Mark Hallman

Mark has been performing computer-related investigations for over 12 years. Mark lead and assisted in investigations involving identification, preservation, research, analysis, and presentation of ESI for Fortune 100 and NLJ firms across the United States as well as governmental agencies such as the Department of Justice, the Department of Labor and the Securities and Exchange Commission. Mark's certifications include GCFE, CGFA, GCHI, EnCE, and CCE.

More About Mark


Mark has helped Fortune 100 and NLJ firms across the United States preserve, collect, and analyze Electronically Stored Information (ESI) in complex litigation. He has led, and assisted in investigations involving identification, preservation, investigation, analysis, and presentation of ESI for law firms, corporations as well as governmental agencies such as The Department of Justice, The Department of Labor and The Securities and Exchange Commission.

Along his career Mark has been successful in building technology consultancies where his skills in forensics tool research and evaluation, development of ESI collection protocols, development of investigation “play books”, training of the analyst team and application on those tools and techniques for deployment on client projects grew. After building and selling his Oracle Applications consulting company in 1998, he decided to take some time off. Once he was ready to get back in the game, he started looking at the various disciplines of information technology security because it seemed interesting and challenging to him. “I came across computer forensics and I knew that is what I wanted to do. I took a class and was hooked. Then I found SANS and took some real classes and I knew I have picked the right next step. I was the cool combination of solving the puzzle and archaeology is the best way I can describe it. The picture of what happened on a device becomes clearer as you peel away the layers.”

Mark is currently an Instructor and a Subject Matter Expert (SME) at the SANS Institute, where he participates in multiple projects supporting the development of SANS courseware and actively participates in client relationship management and technical sales. “I believe that in our careers as in sport, we only get better by practicing/competing with the best. Working with the SANS team either as an instructor or as an SME allow me identify problems, search for answers and guiding SANS students through corrective steps to make better forensicators”

As an instructor, Mark encourages students to walk away with skills and knowledge that they can use immediately as well an understanding that the best tool is their own brain and investigative/analytic skills that they will develop and nurture over time. “The reward of teaching comes when I get to see the light go on when a student first understands a challenging topic. I care about the transfer of knowledge part of teaching. I want to them to problem solve and the apply tools to answer the questions.”

Mark’s teaching philosophy is one of getting the students to understand and practice that DFIR is about analysis and/or solving the puzzle. “Learning how to use a programs or script is good. But if you cannot apply the why, what, who, where, when and how to those tools you are not going to get very far. Learn how to play the game not just how to use the tools.”

One of the biggest challenges in DFIR today is just keeping up with the changes in the industry. “There have several times in my career where I have scripted tools and processes that allow for a faster / repeatable method collecting and processing data. I believe that the real significance of this to the team was not the script per se, but the amount of time that it gave back to the team for analysis.” The other challenge is to develop a healthy DISTRUST of your tools. “Tools, even from the best developers, can generate incorrect or incomplete results.”

For this reason, Mark makes a point in teaching students the underlying functions and meaning of a particular artifact. “You have enough of an understanding of a tool to verify it output. I am not saying that you need to be able to code the tool but rather to generate user/system activity and see if they tool accurately reflects that activity. You must be able to verify it against other tools. Tools are there to help us do our job more efficiently not to take the responsibility of understanding the artifacts away from us as investigators.”

In his spare time, he tries to spend as much time as he can outdoors. Racing sailboats was a huge part of his life for about 30 years. He got to race all over the world and was on the US Sailing in 1990 – 1992. He finished 4th at the trials and did not go to Barcelona but I enjoyed every minute of it. Now most of his time on the water he spends fly fishing or kayaking.

Get to Know Mark Hallman

  • SANS Instructor and Subject Matter Expert at SANS Institute
  • Mark has 12 + years in SQL database design, programming, and database administration.
  • He has in-depth forensics experience with Windows, Mac OSX, Linux, iSO and Android operating systems.
  • Mark’s breadth of forensics tools includes EnCase, FTK, Nuix, X-Ways, Cellebrite, Blackbag tools, SANS SIFT, Internet Evidence Finder (IEF), and many open source forensic tools.


  • In addition to being a GIAC Certified Forensic Analyst (GCFA), Mark holds the GCFE, CCE EnCE, and CHFI forensic certifications.

Additional Contributions by Mark Hallman:




  • plaso_filters - Scripts to facilitate filtering with Plaso
  • kape-at-scale - Repo for code, techniques, ideas and questions about implementing KAPE at Scale
  • DFRWS-2019-KAPE-Workshop - Slides, scripts, notes, link, etc. from my 2019 DFRWS KAPE Workshop
  • scrips_configs - Various scripts and config files
  • Process-EventLogs - Process select Event Logs and Event ID's with EvtxECmd
  • mdwiki-examples - A collection of example wesbites created with MDwiki
  • evtx - C# based evtx parser with lots of extras
  • Get-KAPEModuleBinaries - Parses KAPE module files and downloads binaries referenced by BinaryURL
  • kape-min - A sample minimal "install" of KAPE for testing with powershell remoting.