DFIR Summit Agenda
Live Online | July 16-17
Two Summit Tracks
Thursday, July 16 - all times are in Eastern Daylight Time (UTC-4) | Track 1 | Track 2
---|---|---
9:00-9:15 am EDT | Opening Remarks. Rob Lee, @robtlee, Fellow, SANS Institute | 
9:15-10:00 am EDT | Keynote: A DFIRent side of DFIR: Forensicating for Black Lives and Other Social Justice Issues. Matt Mitchell, @geminiimatt, Hacker; Security Researcher; Tech Fellow to the BUILD Program at the Ford Foundation | 
10:05-10:40 am EDT | You need a PROcess to check your running processes and modules. The bad guys, and red teams, are coming after them! Michael Gough, @MichaelGoughTX, Principal Incident Response, NCC Group. If there is a file on disk, you can easily SEE the bad fu, but what if the malware is nowhere to be found on the disk? Malware can be broken up into several types; some call it "fileless malware" (a poor, non-descriptive term). The malware really isn't fileless: the file, or code, lives somewhere, in the registry, the WMI database, or, the focus of this talk, in memory. This talk will focus on Memware that has been injected into memory, most likely injected into a process or added as a DLL, and may not reside on disk while the system is running. | Jonathan Ketchum, @Un1d1g1t, Threat Hunter/InfoSec Analyst, USAA
10:40-10:55 am EDT | Break | 
10:55-11:30 am EDT | Jess Garcia, @j3ssgarcia, Lead DFIR Analyst/CEO, One eSecurity. Data Science (DS) and AI (Machine/Deep Learning) have effectively erupted in our world during the last few years, improving the efficiency of a vast number of areas and opening doors to new possibilities, both on the business front and in our personal lives. The adoption of DS/AI in the DFIR field has, however, been modest so far. | Aaron Sparling, @osintlabworks, Digital Forensics Examiner, Portland Police Bureau
11:30-11:40 am EDT | Break | 
11:40 am - 12:15 pm EDT | Brian Carrier, CTO, Basis Technology | Alexis Brignoni, @AlexisBrignoni, Special Agent, Federal Law Enforcement
12:15-1:30 pm EDT | Lunch | 
1:30-2:05 pm EDT | Jim Clausing, @jclausing, Principal Member - Technical Staff, AT&T | David Pany, Manager, Mandiant
2:10-2:45 pm EDT | Ryan Benson, @_RyanBenson, Security Engineer, Google | Lee Whitfield, @lee_whitfield, Senior Technical Adviser, SANS
2:45-3:00 pm EDT | Break | 
3:00-3:35 pm EDT | Frank McClain, Senior Detection Engineer, Red Canary | Jared Barnhart, Mobile Forensic Engineer, Principal, Parsons Corporation
3:40-4:15 pm EDT | Matthew Seyer, @forensic_matt, Manager, KPMG | Willi Ballenthin, Senior Staff Reverse Engineer, FLARE/FireEye
4:20-4:55 pm EDT | Ali Hadi, @binaryz0ne, Assistant Professor and Cybersecurity Researcher, Champlain College. 90% of the modern Internet is running on Linux. Hundreds of millions of servers and personal computers collectively use some form of Linux operating system. Despite this, we as forensic investigators are taught almost exclusively how to investigate Windows systems. Ask yourself this question: if you were asked to investigate a system running Linux, how confident would you feel in your abilities? Do you have the skills required to collect data from this system? Some investigators may feel very confident, but many of us will feel lost when put in this sort of position. The goal of this talk is to build and grow a DFIR analyst's skills in Linux forensics by going over a variety of different case studies and scenarios. An attendee should walk away having learned the most important aspects of investigating Linux. | Sarah Konunchuk, @SarahKonun13, IR Forensic Investigator, CFC Response
4:55-5:00 pm EDT | Day 1 wrap-up | 
Friday, July 17 - all times are in Eastern Daylight Time (UTC-4) | Session
---|---
8:45-8:50 am EDT | Day 2 Welcome & Overview
8:50-9:25 am EDT | Keynote: Strengthening Trust in DFIR. Eoghan Casey, Author of Digital Evidence and Computer Crime; Daryl Pfeif, Founder & CEO, Digital Forensics Solutions. The cost of security breaches is on the rise. Intrusions into critical infrastructure are increasing. Victim organizations are paying criminals in crypto ransomware incidents. Improper handling of digital evidence during security breaches is making it more difficult for victim organizations to take legal action. Cases involving missed and misinterpreted digital evidence are gaining international attention. Confusion caused by deep fakes is widespread. Growing concerns over surveillance technology are fueling distrust in the already contentious context of criminal justice. Women and minorities are underrepresented in DFIR. Overall, DFIR is not keeping pace with the rapidly evolving challenges of modern society. A sea change in DFIR is needed to protect victims, address ethical concerns, serve justice, and build trust. Pivotal to this transformation is a more diverse and dynamic workforce in DFIR with stronger scientific foundations. To this end, projects such as the Cyber Sleuth Science Lab and Girls Go CyberStart are providing young women and men from traditionally underserved populations with digital forensic knowledge, skills and career pathways. Such initiatives strengthen DFIR through inclusivity and learning, empowering underserved individuals to balance existing inequities and to promote ethical, responsible, and safe behavior in a digital society.
9:25-10:00 am EDT | Keynote: Learning at Scale. Lodrina Cherne, @hexplates, Certified Instructor, SANS Institute. Examiners are aware that no one tool can fulfill all of their digital forensic and incident response collection, analysis, and reporting needs. The need to understand the best solutions for day-to-day work and when to employ specialist tools is vital for protecting organizations from the latest threats.
10:05-10:40 am EDT | Help! We need an adult! Engaging an external IR team. Liz Waddell, @vlsin, Incident Commander, Talos Incident Response. Too often, the decision to bring in a third-party forensic team occurs when an incident has reached crisis level. As an Incident Commander for such a team, Liz has seen many people handle this crisis engagement well, and others – not so much. This presentation will prepare you for what happens when you need additional surge support. We will talk about the considerations to make: when you should engage, how to choose a firm, one-time engagements vs. retainers, invoking cyber insurance, and which members of your team should be involved in these discussions (hint: it's not just your CISO). We will discuss what to expect during the engagement: how to properly scope and set objectives with your firm, how to prep for both remote and onsite forensics, tool deployment, what data/logs may be asked for, and establishing command centers.
10:40-10:50 am EDT | Break
10:50-11:25 am EDT | Mattia Epifani, Digital Forensics Analyst, REALITY NET - System Solutions
11:25-11:35 am EDT | Break
11:35 am - 12:10 pm EDT | Milind Bhargava, Founder, Mjolnir Security
12:15-12:25 pm EDT | Frank McClain, @littlemac042, Senior Detection Engineer, Red Canary
12:25-1:30 pm EDT | Lunch
1:30-2:05 pm EDT | From Threat Research to Organizational Threat Detection. O'Shea Bowens, @SirMuDbl00d, Founder & CEO, Null Hat Security. As many organizations begin to explore the ATT&CK framework, they often hit a fundamental roadblock: how, exactly, do we use this? We'll cover high-level processes, essentially giving you workflows for taking the framework and breaking it down into tangible detections within your environment, along with a pipeline to proven detection techniques.
2:10-2:45 pm EDT | DFIR To Go. Over the past two days, you've absorbed a huge amount of information, and hopefully you're feeling inspired (though tired). But the real challenge is to sustain the momentum, taking ideas, tools, and tips from the Summit and figuring out how to incorporate them into your work. Let this panel of SANS instructors and Summit advisors help by highlighting some of their key takeaways and action items coming out of the Summit talks.
2:45-3:00 pm EDT | Break
3:00-3:15 pm EDT | Cyber Sleuth: Education and Immersion for the Next Generation of Forensicators. Daryl Pfeif, Founder & CEO, Digital Forensics Solutions. The Cyber Sleuth Science Lab engages high school students in Digital Forensic Science using compelling investigations and by solving real-world cases. Students are also immersed in the process of scientific inquiry, teaching them the technology, engineering, mathematics, and computer science concepts and skills needed in STEM fields. Hear an overview of the project, and how you can get involved to help shape the future of our field.
3:15-4:15 pm EDT | The DFIRlympics. Mari DeGrazia, @MariDeGrazia. This fun and interactive session will pit SANS instructors and speakers against one another in a (mostly) good-natured round of games, with lots of opportunities for you to buzz in as well. Hosts Mari and Brian will mix relevant DFIR facts with (mostly) useless trivia to close out the content on a high note before wrapping up with the presentation of the annual Forensic 4Cast Awards.
4:15-5:00 pm EDT | Forensic 4cast Awards
Solutions Track

Friday, July 17 - all times are in Eastern Daylight Time (UTC-4) | Session
---|---
8:45-8:50 am EDT | Day 2 Welcome & Overview
8:50-9:25 am EDT | Keynote: Strengthening Trust in DFIR. Eoghan Casey, Author of Digital Evidence and Computer Crime; Daryl Pfeif, Founder & CEO, Digital Forensics Solutions. Shared with the main track; the abstract is listed under the main track above.
9:25-10:00 am EDT | Keynote: Learning at Scale. Lodrina Cherne, @hexplates, Certified Instructor, SANS Institute. Shared with the main track; the abstract is listed under the main track above.
10:05-10:40 am EDT | Putting Big Data to Work in DFIR. Jason Mical, @devo_Inc, Global Cyber Security Evangelist. Next-gen security operations technologies are making good on the promise of streamlined analyst workflows. It's now possible to pivot from alert and triage work to running investigations, over to proactive hunting, and back again within a single workflow. In addition, investigation completeness with all digital forensic evidence, from binaries to memory dumps to PCAPs, can be seamlessly brought into the workflow. Join this session to learn unique approaches to using big data to power investigations, including:
10:40-10:50 am EDT | Break
10:50-11:25 am EDT | How Not to Ruin Your Day: Avoiding Common Threat Hunting Mistakes. Advanced adversaries use a variety of underhanded tricks to evade detection. They leverage legitimate applications to execute their attacks and manipulate files and log messages to cover their tracks. If threat hunters only focus on known malware and attack tactics, they might miss attackers hiding in plain sight.
11:25-11:35 am EDT | Break
11:35 am - 12:25 pm EDT | Profiling Threat Actors in DNS. Taylor Wilkes-Pierce, @tw_pierce, @DomainTools, Senior Sales Engineer. Want to learn more about assessing adversary choices when it comes to hosting and registering domains? In this session we'll explore methodologies for using OSINT DNS and infrastructure data in responding to phishing and malware incidents with DomainTools Iris. We'll cover:
12:25-1:30 pm EDT | Lunch
1:30-2:05 pm EDT | Completing the Triad: The Case For Leading With NDR. John Smith, @jmsazboy, @ExtraHop, Principal Sales Engineer. The information security industry has experienced a number of innovations around SIEM and Endpoint Detection and Response (EDR) solutions over the past few years. These solutions have included leveraging Machine Learning and Cyber Threat Intelligence into their platforms for higher fidelity as well as better response to emerging and acute threats our industries and agencies face. Even with these advancements we have still seen several devastating breaches that do more than damage a company's brand. Unlike real-asset destruction or theft, when intellectual property is stolen or compromised, the owner is never made whole and its value cannot be recouped. The challenge with EDR and SIEM is that they must be configured or installed, and any solution that must be configured or installed can be un-configured and un-installed. Many breaches have involved the evasion of properly installed and configured SIEM and EDR solutions. The covert nature of today's malware and spyware requires a covert response, one where our adversaries are not aware of its presence. In this session, we will discuss and demo the merits of leading with Network Detection and Response (NDR) and how the use of NDR provides coverage against evasion techniques used by attackers against our existing SIEM/EDR investments. Adding the third pillar of NDR to your security triad will provide the needed stability that has been lacking from the traditional two-pronged approach to security and visibility. In this session, we will discuss the ways in which NDR complements and in many cases improves the efficacy of your existing investments in SIEM and EDR. We will also discuss the differences in signal intelligence between what is on the wire vs. what is in a log. And finally, we will discuss reasons to take an "NDR-first" approach to visibility at scale, high-fidelity detections and digital surveillance. The attendees will leave with an understanding of what NDR accomplishes for them and their mission. They will understand how NDR complements their existing security portfolio, and attendees will understand the unique intelligence that only exists on the network that they cannot get from either EDR or SIEM.
2:10-2:45 pm EDT | Empowering DFIR Through Automation and Orchestration - Enhancing Your Artifacts with Threat Intelligence. Iain Davison, @ThreatConnect, Security Architect and Technical Director of Strategic Alliances. It's harder than ever before for forensics examiners to keep up with the current demands of Digital Forensics. The nature of today's operating environment has resulted in an ever-increasing volume of alerts paired with a growing complexity and scale of subsequent investigations. In this talk we will be discussing in depth what this means in the daily life of examiners performing remote forensics, and how imperative it is to force-multiply them to enable quicker and more effective response to incidents. We will explore the key role of operationalized threat intelligence, and why (and how) orchestrating it alongside the forensic processes and technology can enable organizations to be more effective when examining and responding to incidents.
2:45-3:00 pm EDT | Break
3:00-3:35 pm EDT | Accelerate Your Threat Hunting and IR with Next-Gen NDR+EDR. Balaji Prasad, @inretrospct, @bluehexagonai, VP of Products, Blue Hexagon. FBI IC3 received 467,361 complaints in 2019, an average of nearly 1,300 every day, with 2020 expected to be even higher. As pernicious threat actors leverage automation to breach defenses and act on objectives, the window of time to detect and respond has shrunk dramatically. Can artificial intelligence, specifically deep learning, which has revolutionized areas like self-driving cars, computer vision, and medical image diagnosis, be used to solve cybersecurity challenges? How can NDR and EDR work together to accelerate threat hunting, triage, and IR? Blue Hexagon & Microsoft will dive into one of the first applications of real-time AI for solving variable threats, including 0-hour and 0-day threats, with Network Detection and Response. Learn how to optimally utilize NDR with Blue Hexagon and EDR with Microsoft Defender ATP together for defense in depth.
3:40-4:15 pm EDT | Dig Deeper: Acquisition and Analysis of AWS Cloud Data. Trey Amick, @amick_trey, @MagnetForensics, Manager, Forensic Consultants. As the landscape of IT systems continues its migration out of the server room and into cloud-hosted environments, it is critical that your digital forensics toolkit can adapt to these new environments. Learn how to accelerate your internal investigations across Amazon Web Services with the acquisition of S3 Buckets and EC2 Instances. We will demonstrate how examiners can acquire these remote systems and analyze the contents alongside other evidence items related to the investigation. We'll also highlight how forward-thinking labs can scale up their existing resources and processes with the power of orchestration and automation in both cloud and hybrid environments.
4:15-5:00 pm EDT | Forensic 4cast Awards