Server-side DRONE Analysis

Overview

Server-side DRONE Analysis enables investigators to run or re-run DRONE analysis entirely on the AIR Console against previously collected evidence, without requiring live connectivity to the original asset. This capability allows analysts to retrospectively analyze evidence (PPC files or off-network imports) using the latest DRONE analyzers, keywords, and detection logic, while preserving forensic integrity and investigative continuity.

This feature is particularly valuable when DRONE analysis was not enabled during the original acquisition, when evidence is collected from resource-constrained or offline assets, or when updated threat intelligence needs to be validated against historical evidence.

Within the AIR user interface, this capability is exposed as the Re-Analyze action on the Investigation Hub case Dashboard page, as shown in the following demonstration:

Run DRONE Analysis Anytime

What is Server-side DRONE Analysis?

Server-side DRONE Analysis is a DRONE execution mode that operates exclusively on already collected evidence stored within a case. Instead of executing analyzers on the responder during acquisition, DRONE processors run on the AIR Console and analyze the existing PPC evidence package.

Key characteristics:

  • No responder or endpoint connectivity is required

  • Analysis is performed against stored evidence

  • Results are written back into the original case

  • Existing findings are preserved and extended, not duplicated

This approach decouples evidence acquisition from analysis, giving investigators flexibility over when and where DRONE analysis is performed.


When should this be used?

Server-side DRONE Analysis is designed for several common investigative scenarios:

DRONE was not enabled during acquisition

Investigators may choose to skip DRONE during acquisition to:

  • Minimize acquisition time

  • Reduce responder CPU usage

  • Quickly access raw evidence first

Server-side DRONE Analysis allows DRONE to be executed later without re-acquiring evidence.

This enables DRONE findings to be generated even if the original asset is no longer reachable, with any live-asset-only analyses excluded.

Retrospective analysis with updated detections

As DRONE analyzers, YARA rules, and keyword logic evolve, investigators may need to:

  • Validate new threat intelligence

  • Re-assess older cases

  • Perform retrospective threat hunting

Server-side DRONE Analysis allows existing evidence to be re-processed using the latest detection logic.

Resource-constrained assets

For older or low-spec systems where responder-side DRONE execution may be undesirable, evidence can be collected quickly and analyzed later on the AIR Console, which typically has greater CPU and memory resources.


How it works

Running DRONE analysis on off-network (imported) evidence

Server-side DRONE Analysis fully supports off-network evidence imports, such as PPC files collected using standalone or offline collectors.

When importing evidence into AIR:

  1. Navigate to the relevant case

  2. Select Import Evidence and upload the PPC (or supported archive)

  3. During the import workflow, enable the option to Run DRONE Analysis

  4. Complete the import

When this option is selected, DRONE analysis is automatically executed on the AIR Console against the imported evidence once ingestion is complete. No responder or endpoint connectivity is required at any stage.

This allows investigators to immediately generate DRONE findings for offline or air-gapped collections, or for evidence acquired outside of a live AIR deployment.


Regardless of how the evidence arrives in the case, the overall workflow is the same:

  1. Evidence is acquired or imported into a case (PPC or supported archive)

  2. The investigator selects Run DRONE Analysis from:

    • The Investigation Hub

    • Task details

    • Off-network evidence import flow

  3. DRONE processors execute on the AIR Console against the stored evidence

  4. Findings are generated and written into the existing case context

A visual indicator in the UI shows when server-side DRONE analysis is in progress.


What analyses are supported?

Server-side DRONE Analysis runs all DRONE analyzers that are compatible with evidence-only processing.

Supported

  • Keyword-based analysis (text, regex, wildcard)

  • Server-side DRONE analyzers

  • Evidence scoring and prioritization

  • Findings correlation within the case

Not supported

Some DRONE analyzers require live asset context and therefore cannot run server-side, including:

  • Responder-dependent detections

  • Context-aware analyses requiring live system state

  • Certain MITRE ATT&CK mappings that rely on responder execution

In the UI, these analyses appear greyed out, indicating they require live asset context and cannot run on imported or offline evidence.

If findings from responder-side DRONE already exist in the case, they are preserved and remain visible alongside server-side results.


Findings behavior

  • Existing findings are not removed

  • Findings are not duplicated

  • New findings are added where applicable

  • Updated detections may enrich or extend prior results

When multiple acquisitions (PPC files) exist for the same asset within a case, server-side DRONE Analysis is executed against all relevant evidence packages.


Forensic considerations

Server-side DRONE Analysis does not modify the underlying evidence files. The original PPC remains unchanged, ensuring:

  • Forensic soundness

  • Integrity-preserving workflows

  • A consistent chain of custody

Only analytical outputs (findings and metadata) are added to the case.
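The three properties described above (keyword analysis that needs only stored evidence, findings that are extended rather than duplicated on re-run, and evidence that is never altered by analysis) can be shown together in a small model. The following Python block is an added illustration written for this page; it is not AIR or DRONE code and does not use any AIR API. The evidence package, rule names, rule versions and finding fields are all constructed for the example, and the hash check stands in for whatever integrity verification a real workflow would apply.

```python
"""
Added illustration (not Binalyze AIR/DRONE code): a minimal model of
server-side, evidence-only analysis showing three properties the page
describes:
  - keyword analysis (text, regex, wildcard) runs against stored bytes only,
  - the evidence is never modified (verified by hashing before and after),
  - re-running with an updated ruleset extends findings without duplicates.
All evidence content, rule names and versions below are constructed.
"""
import fnmatch
import hashlib
import re
from dataclasses import dataclass, field

# Constructed evidence package: file path -> bytes, standing in for the
# contents of a collected archive. No live endpoint is involved anywhere.
EVIDENCE = {
    "logs/auth.log": (
        b"Accepted password for admin from 10.0.0.5 port 51234\n"
        b"Failed password for root from 203.0.113.9 port 4022\n"
    ),
    "users/bob/notes.txt": b"todo: rotate api_key=EXAMPLE-KEY before Friday\n",
}


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str      # "text", "regex" or "wildcard"
    pattern: str


@dataclass
class Finding:
    rule: str
    path: str
    line_no: int
    matched_by: set = field(default_factory=set)  # ruleset versions that hit this line

    def key(self):
        # Stable identity: the same rule on the same evidence line is one finding.
        return (self.rule, self.path, self.line_no)


def evidence_digest(evidence):
    """SHA-256 over the whole package, used to prove analysis is read-only."""
    h = hashlib.sha256()
    for path in sorted(evidence):
        h.update(path.encode())
        h.update(b"\0")
        h.update(evidence[path])
        h.update(b"\0")
    return h.hexdigest()


def rule_matches(rule, line):
    if rule.kind == "text":
        return rule.pattern in line
    if rule.kind == "regex":
        return re.search(rule.pattern, line) is not None
    if rule.kind == "wildcard":
        return fnmatch.fnmatch(line, rule.pattern)
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def analyze(evidence, rules, ruleset_version):
    """Evidence-only keyword analysis over stored bytes."""
    findings = []
    for path, data in evidence.items():
        text = data.decode("utf-8", "replace")
        for line_no, line in enumerate(text.splitlines(), 1):
            for rule in rules:
                if rule_matches(rule, line):
                    findings.append(Finding(rule.name, path, line_no, {ruleset_version}))
    return findings


def merge_findings(existing, new):
    """Write results back into the case without removing or duplicating
    prior findings. A repeated hit enriches the existing record (noting which
    ruleset versions matched) instead of creating a second finding."""
    by_key = {f.key(): f for f in existing}
    for f in new:
        if f.key() in by_key:
            by_key[f.key()].matched_by |= f.matched_by
        else:
            by_key[f.key()] = f
    return list(by_key.values())


def rerun(evidence, case_findings, rules, ruleset_version):
    """Server-side re-analysis: verify evidence is untouched, merge into the case."""
    before = evidence_digest(evidence)
    merged = merge_findings(case_findings, analyze(evidence, rules, ruleset_version))
    assert evidence_digest(evidence) == before, "analysis must not alter evidence"
    return merged


# Constructed rulesets: v2 keeps v1's rules and adds one new detection.
RULES_V1 = [
    Rule("ssh-failed-login", "regex", r"Failed password for \w+ from \d+\.\d+\.\d+\.\d+"),
    Rule("admin-login", "text", "Accepted password for admin"),
]
RULES_V2 = RULES_V1 + [Rule("credential-in-notes", "wildcard", "*api_key=*")]

if __name__ == "__main__":
    case = rerun(EVIDENCE, [], RULES_V1, "v1")      # first analysis
    case = rerun(EVIDENCE, case, RULES_V2, "v2")    # retrospective re-analysis
    for f in sorted(case, key=Finding.key):
        print(f.rule, f.path, f.line_no, sorted(f.matched_by))
```

Running the script performs a first pass with the v1 rules, then a second pass with the updated v2 rules against the same stored evidence. The two original findings remain as single records (now tagged with both ruleset versions), the new rule contributes one additional finding, and the package digest is identical before and after each pass.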


Limitations and considerations

  • Server-side DRONE Analysis does not replace responder-side DRONE for live context detection

  • It should be viewed as complementary, not a substitute

  • Performance depends on AIR Console resources and evidence size


Summary

Server-side DRONE Analysis provides investigators with the flexibility to analyze forensic evidence when needed, where needed, without dependency on live assets. By separating acquisition from analysis, AIR enables faster workflows, retrospective detection, and robust support for offline and post-incident investigations.
