As a Special Agent with the Air Force Office of Special Investigations, Chad served on the national computer intrusion team and helped expand counter-espionage techniques into the digital age. He has led international forensic teams, built forensic departments, and spent over eight years as an incident response consultant and technical director with Mandiant and CrowdStrike.
In addition, Chad worked as a computer security engineer and forensic lead for a major defense contractor and served as the vice president of worldwide Internet enforcement for the Motion Picture Association of America. In that role, he managed Internet anti-piracy operations for the seven major Hollywood studios in over 60 countries.
"With so many different skills and cultural perspectives on that team, I learned more about the dark underpinnings of the Internet than I ever could have imagined," says Chad.
Today, Chad brings his wealth of experience to his role as a consultant, where he specializes in incident response, corporate espionage, and computer forensics. Here at SANS, Chad is a senior instructor and co-author for two six-day courses: FOR500: Windows Forensic Analysis, which focuses on the core skills required to become a certified forensic practitioner, and FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting, which teaches sophisticated computer intrusion analysis and advanced threat hunting techniques.
Chad's experience brings immeasurable depth to his classes. He focuses not only on tools and techniques but also on understanding how those artifacts can be used to prove or disprove questions students are asked to investigate in their daily jobs. As Chad says, "Forensics is both an art and a science, and I find hearing about real-world applications provides new perspectives and can help unlock a student's ability to think unconventionally."
Chad keeps his class goals simple: teach and lead discussions on the most important topics and make sure students have as much time as possible to work on the exercises. "I'm a big believer in hands-on learning," he says, "and we work hard to ensure the exercises in our classes are as realistic as possible. When students put all the pieces of a forensic investigation together themselves, it leads to those 'aha' moments that are so valuable."
The methodologies Chad teaches in his courses are the same ones he has used successfully on countless examinations. "Our exercises are months in the making and provide realistic, real-world evidence samples on which to practice," says Chad. "I have had numerous students report going back to their teams, blowing them away with a new technique, and promptly becoming the trainer themselves."
One of Chad's most memorable experiences in the classroom brought that immediacy of techniques to a whole new level.
"I was teaching some of my latest research on browser artifacts, recently added to the FOR500 class. Research showed that a specific browser database could be missing a day or more of information if not properly handled. There happened to be a law enforcement officer in class who was investigating a murder, and in his examination of the suspect's computer he had noted missing data during a critical 24-hour period. From our class discussion, the officer now had a tool and technique to recover the missing data in his case. Not surprisingly, he left class early!"
In addition to being a graduate of the U.S. Air Force Academy, Chad holds B.S. and M.S. degrees in computer science, as well as GCFA, GCIH, GREM, and ENCE certifications.
In his free time, Chad loves to travel and takes full advantage of the unique destinations his career takes him. He spends much of his time at home mountain biking, skiing, snowboarding, and mountaineering. Chad recently took a ski mountaineering trip to Antarctica, about as far away from a Wi-Fi signal as you can get!
- Over 20 years of experience working with government agencies, defense contractors, and Fortune 500 companies on a wide variety of cases
- Senior instructor and course co-author for SANS Forensics 500: Windows Forensic Analysis and SANS Forensics 508: Advanced Digital Forensics, Incident Response, and Threat Hunting
Get to Know Chad Tilbury
- Watch Chad's Geolocation Forensics webcast for SANS
- Explore PowerShell investigations with Chad's What Malware? Hunting Command Line Activity webcast
- Learn about Windows Credential Attacks and Defense