Sustainability 14 04861
Review
Drone Forensics and Machine Learning: Sustaining the
Investigation Process
Zubair Baig 1, * , Majid Ali Khan 2 , Nazeeruddin Mohammad 3 and Ghassen Ben Brahim 2
Abstract: Drones have been increasingly adopted to address several critical challenges faced by
humanity to provide support and convenience. The technological advances in the broader domains
of artificial intelligence and the Internet of Things (IoT) as well as the affordability of off-the-shelf
devices, have facilitated modern-day drone use. Drones are readily available for deployment in hard
to access locations for delivery of critical medical supplies, for surveillance, for weather data collection
and for home delivery of purchased goods. Whilst drones are increasingly beneficial to civilians,
they have also been used to carry out crimes. We present a survey of artificial intelligence techniques
that exist in the literature in the context of processing drone data to reveal criminal activity. Our
contribution also comprises the proposal of a novel model to adopt the concepts of machine learning
for classification of drone data as part of a digital forensic investigation. Our main conclusions include
that properly trained machine-learning models hold promise to enable an accurate assessment of
drone data obtained from drones confiscated from a crime scene. Our research work opens the door
for academics and industry practitioners to adopt machine learning to enable the use of drone data in
forensic investigations.
Keywords: drones; criminal activity; machine learning; digital forensics
Citation: Baig, Z.; Khan, M.A.; Mohammad, N.; Brahim, G.B. Drone Forensics and Machine Learning: Sustaining the Investigation Process. Sustainability 2022, 14, 4861. https://doi.org/10.3390/su14084861
ysis of mobile communication towers for anomalies and overhead electricity transmission
line monitoring.
Smartphones play an integral role in the process of controlling drones. They serve
dual purposes in the phone-to-drone interaction, where users can switch between manual
and automatic/autonomous control modes. In [3], the studied drones sent light commands,
drone status, images, and video over Wi-Fi communication channels. Under this setup, a
client smartphone may issue a set of predefined commands that vary the drone’s rotors
to change the drone’s position while operating in the manual mode. Alternatively, image
processing and machine-learning algorithms can run on the client smartphone, generating
commands that return the drone to autonomous flight modes. For longer distance
transmission of data between drones and smartphones, a different method of operation
is employed. It relies on a 2.4 GHz radio communication channel between a transmitter
and a receiver controller attached to a smartphone via a USB cable and a receiver mounted
on the drone’s assembly [4]. Autonomous navigation of the drone can be achieved by
having the smartphone gain access to the drone’s controls and issue commands based on
flight calculations that result from the trajectory calculations and vision-based processing
running on the smartphone. The authors in [5] suggest building on top of these functions to deploy
an autonomous landing system for drones.
Drones can breach the airspace regulations of their jurisdictions as part of malicious attacks
perpetrated by a criminal. The rogue agent can use a fake email address to log in to the
mobile smart app of a drone and conceal their identity while carrying out a criminal action
such as a ‘breach of airspace’, or illegal activities such as taking photos of strategic or
sensitive locales [6]. This threat is posed to vulnerable drones that have few or no security
controls in place to prevent device compromise.
In the event of a drone being involved in criminal activities, its confiscation and
subsequent analysis at a digital forensic investigation laboratory is a crucial part of evidence
gathering and analysis. Such activity precedes any presentation of admissible evidence
against the owner of a confiscated drone.
According to [7], challenges associated with drone forensics include:
1. Post-crash scattering of individual drone components encumbers routine association
of parts to a drone seized at crash site.
2. The diverse types of on-device components for a drone imply that the use of a single
digital forensic investigation tool will not serve the purpose of investigation; a full
range of tools, both hardware and software, would be needed to run a thorough
forensic procedure.
3. Physical data acquisition of forensic images from a drone may not be practicable as
certain drones only permit wireless transfer of images.
4. Access control and protection mechanisms may prevent certain data elements from
being acquired as part of the forensic image. Moreover, drone controller chips may be
accessible only through an owner-signed remote controller, which can be difficult for
law enforcement to emulate.
5. Certain drones have multiple file systems on them, thus encumbering the process of
identifying the right tool to be able to carry out data acquisition.
6. Add-on software makes it difficult to forecast the software platform, file system and
the corresponding hardware configuration for a seized drone.
7. Flash memory and RAM can lose data after a crash if the battery of the drone runs out.
8. Data logs may be partial or programmed to not hold any data depending on the drone
model.
9. Deliberate attempts by a remote controller to wipe out data on a confiscated drone
do not help the law enforcement procedure.
As enumerated in the above list of challenges for drone forensics, the introduction of
artificial intelligence-based techniques for accurate modeling of evidence collation of
drone-based criminal activities is anticipated to be a future direction for carrying out forensic
investigations.
In this paper, we present a robust analysis of existing digital forensic frameworks and
popular drone families in Section 2. The fundamental concepts of machine learning (a branch
of artificial intelligence) and their adaptability for drones are presented in Section 3.
We propose a novel model for machine-learning-based drone forensics in Section 4. The
paper is concluded in Section 5.
2. Background
2.1. Digital Forensics Frameworks
Several drone forensic frameworks exist in the literature. We summarize these and
provide a gap analysis of existing solutions. Drone components are known to have distinct
identification numbers. Such information may comprise serial numbers of the drone
itself (manufacturer assigned), its propeller, motor, camera, and the on-board GPS device.
Depending on the drone type, such information may or may not be available to the
investigator, but if available, it is useful to foster a linkage between the drone and its
potential ground user.
As part of drone forensics, data generated in flight, which are captured in log files,
can be processed to reveal various aspects of the drone’s movement and operations, such
as time stamps, flight duration, power speed, yaw, pitch and roll, altitude and drone
type. Data need to be retrievable for analysis, and encryption encumbers such activity. A
visualization of the drone flight can be performed to augment the forensic investigation if
the data are in readable formats.
In [1], the drone forensic paradigm was bifurcated into the following: digital forensics
and hardware or physical forensics. Furthermore, digital forensics was classified as the
procedure conglomerate of network traffic analysis including analysis of drone to controller
communication messages, system log analysis, file systems analysis and camera recordings.
Hardware forensics comprises drone type, payload description, fingerprinting and
drone flight location/trajectory. The typical approach for drone data acquisition consists
of confiscation of the drone from a crash scene and application of various techniques for
careful recovery of hardware and stored data. The proposed drone forensic methodology
comprised the following steps: data acquisition, digital forensics, hardware forensics and
an overall forensic analysis framework. Additionally, forensic procedures entail evidence
preservation and the assurance through a chain of custody of the integrity of confiscated
components and resident data.
As part of hardware forensics, fingerprinting ascertains the users who were in contact
with the drone and its individual components such as the battery, propellers, payload and
wings. The fingerprints are captured and subsequently analyzed. Payloads may include illegal
contents such as weapons, drugs and mobile devices, given the capability of commercial
drones to carry anywhere between 2 and 20 kg [8,9].
In [10], the authors attempted to study the possibility of image retrieval from a drone’s
memory, flight path reconstruction, and linkage of a confiscated drone to a suspected
command and control (rogue) device. The analysis comprised the following drone attributes
for the DJI Phantom 3 and 4 drone types: maximum flight time, maximum transmission
distance, operating frequency, drone–controller connection type, mobile apps supported,
memory definition and flight information. The authors were able to conclude that the
communication standard adopted for drone to ground controller communication is significant
in determining the data elements transferred, which can effectively lead to retrieval of
admissible evidence from a confiscated drone.
In summary, existing work comprises proposals to retrieve all drone data in a safe
manner to avoid tampering with evidence. The data vary from one proposed framework to
another and are also contingent upon the availability of data within various drone families.
With the advent of Generation 7 drones, the volume of data as well as their diversity will
only increase over time.
In [19], it was noted that for Phantom 3 drones, in the absence of flight logs, EXIF data
can yield GPS coordinates that can be used for reconstructing the flight. An IPv4 network
is formed between drone and accompanying components/devices including the drone
itself, the controller, the camera and the mobile smartphone. Through a reverse engineering
(decompilation) of the DJI GO application, the SSID and accompanying password for
this ad hoc IPv4 network can be revealed, which is a useful trait to foster the drone
forensic procedure.
Whilst acknowledging that the DJI Phantom III drone has previously been involved
in malicious activities such as dropping bombs, plane watching and remote surveillance, the
authors in [20] present their findings on the forensic analysis of this drone type. Contributions
reported include a set of procedures for forensic examiners to follow, the binary
file structure of the flight recording file, the design of a .dat file parser and the correlation
procedure for extracted drone data. As reported previously, the DJI GO smartphone app
stores flight data in .txt format alongside a date and timestamp. The payload of data is
encrypted; however, several data components of the .txt file are readable, namely file length,
file version, flight data including GPS, battery, flight status and general drone information
including drone name, location, serial and model numbers.
In [21], the contributors presented flight recording data for the DJI Spark drone. Data
obtained from the DJI GO mobile app comprised several traits reflective of the flight. These
included photos taken during the flight in JPG format, videos during flight, flight data
stored in the .dat file and .txt files generated during the flight. A correlation analysis was
conducted by the authors to compare the date and timestamps obtained from the drone,
SD card and the DJI GO app on the mobile phone. No significant findings were reported
through their analysis for aiding in the forensic investigation, i.e., corroboration of results
from the three sources was not possible.
In summary, existing literature in the field of digital forensics for drones is at a
preliminary stage, and a significant opportunity exists for the proposal of novel digital
forensic frameworks for drone data analysis. Moreover, the limitations in the amount of
data accessible from a drone can be highlighted as the key impediment to undertaking any
viable forensic investigation on a confiscated/crashed drone.
presentation of the reconstructed and the actual values to the SVDD (support vector data
description) for training, and the definition and implementation of a hypersphere classifier
for anomaly detection.
Reinforcement learning-based power provision approaches are used to protect UAV
transmissions against attacks such as eavesdropping and jamming [33]. ML can also be
used for detecting an eavesdropper by building a classifier based on the received signals
associated with eavesdropping attacks and non-attacks [34]. This activity is based upon
prior training of ML models through presentation of data that depict a radio signal jamming
attack to the ML classifier.
Another survey paper [35] focused on deep-learning techniques used in UAV problem
domains for feature extraction, planning and situational awareness. In [36], the authors first
highlighted that drones typically fly at an altitude that is higher than traditional ground
user equipment. Radio signal propagation is affected by flight height and
also by line-of-sight free-space propagation. A scheme is proposed for the identification of
rogue drones that may be found in a mobile network. Legitimate drones may be registered
with ground equipment. However, unregistered rogue drones permeating the airspace in
sensitive locales may prove to be a security risk. The authors emulated drone deployment
scenarios comprising outdoor drones and ground user equipment for urban scenarios. The
simulation setup included the following parameters: number of flying sites and sectors,
inter-site distance, antennas for a base station (height, power) and carrier frequencies.
Measurement data were collected from the simulations and split into a training and a
testing set. Two machine-learning techniques were adopted, namely logistic regression
(LR) and decision trees (DT). For LR, two categories (variables) were specified, drones
and other user equipment, respectively. DT are supervised-learning models that work on
feature-value tuples extracted from a dataset. In this case, four features were observed,
namely received signal strength indicator (RSSI), standard deviation of the eight strongest
reference signals, difference between top two strength reference signals and serving cell
values. Classification results yielded a 100% accuracy in detection of rogue drones for
>60 m altitudes, and 5% detection rate for lower altitudes. This was attributed to the radio
frequency interference phenomenon, which is more significant at lower altitudes.
In [37], a deep-learning-based approach is presented for drone detection and identification.
In particular, drone acoustic fingerprints were analyzed for detection and identification.
Specifications on drone noise data comprised footprinting of drones to produce 1300
audio clips of drone sounds. Furthermore, to ascertain accuracy in detection, the datasets
thus derived were an amalgamation of pure drone noise, silence and drone audio clips
that were captured through drone propeller noise generated in an indoor setting. Audio
clips were also balanced based on time intervals between captures. Each audio file was
processed based on file type, data sampling rate and the bitrate of the channel. Additionally,
audio files were also segmented into smaller chunks (which were further experimented on
to deduce the most accurate segment size) to improve the performance of the deep-learning
classifier. Classification results for the processed drone data from the three adopted classifiers, namely
recurrent neural networks (RNN), convolutional neural networks (CNN) and convolutional
recurrent neural networks (CRNN), were subsequently reported by the contributors when
these were tested on a three-class classification experiment (drone type one, drone type two
and other noise). Results portrayed the superiority of the CNN technique over the other
two.
Lee et al. provide a comprehensive drone detection system using machine learning
in [38]. The authors were able to classify camera-equipped drone data, i.e., image data,
through the adoption of a cascade classification of images using CNNs. Drone data were
manually labeled, comprising 2099 drone images. A total of 1777 were used for training
and the remaining 429 for testing. The system was able to deduce the location of a drone
on a camera-captured image as well as the vendor model of a drone based on machine
classification with reported accuracies of >90%. For feature extraction, the authors were
able to adopt the Haar feature processing method to extract drone sub-images from the
image dataset obtained from [39].
In [40], an approach for identifying anomalies in a swarm flight comprising multiple
flying drones, wherein certain drones may be deliberately controlled by the adversary to
cause a possible sabotage, was proposed. Flight data from multiple streams were analyzed
to identify such anomalies. Drone data comprising time-series sensory data are sampled
at a certain frequency, with the authors generating 16 samples per time stamp. Data from
normal and anomalous drones are prelabeled. Anomalies were divided into three
categories, namely noise caused through sensor generated signal disruption in flight, abnormal
signals generated in actual flight but recoverable in flight and signal errors causing the
aircraft to halt flight due to malfunction. The classifier selected for the experiments was the
1D signal unsupervised CNN based on a generative model.
In [41], a prediction technique for drone position is defined based on classification of
drone data through the adoption of machine learning. Drone data captured at the ground
controller are introduced to a naïve Bayes classifier to help predict the power utilization and
current location of a drone, to potentially enable subsequent plans to continue or to interrupt
drone flight. Data fields adopted for classification include drone altitude, switching status
of the four transmitter coils and measured power transfer efficiency. Resulting drone
position is compared against the actual drone position to verify the accuracy in classification.
Training of the classifier is achieved through the introduction of past observations on drone
flight trajectory, path and location as input to facilitate naïve Bayes model generation. Error
rates in accuracy in the range 0.09% to 45% were noted to depend upon the feature values
such as the transmitter coil-switching values.
The authors in [42] proposed a methodology to detect the presence of a remotely
operated drone, its current status and movement based solely on the communication
between drone and the remote controller. They used random forest algorithms as the
classifier. The paper also evaluates the effectiveness of the methodology in the presence of heavy
packet loss and evasion attacks. The methodology is specifically designed and evaluated
for remotely operated aircraft systems (RPAS) drones. They have shown a drone detection
accuracy of 99.9% within 30 m without any packet loss and a detection accuracy >97%
within 200 m with a packet loss up to 74.8%.
In [43], the authors proposed UAV detection and identification based on radio frequency
(RF) data using a hierarchical ensemble learning approach. The first classifier detects UAVs,
the second one identifies the type of UAV, and the remaining two are used to identify the
mode of operations. Each classifier used ensemble learning based on KNN and XGBoost
algorithms. The proposed approach resulted in a classification accuracy of 99% with
10 classes. Each class uniquely identified the presence or absence of a UAV, its type (out of
three different types of UAVs) and its mode of operation (ON mode, hovering mode, flying
mode and recording mode). The paper also summarized the existing UAV detection using
machine-learning approaches based on different data sources.
The authors in [44] provided a technique to identify the pilot of the drones based on
radio control signals sent to a UAV using a typical transmitter. The dataset was collected
from 20 different trained pilots flying the UAV through three different trajectories. The
dataset consists of nine features including thrust, pitch, roll and yaw at time (t) and their
derivatives at time (t). It also included control simultaneity variable at time (t) which
describes the control signals available simultaneously at time (t). The proposed system
used a random forest algorithm and resulted in an accuracy of 90%. The proposed technique
can be used during forensic analysis to identify the pilot of the UAV and raise an alert in
case of the suspected hijacking of a drone.
The authors in [45] proposed a methodology to detect drone status (flying or at rest)
using just the encrypted communication traffic between the drone and the remote controller.
The dataset was collected using communication from a drone running ArduCopter
firmware. The encrypted packet information (without using its contents) was converted
into six features (inter-arrival time, packet size, mean and standard deviation computed
over a certain number of samples of inter-arrival time and packet size). Three different
classifiers were used for classification (decision tree, random forest and neural networks).
The random forest classifier provided better results for drone detection.
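The six-feature conversion described for [45], shown as an added example that is not code from the paper or from the cited work. The CSV column names, the window of four samples and the use of the population standard deviation are assumptions; only packet timing and size are read, never payload.

```python
import csv
import io
from collections import deque
from statistics import fmean, pstdev

# Constructed capture metadata: arrival time (microseconds), frame length (bytes).
SAMPLE_CSV = """ts_us,length
0,100
20000,120
40000,100
60000,120
80000,100
200000,300
"""


def parse_capture(text):
    """Read (timestamp, length) pairs from exported capture metadata."""
    reader = csv.DictReader(io.StringIO(text))
    return [(int(row["ts_us"]), int(row["length"])) for row in reader]


def six_features(packets, window=4):
    """Return one six-feature row per packet once a full window is available.

    Features: inter-arrival time, packet size, and the mean and standard
    deviation of each over the last `window` samples (window is an assumption).
    """
    iats = deque(maxlen=window)
    sizes = deque(maxlen=window)
    rows = []
    prev_ts = None
    for ts, length in packets:
        if prev_ts is not None:
            if ts < prev_ts:
                # A capture whose clock runs backwards needs examining,
                # not silent reordering.
                raise ValueError("timestamps go backwards at %d" % ts)
            iats.append(ts - prev_ts)
            sizes.append(length)
            if len(iats) == window:
                w_iat, w_size = list(iats), list(sizes)
                rows.append({
                    "iat": w_iat[-1],
                    "size": w_size[-1],
                    "iat_mean": fmean(w_iat),
                    "iat_std": pstdev(w_iat),
                    "size_mean": fmean(w_size),
                    "size_std": pstdev(w_size),
                })
        prev_ts = ts
    return rows


if __name__ == "__main__":
    for row in six_features(parse_capture(SAMPLE_CSV)):
        print(row)
```

Each returned row is one input vector for whichever classifier is being trained; the labels (flying or at rest) have to come from the recorded test flights.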
In [46], the authors identified the issue of inter-drone communication reliability,
wherein transmitted packets may not reach the intended target successfully. The authors
attempted to apply machine learning for accurate prediction of transmission patterns.
The success/failure probabilities are computed using a Monte Carlo simulation setup
comprising modeling channel design for transmission. The linear regression machine-learning
technique was adopted alongside a comparative analysis with support vector machines
(SVMs) with a quadratic kernel. The first property observed was the inverse proportionality
between inter-drone distance and probability of a successful packet transmission. To foster
measurement data collection, a total of 20 drones were simulated. Communication channel
success in packet transmission was fixed at a 0.05 probability factor. Specific features
identified for training of linear regression were transmission probability, node locations,
transmission probability within a channel and time. For the SVM-QK classifier, features
comprised quantization factor values, transmission probabilities, times, and locations of
nodes in the network. Average prediction rates were found to yield a very low error rate of
0.00597.
Table 2. Summary of machine-learning techniques used for drone data and forensics.
Drone configuration is essential in defining the data elements that are captured by
a drone during flight as well as the amount and frequency of data transmissions that are
made between the drone and a ground remote controller. Drone configuration can be
specified to include log files that contain descriptions of the following key parameters:
• Drone coordinates;
• Flight trajectory;
• Flight duration;
• Battery life;
• Drone-to-controller communication frequency;
• Drone-to-controller data exchange definitions.
Drone data acquisition can be defined to ensure that two copies of drone data are
defined and stored, with the potential to hold a third copy in the Cloud. Real-time analysis
of drone data on the ground controller can also be enabled while it is being transmitted
from the drone to the receiving unit. Through such real-time analysis, only those elements
of the data being captured would be logged, which will prove to be beneficial for digital
forensic procedures that will subsequently be undertaken for forensic analysis. If all data
transmitted to a drone ground controller is logged, it will present an unusually high
volume of data to the machine-learning system, which will also include insignificant data
for forensics. Through such a rapid analysis mechanism, the data volume can be condensed
before it is stored to foster a subsequent forensic procedure. This constitutes the concept of
live forensics [52], wherein, while a system is still operational, the data being generated is
being filtered and intelligently logged to foster a subsequent forensic investigation process.
Additionally, by designing systems that comprise previously seen data models of routine
and suspicious drone data, the overall forensic readiness of such systems is increased.
In Figure 2, we illustrate the machine-learning-based model for drone forensics. As
part of training, raw drone data is transmitted to the ground controller and is stored in
log files for subsequent analysis. All stored data will have to be preprocessed first. The
preprocessing of data can follow one of the following techniques as found in the literature:
entropy analysis, group method for data analysis, Chi-squared feature ranking and k-means
clustering. The training data is generated through test flights that are conducted in various
modes: altitudes, distances and heterogeneous payloads (if the drones have this capacity).
After several runs, the data collected would be representative of actual drone flights. The
process can be repeated with anomalous trajectories representative of a compromised drone
or a drone being involved in criminal activity. An example of such training data includes
drones flying outside acceptable flying zones despite having a clear zone specification in
place.
The application of ML for training and model generation can be subsequently carried
out, where parameters are defined for the ML system that is adopted. The testing phase
comprises the deliberate anomalous behavior of a drone in flight, so that the data generated
by the drone represents a real-life incident based on a criminal motive. The purpose of
machine-learning algorithm testing is the definition of a robust and high accuracy system
for evaluating real-time drone data, which is being generated by inflight drones and
captured by a ground-based remote controller.
Figure 2. Machine-learning process applied to raw drone data (training) and live drone data (testing).
Following the ML step, the trained and tested models for classification can be placed
in production mode awaiting actual drone data from a confiscated drone from a crash site
to be presented for subsequent classification into normal (routine crash) vs. anomalous
(deliberate attempt by a criminal). As part of the forensic procedure, the confiscated drone
data is subject to the following steps:
1. Data is securely extracted without affecting its integrity;
2. Data is securely stored through validation and cross examination, in order to maintain
a chain of custody;
3. Preprocessing of data is then conducted based on those techniques that were adopted
for preprocessing of the training data;
4. ML-based data classification is then conducted to identify whether or not the drone
was involved in a malicious event.
Though the ability of the ML-based classification systems is very much reliant upon
the quality of training data, the efficacy of the digital forensic procedure can be elevated
through the definition of robust flight paths that a specific drone model can undertake
to emulate a normal flight pattern. For example, a drone that performs temperature
sensing in a given fly zone can be operated with specific characteristics that represent the
‘routine’ flight. Depending upon the use case, this may include altitude ranges, flying zone
coordinates, distance from the remote controller, triggering sensor usage in-flight, etc. By
flying a drone within these predefined bounds, routine operations and associated data can
be generated. By having the drone violate these parameters, obviously without breaching
the aviation policy of the jurisdiction where the flight takes place, a range of anomalous
drone flight data can be generated and collected for subsequent analysis.
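One way to label preincident test-flight samples against a predefined routine-flight profile, as described above (an added example, not code from the paper). The profile fields, coordinates and thresholds are constructed assumptions: a sample counts as routine only while it stays inside the altitude range, the fly zone polygon and the controller range.

```python
import math

EARTH_RADIUS_M = 6371000.0

# Constructed routine-flight profile (all values hypothetical).
PROFILE = {
    "alt_range_m": (20.0, 120.0),
    "zone": [(10.000, 20.000), (10.010, 20.000),
             (10.010, 20.010), (10.000, 20.010)],   # (lat, lon) vertices
    "controller": (10.005, 20.005),
    "max_range_m": 500.0,
}

# Constructed log samples: time offset (s), latitude, longitude, altitude (m).
SAMPLES = [
    {"t": 0, "lat": 10.005, "lon": 20.0060, "alt_m": 50.0},
    {"t": 1, "lat": 10.005, "lon": 20.0099, "alt_m": 50.0},
    {"t": 2, "lat": 10.012, "lon": 20.0050, "alt_m": 50.0},
    {"t": 3, "lat": 10.005, "lon": 20.0050, "alt_m": 150.0},
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def in_zone(lat, lon, polygon):
    """Ray-casting point-in-polygon test over (lat, lon) vertices."""
    inside = False
    for i in range(len(polygon)):
        lat_a, lon_a = polygon[i]
        lat_b, lon_b = polygon[(i + 1) % len(polygon)]
        if (lon_a > lon) != (lon_b > lon):
            # Latitude at which this edge crosses the sample's longitude.
            cross = lat_a + (lon - lon_a) * (lat_b - lat_a) / (lon_b - lon_a)
            if lat < cross:
                inside = not inside
    return inside


def violations(sample, profile):
    """List every routine-flight bound that one log sample breaks."""
    reasons = []
    low, high = profile["alt_range_m"]
    if not low <= sample["alt_m"] <= high:
        reasons.append("altitude out of range")
    if not in_zone(sample["lat"], sample["lon"], profile["zone"]):
        reasons.append("outside fly zone")
    c_lat, c_lon = profile["controller"]
    if haversine_m(sample["lat"], sample["lon"], c_lat, c_lon) > profile["max_range_m"]:
        reasons.append("beyond controller range")
    return reasons


def label_flight(samples, profile):
    """Label each sample routine or anomalous and keep the reasons."""
    rows = []
    for sample in samples:
        why = violations(sample, profile)
        rows.append({"t": sample["t"],
                     "label": "anomalous" if why else "routine",
                     "reasons": why})
    return rows


if __name__ == "__main__":
    for row in label_flight(SAMPLES, PROFILE):
        print(row)
```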
Through such preincident activity, the ML-based digital forensic model can be defined
with a high degree of precision, as the training models will have insights on both routine and
malicious flight paths. The other possibility for drone investigators to produce valid training
models from routine flight data only is to use machine-learning techniques such as single-
class SVM that are capable of producing models from training data belonging to a single
class [53]. It may be noted that the adoption of machine learning to identify suspicious
drone flight data may not be acceptably accurate if the training data is not robust enough.
As reported in [51], several pitfalls in the type of data presented to the classifier should be
avoided to prevent a skew in the classification accuracy between true positives/negatives
and false positives/negatives. It is therefore significant to generate preincident drone
data that is both robust and complete to eliminate the chance of inaccuracies in data
classification.
Data acquisition of drone data is dependent upon its accessibility after an incident
such as a drone crash has occurred. The process of data acquisition is dependent upon
availability of a USB connection (port access) to the drone or through a live Wi-Fi network
card that has not been damaged in the crash.
Once the data acquisition process is initiated, a free traversal of all on-device data to
the data acquisition device is carried out.
The second source for data acquisition is the remote controller. As discussed in
Section 2, real time flight data is captured by the remote controller if the preflight firmware
configuration enables such a process. This is practicable in the Parrot AR drone. Moreover,
postincident, the remote controller data can be retrieved through an FTP connection if it is
still accessible. In case it was turned off by the criminal, this data source is unreachable.
However, for purposes of training, model generation and testing, this data is to be presented
to the ML engine.
The next step comprises secure storage of the drone data through a hash computation
of all data elements and subsequent storage of both the fully acquired data and the associated
hash values. It may be noted that the data will comprise audio, video, and generic
data in the form of bits and bytes that can be readily hashed using a known hash function
such as the secure hash algorithm (SHA-3). The purpose of computing the hash value is
to mark the digital forensic procedural register with a description of the personnel who
are handling the investigation and through whose hands the acquired evidence is passed.
The third step in the forensic investigation is the deployment of common software-based
tools to carry out an analysis of the acquired data. These tools include CSVView, Google
API, Google Maps, ExifTool and CyanogenMod. The extracted data is then presented to
the trained machine-learning engine for classification.
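The hash-and-register step above, as an added example (not the authors' tooling). It hashes every acquired file with SHA3-256, chains each custody entry to the previous one, and reports any file or register entry that later changes; the file names, case identifier and examiner names are constructed placeholders.

```python
import copy
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha3_file(path, chunk=1 << 20):
    """SHA3-256 of one acquired file, read in chunks so large video fits."""
    digest = hashlib.sha3_256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def walk(evidence_dir):
    """Yield (relative_path, full_path) for every file in a stable order."""
    for root, dirs, files in os.walk(evidence_dir):
        dirs.sort()
        for name in sorted(files):
            full = os.path.join(root, name)
            yield os.path.relpath(full, evidence_dir).replace(os.sep, "/"), full


def entry_digest(entry):
    """Digest of a custody entry, excluding its own digest field."""
    body = {k: v for k, v in entry.items() if k != "entry_digest"}
    return hashlib.sha3_256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_handover(manifest, person, action):
    """Append who handled the evidence, chained to the previous entry."""
    custody = manifest["custody"]
    files_blob = json.dumps(manifest["files"], sort_keys=True).encode()
    entry = {
        "person": person,
        "action": action,
        "utc": datetime.now(timezone.utc).isoformat(),
        "files_digest": hashlib.sha3_256(files_blob).hexdigest(),
        "prev": custody[-1]["entry_digest"] if custody else "",
    }
    entry["entry_digest"] = entry_digest(entry)
    custody.append(entry)
    return manifest


def build_manifest(evidence_dir, case_id, examiner):
    """Hash all acquired data elements and open the custody register."""
    files = {rel: {"sha3_256": sha3_file(full), "size": os.path.getsize(full)}
             for rel, full in walk(evidence_dir)}
    manifest = {"case_id": case_id, "files": files, "custody": []}
    return record_handover(manifest, examiner, "acquired and hashed")


def verify(evidence_dir, manifest):
    """Return sorted (item, problem) findings; an empty list means intact."""
    findings, seen = [], set()
    for rel, full in walk(evidence_dir):
        seen.add(rel)
        known = manifest["files"].get(rel)
        if known is None:
            findings.append((rel, "unexpected file"))
        elif sha3_file(full) != known["sha3_256"]:
            findings.append((rel, "hash mismatch"))
    findings += [(rel, "missing") for rel in manifest["files"] if rel not in seen]
    prev = ""
    for i, entry in enumerate(manifest["custody"]):
        if entry["prev"] != prev or entry_digest(entry) != entry["entry_digest"]:
            findings.append(("custody[%d]" % i, "register entry altered"))
        prev = entry["entry_digest"]
    return sorted(findings)


def demo():
    """Constructed evidence set: verify it, then alter the register and a file."""
    samples = {"flight_record.dat": b"\x00\x01constructed flight record",
               "photo_0001.jpg": b"\xff\xd8constructed image bytes",
               "app_log.txt": b"constructed app log\n"}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(d, "CASE-PLACEHOLDER", "Examiner A")
        record_handover(manifest, "Examiner B", "received for analysis")
        clean = verify(d, manifest)
        forged = copy.deepcopy(manifest)
        forged["custody"][0]["person"] = "Someone Else"
        register = verify(d, forged)
        with open(os.path.join(d, "app_log.txt"), "ab") as fh:
            fh.write(b"edited after acquisition\n")
        return {"clean": clean, "register": register, "file": verify(d, manifest)}


if __name__ == "__main__":
    print(demo())
```

The manifest is kept outside the evidence directory, so writing or updating it never changes the set of files being verified.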
Based upon our analysis of drone families (Table 1), we propose that the following
data elements can be presented to the machine-learning algorithm to enable robust training
for drone forensic readiness:
1. Received signal strength indicator (RSSI): normal ranges;
2. Drone in-flight acoustic signatures: noise;
3. Flight data as time-series sensory values;
4. Power surge or utilization data;
5. Location data;
6. Network traffic: packet loss data, interarrival times of data packets, packet lengths;
7. Mode of operation data: ON, hovering, flying or recording.
Drone signals lost through longer flights that traverse beyond acceptable limits into no-fly
zones can be inferred from higher RSSI (weaker) signals. In-flight acoustic signatures
can indicate a cyberattack, where malicious software may have been successfully installed
on a drone to sabotage its flight. Time-series-based collection of IoT sensory data from drone
sensors is essential in the diagnosis of the various value ranges. Subsequent comparison of
sensory data with normal ranges at the receiver’s end will support drone data analysis to
identify anomalous locales visited by the drone or unusual value ranges that can confirm
the compromise of the drone. Similarly, power surges in a drone can either occur through
malfunction or through deliberate sabotage. Drone location data is essential in identifying
the location coordinates visited by a drone in-flight. We postulate that network traffic data
is also essential in identifying the proximity of a drone to the ground receiver. This data
can subsequently be corroborated with in-flight data obtained from the drone. Operations
data will also be representative of routine flight paths adopted by the drone.
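One way to turn some of the listed data elements into features and compare them with normal ranges, as an added example that is not the authors' model: a median/MAD baseline stands in for the trained machine-learning engine, and it covers only the RSSI, network traffic and power elements. Field names, units (RSSI in dBm) and the telemetry records are constructed assumptions.

```python
import statistics

def constructed_window(i, rssi=-60, drop=0, surge=0.0):
    """Constructed sample data: ten one-second telemetry records (not real drone logs)."""
    return [{"t": float(s), "rssi": rssi - (s + i) % 3, "sent": 100,
             "recv": 100 - drop - (s + i) % 2, "pkt_len": 512 + i % 4,
             "power_w": 40 + s % 2 + (surge if s == 5 else 0)} for s in range(10)]

def window_features(records):
    """Collapse one window of time-series telemetry into a feature vector."""
    power = [r["power_w"] for r in records]
    pairs = list(zip(records, records[1:]))
    return {
        "rssi_mean": statistics.fmean(r["rssi"] for r in records),  # dBm, assumed unit
        "loss_rate": 1 - sum(r["recv"] for r in records) / sum(r["sent"] for r in records),
        "gap_mean": statistics.fmean(b["t"] - a["t"] for a, b in pairs),  # interarrival time
        "pkt_len_mean": statistics.fmean(r["pkt_len"] for r in records),
        "power_step_max": max(abs(b - a) for a, b in zip(power, power[1:])),  # surge size
    }

def fit_baseline(normal_windows):
    """Per-feature median and spread (MAD) learned from windows known to be normal."""
    base = {}
    for key in normal_windows[0]:
        vals = [w[key] for w in normal_windows]
        med = statistics.median(vals)
        mad = statistics.median(abs(v - med) for v in vals)
        # Floor the spread so a feature that never varied in training does not fire on noise.
        base[key] = (med, max(mad, 0.01 * abs(med), 1e-9))
    return base

def out_of_range(features, base, threshold=3.5):
    """Return {feature: robust z-score} for every feature outside its normal range."""
    flagged = {}
    for key, (med, spread) in base.items():
        z = 0.6745 * (features[key] - med) / spread
        if abs(z) > threshold:
            flagged[key] = round(z, 1)
    return flagged

BASELINE = fit_baseline([window_features(constructed_window(i)) for i in range(8)])
SUSPECT = window_features(constructed_window(0, rssi=-88, drop=20, surge=25.0))
```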
The drone forensic process comprising machine-learning-based model generation and
analysis may suffer from several limitations listed as follows:
1. Limits to the volume of training data that may be available during the training phase
of the machine-learning process;
2. Unclear demarcation in the classes of normal and anomalous data retrieved from
previously crashed/confiscated drones;
3. Inability of the machine-learning algorithm to accurately classify live drone data into
normal or anomalous (with a high degree of admissible accuracy).
5. Conclusions
Drones are prone to compromise as well as to adoption by malicious actors to carry
out criminal activities. Drones confiscated from a crash site or from a suspect need to be
examined for evidence that may be presented in a court of law to implicate the perpetrators.
We have provided a review of existing forensic frameworks suited for drone forensics,
machine-learning techniques as found in the literature and their adaptability for drone data
analysis, and finally, a model for implementation of machine-learning-based analysis of
captured drone data to support digital forensics investigation. The future direction of this
work would comprise hands-on activities for drone data generation, data collection, and
adoption of the posed machine-learning techniques for conducting a robust digital forensic
investigation.
Author Contributions: Conceptualization, Z.B. and N.M.; methodology, Z.B.; validation, M.A.K.,
G.B.B. and Z.B.; project administration, Z.B. All authors have read and agreed to the published
version of the manuscript.
Funding: This research was funded by Prince Mohammad Bin Fahd University, PCC-Grant-202103.
Institutional Review Board Statement: Not applicable.
Informed Consent Statement: Not applicable.
Conflicts of Interest: The authors declare no conflict of interest.
References
1. Renduchintala, A.; Jahan, F.; Khanna, R.; Javaid, A.Y. A comprehensive micro unmanned aerial vehicle (UAV/Drone) forensic
framework. Digit. Investig. 2019, 30, 52–72. [CrossRef]
2. Drone Technology Uses and Applications for Commercial, Industrial and Military Drones in 2021 and the Future. 2021. Available
online: https://www.businessinsider.com/drone-technology-uses-applications (accessed on 14 April 2022).
3. Hummel, K.A.; Pollak, M.; Krahofer, J. A distributed architecture for human-drone teaming: Timing challenges and interaction
opportunities. Sensors 2019, 19, 1379. [CrossRef] [PubMed]
4. Yanmaz, E.; Quaritsch, M.; Yahyanejad, S.; Rinner, B.; Hellwagner, H.; Bettstetter, C. Communication and coordination for drone
networks. In Ad hoc Networks; Springer: Berlin/Heidelberg, Germany, 2017; pp. 79–91.
5. Tanaka, H.; Matsumoto, Y. Autonomous Drone Guidance and Landing System Using AR/high-accuracy Hybrid Markers.
In Proceedings of the 2019 IEEE 8th Global Conference on Consumer Electronics (GCCE), Osaka, Japan, 15–18 October 2019;
pp. 598–599.
6. Yousef, M.; Iqbal, F. Drone forensics: A case study on a DJI Mavic Air. In Proceedings of the 2019 IEEE/ACS 16th International
Conference on Computer Systems and Applications (AICCSA), Abu Dhabi, United Arab Emirates, 3–7 November 2019; pp. 1–3.
7. Bouafif, H.; Kamoun, F.; Iqbal, F.; Marrington, A. Drone forensics: Challenges and new insights. In Proceedings of the 2018 9th
IFIP International Conference on New Technologies, Mobility and Security (NTMS), Paris, France, 26–28 February 2018; pp. 1–6.
8. Flynt, J. How Much Weight Can a Drone Carry? Available online: https://3dinsider.com/drone-payload/ (accessed on 14 April
2022).
9. Flynt, J. 5 Best Heavy Lift Drones-Large Drones That Have High Lift Capacity. Available online: https://www.dronethusiast.
com/heavy-lift-drones/ (accessed on 14 April 2022).
10. Al-Room, K.; Iqbal, F.; Baker, T.; Shah, B.; Yankson, B.; MacDermott, A.; Hung, P.C. Drone Forensics: A Case Study of Digital
Forensic Investigations Conducted on Common Drone Models. Int. J. Digit. Crime Forensics (IJDCF) 2021, 13, 1–25. [CrossRef]
11. Renduchintala, A.L.S.; Albehadili, A.; Javaid, A.Y. Drone forensics: Digital flight log examination framework for micro drones. In
Proceedings of the 2017 International Conference on Computational Science and Computational Intelligence (CSCI), Las Vegas,
NV, USA, 14–16 December 2017; pp. 91–96.
12. Yousef, M.; Iqbal, F.; Hussain, M. Drone forensics: A detailed analysis of emerging DJI models. In Proceedings of the 2020 11th
International Conference on Information and Communication Systems (ICICS), Irbid, Jordan, 7–9 April 2020; pp. 66–71.
13. Iqbal, F.; Alam, S.; Kazim, A.; MacDermott, Á. Drone forensics: A case study on DJI phantom 4. In Proceedings of the 2019
IEEE/ACS 16th International Conference on Computer Systems and Applications (AICCSA), Abu Dhabi, United Arab Emirates,
3–7 November 2019; pp. 1–6.
14. Lan, J.K.W.; Lee, F.K.W. Drone Forensics: A Case Study on DJI Mavic Air 2. In Proceedings of the 2022 24th International
Conference on Advanced Communication Technology (ICACT), Seoul, Korea, 13–16 February 2022; pp. 291–296.
Sustainability 2022, 14, 4861 16 of 17
15. Bouafif, H.; Kamoun, F.; Iqbal, F. Towards a better understanding of drone forensics: A case study of parrot AR drone 2.0. Int. J.
Digit. Crime Forensics (IJDCF) 2020, 12, 35–57. [CrossRef]
16. Barton, T.E.A.; Azhar, M.H.B. Forensic analysis of popular UAV systems. In Proceedings of the 2017 Seventh International
Conference on Emerging Security Technologies (EST), Canterbury, UK, 6–8 September 2017; pp. 91–96.
17. Carrier, B. Open Source Digital Forensics Tools: The Legal Argument. 2002. http://www.atstake.com/ (accessed on 14 April
2022).
18. Harvey, P. Exiftool for Linux. Available online: http://www.sno.phy.queensu.ca/phil/exiftool/ (accessed on 14 April 2022).
19. Trujano, F.; Chan, B.; Beams, G.; Rivera, R. Security analysis of dji phantom 3 standard. Mass. Inst. Technol. 2016. Available online:
https://courses.csail.mit.edu/6.857/2016/files/9.pdf (accessed on 14 April 2022).
20. Clark, D.R.; Meffert, C.; Baggili, I.; Breitinger, F. DROP (DRone Open source Parser) your drone: Forensic analysis of the DJI
Phantom III. Digit. Investig. 2017, 22, S3–S14. [CrossRef]
21. Kao, D.Y.; Chen, M.C.; Wu, W.Y.; Lin, J.S.; Chen, C.H.; Tsai, F. Drone forensic investigation: DJI spark drone as a case study.
Procedia Comput. Sci. 2019, 159, 1890–1899. [CrossRef]
22. Alhawiti, K.M. Advances in artificial intelligence using speech recognition. Int. J. Comput. Inf. Eng. 2015, 9, 1432–1435.
23. Nadkarni, P.M.; Ohno-Machado, L.; Chapman, W.W. Natural language processing: An introduction. J. Am. Med. Inform. Assoc.
2011, 18, 544–551. [CrossRef]
24. Murphy, R.R. Introduction to AI Robotics; MIT Press: Cambridge, MA, USA, 2019.
25. Abdallah, A.; Maarof, M.A.; Zainal, A. Fraud detection system: A survey. J. Netw. Comput. Appl. 2016, 68, 90–113. [CrossRef]
26. Kulik, S. Neural network model of artificial intelligence for handwriting recognition. J. Theor. Appl. Inf. Technol. 2015, 73, 202–211.
27. Voronin, V.; Marchuk, V.; Semenishchev, E.; Makov, S.; Creutzburg, R. Digital inpainting with applications to forensic image
processing. Electron. Imaging 2016, 28, 1–7.
28. Francisca, O.; Ogbuju, E.; Alayesanmi, F.; Musa, A. The State of the Art in Machine Learning-Based Digital Forensics. SSRN Elec.
J. 2020, doi: 10.2139/ssrn.3668687. [CrossRef]
29. Bertino, E.; Kantarcioglu, M.; Akcora, C.G.; Samtani, S.; Mittal, S.; Gupta, M. AI for Security and Security for AI. In Proceedings
of the Eleventh ACM Conference on Data and Application Security and Privacy, Virtual, 26–28 April 2021; pp. 333–334.
30. Bithas, P.S.; Michailidis, E.T.; Nomikos, N.; Vouyioukas, D.; Kanatas, A.G. A survey on machine-learning techniques for
UAV-based communications. Sensors 2019, 19, 5170. [CrossRef] [PubMed]
31. Hachimi, M.; Kaddoum, G.; Gagnon, G.; Illy, P. Multi-stage jamming attacks detection using deep learning combined with
kernelized support vector machine in 5g cloud radio access networks. In Proceedings of the 2020 International Symposium on
Networks, Computers and Communications (ISNCC), Montreal, QC, Canada, 20–22 October 2020; pp. 1–5.
32. Luo, P.; Wang, B.; Li, T.; Tian, J. ADS-B anomaly data detection model based on VAE-SVDD. Comput. Secur. 2021, 104, 102213.
[CrossRef]
33. Xiao, L.; Xie, C.; Min, M.; Zhuang, W. User-centric view of unmanned aerial vehicle transmission against smart attacks. IEEE
Trans. Veh. Technol. 2017, 67, 3420–3430. [CrossRef]
34. Hoang, T.M.; Duong, T.Q.; Tuan, H.D.; Lambotharan, S.; Hanzo, L. Physical layer security: Detection of active eavesdropping
attacks by support vector machines. IEEE Access 2021, 9, 31595–31607. [CrossRef]
35. Carrio, A.; Sampedro, C.; Rodriguez-Ramos, A.; Campoy, P. A review of deep learning methods and applications for unmanned
aerial vehicles. J. Sens. 2017, 2017, 3296874. [CrossRef]
36. Rydén, H.; Redhwan, S.B.; Lin, X. Rogue drone detection: A machine learning approach. In Proceedings of the 2019 IEEE Wireless
Communications and Networking Conference (WCNC), Marrakesh, Morocco, 15–18 April 2019; pp. 1–6.
37. Al-Emadi, S.; Al-Ali, A.; Al-Ali, A. Audio-Based Drone Detection and Identification Using Deep Learning Techniques with
Dataset Enhancement through Generative Adversarial Networks. Sensors 2021, 21, 4953. [CrossRef]
38. Lee, D.; La, W.G.; Kim, H. Drone detection and identification system using artificial intelligence. In Proceedings of the 2018
International Conference on Information and Communication Technology Convergence (ICTC), Jeju, Korea, 17–19 October 2018;
pp. 1131–1133.
39. CVOnline-Image Databases. Available online: https://homepages.inf.ed.ac.uk/rbf/CVonline/Imagedbase.htm (accessed on 14
April 2022).
40. Ahn, H. Deep learning based anomaly detection for a vehicle in swarm drone system. In Proceedings of the 2020 International
Conference on Unmanned Aircraft Systems (ICUAS), Athens, Greece, 1–4 September 2020; pp. 557–561.
41. Jeong, S.; Bito, J.; Tentzeris, M.M. Design of a novel wireless power system using machine learning techniques for drone
applications. In Proceedings of the 2017 IEEE Wireless Power Transfer Conference (WPTC), Taipei, Taiwan, 10–12 May 2017;
pp. 1–4.
42. Sciancalepore, S.; Ibrahim, O.A.; Oligeri, G.; Di Pietro, R. PiNcH: An effective, efficient, and robust solution to drone detection via
network traffic analysis. Comput. Netw. 2020, 168, 107044. [CrossRef]
43. Nemer, I.; Sheltami, T.; Ahmad, I.; Yasar, A.U.H.; Abdeen, M.A.R. RF-Based UAV Detection and Identification Using Hierarchical
Learning Approach. Sensors 2021, 21, 1947. doi: [CrossRef]
44. Shoufan, A.; Al-Angari, H.M.; Sheikh, M.F.A.; Damiani, E. Drone Pilot Identification by Classifying Radio-Control Signals. IEEE
Trans. Inf. Forensics Secur. 2018, 13, 2439–2447. doi: [CrossRef]
Sustainability 2022, 14, 4861 17 of 17
45. Sciancalepore, S.; Ibrahim, O.A.; Oligeri, G.; Di Pietro, R. Detecting Drones Status via Encrypted Traffic Analysis. In Proceedings
of the ACM Workshop on Wireless Security and Machine Learning (WiseML 2019), Miami, FL, USA, 15–17 May 2019; Association
for Computing Machinery: New York, NY, USA, 2019; pp. 67–72. doi: [CrossRef]
46. Park, J.; Kim, Y.; Seok, J. Prediction of information propagation in a drone network by using machine learning. In Proceedings
of the 2016 International Conference on Information and Communication Technology Convergence (ICTC), Jeju, Korea, 19–21
October 2016; pp. 147–149.
47. Al-Dhaqm, A.; Ikuesan, R.A.; Kebande, V.R.; Razak, S.; Ghabban, F.M. Research Challenges and Opportunities in Drone Forensics
Models. Electronics 2021, 10, 1519. doi: [CrossRef]
48. Viswanathan, S.; Baig, Z. Digital Forensics for Drones: A Study of Tools and Techniques. In International Conference on Applications
and Techniques in Information Security; Springer: Berlin/Heidelberg, Germany, 2020; pp. 29–41.
49. Mekala, S.H.; Baig, Z. Digital Forensics for Drone Data–Intelligent Clustering Using Self Organising Maps. In Future Network
Systems and Security; Doss, R., Piramuthu, S., Zhou, W., Eds.; Springer International Publishing: Cham, Switzerland, 2019;
pp. 172–189.
50. Fei, B.; Eloff, J.; Venter, H.; Olivier, M. Exploring forensic data with self-organizing maps. In Ifip International Conference on Digital
Forensics; Springer: Berlin/Heidelberg, Germany, 2005; pp. 113–123.
51. Feyereisl, J.; Aickelin, U. Self-organizing maps in computer security. In Computer Security: Intrusion, Detection and Prevention;
Hopkins, R.D., Ed.; University of Melbourne: Melbourne, VIC, Australia, 2009; pp. 1–30.
52. Adelstein, F. Live forensics: Diagnosing your system without killing it first. Commun. ACM 2006, 49, 63–66. [CrossRef]
53. He, H.; Ma, Y. Imbalanced Learning: Foundations, Algorithms, and Applications; Wiley-IEEE Press: Hoboken, NJ, USA, 2013.