- Dates:
- Pre-Summit Courses: July 5-6, 2009
- Summit: July 7-8, 2009
- Post-Summit Courses: July 9-15, 2009
- Summit Venue:
- The Fairmont Washington, D.C.
2401 M Street, NW
Washington D.C. 20037
Phone: (202) 429-2400
Fax: (202) 457-5010
Website: www.fairmont.com/washington
Summit Overview
Criminals are improving their techniques and stealth daily. Are your skills keeping pace?
Why should you attend the 2009 SANS What Works in Forensics and Incident Response Summit?
In the past 10 years, the amount of knowledge gained and techniques learned in the digital forensics profession is staggering. The traditional tools, methods, and techniques have served us well, but the attack landscape has now changed so much that the community needs to have a new discussion on the most reliable techniques, tools, and analysis methods for modern forensics. In a nutshell, what are the new essentials of Computer Forensics and Incident Response in 2009?
The 2009 SANS What Works in Forensics and Incident Response Summit, being held in Washington, DC on July 7 and 8, gives you access to the state of the art in computer forensic techniques. Top industry leaders, forensics and incident response professionals, and vendors will discuss the latest defenses and technologies in a series of highly interactive sessions focused on effective incident response and mitigation, forensic analysis, and recovery as a result of a data breach and e-Discovery requests.
Each presentation or panel discussion at the Summit is built around an interactive Q&A session that gives you the opportunity to grill the experts so that you leave with answers to the tough policy, process and technical questions. Case Studies will be shared that illustrate best practices as well as highlight the pitfalls to avoid. Vendor panels will give you the opportunity to compare tools side-by-side and ask the vendors directly the probing questions that will help you determine the best solutions for your organization.
Whether your organization performs forensic analysis in-house or relies on third-party analysis, the SANS What Works in Forensics and Incident Response Summit is the only event that gives you a single source for information about the unique challenges you face daily.
Expert Speakers Include:
What Will You Learn at the Forensics and Incident Response Summit?
- Up-to-the-minute, real-world forensic techniques from industry-recognized experts to find evidence while minimizing the chance of disruption of compromised systems.
- Methods for ensuring practical and accurate incident response and computer forensics for incidents.
- Details about products and free tools that should be on your short list for use in effective computer forensics and incident response.
- Lessons learned from compromises, litigation, and incidents in large- and medium-scale environments.
- Practices of computer forensic pioneers that push the envelope in developing new tools and techniques for finding key evidence.
- Current trends in malicious attacks and how our forensic/response processes must adapt based on them.
Questions to Be Answered at the Summit
- When should we pull the plug on a computer?
- Which new tools/techniques are shaping the future of performing forensics and IR?
- Are there alternatives to write-blockers?
- What is the best method of acquiring volatile data?
- What forensics tools, if any, are court-approved?
- What are the top three tools to use on a daily basis? Why are they valuable?
- When you hire someone to do forensics or IR, what are the key skills that an entry-level analyst should have? What about someone who is intermediate or advanced?
- Which forensic tools should be avoided?
- Which tools/techniques are the best at performing e-discovery?
- And many, many more...
Organizing Committee
Toby Finnie - Director, High Tech Crime Consortium
Gary Kessler - Associate Professor, Computer & Digital Forensics Program, Champlain College
Doug White, PhD, CISSP, CCE - Roger Williams University
Ovie Carroll - Director, DOJ Cyber Crime Lab
Eoghan Casey - Johns Hopkins University
Jonathan Ham - Independent Consultant, jham corp.
Scott Moulton - System Specialist, Forensic Strategy Services, LLC.
Jennifer E. Kolde - Computer Scientist, FBI Cyber Squad
Who Should Attend
- CISOs who see forensics as the "next big challenge."
- Information security professionals who want to ensure they are not left behind in this fast-moving area of security
- Incident response personnel who are looking for an integration of forensics and investigative methodologies
- Information security consultants who would like to accelerate their careers in the forensic/IR field
- Law Enforcement personnel who are looking at taking their technical skills to the next level
- Internal investigators who want to learn the latest evidence collection and analysis techniques
- Anyone who would like to stay abreast of the latest threats and techniques for computer forensics and incident response by people actually doing it
- Any organization that is currently attempting to mitigate a large scale intrusion or data breach
- Managers who learn by listening to a panel of experts discuss the recent developments in the incident response and computer forensic fields
- Incident responders who are faced with intrusions that might evade the traditional forensic tools
What Attendees are Saying
What past attendees had to say about the most recent 2008 Forensics Summit...
The level of intellectual capital at this conference was impressive.
- Michael Cloppert, Lockheed Martin
This is the best forum to share info and to find out what works and what doesn't - without vendor spin.
- Steve Wallace, Lyondell Bassel
The SANS WhatWorks Summit was an impressive collection of experts from both government and private sector, which provided a timely and informative agenda on incident response and forensic issues.
- Boyd Barker, Shell Oil Company
Summit Courses
Pre-Summit Courses
- 9:00am - 5:00pm Monday, July 6, 2009
- Advanced Filesystem Recovery and Memory Forensics
- Rob Lee -- SANS Institute and Forensic/IR Summit Chair; Lead Author and Editor of sansforensics.wordpress.com
Post-Summit Courses
- 9:00am - 5:00pm Thursday, July 9, 2009 - Monday, July 13, 2009
- SEC408 - Computer Forensic and E-discovery Essentials
- Chad Tilbury -- SANS Institute, former Special Agent, Air Force Office of Special Investigations
- 9:00am - 5:00pm Thursday, July 9, 2009 - Tuesday, July 14, 2009
- SEC508 - Computer Forensic and E-discovery Essentials
- Rob Lee -- SANS Institute and Forensic/IR Summit Chair; Lead Author and Editor of sansforensics.wordpress.com
- 9:00am - 5:00pm Thursday, July 9, 2009 - Monday, July 13, 2009
- SEC606 - Drive and Data Recovery Forensics
- Scott Moulton -- Forensic Strategy Services, LLC
Read the Blogs
http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211600781 (GENERAL NEWS)
http://www.forensickb.com/2008/10/sans-forensic-incident-response-summit.html (Lance Mueller)
http://windowsir.blogspot.com/2008/11/ir-preparedness.html (Harlan Carvey)
http://windowsir.blogspot.com/2008/10/sans-forensic-summit_15.html (Harlan Carvey)
http://windowsir.blogspot.com/2008/10/sans-forensic-summit.html (Harlan Carvey)
http://taosecurity.blogspot.com/2008/10/thoughts-on-2008-sans-forensics-and-ir.html (Richard Bejtlich)
http://taosecurity.blogspot.com/2008/10/unify-against-threats.html (Richard Bejtlich)
http://volatility.tumblr.com/ (Aaron Walters)
http://www.f-response.com/index.php?option=com_content&task=view&id=80&Itemid=9 (F-Response)
http://www.sans.edu/resources/securitylab/2009_predictions.php (Security Predictions - Rob Lee)
http://cfed-ttf.blogspot.com/ (Mark McKinnon)
http://windowsir.blogspot.com/2009/04/sans-forensic-summit-agenda.html (Harlan Carvey)