Gain Top-Notch Cyber Security Skills at SANS Pittsburgh 2018. Save $200 thru 6/27.

DFIR Summit & Training 2018

Austin, TX | Thu, Jun 7 - Thu, Jun 14, 2018
This event is over,
but there are more training opportunities.

Advisory Board

Matt Bromiley (@mbromileyDFIR), Senior Managing Consultant, Kroll; Instructor & Summit Co-Chair, SANS Institute

Matt Bromiley is a Senior Managing Consultant at Kroll, a major incident response and forensic analysis firm where he assists clients with incident response, digital forensics, and litigation support. He also serves as a SANS GIAC Advisory Board member, a subject-matter expert for the SANS Securing The Human Program, and a technical writer for the SANS Analyst Program. Matt brings his passion for digital forensics to the classroom as a SANS instructor for FOR508: Digital Forensics, Incident Response, and Threat Hunting, where he focuses on providing students with implementable tools and concepts. Matt fell into this career somewhat by accident, taking on a junior analyst role because the team was great and the work sounded exciting. Since then, Matt has built a wide-ranging career that gives him a broad perspective on digital forensics. He has helped organizations of all types and sizes, from multinational conglomerates to small, regional companies. His skills run the gamut from disk, database and network forensics to malware analysis and classification, incident response/triage and threat intelligence, memory analysis, log analytics, and network security monitoring. Along with traditional database forensics, Matt has experience deploying such tools as Elasticsearch, Splunk, and Hadoop to assist in large-scale forensic investigations, network security monitoring, and rapid forensic analysis on over 100 systems and over 10TB of logs. He has a particular interest in database and Linux forensics, as well as in building scalable analysis tools using free and open-source software. Outside of work, Matt loves spending time with his family, cooking Texas BBQ, and making his house as automated as possible in hopes that it will one day do work for him.


Chris Crowley (@CCrowMontance), Principal Instructor, SANS Institute

Mr. Crowley has 15 years of industry experience managing and securing networks. He currently works as an independent consultant in the Washington, DC area focusing on effective computer network defense. His work experience includes penetration testing, security operations, incident response, and forensic analysis.Mr. Crowley is the course author for for SANS Management 517 - Managing Security Operations and SANS Management 535 - Incident Response Team Management. He holds the GSEC, GCIA, GCIH (gold), GCFA, GPEN, GMOB, GASF, GREM, GXPN and CISSP certifications. His teaching experience includes FOR585, MGT517, MGT535, SEC401, SEC503, SEC504, SEC560, SEC575, and SEC580; Apache web server administration and configuration; and shell programming. He was awarded the SANS 2009 Local Mentor of the year award. "The Mentor of the Year Award is given to SANS Mentors who excel in leading SANS Mentor Training classes in their local communities."


David Cowen (@hecfblog), Partner, G-C Partner, LLC; Certified Instructor, SANS Institute Certified Instructor

David Cowen is a Certified SANS Instructor and a Partner at G-C Partners, LLC, where his team of expert digital forensics investigators pushes the boundaries of what is possible on a daily basis. He has been working in digital forensics and incident response since 1999 and has performed investigations covering thousands of systems in the public and private sector. Those investigations have involved everything from revealing insider threats to serving as an expert witness in civil litigation and providing the evidence to put cyber criminals behind bars.
David has authored three series of books on digital forensics; Hacking Exposed Computer Forensics (1st-3rd editions), Infosec Pro Guide to Computer Forensics, and the Anti Hacker Toolkit (Third Edition). His research into file system journaling forensics has created a new area of analysis that is changing the industry. Combined with Triforce products, David's research enables examiners to go back in time to find previously unknown artifacts and system interactions.
David speaks about digital forensics and file system journaling forensics at DFIR and Infosec conferences across the United States. He has taught digital forensics both as a SANS instructor and as a graduate instructor at Southern Methodist University.
David is a Certified Information Systems Security Professional (CISSP) and a GIAC Certified Forensic Examiner. He is the winner of the first SANS DFIR NetWars and a SANS Lethal Forensicator whose passion for digital forensics can be seen in everything he does. He started in 1996 as a penetration tester and has kept up his information security knowledge by acting as the Red Team captain for the National Collegiate Cyber Defense Competition for the last nine years.
David is the host of the Forensic Lunch, a popular DFIR podcast and live YouTube show, and the author of the award winning Hacking Exposed Computer Forensics Blog. The blog (www.hecfblog.com) contains some 448 articles on digital forensics. David is a two-time Forensic 4cast award winner for both Digital Forensic Article of the Year and Digital Forensic Blog of the year. The Forensic 4cast award winners are nominated by their peers and voted on by the greater DFIR community.
When David is not researching, writing, testifying, or teaching about digital forensics he spends time with his family and working on mastering Texas BBQ.


Sarah Edwards (@iamevltwin), Mobile Forensic Engineer, Parsons; Author & Certified Instructor, SANS Institute

A self-described Mac nerd, Sarah Edwards is a forensic analyst, author, speaker, and both author and instructor of SANS FOR518: Mac Forensic Analysis. She has been a devoted user of Apple devices for many years and has worked specifically in Mac forensics since 2004, carving out a niche for herself when this area of forensics was still new. Although Sarah appreciates digital forensics in all platforms, she has a passion for working within Apple environments and is well known for her work with cutting-edge Mac OS X and iOS, and for her forensic file system expertise. Sarah's dynamic classroom and presentation skills have been heralded by both her students and colleagues. She keeps students interested and engaged. Sarah has more than 12 years of experience in digital forensics, and her passion for teaching is fueled by the ever-increasing presence of Mac devices in today's digital forensic investigations. Given the complexity of most cases and the high probability that an OS X or iOS will be a part of an investigation, deep knowledge of these Operating Systems is crucial to ensure that forensic analysts grasp all the information required in a case and not omit valuable data.


Phil Hagen (@PhilHagen), DFIR Strategist, Red Canary; Summit Co-Chair, SANS Institute

For Phil Hagen, a career in information security chose him even before the movies War Games and Sneakers spurred his broader interest in the field. Phil has been captivated since the early days, working on information security projects since the mid-1990s, but networking grabbed his attention even before that.
"Since installing a 2400bps modem into an Apple //e around 1988, every computer I've used has been able to communicate with others," he says. "Of course the systems themselves are becoming more and more varied, making network analysis a critical component of the investigative process today."
Phil began his studies at the U.S. Air Force Academy's Computer Science Department, where he focused on network security and was an inaugural member of the computer security extracurricular group. He served in the Air Force as a communications officer at Beale AFB and the Pentagon. In 2003, Phil moved over to a position with a government contractor, providing technical services for various IT and information security projects.
Today, Phil's career has spanned the full attack life cycle - tool development, deployment, operations, and the investigative aftermath - giving him rare and deep insight into the artifacts left behind. Phil has covered deep technical tasks, managed an entire computer forensic services portfolio, and handled executive responsibilities. He's supported systems that demanded 24x7x365 functionality, managed a team of 85 computer forensic professionals in the national security sector, and provided forensic consulting services for law enforcement, government, and commercial clients. All of that brings Phil to his role today as the DFIR strategist at Red Canary, where he supports the firm's managed threat detection service.
Phil is also a certified instructor for the SANS Institute, and is the course lead and author of FOR572: Advanced Network Forensics and Analysis. This six-day course provides a hands-on curriculum to learn the skills necessary to perform investigations of network-based incidents, where the hard drives or memory of compromised systems are often missing.


Rob Lee (@robtlee), DFIR Lead & Summit Co-Chair, SANS Institute

Rob Lee is an entrepreneur and consultant in the Boston area, specializing in information security, incident response, threat hunting, and digital forensics. Rob is currently the curriculum lead and author for digital forensic and incident response training at the SANS Institute in addition to owning his own firm. Rob has more than 18 years of experience in digital forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response.
Rob graduated from the U.S. Air Force Academy and served in the U.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on information operations. Later, he was a member of the Air Force Office of Special Investigations (AFOSI) where he led a team conducting computer crime investigations, incident response, and computer forensics. Prior to starting his own firm, he directly worked with a variety of government agencies, U.S. Department of Defense, and intelligence communities as the technical lead for a vulnerability discovery and an exploit development team, lead for a cyber forensics branch, and lead for a digital forensic and security software development team. Rob was also a director for MANDIANT, a company focused on investigating advanced adversaries, such as the APT, for five years prior to starting his own business.
Rob co-authored the book Know Your Enemy, 2nd Edition. Rob earned his MBA from Georgetown University in Washington DC. Rob is also a co-author of the MANDIANT threat intelligence report M-Trends: The Advanced Persistent Threat.


Robert M. Lee (@RobertMLee), CEO, Dragos; Instructor, SANS Institute

A National Cybersecurity Fellow at DC-based think tank New America, Rob was named one of Passcode’s Influencers, awarded EnergySec’s Cyber Security Professional of the Year 2015, and was inducted into Forbes’ 30 under 30 for Enterprise Technology 2016 as one of “the brightest entrepreneurs, breakout talents, and change agents" in the sector. A passionate educator, Rob is the course author of SANS ICS515 “ICS/SCADA Active Defense and Incident Response,” the only ICS-specific incident response course in the world, and the lead author of SANS FOR578 “Cyber Threat Intelligence.”
Rob pursued cybersecurity in the U.S. Air Force, where he served as a Cyber Warfare Operations Officer in the U.S. Intelligence Community. He has performed defense, intelligence, and attack missions focused on identifying and remediating hostile nation-state adversary operations.


Heather Mahalik (@heatherMahalik), Principal Forensic Scientist, ManTech & Senior Instructor, SANS Institute

To say that digital forensics is central to Heather Mahalik's life is quite the understatement. Heather has worked on high-stress and high-profile cases, investigating everything from child exploitation to Osama Bin Laden's media. She has helped law enforcement, eDiscovery firms, and the federal government extract and manually decode artifacts used in solving investigations around the world. All told she has more than 14 years of experience in digital forensics, including eight years focused on mobile forensics - there's hardly a device or platform she hasn't researched or examined or a commercial tool she hasn't used.
These days Heather is the Director of Forensic Engineering at ManTech CARD. At the SANS Institute she is a senior instructor and the course lead for FOR585: Advanced Smartphone Forensics. As if that isn't a full enough schedule, Heather also maintains www.smarterforensics.com, where she blogs and hosts work from the digital forensics community. She is the co-author of Practical Mobile Forensics (1st and 2nd editions), currently a best seller from Pack't Publishing, and the technical editor for Learning Android Forensics from Pack't Publishing.
Heather is passionate about digital forensics because she loves always having to learn something new. "This field moves so quickly. It is literally impossible to get bored," she says. "If you find yourself bored, branch into another realm of digital forensics. The possibilities are endless and so is the fun! I love digging for artifacts and solving the puzzle."
Heather particularly likes working on mobile and third-party applications, a focus of her work. "I love cracking and hacking into apps that are supposed to be secure," she explains.
She cites her role as a SANS instructor as one of the most fulfilling achievements of her career. Heather loves it when students reach out to tell her that, thanks to her course, they put a criminal away for many years. As she says: "Nothing compares to knowing that the effort you put into writing and maintaining a course makes the world a better and safer place. SANS gives me the opportunity to share that with others."
Heather's background in digital forensics and e-discovery covers smartphone, mobile device, and Windows forensics, including acquisition, analysis, advanced exploitation, vulnerability discovery, malware analysis, application reverse-engineering, and manual decoding, as well as instruction on mobile devices, smartphones, and computers covering Windows, Linux and Macintosh operating systems.


Mike Pilkington ( @mikepilkington), Senior Engineer, SANS Research Operations Center


Mike has been an instructor for the SANS Institute since 2008. He currently teaches Windows Forensics In-Depth(FOR500) and Advanced Digital Forensics and Incident Response (FOR508). In addition to teaching, Mike is a dedicated researcher and has published numerous articles for the SANS Forensics Blog.
After spending much of his career as an analyst and incident responder for Halliburton, Mike joined the team at Shell. His background working in a large corporate environment gives him a unique perspective among SANS instructors. Mike is also a researcher at heart and will spend hours unraveling the answer to a complicated case or a question from a student. He'll delve deeply into forensic conundrums to identify the best solutions, and then document that knowledge to share with the digital forensics community.
In hisprevious role as a senior incident analyst at Shell, Mike regularly dealt with malware and intrusion cases. His work ranged from evaluating and implementing both commercial and open-source forensic tools to consulting with internal groups to resolve intrusions. He has accumulated a broad range of technical expertise, having spent significant time performing software quality assurance, Windows systems administration, LAN and WAN network administration, firewall and IDS/IPS security administration, computer forensic analysis, and incident response. As a forensic analyst, he worked numerous human resource investigations, including cases involving intellectual property theft, inappropriate use of the Internet, employee hacking, IT administrator privilege abuse, and illegal downloading of copyrighted materials.
Mike holds a bachelor's degree in mechanical engineering from the University of Texas, as well as numerous IT security certifications, including the CISSP, EnCE, GCFE, GCFA, and GREM.


Chad Tilbury (@chadtilbury), Technical Director, CrowdStrike; Co-Author & Senior Instructor, SANS Institute

Chad has nearly 20 years of experience working with government agencies, defense contractors, and Fortune 500 companies. And his case list looks like it's been pulled straight from those spy novels he grew up reading: murder, abduction, espionage, fraud, hacking, intellectual property theft, child exploitation, terrorism, and computer intrusions.
He has served as a Special Agent with the Air Force Office of Special Investigations, where he investigated and conducted computer forensics for a variety of crimes and ushered counter-espionage techniques into the digital age. Chad has also led international forensic teams and was selected to provide computer forensic support to the United Nations Weapons Inspection Team.
In addition, Chad has worked as a computer security engineer and forensic lead for a major defense contractor and served as the vice president of worldwide Internet enforcement for the Motion Picture Association of America. In that role, he managed Internet anti-piracy operations for the seven major Hollywood studios in over 60 countries.


Ismael Valenzuela (@aboutsecurity), SANS Certified Instructor, GSE #132; Global Director of Foundstone Consulting Services

Since he founded one of the first IT Security consultancies in Spain, Ismael Valenzuela has participated as a security professional in numerous projects across the globe over the past 15 years. He currently works as IR/Forensics Technical Practice Manager at Intel Security in North America. Prior to joining Intel, Ismael worked as Global IT Security Manager for iSOFT Group Ltd, one of the world's largest providers of healthcare IT solutions.
He holds a bachelor's degree in computer science from the University of Malaga (Spain), is certified in business administration, and holds many professional certifications. These include the highly regarded GIAC Security Expert (GSE #132) in addition to GREM, GCFA, GCIA, GCIH, GPEN, GCUX, GCWN, GWAPT, GSNA, CISSP, ITIL, CISM, and IRCA 27001 Lead Auditor from Bureau Veritas UK.
Some of his articles are freely available at http://blog.ismaelvalenzuela.com.


Eric Zimmerman (@EricRZimmerman), Senior Director, Kroll; Certified Instructor, SANS Institite

When Eric Zimmerman was a Special Agent with the FBI, one of his responsibilities was managing on-scene triage. He identified several gaps in an existing process and started creating solutions to address them. What began as building and expanding a few live response tools took Eric down a path that eventually led to him writing more than 50 programs that are now used by nearly 8,800 law enforcement officers in over 80 countries.
Much of Eric's work involved designing and building software related to investigations of sexual abuse of children. In a single year, Eric's programs led to the rescue of hundreds of these children. As a result, in May 2012, Eric was given a National Center for Missing and Exploited Children's Award, which honors outstanding law enforcement professionals who have performed above and beyond the call of duty. Eric was also presented with the U.S. Attorney's Award for Excellence in Law Enforcement in 2013.
Today, Eric serves as a Senior Director at Kroll in the company's cybersecurity and investigations practice. At SANS, he teaches the FOR508: Advanced Digital Forensics, Incident Response and Threat Hunting course, and is a two-time winner of the SANS DFIR NetWars Tournament (2014, 2015). Eric is also the award-winning author of X-Ways Forensics Practitioner's Guide, and has created many world-class, open-source forensic tools.
Eric is a sought-after instructor and speaker who brings expertise in the cyber realm, complex law enforcement investigations, computer forensics, expert witness testimony, computer systems design, and application architecture to his work and classroom.