This page contains a list of our selected presentations, as well as other speaking engagements or appearances.

SANS Training Events

FOR572: Advanced Network Forensics and Analysis

Previous Events:

  • Private event: January 22 – 27, 2018; Augusta, GA
  • SANS Southern California/Anaheim: February 12 – 17, 2018; Anaheim, CA (With Simulcast)
  • SANS London March: March 5 – 10, 2017; London, United Kingdom (Co-teach with David Szili)
  • SANS Northern VA Spring: March 19 – 24, 2018; McLean, VA (Co-teach with Matt Bromiley)
  • SANS 2018: April 3 – 8, 2018; Orlando, FL
  • SANS Seattle Spring: April 23 – 28, 2018; Bellevue, WA
  • Security West: May 11 – 16, 2018; San Diego, CA
  • SANS DFIR Summit: June 9 – 14, 2018; Austin, TX
  • SANS Oslo 2018: June 18 – 23, 2018; Oslo, Norway
  • Private event: July 9 – 14, 2018; Lansing, MI
  • SANSFIRE 2018: July 16 – 21, 2018; Washington, DC
  • SANS Copenhagen 2018: August 27 – September 1, 2018; Copenhagen, Denmark (Co-teach with David Szili)
  • SANS Threat Hunting and Incident Response Summit: September 8 – 13, 2018; New Orleans, LA (with Simulcast)
  • Network Security 2018: September 23 – 28, 2018; Las Vegas, NV
  • SANS October Singapore 2018: October 22 – 27, 2018; Singapore
  • SANS DFIRCON Miami 2018: November 5 – 10, 2018; Miami, FL
  • SANS San Francisco Fall 2018: November 26 – December 1, 2018; San Francisco, CA
  • SANS Frankfurt 2018: December 10 – 15, 2018; Frankfurt, Germany

Formal Presentations

The [Encrypted] Elephant in the Room

There is no arguing that the Internet is becoming both more widely and heavily encrypted. This has drastically changed (read: decreased) what traffic network forensicators and defenders can see and therefore use to perform their jobs. However, all hope is not lost. In this talk, we will first briefly explore some of what got us to this point, but more extensively discuss the current state of network traffic analysis in general and what we as an industry can do to overcome it. We will talk about legal, architectural, and technical means of maintaining meaningful visibility in a typical network environment, as well as how our analytic procedures can keep pace with the broader Internet trends.

The road ahead is still full of terabytes of NetFlow, logs, and yes – even full-packet-captures of network traffic. Encryption will remain a constantly evolving technology, meaning security professionals must also stay nimble in the face of this perpetual change.

  • UPCOMING! Keynote Address at SANS St. Louis: March 11, 2019; St. Louis, MO

“State of the Artifact” (with Rob Lee, Chad Tilbury, and Heather Mahalik)

Join the SANS DFIR Faculty as they discuss some of the latest developments in the field of digital forensics and incident response. A rotating cast of instructors will take the stage, discussing some of the latest developments and hot item issues in their respective domains, from Windows and Smartphone forensics, to Network and Endpoint Incident Response, and more.

  • Keynote Address at SANS DFIRCON 2018: November 5, 2018; Miami, FL

“Traveling Paranoid (But Not Too Paranoid)” (With Chris Crowley)

As every security professional knows, travel can be even more stressful when you’re carrying multiple laptops, evidence drives, mobile devices, connection cables, and the like. Whether traveling domestically or internationally, your private data and that of your clients is arguably at the greatest risk when transiting customs or other airport screening points. You must realistically consider whether you would give up encryption passwords or forfeit your hardware at a border crossing, for example.

Now, consider how people within your organization would deal with the same challenges. How should you equip them for international and domestic travel without creating an imposition on their busy schedules? How can you keep up with delivering information to traveling staff? What advice do you give them regarding foreign (or domestic) customs agents demanding passwords and data access? What sort of knowledge do you want to develop about attempts to access your information assets while your staff travels?

This talk will cover practical ways to protect electronic interests in various common situations for you and your organization. We’ll cover both preventive measures and mechanisms to detect that your gear has been fiddled with while outside your immediate control. Measures for various operating systems will be addressed, while considering how to maintain practical paranoia without drawing attention to oneself.

  • SANS @Night (SANS Network Security 2018): September 24, 2018; Las Vegas, NV

“Convergence Forensics: Leveraging Multiple Skills to Analyze Evidence”

One discipline is not enough to solve investigations relating to digital evidence. In this Keynote, Phil will expand on scenarios where multiple skills are needed to hunt and uncover evidence. Network Forensics, Memory Forensics, Malware detection, Malware analysis and Data Synchronization between smartphones, Mac and Windows computers may change the way you need to look at your evidence. Simply having tunnel vision in your field will limit your success! A change in your approach may change your success rate when examining digital media.

  • Keynote Address at SANS Seattle: April 23, 2018; Bellevue, WA
  • October 18, 2018; Hong Kong
  • October 19, 2019; Taipei

“What’s New in FOR572”: All SANS courses are updated regularly to ensure they include the latest investigative tools, techniques, and procedures, as well as reflect trends in attacker methodologies. In this webcast, Phil Hagen will discuss the latest updates in the course, as well as some exciting developments in the OnDemand delivery for the course. We’ll also discuss the corresponding Network Forensics poster, which was released coincident with the new course version.

  • SANS Webcast: April 10, 2018; Online (Archived version available at link)

“The Tap House”: This is a series of talks that focus on new and emerging topics in the Network Forensics arena. No two talks will be quite the same, so feel free to stop in and see what’s new if you’re attending a SANS or other event where we’re holding an event.

Packets move pretty fast. The field of Network Forensics needs to move fast, too. Whether you are investigating a known incident, hunting unidentified adversaries in your environment, or enriching forensic findings from disk- and memory-based examinations, it’s critical to stay abreast of the latest developments in the discipline.

In this SANS @Night series, Phil Hagen will discuss some of the latest technologies, techniques, and tools that you will want to know in pursuit of forensication nirvana.

Phil is also an avid craft beer fan, so there’s a good chance you will learn something about a new notable national or interesting local beer in the process.

This presentation will be helpful for those that wish to keep up-to-date on the most cutting-edge facets of Network Forensics.

  • SANS @Night (SANS DFIR Summit 2018): June 10, 2018; Austin, TX