Washington, DC - July 6 - 14, 2009

Absolutely wonderful, both in presentation and content
-Don Seymour, TerpSys

Expert Speakers for SANS WhatWorks Summit in Forensics and Incident Response

Craig Ball - Forensic Challenges from the Court Room Panelist

Craig Ball is a prolific contributor to continuing legal and professional education programs throughout the United States, having delivered over 500 presentations and papers. Craig's articles on forensic technology and electronic discovery frequently appear in the national media, including in American Bar Association, ATLA and American Lawyer Media print and online publications. He also writes a monthly column on computer forensics and e-discovery for Law Technology News called "Ball in your Court," the 2007 and 2008 Gold Medal honoree for Best Regular Column as awarded by Trade Association Business Publications International. It is also the 2007 Silver Medalist honoree of the American Society of Business Publication Editors as Best Contributed Column and their 2006 Silver Medalist honoree as Best Feature Series and Best Contributed Column. The presentation, "PowerPersuasion: Craig Ball on PowerPoint," is consistently among the top-rated continuing legal educational programs from coast to coast.

Richard Bejtlich - Keynote: Incident Response: Still Speaking Truth to Power

Richard Bejtlich is Director of Incident Response for General Electric. Prior to joining GE, Richard operated TaoSecurity LLC as an independent consultant, protected national security interests for ManTech Corporation's Computer Forensics and Intrusion Analysis division, investigated intrusions as part of Foundstone's incident response team, and monitored client networks for Ball Corporation. Richard began his digital security career as a military intelligence officer at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA). Richard is a graduate of Harvard University and the United States Air Force Academy. He wrote "The Tao of Network Security Monitoring" and "Extrusion Detection," and co-authored "Real Digital Forensics." He also writes for his blog (taosecurity.blogspot.com) and TechTarget.com, and teaches for Black Hat.

Ken Bradley - Incident Response Techniques Panelist

Ken Bradley is an incident handler for General Electric working for the GE-CIRT. He has more than 14 years of technological industry and network security experience. Ken has consulted to the commercial and federal sectors with Booz Allen Hamilton, Athena Innovative Solutions and Mandiant. Ken was formerly a member of the elite Air Force Office of Special Investigations, Technical Monitoring Team where he performed network intrusion surveillance, digital forensics and data reconstruction required during network intrusion investigations. He is an expert in large-scale enterprise incident response and has gone 'toe-to-toe' with the most persistent intruders on the internet.

Richard Brittson - Working with Law Enforcement Panelist

Richard Brittson is a retired 2nd Grade NYPD Detective. His last assignment before retiring was the NYPD Computer Crimes Squad. While at the Computer Crimes Squad Richard investigated and provided forensic support for a broad range of crimes which included homicide, computer intrusions and child exploitation. After retiring Richard was a Senior Forensic Consultant for Guidance Software Inc, Professional Services Division based in NYC. Since 2006 he has been the Senior Forensic Examiner and Computer Investigative Analyst for the New York County DA's Office - Identity Theft Unit. Some of his recent cases include the investigation and apprehension of international ID theft rings.

Jamie Butler - Memory Forensic Analysis Essentials

Jamie Butler is a highly respected member of the information security community with over a decade of experience in Windows operating system security. Mr. Butler is a Director at MANDIANT and leads the agent team on the MIR product. Prior to joining MANDIANT, Jamie was the CEO of HBGary Federal. His experience also includes Windows Host Intrusion Detection development at Enterasys Networks and over five years' experience at the National Security Agency. Mr. Butler is also co-author of the bestseller "Rootkits: Subverting the Windows Kernel" (Addison-Wesley, 2005). In addition, Jamie has authored numerous papers and is a frequent speaker at computer security conferences. He is the co-author and instructor of the popular courses Advanced 2nd Generation Digital Weaponry, Offensive Aspects of Rootkit Technology, and Advanced Memory Forensics in Incident Response. Mr. Butler's presentations span seven countries and three continents.

Harlan Carvey - Registry Secrets Every Investigator Should Know and IR Panelist

Harlan Carvey, CISSP, is a computer security engineer located in the Metro DC area. He has conducted penetration tests and vulnerability assessments in support of corporate and federal government clients. He has also performed a wide range of incident response activities, and conducts computer forensics research, with specific attention to the Microsoft Windows family of operating systems. He has written numerous articles on information security topics and is the author of several computer forensics books, including Windows Forensics and Incident Recovery and Perl Scripting for Windows Security. His book, Windows Forensic Analysis, was published in June, 2007, and the second edition will be available in June, 2009. He has presented on computer security topics at Usenix, DefCon9, BlackHat, HTCIA and RCFG conferences, as well as at the first SANS Forensic Summit in October 2008. Harlan runs the popular blog http://windowsir.blogspot.com/

Ovie Carroll - Law Enforcement Trends and the Future of Computer Forensics and Incident Response and Cyberspeak Podcast

Ovie Carroll is the Director for the Cybercrime Lab at the Department of Justice, Computer Crime and Intellectual Property Section (CCIPS). The Cybercrime Lab is responsible for providing computer forensic and other technical support to CCIPS and other DOJ attorneys as it applies to implementing the Department's national strategies in combating computer and intellectual property crimes worldwide. Prior to joining the Department of Justice, Mr. Carroll was the Special Agent in Charge of the Computer Crimes Unit at the United States Postal Service, Office of Inspector General, responsible for all computer intrusion investigations within the USPS network infrastructure and for providing all computer forensic analysis in support of USPS-OIG investigations and audits. Mr. Carroll has also served as the Chief, Computer Investigations and Operations Branch, Air Force Office of Special Investigations, Washington Field Office, where he was responsible for coordinating all national level computer intrusions occurring within the United States Air Force. Ovie is also the co-host of the oft-quoted podcast Cyberspeak - http://cyberspeak.libsyn.com/.

Eoghan Casey - Mobile Device Forensics Essentials

Eoghan Casey is a founding partner of cmdLabs specializing in digital forensics, incident response and related training. He frequently responds to security breaches and analyzes digital evidence in a wide range of investigations, including network intrusions with international scope. He has applied digital forensics in response to security breaches to determine the origin, nature and extent of computer intrusions, and has utilized forensic and security techniques to secure compromised networks. Eoghan has performed thousands of forensic acquisitions and examinations, including e-mail and file servers, handheld devices, backup tapes, database systems, and network logs. He has testified in civil and criminal cases, and has submitted expert reports and prepared trial exhibits for computer forensic and cyber-crime cases. Eoghan also conducts research and teaches graduate students at Johns Hopkins Information Security Institute. He is the author of the widely used textbook Digital Evidence and Computer Crime, currently in its second edition. He is also editor of the Handbook of Computer Crime Investigation, and coauthor of Malware Forensics. Eoghan is editor-in-chief of Elsevier's international Journal of Digital Investigation, which publishes articles on digital forensics and incident response on a quarterly basis. Eoghan holds a B.S. in Mechanical Engineering from the University of California at Berkeley, and an M.A. in Educational Communication and Technology from New York University.

Larry E. Daniel - Forensic Challenges from the Court Room Panelist

Larry E. Daniel has become one of the leading experts in computer forensics in criminal defense in the United States. Deeply committed to the advancement and recognition of the digital forensics profession as a legitimate forensic science, and the rights of defendants to receive adequate expert assistance, Larry devotes a lot of his time to educating attorneys and the general public in the area of digital forensics. As part of his commitment to contributing to the legal community, Larry handles several criminal defense cases a year on a pro-bono basis.

Brendan Dolan-Gavitt - Registry Analysis and Memory Forensics: Together at Last

Brendan Dolan-Gavitt is a researcher and current PhD student at the Georgia Institute of Technology's Information Security Center, focusing on memory analysis and virtualization-based security. He has presented work at the Digital Forensics Research Workshop and the Open Memory Forensics Workshop, and continues to write articles on memory forensics on his blog, http://moyix.blogspot.com/. Before attending Georgia Tech, Brendan worked as an Infosec Engineer for the MITRE Corporation, and did his undergraduate work at Wesleyan University in Middletown, CT.

Kris Harms - Evil or Not? Rapid Confirmation of Compromised Hosts Via Live Incident Response

Kris Harms is a Senior Consultant at Mandiant and provides commercial organizations, attorneys and the U.S. Government with expertise in investigating and resolving high risk computer security incidents. He has responded to intrusions for Fortune 100 companies, ecommerce sites and financial institutions. He has also supported multiple counterintelligence intrusion investigations for several government entities. He has assisted organizations with post incident activities such as remediation strategy development, vulnerability management, security architecture design, executive presentations and incident response program development. A frequent industry speaker and instructor, Mr. Harms has appeared on the CBS News program 60 Minutes and PBS's Wealth and Wisdom.

Dave Hull - Incident Response Techniques Panelist

Dave Hull has worked in IT and information security for more than 15 years. Much of that time was spent working in higher education in an environment with a large, open network where the cry "academic freedom!" prevented many security practices, long taken for granted in the corporate world, from taking hold. Surviving worms like Blaster, Sasser and Zotob in academia offers many lessons on incident response. Armed with this experience Hull contributed to the academy's procedures for incident response and forensic investigations. When not responding to incidents or conducting forensic investigations, he put his experience as a software developer to work performing source code analysis on critical applications. In March of 2007, Hull founded Trusted Signal, an information security consultancy specializing in application security, incident response and forensic investigations. His experience in these areas provides an end-to-end perspective on the information security space. He has been published in Sys Admin Magazine, contributes to and edits the SANS Forensics Blog (http://forensics.sans.org) and has taught for SANS. He currently holds a number of industry certifications including GCFA.

Chris Kelly - Working with Law Enforcement Panelist

Chris Kelly is the Managing Attorney for the Cybercrime Division of Attorney General Martha Coakley's Office. In addition to prosecuting and overseeing investigations of crimes with digital components, Chris works with members of the Cybercrime Division to design and implement priority projects and trainings as set forth in the Massachusetts Strategic Plan for Cyber Crime. Prior to joining the AGO, Chris worked in the Suffolk County District Attorney's Office where he created the Computer Crime Division and Computer Forensic Laboratory in 2004. During his tenure in Suffolk, Chris prosecuted hi-tech/Internet, child exploitation, child sexual and physical abuse, and economic crime cases and conducted forensic examinations on digital devices. Chris is an EnCase Certified computer forensic examiner as well as an IACIS certified digital evidence collection specialist. Chris is an adjunct professor of computer forensics at Bunker Hill Community College and a graduate of Boston University and Suffolk University Law School.

Gary C. Kessler - Forensic Challenges from the Court Room Panelist

Gary C. Kessler, Ed.S., CCE, CISSP is an Associate Professor of Computer & Digital Forensics and director of the M.S. in Digital Investigation Management program at Champlain College in Burlington, Vermont. He is also a member of the Vermont Internet Crimes Against Children (ICAC) Task Force, performing public outreach education, law enforcement training, and mobile device examinations. Gary is a member of the High Technology Crime Investigation Association (HTCIA), a member of the Digital Forensics Certification Board (DFCB) certification committee, an associate editor of the Journal of Digital Forensic Practice, and on the editorial board of the Journal of Digital Forensics, Security and Law.

Dave Kleiman - Forensic Challenges from the Court Room Panelist

Dave Kleiman (CAS, CCE, CIFI, CEECS, CISM, CISSP, ISSAP, ISSMP, MCSE, MVP) has worked in the Information Technology Security sector since 1990. Currently, he runs an independent Computer Forensic company, DaveKleiman.com, which specializes in litigation support, computer forensic examinations, incident response, and intrusion analysis. He developed a Windows Operating System lockdown tool, S-Lok. Dave is a member of many professional security organizations, including the Miami Electronic Crimes Task Force (MECTF), International Association of Computer Investigative Specialists® (IACIS), International Information Systems Forensics Association (IISFA), the International Society of Forensic Computer Examiners® (ISFCE), and the High Tech Crime Consortium (HTCC). He is also on the Certification Committee for National Center for Forensic Science (NCFS) Digital Forensics Certification Board (DFCB), a program of the National Institute of Justice, and the Sector Chief for Information Technology at the FBI's InfraGard®. Dave was a contributing author for Microsoft Log Parser Toolkit, Security Log Management: Identifying Patterns in the Chaos, and How to Cheat at Windows System Administration. Dave was Technical Editor for Perfect Passwords, Winternals® and Administration Field Guide, Windows Forensic Analysis DVD Toolkit, CD and DVD Forensics, Perl Scripting for Windows Security: Live Response, Forensic Analysis, and Monitoring, and The Official CHFI™ Exam Study Guide.

Jennifer Kolde - Working with Law Enforcement Panelist

Jennifer Kolde joined the FBI in 2007 as a Computer Scientist with the San Diego Division's National Security Cyber squad, where she provides forensic analysis, malware analysis, and technical subject matter expertise in support of Special Agents' investigations. Prior to joining the FBI, she spent nearly 10 years as a defense contractor with SAIC and CSC, providing network and system administration, network security, incident response, forensics, and malware analysis for the US Navy. Her experience includes managing information security and incident response on a 10,000 node research and development network, geographically distributed from the US East coast to the Asian Pacific Rim. Ms. Kolde received her undergraduate degree from the University of Michigan and her MS in Computer Science and Information Security from James Madison University. She is a former SANS instructor and former Director of the GIAC Certification program, and has edited several technical books for Addison-Wesley.

Jesse Kornblum - Forensic Tool Panelist

Jesse Kornblum is a Senior Forensic Scientist for the ManTech International Corporation. Based in the Washington DC area, his research focuses on computer forensics and computer security. He has authored a number of computer forensics tools including the md5deep suite of hashing programs and a system for fuzzy hashing similar files. A graduate of the Massachusetts Institute of Technology, Mr. Kornblum has previously served as a computer crime investigator for the U.S. Air Force and as the Lead Information Technology Specialist for the Department of Justice. He is proud to have been raised by wolves.

Troy Larson - Forensic Tool Panelist

Troy Larson is the Senior Forensic Investigator in Microsoft's IT Security Group. Prior to joining Microsoft, Mr. Larson worked as a private computer forensics consultant, including two years with the Ernst & Young National Computer Forensics and Incident Response Team. Mr. Larson is a graduate of the University of California, Berkeley, and Boalt Hall School of Law.

Rob Lee - Opening and Closing Remarks and Forensic Summit Chair

Rob Lee is a Principal Consultant for MANDIANT, a leading provider of information security consulting services and software to Fortune 500 organizations and the U.S. Government. Rob has over 13 years' experience in computer forensics, vulnerability discovery, intrusion detection, and incident response. Rob graduated from the U.S. Air Force Academy and served in the U.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on Information Operations. Later, he was a member of the Air Force Office of Special Investigations where he conducted computer crime investigations and computer forensics. Prior to joining MANDIANT, he worked on contracts for a variety of government agencies, where he was the technical lead for a vulnerability discovery team, contractor lead for a cyber forensics branch, and led a security software development team. Rob is the curriculum lead for Digital Forensics at the SANS Institute where he has taught over 10,000 specialists over the past 10 years. Rob also coauthored the bestselling book, Know Your Enemy, 2nd Edition. In addition to working for MANDIANT and the SANS Institute, Rob just completed his MBA at Georgetown University in Washington D.C.

Mark McKinnon - Forensic Tool Panelist

Mark McKinnon is currently the owner of RedWolf Computer Forensics, a software company that creates free and purchased software. Mark has over 20 years' experience in IT, ranging from Mainframe/PC programming to Database Administration and Digital Forensics. Some of the more notable free programs are Skype Log Parser, Google Chrome Parser, CSC Parser and the Vista Thumbcache Parser. Mark is the creator of Drive Prophet, which is a triage program for Windows Systems. Mark is also an adjunct professor at Davenport University teaching computer forensics and an associate of AK+ Computer Consulting LLC where he does digital forensic examinations and E-Discovery.

Cindy Murphy - Working with Law Enforcement Panelist

Detective Cindy Murphy is employed by the City of Madison, WI Police Department and has been a Law Enforcement Officer for 24 years. She is a certified forensic examiner, involved in computer forensics for over 10 years. Det. Murphy has directly participated in the examination of hundreds of hard drives, cell phones, and other items of digital evidence pursuant to criminal investigations including homicides, missing persons, computer intrusions, sexual assaults, child pornography, financial crimes, and various other crimes. She has testified as a computer forensics expert in state and federal court on numerous occasions, using her knowledge and skills to assist in the successful investigation and prosecution of criminal cases involving digital evidence. She is also a part time digital forensics instructor at Madison Area

Lance Mueller - Forensic Tool Panelist

Lance Mueller (CISSP, GCIH, GREM, EnCE, CFCE, CCE) is the co-owner of BitSec Forensics, Inc., a forensic services and training organization. Lance conducts computer forensic investigations, and teaches computer forensics to local, state, and federal law enforcement officers worldwide. Lance's background includes 15 years in law enforcement, where he was assigned to a computer crime task force in which he performed computer forensic examinations and conducted complex intrusion investigations. Lance continues to serve as a Senior Consultant to the U.S. Department of State, Bureau of Diplomatic Security Office of Antiterrorism Assistance and has traveled extensively throughout the Middle East, Africa, South America and South East Asia consulting with international law enforcement agencies and government institutions so that they can acquire the skills needed to detect, prevent, and investigate incidents related to cyber terrorism and cyber crime. Lance's blog is at http://www.forensickb.com/

Bret Padres - Forensic Challenges from the Court Room Panelist and Cyberspeak Podcast

Mr. Padres has over 20 years experience in the fields of information security, digital forensics, law enforcement, electronic discovery and counterintelligence. At Stroz Friedberg, Mr. Padres leads the digital forensic laboratory in the DC office and co-manages the firm's digital forensics practice. He has led incident response teams to investigate significant hacking incidents occurring in private corporate networks and at government agencies. He has also designed and implemented digital forensic tools and practices for use in incident response and computer analysis for use in both civil and criminal matters. Mr. Padres has made helpful contributions to the digital forensic field by developing open source digital forensic tools and co-hosting a weekly Internet radio show Cyberspeak (http://cyberspeak.libsyn.com/), in which he interviews other experts and explores digital forensics, network security and computer crime topics with thousands of listeners.

Chris Pogue - Incident Response Techniques Panelist

Chris Pogue is a Senior Security Analyst for the Trustwave SpiderLabs Incident Response and Digital Forensics team. Before moving into Forensics, Chris spent five years as an Ethical Hacker, conducting penetration tests for enterprise level customers. Bringing that knowledge and experience to bear within the SpiderLabs, Chris specializes in incidents involving intrusion, unauthorized access, and reverse engineering malware. Chris is also a former US Army Warrant Officer and has worked with the Army Reserve Information Operations Command (ARIOC) on Joint Task Force (JTF) missions with the National Security Agency (NSA), Department of Homeland Security (DHS), Regional Computer Emergency Response Team-Continental United States (RCERT-CONUS), and the Joint Intelligence Center-Pacific (JICPAC). Chris holds a Bachelor's Degree in Business Management from Grand Canyon University and a Master's degree in Information Security from Capella University, and is a Certified Information Systems Security Professional (CISSP), a Certified Ethical Hacker (CEH), a Certified Reverse Engineering Analyst (CREA), and a VISA PCI DSS Qualified Security Assessor (QSA). Chris is also the primary author of the book, Unix and Linux Forensic Analysis, from Syngress/Elsevier. Chris's book is currently being used as a textbook at Saginaw Valley State University and Illinois State University for their computer forensics courses.

Ken Privette - Working with Law Enforcement Panelist

Ken serves as the Special Agent in Charge of Digital Evidence Services (DES), a component of the Joint Mission Support Center providing computer crime and digital forensics support to more than 2000 investigators from the United States Postal Service Office of Inspector General and Postal Inspection Service. He and his team of more than 35 digital forensic examiners have pioneered initiatives such as remote forensics, integration with the USPS CIRT and USPS eDiscovery, as well as the development of forensic tools such as eInvestigator — an online forensic collaboration tool for sharing, parsing and searching digital evidence. Much of Ken's professional career was spent as a Special Agent with the Naval Criminal Investigative Service both overseas and state-side where he conducted investigations involving computer crime, terrorism, and counterintelligence matters. He has also worked in assignments at the Department of Defense Computer Emergency Response Team and served as an instructor in the Computer Forensics, Investigation and Response course for the SANS Institute.

Peter Silberman - Memory Forensic Analysis Essentials

Peter Silberman is an engineer on the product team at MANDIANT, Inc. For a number of years, Peter has specialized in offensive and defensive kernel technologies, reverse engineering, and vulnerability discovery. He enjoys automating solutions to problems both in the domain of reverse engineering and rootkit analysis. Peter now spends most of his time researching solutions to memory forensic problems. Peter is the co-author and teacher of "Advanced Memory Forensics in Incident Response" and has presented his rootkit and malware analysis research at RSA, Black Hat USA, Black Hat Europe, and Hack in the Box.

Special Agent Paul J. Vitchock - Working with Law Enforcement Panelist

Special Agent Vitchock has been investigating cyber crime for the past six years, first in Pittsburgh, Pennsylvania and now in Washington, DC. During that time, he has investigated matters concerning child pornography, intellectual property rights, fraud, and computer intrusions. He currently specializes in transnational organized cyber crime. In that role, he has collaborated with many different law enforcement agencies in the US and abroad. Special Agent Vitchock continues to maintain a CISSP which he earned prior to joining the FBI while employed in the Washington, DC area as a network infrastructure and security consultant.

Elizabeth Whitney - Working with Law Enforcement Panelist

Ms. Whitney is a law enforcement officer with City-County Bureau of Identification and has worked there for 9 years, first as a Crime Analyst and then as a Forensic Computer Examiner. Her background as a criminal defense attorney gives her a unique perspective on forensic practice. She created her agency's digital forensic unit from the ground up and constantly works to keep it able to address new technologies. Her caseload is primarily homicides, sexual assaults, and sexual exploitation of children but also includes robberies, narcotics violations, identity theft and fraud. She is a Certified Forensic Computer Examiner (IACIS), a Certified Computer Examiner (ISFCE), and a Seized Computer Evidence Recovery Specialist (U.S. Department of Homeland Security). She is a member of the Executive Committee of the Scientific Working Group on Digital Evidence, a federal task force that creates white papers and practice guides for digital forensic examiners. She also serves on the cybercrime curriculum committee for her statewide law enforcement training academy and frequently teaches on and speaks on topics related to digital forensics.

Dr. Doug White - Forensic Challenges from the Court Room Expert Brief and Panelist

Doug White has 30 years of experience in technology as a programmer, networking security specialist, forensic examiner, and pen tester. Dr. White holds a CISSP, a Private Investigators license, and is CCE number 30 as well. Doug White is the Director of the FANS laboratory at Roger Williams University, the President of Secure Technology, LLC., and is also a representative of ISFCE at various functions.