World-class instructors teaching today's, critical cyber skills - SANS Online Training

DFIR Summit & Training 2021 - Live Online

Virtual, US Eastern | Thu, Jul 22 - Sat, Jul 31, 2021

DFIR Summit Agenda

Live Online | July 22-23

New DFIR Solutions Track - Learn More and Register

Sign Up to Receive Updates About DFIR Summit 2021

dfir summit 2021 agenda

Check back soon for the complete agenda.


Confirmed 2021 Summit talks include:

Automating Google Workspace Incident Response


Megan Roddie, Cyber Threat Researcher, IBM

Incident responders require a toolset and resources that allow them to efficiently investigate malicious activity. In the case of Google Workspace, there are an increasing number of subscribers, but resources to assist in the analysis of security incidents are lacking. For this reason, the goal of the research behind this presentation is was to develop a tool that expands on Google’s default administrative capabilities with the intent of providing value to incident responders. Through providing both additional context and purposeful views, incident responders can more quickly identify malicious activity and respond accordingly. This tool has been released publicly and this presentation will discuss the limitations of Google Workspace's existing response capabilities, demonstrate the new tool's functionality and its benefits, and discuss additional areas of coverage needed.


Cobalt Strike Hunting

Chad Tilbury, SANS Institute

Cracked versions of Cobalt Strike have rapidly become the attack tool of choice among enlightened global threat actors, making an appearance in almost every recent major hack, including SolarWinds, the massive Hafnium attacks targeting Microsoft Exchange servers, and a majority of recent ransomware attacks. The use of Cobalt Strike is unsurprising as it provides an all-in-one framework for mounting large scale network penetrations with an unparalleled amount of flexibility. The bad news is Cobalt Strike can be extremely stealthy. However, the good news is a known threat inevitably provides detection opportunities for defenders, and, currently, there is no larger known threat. Using examples taken directly from an actual enterprise-wide attack used in the SANS FOR508 class, this presentation will demonstrate Cobalt Strike based attacks from both the attacker and defender perspectives. Attendees will gain insight into how Cobalt Strike operates and artifacts left behind via many of its common attack techniques, leaving with a range of practical detections that can be immediately put to use during incident response and threat hunting.


Exploring Windows Command-Line Obfuscation

Wietze Beukema, Threat Detection Engineer, PwC UK

Many will have heard of DOSfuscation, which are techniques to obfuscate command-line options of cmd.exe executions. As it turns out, there are many other Windows executables of which the command-line can be obfuscated in various ways, which makes it possible to bypass certain rule-based detection methods (e.g. in EDR). In this session we'll take a closer look at 5 different obfuscation techniques, using practical examples (nearly 50 built-in Windows binaries are vulnerable to at least one of them!). It'll be discussed how one can find obfuscation opportunities in any executable. Finally, the implications of this type of rule bypass as well as best practices for robust and resilient detections are examined.


EZ Tools/KAPE: How to Contribute to and Benefit from Open Source Contributions

Andrew Rathbun, Senior Associate, Kroll

Learning what EvtxECmd and SQLECmd Maps are, what RECmd Batch Files are, what KAPE Targets/Modules are, how to make them (very briefly), and how to ensure you're keeping KAPE/EZ Tools up to date to benefit from all the open source contributions that occur in the associated GitHub repositories.


Forensic Analysis of Xiaomi IoT Ecosystem

Evangelos Dragonas, Digital Forensic Researcher, University of Piraeus, Greece

The number of Xiaomis connected IoT devices is growing extremely fast. It is therefore safe to conclude that is highly likely for Xiaomi IoT devices to become silent witnesses in a crime scene investigation. Not only law enforcement officers, but also incident responders and the rest of the DFIR practitioners should get familiar with the artifacts that can be obtained from the examination of such devices. To this respect, all the potential sources of evidence in the Xiaomi IoT ecosystem will be presented. The challenges faced during this research will be addressed, as well as the methods used to overcome them. Furthermore, attendees will be granted access to SQL queries and parsers, developed during this research, in order to assist them during their investigations. Takeaways of this talk: -Learn where evidentiary data might be located in the Xiaomi IoT Ecosystem (smartphone application, network traffic, cloud, IoT device), -Learn what kind of artifacts can be retrieved from these sources and how they can be correlated, -Brief presentation of the aforementioned artifacts, -Access to guides, SQL queries and parsers developed in the process of the forensic analysis References https://www.statista.com/statistics/967485/worldwide-xiaomi-number-of-connected-devices/


Greppin’ Logs

Noah Rubin, Manager, Stroz Friedberg
Jon Stewart, VP, Stroz Friedberg

Terabytes of Exchange logs got you down? Need to look for 100 IP addresses but haven't got 100 hours? This talk will discuss how to optimize systems for log searching, and cover a variety of command-line tools, including Stroz Friedberg's open source multipattern grep tool, Lightgrep. We'll also demonstrate techniques for generating histograms and other statistics from logs to discover interesting patterns of attacker behavior, and how to enrich events with external data sources. You'll leave with handy techniques for slicing and dicing the biggest of logs with ease.


Order of Volatilty in Modern Smartphone Forensics

Mattia Epifani, Digital Forensics Analyst, REALITY NET Snc

When dealing with modern smartphone devices, both Android and iOS, we often rely on native communication protocols (for example, ADB on Android and iTunes Backup service on iOS) to extract data and we often need to interact "live" with the device to allow communications. As mentioned since 2002 in the RFC 3227 "When collecting evidence you should proceed from the volatile to the less volatile". The aim of this presentation is to show how to leverage native Android and iOS communication protocols to extract as much data as possible, in the proper order.


Reporting for Digital Forensics

Jason Wilkins, Digital Forensics Examiner, Clayton County Police Dept.

After two years in the industry, I realized that there seemed to be a lack of proper instruction on report writing for Digital Forensics. Investigators are expected to simply ‚€œpick up‚€ how to do this on the job, even if there is no one with experience there to teach them. Because of this, I will be discussing how to create clear, concise reports for digital forensics. I will discuss the guidelines, the importance of good reporting, and various ways of generating them.


Stringlifier: An Open Source Tool for Random String Classification

Vivek Malik, Security Engineer Adobe Inc.
Kumar Vikramjeet, Security Engineer, Adobe Inc.

While shifting from traditional log analysis towards a data science-based approach, security professionals often battle with complex random strings in logs/commands/codes, which makes statistical analysis cumbersome. For example, can you differentiate between 7f41suf9312, 32185544-ABC3123-9845678, GCEFi519719312? These could be passwords, API keys or hashes. Stringlifier is an open-source tool that assists in categorizing such strings. It leverages machine learning to distinguish between normal and random character sequences and it provides fine-grained classifications to assist professionals in characterizing strings in raw text. During this presentation we will have a series of hands-on exercises on how to sanitize your data, process/classify random strings, and identify leaked credentials in public repositories.


To get a taste of the type of dynamic presentations and speakers you’ll see at the 2021 DFIR Summit, check out these talks from the 2020 Summit below or view the full playlist here:

Making Memories: Using Memory Analysis for Faster Response to User Investigations - SANS DFIR Summit 2020
- Aaron Sparling, @osintlabworks, Digital Forensics Examiner, Portland Police Bureau
- Jessica Hyde, Director of Forensics, Magnet Forensics; Adjunct Professor, George Mason University


Help! We Need an Adult! Engaging an External IR Team - SANS DFIR Summit 2020
- Liz Waddell, @vlsin, Incident Commander, Talos Incident Response


Extract and Visualize Data from URLs using Unfurl - SANS DFIR Summit 2020
- Ryan Benson, @_RyanBenson, Security Engineer, Google