This article was originally published on www.wired.com by Eric Niiler on November 16, 2018

If you’re a nefarious sort, you might use a commercial drone to smuggle drugs, carry explosives, or to just spy on your neighbors. Drones are appealing to criminals in part because they seem fairly anonymous, flitting through the sky with an invisible digital tether to its owner. But anonymity is no longer a safe bet. In the hands of crime investigators, a drone can reveal a range of personal and financial information about its owner.

Most of these details are stored in memory chips inside the drone’s circuit board. Or sometimes a law enforcement official gets hold of a drone’s controller instead, which can open up access to its owners’ setup account. The exposed data includes credit card numbers, which might be stored in an owner’s account for after-market purchases, or GPS information about the drone’s flights. It can even include an email or physical address.

With drones more regularly getting caught up in criminal activity, the National Institute of Standards and Technology has assembled an archive of digital readouts from 14 commercial drones, with the goal of helping law enforcement officials learn how to best extract this little-used trove of data. The NIST reference manual gives step-by-step instructions on how to physically remove the individual SD memory chips from each drone, and what to look for once an agent plugs the card into a computer.

NIST technicians are partnering with a Colorado-based tech firm, VTO Labs, a digital security consulting firm. The NIST archive is a digital training ground for law enforcement analysts to figure out what they might find on a specific drone model that gets picked up as evidence in a crime investigation, says Barbara Guttman, who leads NIST’s software quality group. “When you get the [SD] card back, there may be some handshake information with a PC, or there may be some ways to get latitude and longitude of where it was first flown,” she says.

NIST’s drone database includes an in-depth blueprint of the physical capabilities of each drone, such as its speed, rotor rotation rate, and altitude, as well as the information it might contain on its owner. The guide even has photographs depicting what kind of tools you need to take the drone apart without damaging the built-in flash memory chips that can’t be as easily removed as a smart card. “If you have an important case, you don’t want to practice on (the drone itself),” Guttman says.