Archived Presentations

Old presentations never die on the Internet.  This is just a listing of old presentations Lewes Tech employees have given.

SANS Training Events

FOR572: Advanced Network Forensics and Analysis

  1. Course Beta #1: October 28 – November 2, 2013; Washington, DC
  2. DFIRCON 2014: March 5 – 10, 2014; Monterey, CA
  3. SANS 2014: April 7-12, 2014; Orlando, FL
  4. SANS Security West 2014: May 10 – 15, 2014; San Diego, CA (With Simulcast)
  5. Digital Forensics and Incident Response Summit: June 3 – 10, 2014; Austin, TX
  6. SANSFIRE 2014: June 23 – June 28, 2014: Baltimore, MD
  7. SANS Boston 2014: July 28 – August 2, 2014; Boston, MA
  8. SANS vLive: August 5 – September, 11, 2014; Online
  9. SANS Bangalore 2014: September 15 – 27, 2014; Bangalore, India
  10. SANS Network Security 2014: October 20 – 25, 2014: Las Vegas, NV (With Simulcast)
  11. Private SANS OnSite: October 27 – November 1, 2014; Rochester, MN
  12. SANS Sydney 2014: November 10 – 22, 2014; Sydney, Australia
  13. Cyber Threat Intelligence Summit: Feb 4 – 9, 2015; Washington, DC
  14. DFIR Monterey: February 23 – 28, 2015; Monterey, CA (With Simulcast)
  15. SANS Singapore 2015: March 16 – 21, 2015; Singapore
  16. SANS 2015: April 13 – 18, 2015; Orlando, FL
  17. SANS vLive: April 21 – May 28, 2015; Online
  18. Private SANS OnSite: June 1 – 6, 2015; Augusta, GA
  19. SANSFIRE 2015: June 13 – 20, 2015; Baltimore, MD
  20. Digital Forensics and Incident Response Summit: July 9 – 14, 2015; Austin, TX (With Simulcast)
  21. SANS San Jose 2015: July 20 – 25, 2015; San Jose, CA
  22. Private vLive event: August 10-14, 2015; Online
  23. SANS San Antonio 2015: August 17 – 22, 2015; San Antonio, TX (Co-teach with Ryan Johnson)
  24. SANS Virginia Beach 2015: August 24 – September 4, 2015; Virginia Beach, VA
  25. Network Security 2015: September 12 – 19, 2015; Las Vegas, NV
  26. Community SANS: September 28 – October 3, 2015; Columbia, MD (Co-teach with Ryan Johnson)
  27. SANS DFIR Prague 2015: October 5 – 10, 2015; Prague, Czech Republic
  28. SANS vLive: October 20 – November 25, 2015; Online
  29. SANS Cyber Defense Initiative 2015: December 14-19, 2015; Washington, DC
  30. Private Event: March 7 – 12, 2016; Blacksburg, VA (With Simulcast)
  31. SANS 2016: March 14-19, 2016; Orlando, FL
  32. SANS Secure Europe 2016: April 4-9, 2016; Amsterdam, Netherlands
  33. SANS Threat Hunting and Incident Response Summit 2016: April 14-19, 2016; New Orleans, LA
  34. SANS Security West 2016: April 29 – May 6, 2016; San Diego, CA
  35. SANS Melbourne 2016: May 16-21, 2016; Melbourne, Australia
  36. SANS vLive: May 23 – June 29, 2016; Online
  37. SANSFIRE 2016: June 13-18, 2016; Washington, DC (With Simulcast)
  38. Digital Forensics and Incident Response Summit: June 25-30, 2016; Austin, TX
  39. SANS London in the Summer 2016: July 11-16, 2016; London, United Kingdom
  40. Community SANS: August 15-20, 2016; Columbia, MD
  41. SANS Virginia Beach 2016: August 28 – September 2, 2016; Virginia Beach, VA
  42. SANS Network Security 2016: September 12 – 17, 2016: Las Vegas, NV
  43. SANS DFIR Prague 2016: October 10 – 15, 2016; Prague, Czech Republic
  44. SANS October Singapore 2016: October 31 – November 5, 2016; Singapore, Singapore
  45. SANS London 2016: November 14 – 19, 2016; London, United Kingdom
  46. Private SANS Onsite: November 21-26, 2016; Amsterdam, Netherlands
  47. SANS Cyber Defense Initiative 2016: December 12-17, 2016; Washington, DC
  48. SANS Las Vegas 2017: January 23 – 28, 2017; Las Vegas, NV
  49. SANS Munich Winter 2017: February 13-18, 2017; Munich, Germany
  50. Private Event: February 27 – March 4, 2017; Augusta, GA
  51. SANS vLive: February 28 – April 6, 2017; Online
  52. SANS 2017: April 9 – 14, 2017; Orlando, FL
  53. Threat Hunting and Incident Response Summit: April 20-25, 2017; New Orleans, LA
  54. SANS Riyadh 2017: May 6 – 11, 2017; Riyadh, Saudi Arabia
  55. SANS Stockholm 2017: May 29 – June 3, 2017; Stockholm, Sweden
  56. SANS Secure Europe 2017: June 12 – 17, 2017; Amsterdam, Netherlands
  57. Digital Forensics and Incident Response Summit: June 24 – 29, 2017; Austin, TX
  58. SANS London July 2017: July 3 – 8, 2017; London, UK
  59. SANSFIRE 2017: July 24 – 29, 2017; Washington, DC (With Simulcast)
  60. SANS Network Security 2017: September 10 – 15, 2017; Las Vegas, NV
  61. SANS EMEA DFIR Summit 2017: October 2 – 7, 2017: Prague, Czech Republic
  62. SANS October Singapore 2017: October 16 – 21, 2017; Singapore, Singapore
  63. SANS Tokyo Autumn 2017: October 23 – 28, 2017; Tokyo, Japan (With Simultaneous Japanese Translation)
  64. SANS Sydney 2017: November 13 – 18, 2017; Sydney, Australia
  65. SANS London November 2017: November 27 – December 3, 2017; London, United Kingdom
  66. SANS Munich December 2017: December 4 – 9, 2017; Munich Germany
  67. SANS Cyber Defense Initiative: December 14 – 19, 2017; Washington, DC (With Simulcast)
  68. Private event: January 22 – 27, 2018; Augusta, GA
  69. SANS Southern California/Anaheim: February 12 – 17, 2018; Anaheim, CA (With Simulcast)
  70. SANS London March: March 5 – 10, 2017; London, United Kingdom (Co-teach with David Szili)
  71. SANS Northern VA Spring: March 19 – 24, 2018; McLean, VA (Co-teach with Matt Bromiley)
  72. SANS 2018: April 3 – 8, 2018; Orlando; FL
  73. SANS Seattle Spring: April 23 – 28, 2018; Bellvue, WA
  74. Security West: May 11 – 16, 2018; San Diego, CA
  75. SANS DFIR Summit: June 9 – 14, 2018; Austin, TX
  76. SANS Oslo 2018: June 18 – 23, 2018; Oslo, Norway
  77. Private event: July 9 – 14, 2018; Lansing, MI
  78. SANSFIRE 2018: July 16 – 21, 2018; Washington, DC
  79. SANS Copenhagen 2018: August 27 – September 1, 2018; Copenhagen, Denmark (Co-teach with David Szili)
  80. SANS Threat Hunting and Incident Response Summit: September 8 – 13, 2018; New Orleans, LA (with Simulcast)
  81. Network Security 2018: September 23 – 28, 2018; Las Vegas, NV
  82. SANS October Singapore 2018: October 22 – 27, 2018; Singapore
  83. SANS DFIRCON Miami 2018: November 5 – 10, 2018; Miami, FL
  84. SANS San Francisco Fall 2018: November 26 – December 1, 2018; San Francisco, CA
  85. SANS Frankfurt 2018: December 10 – 15, 2018; Frankfurt, Germany
  86. Private event: January 7 – 12, 2019; Ft Walton Beach, FL
  87. SANS Threat Hunting London 2019: January 14 – 19, 2019; London England
  88. SANS Security East 2019: February 4 – 9, 2019; New Orleans, LA
  89. SANS Brussels February 2019: February 25 – March 2, 2019; Brussels, Belgium
  90. SANS St. Louis 2019: March 11 – 29, 2019; St. Louis, MO
  91. Private event: March 18 – 22, 2019; San Antonio, TX
  92. SANS 2019: April 1 – 6, 2019; Orlando, FL
  93. SANS Security West 2019: May 9 – 14, 2019; San Diego, CA
  94. SANS Zurich June 2019: June 3 – 8, 2019; Zurich, Switzerland
  95. SANSFIRE 2019: June 17-22; Washington, DC
  96. Private Event: July 8 – 13, 2019; Ft Walton Beach, FL
  97. SANS DFIR Summit 2019: July 27 – August 1, 2019; Austin, TX (with Simulcast)
  98. Private event: August 5 – 10, 2019; Ft Walton Beach, FL
  99. SANS Amsterdam August 2019: August 19 – 24, 2019; Amsterdam, Netherlands
  100. SANS Network Security 2019: September 9 – 14, 2019; Las Vegas, NV
  101. THIR Summit 2019: October 2 – 7, 2019; New Orleans, LA (with Simulcast) (Co-teach with David J. Bianco)
  102. SANS October Singapore 2019: October 14 – 19, 2019; Singapore, Singapore
  103. SANS Paris November 2019: November 4 – 9, 2019; Paris, France
  104. UPCOMING! Private event: November 18 – 23, 2019; San Antonio, TX
  105. SANS Cyber Defense Initiative 2019: December 12 – 17, 2019; Washington, DC (with Simulcast) (Co-teach with Josh Lemon)
  106. January 20 – 25, 2020; Tokyo, Japan (with Simultaneous Japanese Translation)
  107. SANS Security East 2020: February 3 – 8, 2020; New Orleans, LA (Co-teach with Brian Olson)
  108. SANS Scottsdale 2020: February 17 – 22, 2020; Scottsdale, AZ
  109. Private event: March 2 – 7, 2020; Ft Walton Beach, FL
  110. Private event: March 16 – 21, 2020 (SANS Live Online)
  111. SANS 2020: April 5 – 10, 2020 (SANS Live Online)
  112. Private event: March 20 – 25, 2020 (SANS Live Online)
  113. Private event: June 1 – 6, 2020 (SANS Live Online)
  114. DFIR Summit 2020: July 18 – 23, 2020 (SANS Live Online)
  115. Private event: August 3 – 8, 2020 (SANS Live Online)
  116. SANS Reboot: August 10-15, 2020 (Crystal City, VA and SANS Live Online)
  117. SANS Network Security 2020: September 20 – 25, 2020 (SANS Live Online)
  118. Private event: October 19-24, 2020 (SANS Live Online)
  119. DFIRCON 2020: November 2-7, 2020 (SANS Live Online)
  120. SANS CDI 2020: December 14-19, 2020 (SANS Live Online)
  121. SANS 2021: March 22-27, 2021 (SANS Live Online)
  122. OnDemand Studio Recording: April 12-17, 2021 (Philadelphia, PA)
  123. DFIRCON East: May 3-8, 2021 (SANS Live Online)
  124. SANS Paris June 2021: June 14-19, 2021 (SANS Live Online)
  125. Miami: June 21-26, 2021 (SANS Live Online)
  126. DFIR Summit: July 26-31, 2021 (Austin, TX)
  127. Private Event: October 4-9, 2021 (SANS Live Online)
  128. Private Event: November 15-20, 2021 (SANS Live Online)
  129. SANS Austin: December 6-11, 2021 (Hybrid: Austin, TX and SANS Live Online)
  130. Private Event: January 31-February 5, 2022 (Augusta, GA)
  131. London Spring: March 7-12, 2022 (London, UK)
  132. SANS 2022: April 10-15, 2022 (Hybrid: Orlando, FL and SANS Live Online)
  133. SANS Cyber Security East 2022: May 16-21, 2022 (SANS Live Online)
  134. Private Event: June 6-11, 2022 (Augusta, GA)
  135. SANSFIRE: July 11-16, 2022 (Washington, DC)
  136. DFIR Summit: August 17-22, 2022 (Austin, TX and SANS Live Online)
  137. Private Event: September 12-16, 2022 (Columbia, MD)
  138. SANS Gulf Region: November 5-10, 2022 (Dubai, UAE and SANS Live Online)

Lethal Network Forensics

  • US Cyber Crime Conference: April 27 – 28 2014, Leesburg, VA

US Cyber Challenge Camp: Network Forensics

  • Moraine Valley Community College: August 13, 2013; Palos Hills, IL
  • University of Delaware: July 22, 2014; Newark, DE
  • Virginia Tech: June 23, 2015; Blacksburg, VA

FOR558: Network Forensics

  • Community SANS: February 6 – 10, 2012; Arlington, VA
  • Community SANS: October 14 – 19, 2012; Quantico, VA
  • Community SANS: February 25 – March 1, 2013; New York, NY

Formal Presentations

US Cyber Challenge Camp: “Large-Scale Forensic Analysis with SOF-ELK® and the Elastic Stack”

  • Delaware Technical Community College: June 25, 2019; Dover, DE

“The [Encrypted] Elephant in the Room”

There is no arguing that the Internet is becoming both more widely and heavily encrypted. This has drastically changed (read: decreased) what traffic network forensicators and defenders can see and therefore use to perform their jobs. However, all hope is not lost. In this talk, we will first briefly explore some of what got us to this point, but more extensively discuss the current state of network traffic analysis in general and what we as an industry can do to overcome it. We will talk about legal, architectural, and technical means of maintaining meaningful visibility in a typical network environment, as well as how our analytic procedures can keep pace with the broader Internet trends.

The road ahead is still full of terabytes of NetFlow, logs, and yes – even full-packet-captures of network traffic. Encryption will remain a constantly evolving technology, meaning security professionals must also stay nimble in the face of this perpetual change.

The Tap House“: This is a series of talks that focus on new and emerging topics in the Network Forensics arena.  No two talks will be quite the same, so feel free to stop in and see what’s new if you’re attending a SANS or other event where we’re holding an event.

Packets move pretty fast. The field of Network Forensics needs to move fast, too. Whether you are investigating a known incident, hunting unidentified adversaries in your environment, or enriching forensic findings from disk- and memory-based examinations, it’s critical to stay abreast of the latest developments in the discipline.

In this @Night series, Phil Hagen will discuss some of the latest technologies, techniques, and tools that you will want to know in pursuit of forensication nirvana.

Phil is also an avid craft beer fan, so there’s a good chance you will learn something about a new notable national or interesting local beer in the process.

This presentation will be helpful for those that wish to keep up-to-date on the most cutting-edge facets of Network Forensics.

  • Episode 0x00 – SANS @Night (SANS DFIR Summit 2015): July 10 2015; Austin, TX
  • Episode 0x00 – SANS @Night (SANS San Jose 2015): July 23, 2015; San Jose, CA
  • Episode 0x00 – SANS @Night (SANS Virginia Beach 2015): August 17, 2015; Virginia Beach, VA
  • Episode 0x00 – SANS @Night (SANS DFIR Prague 2015): October 6, 2015; Prague, Czech Republic
  • Episode 0x00 – SANS @Night (SANS Cyber Defense Initiative 2015): December 16, 2015; Washington, DC (Slides available here)
  • Episode 0x01 – SANS @Night (SANS Security West 2016): May 3, 2016; San Diego, CA
  • Episode 0x01 – SANS @Night (SANS London in the Summer 2016): July 13, 2016; London, England
  • Episode 0x01 – SANS @Night (SANS Virginia Beach 2016): August 30, 2016; Virginia Beach, VA
  • Episode 0x02 – SANS @Night (SANS October Singapore 2016): November 2, 2016; Singapore,  Singapore
  • Episode 0x02 – SANS @Night (SANS London 2016): November 17, 2016; London, United Kingdom
  • Episode 0x02 – SANS @Night (SANS Cyber Defense Initiative): December 14 ,2016; Washington, DC
  • Episode 0x02 – SANS @Night (SANS Las Vegas 2017): January 25, 2017; Las Vegas, NV
  • Episode 0x02 – SANS @Night (SANS Munich Winter 2017): February 14, 2017; Munich, Germany
  • Episode 0x02 – SANS @Night (SANS 2017): April 17, 2017; Orlando, FL
  • Episode 0x03 – SANS @Night (SANS Threat Hunting and Incident Response Summit 2017): April 22, 2017; New Orleans, LA
  • Episode 0x03 – SANS @Night (SANS Stockholm 2017): May 31, 2017; Stockholm, Sweden
  • Episode 0x03 – SANS @Night (SANS Secure Europe 2017): June 13, 2017; Amsterdam, Netherlands
  • Episode 0x04 – SANS @Night (SANS SANS EMEA DFIR Summit 2017): October 2, 2017; Prague, Czech Republic
  • Episode 0x04 – SANS @Night (SANS Secure October Singapore 2017): October 18, 2017; Singapore, Singapore
  • Episode 0x04 – SANS @Night (SANS Tokyo Autumn 2017): October 25, 2017; Tokyo, Japan
  • Episode 0x04 – SANS @Night (SANS Munich December 2017): December 5, 2017; Berlin, Germany
  • Episode 0x05 – SANS @Night (SANS DFIR Summit 2018): June 10 2018; Austin, TX

“State of the Artifact” (with Rob Lee, Chad Tilbury, and Heather Mahalik)

Join the SANS DFIR Faculty as they discuss some of the latest developments in the field of digital forensics and incident response. A rotating cast of instructors will take the stage, discussing some of the latest developments and hot item issues in their respective domains, from Windows and Smartphone forensics, to Network and Endpoint Incident Response, and more.

  • Keynote Address at SANS DFIRCON 2018: November 5, 2018; Miami, FL

“Traveling Paranoid (But Not Too Paranoid” (With Chris Crowley)

As every security professional knows, travel can be even more stressful when you’re carrying multiple laptops, evidence drives, mobile devices, connection cables, and the like. Whether traveling domestically or internationally, your private data and that of your clients is arguably at the greatest risk when transiting customs or other airport screening points. One must realistically consider whether you would give up encryption passwords or forfeit your hardware at a border crossing, for example.

Now, consider how people within your organization would deal with the same challenges. How should you equip them for international and domestic travel without creating an imposition on their busy schedules? How can you keep up with delivering information to traveling staff? What advice do you give them regarding foreign (or domestic) customs agents demanding passwords and data access? What sort of knowledge do you want to develop about attempts to access your information assets while your staff travels?

This talk will cover various practical ways we can protect electronic interests in various common situations for you and your organization. We’ll cover both preventive measures as well as mechanisms to detect that your gear has been fiddled with while outside your immediate control. Measures for various operating systems will be addressed, while considering how to maintain practical paranoia but without drawing attention to oneself.

  • SANS @Night (SANS Network Security 2018): September 24, 2018; Las Vegas, NV

“Convergence Forensics: Leveraging Multiple Skills to Analyze Evidence”

One discipline is not enough to solve investigations relating to digital evidence. In this Keynote, Phil will expand on scenarios where multiple skills are needed to hunt and uncover evidence. Network Forensics, Memory Forensics, Malware detection, Malware analysis and Data Synchronization between smartphones, Mac and Windows computers may change the way you need to look at your evidence. Simply having tunnel vision in your field will limit your success! A change in your approach may change your success rate when examining digital media.

  • Keynote Address at SANS Seattle: April 23, 2018; Bellevue, WA
  • October 18, 2018; Hong Kong
  • October 19, 2018; Taipei

“What’s New in FOR572”: All SANS courses are updated regularly to ensure they include the latest investigative tools, techniques, and procedures, as well as reflect trends in attacker methodologies. In this webcast, Phil Hagen will discuss the latest updates in the course, as well as some exciting developments in the OnDemand delivery for the course. Well also discuss the corresponding Network Forensics poster, which was released coincident with the new course version.

  • SANS Webcast: April 10, 2018; Online (Archived version available at link)

Smartphone and Network Forensics Goes Together Like Peas and Carrots“: This is a special joint presentation with Heather Mahalik, SANS Senior Certified Instructor and course lead for SANS FOR585, Advanced Smartphone Forensics.

Although two distinct and critical forensic disciplines, there are strong ties between the smartphone and network aspects of the forensic process. Smartphone investigations cover myriad devices, operating systems, applications, and data storage mechanisms but a great deal of their functionality involves a single common technology – TCP/IP communications. On the other hand, hunting an attacker’s network activities within your environment often identifies endpoints including smartphones as relevant to the investigation, which need in-depth device analysis.

In this talk, Heather Mahalik, will address the smartphone side of this investigative coin as covered in SANS FOR585, Advanced Smartphone Forensics. Phil Hagen will look at things from the network side as covered in SANS FOR572, Advanced Network Forensics and Analysis. We connected several smartphone devices to a heavily instrumented wireless network, then conducted some typical smartphone-based activities on the devices. Heather will address the artifacts from the device-centric point of view, while Phil will examine the network evidence to see what can be learned about the on-device activities.

As often identified in the forensic process, a comprehensive approach is necessary to conduct a thorough investigation.

  • SANS @Night (SANS Network Security 2015): September 16, 2015; Las Vegas, NV (Slides available here)
  • Keynote Address (SANS South Florida 2015): November 9, 2015; Ft Lauderdale, FL
  • SANS @Night (SANS 2016): March 16, 2016; Orlando, FL
  • SANS Community Night (SANS Melbourne 2016): May 17, 2016; Melbourne, Australia
  • Techno Security & Forensics Investigations Conference: June 8, 2016; Myrtle Beach, SC
  • SANS @Night (SANSFIRE 2016): June 14, 2016; Washington, DC
  • Private event: September 8, 2016
  • SANS @Night (Network Security 2016): September 14, 2016; Las Vegas, NV

Threat Hunting with Indicators: Not for Prevention Anymore

Threat Hunting is essentially using new intelligence to examine existing data collections. Network data such as NetFlow, Logs, and Full-Packet Capture provides extremely useful source data to facilitate threat hunting and this webcast will show you how.

Traditionally, network defenders have used intelligence such as indicators to feed so-called prevention or real-time detection systems. However, the shelf-life for most threat intelligence is growing shorter – often being outdated as soon as it is released. Instead, security practitioners should use this intelligence as a means of searching for previous activity consistent with those newly-available indicators. This is the essence of hunting.

In this webcast, well explore some recent intelligence releases (possibly including GRIZZLY STEPPE, the Shadow Brokers, or similar). Using pre-collected network evidence, we will identify some false positives that can be ruled out, saving you precious time as well as some potentially suspicious actions that warrant further investigation.

Previous Events:

  • SANS Webcast: March 21, 2017; Online (Archived presentation available at link)

Elevating Your Analysis Tactics: The New Forensics Poster

Join FOR572: Advanced Network Forensics Analysis course author and instructor Phil Hagen as he introduces the brand-new SANS Network Forensic Poster, which will be mailed worldwide in late May. Phil will browse the poster contents and highlight use cases that will help improve your network forensic capabilities. He will also discuss the latest release of the free SOF-ELK analytics VM appliance and show some examples of how it can help make quick work of even massive volumes of forensic data – whether for Network Forensics, Disk-based Forensics, or Security Operations.

Previous Events:

  • SANS Webcast: June 6, 2017; Online
  • SANS Webcast: July 20, 2017; Online

What’s new on the FOR572 Horizon – Stockholm and Beyond

The forensic worlds moves quickly, and SANS classes are updated frequently to address a rapidly changing landscape. FOR572, Advanced Network Forensics and Analysis, had been freshly updated to include new tools and analytic processes.

The new courseware includes a heavy focus on the SOF-ELK platform for efficient and effective “big data” processing for log and NetFlow evidence. Students will also use the Moloch full-packet capture and analysis platform, providing a free and efficient method of loading existing pcap data or capturing live content.

Numerous additional tools have been updates within the SANS Linux SIFT Workstation, with custom modifications focused on network traffic analysis processes.

The course material also incorporates new protocol variants for HTTP, SMB, and more. Labs have been overhauled to leverage the new tooling and processes as well – helping you to get good findings faster.

In, this webcast, you’ll learn what we’ve added as well as how FOR572 is continually evolving to meet the changing demands evident in your casework. Forensicators, security analysts, and investigators will all benefit. We’re looking forward to you joining the webcast and hope to see you in class at Stockholm or another upcoming event as well.

Previous Events:

  • SANS Webcast: March 7, 2017; Online (Archived presentation available at link)

Creators of Code…Why Not Kids?“: Presented with Genevieve Hagen, a 5th grade student from the Cape Henlopen School District and Lewes Tech employee #3.

This presentation will explain why coding is an important part of childhood education.  We will also cover some of the educational resources available to Cape students as well as the general public.

Previous Events:

DNS Evidence: You Don’t Know What You’re Missing

With hundreds of network protocols used in a typical network environment, it’s easy to get overwhelmed during an investigation. Similarly, the technical and legal hurdles to proper full-packet-capture operations leaves critical gaps from evidence such as firewall logs, intrusion detection system logs, or NetFlow. However, regardless of the protocols used, the Domain Name System (DNS) is often a commonality that forensicators may overlook. DNS may not be glamorous, but it often provides critical insight and context during network forensic cases. Even alone, passive DNS logs can provide an excellent baseline of activity for any environment.  In this webcast, well explore some simple and effective ways to create logs of DNS traffic, what specific value they can provide for other evidence types, and how to exploit these logs at scale.

  • SANS Webcast: April 22, 2016 (Archived video available via link)

Passive DNS Logs: The Pulse of the Network

Although some network protocols are more commonly seen than others, the staggering reality is that there are thousands of protocols an analyst may encounter during the course of an investigation, incident response, or threat hunting program. Therefore, network forensic analysts will recognize great efficiencies by reviewing those which provide insight to many other protocols. A prime example is the Domain Name System, or DNS. By logging all DNS queries and their responses, it’s possible to characterize the nature of nearly every other protocol – even many undocumented, custom, and proprietary ones. This webcast will review several different methods one can use to log DNS activity or extract it from existing evidence, as well as analytic cases where it can provide decisive value by itself or as clarifying evidence in support of NetFlow and logs.

  • SANS Webcast: March 8, 2016 (Archived video available via link)
  • SANS @Night (SANS Threat Hunting and Incident Response Summit): April 15, 2016; New Orleans, LA
  • Private Event: November 30, 2016; Amsterdam, Netherlands

Convergence Forensics: Leveraging Multiple Skills to Analyze Evidence

One discipline is not enough to solve investigations relating to digital evidence. In this Keynote, Phil will expand on scenarios where multiple skills are needed to hunt and uncover evidence. Network Forensics, Memory Forensics, Malware detection, Malware analysis and Data Synchronization between smartphones, Mac and Windows computers may change the way you need to look at your evidence. Simply having tunnel vision in your field will limit your success! A change in your approach may change your success rate when examining digital media.

  • SANS Keynote (SANS Threat Hunting and Incident Response Summit): April 14, 2016; New Orleans, LA
  • Private Event: November 29, 2016; Amsterdam, Netherlands

Emerging Trends in DFIR- Lightning Talks

Together with the SANS DFIR Faculty, we unveil the top Emerging Trends in DFIR in a series of lively, hard-hitting lightning talks (15 minutes each). Get a glimpse into the near future for incident response, threat hunting, cyber threat intelligence, and digital forensics.

  • SANS @Night (SANS Security West 2016): May 2, 2016; San Diego, CA

The Ukrainian Power Grid Cyber Attack: Forensics After Dark

On Dec 23rd, 2015 the lights went out in three different regions of Ukraine. A well funded group of threat actors orchestrated the first ever cyber attack on a power grid that caused outages. Immediately following the attack incident response was underway with many around the world watching a geopolitically tense situation between Ukraine and Russia. A week later, the SANS ICS team was able to confirm publicly that the power outages were the result of an intentional cyber attack and provide guidance to the rest of the world on protecting their power grid.

In this presentation, SANS Certified Instructors Alissa Torres, Anuj Soni, Phil Hagen, and Robert M. Lee will break down the attack step by step and show different forensic tools and techniques for malware analysis, memory forensics, network forensics, and threat intelligence as it related to this attack. You don’t have to be scared of the dark to want to keep the lights on.

  • SANS Keynote Presentation (SANS DFIR Summit 2016): June 25, 2016; Austin, TX

Network Forensics: Pre-Collected Evidence through Continuous Monitoring“: You never know what evidence you’ll need during an investigation until you really need it.  This problem is amplified when it still averages hundreds of days to discover a breach.  In this talk, we’ll discuss Network Forensic methodologies commonly used in hunt or investigative operations and how to pre-stage evidence collection platforms to support those tasks.

  • NSA Information Assurance Symposium 2015: June 29, 2015; Washington, DC

Logs, logs every where / Nor any byte to grok“: In this webcast, we will discuss Logstash.  Logstash is one tool that can be a very effective tool for examining log files from the wide variety of sources we tend to find in forensic casework. Although Logstash is a free and open-source solution intended for system and network administrators to observe live data, it can also provide great value to the forensicator, who must integrate disparate data sources and formats. New developments around Logstash also make it an ideal tool for the system-based forensicator as well, since supertimeline data can be integrated as well.

  • SANS Webcast: May 1, 2013
  • SANS @Night (SANS DFIR Summit 2014): June 3, 2014; Austin, TX
  • SANS @Night (SANS Boston 2014): July 31, 2014; Boston, MA
  • SANS @Night (SANS Bangalore 2014): September 25, 2014; Bangalore, India
  • SANS @Night (SANS Network Security 2014): October 23, 2014; Las Vegas, NV
  • SANS @Night (SANS Sydney 2014): November 12, 2014; Sydney, Australia

APT Attacks Exposed: Network, Host, Memory, and Malware Analysis“: This talk is perfect for those in the trenches or for those in management who really want to understand how a response team identifies and responds to these adversaries. What is it they are after? How did they get in? How did our systems fail to detect them? These questions and more will be answered in this presentation, which covers all major aspects of the incident response and forensic process.

  • DFIRCON 2014: March 5, 2014; Monterey, CA
  • SANS 2014: April 7, 2014; Orlando, FL
  • CEIC 2014: May 21, 2014; Las Vegas, NV

There’s GOLD in Them Thar Package Management Databases!“: There is a lot of useful file metadata stored in package management databases for popular Linux distributions.  The RedHat Package Manager (RPM) and Debian’s dpkg are two examples. We’ll focus on how to leverage RPM in forensic investigations, as it can provide a quick and effective way to find changed files that warrant more in-depth analysis.  We’ll also discuss potential shortfalls to consider in using this method.

  • SANS @Night (DFIRCON 2014): March 8, 2014; Monterey, CA
  • SANS @Night (SANS 2014): April 11, 2014; Orlando, FL

DHCP and DNS, ‘The Correlators’“: DHCP provides a vital link between network activity and the devices responsible for it. DHCP traffic and logs can often provide a quick and direct path to the malicious actor’s desk. On the other hand, DNS traffic and logs provide a “one-stop-shop” to assess network activity across an enterprise that typically uses dozens or hundreds of different protocols and services. Cross-referencing DNS activity with NetFlow/IPFIX data, HTTP proxy logs, or any other evidence containing hostnames or IP addresses can establish a clear understanding of malicious activity – even when the underlying data is encrypted or otherwise inaccessible.

Network Forensics and Analysis: Preparing for the Future of Investigations“: While the fast-paced forensic world can provide a “moving target” for managers to track, being aware of developing trends can help to ensure staff members are prepared for the “next thing” before it hits their caseload. Training examiners and investigators to perform comprehensive forensic casework will be the defining factor for organizations that successfully adapt to the network-centric landscape that lies ahead.

IT’S ALIVE!!! Investigating with Network-based Evidence“: Even seasoned disk- and memory-based analysts must consider how network analysis differs from traditional forensic work. We’ll discuss how a proactive approach can aid in the response to incidents that have not yet occurred… or not yet been discovered. We will also address the unique operational security (OPSEC) requirements inherent in network-based analysis. Incorrect handling of network evidence or analysis activities could cause the attacker to stay fully aware of your investigation’s progress, ensuring they remain one step ahead of the good guys.

Network Forensics: The Final Frontier (Until the Next One)“: Traditionally, computer forensic investigations focused on data from static data. Recently, memory analysis has become an integral part of forensic analysis. Now, data from network devices and the wires themselves is becoming necessary to complete our understanding of an event.  By knowing what existing data to ask for and what additional data to collect, we can provide a more comprehensive analysis of an event.

  • National Cyber Crime Conference: May 1, 2012; Boston, MA
  • DHS Computer Forensic Conference: July 25, 2012; Glynco, GA
  • High Technology Crime Investigation Association (HTCIA) Conference and Training Expo: September 17, 2012; Hershey, PA
  • SANS Webcast: September 28, 2012
  • HTCIA Northeast Chapter: January 25, 2013; New York, NY
  • SANS DFIR Monterey: February 24, 2015; Monterey, CA

What Evil Lurks in the Browsers of Man? The Network Knows!“: New web-based technologies like AJAX permeate the online experience.  What critical evidence may be overlooked while analyzing traditional browser artifacts and how can network forensics fill the gaps in our forensic investigation?

  • SANS360 (SANS CDI 2011): December 13, 2011; Washington DC

Digital Threat 2011“: A look at the evolving threats presented by online actors and how an Information Security strategy can be adopted or modified to better prepare for them.

  • Institute of Internal Auditors (IIA) 2011 Mid-Atlantic District Conference: October 20, 2011; Richmond, VA
  • US Special Operations Command (USSOCOM) Information Assurance Conference:  August 31, 2011; Tampa, FL

SQL Ginsu“: How using a database to structure and store large quantities of data from an investigation can simplify and improve the flexibility of the analytic process

  • SANS @Night (SANSFIRE): July 21, 2011; Washington, DC

Additional Engagements

2015 Cyber Security Summit, October 21, 2015; Boston, MA:  Moderated panel entitled “Corporate Espionage and Insider Threat – Monitoring Outlier Behavior that Indicates Malicious Intent”

Insider threat has been synonymous of late with terms such as breach, data leakage and a host of cyber security implications often aimed at the consumer. While personnel files, social security numbers, credit cards, and PII are often the target of attacks, corporations are now watching much more! What happens when a fast riser or even an uninspired employee decides to go to a competitor or launch his or her own endeavor?  What data, clients or even personnel are they exfiltration on the way out? How would you know? There are many identifiers and triggers that often go undetected. Insiders know how to go unnoticed (slow and low), just as malware finds its way through layers and layers of defenses. How do we defend against corporate espionage? What are the implications? What are the signs?

2015 Delaware Innovation Week Dev Talks: “The Path To More Secure Development is Somewhere Between an Racetrack and The Fury Road”

It’s no secret that a development team’s goals are at odds with those of a practical security process. Developers are rightfully focused on delivering a product that meets scope, budget, and schedule constraints. Security processes, however are often seen as unneeded impediments to those goals, not as critical components to success. However, developers don’t need to build for the “worst case scenario”. Rather, it is far cheaper and easier to build some basic security awareness into a development project at inception rather than near or after its release. In the Internet age, skimping on or ignoring security entirely is far too dangerous a road to choose. In this presentation, Phil will briefly discuss the reality of threats facing developers today, as well as some simple ways to mitigate the risks they present.

Other Events