Presentations

This page contains a list of selected presentations Phil has made or is scheduled to make, as well as other speaking engagements or appearances.

SANS Training Events

FOR572: Advanced Network Forensics and Analysis

Previous Events:

  • SANS Las Vegas 2017: January 23 – 28, 2017; Las Vegas, NV
  • SANS Munich Winter 2017: February 13 – 18, 2017; Munich, Germany
  • Private Event: February 27 – March 4, 2017; Augusta, GA
  • SANS vLive: February 28 – April 6, 2017; Online
  • SANS 2017: April 9 – 14, 2017; Orlando, FL
  • Threat Hunting and Incident Response Summit: April 20 – 25, 2017; New Orleans, LA
  • SANS Riyadh 2017: May 6 – 11, 2017; Riyadh, Saudi Arabia
  • SANS Stockholm 2017: May 29 – June 3, 2017; Stockholm, Sweden

Formal Presentations

"The Tap House": This is a series of talks that focus on new and emerging topics in the Network Forensics arena. No two talks will be quite the same, so feel free to stop in and see what's new if you're attending a SANS or other event where we're holding one.

Packets move pretty fast. The field of Network Forensics needs to move fast, too. Whether you are investigating a known incident, hunting unidentified adversaries in your environment, or enriching forensic findings from disk- and memory-based examinations, it’s critical to stay abreast of the latest developments in the discipline.

In this SANS @Night series, Phil Hagen will discuss some of the latest technologies, techniques, and tools that you will want to know in pursuit of forensication nirvana.

Phil is also an avid craft beer fan, so there’s a good chance you will learn something about a new notable national or interesting local beer in the process.

This presentation will be helpful for those that wish to keep up-to-date on the most cutting-edge facets of Network Forensics.

  • SANS @Night (SANS Stockholm 2017): May 31, 2017; Stockholm, Sweden

Previous Events:

  • Episode 0x02 – SANS @Night (SANS Las Vegas 2017): January 25, 2017; Las Vegas, NV
  • Episode 0x02 – SANS @Night (SANS Munich Winter 2017): February 14, 2017; Munich, Germany
  • Episode 0x02 – SANS @Night (SANS 2017): April 17, 2017; Orlando, FL
  • Episode 0x03 – SANS @Night (SANS Threat Hunting and Incident Response Summit 2017): April 22, 2017; New Orleans, LA
  • Episode 0x03 – SANS @Night (SANS Stockholm 2017): May 31, 2017; Stockholm, Sweden

"The Cider Press – Extracting Forensic Artifacts from Apple Continuity": This is a special joint presentation with Heather Mahalik, SANS Senior Certified Instructor and course lead for SANS FOR585, Advanced Smartphone Forensics, and Sarah Edwards, SANS Certified Instructor and course lead for SANS FOR518, Mac Forensic Analysis.

Apple Continuity allows us to move between our devices without disruption in activity. Just think of the ultimate handoff, where you can start browsing the Internet on your iPhone and continue on your Mac without the hassle of having to type a search a second time. Essentially, your devices work together, enabling you to do less. Imagine how this looks on a Mac, iPhone, or Apple Watch. Will you be able to tell which device the user conducted an activity on? What will the on-device forensic artifacts look like? Continuity requires inter-device communications, so what artifacts will be present on the WiFi and Bluetooth fronts? What if this feature would make or break your investigation?

  • SANS @Night (SANSFIRE 2017): July 25, 2017; Washington, DC
  • SANS @Night (SANS Network Security 2017): September 12, 2017; Las Vegas, NV
  • SANS @Night (SANS CDI 2017): December 18, 2017; Washington, DC

Threat Hunting with Indicators: Not for Prevention Anymore

Threat Hunting is essentially using new intelligence to examine existing data collections. Network data such as NetFlow, logs, and full-packet capture provides extremely useful source data to facilitate threat hunting, and this webcast will show you how.

Traditionally, network defenders have used intelligence such as indicators to feed so-called prevention or real-time detection systems. However, the shelf-life for most threat intelligence is growing shorter – often being outdated as soon as it is released. Instead, security practitioners should use this intelligence as a means of searching for previous activity consistent with those newly-available indicators. This is the essence of hunting.

In this webcast, we'll explore some recent intelligence releases (possibly including GRIZZLY STEPPE, the Shadow Brokers, or similar). Using pre-collected network evidence, we will identify some false positives that can be ruled out, saving you precious time, as well as some potentially suspicious actions that warrant further investigation.

Previous Events:

  • SANS Webcast: March 21, 2017; Online (Archived presentation available at link)

Elevating Your Analysis Tactics: The New Forensics Poster

Join FOR572: Advanced Network Forensics and Analysis course author and instructor Phil Hagen as he introduces the brand-new SANS Network Forensic Poster, which will be mailed worldwide in late May. Phil will browse the poster contents and highlight use cases that will help improve your network forensic capabilities. He will also discuss the latest release of the free SOF-ELK analytics VM appliance and show some examples of how it can help make quick work of even massive volumes of forensic data – whether for Network Forensics, Disk-based Forensics, or Security Operations.

  • SANS Webcast: June 6, 2017; Online
  • SANS Webcast: July 20, 2017; Online

What’s new on the FOR572 Horizon – Stockholm and Beyond

The forensic world moves quickly, and SANS classes are updated frequently to address a rapidly changing landscape. FOR572, Advanced Network Forensics and Analysis, has been freshly updated to include new tools and analytic processes.

The new courseware includes a heavy focus on the SOF-ELK platform for efficient and effective “big data” processing for log and NetFlow evidence. Students will also use the Moloch full-packet capture and analysis platform, providing a free and efficient method of loading existing pcap data or capturing live content.

Numerous additional tools have been updated within the SANS Linux SIFT Workstation, with custom modifications focused on network traffic analysis processes.

The course material also incorporates new protocol variants for HTTP, SMB, and more. Labs have been overhauled to leverage the new tooling and processes as well – helping you to get good findings faster.

In this webcast, you'll learn what we've added as well as how FOR572 is continually evolving to meet the changing demands evident in your casework. Forensicators, security analysts, and investigators will all benefit. We're looking forward to you joining the webcast and hope to see you in class at Stockholm or another upcoming event as well.

Previous Events:

  • SANS Webcast: March 7, 2017; Online (Archived presentation available at link)

"Creators of Code…Why Not Kids?": Presented with Genevieve Hagen, a 5th grade student from the Cape Henlopen School District and Lewes Tech employee #3.

This presentation will explain why coding is an important part of childhood education. We will also cover some of the educational resources available to Cape students as well as the general public.

Previous Events: