Join us In-Person in Austin, TX, or Attend Live Online for FREE! Register today. 

Summit: August 3-4 | Training: August 5-10 | Austin, TX & Live Online | Summit CPE Credits: 12
Summit Co-Chairs: Heather Mahalik & Phil Hagen

“Every talk has a little nugget that you can add to your forensic toolbox no matter what your forensic wheelhouse may be. This is a must-attend event.” - A. Sparling 

Every year, forensic and incident response professionals from around the world attend the SANS DFIR Summit to learn how to overcome their latest obstacles, learn about the latest open-source forensic tools, share methods and strategies proven effective in their investigations, and learn from the top DFIR practitioners in the industry. 

The knowledge shared over just two days is enough to last the entire year. Whether this is your first or sixteenth DFIR Summit, you’ll be joining a community that is driven by the search for truth in digital forensics and eradicating adversaries from their target environment through incident response engagements. 

Ask any of the returning attendees - a key benefit is that you’ll have the opportunity to network with other like-minded DFIR professionals. If you work in digital forensics or incident response, the SANS DFIR Summit is the must-attend event of the year. 

Choose Your Experience: In-Person, All Access | Live Online, Free

Join us in Austin, TX for the Full Summit Experience. The $325 In-Person Summit Registration Fee Includes:

• Two Full Days of Highly Technical Content - The industry's top practitioners will share their latest digital forensics and incident response research, solutions, tools, and case studies. In-Person attendees get access to all Keynotes, Summit talks, breakout sessions and workshops.

• Exclusive Networking Opportunities with the top-minds in DFIR - You'll have the chance to engage with leading experts, SANS instructors, and your peers in the community. Attendees tell us time and again that one of the greatest takeaways from SANS Summits is the many industry connections they forge or deepen during their time with us.

• Access to Exhibit Hall and Solutions Tracks - Meet with digital forensics and incident response solution and tool providers throughout the Summit and learn how to leverage their products within your organization.

• Evening Social Events - The days will be filled with the latest and greatest in digital forensics and incident response, but the fun goes up another level at night for those joining us in Austin, TX. Join us for food, drinks, and fun on our Summit Night Out.

• First-Access to Recordings and Presentations - You'll receive exclusive access to approved recordings and presentations post-Summit.

• SANS DFIR Merchandise and Posters

• 2 Full Breakfasts & Lunches, and Breaks with Snacks and Drinks

Live Online attendees will have access to:

• Select Talks and Content - The industry's top practitioners will share their latest digital forensics and incident response research, solutions, tools, and case studies.
• SANS DFIR Summit Solutions Track | Register for Free
• Interactive Chat on Slack – Connect with your DFIR community
• First-Access to Recordings and Presentations - You'll receive exclusive access to approved recordings and presentations post-Summit.

What Attendees Say

"The DFIR Summit never disappoints and is still the #1 DFIR event. As a leader, it allows me to keep a pulse on cutting-edge research and to meet folks." - Brad Garnett

“I think this is the very best event in the DFIR Community, bar none. The combination of the best networking opportunities and the world's best instructors and content can't be beat.“ - John McCash

Bundle Your Summit Experience with a SANS DFIR Course

Enhance your knowledge base and add to your toolkit with a hands-on, immersive course taught by top SANS instructors and course authors. This year we're featuring 13 SANS DFIR courses, and we’re excited to welcome FOUR new DFIR courses to the event lineup including:

• FOR710: Reverse-Engineering Malware: Advanced Code Analysis
• FOR509: Enterprise Cloud Forensics and Incident Response
• FOR608: Enterprise-Class Incident Response & Threat Hunting
• FOR528: Ransomware for Incident Responders

DFIR NetWars and Coin Slayer - Students enrolled in in-person courses at DFIR Summit & Training 2023 can join us for everyone’s favorite action-packed challenge environment where participants can build their skills while having fun.

Sponsorship Opportunities

Sponsorship opportunities are currently available for SANS DFIR Summit & Training 2023. If your organization would be interested in sponsoring, please reach out to sponsorships@sans.org for more information.

The Summit Advisory Board is working hard to finalize the agenda. Check back soon for a complete schedule and list of talks. Here are just some of the presentations you can look forward to:

Once More unto the Data-Breach: Navigating Investigations of Unconventional Data Sources 

Devon Ackerman, Global DFIR Services Leader, Kroll Cyber Risk 

Digital forensics as a science is built upon the foundation of decades of research, experimentation, and independent validation. The discipline in many cases can rely upon well-defined processes and shared knowledge to ensure that results and findings are sound and defensible. However, while much of the practice is concrete, new technologies and new data sources are nearly endless. It is imperative that investigators dealing with novel sources of data are able to think critically, scientifically, and check their assumptions at the door. In this presentation, we will explore the mindset, processes, and real-world examples of investigators encountering unconventional data. Attendees should expect to learn about data structures, tools for developing understanding of those structures, and the mindset required to assess datasets for DFIR investigations when reference material may not exist.

New Today, Old Tomorrow?: Emerging Technology Forensics 

Veronica Schmitt & Emlyn Butterfield, Noroff University

The field of digital forensics and incident response (DFIR) is fast paced and ever evolving. The view of a single computer for an investigation was quashed long ago, every investigation now involves multiple devices and systems spread over large digital ecosystems. Globally, the average number of devices per individual has increased, on average, from 2.4 to 3.8 in the period 2018 to 2023. New technology and systems are continually released with potential to hold artefacts relevant to an investigation. This technology now sees an increasing synergy with a user, including implantation of devices to assist with medical problems and to track general health, and within vehicles for increased personalized driving experiences and integration of technology. As emerging technology becomes more integrated with everyday life, it becomes increasingly smaller, more powerful and with larger storage capabilities, meaning they also become more viable from a DFIR perspective. However, does emerging mean we require specialist fields within DFIR? How foreign are these devices to those in DFIR? Is it beyond the capabilities of the average DFIR practitioner? These questions have all been asked during our research and investigation of emerging technology, both in-house and with external partners. This talk look to encapsulate thinking around emerging technology, providing an overview of the ever-evolving technical landscape and how traditional DFIR tools, systems and procedures may be re-imagined providing additional opportunities in investigations.

Key takeaways:

• Understanding of the current, and potentially the future, emerging technology landscape.
• Translation of traditional DFIR techniques to emerging technology.
• Understanding the new of today may be the old of tomorrow.

Incident Analysis Case Study Focusing on .NET Malware 

Hirokazu Murakami, Senior Researcher, CyCraft

 This year, we observed an attack in Taiwan using DLL sideloading malware. This could have started around 2021 and continued until we started monitoring and making discoveries. The DLL was named "TSVIPSvr.dll" and was loaded by the SessionEnv service and was ultimately intended for C&C communication by Cobalt Strike. We dealt with this attack by working effectively with our monitoring team, endpoint forensics team, and malware analysis team. In this presentation, we will talk about a series of attack techniques and countermeasures, focusing on malware analysis methods and analysis results. This malware was written with .NET. The malware was obfuscated and contained anti-analysis techniques. The malware also attempted to evade detection by reading another Cobalt Strike-encrypted file, decrypting it, and injecting it into the newly executed process. We will explain what problems we encountered in this analysis, how we solved them, and how this malware works. By this presentation, you'll learn about the necessity and usefulness of teamwork, some points in analyzing .NET malware, and the techniques malware uses to evade security.

iOS Advanced Recovery: Looking for Deleted Evidence of WhatsApp Activities 

Luca Cadonici, Digital Forensics Examiner, European Forensic Institute

Starting from the data acquired with a Full File System type extraction, we will proceed with the analysis of the databases of both Apple Photos and Cloudkit-related artifacts to search for evidence related to the exchange of WhatsApp messages in order to verify the original presence of deleted communications and to attribute the receipt or sending of a file to a particular contact.

Beyond the Basics: Microsoft 365 Attacks We Didn't See Coming 

John Ailes, Senior Consultant DFIR, Aon
Julia Paluch, Consultant, Aon 

Even in the fast-paced world of incident response, you will likely come across similar attack patterns, particularly with Business Email Compromise Investigations. We've all come across an incident where you feel like you could write the final report right then and there. However, even the most experienced investigators can sometimes be surprised by the creativity of advanced threat actors. In this talk, we cover three unique real-life case studies that demonstrate that creativity: one where an APT actor leveraged certificate theft to gain M365 access, one where a threat actor flipped the script on an email allowlist, and one where a ransomware threat actor used email security software to hide in plain sight. By attending this talk, participants will gain insights into unique Microsoft 365 attack techniques seen in the wild. Attendees will also gain a new perspective on defending their organization's Microsoft 365 environment against advanced threats.

2 Meta 2 Oculus 

Sadie Gauthier, Courseware Engineer, SANS Institute
Brian Moran, Digital Strategy Consultant, BriMor Labs

Although Meta keeps trying to make Meta happen (and it probably won't happen), one of the most interesting devices from a usability standpoint in the last decade is virtual reality headsets, of which, the Meta (formerly Oculus) Quest is by far the most popular. We delve into a few use case scenarios of the device and explore how the data is stored and accessed on the device. They also explore what data is available on mobile devices that are synced within the Meta ecosystem. And, perhaps most importantly, they explore ways to acquire and parse data from the Meta devices (both hardware and software (including the cloud)) to aid forensicators in the event that a Meta device is included in one of their investigations.

In the meantime, to get a taste of the type of dynamic presentations and speakers you’ll see at the 2023 SANS DFIR Summit, check out these talks from last year's Summit.

Hilton Austin

500 East 4th StreetAustin, TX 78701

Phone: 512-482-8000

Hilton Austin

Hotel Special Rates and Reservations

A special discounted rate of $229.00 S/D plus applicable taxes will be honored based on space availability.

A limited number of Government Per Diem rooms at the prevailing rate are available with proper ID.

These rates include Internet in your room and are only available through Friday, July 14, 2023.

To make a regular reservation, please visit this link.

To make a government per diem reservation, please visit this link.

Top 3 reasons to stay at the Hilton Austin

1. No need to factor in daily cab fees and the time associated with travel to alternate hotels. Everything is in one convenient location!
2. By staying at the Hilton Austin, you gain the opportunity to further network with your industry peers and remain in the center of the activity surrounding the conference.
3. SANS schedules additional networking events at the Hilton Austin that you won't want to miss!

Travel Arrangements and Directions

A discounted drive-in self-parking rate of $20.00 per day plus applicable taxes for attendees is available. $10.00 discount for overnight self-parking for attendees is available. Please visit the hotel’s website or contact them directly at 512-482-8000 for prevailing parking rates that are subject to change prior to the official meeting dates.

From Austin-Bergstrom International Airport (AUS): Approximately 6.7 miles.

Google Maps

Experience Austin

3 Quick Facts about Austin

1. Austin has the largest urban bat colony in North America.
2. Austin gets an average of 300 days of sunshine and is one of the sunniest cities in America.

1. Austin is the only city in the world that still operates moonlight towers.

Recommended Web Links

https://www.austintexas.org/