As a globe-trotting cyber sleuth, Ryan Johnson is always looking to find the bad guy, and to share his enthusiasm and knowledge about digital forensics along the way. Ryan started out performing digital forensic exams for local law enforcement in Durham, N.C., assisting in homicide, fraud, narcotics, and child exploitation cases. He quickly saw the importance of digital evidence in ensuring that guilty parties are held accountable and innocent parties go free.
That work led Ryan to join a team of media exploitation analysts working for the U.S. Army in Iraq. During his year in Iraq he helped gather actionable intelligence, streamline processes, and enhance equipment resources for in-country teams. When he returned stateside, Ryan began to work on computer intrusion cases. Since then he's traveled the globe teaching digital forensics for the U.S. State Department's Anti-Terrorism Assistance Program and served as a digital forensics analyst and consultant. Ryan co-authored several of the State Department's digital forensics courses as well as the book Mastering Windows Network Forensics and Investigations, Second Edition.
Today, with more than 12 years of experience in digital forensics investigations, incident response, network forensics, and vulnerability assessments, Ryan teaches the FOR572: Advanced Network Forensics and Analysis course for SANS.
"My favorite part of teaching for SANS- other than meeting some really cool students- is that I get to hear different perspectives and approaches to all the areas we talk about in class," says Ryan. "There's not been one class where I have not learned something from our students, and those nuggets of gold help me be a better practitioner and a better instructor."
Ryan also currently serves as the Global Head of CSIRT at PricewaterhouseCoopers, where he leads the response, readiness and investigations functions. In addition, based on his background, practical forensic experience, and government clearance, Ryan has been regularly called upon to train U.S.-based government departments, international governments, and corporations in the areas of network and digital forensics.
Ryan earned a Master's of Science degree from Dalhousie University and two Bachelor's degrees from Queen's University. He has taught college students, professionals, law enforcement, attorneys, and judges. Ryan knows that teaching the process, not the tool, is what gives students information they can put into practice outside of the classroom, and he works tirelessly to ensure every student understands the concepts he's teaching.
"I do my best to come up with unique ways to explain or relate information to people from different backgrounds and experience levels," he explains. "I've explained concepts using analogies like the 'paint can method' for understanding Diffie Hellman key exchanges, and a water pitcher and a glass to explain buffer overflows- inadvertently shorting out a computer at the same time! I don't like to stop until I see the light bulbs go on, so my classes aren't your typical 'download' sessions."
When he's not investigating, teaching, or traveling the world, Ryan uses part of his free time to delve into another of his passions, which is research.
"My research interests involve traffic analysis and potential subversion of IoT devices, specifically the ones I have in my house!" he says. At home, you might find Ryan playing with his kids, making dinner for the family, and brewing small batches of beer. And while he'd like more time for actual brewing, he always finds opportunities to make the process more tech-savvy, like building new controllers for his beer brewing setup!
- More than 12 years of experience in digital forensics investigations, incident response, network forensics, and vulnerability assessments.
- Co-author of the book Mastering Windows Network Forensics and Investigation, Second Edition.
Get to Know Ryan Johnson:
- Read Ryan's blog post on "The Future of Digital Forensics"
- GIAC Certified Network Forensics Analyst (GNFA)
- Certified Information Systems Security Professional (CISSP)
- GIAC Certified Incident Handler (GCIH)
- Member of the SANS Advisory Board
- Listen to Ryan discuss Network Forensics as a guest speaker alongside Phil Hagen on the DNS Evidence: You Don't Know What You're Missing webcast
- Read Ryan's October Editorial Edition of the SANS Ouch Newsletter
Here's what students are saying about SANS Instructor Ryan Johnson:
- "Great instructor, keeps attention and presents with authority & knowledge." - Paul Mobley
- "Great time, pacing, humor, and most importantly knowledge" -SANS Boston 2016, FOR572 attendee
- "The instructor is Awesome! He was able to articulate and accommodate the entire class regardless of knowledge base. He engages the class and comes prepared to every class. Thus far being the best instructor we have had in this course. I would recommend him to anyone taking FOR572." - Fort Gordon, FOR572 attendee
Upcoming Courses Taught By Ryan Johnson
|Type||Course / Location||Date||Register|
Cyber Threat Intelligence Summit & Training Arlington, VA
Jan 25, 2017 -
Feb 1, 2017
Security Operations Center Summit & Training Washington, DC
Jun 5, 2017 -
Jun 12, 2017
*Course contents may vary depending upon location, see specific event description for details.