Presentations

This page contains a list of our selected presentations, as well as other speaking engagements or appearances.

SANS Training Events

FOR572: Advanced Network Forensics and Analysis

Upcoming Events:

  1. Private Event: July 7-12, 2025 (Ft Walton Beach, FL)
  2. 2025 SANS DFIR Summit: July 26-31, 2025 (Salt Lake City, UT)
  3. Private Event: August 25-29, 2025 (Columbia, MD)
  4. SANS Tallinn September 2025: September 8-13, 2025 (Tallinn, EE)
  5. SANS Network Security 2025: September 22-27, 2025 (Las Vegas, NV)
  6. SANS London October 2025: October 6-11, 2025 (London, UK)
  7. Private Event: October 20-25, 2025 (Augusta, GA)
  8. DFIRCON 2025: November 17-22, 2025 (Miami, FL)
  9. ANYTIME! SANS OnDemand

Recent Events:

  1. Private Event: January 6-11, 2025 (SANS Live Online)
  2. SANS Amsterdam January 2025: January 20-25, 2025 (Amsterdam, NL and SANS Live Online)
  3. SANS Security East 2025: March 3-8, 2025 (Baltimore, MD and SANS Live Online)
  4. Private Event: March 10-15, 2025 (Augusta, GA)
  5. SANS 2025: April 13-18, 2025 (SANS Live Online)
  6. Private Event: April 28-May 3, 2025 (Ft Walton Beach, FL)
  7. SANS Amsterdam May 2025: May 12-17, 2025 (Amsterdam, NL)
  8. Helsinki: May 19-24, 2025 (Helsinki, FI)

Video Content

Check out the videos I’ve published to my YouTube Channel, including Network Forensic content and more! I’m adding more content as time goes on, so subscribe to get the latest information as soon as it’s released.

Formal Presentations

Using SOF-ELK® to Speed Up Incident Response

There is no shortage of digital evidence, with many DFIR and Security Operations teams handling terabytes of log and network data per week. This amount of data presents unique challenges, and many tools are simply inadequate at such a large scale. Commercial platforms that are up to the task are often far out of budgetary reach for small- and medium-sized organizations.

The Elastic Stack, a big data storage and analysis platform, has become increasingly popular due to its scalability and open-source components. Countless investigative and security teams have incorporated Elastic into their toolkits, only to discover the significant effort required to customize and manage such a powerful tool. SOF-ELK was created to remove some of these hurdles. It is an appliance-like virtual machine, preconfigured to ingest and parse several hundred different types of log entries as well as NetFlow data, so that analysts and investigators can leverage the power of the Elastic Stack with minimal setup time and effort. Originally a part of the SANS FOR572, Advanced Network Forensics & Threat Hunting course, SOF-ELK has since been incorporated into additional SANS courses and is released as a free and open-source platform for the overall security community.

In this presentation, we explore SOF-ELK’s use cases, the types of log data currently supported, and how to load data from live or archived sources. We also walk through the dashboards supplied with the VM and show how new features can be activated through the project’s GitHub repository. The demonstration includes a (redacted!) real-world case study involving over 2 million log entries, in which SOF-ELK helped bring the case to closure in about an hour.

Previous Events:

Full List of Previous Presentations