SQLite is a relational database management system and the most popular format among application developers because of its standalone functionality, ease of setup and management, and low resource usage. Most mobile applications have built-in SQLite databases to store user data, as do the main web browsers that we use daily. With the release of Windows 10 we have also seen Microsoft adopt SQLite to store data for applications such as TimeLine, the Photo App and Microsoft OneDrive. With this widespread popularity it has become more important that examiners understand the structure of this database format and how to extract and report on information stored within tables that our forensic tools may not support. This course will give participants an understanding of SQLite and how data is stored, and the skills necessary to create queries to extract, interpret and present information in a meaningful manner. This includes translating dates and times and querying information stored in multiple tables to create more robust reports.

This three-day advanced-level course will equip you with the practical skills and competencies required to identify and extract various sources of data recoverable from Unmanned Aircraft Systems (UAS), also known as Drones, including their associated control devices, in line with approved best practices.

Using leading research and development from Spyder Forensics, this course will introduce you to the world of UAVs and instruct you in how to fly a Drone, followed by best practices in conducting forensically sound extractions and analysis of UAS data for use as evidence or intelligence gathering. Attendees will learn how to collect data from within the aircraft using non-destructive processes, utilizing industry-standard tools to create forensic collections of storage media that include flight logs, aircraft data, photo, and video files without the need to disassemble the aircraft or controller. Students will then learn procedures for the acquisition of application data found on the mobile device.

Once data has been acquired, attendees will master how to analyze the flight logs and user data using software originally designed to work with these types of structures, gaining knowledge on workflows to connect data between the drone application and the flight data recovered from the aircraft.

This course uses non-destructive processes to extract and analyze the data from all hardware in the UAS including the handheld device, mobile application, and drone. All software used in class can be used in the DFIR lab free of charge and without the need to purchase additional applications to conduct a Drone examination.

The course covers in depth the architecture and functionality of the Windows NT File System (NTFS), the FAT and the ExFAT File Systems and related directory entry information for locating files on electronic devices. Attendees will gain insight into partitioning structures and disk layouts and the effects of formatting partitions, and learn about system area data. File management and directory structure characteristics will be examined in detail, as well as techniques for discovering potential evidence that may be pivotal to a successful examination. This will be followed by topical areas of interest, including file headers, file hashing and recovery of deleted files. This course incorporates an investigative scenario, providing hands-on experience with examination of collected evidence.

The Spyder Forensic Advanced Windows® 10 Forensic Analysis course will give participants the unbiased knowledge and skills necessary to analyze artifacts left behind through system and user interaction with the host system, utilizing industry-standard tools and open-source applications to explore the data in greater depth by learning how applications function and store data in the file system. Students will learn to use various applications and utilities to successfully identify, process, understand and document numerous Windows® artifacts that are vitally important to forensic investigations. The participant will also gain knowledge on how to process Edge browser history, cookies, temp files, InPrivate browsing challenges and analysis, BitLocker encryption, Windows® Action Center (Notifications SQLite Database) and other Windows® 10 specific artifacts. The course includes gaining in-depth knowledge of JumpLists, Registry analysis, prefetch files and Timeline and how they relate to forensic investigations, and concludes with an in-depth look into OneDrive and synchronization processes between trusted devices.