DFIR Summit 2014

Austin, TX | Tue, Jun 3 - Tue, Jun 10, 2014

Logs, Logs, Every Where / Nor Any Byte to Grok

  • Phil Hagen, Instructor, SANS Institute
  • Tuesday, June 3rd, 6:30pm - 7:30pm

In the practice of Network Forensics, we frequently lack the ultimate evidence - a full packet capture. Instead, we must seek other Artifacts of Communication, which provide insight into system communications that have long since concluded. These artifacts often come from log events created along the path of communication - switches, routers, firewalls, intrusion detection systems, proxy servers, and a myriad of other devices.

The skilled network forensicator will aggregate these different sources, then apply sound analytic processes to the consolidated evidence. Only then can we build a comprehensive understanding of those network communication events and establish the best possible sequence of events around the incident in question.

We will discuss one tool that can be very effective in practice: Logstash. This is a free and open-source solution primarily intended for system and network administrators to observe live data. However, it can also provide great value to the forensicator, who must integrate disparate data sources and formats. New developments around Logstash also make it an ideal tool for the system-based forensicator, since supertimeline data can be integrated into the broader view of evidence.

Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:

  • SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
  • Vendor: Events hosted by external vendor exhibitors.
  • Lunch & Learn: Short presentations given during the lunch break.

Tuesday, June 3

Session | Speaker | Time | Type
Logs, Logs, Every Where / Nor Any Byte to Grok | Phil Hagen, Instructor, SANS Institute | Tuesday, June 3rd, 6:30pm - 7:30pm | SANS@Night

Wednesday, June 4

Session | Speaker | Time | Type
Extracting User Credentials using Memory Forensics | Alissa Torres, Certified Instructor, SANS Institute | Wednesday, June 4th, 5:45pm - 6:45pm | SANS@Night
Sushi-grade Smartphone Forensics on a Ramen Noodle Budget | Heather Mahalik, Certified Instructor, SANS Institute | Wednesday, June 4th, 6:45pm - 7:45pm | SANS@Night

Thursday, June 5

Session | Speaker | Time | Type
The Great Browser Schism: How to Analyze IE10 & IE11 | Chad Tilbury, Certified Instructor, SANS Institute & Technical Director, CrowdStrike | Thursday, June 5th, 5:45pm - 6:45pm | SANS@Night
Filesystem Journal Forensics | David Cowen, Partner, G-C Partners | Thursday, June 5th, 6:45pm - 7:45pm | SANS@Night

Monday, June 9

Session | Speaker | Time | Type
Vendor Showcase | (no speaker listed) | Monday, June 9th, 9:50am - 10:05am | Vendor Event
Dealing With Persistent Smartphone Forensic Challenges | Ronen Engler, Senior Manager, Technology & Innovation | Monday, June 9th, 12:00pm - 1:00pm | Lunch and Learn
Vendor Showcase | (no speaker listed) | Monday, June 9th, 3:45pm - 4:05pm | Vendor Event

Tuesday, June 10

Session | Speaker | Time | Type
Vendor Showcase | (no speaker listed) | Tuesday, June 10th, 10:30am - 11:00am | Vendor Event
Facing The New Frontier: A Real Case Study In Performing Computer Forensics Without The Evidence | Keith Jones, Lead Cybersecurity Engineer | Tuesday, June 10th, 11:30am - 12:30pm | Lunch and Learn
Vendor Showcase | (no speaker listed) | Tuesday, June 10th, 3:00pm - 3:20pm | Vendor Event