DFIR Summit & Training 2019

Austin, TX | Thu, Jul 25, 2019 - Thu, Aug 1, 2019

Advisory Board

The advisory board members are professionals in the industry who volunteer their time to review Call for Presentation (CFP) submissions, select and recruit speakers, provide mentorship to speakers, and help create the best event for the community.

Lodrina Cherne

Lodrina works at Cybereason protecting systems from threats spanning ransomware to APT attacks. In her role she oversees 130,000 endpoints and performs malware research. Lodrina is also an instructor for SANS FOR500: Windows Forensic Analysis. As an instructor she helps instill solid foundational skills, practices, and techniques in students to advance their understanding of DFIR.

David Cowen

David Cowen is a Certified SANS Instructor and a Partner at G-C Partners, LLC, where his team of expert digital forensics investigators pushes the boundaries of what is possible on a daily basis. He has been working in digital forensics and incident response since 1999 and has performed investigations covering thousands of systems in the public and private sector. Those investigations have involved everything from revealing insider threats to serving as an expert witness in civil litigation and providing the evidence to put cyber criminals behind bars.

David has authored three series of books on digital forensics: Hacking Exposed Computer Forensics (1st-3rd editions), Infosec Pro Guide to Computer Forensics, and the Anti Hacker Toolkit (Third Edition). His research into file system journaling forensics has created a new area of analysis that is changing the industry. Combined with Triforce products, David's research enables examiners to go back in time to find previously unknown artifacts and system interactions.

David is a Certified Information Systems Security Professional (CISSP) and a GIAC Certified Forensic Examiner. He is the winner of the first SANS DFIR NetWars and a SANS Lethal Forensicator whose passion for digital forensics can be seen in everything he does. He started in 1996 as a penetration tester and has kept up his information security knowledge by acting as the Red Team captain for the National Collegiate Cyber Defense Competition for the last nine years.

David is the host of the Forensic Lunch, a popular DFIR podcast and live YouTube show, and the author of the award-winning Hacking Exposed Computer Forensics Blog. The blog (www.hecfblog.com) contains some 448 articles on digital forensics. David is a two-time Forensic 4cast award winner for both Digital Forensic Article of the Year and Digital Forensic Blog of the year. The Forensic 4cast award winners are nominated by their peers and voted on by the greater DFIR community.

Mari DeGrazia

As a Senior Director for Incident Response at Kroll, Mari leads high-profile incident response cases and assists clients with finding and remediating attackers in their environment. She has written and released numerous programs and scripts to the forensics community, is a published magazine author, and was technical editor for Windows Registry Forensics S.E.

Mattia Epifani

Mattia Epifani is CEO at Reality Net System Solutions, an Italian consulting company involved in InfoSec and Digital Forensics. He works as a digital forensics analyst for judges, prosecutors, lawyers and private companies, both as Court Witness Expert and Digital Forensics Expert. He obtained a University Degree in computer science in Genoa (Italy) and post-graduate training in Computer Forensics and Digital Investigations in Milan. In the last few years he has obtained several certifications in Digital Forensics and Ethical Hacking (GNFA, GSAF, GREM, GCFA, GMOB, GCWN, CIFI, CEH, CHFI, ACE, AME, ECCE, CCE, MPSC). He is a regular speaker on Digital Forensics matters in different Italian and European universities and events. He is author of Learning iOS Forensics and Learning iOS Forensics Second Edition edited by PacktPub. He is also a member of DFA, IISFA, ONIF and T&L Center.

Phil Hagen

Phil began his studies at the U.S. Air Force Academy's Computer Science Department, where he focused on network security and was an inaugural member of the computer security extracurricular group. He served in the Air Force as a communications officer at Beale AFB and the Pentagon. In 2003, Phil moved over to a position with a government contractor, providing technical services for various IT and information security projects.

Today, Phil's career has spanned the full attack life cycle - tool development, deployment, operations, and the investigative aftermath - giving him rare and deep insight into the artifacts left behind. Phil has covered deep technical tasks, managed an entire computer forensic services portfolio, and handled executive responsibilities. He's supported systems that demanded 24x7x365 functionality, managed a team of 85 computer forensic professionals in the national security sector, and provided forensic consulting services for law enforcement, government, and commercial clients. All of that brings Phil to his role today as the DFIR strategist at Red Canary, where he supports the firm's managed threat detection service.

Phil is also a senior instructor for the SANS Institute, and is the course lead and author of FOR572: Advanced Network Forensics and Analysis. This six-day course provides a hands-on curriculum to learn the skills necessary to perform investigations of network-based incidents, where the hard drives or memory of compromised systems are often missing.


Kathryn Hedley

Kathryn has been working in the field of Digital Forensics since 2008, on a variety of civil, criminal and internal investigations across both the private and public sectors. She has a Master of Science degree in Computer Forensics and a Bachelor of Science (Hon) degree in Information Systems, accompanied by the professional certifications: GCFE, GCFA, GNFA, GREM, GASF, GCIH, EnCE, CFSR and X-PERT.

Ryan Johnson

Ryan teaches the FOR572: Advanced Network Forensics and Analysis course for SANS. He also currently serves as the Global Head of Threat Management at PricewaterhouseCoopers, where he leads the response, readiness and investigations functions. In addition, based on his background, practical forensic experience, and government clearance, Ryan has been regularly called upon to train U.S.-based government departments, international governments, and corporations in the areas of network and digital forensics.

Ryan earned a Master's of Science degree from Dalhousie University and two Bachelor's degrees from Queen's University. He has taught college students, professionals, law enforcement, attorneys, and judges. Ryan knows that teaching the process, not the tool, is what gives students information they can put into practice outside of the classroom, and he works tirelessly to ensure every student understands the concepts he's teaching.

Jason Jordaan

Jason is a certified SANS instructor and member of the SANS DFIR Faculty. He has been practicing digital forensics since 1998 in both the law enforcement and private sectors. He has testified on several occasions in the South African High Court as an expert witness. He is the founder and managing director of DFIRLABS, an independent, private digital forensics and incident response laboratory. Jason has also been involved in training, lecturing, and mentoring in the field of digital forensics since 2010. Besides teaching for SANS, he currently teaches the digital forensics and incident response class at Rhodes University in South Africa for their Master’s Degree in Information Security. He is also an active researcher and writer and has been published in several textbooks and academic journals.

Prior to founding DFIRLABS, Jason was the national head of the Cyber Forensic Laboratory of the Special Investigating Unit in South Africa, which was an elite law enforcement agency with jurisdiction into white collar crimes involving government institutions, which included cyber-crime targeting them. He remains very active in the law enforcement community through the mentoring of law enforcement officials around the globe as part of IACIS.

Jason has a Master’s degree in Computer Science (Cum Laude), a Master’s degree in Forensic Investigation, an Honours degree in Information Systems, a Bachelor’s degree in Criminal Justice Computer Science, and a Bachelor’s degree in Policing. He holds the CFCE, GCFE, GCFA, GCIH, GCCC and CFE certifications.

Nick Klein

Nick is a Certified SANS Instructor and the Director of Klein & Co., a leading independent DFIR team from Sydney, Australia. He has over twenty years’ experience, specialising in digital forensic investigations and presenting expert evidence in legal and other proceedings. Nick and his team have been engaged as experts in over a thousand cases including network compromises and data breaches, commercial litigation and electronic discovery, criminal prosecution and defence, financial fraud, corruption, employee misconduct, theft of intellectual property and many more.

He was previously a senior director in Deloitte Forensic and a team leader in the High Tech Crime Team of the Australian Federal Police, where he worked on international police investigations and intelligence operations including counter terrorism, online child abuse, computer hacking, and traditional crimes facilitated by new technologies.

Nick has presented expert evidence in civil and criminal matters in Australia and overseas, including providing expert testimony in the Bali bombing trials in Indonesia in 2003. He has appeared before Australian State and Commonwealth Parliamentary Committees and participated in Government working groups on cybercrime issues. Nick is a regular international presenter and a guest lecturer at several institutions including the law faculties of the University of Wollongong and New South Wales.

Rob Lee

Rob Lee is an entrepreneur and consultant in the Boston area, specializing in information security, incident response, threat hunting, and digital forensics. Rob is currently the curriculum lead and author for digital forensic and incident response training at the SANS Institute in addition to owning his own firm. Rob has more than 18 years of experience in digital forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response.

Rob graduated from the U.S. Air Force Academy and served in the U.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on information operations. Later, he was a member of the Air Force Office of Special Investigations (AFOSI) where he led a team conducting computer crime investigations, incident response, and computer forensics. Prior to starting his own firm, he directly worked with a variety of government agencies, U.S. Department of Defense, and intelligence communities as the technical lead for a vulnerability discovery and an exploit development team, lead for a cyber forensics branch, and lead for a digital forensic and security software development team. Rob was also a director for MANDIANT, a company focused on investigating advanced adversaries, such as the APT, for five years prior to starting his own business.

Rob co-authored the book Know Your Enemy, 2nd Edition. Rob earned his MBA from Georgetown University in Washington DC. Rob is also a co-author of the MANDIANT threat intelligence report M-Trends: The Advanced Persistent Threat.

Heather Mahalik

Heather has worked on high-stress and high-profile cases, investigating everything from child exploitation to Osama Bin Laden's media. She has helped law enforcement, eDiscovery firms, and the federal government extract and manually decode artifacts used in solving investigations around the world. Heather began working in digital forensics in 2002, and has been focused on mobile forensics since 2010 - there's hardly a device or platform she hasn't researched or examined or a commercial tool she hasn't used.

Currently, Heather is the Director of Forensic Engineering at ManTech CARD. At the SANS Institute she is a senior instructor and the course lead for FOR585: Advanced Smartphone Forensics. As if that isn't a full enough schedule, Heather also maintains www.smarterforensics.com, where she blogs and hosts work from the digital forensics community. She is the co-author of Practical Mobile Forensics (1st and 2nd editions), currently a best seller from Packt Publishing, and the technical editor for Learning Android Forensics from Packt Publishing.

Francesco Picasso

Francesco Picasso is co-founder of Reality Net System Solutions, an Italian consulting company specialising in InfoSec and Digital Forensics. He performs digital investigations on a daily basis as a DFIR consultant for the public sector and for private companies, trying to implement processes, methodologies and tools to improve the efficiency and effectiveness of their required activities. Often called on as a Court Expert Witness, he is also an external member of private companies' C-SOC and C-CERT teams. Francesco started out as a professional developer during the day, but his nightly passion for information security quickly switched to a full time InfoSec and DFIR consultant role. He obtained a Computer Science degree and a Ph.D. in "Intelligent Electronics for Security" and achieved a real-time log correlation patent. Also passionate about reverse engineering, he still practices it during his spare time to implement a so-called offensive digital investigation, which aims at gaining access to protected data. Aware that the sharing of knowledge and experiences is essential in the information technology field, he shares observations from his daily job on the Zena Forensics blog, on GitHub repositories and on Twitter as @dfirfpi.

David Szili

David is managing partner and CTO at Alzette Information Security, a consulting company based in Luxembourg. He has more than eight years of professional experience in penetration testing, red teaming, vulnerability assessment, vulnerability management, security monitoring, security architecture design, incident response, digital forensics and software development.

In his instructor role at SANS, David loves to teach concepts of analysis, detection, and response as these are the skills needed by modern-day defenders who face determined attackers. David also focuses on practical application: even when teaching the theoretical background of a material, he makes sure to bring in real-life examples and case studies. He also puts extra emphasis on hands-on skills development and demos during class.

Lee Whitfield

Now as an instructor for FOR500: Windows Forensic Analysis, Lee pushes his students to understand how important it is to "get things right," given the power of digital forensics and the impact it has on people's lives. Lee shares his own stories and experiences with his students and strives to create open discussion and the opportunity for students to find the answers for themselves. He wants every student to share his passion for finding the truth, and the drive to continue to build their skills and knowledge moving forward.

Lee also serves as the Lead for the SANS OnDemand Subject Matter Expert team and hosts the Forensic 4:cast Awards event at the SANS DFIR Summit each year. In his sparse free time, Lee also produces his own popular digital forensics podcast, Forensic 4:cast. The podcast has afforded him the opportunity to discuss and investigate important issues relating to the field of digital forensics, and in each episode, he interviews a panel of guests on the latest news and issues in the field.

Eric Zimmerman

When Eric Zimmerman was a Special Agent with the FBI, one of his responsibilities was managing on-scene triage. He identified several gaps in an existing process and started creating solutions to address them. What began as building and expanding a few live response tools took Eric down a path that eventually led to him writing more than 50 programs that are now used by nearly 8,800 law enforcement officers in over 80 countries.

Much of Eric's work involved designing and building software related to investigations of sexual abuse of children. In a single year, Eric's programs led to the rescue of hundreds of these children. As a result, in May 2012, Eric was given a National Center for Missing and Exploited Children's Award, which honors outstanding law enforcement professionals who have performed above and beyond the call of duty. Eric was also presented with the U.S. Attorney's Award for Excellence in Law Enforcement in 2013.

Today, Eric serves as a Senior Director at Kroll in the company's cybersecurity and investigations practice. At SANS, he teaches the FOR508: Advanced Digital Forensics, Incident Response and Threat Hunting course, and is a two-time winner of the SANS DFIR NetWars Tournament (2014, 2015). Eric is also the award-winning author of X-Ways Forensics Practitioner's Guide, and has created many world-class, open-source forensic tools.