SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

The attribution of cybercrime remains one of the greatest challenges for investigators, largely due to the extensive concealment measures employed by threat actors.
Linux Extended File Attributes provide functionality similar to NTFS Alternate Data Streams (ADS). While often used for legitimate purposes, they can also be abused to conceal malicious content.
Volatile memory on Android devices often contains critical evidence: encryption keys, credentials, and transient user data that traditional extractions miss.
As smart homes become more widespread, they present a growing but often overlooked source of digital evidence.
Forensic imaging doesn’t have to rely on costly proprietary hardware. 4n6pi is a lightweight, open-source project that leverages Raspberry Pi hardware to create forensically sound disk images in E01 format.
Incident responders often rely on the “Spreadsheet of Doom” (SOD) to track findings and observations, but managing, updating, and extracting insights from these spreadsheets can be cumbersome.
As macOS adoption grows in enterprise environments, threat actors are increasingly targeting these systems, leaving incident responders to adapt their investigative approaches.
This presentation delves into the field of PDF forensic analysis and unveils practical techniques to identify non-original (tampered, altered, or fabricated) PDF documents.
In 2024, Google shifted Google Maps location history storage from the cloud to mobile devices, introducing the location-history.json file on iOS.
Forensic WACE is a free, multi-threaded tool designed for semantic forensic analysis of WhatsApp databases on iOS and Android.
How do Apple’s Lockdown Mode and Advanced Data Protection compare to Google’s Advanced Protection introduced in Android 16?
What happens when you face one of the most aggressive, capable, and determined threat groups, while they’re still active in the network?
In modern enterprises, managing digital forensics, incident response, and security audits across hundreds of endpoints and cloud systems is challenging.
When it comes to attacks on generative AI, Prompt Injection is everywhere. So everywhere, in fact, that it’s starting to lose all meaning. If everything is Prompt Injection, then nothing really is — right? In this talk, we’ll go beyond the buzzword and into the world of APE: a structured, practical taxonomy designed for the teams on the front lines, Red Teams, SOCs, Incident Response, and Intelligence. APE helps make sense of the chaos by categorising how adversaries are actually targeting AI systems. Whether you're testing defences, triaging incidents, tracking threat actors, or just trying to figure out what’s going wrong with your chatbot at 3 a.m., APE gives you the vocabulary and framework to work smarter. Because let’s be honest, AI isn’t going anywhere, and neither are the people trying to break it.
The term DFIR has become really popular over the last several years and is used as an all-encompassing term for digital forensics and incident response. But there is an inherent contradiction between the two, because the end goals of digital forensics and incident response are not the same. The reality is that for most organizations, incident response focuses on making the pain go away, and maybe improving security going forward. Thinking about a legal outcome is far from the reality for most organizations.
As the world of information technology continues to change, so does the role of the security leader. Whether you're a CISO, Director of Security, or someone aspiring for such a position, you should consider how the current trends in IT and business affect your professional journey. Does your current approach to security leadership set you up for success?
Attend this session to learn how experienced CISOs:
- Align their security strategy to the business it aims to support
- Ask the right questions to excel in challenging situations
- Gain support for their efforts from non-security stakeholders
- Use technical and communication skills to their advantage
Those of us whose professional roots are grounded in technology often look at enterprise defenses from the perspective of the threats. While understanding the relationship between attacks and defenses is important, it's no longer sufficient. Attend this session to learn how to think about the role of a modern security leader to succeed in today's business environment.
How exactly is Generative AI (GenAI) changing the way Forensicators & Hunters work today? In this talk Jess Garcia will answer that question by presenting everything you need to know to integrate GenAI in your everyday DFIR tasks and get ready for this new era.
Registration: All students who register for a 4–6 day course will be eligible to play NetWars for free. Registration for this event will be through your SANS Account Dashboard the week of the event.
About DFIR NetWars: Focused on digital forensics, incident response, threat hunting, and malware analysis, this tool-agnostic approach covers everything from low-level artifacts to high-level behavioral observations.