DFIR Summit & Training 2017

Austin, TX | Thu, Jun 22 - Thu, Jun 29, 2017

DFIR Summit Agenda


"There is no substitute for the value of the DFIR Summit. The speakers and networking answer real world questions." - Mark Stingley, University of Texas

We strive to present the most relevant, timely and valuable content. As a result, this agenda is subject to change. Please check back frequently for changes and updates.

Thursday, June 22, 2017
Time Presentation Speaker
9:00-9:15 am Welcome & Introductions
  • Phil Hagen (@PhilHagen), Certified Instructor & Summit Co-Chair, SANS Institute & DFIR Strategist, Red Canary
  • Rob Lee (@robtlee), DFIR Lead & Summit Co-Chair, SANS Institute
9:15-10:00 am Opening Keynote: The Secret History of Cyber War Fred Kaplan (@fmkaplan), National Security Columnist, Slate & Author, Dark Territory: The History of Cyber War
10:05-10:40 am The Cider Press - Extracting Forensic Artifacts from Apple Continuity
10:40-11:05 am Networking Break & Vendor Expo
11:05-11:40 am The Forensics of Plagiarism: A Case Study in Cheating Tim Ball, PhD, Southern Utah University
11:40-12:15 pm Mac Forensics: Looking into the past with FSEvents Nicole Ibrahim (@nicoleibrahim), Digital Forensics Expert and researcher at G-C Partners, LLC
12:15-1:30 pm Networking Luncheon
1:30-2:05 pm Google Drive Forensics Ashley Holtz (@thec0dem0nkey), Senior Services Engineer, CrowdStrike
2:10-2:45 pm Your Eyes Can Deceive You - Implications of Firmware Trickery in Metamorphic Hard Drives Courtney Webb, Team Leader, Electronic Evidence, Law Enforcement
2:45-3:15 pm Networking Break & Vendor Expo
3:15-3:50 pm Boot What? Why Tech Invented by IBM in 1983 is Still Relevant Today Christopher Glyer (@cglyer), Chief Security Architect, FireEye
3:55-4:30 pm Tracking Bitcoin Transactions on the Blockchain Kevin Perlow, Associate, Booz Allen Hamilton
4:35-5:10 pm MAC Times, Mac Times, and More Lee Whitfield (@lee_whitfield), Director of Forensics, Digital Discovery
5:15-5:45 pm Beats & Bytes: Striking the Right Chord in Digital Forensics (OR: Fiddling with Your Evidence)
  • Cindy Murphy (@CindyMurph), President, Gillware Digital Forensics; Certified Instructor, SANS Institute
  • Ryan Pittman, Resident Agent-in-Charge, NASA Office of Inspector General's Computer Crimes Division
5:45-6:45 pm Networking Reception
6:45-??? DFIR Night Out in ATX!
Friday, June 23, 2017
Time Presentation Speaker
9:00-9:15 am Day 2 Overview & Opening Remarks
  • Phil Hagen (@PhilHagen), Certified Instructor & Summit Co-Chair, SANS Institute & DFIR Strategist, Red Canary
  • Rob Lee (@robtlee), DFIR Lead & Summit Co-Chair, SANS Institute
9:15-10:00 am A Million Little Wizards: Scaling Forensics Isn't Magic Johan Berggren (@jberggren), Senior Security Engineer, Google
10:05-10:40 am Alexa, Are you Skynet?
  • Jessica Hyde (@B1N2H3X), Director of Forensics, Magnet Forensics; Adjunct Professor, George Mason University
  • Brian Moran (@brianjmoran), Digital Strategy Consultant, BriMor Labs
10:40-11:10 am Networking Break & Vendor Expo
11:10-11:50 am Incident Response in the Cloud (AWS) Jonathon Poling (@JPoForenso), Principal Consultant / Future Operations, SecureWorks
11:50 am - 12:25 pm EXT File System Recovery Hal Pomeranz (@halpomeranz), Principal, Deer Run Associates
12:25-1:30 pm Lunch & Learn Sessions
1:30-1:45 pm Open Source DFIR Made Easy: The Setup
  • Stephen Hinck (@StephenHinck), Senior Technical Account Manager, ICEBRG
  • Alan Orlikoski (@AlanOrlikoski), Senior Manager, Incident Response & Threat Protection Team
1:45-2:20 pm The Audit Log Was Cleared
  • Austin Baker, Consultant, Mandiant
  • Jacob Christie, Incident Responder, Mandiant
2:20-2:55 pm Japanese Manufacturing, Killer Robots, & Effective Incident Handling
  • Scott J. Roberts, SIRT Lead, GitHub
  • Kevin D. Thompson, Security Operations Lead, Heroku
2:55-3:25 pm Networking Break & Vendor Expo
3:25-4:00 pm Deciphering Browser Hieroglyphics Ryan Benson (@_RyanBenson), Senior Threat Researcher, Exabeam
4:00-4:35 pm Processing PCI Track Data with CDPO David Pany (@DavidPany), Senior Consultant, Mandiant
4:35-5:05 pm Know Your Creds, or Die Trying Chad Tilbury (@chadtilbury), Technical Director, CrowdStrike; Senior Instructor, SANS Institute
5:05-5:30 pm Forensic 4cast Awards Lee Whitfield (@lee_whitfield), Director of Forensics, Digital Discovery
5:30 pm Closing Remarks
  • Phil Hagen (@PhilHagen), Certified Instructor & Summit Co-Chair, SANS Institute & DFIR Strategist, Red Canary
  • Rob Lee (@robtlee), DFIR Lead & Summit Co-Chair, SANS Institute