UAV (Drone) Forensics
4 Days – 32Hrs
Cost: $2,595
Participants will receive
4-Days of Instruction
Course Manual
Practical Files
Attendance Certificate
Rob Attoe
Lead Developer
Rob is the CEO and Founder of Spyder Forensics. He has over two decades of experience developing and presenting training on Digital Forensics, Cyber Security, Mobile Forensics, and eDiscovery education programs for the global digital investigations community.
As a lifetime member of the International Association of Computer Investigative Specialists (IACIS), Rob instructs regularly at the association’s annual conferences and is a lead instructor for several advanced courses as well as regularly presenting at the premier international digital forensics conferences. Rob has contributed to digital forensic publications and is a subject matter expert in various courses for the ATA program managed by the State Department in the USA.
Course Objectives
This advanced-level course aims to provide participants with the practical skills and competencies necessary for identifying and extracting various sources of data recoverable from Unmanned Aircraft Systems (UAS), commonly known as Drones, along with their associated control devices, in accordance with approved best practices.
Drawing upon cutting-edge research and development from Spyder Forensics, the course offers an introduction to the realm of UAVs (Unmanned Aerial Vehicles) and instructs participants on drone operation. Subsequently, it delves into the best practices for conducting forensically sound extractions and analysis of UAS data, which can be utilized as evidence or for intelligence gathering purposes.
Participants will be guided through the process of collecting data from within the aircraft using non-destructive methods, employing industry-standard tools to create forensic collections of storage media containing flight logs, aircraft data, photos, and video files. Importantly, this is achieved without the need to disassemble the aircraft or its controller. Additionally, students will learn procedures for acquiring application data from mobile devices.
Following data acquisition, attendees will be trained in analyzing flight logs and user data using software specifically designed for these types of structures. This includes understanding workflows to connect data between the drone application and the flight data recovered from the aircraft.
The course emphasizes non-destructive processes for extracting and analyzing data from all UAS hardware, including the handheld device, mobile application, and drone itself. Furthermore, all software utilized in the course is available for use in the DFIR (Digital Forensics and Incident Response) lab at no cost, eliminating the need for additional application purchases to conduct a drone examination.
Primary Learning Objectives
- Become proficient in the extraction of UAV controller data from mobile devices and UAV’s using industry recognized forensic software.
- Recognize types of data available from UAVs, their linked devices, and third-party sources.
- Analyze extracted UAV data effectively to produce reports fit for use in criminal justice proceedings.
- Use a variety of open source and leading forensic applications to examine key artifacts through multiple hands-on labs and student exercises.
UAV (Drone) Forensics - Day 1
Day 1 of the Spyder Forensics UAV (Drone) Forensics course begins with an overview of the course along with an introduction to the Instructor.
It also gives the participants the opportunity to introduce themselves to the Instructor and also to their fellow students, this however is not obligatory.
During this module we will gain first insight into the world of drone forensics and gain knowledge on all aspects of the sUAS systems and its components.
At the conclusion of this module, you will be familiar with all the world of UAV forensics and the need for forensic examinations.
- Introduction to sUAS
- Criminal use of UAV’s
- Manufacturer’s variables
- Attack vectors – risks to public safety
- Drone adaptation
- Capacity and Capability of drones
- Health and Safety – Handling and seizure
- Health and Safety – LiPo Batteries
- Linked devices – controller considerations
- Digital vs. Physical Evidence
- Packaging/Storage and continuity
- Understanding of how flight logs are created and updated.
- Review an aircraft power on flowchart.
Instructor Led Lab
Physical examples of sUAS exhibits and UAV research techniques
- Review physical hardware commonly associated with UAVs
- Examine sample hardware provided in class
UAV (Drone) Forensics - Day 2
During day 2 of the course we will begin to look in-depth at UAV’s and their associated components.
This also gives us the opportunity to explore the different extration techniques and also delve into the responsibilities of the First Responder and the importance of securing the evidence.
Instructor Led Lab
Inspection of exhibit examples and characteristics of each device.
- Incident handling techniques
- Review data ports and hidden locations to connect physically to a UAV
During this module students will be delving deeper into UAVs and their components.
At the conclusion of this module, they will be familiar with all the components of the sUAS and how the system functions from pilot interaction to autonomous flights.
- Learn of UAV Terminology
- Components and features of small, unmanned aircraft systems
- Controller options
- Mobile and Tablet Devices
- Bespoke flight controllers
- Integrated displays
- FPV controllers
- Autonomous flights
- Return-to-home feature
- WiFi controls
- Signal interception.
This module will focus on the collection of data from items such as data storage cards and internal flash media in preparation for the examination phase.
At the conclusion of this module students will understand how to extract data from all parts of the sUAS.
- Extraction techniques to exploit a DJI Drone
- First Responder Responsibilities
- Securing the Evidence for Transport
- Disassembling Techniques
- Data sources and considerations
- Extraction of data from the aircraft
- Extraction of data from mobile \ tablet device
- Extraction of controller data
- Disassembling techniques
- Advanced extractions using a CFID device
- Using FTP to extract data
- Exploitation of ADB connectivity
Instructor Demonstration and Student practicals
Instructor demonstration of collection techniques from the UAV, SD Card and Mobile Device..
UAV (Drone) Forensics - Day 3
Day 3 of the course looks at the processes that deal with analysing the data associated with various elements of UAV’s
We will also look at more advanced techniques which go beyond simply viewing data.
Instructor Led Lab
- UAV Collection Analysis
- Examination notes taking
- Examination of all collected data using free and commercial tools
- Flight Logs from UAV
- Deep dive into the review of flight data going beyond simple flight path analysis
During this module we will be analysing the data collected from the Drone, Mobile device, and Memory cards.
- Techniques in using opensource and commercial forensic tools to review the evidence.
- Interpretation of data contained on the UAV
- File System considerations
- Registered user information
- Aircraft details
- Flight log analysis techniques
- Interpretation of data from portable devices
- Default folder structures of the controlling app from an Android and iOS device
- Synchronized logs vs. local logs
- Error log analysis
- Media file examination (geolocations and dates & times)
- Interpretation of data contained on the UAV
- External Memory Card Analysis
- Techniques in the interpretation additional data on other devices.
- DJI App analysis
- Flight logs
- Graphics and Movies
- Error logs
- Synchronized data analysis
- DJI App analysis
During this module students will be reviewing advanced techniques in the analysis of drone data using a variety of nonstandard techniques that go beyond simple viewing of data.
At the conclusion of this module, you will be familiar with advanced techniques to exploit the drone data for case reporting and presentation.
- Advanced examination workflows
- Additional App and Controller considerations
- Linking hardware devices within the sUAS
- Simplification of data – graphical representation
- Mapping of flight paths
- Automated flight analysis
- PixHawk examinations
Instructor Led Lab
Examination of nonstandard sUAS devices using manufacture tools and open-sourced scripting. Workflows in linking hardware devices within the sUAS including data link devices.
Students will run through exercises in the simplification of data using visualization techques.
UAV (Drone) Forensics - Day 4
On day 4 of the course we will bring all of the learnt knowledge together and look at the preperation of a forensic report which should contain evidence that would be accepted in court.
There will also be a graded student Knowledge Assessment where you will able to put your knowledge into practice.
Instructor Led Lab
Students will be in discussions on a UAV report structure detailing how a typical disclousure would look. Students will review reviewing glossary of terms and how to artiulate common sUAS functions in a court of law.
During this module we will be discussing best practices in the preparation of your forensic report.
At the conclusion of this module, you have the knowledge to create a forensic exploitation report of a UAV.
- Report Structure
- Examiner Qualifications
- Glossary of Terms
- Overview of UAV report considerations
- Presentation of Evidence capable of acceptance in court
- Discussion on courtroom preparation and presentation