Advanced UAV Forensics Training

The course is broken into two sessions with the first part (three days) focusing on forensic fundamentals, and the necessary and proper techniques and skills for investigating a UAV or UAV incident.  Using the CFID and additional commercial and open-source tools, this first portion of the class will enable investigators and examiners to thoroughly investigate UAVs and associated media and devices. 

Part two of the course covers the advanced techniques to recover data at the board level, through the acquisition of data by connecting to or removing the memory chips in the device.

In both portions of the class, students will learn through a combination of instructor-led lessons as well as extensive hands-on practical lessons. 

You Will Be Able To:

• Investigate a UAV incident comprehensively and thoroughly
• Forensically recover data from the UAV using the CFID, open source, commercial and advanced techniques
• Know where data resides on multiple drone types and brands and how to recover it
• Become a proficient, manufacturer-certified CFID operator
• Use chip reading tools to recover data from removed chips

Who Should Attend:

• Investigators of UAV incidents
• Digital Forensic Examiners, First Responders and Field Operators
• Drone Operators and policy makers
• Intelligence officials

• A foundational knowledge of drones and drone technology 
• Mobile device or computer forensic skills
• Comfortable with hands-on work and device disassembly
• Patience and a strong desire to recover data from challenging devices

• Windows PC with two (2) USB A ports
• Windows OS
• macOS with Bootcamp Windows macOS alone will not work (No Virtual Machines)
• 16 GB RAM
• 1 Terabyte of storage (recommended)
• Full administrative privileges
• NOTE: ALL Windows updates should be done prior to class.

• Official CFID Manufacturer Certification
• Teel Tech UAV Forensics Certification
• Open Source Tools
• 5% Discount on CFID purchases

DAY ONE: Forensic fundamentals and UAV Forensic Basics  

1. Forensic fundamentals and forensic acquisition basics   
2. UAV Forensic Basics covered; Data of interest, internal and external
3. UAV Hardware and Incident response; handling of devices, external components and data contained
4. Open source tools and considerations – using FTK, DJU Assistant, DatCon, etc.
5. Internal UAV memory and media card forensic imaging

DAY TWO: Continued Data Processing Using Open Source and CFID  

1. Using Open Source Tools for External Media Analysis
2. Using Open Source Tools for Internal Media Analysis
3. Using Open Source Tools for Controller Data Analysis
4. Practical, hands-on lessons using FTK Imager, ExifTool, DatCon   
5. Introduction and Familiarization with CFID
6. Using CFID to process media devices
7. Using CFID to acquire and analyze mobile devices
8. Using CFID to acquire UAVs through direct connect and pulling internal SD cards
9. Visualizing CFID acquired data using PC and Android application
10. Familiarization of the CFID (SCG) web site as a resource for information, updates, techniques and more.  

DAY THREE: Manual Data Processing with CFID and Advanced Techniques

1. Manual UAV Log Processing with the CFID. All log types and extraction from forensic image
2. Advanced Log Analysis with CFID.  
3. Using CFID DAT Parser to visualize case specific data
4. Using Open source tools for advanced UAV log analysis
5. Processing UAVs with commercial and open-source tools and techniques
6. Review of Days 1-3 with additional hands-on exercises

DAY FOUR: Processing UAVs Using Advanced Techniques

1. Chip-off and ISP Techniques – when used/why?
2. Common chip/memory types in DJI and low-end/hobby/crude UAVs
3. Acquiring UAV data using Chip-off
4. Demonstrate tool and techniques to recover flight data
5. Hands-on practical lessons with recovered data using CFID and other tools
6. Carving physical images for flight logs

DAY FIVE: Processing UAVs Using Advanced Techniques – Course Review

1. Continued practical lessons and advanced recovery techniques
2. Hands-on with Chip reading tools   
3. Course review and CFID certification practical