
DFIR Summit & Training 2020 - Live Online

Virtual, US Eastern | Thu, Jul 16 - Sat, Jul 25, 2020

In response to the escalation of the COVID-19 pandemic, we've made the decision to convert this training event into a Live Online event.

The courses below will take place online, using virtual software to stream live instructors to all registered students during the scheduled classroom hours (Eastern Time). This alternate training format will allow us to deliver the cybersecurity training you expect while keeping you, our staff, and our instructors as safe as possible.

Your registration for a Live Online course includes electronically delivered courseware, live streaming instruction by a SANS instructor, course labs, and four months of online access to course recordings.

DFIR Summit Agenda

Live Online | July 16-17

Two Summit Tracks

DFIR Track | Solutions Track

Add all of the DFIR presentations to your schedule by subscribing to the DFIR Summit Calendar
*You must be registered for the Free Summit to gain access to these presentations. Register now!

Thursday, July 16 - all times are in Eastern Daylight Time (UTC-4)
9:00-9:15 am EDT
Opening Remarks

Rob Lee @robtlee, Fellow, SANS Institute
Heather Mahalik @HeatherMahalik, Senior Instructor, SANS Institute
Phil Hagen @PhilHagen, Senior Instructor, SANS Institute


9:15-10:00 am EDT
Keynote

A DFIRent side of DFIR: Forensicating for Black Lives and Other Social Justice Issues

Matt Mitchell, @geminiimatt, Hacker; Security Researcher; Tech Fellow to the BUILD Program at the Ford Foundation

10:05-10:40 am EDT
Track 1

You need a PROcess to check your running processes and modules. The bad guys and red teams are coming after them!

Michael Gough, @MichaelGoughTX, Principal Incident Response, NCC Group


If there is a file on disk, you can easily SEE the bad fu, but what if the malware is nowhere to be found on the disk? Malware can be broken up into several types; some call it "fileless malware" (a poor, non-descript term). The malware really isn’t fileless: the file, or code, lives somewhere, in the registry, the WMI database, or, the focus of this talk, in memory. This talk will focus on Memware that has been injected into memory, most likely injected into a process or added as a DLL, and may not reside on disk while the system is running.

Do you have a PROcess to detect, investigate, respond, and/or hunt for Memware?

This talk will walk through some commodity and Red Team examples of how this works and what you can do to address this newly expanding threat that is becoming more and more common in commodity malware, Red Team engagements, and of course APT attackers, because it can avoid so many security tools. Attendees will leave with some ideas and tools that can help you detect, investigate and hunt for Memware.


Track 2

Kansa for Enterprise scale Threat Hunting

Jonathan Ketchum, @Un1d1g1t, Threat Hunter/InfoSec Analyst, USAA


Over the past 2 years our threat hunting team has made significant improvements to the open-source Kansa project. As an IR/Hunt PowerShell framework it is a great tool, but it didn't scale beyond a few dozen endpoints. Our code revisions, approved for release this summer, scale to 150K+ endpoints and decrease execution time to just a few minutes, leveraging distributed servers for asynchronous deployment and ELK for collection, aggregation, and analysis at scale. We also built in metrics, safety measures, and controls to prevent this powerful capability from completely overwhelming all the resources of a business enterprise network. Leveraging the improved scalable framework, we developed more than 2 dozen new modules that enable hunt analytics at massive scale, and the whole project is still backward compatible with the current framework. We will cover our changes as well as several case studies to show how we use it for hunting in our environment.

10:40-10:55 am EDT Break
10:55-11:30 am EDT
Track 1

Data Science for DFIR - The Force Awakens

Jess Garcia, @j3ssgarcia, Lead DFIR Analyst/CEO, One eSecurity


Data Science (DS) and AI (Machine/Deep Learning) have effectively erupted in our world during the last few years, improving the efficiency of a vast number of areas and opening doors to new possibilities, both on the business front and in our personal lives. The adoption of DS/AI in the DFIR field has been, however, modest so far.

During this presentation, Jess Garcia will introduce the different resources available in the DS/AI field, with a focus on the pythonic world (NumPy, Pandas, SciPy, scikit-learn, TensorFlow/Keras, Matplotlib, ...), and will show how to use these technologies to help in the parsing of DFIR data (timelines, event logs, forensic artifacts, memory objects, ...) obtained with different triage or analysis tools (such as KAPE or Volatility). Jess will also present how these techniques help other DFIR processes in the real world, such as Threat Hunting, by making it possible to effectively process and analyze thousands of systems and large quantities of DFIR data.

Jess will also release some tools that will help to make use and get value from these technologies in a straightforward way.

To make the most of this presentation, learn the most important DS/AI concepts at ds4n6.io before the Summit.


Track 2

Making Memories: Using Memory Analysis for Faster Response to User Investigations

Aaron Sparling, @osintlabworks, Digital Forensics Examiner, Portland Police Bureau
Jessica Hyde, Director of Forensics, Magnet Forensics; Adjunct Professor, George Mason University


What if there was a better way? What if examiners could get to critical data quicker? What if the digital data could inform the interview questions? Typically, investigators do not collect or analyze memory in criminal/end-user investigations. Acquiring and analyzing memory is rapid. This means results from the acquisition and analysis of your memory collection can be completed long before the drive finishes imaging.

11:30-11:40 am EDT Break

11:40 am - 12:15 pm EDT
Track 1

Using Big DFIR Data in Autopsy and Other Tools

Brian Carrier, CTO, Basis Technology


All industries are learning how to leverage "big data" to make their operations more efficient. DFIR investigations benefit in terms of speed and thoroughness when you leverage data from your own and others' past cases.

This talk will cover how to use data from past cases to ensure you focus on the most relevant data first. The talk will cover basic concepts so that you can build your own data repository and how to use existing capabilities. For example, Autopsy (free and open source) can store all past file hashes, email addresses, phone numbers, etc. in its Central Repository and its new File Discovery UI can use that data to allow you to prioritize files. If you've seen a file 10 times before and didn't tag it, then it will be scored less than a file never seen before. We'll also cover our experiences with storing and analyzing occurrence data with intrusion-related data in Cyber Triage.

Attend this talk to learn about features in Autopsy that will help you sort through large data sets and to learn about ways you can leverage your past cases.


Track 2

Healthy Android exams: Timelining digital Wellbeing data

Alexis Brignoni, @AlexisBrignoni, Special Agent, Federal Law Enforcement
Joshua Hickman, @josh_hickman1, Senior Associate, Kroll


The Digital Wellbeing database on Android devices helps users keep track of application usage, device unlocks, notifications received, and many more pattern-of-life data points by month, day, and even down to the hour.

In this presentation attendees will learn how to locate the Wellbeing database, understand the different event types it contains, correlate it with other data sources on the device, and leverage Python scripts designed to put it all together.

12:15-1:30 pm EDT Lunch
1:30-2:05 pm EDT
Track 1

If at first you don't succeed, try something else

Jim Clausing, @jclausing, Principal Member - Technical Staff, AT&T


Using a packer that I found being used in several campaigns several months back, I'll demonstrate some of the defenses the malware used, and the steps taken to try to (ultimately unsuccessfully) extract the unpacked malware using my usual techniques. When that didn't work out, I took a step back and looked at what I believed was the packed executable. I'll show how, going "old school" with the help of tools like CyberChef, I found what turned out to be an XOR key, which ultimately led to the creation of a Python script that was able to extract and unpack the hidden executables without actually reversing the unpacking routine. When your standard techniques don't work, sometimes a little common sense and using your eyes can do the job.


Track 2

Captain's Log: Take your application log analysis from Starfleet to Star Fleek

David Pany, Manager, Mandiant
Ryan Tomcik, Senior Consultant, Mandiant


Incident response findings and conclusions are only as strong as the logs and evidence upon which they are based. Mandiant investigations into application-level compromises have revealed that many organizations either do not centralize application logs into a SIEM or, if they do, there is no formalized process for validation, monitoring, or investigation. Many incident handling teams only realize the significant logging deficiencies and security monitoring gaps for their critical applications after an incident has already occurred. Considering your application logging capability from the perspective of an incident response will ensure the logs you need will be available and actionable when the time comes to respond to an incident.

This talk will challenge information security professionals to proactively evaluate their current application logging capabilities and determine how effectively they can detect and respond to application abuse. Threat modeling and attack simulations from an investigator's perspective will help you develop hunting and detection capabilities. Once you have a possible threat to investigate, you can then craft automated investigation workflows that combine multiple data sets, enrich useful indicators, and provide pivot points to identify related threats.

To elevate your threat hunting, detections, and investigations, we will walk through examples of how you can optimize your log data and significantly cut the amount of time and effort required to detect and investigate abuse of your application platform. This talk will use a hypothetical application with activity types and analysis requirements common to applications across many industries. We will walk through a comprehensive but straightforward hunting, detection, and investigation workflow that you can replicate with your team.

2:10-2:45 pm EDT
Track 1

Extract and Visualize Data from URLs using Unfurl

Ryan Benson, @_RyanBenson, Security Engineer, Google


Unfurl takes a URL and expands ("unfurls") it into a directed graph, extracting every bit of information from the URL and exposing the obscured. It does this by breaking up a URL into components, extracting as much information as it can from each piece, and presenting it all visually. This "show your work" approach (along with embedded references and documentation) makes the analysis transparent to the user and helps them learn about (and discover) semantic and syntactical URL structures.

Unfurl has parsers for URLs from popular search engines, social media sites, mail services, and chat applications. It also has more generic parsers (timestamps, UUIDs, base64, and more) helpful for exploring new URLs or reverse engineering. It's also easy to build new parsers, since Unfurl is open source (Python 3) and has an extensible plugin system.

No matter if you extracted a URL from a memory image, carved it from slack space, or pulled it from a browser's history file, Unfurl can help you get the most out of it.


Track 2

Just Forensics, Mercifully

Lee Whitfield, @lee_whitfield, Senior Technical Adviser, SANS


Most seasoned forensicators have done some significant things over the span of their career. Maybe you've joined the company of your dreams or started your own consultancy. Maybe you work on the best cases with the best people. Either way, life is good as a forensic practitioner. Now that you're an established authority in the field, what's next? Where do you go once you've achieved everything you originally set out to do? You could develop tools like Eric Zimmerman or start mentoring others, both of which are very noble ways of helping the community. But what about philanthropic endeavors? So many people are denied access to forensic experts because they lack the funding to do so. Why should you care and what can you do to help?

2:45-3:00 pm EDT Break

3:00-3:35 pm EDT

Track 1

What the DLL is happening? A practical approach to identifying SOH.

Frank McClain, Senior Detection Engineer, Red Canary


There are many ways adversaries can maliciously leverage Dynamic Link Libraries (DLLs). One of the most common is Search Order Hijacking (SOH), a simple technique which provides the means to evade detection, establish persistence, and expand infection. As a DFIR analyst, knowing how to identify SOH during an incident is important, as this can trigger other workflows for memory forensics or reverse engineering.

Most of the available information about DLL hijacking focuses on these late stage workflows yet overlooks the earlier stages of investigation. This talk will share a profile for SOH and present real-world examples to aid in identifying its setup and usage.


Track 2

Lucky (iOS) #13: Time to Press Your Bets

Jared Barnhart, Mobile Forensic Engineer, Principal, Parsons Corporation


The discovery of checkm8 made forensically sound, full file system iOS extractions possible for the masses. Now that everyone has "jailbreak" access, let's play the odds and go ALL IN for native artifacts. This talk will focus on a few newly discovered forensic gems in iOS 13 to add to an already robust list of crucial files available on every iPhone. The convenience sought by the majority of iOS users is populating priceless data on disk, and Apple hasn't protected it. Whether you are an experienced iOS examiner or brand new to the game, this talk will highlight the best of iOS and point you towards success!

3:40-4:15 pm EDT
Track 1

Did I do that? - Understanding action and artifacts in real-time

Matthew Seyer, @forensic_matt, Manager, KPMG
David Cowen, @HECFBlog, Managing Director, KPMG #instructor


By default, when we look at forensic artifacts, the action has already occurred. Have you ever been curious what an action or application would leave behind and how it would appear in your forensics tools? Or, maybe you have seen something in a forensic artifact and wondered what caused it. So many artifacts and so many questions!

Tools like Process Monitor have always assisted in exploring how applications and actions impact the file system. The forensic challenge arises though when you want to see changes to binary structures or internals that are contained within files or registry values to better associate an action to an artifact. For example, answering questions like, “How can an executable have been run by a user without updating the run count?”

What if there was a way to see artifact data change, to connect the dots between what we see left behind in artifacts and the actions that caused it? In this talk you will learn how to utilize the Windows API to view changes in forensic artifacts in real-time and better understand how actions generate forensic data. We will also demonstrate NEW (and FREE) tools and techniques to enable this type of analysis.


Track 2

capa: Automatically Identify Malware Capabilities

Willi Ballenthin, Senior Staff Reverse Engineer, FLARE/FireEye
Moritz Raabe, Staff Reverse Engineer, FLARE/FireEye


Effective analysts are those that understand and prioritize files of interest during an incident response. However, understanding if a program is malicious, the role it plays during an attack, and its potential capabilities requires at least basic malware analysis skills. And often, it takes an experienced reverse engineer to recover a file's complete functionality and guess at the author's intent. We are here to clear that roadblock and demonstrate how to algorithmically triage an unknown program.

Our newest tool, called capa, takes automated malware triage to the next level going from simply saying "this is probably bad" to providing a concise description of what a program actually does. capa detects capabilities in programs to reduce the time-to-triage and make malware analysis more accessible. The tool reports a sample's capabilities, role (downloader, backdoor, etc.), and any suspicious or unique functionality. This report provides critical, decision-making information to anyone dealing with potentially malicious programs and especially forensic, intelligence, and malware analysts. Furthermore, with capa, you can make more confident decisions, because the tool explains how it came to a conclusion, letting you verify each step, if necessary.

capa uses a new algorithm that reasons over the features found in a file to identify its capabilities. The lowest level features range from disassembly tricks to coding constructs, while intermediate features include references to recognized strings or API calls. Users compose rules that train capa how to reason about features, and even the significance of other rules. This makes it easy for the community to extend the tool's ability to match capabilities in malware. Incidentally, the growing rule set is a practical taxonomy of the behaviors actually seen in malware and begins to codify the collective knowledge of reverse engineers.

At the SANS DFIR Summit we will open-source capa and share it with the DFIR industry. Attendees will learn how capa works and how to use it to enhance their analysis workflow. Moreover, we will teach attendees how to develop capability detections that extend capa. This way, everyone can leave the conference with both a new tool and the skills needed to customize it for their environment.

4:20-4:55 pm EDT
Track 1

Long Live Linux Forensics

Ali Hadi, @binaryz0ne, Assistant Professor and Cybersecurity Researcher, Champlain College
Brendan Brown, @br_endian, and Victor Griswold, @vicgriswold, Senior Digital Forensics Students, Champlain College


90% of the modern Internet is running on Linux. Hundreds of millions of servers and personal computers are collectively utilizing some form of Linux operating system. Despite this, we as forensic investigators are taught almost exclusively how to investigate Windows systems.

Ask yourself this question: if you were asked to investigate a system running Linux, how confident would you feel in your abilities? Do you have the skills required to collect data from this system? Some investigators may feel very confident, but many of us will feel lost when put in this sort of position.

The goal of this talk is to build and grow a DFIR analyst's skills in Linux Forensics by going over a variety of different case studies and scenarios. An attendee should walk away having learned the most important aspects of investigating Linux.


Track 2

Forensic Marriage: The love/hate relationship between eDiscovery and DFIR

Sarah Konunchuk, @SarahKonun13, IR Forensic Investigator, CFC Response
Andrew Konunchuk, @AndrewKonu, Data Operations Analyst, DISCO


In this talk you will hear from the two people that make up the Forensic Marriage: Sarah and Andrew Konunchuk. Attendees can expect to learn about the similarities and differences between eDiscovery and DFIR, along with why we both love to hate the other one. In addition, we will also give a brief example of how these two fields marry together to solve a case. This talk is aimed at individuals new in their careers or looking to make a switch from one to the other, as well as giving a technical big picture of why both need to coexist.

4:55-5:00 pm EDT
Day 1 wrap-up


Friday, July 17 - all times are in Eastern Daylight Time (UTC-4)
8:45-8:50 am EDT
Day 2 Welcome & Overview


8:50-9:25 am EDT
Keynote

Strengthening Trust in DFIR

Eoghan Casey, Author of Digital Evidence and Computer Crime

Daryl Pfeif, Founder & CEO, Digital Forensics Solutions


The cost of security breaches is on the rise. Intrusions into critical infrastructure are increasing. Victim organizations are paying criminals in crypto ransomware incidents. Improper handling of digital evidence during security breaches is making it more difficult for victim organizations to take legal action. Cases involving missed and misinterpreted digital evidence are gaining international attention. Confusion caused by deep fakes is widespread. Growing concerns over surveillance technology are fueling distrust in the already contentious context of criminal justice. Women and minorities are underrepresented in DFIR. Overall, DFIR is not keeping pace with the rapidly evolving challenges of modern society. A sea change in DFIR is needed to protect victims, address ethical concerns, serve justice, and build trust. Pivotal to this transformation is a more diverse and dynamic workforce in DFIR with stronger scientific foundations. To this end, projects such as the Cyber Sleuth Science Lab and Girls Go CyberStart are providing young women and men from traditionally underserved populations with digital forensic knowledge, skills and career pathways. Such initiatives strengthen DFIR through inclusivity and learning, empowering underserved individuals to balance existing inequities and to promote ethical, responsible, and safe behavior in a digital society.

9:25-10:00 am EDT
Keynote

Learning at Scale

Lodrina Cherne, @hexplates, Certified Instructor, SANS Institute


Examiners are aware that no one tool can fulfill all of their digital forensic and incident response collection, analysis, and reporting needs. The need to understand the best solutions for day to day work and when to employ specialist tools is vital for protecting organizations from the latest threats.

10:05-10:40 am EDT

Help! We need an adult! Engaging an external IR team

Liz Waddell, @vlsin, Incident Commander, Talos Incident Response


Too often, the decision to bring in a third-party forensic team occurs when an incident has reached crisis level. As an Incident Commander for such a team, Liz has seen many people handle this crisis engagement well, and others – not so much. This presentation will prepare you for what happens when you need additional surge support. We will talk about the considerations to make - when you should engage, how to choose a firm, one-time engagements vs retainers, invoking cyber insurance, and which members of your team should be involved in these discussions (hint: it's not just your CISO). We will discuss what to expect during the engagement - how to properly scope and set objectives with your firm, how to prep for both remote and onsite forensics, tool deployment, what data/logs may be asked for, and establishing command centers.

10:40-10:50 am EDT Break
10:50-11:25 am EDT

Forensic analysis of the Apple HomePod and the Apple HomeKit environment

Mattia Epifani, Digital Forensics Analyst, REALITY NET - System Solutions


Apple HomeKit is an Apple protocol that allows users to communicate with and control connected accessories in their home using the Home app installed on an iPhone or an iPad. A HomeKit environment is based on a Home Hub, which can be used to control and automate HomeKit accessories remotely. The Home Hub can be a HomePod, an Apple TV, or an iPad. The HomePod is a voice assistant and smart speaker device manufactured by Apple and based on Siri. According to the latest market trends, it is the third most sold device of its kind worldwide, after Amazon Echo/Alexa and Google Home. The aim of this presentation is to explore which techniques can be used by a forensic examiner to extract and analyze data from an Apple HomePod and from a synced device using the Home app. In particular, extraction of data from the device and from a paired iPhone or iPad will be covered during the presentation. Moreover, an overview of the Apple HomeKit system will be provided, with examples of analysis of some compatible devices.

11:25-11:35 am EDT Break
11:35-12:10 pm EDT

Hunting bad guys that use TOR in real-time.

Milind Bhargava, Founder, Mjolnir Security


As cybercrime has become commonplace, Tor has been the tool of choice for attackers due to the inherent anonymity it provides. But what if you, an Incident Responder, could acquire additional pieces of the puzzle relating to the activities performed by the attacker in order to paint a clear picture of what occurred during the incident?

The outcome of our research demonstrates how viewing the communications leaving and entering the Tor network gives an unprecedented understanding of the thought process and, most importantly, the techniques and malware used by the malicious actors. It also allows a live sneak peek into their different activities, allowing an Incident Responder to provide a more conclusive answer to “how” the organization was attacked.

But even more importantly, we have developed a capability for Incident Response teams to not just stop their investigation at the Tor node, but to follow the breadcrumbs of an attack even further and finally provide a conclusive answer to the most asked question – was anything taken?

12:15-12:25 pm EDT

Using Storytelling to Be Heard and Remembered

Frank McClain, @littlemac042, Senior Detection Engineer, Red Canary


Technical people are typically somewhat lacking in soft skills. We can identify bad things at a glance, but communicating those to others in a way they can understand and relate to is a different story altogether.

This talk will shed light on the importance of storytelling in the DFIR space: not only as a means to share information, but also as a method for those who struggle with the confidence to speak in a group or public setting. Everyone has a story to tell, and this talk provides real-world examples of how that can be done by anyone.

12:25-1:30 pm EDT Lunch
1:30-2:05 pm EDT

From Threat Research to Organizational Threat Detection

O'Shea Bowens @SirMuDbl00d, Founder & CEO, Null Hat Security


As many organizations begin to explore the ATT&CK framework, they often hit a fundamental roadblock: how, exactly, do we use this? We'll cover high-level processes, essentially giving you workflows for taking the framework and breaking it down into tangible detections within your environment, along with a pipeline to proven detection techniques.


2:10-2:45 pm EDT

DFIR To Go

Over the past two days, you’ve absorbed a huge amount of information, and hopefully you’re feeling inspired (though tired). But the real challenge is to sustain the momentum, taking ideas, tools, and tips from the Summit and figuring out how to incorporate them into your work. Let this panel of SANS instructors and Summit advisors help by highlighting some of their key takeaways and action items coming out of the Summit talks.


2:45-3:00 pm EDT Break
3:00-3:15 pm EDT

Cyber Sleuth: Education and Immersion for the Next Generation of Forensicators

Daryl Pfeif, Founder & CEO, Digital Forensics Solutions


The Cyber Sleuth Science Lab engages high school students in Digital Forensic Science using compelling investigations and by solving real-world cases. Students are also immersed in the process of scientific inquiry, teaching them the technology, engineering, mathematics, and computer science concepts and skills needed in STEM fields. Hear an overview of the project - and how you can get involved to help shape the future of our field.


3:15-4:15 pm EDT

The DFIRlympics

Mari DeGrazia @MariDeGrazia
Brian Moran @BrianJMoran


This fun and interactive session will pit SANS instructors and speakers against one another in a (mostly) good-natured round of games, with lots of opportunities for you to buzz in as well. Hosts Mari and Brian will mix relevant DFIR facts with (mostly) useless trivia to close out the content on a high note before wrapping up with the presentation of the annual Forensic 4Cast Awards.

4:15-5:00 pm EDT
Forensic 4cast Awards


Solutions Track

Friday, July 17 - all times are in Eastern Daylight Time (UTC-4)
8:45-8:50 am EDT
Day 2 Welcome & Overview
8:50-9:25 am EDT
Keynote: Strengthening Trust in DFIR (Eoghan Casey and Daryl Pfeif; abstract above, under the DFIR Track)

9:25-10:00 am EDT
Keynote: Learning at Scale (Lodrina Cherne; abstract above, under the DFIR Track)

10:05-10:40 am EDT

Devo

Putting Big Data to Work in DFIR

Jason Mical, @devo_Inc, Global Cyber Security Evangelist


Next-gen security operations technologies are making good on the promise of streamlined analyst workflows. It’s now possible to pivot from alert and triage work, to running investigations, over to proactive hunting, and back again within a single workflow. In addition, investigation completeness with all digital forensic evidence - from binaries to memory dumps to PCAPs - can be seamlessly brought into the workflow.

Join this session to learn unique approaches in using big data to power investigations, including:

  • Automated evidence enrichments at petabyte scale
  • Processing multiple memory dumps for immediate forensics analysis and determinations
  • Correlating investigation evidence into a threat hunt with a single click
  • Building dashboards to visualize live forensic artifacts

10:40-10:50 am EDT Break
10:50-11:25 am EDT

Palo Alto Networks

How Not to Ruin Your Day: Avoiding Common Threat Hunting Mistakes

Menachem Perlman, @PaloAltoNtwks, Sr. Manager, Threat Hunting

calendar Add to Calendar

Advanced adversaries use a variety of underhanded tricks to evade detection. They leverage legitimate applications to execute their attacks and manipulate files and log messages to cover their tracks. If threat hunters only focus on known malware and attack tactics, they might miss attackers hiding in plain sight.

During this session, Menachem Perlman, leader of the Managed Threat Hunting team at Palo Alto Networks, will discuss:

  • The basic mistakes many threat hunters make
  • Techniques to find stealthy adversaries, with sample queries you can use
  • How to perform threat hunting at scale using automation and enrichment


Join us for an informative session and gain the knowledge you need to uncover threat actors lurking in your organization.

11:25-11:35 am EDT Break
11:35-12:25 pm EDT

DomainTools

Profiling Threat Actors in DNS

Taylor Wilkes-Pierce, @tw_pierce, @DomainTools, Senior Sales Engineer

calendar Add to Calendar

Want to learn more about assessing adversary choices when it comes to hosting and registering domains? In this session we’ll explore methodologies for using OSINT DNS and Infrastructure data in responding to phishing and malware incidents with DomainTools Iris.

We’ll cover:

  • Pivoting across DNS / SSL / Registration data to find correlations in malicious activity
  • Profiling actor groups in this dataset to further threat hunting efforts
  • Integrating this data across the SOC to close the loop on hunting and detection
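
The pivoting workflow in the bullets above, as an added example that is not part of the DomainTools session or the Iris product: starting from one known-bad domain, walk outward through attributes it shares with other domains (registrant e-mail, name server, hosting IP, TLS certificate fingerprint) and collect the connected cluster. The record layout and attribute names are assumptions, the records are constructed, and the key practitioner caveat is built in: a pivot shared by too many domains (a privacy-proxy registrant, a large shared name server, a CDN IP) is a hosting-provider signal rather than an actor signal and is set aside for review instead of being followed.

```python
"""Infrastructure pivoting over DNS / TLS / registration data.

Added example; not DomainTools or Iris code. The field names
(registrant_email, name_servers, ip, cert_sha1) are assumptions about
what a normalised WHOIS / passive-DNS / certificate export might carry.
"""
from collections import defaultdict

# Constructed sample records; none of these are real observations.
# The first three share an actor-specific registrant, an IP and a cert.
# The last three only share a privacy-proxy e-mail and a big name server.
RECORDS = [
    {"domain": "secure-login-portal.example", "registrant_email": "ops@mailbox.example",
     "name_servers": ["ns1.cheapdns.example"], "ip": "203.0.113.10", "cert_sha1": "aaa111"},
    {"domain": "account-verify.example", "registrant_email": "ops@mailbox.example",
     "name_servers": ["ns1.cheapdns.example"], "ip": "203.0.113.11", "cert_sha1": "bbb222"},
    {"domain": "invoice-update.example", "registrant_email": "privacy@redacted.example",
     "name_servers": ["ns1.cheapdns.example"], "ip": "203.0.113.11", "cert_sha1": "bbb222"},
    {"domain": "unrelated-shop.example", "registrant_email": "privacy@redacted.example",
     "name_servers": ["ns1.bigdns.example"], "ip": "198.51.100.5", "cert_sha1": "ccc333"},
    {"domain": "another-shop.example", "registrant_email": "privacy@redacted.example",
     "name_servers": ["ns1.bigdns.example"], "ip": "198.51.100.6", "cert_sha1": "ddd444"},
    {"domain": "third-shop.example", "registrant_email": "privacy@redacted.example",
     "name_servers": ["ns1.bigdns.example"], "ip": "198.51.100.7", "cert_sha1": "eee555"},
]


def pivot_keys(record):
    """The (attribute, value) pairs one record can be pivoted on."""
    keys = [("registrant_email", record["registrant_email"]),
            ("ip", record["ip"]),
            ("cert_sha1", record["cert_sha1"])]
    keys += [("name_server", ns) for ns in record["name_servers"]]
    return keys


def build_index(records):
    """Map each pivot key to the set of domains that carry it."""
    index = defaultdict(set)
    for r in records:
        for key in pivot_keys(r):
            index[key].add(r["domain"])
    return index


def expand(seed, records, max_shared=2):
    """Breadth-first pivot from a seed domain.

    Returns (cluster, edges, skipped). A pivot key shared by more than
    max_shared domains is judged too common to be an actor signal and is
    recorded in `skipped` rather than followed; `edges` records which pivot
    pulled each domain in, so the analyst can justify every hop.
    """
    keys_of = {r["domain"]: pivot_keys(r) for r in records}
    if seed not in keys_of:
        raise ValueError(f"seed {seed!r} is not in the dataset")
    index = build_index(records)
    cluster = {seed}
    frontier = [seed]
    edges = []
    skipped = set()
    while frontier:
        current = frontier.pop()
        for key in keys_of[current]:
            members = index[key]
            if len(members) > max_shared:
                skipped.add(key)
                continue
            for other in sorted(members - cluster):
                cluster.add(other)
                frontier.append(other)
                edges.append((current, key, other))
    return cluster, edges, skipped


if __name__ == "__main__":
    cluster, edges, skipped = expand("secure-login-portal.example", RECORDS)
    print("cluster:", sorted(cluster))
    for src, key, dst in edges:
        print(f"  {src} --{key[0]}={key[1]}--> {dst}")
    print("pivots set aside as too common:", sorted(skipped))
```

With max_shared=2 the seed pulls in only the two domains tied to it by the actor-specific registrant e-mail, the shared IP and the shared certificate; the privacy-proxy e-mail and the three-domain name server are reported but not followed. Raising max_shared to 10 follows the privacy-proxy e-mail and drags in the three unrelated shops, which is exactly the false correlation a threshold on pivot frequency is there to prevent. On real data the threshold is usually far higher and attribute-specific, and the skipped list is worth a look before the cluster is handed to detection engineering.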

12:25-1:30 pm EDT Lunch
1:30-2:05 pm EDT

ExtraHop

Completing the Triad, The Case For Leading With NDR

John Smith, @jmsazboy, @ExtraHop, Principal Sales Engineer

calendar Add to Calendar

The information security industry has experienced a number of innovations around SIEM and Endpoint Detection and Response (EDR) solutions over the past few years. These solutions have included leveraging Machine Learning and Cyber Threat Intelligence into their platforms for higher fidelity as well as better response to emerging and acute threats our industries and agencies face. Even with these advancements we have still seen several devastating breaches that do more than damage a company’s brand. Unlike real-asset destruction or theft, when intellectual property is stolen or compromised, the owner is never made whole and its value cannot be recouped. The challenge with EDR and SIEM is that they must be configured or installed, and any solution that must be configured or installed can be un-configured and un-installed. Many breaches have involved the evasion of properly installed and configured SIEM and EDR solutions. The covert nature of today’s malware and spyware requires a covert response, one where our adversaries are not aware of its presence. In this session, we will discuss and demo the merits of leading with Network Detection and Response (NDR) and how the use of NDR provides coverage against evasion techniques used by attackers against our existing SIEM/EDR investments. Adding the third pillar of NDR to your security triad will provide the needed stability that has been lacking from the traditional two-pronged approach to security and visibility.

In this session, we will discuss the ways in which NDR complements and in many cases improves the efficacy of your existing investments in SIEM and EDR. We will also discuss the differences in signal intelligence between what is on the wire vs what is in a log. And finally, we will discuss reasons to take an “NDR-first” approach to visibility at scale, high fidelity detections and digital surveillance.

The attendees will leave with an understanding of what NDR accomplishes for them and their mission. They will understand how NDR complements their existing security portfolio, and attendees will understand the unique intelligence that only exists on the network that they cannot get from either EDR or SIEM.

2:10-2:45 pm EDT

ThreatConnect

Empowering DFIR Through Automation and Orchestration - Enhancing Your Artifacts with Threat Intelligence

Iain Davison, @ThreatConnect, Security Architect and Technical Director of Strategic Alliances

calendar Add to Calendar

It's harder than ever before for forensics examiners to keep up with the current demands of Digital Forensics. The nature of today's operating environment has resulted in an ever-increasing volume of alerts paired with a growing complexity and scale of subsequent investigations. In this talk we will be discussing in depth what this means in the daily life of examiners performing remote forensics, and how imperative it is to force-multiply them to enable quicker and more effective response to incidents. We will explore the key role of operationalized threat intelligence, and why (and how) orchestrating it alongside the forensic processes and technology can enable organizations to be more effective when examining and responding to incidents.

2:45-3:00 pm EDT Break
3:00-3:35 pm EDT

Blue Hexagon / Microsoft

Accelerate Your Threat Hunting and IR with Next-Gen NDR+EDR

Balaji Prasad, @inretrospct, @bluehexagonai, VP of Products, Blue Hexagon
Arun Raman, @arunraman, @bluehexagonai, Principal Architect, Blue Hexagon
Heike Ritter, @HeikeRitter, @Microsoft, Senior Program Manager, Microsoft

calendar Add to Calendar

FBI IC3 received 467,361 complaints in 2019—an average of nearly 1,300 every day, with 2020 expected to be even higher. As pernicious threat actors leverage automation to breach defenses and act on objectives, the window of time to detect and respond has shrunk dramatically. Can artificial intelligence, specifically deep learning, which has revolutionized areas like self-driving cars, computer vision, and medical image diagnosis be used to solve cybersecurity challenges? How can NDR and EDR work together to accelerate threat hunting, triage, and IR? Blue Hexagon & Microsoft will dive into one of the first applications of real-time AI for solving variable threats including 0-hour and 0-day threats with Network Detection and Response. Learn how to optimally utilize NDR with Blue Hexagon and EDR with Microsoft Defender ATP together for defense in depth.

3:40-4:15 pm EDT

Magnet Forensics

Dig Deeper: Acquisition and Analysis of AWS Cloud Data

Trey Amick, @amick_trey, @MagnetForensics, Manager, Forensic Consultants
Curtis Mutter, @cmutter79, @MagnetForensics, Senior Product Manager

calendar Add to Calendar

As the landscape of IT systems continues its migration out of the server room and into cloud hosted environments, it is critical that your digital forensics toolkit can adapt to these new environments. Learn how to accelerate your internal investigations across Amazon Web Services with the acquisition of S3 Buckets and EC2 Instances. We will demonstrate how examiners can acquire these remote systems and analyze the contents alongside other evidence items related to the investigation. We'll also highlight how forward-thinking labs can scale up their existing resources and processes with the power of orchestration and automation in both cloud and hybrid environments.

4:15-5:00 pm EDT
Forensic 4cast Awards