Presentations

This page contains a list of our selected presentations, as well as other speaking engagements or appearances.

SANS Training Events

FOR572: Advanced Network Forensics and Analysis

Upcoming Events:

  1. SANS Tallinn September 2025: September 8-13, 2025 (Tallinn, EE)
  2. SANS Network Security 2025: September 22-27, 2025 (Las Vegas, NV and SANS Live Online)
  3. SANS London October 2025: October 6-11, 2025 (London, UK and SANS Live Online)
  4. Private Event: October 20-25, 2025 (Augusta, GA)
  5. Private Event: October 27 - November 1, 2025 (Ft Walton Beach, FL)
  6. SANS DFIRCON 2025: November 17-22, 2025 (Miami, FL and SANS Live Online)
  7. SANS CTI Summit 2026: January 28 - February 2, 2026 (Arlington, VA and SANS Live Online)
  8. SANS 2026: March 26 - April 3, 2026 (Orlando, FL and SANS Live Online)
  9. SANS London April 2026: April 13-18, 2026 (London, UK)
  10. ANYTIME! SANS OnDemand

Recent Events:

  1. Private Event: January 6-11, 2025 (SANS Live Online)
  2. SANS Amsterdam January 2025: January 20-25, 2025 (Amsterdam, NL and SANS Live Online)
  3. SANS Security East 2025: March 3-8, 2025 (Baltimore, MD and SANS Live Online)
  4. Private Event: March 10-15, 2025 (Augusta, GA)
  5. SANS 2025: April 13-18, 2025 (SANS Live Online)
  6. Private Event: April 28 - May 3, 2025 (Ft Walton Beach, FL)
  7. SANS Amsterdam May 2025: May 12-17, 2025 (Amsterdam, NL)
  8. Helsinki: May 19-24, 2025 (Helsinki, FI)
  9. Private Event: July 7-12, 2025 (Ft Walton Beach, FL)
  10. 2025 SANS DFIR Summit: July 26-31, 2025 (Salt Lake City, UT)
  11. Private Event: August 25-29, 2025 (Columbia, MD)

Video Content

Check out the videos I’ve published to my YouTube Channel, including Network Forensics content and more! I’m adding more content as time goes on, so subscribe to get the latest information as soon as it’s released.

Formal Presentations

Using SOF-ELK® to Speed Up Incident Response

There is no shortage of digital evidence, with many DFIR and Security Operations teams handling terabytes of log and network data per week. This amount of data presents unique challenges, and many tools are simply inadequate at such a large scale. Commercial platforms that are up to the task are often far out of budgetary reach for small- and medium-sized organizations.

The Elastic Stack, a big data storage and analysis platform, has become increasingly popular due to its scalability and open-source components. Countless investigative and security teams have incorporated Elastic into their toolkits, and many have discovered the significant effort required to customize and manage such a powerful tool. To overcome some of these hurdles, the SOF-ELK platform was created. SOF-ELK aims to be an appliance-like virtual machine that is preconfigured to ingest and parse several hundred different types of log entries, as well as NetFlow data. The intent is to provide analysts and investigators with a tool that leverages the power of the Elastic Stack with minimal setup time and effort. Originally part of the SANS FOR572 Advanced Network Forensics & Threat Hunting course, SOF-ELK has been incorporated into additional SANS courses and is released as a free and open-source platform for the overall security community.

In this presentation, we explore SOF-ELK’s use cases, the types of log data currently supported, and how to load data from live or archived sources. We will also show the various dashboards supplied with the VM and how new features can be activated through the project’s GitHub repository. We’ll demonstrate the use case with a (redacted!) real-world case study involving over 2 million log entries, in which SOF-ELK helped bring the case to closure in around an hour.

Previous Events:

Full List of Previous Presentations