This three-day advanced level course will equip you with the practical skills and competencies required to identify and extract various sources of data recoverable from Unmanned Aircraft Systems (UAS), also known as Drones, including their associated control devices in line with approved best practices.

Using leading research and development from Spyder Forensics, this course will introduce you to the world of UAV’s and instruct you how to fly a Drone followed by best practices in conducting forensically sound extractions and analysis of UAS data for use as evidence or intelligence gathering. Attendees will learn how to collect data from within the aircraft using non-destructive processes utilizing industry-standard tools to create forensic collections of storage media that include flight logs, aircraft data, photo, and video files without the need to disassemble the aircraft or controller. Students will then learn procedures in the acquisition of application data found on the mobile device.

Once data has been acquired, attendees will master how to analyze the flight logs and user data using software originally designed to work with these types of structures, gaining knowledge on workflows to connect data between the drone application and the flight data recovered from the aircraft.

This course uses non-destructive processes to extract and analyze the data from all hardware in the UAS including the handheld device, mobile application, and drone. All software used in class can be used in the DFIR lab free of charge and without the need to purchase additional applications to conduct a Drone examination.

The course covers in depth architecture and functionality of the Windows NT File System (NTFS), the FAT and the ExFAT File Systems and related directory entry information for locating files on electronic devices. Attendees will gain insight into partitioning structures and disk layouts and the effects of formatting partitions and learn of system area data. File management and directory structures characteristics will be examined in detail as well as techniques for discovering potential evidence that maybe pivotal to a successful examination. This will be followed by topical areas of interest to include file headers and file hashing and recovery of deleted files. This course incorporates an investigative scenario, providing hands-on experience with examination of collected evidence.