
DFIR Summit & Training 2018

Austin, TX | Thu, Jun 7 - Thu, Jun 14, 2018

DFIR Summit Speakers

"With just two days away from my day job, the DFIR Summit was of greater value than anything I've done this year." - Todd Mesick, Precision Castparts

"Presentations were very informative and some were mind-blowing." - Gerald Davis, Parsons

We strive to present the most relevant, timely and valuable content. As a result, this agenda is subject to change. Please check back frequently for changes and updates.


Thursday, June 7, 2018
Time Presentation Speaker
9:00-9:15 am Welcome & Introductions

Rob Lee (@robtlee), DFIR Lead & Summit Co-Chair, SANS Institute
Phil Hagen (@PhilHagen), Certified Instructor & Summit Co-Chair, SANS Institute, and DFIR Strategist, Red Canary

9:15-10:00 am

Opening Keynote

Kim Zetter (@kimzetter), Journalist, Author of Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
10:05-10:40 am

#DFIRFIT or Bust! - A Forensic Exploration of iOS Health Data

Sarah Edwards (@iamevltwin), Mac Nerd, SANS Institute, and Parsons Corporation
Heather Mahalik (@heatherMahalik), Principal Forensic Scientist, ManTech, and Senior Instructor, SANS Institute

10:40-11:00 am Networking Break
11:00-11:35 am

Windows Forensics: Event Trace Logs

Nicole Ibrahim (@nicoleibrahim), Digital Forensics Expert, G-C Partners, LLC
11:35 am - 12:10 pm

A Planned Methodology for Forensically Sound Incident Response in Microsoft’s Office 365 Cloud Environment

Devon Ackerman, Associate Managing Director, Kroll Cyber Security
12:10-1:30 pm Networking Luncheon
1:30-2:05 pm

Evidence Generation X

Lee Whitfield, Subject-Matter Expert, SANS Institute
2:05-2:40 pm

Efficiently Summarizing Web Browsing Activity

Ryan Benson (@_RyanBenson), Senior Threat Researcher, Exabeam
2:40-3:00 pm Networking Break
3:00-3:35 pm

Mac_apt – The Smarter and Faster Approach to macOS Processing

Yogesh Khatri (@swiftforensics), Assistant Professor, Champlain College
3:35-4:10 pm

Case Study: ModPOS vs. RawPOS – A Nerd's-Eye View of Two Malware Frameworks

Brandon Nesbit, Senior Managing Consultant, Kroll
Ron Dormido, Director, Cyber Security and Investigations, Kroll

4:10-6:15 pm

Workshop: Practice How You Play: Incident Response War Game

Matt Linton (@0xMatt), Chaos Specialist, Google
Francis Perron (@u269C), Program Manager - Incident Response, Google

7:00 pm - ??? DFIR Night Out in ATX!
Friday, June 8, 2018
Time Presentation Speaker
9:00-9:15 am Day 2 Overview and Opening Remarks

Rob Lee (@robtlee), DFIR Lead & Summit Co-Chair, SANS Institute
Phil Hagen (@PhilHagen), Certified Instructor & Summit Co-Chair, SANS Institute, and DFIR Strategist, Red Canary

9:15-10:00 am

Keynote: Living in the Shadow of the Shadow Brokers

Jake Williams (@MalwareJake), Senior Instructor, SANS Institute

10:05-10:40 am

A Process Is No One: Hunting for Token Manipulation

Jared Atkinson (@jaredcatkinson), Adversary Detection Technical Lead, SpecterOps
Robert Winchester, Adversary Detection Lead, SpecterOps

10:40-11:10 am Networking Break & Vendor Expo
11:10-11:45 am

$SignaturesAreDead = "Long Live RESILIENT Signatures"

Matthew Dunwoody (@matthewdunwoody), Principal Applied Security Researcher, FireEye/Mandiant
Daniel Bohannon (@danielhbohannon), Senior Applied Security Researcher, FireEye/Mandiant

11:45 am - 12:20 pm

Finding and Decoding Malicious Powershell Scripts

Mari DeGrazia (@maridegrazia), Director of Incident Response, Kroll
12:20-1:30 pm Networking Lunch & Vendor Expo
1:30-2:05 pm

Logging, Monitoring, and Alerting in AWS (The TL;DR)

Jonathon Poling (@JPoForenso), Managing Principal Consultant, SecureWorks
2:05-2:40 pm

Things I Thought Were Ground Truth in Digital Forensics Until I Found Out I Was Totally Wrong – And What to Do About it Now

Cynthia Murphy (@cindymurph), President, Gillware Digital Forensics
2:40-3:15 pm

Investigating Rebel Scum’s Google Home Data

Phill Moore (@phillmoore), Blogger, This Week in 4n6

3:15-3:35 pm Networking Break & Vendor Expo
3:35-4:10 pm

Every Step You Take: Application and Network Usage in Android

Jessica Hyde (@B1N2H3X), Director, Digital Forensics/Adjunct Professor, Magnet Forensics, George Mason University
Kim Thomson (@ArdJect), Digital Forensic Examiner, H11 Digital Forensics

4:10-4:45 pm

Automating Analysis with Multi-Model Avocados

Matthew Seyer (@forensic_matt), Consultant, G-C Partners, LLC
4:45-5:20 pm

DNSplice: A New Tool to Deal with Those Super Ugly Microsoft DNS Logs

Shelly Giesbrecht (@nerdiosity), Team Lead, Incident Responder, Cisco
5:20-5:45 pm Forensics 4cast Awards
5:45 pm

Closing Remarks

Rob Lee (@robtlee), DFIR Lead & Summit Co-Chair, SANS Institute
Phil Hagen (@PhilHagen), Certified Instructor & Summit Co-Chair, SANS Institute, and DFIR Strategist, Red Canary