capture timestamps. Identify exactly where photos/videos were taken. Note gimbal orientation.
Anomaly Detection
Look for unusual patterns: flights into restricted areas, sudden signal loss, emergency landings, RTH activations. Document each anomaly with timestamp.

Key Analysis Points

| Analysis Area | What to Look For | Forensic Significance |
|---|---|---|
| Home Point | Initial coordinates, any updates | Pilot location at takeoff |
| Maximum Distance | Furthest point from home | Intent and reach of operation |
| Maximum Altitude | Peak altitude reached | Regulatory compliance (120 m limit) |
| Hovering Points | Locations with stationary positions | Areas of surveillance interest |
| Speed Patterns | Rapid movements, sport mode | Evasion attempts, reckless operation |
| Signal Loss Events | RC signal strength drops | Extended range attempts, jamming |
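An added example (not part of the original lab or of DatCon) that computes several of the analysis points listed above from a flight CSV: home point, maximum distance, maximum altitude against the 120 m limit, hovering windows and signal drops. The column names time_s, lat, lon, alt_m and rc_signal, the sample rows, and the hover and signal thresholds are assumptions; map them to the columns of your own export.

```python
import csv, io, math

ALT_LIMIT_M = 120.0   # altitude limit cited in the lab's analysis table
HOVER_RADIUS_M = 2.0  # assumed: drift tolerated while "stationary"
HOVER_MIN_S = 10      # assumed: minimum dwell time worth reporting
SIGNAL_MIN = 30       # assumed: RC signal value treated as a drop

# Constructed sample rows; column names are assumptions, not DatCon's own.
SAMPLE_CSV = """time_s,lat,lon,alt_m,rc_signal
0,28.61390,77.20900,0.0,100
5,28.61390,77.20900,40.0,98
10,28.61480,77.20900,80.0,90
15,28.61570,77.20900,125.0,75
20,28.61570,77.20900,125.0,25
25,28.61570,77.20901,124.0,70
30,28.61570,77.20900,125.0,72
35,28.61480,77.20900,60.0,95
40,28.61390,77.20900,0.0,100
"""

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres on a sphere of radius 6,371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(a))

def analyse(csv_text):
    """Return home point, extremes, hover windows and signal drops."""
    rows = [{k: float(v) for k, v in r.items()} for r in csv.DictReader(io.StringIO(csv_text))]
    home = (rows[0]["lat"], rows[0]["lon"])          # first fix taken as home point
    hovers, start = [], 0
    for i in range(1, len(rows) + 1):                # one extra pass closes the last run
        moved = i == len(rows) or haversine_m(
            rows[start]["lat"], rows[start]["lon"], rows[i]["lat"], rows[i]["lon"]) > HOVER_RADIUS_M
        if moved:
            dwell = rows[i - 1]["time_s"] - rows[start]["time_s"]
            if dwell >= HOVER_MIN_S and rows[start]["alt_m"] > 1:   # ignore time on the ground
                hovers.append((rows[start]["time_s"], rows[i - 1]["time_s"]))
            start = i
    return {
        "home": home,
        "max_distance_m": round(max(haversine_m(*home, r["lat"], r["lon"]) for r in rows), 1),
        "max_altitude_m": max(r["alt_m"] for r in rows),
        "over_limit_s": [r["time_s"] for r in rows if r["alt_m"] > ALT_LIMIT_M],
        "hovers_s": hovers,
        "signal_drops_s": [r["time_s"] for r in rows if r["rc_signal"] < SIGNAL_MIN],
    }
```

Every value it returns carries a timestamp or coordinate that can be cited in the report, so each finding traces back to specific rows of the exported CSV.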

Exercise 4: Media Evidence Examination

Analyzing Drone-Captured Media
Objective
Extract and analyze metadata from drone photos and videos, correlate with flight data, and preserve for evidentiary use.
Media Inventory
List all media files from SD card image. Note file types (JPG, DNG, MP4), sizes, and timestamps. Identify any deleted files recovered during imaging.
EXIF Extraction
Use ExifTool to extract metadata from each file. Key fields: GPS coordinates, timestamp, camera model, drone serial, gimbal angles, camera settings.
SRT File Analysis
For video files, examine associated SRT subtitle files. Parse telemetry data embedded at each timestamp. Create spreadsheet of video telemetry.
Content Analysis
Review media content for investigative relevance. Document what is depicted. Note any subjects, locations, or activities of interest.
Geo-Correlation
Plot media capture locations on map. Verify GPS in metadata matches flight log positions at same timestamps. Flag any discrepancies.

ExifTool Commands

# Extract all metadata from a single file
exiftool -a -G DJI_0001.JPG

# Extract GPS coordinates
exiftool -gpslatitude -gpslongitude -gpsaltitude DJI_0001.JPG

# Export metadata from all files to CSV
exiftool -csv -r DCIM/ > media_metadata.csv

# Extract XMP drone data
exiftool -xmp:all DJI_0001.JPG
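An added example (not part of the original lab) for the SRT File Analysis and Geo-Correlation steps: it parses per-cue telemetry from an SRT file, matches each cue to the nearest-in-time flight-log fix, and flags positions that disagree. The bracketed SRT layout, the sample data, the 25 m tolerance and the assumption that both sources share one clock and timezone are constructed for illustration; SRT layouts differ between drone models and firmware versions.

```python
import math
import re
from datetime import datetime

MAX_OFFSET_M = 25.0   # assumed tolerance before a media fix is flagged

# Constructed SRT excerpt; the bracketed key/value layout is an assumption
# and differs between drone models and firmware versions.
SAMPLE_SRT = """1
00:00:00,000 --> 00:00:01,000
2024-03-01 10:24:00
[latitude: 28.614800] [longitude: 77.209000] [rel_alt: 80.0 abs_alt: 296.0]

2
00:00:01,000 --> 00:00:02,000
2024-03-01 10:24:05
[latitude: 28.620000] [longitude: 77.209000] [rel_alt: 125.0 abs_alt: 341.0]
"""

# Constructed flight-log fixes: (timestamp, lat, lon), same clock and timezone.
FLIGHT_LOG = [("2024-03-01 10:24:00", 28.61480, 77.20900),
              ("2024-03-01 10:24:05", 28.61570, 77.20900)]

STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}", re.M)
FIELD = re.compile(r"(latitude|longitude|rel_alt)\s*:\s*(-?\d+(?:\.\d+)?)")

def parse_srt(text):
    """Yield one telemetry dict per subtitle cue that carries a position."""
    for cue in re.split(r"\n\s*\n", text.strip()):
        stamp = STAMP.search(cue)
        fields = {k: float(v) for k, v in FIELD.findall(cue)}
        if stamp and {"latitude", "longitude"} <= fields.keys():
            yield {"time": datetime.strptime(stamp.group(), "%Y-%m-%d %H:%M:%S"), **fields}

def offset_m(lat1, lon1, lat2, lon2):
    """Short-range planar distance in metres (adequate for metre-scale checks)."""
    dy = (lat2 - lat1) * 111320.0
    dx = (lon2 - lon1) * 111320.0 * math.cos(math.radians(lat1))
    return math.hypot(dx, dy)

def correlate(srt_text, log):
    """Match each cue to the nearest-in-time log fix and flag large offsets."""
    fixes = [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), la, lo) for t, la, lo in log]
    report = []
    for cue in parse_srt(srt_text):
        _, la, lo = min(fixes, key=lambda f: abs(f[0] - cue["time"]))
        d = offset_m(cue["latitude"], cue["longitude"], la, lo)
        report.append((cue["time"].isoformat(), round(d), d > MAX_OFFSET_M))
    return report
```

A flagged cue is a discrepancy to document and explain (clock offset, GPS error, edited metadata), not a conclusion in itself.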

Exercise 5: Forensic Report Preparation

Preparing Court-Ready Forensic Report
Objective
Compile findings into a comprehensive forensic report suitable for legal proceedings, including Section 63 BSA certificate requirements.
Executive Summary
Write clear summary of key findings: drone identification, flight dates/times, locations visited, media captured. Use non-technical language.
Evidence Documentation
Detail chain of custody. List all evidence items with descriptions and identifiers. Include hash values for all digital evidence. Document acquisition methods.
Technical Analysis
Present flight data analysis with visualizations. Include flight path maps, altitude charts, timeline of events. Reference specific data points with timestamps.
Media Summary
Catalog all media evidence. Include thumbnails where appropriate. Detail metadata findings. Note investigative relevance of each item.
Section 63 BSA Certificate
Prepare certificate addressing: (1) regular use of device, (2) information fed in ordinary course, (3) proper operation during relevant period, (4) faithful reproduction. Include hash values and verification.
Conclusions
State findings clearly and objectively. Avoid speculation. Distinguish facts from interpretations. Note any limitations of analysis.

Report Structure Template

📝 Drone Forensic Report Outline

1. Executive Summary (1 page)
2. Case Information - Case number, dates, examiner details
3. Evidence Description - Items received, condition, identifiers
4. Chain of Custody - Complete custody documentation
5. Examination Environment - Tools, versions, workstation
6. Methodology - Procedures followed, standards applied
7. Findings
  7.1 Device Information (make, model, serial, firmware)
  7.2 Flight Log Analysis (dates, times, locations)
  7.3 Flight Path Reconstruction (maps, timelines)
  7.4 Media Evidence (inventory, metadata, content)
  7.5 Mobile App Analysis (account, history)
8. Conclusions - Summary of factual findings
9. Appendices
  A. Section 63 BSA Certificate
  B. Hash Values
  C. Flight Path Maps
  D. Media Thumbnails
  E. Raw Data Exports

📚 Key Takeaways
  • Evidence collection requires systematic documentation: scene photos, serial numbers, component inventory, and proper packaging
  • Always create forensic images before analysis; verify with hash values
  • DatCon converts DJI DAT/TXT files to CSV for analysis and KML for mapping
  • Flight path reconstruction combines GPS data, altitude charts, and event correlation
  • Media analysis includes EXIF extraction, SRT parsing, and geo-correlation with flight logs
  • Forensic reports must include Section 63 BSA certificate for electronic evidence admissibility
  • Use clear, objective language and distinguish facts from interpretation in reports