About This Workshop
Over the past five years, the relevance of Unmanned Aerial Systems (UAS) forensics has increased significantly in response to multiple drone-related incidents that resulted in severe disruptions to public infrastructure. In many of these cases, determining whether the events were benign, accidental or malicious proved challenging due to the lack of evidence or suspect apprehension. Concurrently, the growing adoption of autonomous systems in irregular warfare has positioned UAS as a prominent example of an “emerging and disruptive technology”. While this characterization is now well established in the literature addressing the societal impact of drones, forensic research has been required to evolve rapidly by adapting existing standards, procedures, and technical guidelines to this domain.
The heterogeneity of proprietary and open-source UAS platforms presents substantial challenges not only for standardization but also for achieving sufficient system-level understanding during forensic investigations. As a result, current investigative approaches may be insufficient to reliably identify whether a UAS has been subjected to compromise or intentional manipulation. This limitation directly affects the often blurred Preparedness/Readiness (According to NIST 800-61 and DFRWS process definitions, respectively) phase of the forensic lifecycle, where inadequate knowledge of protocol behavior, security assumptions and exploitable weaknesses may undermine subsequent analysis during the Examination of evidence.
This work investigates these challenges through the analysis of a compromised UAS, demonstrating how vulnerabilities in communication protocol design can be exploited as anti-forensic mechanisms that obstruct evidence acquisition and interpretation. By highlighting the forensic impact of such protocol-level weaknesses, the study underscores the necessity of comprehensive system understanding as a prerequisite for effective preparedness.
Specifically, the most widely adopted open-source communication protocol for unmanned systems, MAVLink, is examined. A series of novel attacks is emulated to assess their anti-forensic effects on both system behavior and the investigative process. The findings illustrate how insufficient awareness of protocol vulnerabilities can impede forensic readiness, reinforcing the need for rigorous security and vulnerability analysis as an integral component of UAS forensic preparedness.