Cyber4Drone: A Systematic Review of Cyber Security and Forensics in Next-Generation Drones

Cyber Security and forensics for Unmanned Aerial Vehicles (UAVs) pose unique requirements, solutions, and challenges. As UAVs become increasingly prevalent for legitimate and illegal use, ensuring their security and data integrity is important. Solutions have been developed to tackle these security requirements. Drone forensics enables the investigation of security incidents involving UAVs, aiding in identifying attackers or determining the cause of accidents. However, challenges persist in the domain of UAV security and forensics. This paper surveys drone threat models, security, and privacy aspects. In particular, we present the taxonomy of drone forensics for investigating drone systems and talk about relevant artifacts, tools, and benchmark datasets. While solutions exist, challenges such as evolving technology and complex operational environments must be addressed through collaboration, updated protocols, and regulatory frameworks to ensure drones' secure and reliable operation. Furthermore, we also point out the field's difficulties and potential future directions.


Introduction
Unmanned Aerial Vehicles (UAVs), commonly known as drones, are controlled and piloted remotely and are employed for defense and rescue missions. Drones were primarily used for defense purposes (for example, they are highly utilized in the Ukraine-Russia war), but in recent years, their use for civilian purposes has grown significantly. Drones are being used for tasks such as patrolling and policing, search and rescue, agrotech and videography, and preventing and identifying poachers due to the domination of the digital lifestyle. Additionally, drones have been found in unintended violations of no-fly zones, raising the possibility that terrorists could use them to cause terror and possibly other harm [1]. By 2025, the worldwide drone industry is anticipated to reach $42.8 billion, growing 13.8% annually [2].
Cyber forensics is the domain of forensic science that deals with gathering evidence from digital devices and analyzing events. Drone forensics deals with the forensic analysis of drones for investigation purposes. The popularity and affordability of drones have also increased their use in illegal activities. Investigations depend heavily on the drone taken from the crime scene and the gadgets it was attached to. Evidence can be gleaned from a drone and its ground controller, including the drone's identification number, prior flight locations, camera images, logs, and software used. Drone forensics is difficult because it relies on volatile memory and dynamic data that might be lost when the battery is discharged [3,4]. When criminals utilize technology to hide their tracks, law enforcement officers are left to try and retrieve evidence from their computers, phones, or storage drives for investigations. Authorities need a dependable way to extract data from these seized drones so that the evidence is stored and acceptable in court.
Currently, recreational drone usage dominates the landscape, with enthusiasts being the primary users. However, major companies such as Amazon, Google, and Meta have ambitious plans to incorporate drones into their operations for delivering goods and services. As the number of operational drones continues to rise, it is expected that an increase in security, privacy, and safety concerns will follow. Drones can be controlled remotely or autonomously through onboard computers [5]. Drones rely on a network of sensors and actuators that establish communication with the Ground Control System (GCS) via wireless links. Consequently, drones become vulnerable to potential attacks targeting their cyber and/or physical components, the interface between them, the wireless link, or even a combination of multiple components. In a popular example of drone takeover, an American drone that purportedly breached Iranian airspace was successfully landed by an Iranian cyber warfare team [6]. A possible sequence of events reveals that a combination of cyber attacks was deployed, wherein all contacts with the drone were initially cut off by jamming both the satellite and ground control signals. Further, a GPS spoofing attack was initiated to deceive the drone into believing it was landing in its home base by feeding it with manipulated GPS data to make it land in Iran.
Due to the significance of drone security, this paper analyzes recent drone system assaults. This work also focuses on protocols, related threats, targeted security features, and solutions proposed in the literature. It examines the related security and privacy challenges of drones. It also presents a comprehensive drone forensics methodology for the analysis of drone systems and talks about relevant artifacts, tools, and benchmark datasets. The findings of this study will help academics and developers better understand the state of drone forensics and security today.
Methodology: The research methodology selected for this paper amounts to a systematic literature review, in which a rigid framework for searching the literature is used to answer precise research questions. This is to ensure accurate and impartial data search and retrieval. For the review of the literature, we used the snowballing approach. A preliminary collection of papers was identified via a database search utilizing relevant keywords and filters. The search engines used were DTU Findit, Google Scholar, Semantic Scholar, and Scopus. Following the selection of the beginning set, a number of iterations of snowballing were conducted, using the reference lists of the papers that had previously been included to find new ones to add (backward snowballing). Additionally, we took into account publications that mentioned previously processed ones (forward snowballing). Finally, all publications that were recognized moved on to the data extraction stage, which was carried out in line with the research study. In our review, we used keywords such as drone, UAV, security, and forensics and their synonyms and keyword combinations for searching. Figure 1 provides a glimpse of the publishing pattern over the last decade.
Contributions of the paper: This systematic survey aims to review and classify the existing drone forensic techniques. A taxonomy is designed based on forensic artifacts, their type, generation method, and location. In particular, we describe the process of conducting a UAV forensic investigation, together with drone artifacts, forensic analysis tools, and benchmark datasets. Furthermore, this review presents drone architecture, threat models, and attack scenarios. This survey would help in understanding the current state of the drone ecosystem.
Structure of the paper: In Section 3, we present an overview of the drone and its architecture. Section 4 defines the identified threats and attack models. Security and privacy issues of drone systems are detailed in Section 5. Section 6 discusses the proposed drone forensics framework, forensic artifacts, related tools, and benchmark datasets. Furthermore, we discuss and present future challenges in Section 7. Finally, we conclude this work in Section 8.

Related Works
Numerous review studies have covered the privacy and security concerns with drones. These earlier survey investigations have contributed to building a strong grasp of the problems. Table 1 compares our proposed work with a brief summary of the existing survey research on drone security problems and forensics. To the best of our knowledge, the level of security concerns and forensics related to the various categories of drones is lacking from the reviews that have already been published. Additionally, most papers offer scant details on the problems or conducted research before the drone paradigm existed. We identified related reviews/surveys in drone forensics during our keyword searches. Gulatacs et al. [7] introduced a comprehensive seven-phase framework for UAV digital forensics investigation. Their study focused on the Phantom III model and involved a meticulous examination of three distinct types of forensic evidence. Among the artifacts analyzed, the EXIF header of photographs taken by the UAV's onboard camera played a crucial role. Additionally, two log files stored as binary files were scrutinized, along with the EXIF headers of the captured images, which enabled the reconstruction of the UAV's flight path.
Salamh et al. [8] discussed discovering personally identifiable information, testing, and evaluating currently available forensic software tools. Furthermore, the researchers examined data storage mechanisms and evidence organization within two DJI UAV models, namely the Phantom 4 and Matrice 210. Their study also involved investigating the retrieval of flight trajectories from UAVs through the utilization of 3D visualization software. Yahuza et al. [9] examine recent trends in Internet of Drones (IoD) network security and privacy challenges and the extent of security and privacy vulnerabilities posed by various drone categories. They also discuss the necessity for a secure IoD architecture and recommend one. A detailed taxonomy of assaults on the IoD network is also presented.
Salamh et al. [10] present a ten-phase technical forensic process for studying forensic evidence from Remotely Piloted Aerial Systems (RPAS), which can help simplify drone identification and investigation. They analyzed drone photos from the Computer Forensics Reference Datasets (CFReDS) for drone identification. Clark et al. [11] discussed the primary account for specific file structures stored by the studied drone and the primary detailed forensic investigation of the DJI Phantom III drone. The research includes preliminary findings on TXT files, proprietary, encrypted, and encoded files on the drone's mobile device. These files contained a wealth of information, including GPS coordinates, battery life, and flight time. The widely acceptable open-access tool Drone Open Source Parser (DROP), which parses copyrighted DAT files taken from the drone's nonvolatile internal storage, is also presented.
Yaacoub et al. [12] examined the new hazards posed by drones in cyber attacks and methods to counter these attacks. Furthermore, they provided a comprehensive overview of the use of drones in various domains. A practical attack scenario is demonstrated against a specific drone model. It enables them to adopt and develop new tactics and technologies for improved UAV attack detection and defense.
Al-Room et al. [13] looked into six different drone brands widely utilized in illegal activities and collected forensically relevant data such as GPS location, photographs and videos, flight paths of the drones, and information on the drone's ownership. The experiment showed that drone forensics might help law enforcement agencies acquire essential information for criminal investigations.
Security and privacy in the age of commercial drones are investigated by Nassi et al. [14]. It provides a framework for analyzing attack and prevention strategies, conducting a thorough evaluation, and identifying scientific flaws. It also includes a list of societal targets, profiles of attackers, an examination of threats, a technique for analyzing preventative measures, and a full review. They have also provided a method for evaluating countermeasures, comprehensive examination, and identification of scientific gaps.
The forensic investigation study thoroughly examines a Parrot AR drone 2.0 [15] to enhance our understanding of drone forensics, encompassing various challenges, forensic investigation procedures, and experimental discoveries. The authors provide novel perspectives on drone forensics by exploring forensic methodologies, obtaining access to the drone's digital storage, and retrieving significant data. These valuable insights aid digital forensic investigators in determining ownership, recovering flight data, and accessing media assets.

Overview of Drones
The primary components of a drone system include a Ground Station Controller, physical sensors, actuators, a Power Management System (PMS), a Flight Control Board (FCB), a rotor system, an Electronic Speed Controller (ESC), and a Transceiver Control Unit (TCU). These crucial elements, such as ESC, FCB, TCU, and PMS, can serve as potential sources for drone forensics procedures. They store vital data related to flight control, flight records, internal monitoring, and information from transceivers and sensors mounted on the drone. It is important to note that the specific components may vary depending on the drone's purpose or usage. Additionally, inertial sensors are responsible for altering control surfaces and thrust, while navigation components, such as GPS, Compass, Galileo, GLONASS, or other inertial sensors, aid in drone navigation by adjusting thrust and control surfaces.

Drone Architecture
The three primary components of a drone system are the drone, the Ground Control System (GCS), and the data communication link. An aircraft, a power source, a flight controller, a precise navigation system, and a sensor system are primary components of a drone. An architecture of a drone system and its primary components are shown in Figure 2.

Drone Craft
The drone system's central mobile component is the drone craft, which resembles a flying robot that can be operated remotely or fly autonomously using software-controlled flight plans integrated into the system. There are four main types of drones: Multi-Rotor Drones, Fixed-Wing Drones, Single-Rotor Drones, and Fixed-Wing Hybrid VTOL (Vertical Take-Off and Landing) drones. Multi-rotor aircraft equipped with multiple motors come in various configurations, such as tricopters (3 rotors), quadcopters (4 rotors), hexacopters (6 rotors), or octocopters (8 rotors). In contrast, fixed-wing drones are designed to function as airplanes with a single rigid wing, eliminating the need to maintain a constant airborne position and making them energy-efficient. Aside from the rotors, the flight controller is another crucial component of a drone craft. It collects sensor data, processes it into meaningful information, and depending on the control mode, either transmits the data to the Ground Control System (GCS) or directly updates the state of the actuator control units. The flight controller provides the GCS communication interface as depicted in Figure 2.

Datalink
The datalink is the wireless connection between UAV and GCS that carries control and data signals. The UAV's operating range determines the communication link chosen. UAV operations are divided into Line-Of-Sight (LOS) missions, in which control signals are sent and received via direct radio waves, and Beyond Line-Of-Sight (BLOS) missions, in which the drone is controlled via satellite systems or a relaying aircraft, which could be a drone itself, based on their distance from the GCS.

Ground Control Station
GCS is the base structure that allows human operators to manage and monitor drones throughout their missions. A GCS provides a wireless link to connect with the drone, allowing it to send commands and collect real-time data. GCSs vary in size depending on the drone's type and mission. It can be a self-contained facility with several workstations for tactical and strategic applications.

Drone Communications
Unmanned aerial systems are used for various defense and civilian purposes, including pollutant research, glaciology studies, wildfire management, disaster management, hurricane tracking, flood impact investigations, and illegal narcotic identification. A drone system or UAS must be able to communicate with other entities in its network. WiFi is a common mode of communication between UAVs and base stations. WiFi has a relatively low transmission range, often a few hundred meters. The range of radio communication is thousands of meters. As shown in Figure 2, a general drone network is made up of drones, ground control stations (GCS), navigation satellite systems, and air traffic control systems such as Automated Dependent Surveillance-Broadcast (ADS-B) systems. The following communication links are used to communicate between network entities:
(i) 3 GHz: This system can have a range of more than 40 miles and better penetration abilities, depending on the amount of power employed. Because of its low data rates, it provides poor video quality.
(ii) The range of a 2.4 GHz system can be up to 15 miles. As 2.4 GHz is also utilized for control, using it for video will cause interference.
(iii) The most widely used frequency for video transmission is 5.8 GHz because of its short wavelength and high data rate transfer capacity. Compared to the other options, it produces a clear video. However, it can only penetrate a restricted distance of 5 miles due to its small wavelength.

Threat Models and Attack Scenarios
The attacks on emerging drone technology bring risks to the safety and security of data, infrastructure, and the public. The attacker can exploit the zero-day vulnerabilities and security gaps to enter drone communication networks [28,29]. Drone forensics can play a significant role in identifying the attacker's objective. Drone forensics is a systematic investigation procedure that collects, preserves, and analyzes the drone's digital, software, and hardware-related evidence. Drone forensics can help to build a new technology/policy to reduce the impact of similar attacks in the future and help to increase the security level. This section discusses various drone security attacks to give systematic paths for the drone investigation process. Unreliable communication mediums and frequency-based vulnerabilities increase the attack risks [30]. The latest technology drones, which have their own camera and associated GPS signal, are also vulnerable to attacks. The taxonomy classification of drone attacks with impacts and their execution tools and mechanisms is shown in Table 2.

RF Jamming
RF connects a drone to the ground transmitter or remote control. The radio frequencies used lie between 2.4 GHz and 5.8 GHz, and 2.4 GHz and 5.8 GHz are the most common frequencies used to control a drone remotely. The attacker tries to identify the operating channel frequency and tune to that frequency. On the same frequency as the target device, RF jammers broadcast signals that are strong compared to the target device's signals. The combination of broadcasted signals overwhelms the receiver, preventing it from decoding any target signals. Figure 3 shows a generalized RF jamming attack scenario. These attacks violate drone availability. The usage of frequency hopping and multiple narrow bandwidth signals with short bursts of transmission makes jamming difficult.

Cloning
In a hostile physical environment, exposure of drones allows an adversary to capture, clone, or tamper with these devices. An Iranian popular drone manufacturer's recent advanced long-range drones are accused of being designed by reverse engineering from a US drone captured in 2011 [99]. In a cloning attack, the attacker physically captures and possibly reprograms a drone and creates clone(s) by copying the captured one. The cloned drone can then be used to mount further attacks. The genuine user thinks he has all the authority over the drone, but in reality, he flies the clone of the drone, and the attacker drives the original drone. The attacker can use identifiers, secret keys, hardwired keys, and stored data of cloned drones to eavesdrop on existing communication. Tamper-resistant hardware and drone behavioral monitoring can be used to counter such attacks. Remote attestation can be significant in detecting the trustworthiness of deployed drones.

GPS Spoofing
Civil GPS is an extensively used protocol. GPS is used to find the location of the drone or UAV. GPS is a broadcast system only, and it tracks the drone with the help of satellites and measures the time of flight of the data signals. GPS works on the trilateration principle, in which the drone receives the signal from satellites in the form of place and time (sent and received). In a GPS spoofing attack, the GPS receiver is made to believe that the drone is at a location different from its actual physical location. Recent drones have inbuilt GPS sensors for location guidance and tracking for various missions with other features such as location hold, altitude hold, return to home function, etc. The GPS being unencrypted makes drones prone to a GPS spoofing attack. The adversary sends false or modified GPS signals to the drone. A commonly employed method known as a replay attack involves capturing and replaying the signal received from a satellite, introducing an additional delay. This technique needs real-time visibility of the satellites and a transmitter with sufficient power to overpower the direct signals received from the satellite. By manipulating the observed time-of-flight of the signal, a receiver can be deceived into believing it is located at a greater distance from the satellite than it is. Table 3 illustrates GPS frequency bands and their usage in different fields [25].
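A receiver-side plausibility check for the spoofing described above, given as an added example that is not part of the original paper: each GPS fix is compared with a position dead-reckoned from the onboard inertial velocity and with the speed the airframe can reach. The Fix fields, the thresholds, and the sample flight are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0


@dataclass
class Fix:
    t: float    # seconds since take-off
    lat: float  # GPS latitude, degrees
    lon: float  # GPS longitude, degrees
    vn: float   # inertial velocity estimate, north, m/s (assumed available)
    ve: float   # inertial velocity estimate, east, m/s


def offset(lat, lon, north_m, east_m):
    """Shift a point by a small north/east displacement (local flat-earth approximation)."""
    dlat = math.degrees(north_m / EARTH_RADIUS_M)
    dlon = math.degrees(east_m / (EARTH_RADIUS_M * math.cos(math.radians(lat))))
    return lat + dlat, lon + dlon


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_fixes(fixes, max_speed_mps=25.0, dr_tolerance_m=15.0):
    """Return [(index, [reasons])] for GPS fixes that fail the plausibility checks.

    The dead-reckoned estimate is re-anchored only on accepted fixes, so a run of
    rejected fixes keeps being compared against the last trusted position.
    """
    alerts = []
    accepted = fixes[0]                      # last fix that passed every check
    est_lat, est_lon = accepted.lat, accepted.lon
    prev_t = accepted.t
    for i in range(1, len(fixes)):
        cur = fixes[i]
        if cur.t <= prev_t:                  # timestamps must move forward
            alerts.append((i, ["non-increasing timestamp"]))
            continue
        dt, prev_t = cur.t - prev_t, cur.t
        # Propagate the estimate with inertial velocity, independent of GPS.
        est_lat, est_lon = offset(est_lat, est_lon, cur.vn * dt, cur.ve * dt)
        reasons = []
        if haversine_m(est_lat, est_lon, cur.lat, cur.lon) > dr_tolerance_m:
            reasons.append("dead-reckoning mismatch")
        jump = haversine_m(accepted.lat, accepted.lon, cur.lat, cur.lon)
        if jump / (cur.t - accepted.t) > max_speed_mps:
            reasons.append("implausible speed")
        if reasons:
            alerts.append((i, reasons))
        else:
            accepted = cur
            est_lat, est_lon = cur.lat, cur.lon  # re-anchor to limit inertial drift
    return alerts


def sample_flight():
    """Constructed log: 10 m/s due north at 1 Hz; fixes 4 and 5 are displaced 500 m east."""
    fixes, lat, lon = [], 47.0, 8.0
    for t in range(7):
        if t:
            lat, lon = offset(lat, lon, 10.0, 0.0)
        glat, glon = offset(lat, lon, 0.0, 500.0) if t in (4, 5) else (lat, lon)
        fixes.append(Fix(float(t), glat, glon, 10.0, 0.0))
    return fixes


if __name__ == "__main__":
    for index, reasons in check_fixes(sample_flight()):
        print(f"fix {index}: {', '.join(reasons)}")
```

The thresholds have to be tuned to the airframe's top speed and to the drift of its inertial sensors.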
Another GPS-based attack is GPS jamming. Disconnecting the receiver from the authentic satellite can be an easy way. However, under the Wireless Telegraphy Act, it is an offense to "knowingly use" such a device to block GPS signals. Recently, a GPS jamming attack caused 46 drones to plummet during a display over Victoria Harbour [100]. These attacks can be detected by verifying the claimed position of satellites with various techniques, such as remote attestation and periodic or random location checking.
Attackers have demonstrated the use of software to hack the video feeds of Predator (and likely Reaper) drones. Software such as SkyGrabber Version 3.2 is popular for offline satellite internet downloads. It intercepts satellite data, including movies, music, pictures, etc., that are downloaded by other users and saves the information on the hard disk. It exploits the unencrypted and unauthenticated communication link used for data feeds sent to the ground station using communication satellites. In this attack, the adversary needs to customize the satellite dish for selecting a satellite provider and start grabbing the data packets. SkyGrabber intercepts data, sorts them into files, and saves the files locally. It is a downloadable computer program that has been used to capture drone images and video recordings. SkyGrabber software can take satellite internet data and assemble it in files such as .avi, .mp3, .mp4, etc., and save these files on the hard disk [101]. If the connection between the drone and ground station is unencrypted, attackers use this software to access the videos and other files that are shared between the drone and ground station, and it can also be used for monitoring.
Figure 4 illustrates image and video capture by SkyGrabber software in the BLOS scenario. These attacks violate drone confidentiality and integrity because the SkyGrabber software attack breaks the secretiveness and violates the access information. These attacks have some prevention techniques. The first is to use a suitable cryptographic approach, so that the message sent between the drone and remote control is encrypted and not easily broken by the attacker. Another possible method is to have authentication to allow only authorized access to broadcasted information [101].

RTL-SDR Attack
Aviation sectors such as UAVs are vulnerable to SDR attacks. The newest threat to aviation, RTL-SDR software, is installed on a system, and it has hardware used to connect to the tuned frequency and can listen to message exchanges between the devices. The common RTL-SDR frequency is 25 MHz-1750 MHz. It is used to receive and decode radio signals cheaply using a personal computer device. RTL-SDR explores the vulnerability of aviation. With RTL-SDR, one can easily listen to all the information shared between the ground station (monitor or remote) and UAVs [102]. RTL-SDR is a software-hardware device installed in a PC, and the hardware is connected to the PC via USB or cable. The attacker tunes to the frequency at which the drone flies with the help of RTL-SDR. Tuning is comparatively easy in RTL-SDR because the range of frequencies at which the drone and other aviation devices work is known. After tuning, the attacker eavesdrops on the information shared between the drone and GCS [103]. Hack-RF is a similar device used to work with radio frequency. The basic Hack-RF 1 has a receiver and transmitter. The attacker can tune to an RF frequency by using it and can even transmit messages [104]. A Hack-RF device can receive and transmit between 1 Hz and 6 GHz, which is better in terms of range than RTL-SDR.
As the connection in Figure 5 shows, the PC, RTL-SDR dongle, and antenna are the leading equipment used in the link. First, the RTL-SDR dongle is connected to the PC; the SDR antenna is further connected to the SDR dongle. The SDR sharp software running on the system is simulated with the SDR dongle. These attacks violate the drone's confidentiality and integrity. When the communication between the drone and drone device control is encrypted, the attack is not easy to execute. A possible method to restrict this attack is to employ frequency hopping, message confidentiality, and user authentication.

Deauth Attack
Rather than disrupting a system by decrypting and intercepting network traffic, a Denial-of-Service (DoS) attack occurs when an attacker intentionally floods a system with excessive messages. The prevalence of DoS attacks can be attributed to their accessibility, as they do not require an in-depth understanding of network security or cryptography. A DoS attack can be executed without cracking passwords or gaining access to the targeted system. In the case of a Deauth attack, which is a type of DoS attack, a WLAN user becomes the target. The attacker sends deauthentication packets to a wireless access point (AP) with the intention of deceiving the AP into believing that the packets originated from a legitimate client or vice versa. Drone manufacturers develop mobile applications to control and configure drones, with these applications utilizing WiFi signals for drone operation. In a Deauth attack on a drone, WiFi is exploited to disconnect the drone, enabling further attacks in a chain. Tools such as the Aircrack-ng suite, ESP8266 Deauther software, and WiFi jammer hardware can be employed for such attacks. However, the effectiveness of this attack is limited when the packet transmission power is low or the access point lacks a public deauthentication code. Implementing WiFi encryption and following best password practices are significant preventive measures against such attacks.

ESC-PWM Signal Attack
A drone's flight controller (FC) is comprised of sensors and an embedded processor. It is connected to the power distribution board, the radio unit, the Electronic Speed Controller (ESC), and the radio receiver. Each ESC unit is linked to an electric motor. Pulse Width Modulation (PWM) is employed to control the ESC units, which in turn control the electric motor that propels the drone. Many ESCs include built-in overheating and under-voltage protections that turn them off during extreme conditions. ESC behavior must be reliable under all circumstances. Few drones have firmware that is stored in volatile memory and requires uploading every time they are powered on. The performance of the flight controller can be impacted by changing this firmware. Once the firmware is uploaded, it is difficult to identify such changes [96]. As ESC firmware can be upgraded over a PWM servo cable, modifying the firmware to alter the functionality of the ESC once it receives a predefined PWM control signal could have disastrous consequences.

Sensor-Based Attack
UAVs are equipped with sensors for various applications to monitor specific tasks or functions in the air. In sensor-based attacks, the attacker manipulates or exploits the sensor data inputs and manages to manipulate or change such parameters to misguide the sensors; the most common example is inaccurate GPS data from sensors. Drones should use secure communication between the sensors and a proper authentication mechanism that can prevent access to any information from sensors. The misbehavior detection and intrusion detection mechanism can help to identify malicious data reading or compromised sensors [105]. Radar, infrared, and electro-optical sensors, among others, are all susceptible to manipulation. In electronic warfare, directed energy is employed to manipulate signals within the electromagnetic spectrum. This manipulation extends beyond radio and radar frequencies to encompass signals within the infrared, visible, and ultraviolet ranges [106].

Denial of Service Attack
Small drones are susceptible to denial-of-service attacks because the attacker can access the flight controller's settings, which allows them to interfere with the UAV system. This means that someone with such access can modify flight control commands, including the shutdown command, which could be mistakenly triggered while the drone is in operation. Moreover, certain drones in this category have limited computational capabilities due to their small size. Consequently, bombarding these drones with random commands via the data link can result in unexpected behavior and potentially cause the drone to halt unexpectedly [16].

Man in the Middle (MITM) Attack
Using Man in the Middle attacks, adversaries with access to privileged networks may try to change network traffic in real time. This kind of attack enables the attacker to snoop on network traffic going to and/or coming from a specific device. The adversary has the ability to block, log, change, or inject traffic into the communication stream if a MITM attack is established. MITM attacks can be performed on a few drones (for example, XBee). Researchers have demonstrated how internal parameters (such as destination high and destination low) of the XBee chips can be remotely changed by the attacker. An attacker can eavesdrop on packets, block the operator, or even reroute packets.

Security and Privacy of UAVs
In this section, we go through the safety, security, and privacy concerns related to the use of drones. We specifically look at these systems' weaknesses to potential attacks that could lead to a malicious attack or drone crash, and we assess the security needs of such systems. The following specific privacy and security conditions must be satisfied for a secure safe flight operation:

• Authorization: Only authorized operators should be given access to the UAV system's resources, including the ground control station and the aircraft. During communication, an ongoing authentication process between the operator and the UAV is necessary.
• Availability: All components of the UAS should be assured to fulfill their respective activities under defined geographical and temporal conditions, ensuring that the system's availability is maintained throughout the operational period. It is also critical to manage the repair and update activities in a way that does not compromise the UAV system's availability when it is in use.
• Integrity: The UAS should be designed to verify that the telemetric data, GPS, and serial communications are authentic and have not been tampered with intentionally or inadvertently.
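One way a ground station can enforce the integrity requirement above on telemetry, shown as an added example that is not from the original paper: each frame carries a sequence number and an HMAC-SHA256 tag, and the receiver rejects frames that were altered or replayed. The frame layout, field names, and demo key are assumptions; key provisioning and confidentiality are outside its scope.

```python
import hashlib
import hmac
import struct

# Assumed frame layout: sequence number, latitude, longitude, altitude (m), battery (%).
FRAME = struct.Struct("!Idddf")
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def seal(key, seq, lat, lon, alt_m, battery_pct):
    """Drone side: serialise one telemetry sample and append its HMAC tag."""
    body = FRAME.pack(seq, lat, lon, alt_m, battery_pct)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class TelemetryVerifier:
    """Ground-station side: authenticate frames and enforce increasing sequence numbers."""

    def __init__(self, key):
        self._key = key
        self._last_seq = -1

    def accept(self, frame):
        """Return (status, fields); status is 'ok', 'malformed', 'forged' or 'replay'."""
        if len(frame) != FRAME.size + TAG_LEN:
            return "malformed", None
        body, tag = frame[:FRAME.size], frame[FRAME.size:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Constant-time comparison; the tag is checked before any field is trusted,
        # so a forged frame can never advance the sequence counter.
        if not hmac.compare_digest(tag, expected):
            return "forged", None
        fields = FRAME.unpack(body)
        if fields[0] <= self._last_seq:
            return "replay", None
        self._last_seq = fields[0]
        return "ok", fields


def demo():
    """Run constructed frames through the verifier and return the status of each."""
    key = b"constructed-demo-key-not-for-use"   # placeholder key for the example only
    verifier = TelemetryVerifier(key)
    f1 = seal(key, 1, 47.00000, 8.00000, 120.0, 87.5)
    f2 = seal(key, 2, 47.00009, 8.00000, 121.0, 87.0)
    f3 = seal(key, 3, 47.00018, 8.00000, 122.0, 86.5)

    tampered = bytearray(f3)
    tampered[5] ^= 0x01                          # one flipped bit in the latitude field

    return [
        verifier.accept(f1)[0],                  # genuine
        verifier.accept(f2)[0],                  # genuine
        verifier.accept(bytes(tampered))[0],     # modified in transit
        verifier.accept(f1)[0],                  # captured earlier and re-sent
        verifier.accept(f3)[0],                  # genuine, still accepted afterwards
        verifier.accept(f3[:-1])[0],             # truncated
    ]


if __name__ == "__main__":
    print(demo())
```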

Network Security
Multiple drones or swarm drones are used to complete the mission by creating a network and communicating with one another in terms of improving efficiency and productivity. However, there are various security vulnerabilities for both networking and control centers. Table 5 lays out the different attacks and security issues with respect to UAV networks. The challenge of multi-UAV communication requires the installation of a communication infrastructure. The table presents a comparative analysis of eavesdropping, DoS attack, forgery, replay, MITM, and protocol-based attacks. It includes solutions and limitations to network attacks.

Table 5 (surviving rows only):
(row incomplete) GCS datalink affected; false +ves and -ves with respect to anatomy-based IDS.
Network [37], Forgery Attacks. Solutions: creating a security architecture with multiple layers [25]. Limitations: in multi-UAVs, the network is more complex.
Transport [128,129], Protocol-based Attacks. Solutions: using blockchain technique [130]; using IDS techniques for security; framework for durability and trustworthiness that will enable the flight operation to be repaired even after attacks [131]. Limitations: the introduction of trade-offs between performance and security.

Communication Security
ADS-B Security
There are two forms of ADS-B: ADS-B In and ADS-B Out. Planes and helicopters are equipped with both types; however, limited UAVs are only equipped with ADS-B. The data transmitted by ADS-B is not secured because it broadcasts information to all adjacent planes. As a result, anyone can listen to the broadcast and even broadcast the data using low-cost technology [132]. Whenever one or more UAVs inside a region receive this broadcast, the initial flight will be disrupted, similar to GPS spoofing. As a result, there is a chance of a crash. Encryption and user identification have been offered as solutions to implement ADS-B security [133][134][135].

Privacy Issues of UAVs
This segment covers unauthorized user parties receiving sensitive data monitored by UAVs, such as surveillance videos, pictures, and data collected. Additional types of sensitive information related to operating UAVs, including real-time GPS coordinates, speed, altitude, and battery status, should be treated as confidential and accessible solely to the operator. Ensuring the data privacy of flying UAVs is imperative for safeguarding the security of flight operations [136]. Insecure communications can be vulnerable to traffic analysis attacks, where adversaries can eavesdrop on the communication traffic to obtain sensitive details regarding the UAV's flight operations. The UAV's secrecy and privacy are affected by this form of passive attack.
The attacker can launch a traffic monitoring attack on insecure connections by listening to the traffic and obtaining crucial flying operation details. The UAV's secrecy and privacy are affected by this form of passive attack. Digital data can be recovered using forensics techniques for data collection and analysis, even in protected conversations. Another sort of privacy attack that targets UAVs happens whenever an attacker gains unauthorized access to the UAS's vital components, such as sensors and storage (e.g., hijacking). The opponent in this scenario leaks flight data to the public, compromising flight operations.

Drone Forensics
The advancement of drone technology has expanded possibilities. Drones utilized for surveillance or payload delivery utilize a range of sensors and communication mechanisms to receive instructions from ground stations. The operational framework of a drone relies on an integrated system known as the Unmanned Aerial System (UAS), which encompasses various components such as computers, mobile devices, directional antennas, and towers, among others [4,137]. As a result, conducting a comprehensive investigation of the entire UAS is an integral part of drone digital forensics.

Drone Forensic Framework
Digital forensics plays a crucial role in the successful prosecution of cybercriminals, encompassing a wide range of digital devices such as computer systems, network devices, mobile devices, and storage devices. An effective digital forensic investigation depends on following a number of critical steps. In this section, we propose a drone forensic framework, which outlines a step-by-step process for an investigator to collect evidence.
Figure 6 illustrates the proposed framework for drone forensics. As shown in the figure, the framework consists broadly of four phases: collection, examination, analysis, and reporting. The framework is designed taking into consideration existing work in the literature.

Collection
Collection is the initial stage of the forensic procedure. The devices or components that are processed in the subsequent steps are identified and marked. Both pictures and notes of the scene are recorded. What device (or evidence) is present, where it is situated, how it is kept (in which format), and finally, safely isolating them are the primary determinants of the collection phase. Preventing tampering with digital evidence also involves prohibiting access to the collected devices. Seized devices such as memory cards and hard drives are isolated and forensically imaged to preserve the original media and prevent alteration of its data.
In terms of drone forensics, the relevant devices are the linked mobile device, memory card, drone chip, and Ground Station Controller (GSC). The accessible devices found and confiscated at the crime scene are identified and collected. Data stored in the device of interest is collected using different extraction methods. To be used for subsequent analysis, the data must be collected without altering or otherwise affecting the source. A poor approach may make the evidence inadmissible in court. Thus, techniques for gathering evidence from a device should be reliable and forensically sound. The acquisition can be physical or logical. First, the logical extraction is performed by connecting the device to a forensic operating system. This provides quick access to the accessible data on the device's file system. Write blockers are employed wherever possible to maintain evidence integrity. After logical extraction, physical extraction is performed if required by employing JTAG, ISP, and Chip Off extractions.
Joint Test Action Group (JTAG), a manufacturing industry standard for testing printed circuit boards (PCBs), was created to test PCBs that had just come off an assembly line. Connecting to the Test Access Ports (TAPs) on a PCB is a step in the procedure known as JTAG Forensics. The technique known as "chip-off forensics" entails removing a memory chip from a device and preparing it so that a chip reader may gather the raw data to produce a physical data dump. When used in forensics, In-System Programming (ISP) is the procedure of connecting to a flash memory chip with the goal of obtaining a device's complete memory contents. Before performing a chip-off, examiners first use a non-destructive technology such as JTAG or ISP.

Examination
Once the devices have been identified and raw data extracted from them during the collection phase, the subsequent step is the examination phase. In this phase, the primary objective is to identify and extract data from the imaged devices. The raw data imaged or collected in the previous phase is forensically examined to identify logical files and logs. In terms of drone forensics, relevant logs and files are extracted from drones, mobile devices, GSC, and memory cards. Three major categories of data looked for during the examination phase are event logs, flight logs, and media files.
An event log is a chronologically ordered list of recorded events. Event logs are also a core component of the OS. A recorded event is any significant action recognized by the OS, and it may originate from the OS, the network, hardware, or a database query. A general event log contains crucial information such as the date and time of the occurrence, the action of the event, severity, the process involved, and other relevant information such as hardware or logical addresses. They can be located in collected drone chips and the Ground Station Controller (GSC). Entries in event logs are generally due to warnings and errors by the camera, radio, battery, GCS failsafe, GPS, ADSB failsafe, and sensors [138].
During drone investigations, flight logs play a vital role as they contain extensive data in various formats. These logs primarily encompass crucial information such as the drone's location, speed, flight duration, gimbal angle, and camera shooting timing. Flight logs are typically found in the Ground Station Controller (GSC). Additionally, the examination of recorded media, such as photos and videos stored on the drone's memory card, holds significant importance in the investigative process. Popular drones store media-related files (.JPG, .MP4, and .DNG) in the DCIM or MISC directory. Different media files can be located in GSC, drone chips, mobile devices, and memory cards.
For all relevant data items, the examiner needs to answer: What data were created? How was the data created? Who created the data? Who edited the data? When was the data created?

Analysis
The analysis phase involves correlating the examined data to extract information. Logs are analyzed to identify important events and metadata information. Event logs are useful in extracting controller commands and system events. They help in identifying the commands which were issued by the user during the flight to GSC. Flight logs are useful in extracting GPS coordinates and sensor metadata. Any hardware failures during flight can also be detected using them. Media files examined during the previous phase contain recorded videos and images. During the investigation, it is important to analyze the recorded media, such as photos and videos, stored on the drone's memory card. These media files contain valuable Exchangeable Image File Format (EXIF) metadata, which includes GPS readings. To extract this EXIF data from the media files, Exiftool can be utilized as a reliable tool [139]. This becomes particularly useful when flight logs are unavailable, such as when the images were transferred to a separate storage device or if the drone suffered damage. In addition to providing the aforementioned information, examiners also assess how the obtained data is relevant to the case at hand. If required, the examiner reconstructs fragments of data and draws conclusions based on the evidence found. However, it might take numerous iterations of examination and correlation with other information.
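To show what the GPS readings in EXIF metadata look like at the byte level, the following added example (not Exiftool's code and not part of the original paper) walks the TIFF-structured EXIF payload, follows the GPSInfo pointer (tag 0x8825) into the GPS IFD, and converts the degrees/minutes/seconds rationals to decimal degrees. The function names and the `build_sample` input are constructed for the illustration; on real media files the payload is the data following the `Exif\0\0` marker in the JPEG APP1 segment.

```python
import struct

GPS_IFD_POINTER = 0x8825                   # IFD0 tag holding the GPS IFD offset
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4    # tags inside the GPS IFD
RATIONAL = 5                               # TIFF type: two uint32 (num, den)


def _read_ifd(tiff, offset, bo):
    """Return {tag: (type, count, raw 4-byte value field)} for one IFD."""
    (n,) = struct.unpack_from(bo + "H", tiff, offset)
    entries = {}
    for i in range(n):
        tag, typ, count, raw = struct.unpack_from(bo + "HHI4s", tiff, offset + 2 + 12 * i)
        entries[tag] = (typ, count, raw)
    return entries


def _degrees(tiff, entry, bo):
    """Convert a degrees/minutes/seconds RATIONAL triple to decimal degrees."""
    typ, count, raw = entry
    if typ != RATIONAL or count != 3:
        raise ValueError("GPS coordinate is not three RATIONALs")
    (offset,) = struct.unpack(bo + "I", raw)
    v = struct.unpack_from(bo + "6I", tiff, offset)
    if 0 in v[1::2]:
        raise ValueError("zero denominator in GPS coordinate")
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600


def exif_gps(tiff):
    """Return (lat, lon) in decimal degrees, or None if no GPS fix is recorded."""
    try:
        bo = {b"II": "<", b"MM": ">"}.get(bytes(tiff[:2]))
        if bo is None or struct.unpack_from(bo + "H", tiff, 2)[0] != 42:
            raise ValueError("not a TIFF-structured EXIF payload")
        (ifd0_offset,) = struct.unpack_from(bo + "I", tiff, 4)
        ifd0 = _read_ifd(tiff, ifd0_offset, bo)
        if GPS_IFD_POINTER not in ifd0:
            return None
        (gps_offset,) = struct.unpack(bo + "I", ifd0[GPS_IFD_POINTER][2])
        gps = _read_ifd(tiff, gps_offset, bo)
        if not all(tag in gps for tag in (LAT_REF, LAT, LON_REF, LON)):
            return None
        lat = _degrees(tiff, gps[LAT], bo)
        lon = _degrees(tiff, gps[LON], bo)
    except struct.error as exc:            # truncated or corrupt media file
        raise ValueError("truncated EXIF data") from exc
    if gps[LAT_REF][2][:1] == b"S":        # southern latitudes are negative
        lat = -lat
    if gps[LON_REF][2][:1] == b"W":        # western longitudes are negative
        lon = -lon
    return round(lat, 6), round(lon, 6)


def build_sample(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed little-endian EXIF payload with one GPS IFD (test input only)."""
    def triple(dms):
        return b"".join(struct.pack("<II", num, den) for num, den in dms)
    gps_offset = 8 + 2 + 12 + 4            # TIFF header + one-entry IFD0
    data_offset = gps_offset + 2 + 4 * 12 + 4
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD_POINTER, 4, 1, gps_offset, 0)
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI4s", LAT_REF, 2, 2, lat_ref)
    gps += struct.pack("<HHII", LAT, RATIONAL, 3, data_offset)
    gps += struct.pack("<HHI4s", LON_REF, 2, 2, lon_ref)
    gps += struct.pack("<HHII", LON, RATIONAL, 3, data_offset + 24)
    gps += struct.pack("<I", 0)
    return b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + triple(lat_dms) + triple(lon_dms)
```

Media files with the GPS tags stripped return `None`, which is itself worth recording in the analysis notes.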

Reporting
During the reporting phase, the information gathered is consolidated and transformed into evidence, which is then presented in the form of a report. These reports play a crucial role in effectively communicating the information to all relevant parties. The report encompasses comprehensive details regarding the analyzed evidence, interpretation, and attribution. It includes a comprehensive account of the investigative processes employed, such as evidence collection methods, imaging procedures, the devices involved, the operating system, and the software utilized. It also involves the process of summarization and explanation of conclusions. Two issues are of critical importance while preparing the report: i. evidence validation, i.e., demonstrating that evidence integrity is maintained during the investigation process; ii. showing that the operations conducted are clear, transparent, and repeatable, putting aside exceptional situations.
With reference to drone forensics, the documentation must include log visualization and route chart visualization. Route charts are a visualization of GPS and flight data annotated on 3D or 2D maps. Tools such as "GeoPlayer", "GPS Visualizer", and "WebFlightPath" are helpful in generating route charts [140]. Table 6 presents a list of analyses of existing drone forensic tools, which can come in handy to the investigator. Event and flight logs often contain sensor and hardware information such as flight time, barometric altitude, and battery voltage. Log visualization tools are used to visualize them against flight duration.
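The imaging step of the collection phase and the evidence-validation requirement of the reporting phase both rest on being able to show that an image is bit-for-bit what was read from the seized media. The following is an added example of one way to do that, not a tool from the paper: the hash-chained `CustodyLog` is a design choice made for this illustration, and all names are hypothetical.

```python
import hashlib
import json
import time

CHUNK = 1 << 20  # read 1 MiB at a time so large card images do not fill memory


def sha256_file(path):
    """Hash a file in chunks and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image):
    """Copy source to image, hashing the bytes as read; verify the written image."""
    h = hashlib.sha256()
    size = 0
    # The source is opened read-only; mode "x" refuses to overwrite an existing image.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
            size += len(block)
    acquired = h.hexdigest()
    if sha256_file(image) != acquired:
        raise IOError("image does not match the data read from the source")
    return {"image": image, "size": size, "sha256": acquired}


class CustodyLog:
    """Append-only log of investigative steps; each entry commits to the previous one."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, action, detail):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                 "action": action, "detail": dict(detail), "prev": prev}
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if no entry was edited, removed, or reordered."""
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev"] != prev or entry["entry_hash"] != self._digest(entry):
                return False
            prev = entry["entry_hash"]
        return True


def still_intact(record):
    """Re-hash the image later (e.g. before reporting) against the acquisition hash."""
    return sha256_file(record["image"]) == record["sha256"]
```

In practice the source would be a device node behind a write blocker, and the final log hash would be recorded in the report so that a reader can repeat the verification.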

Drone Forensics Artifacts
Digital artifacts are digital entities with forensic value. The investigator, while performing drone forensics, collects data, information, or evidence of something that has occurred, such as logs, metadata, route charts, and many more. These artifacts help the investigator create a timeline of events and executions on a drone by a user.
The Ground Station Controller, Flight Control Board (FCB), and TCU (Transceiver Control Unit) constitute a potentially trustworthy form of evidence in terms of possible digital forensic artifacts. The ground station controlling unit can also be used to extract log and memory information. Data saved inside the memory, contents of various log files, and electromagnetic wave data are all examples of digital forensic artifacts from drone equipment. Memory artifacts could come from the FCB. These elements include data from the aircraft's internal monitoring unit, flight record information, flight control information, and data from installed transmitters and sensors. Digital artifacts via respective transceivers and installed sensors, on the other hand, would provide additional verifiable data for the investigation [11,13,141]. In this section, we present a comprehensive analysis of forensic artifacts that an investigator looks for while performing drone forensics. The artifacts retrieved during drone forensics are primarily categorized into EXIF data, files, log data, personal identifiable information, and sensor data. A few artifacts can fall into multiple categories, and in some cases, an artifact can lead to generating other ones (e.g., media files store timestamps and geo-location information). Table 6 provides a list of drone artifacts and their classification. The source of the artifact can be EXIF data, system files, ground controller, memory card, or physical observation [8,43].

Drone Forensics Tools
Tools are an important factor while performing digital investigation on the device and artifacts on the scene. Investigators are required to adhere to procedures for forensics and artifact retrieval. Examples include locating Personal Identifiable Information (PII), recovering media files, analyzing GPS information, and visualizing drone route charts. As mentioned previously, forensic tools are a must in forensic examiners' toolkits. They are required at different stages of forensic investigation for drone chip-off extraction, mobile device forensics, memory card imaging, metadata extraction, logs, and flight data visualization.
In this section, we have performed a comprehensive analysis of tools popularly used during the forensic investigation of drones. They are classified based on their usage into categories: decoding, network, imaging, visualization, and miscellaneous purposes. Table 7 illustrates the compiled list. Decoding tools include the ones used to parse coded formats such as .csv, .dat, and log files. Network tools include the ones used for network traffic scanning, capture, and analysis. Imaging and analysis tools include the ones used for logical imaging, searching, acquiring, data viewing, analysis, and extraction. Visualization tools include the ones used for visualizing the analyzed data, such as flight path and telemetry data.

Drone Forensic Datasets
The information age has been ushered in by modern technology, which has made it simpler to create and store enormous amounts of data. Data generated and stored by a drone is vital during forensics. A dataset refers to a group of interconnected and distinct elements that possess varying interpretations depending on the situation, and it is employed for conducting experiments or analyses. The purpose of datasets is to assess or examine a particular process, such as evaluating a practitioner's performance in a training setting, assessing the capabilities of a tool or technique, or testing a hypothesis related to the functionality of the software or an application. A dataset may be used to analyze the situation and, more crucially, to aid in decision-making. A forensic dataset assists in the development and testing of forensic tools as well as investigator training prior to working on real-life scenarios. As a result, datasets and the applications that may be made with them are significant. In this section, we list various drone forensic datasets containing drone images acquired in different scenarios. The contents of these datasets range from logical and physical to chip-off images. Moreover, some focus on RF signals acquired from different drone flights. Table 8 gives a comprehensive list of drone datasets available in the literature.

Dataset | Remarks
UAV attack dataset [155] | The collection includes recordings from a normal flight and one in which the UAV is subjected to GPS spoofing and jamming.
DroneFace [156] | Face pictures acquired from a variety of angles and altitudes in an unrestricted atmosphere can be useful for future research into incorporating face detection and recognition methods into UAVs.
Drone Tracking [157] | Clips of a flying UAV being recorded using many commercial cameras and highly precise 3D UAV trajectory classification algorithm recorded by Fixposition's exact real-time RTK system. Ground truth time synchronization and ground truth camera positions are also included in several clips.
Amateur UAV Detection [158] | Non-drone, UAV-like "negative" entities are included in the dataset. Yolov2-tiny and Yolov3-voc versions were utilized with this dataset. Working with Yolo design and the darknet platform is usually recommended.
Phantom III drone imagery [159] | The imagery in this collection was captured using a Phantom III drone. A DJI FC300S visible light camera as well as a Senterra 1.2MP GS-0002 6.05 mm near-infrared camera placed on the UAV produced two sets of images. It gives you an image log with the GPS location of the collection points.

Discussion and Directions for Future Works
Digital forensic professionals face challenges when conducting forensic investigations on Unmanned Aerial Vehicles (UAVs) due to the diverse range of digital components present in a typical UAV. This makes it challenging for forensic investigators to concentrate on a specific forensic tool that can retrieve all the necessary data for the investigation process.
In certain instances, acquiring an image file of the data from a UAV's airborne camera without compromising its integrity is difficult. In terms of forensic photography, numerous UAVs feature USB connectors that do not facilitate direct access to the internal disk.
Accessing flight data via onboard flight microcontrollers frequently demands special user authorization through the wireless controller, which is unlikely to be available to security agencies and forensic investigators. In addition, most flight data retrieved from the flight microcontroller is encrypted. As a result, the lack of a microcontroller complicates the forensic investigation process.
Software, hardware, and firmware for onboard UAVs have not yet been standardized, and they differ from one manufacturer to the other. There are currently no standard protocols for flight controllers; thus, there is no common format for flight data. Users can also boost the efficiency of a UAV by adding extra elements or modifying it with the Software Development Kits provided by many UAV manufacturers.
Accessibility to flight data via the internal flight controller chip frequently necessitates specific owner authorization via the wireless controller, which is unlikely to be available to law enforcement agencies and forensic experts. In addition, most flight data retrieved from the flight microchip is encrypted. As a result, the lack of a remote controller complicates forensic analysis.
UAVs rely significantly on volatile memory, which means that the flight data recorded there would be lost if the battery is dead. Additionally, some sensor information can be designed to be transferred to a secure server inside a cloud infrastructure or to be shared on file-sharing or social websites.
It must be emphasized that, although offering a way to do forensics, the majority of drone forensics research focuses on commercial drones that use proprietary software. As a result, their methodologies, or at least part of them, are difficult to standardize [160]. Due to developments in drone manufacturing, forensic frameworks and methods require regular updating. For reference, Table 9 lists acronyms used in the paper.

Conclusions
The skies are becoming crowded with flying objects as a result of the continued acceptance of UAVs in a variety of fields, from agriculture to shipping and from monitoring to rescue operations. UAVs' ability to provide unique services while saving time and money suggests that this trend will persist. Additionally, we have already seen their nefarious use in a number of physical and digital acts. Based on the above, it is evident that digital forensics investigations on drones will soon become the standard as a result of the proliferation of drones and the enemies' use of them. To conduct an investigation, insurance companies, law enforcement, security organizations, and private citizens will need to gather evidence from a drone. However, as already mentioned in this study, a drone differs significantly from conventional computer equipment. In actuality, a very complicated environment is created by its physical characteristics, mobility, and dual nature with regard to control.
We covered a thorough analysis of drone systems, subsystems, and networks, focusing on the threats they face and the consequences a cyber attack might have on their operations. A thorough categorization of known drone threats discovered by business and academia is also given. We further addressed security and privacy concerns and gave an overview of the attack surfaces and limitations of the domains. We provide the drone forensic framework's taxonomy and a thorough investigation. We have discussed the forensic approach to carry out the investigation process for drones and the framework for the same. In addition, the process of conducting a UAV forensic investigation is described, together with drone artifacts, forensic analysis tools, and benchmark datasets. The case studies are not included in the literature. Finally, we discussed the work that has been proposed in each area and indicated potential study directions.

Figure 1. Number of publications over the last decade related to keywords: Drone, UAV, Security and Forensics. Note that the graph only accounts for publications having the desired keyword(s) in their title or abstract and belonging to the related field of research.

Figure 2. Drone system, components of drone and its architecture.

Table 2. Taxonomy classification of Drone attacks with impacts and their execution tools and mechanism. Z1: Drones, Z2: Communication Networks, Z3: Base Stations, Z4: Ground Control Stations, Z5: Certification Authorities, Production and Manufacturing Units, and other involved devices.

Table 4 presents state-of-the-art general drone security solutions and mechanisms available in the literature. Furthermore, it analyzes security threats, targeted zones (Drones, Communication Networks, Base Stations, Ground Control Stations and Certification Authority), security considerations, parameters used, and open issues.

Table 5. UAV Network Security issues and proposed solutions.

Table 8. Drone datasets available in the literature.