
DFIR Summit

Austin, TX | Thu, Jun 23 - Thu, Jun 30, 2016

Featured DFIR Summit Information

DFIR Summit Chairman

Rob Lee

Featured Presentation


Puzzle Solving and Science: The Secret Sauce of Innovation in Mobile Forensics?
Friday, June 24 - 9:45am

Summit Agenda

Don't miss the opportunity to attend the most comprehensive DFIR event of the year! Learn how to defeat your enemy and become a DFIR Superhero in 8 days!

Time Presentation Speaker
9:00-9:10am Welcome and Opening Remarks

Rob Lee, DFIR Lead, SANS Institute @robtlee

9:10-10:00am Keynote: Defending a Cloud

Troy Larson, Microsoft Security Response Center | Azure

10:00-10:30am Networking Break and Vendor Expo
10:30-11:00am iOS of Sauron: How iOS Tracks Everything You Do

Sarah Edwards, Mac Nerd, Parsons Corporation; Author and Instructor, FOR518, SANS Institute

Expanding the Hunt: A Case Study in Pivoting Using Passive DNS and Full PCAP

Gene Stevens, Chief Technology Officer, ProtectWise, Inc.

Dr. Paul Vixie, CEO, Farsight Security


Hello Barbie Forensics

Andrew Blaich, Ph.D, Lead Security Analyst, Bluebox Security

Andrew Hay, CISO, Data Gravity

Start-Process PowerShell: Get-ForensicArtifact

Jared Atkinson, Hunt Capability Lead, Veris Group's Adaptive Threat Division


You Don't Know Jack About .bash_history

Hal Pomeranz, Principal, Deer Run Associates; Fellow, SANS Institute

CryptoLocker Ransomware Variants Are Lurking "In the Shadows;" Learn How to Protect Against Them

Ryan Nolette, Security Operations Lead, Carbon Black

12:10-12:25pm Ken Johnson Memorial Scholarship

Rob Lee, DFIR Lead, SANS Institute

Matt Bromiley, Mandiant
David Nides, KPMG

12:25-1:30pm Lunch and Learn TBA

Rising from the Ashes: How to Rebuild a Security Program Gone Wrong... With Help from Taylor Swift

Mike Hracs, Senior Consultant, Deloitte

Shelly Giesbrecht, Incident Responder, Cisco

Tracking Threat Actors through YARA Rules and Virus Total

Kevin Perlow, Senior Consultant, Booz Allen Hamilton

Allen Swackhamer, Associate, Booz Allen Hamilton


All About that (Date)Base

Matt Bromiley, Senior Consultant, Mandiant

Jacob Christie, Consultant, Mandiant

FLOSS Every Day: Automatically Extracting Obfuscated Strings from Malware

William Ballenthin, Reverse Engineer, FireEye

Moritz Raabe, Reverse Engineer, FireEye


UAV Forensics

David Kovar, Senior Manager - Cybersecurity Practice, EY

Plumbing the Depths: Windows Registry Internals

Eric Zimmerman, Sr. Director, Kroll Cyber Security

3:10-3:40pm Networking Break and Vendor Expo

Trust but Verify: Why, When and How

Mari DeGrazia, Director, Kroll Cyber Security

The Incident Response playbook for Android and iOS

Andrew Hoog, CEO and Co-Founder, NowSecure


Analyzing Dridex, Getting Owned by Dridex, and Bringing in the New Year with Locky


What Does my SOC Do?: A Framework for Defining an InfoSec Ops Strategy

Austin Murphy, Director of Incident Response, CrowdStrike Services

4:45-5:15pm Forensic 4cast Awards

Lee Whitfield, Director of Forensics, Digital Discovery

6:00pm DFIR Night in Austin
Join fellow attendees and speakers for a night of networking and fun
Time Presentation Speaker
9:00-9:45am Keynote: The History of Data Forensics, and Get off my Lawn!

Andy Rosen, President, ASR Data Acquisition & Analysis, LLC

9:45-10:30am Panel: Puzzle Solving and Science: The Secret Sauce of Innovation in Mobile Forensics
10:30-11:00am Networking Break and Vendor Expo

What Would You Say You Do Here?: Redefining the Role of Intelligence in Investigations

Rebekah Brown, Threat Intelligence Lead, Rapid7

Using Endpoint Telemetry to Accelerate the Baseline

Keith McCammon, Co-Founder and VP of Detection Operations, Red Canary


Who Watches the Smart Watches

Brian Moran, Digital Strategy Consultant, BriMor Labs

Deleted Evidence: Fill in the Map to Luke Skywalker

Mary Singh, Senior Consultant, FireEye

12:05-1:15pm Lunch and Learn TBA

Seeing Red: Improving the Blue Teams with Red Teaming

Dave Hull, Product Engineer, Tanium

Hadoop Forensics

Kevvie Fowler, National Leader - Cyber Response Services, KPMG Canada


Rocking your Windows EventID with ELK Stack

Rodrigo Ribeiro Montoro, Security Researcher, Clavis Security Brazil

To Automate or Not To Automate; That is the Incident Response Question

Dr. Brian Carrier, VP - Digital Forensics, Basis Technology

2:20-2:50pm Networking Break and Vendor Expo

Incident Detection and Hunting @ Scale: An Introduction to osquery

Scott J. Roberts, Bad Guy Catcher, GitHub

Kevin Thompson, Senior Incident Responder, Heroku

Dive into DSL: Digital Response Analysis with Elasticsearch

Brian Marks, Senior Associate, KPMG

Andrea Sancho Silgado, Associate, KPMG

3:25-3:55pm stoQ'ing your Splunk

Ryan Kovar, Staff Security Strategist, Splunk

Marcus LaFerrera, Director of Development, PUNCH Cyber Analytics Group

Accurate Thinking: Analytic Pitfalls and How to Avoid Them

Kyle Maxwell, Senior Researcher, Verisign iDefense

4:00-4:30pm Leveraging Cyber Threat Intelligence in an Active Cyber Defense

Erick Mandt, Analyst, Air Force Office of Special Investigations (AFOSI)

Robert M. Lee, Author and Instructor, SANS Institute

4:30pm Closing Remarks and Wrap Up
Rob Lee, DFIR Lead, SANS Institute @robtlee