When Georgian law enforcement seized more than 90 drones in 2024 as part of Operation SkyHawk, they weren’t just collecting contraband — they were collecting evidence. Cellular metadata from SIM-enabled aircraft, GPS flight logs, device records from recovered hardware: pieced together, they helped identify a multistate prison-contraband network that ended in 150 arrests. That is drone forensics at scale, and it represents a discipline that has moved from niche capability to law enforcement necessity faster than the tooling and standards have been able to follow.

A recovered drone is, forensically speaking, a dense physical artifact. It carries GPS home points and waypoint histories, timestamped altitude and velocity data, onboard photos and video, serial numbers traceable to purchase records, and — if paired to a mobile device — a link to an operator’s app, account credentials, and social media coordination evidence. Remote ID–compliant aircraft (those over 250 grams, with FAA operator compliance required as of 2024) also broadcast identification and location information via Wi-Fi or Bluetooth. That passive, automatically stored record has become a new forensic layer that predates any investigator’s arrival at a scene. It does not, however, exist for drones under 250 grams — a category that includes most off-the-shelf FPV platforms and an expanding range of commercial micro-UAS.

Four Evidence Locations and the Encryption Problem

DJI controls between 70 and 75 percent of the global consumer and prosumer drone market, which makes its proprietary log format the dominant forensic challenge in the field. On any DJI platform, evidence lives in four places: the drone’s internal memory (encrypted DAT files), a removable SD card, the paired mobile device, and DJI cloud services including FlightHub. Of these, the paired mobile device is frequently the most forensically accessible. On iOS, DJI flight logs reside at Documents/FlightRecords/MCDatFlightRecords/; on Android, at /sdcard/DJI/dji.go.v5/FlightRecord/, with shared preferences protected by AES-256 encryption.

Older DJI DAT files can be processed with DatCon, a free tool that outputs more than 279 data columns — GPS coordinates, altitude, motor speeds, velocity components. But DatCon cannot handle encrypted logs from the Mavic Air, Mavic 2, Mavic Air 2, Mavic Mini, or Neo series. For version 13 and later DJI flight logs, decryption requires API keys obtained through DJI’s Developer Technologies portal. The open-source dji-log-parser (MIT licensed) is, per a 2025 analysis by researcher Mathias Fuchs, “apparently the only free tool supporting version 13+ encrypted logs” — and it still requires those API keys. Commercial tools fill the gap at considerable expense: Cellebrite UFED, licensed at $6,000–$15,000 per year, supports multiple DJI models and can recover deleted data. Magnet AXIOM from version 7.8 onward “Decrypts encrypted flight logs from DJI Fly apps via online key exchange with DJI servers,” per its product documentation. Oxygen Forensic Detective extends support further, covering DJI, Parrot, ArduPilot, AWM, iFlight, and PX4-based platforms, with data sources spanning mobile apps, cloud services, internal memory, SD cards, computer backups, and third-party drone management software.

The forward edge of the encryption problem is DJI’s 151-gram Neo2, released in November 2025. It stores 49 gigabytes internally with no microSD slot, mounts as USB mass storage when powered off via USB-C, but requires online decryption services for its logs. Tamper-evident glue-embedded connectors complicate physical access. When software pathways are blocked — by damage, wiped storage, or construction like the Neo2’s — investigators turn to hardware extraction. Hot-air rework stations ($150–$800), chip readers such as the UP-828P ($300–$500), and JTAG boxes such as the RIFF Box 2 ($300–$500) allow direct access to circuit-board memory. For 8-pin SOIC SPI flash chips, a $15 CH341A USB programmer may be sufficient. Custom and FPV platforms present their own log formats: Betaflight flight controllers record PID controller data, gyroscope readings, motor outputs, and GPS at up to 200 Hz on SPI flash; ArduPilot and Pixhawk platforms write comprehensive telemetry — attitude, GPS, stick inputs, executed commands — to DataFlash .bin files on SD card.
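As an added illustration (not code from the original article or from the ArduPilot project), a minimal reader for the DataFlash .bin container mentioned above: each record opens with the sync bytes 0xA3 0x95 and a type id, and FMT records (id 0x80) declare the layout of every other type. The reduced "GPS" layout and the sample bytes are constructed for the example, and only the common field codes are handled.

```python
import struct

HEAD = b"\xa3\x95"                       # sync bytes that open every record
FMT_ID = 0x80                            # FMT record: declares another record's layout
FMT_BODY = struct.Struct("<BB4s16s64s")  # type id, total length, name, format, labels
# DataFlash field code -> (struct code, divisor applied to the raw value)
CODES = {
    "b": ("b", 1), "B": ("B", 1), "h": ("h", 1), "H": ("H", 1), "i": ("i", 1),
    "I": ("I", 1), "q": ("q", 1), "Q": ("Q", 1), "f": ("f", 1), "d": ("d", 1),
    "M": ("B", 1), "n": ("4s", 1), "N": ("16s", 1), "Z": ("64s", 1),
    "c": ("h", 100), "C": ("H", 100), "e": ("i", 100), "E": ("I", 100), "L": ("i", 1e7),
}

def text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_dataflash(blob):
    """Return (records, skipped_byte_count), resyncing past junk and truncation."""
    formats, records, skipped, pos = {}, [], 0, 0
    while pos + 3 <= len(blob):
        msg_id, body = blob[pos + 2], pos + 3
        synced = blob[pos:pos + 2] == HEAD
        if synced and msg_id == FMT_ID and body + FMT_BODY.size <= len(blob):
            tid, length, name, fmt, labels = FMT_BODY.unpack_from(blob, body)
            codes = [CODES.get(c) for c in text(fmt)]
            if all(codes):  # layouts with codes not handled here stay unregistered
                layout = struct.Struct("<" + "".join(c for c, _ in codes))
                if layout.size + 3 == length:  # declared length must match the format
                    formats[tid] = (text(name), text(labels).split(","), layout,
                                    [d for _, d in codes])
            pos = body + FMT_BODY.size
        elif synced and msg_id in formats and body + formats[msg_id][2].size <= len(blob):
            name, labels, layout, divs = formats[msg_id]
            raw = layout.unpack_from(blob, body)
            vals = [text(v) if isinstance(v, bytes) else v / d if d != 1 else v
                    for v, d in zip(raw, divs)]
            records.append((name, dict(zip(labels, vals))))
            pos = body + layout.size
        else:  # junk, unknown type or truncated record: slide one byte and resync
            pos, skipped = pos + 1, skipped + 1
    return records, skipped

# Constructed sample: FMT for a reduced, hypothetical "GPS" layout, junk, one record
SAMPLE = (
    HEAD + bytes([FMT_ID]) + FMT_BODY.pack(130, 24, b"GPS", b"QBLLe", b"TimeUS,Status,Lat,Lng,Alt")
    + b"\xff\x00\xa3"  # debris such as a chip-off image can contain
    + HEAD + bytes([130]) + struct.pack("<QBiii", 5_000_000, 3, 337490000, -843880000, 31250)
)
```

The skipped-byte count is worth recording in case notes: a nonzero value means the image contained data the parser could not attribute to any declared record type.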

From Teardown to Indictment: Battlefield Component Forensics

Law enforcement forensics and battlefield intelligence forensics have converged on the same core discipline through different threat pressures. Conflict Armament Research, which investigates weapons systems recovered in active conflict zones, analyzed four UAS recovered in Ukraine in November 2022 — one Shahed-131, two Shahed-136, and one Mohajer-6 — and traced 495 components to manufacturers across 13 countries.

“More than 70 manufacturers based in 13 different countries and territories produced these components, with 82 per cent of them manufactured by companies based in the United States.” — CAR November 2022 report on Shahed/Mohajer UAS components

A subsequent CAR analysis of Russian-produced Geran-2 UAVs found, according to Conflict Armament Research reporting, that they consisted almost entirely of components manufactured outside the Russian Federation — including by manufacturers in China, Switzerland, and the United States. The teardown of Russia’s Lancet strike drone revealed an Nvidia Jetson TX2 AI module and a Xilinx Zynq system-on-chip enabling real-time AI-assisted targeting — both commercial off-the-shelf components. CAR also documented more than 800 missile and UAV components from maritime seizures in the Red Sea during 2024 and 2025, tracing supply networks used by Houthi forces.

Component forensics produces criminal liability, not just intelligence. In December 2024, the U.S. Department of Justice indicted individuals for conspiring to illegally export U.S. drone navigation technology to Iran. The same navigation system was determined to have been used in the drone that struck the Tower 22 base in Jordan in January 2024, killing three U.S. service members. That is the direct line from component teardown to federal prosecution — and it is not a hypothetical.

Standards, Certification, and the Discipline Being Built in Real Time

NIST’s Computer Forensic Reference Datasets project established a baseline for the field. Built in collaboration with VTO Labs, the dataset includes forensic images from 14 drone makes and models, projected to expand to 30. Each image contains serial numbers, flight paths, geolocation data, launch and landing coordinates, photos, videos, user databases, and recoverable deleted files. VTO Labs used three units per model: one kept intact for software extraction, one disassembled for circuit-board and camera analysis, and a third for chip-off extraction; pilot controls and remote devices were disassembled separately.

“The drone images will allow investigators to do a dry run before working on high-profile cases,” said Barbara Guttman, manager of digital forensic research at NIST. NIST’s Computer Forensic Tool Testing program establishes test specifications and validation hardware for forensic software tools generally, but as of the project’s publication there was no standardized validation framework specifically for drone forensic tools — a gap the discipline has not closed.

Certification pathways exist but are not interoperable. Vendors including Cellebrite, IACIS, and Oxygen Forensics offer drone-forensics certification courses. There is no federal standard governing which qualifications an expert must hold before testifying to drone forensic evidence in a criminal proceeding.

Why It Matters

The threat environment makes these gaps consequential. Rogue drone incursions into NFL stadium restricted airspace rose from approximately 12 in 2017 to 2,845 in 2023 — an increase the Combating Terrorism Center at West Point characterizes as more than 20,000 percent. Federal prison drone-incident reports increased 2,000 percent from 2018 to the period studied, from 23 annual incidents to 479, with operators documented flying heavy-lift drones carrying 25-pound payloads at 75 mph from more than 100 miles away. In an Ohio prison-smuggling case, forensic analysis of GPS flight logs led investigators directly to the operators’ staging areas. A Southern California fentanyl-smuggling operation was dismantled through forensic analysis of flight logs and video footage. Federal law enforcement agencies have flagged a rising trend in drone use linked to criminal activity on U.S. soil.

Forensic evidence has real limits. Serial numbers identify a device, not its operator. GPS coordinates can be spoofed or disabled. Sub-250-gram aircraft are exempt from Remote ID. Criminal operations frequently span multiple devices, multiple accounts, and multiple jurisdictions. As SkySafe notes, “attribution is not always definitive.”
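Because positions can be spoofed or missing, a decoded flight log is normally checked for internal consistency before its first and last fixes are treated as a launch or staging point. The sketch below is an added example, not taken from any tool named in this article; it assumes fixes already decoded to (seconds, latitude, longitude) tuples, and the thresholds and sample track are constructed.

```python
import math

MAX_SPEED_MPS = 35.0  # assumed airframe ceiling (about 78 mph); set per platform
MAX_GAP_S = 5.0       # assumed longest normal interval between fixes

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))

def review_track(fixes):
    """Return first/last valid fix and a list of (time, reason) anomalies."""
    fixes = [f for f in fixes if (f[1], f[2]) != (0.0, 0.0)]  # drop no-lock placeholders
    if not fixes:
        return {"launch": None, "landing": None, "anomalies": []}
    anomalies = []
    for prev, cur in zip(fixes, fixes[1:]):
        dt = cur[0] - prev[0]
        dist = haversine_m(prev[1:], cur[1:])
        if dt <= 0:
            anomalies.append((cur[0], "timestamp not increasing"))
        elif dt > MAX_GAP_S:
            anomalies.append((cur[0], f"gap of {dt:.0f}s in position record"))
        elif dist / dt > MAX_SPEED_MPS:  # jump no airframe could fly: glitch or spoofing
            anomalies.append((cur[0], f"implied speed {dist / dt:.0f} m/s"))
    return {"launch": fixes[0][1:], "landing": fixes[-1][1:], "anomalies": anomalies}

# Constructed track: no-lock fix, normal flight, a 1.1 km jump in 1 s, then a 35 s gap
TRACK = [
    (0, 0.0, 0.0),
    (1, 39.96000, -82.99000),
    (2, 39.96010, -82.99000),
    (3, 39.96020, -82.99000),
    (4, 39.97020, -82.99000),
    (5, 39.97030, -82.99000),
    (40, 39.96005, -82.99000),
]
```

Anomalies do not prove tampering; they mark the segments where the position record needs corroboration from another source, such as video, cellular metadata or the paired device.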

What drone forensics offers is not certainty but evidentiary leverage: the capacity to move, as SkySafe puts it, beyond situational awareness toward “actionable evidence that can support enforcement and accountability.” That capacity is being built in real time, by investigators, standards bodies, tool vendors, and battlefield researchers who are all running to catch up with a threat that did not wait for them.
