Phill Moore

Phill Moore has always focused on finding fulfillment through his work, which is why he abandoned his initial pursuit of a career as a business analyst to seek out something that really sparked his interest and felt worthwhile. A career in Digital Forensics and Incident Response (DFIR) was the perfect fit.

More About Phill


Whether prosecuting an offender, stopping an attacker, or saving a business, Phill says that the impact his DFIR work has on people's lives makes it all feel worthwhile. And he has extended his footprint through his research and his work as a SANS for FOR500: Windows Forensic Analysis instructor, and as a FOR308: Digital Forensics Essentials course co-author

"On a number of occasions, I've had people reach out to me to say that something I've shared or research I've done has helped them with a conviction, and that's really rewarding," Phill explains.

Phill started his career at the State Electronic Evidence Branch (SEEB) in Sydney, Australia providing investigative support by examining electronic devices involved in major crime across the state of New South Wales (NSW). He is now a Digital Forensic Investigator at Klein & Co, working for fellow SANS Instructor Nick Klein.

Throughout his career, Phill has identified, preserved, analyzed, and presented digital evidence on thousands of devices - including computers, mobile devices, GPS devices, and CCTV systems - in local, state, and federal courts. He is credited with spearheading process improvements and information-sharing among digital forensics professionals in Sydney.

Phill also writes a weekly blog summarizing industry news and updates. "I try to keep as close to the people pushing the industry forward as I can," he says. "We can all get better by encouraging our peers to document the research they're doing and share it to help the community validate and improve our understanding."

When considering an instructor role, Phill chose SANS because he sees its curriculum and instructors as the best available.

"The SANS DFIR curriculum is aggressively updated and provides an artifact-first, tool-agnostic approach that ensures people aren't relying on the output of their tools, especially when their tools only get them so far," he explains. "SANS courses encourage students to use the best tools for the job, and to go beyond them when they don't present all the information necessary for an investigation."

In his classes, Phill's goal is to help students become effective on Windows devices by showing them how much can be achieved by combining free tools, great training, a solid understanding of the operating system/file system, and some grit.

"At the end of the day, you're responsible for your investigations," he notes. "There are a lot of great tools out there but they all have their shortcomings."

He sees the biggest challenge for students as simply keeping up with the relentless pace of operating system and application updates. "The number of devices and data sources is increasing, and being able to effectively cut through the noise to identify what happened on a system is key," he says.

To keep up with innovations, Phill encourages students to keep testing, training, learning, and sharing information. In this regard, he can draw on personal experience. During one of his recent cases, Phill uncovered information on a suspect showing that the individual was committing other, very serious offenses that investigators were unaware of. In that case, Phill points to a combination of luck and persistence that identified passwords across devices and ultimately to an arrest and successful prosecution.

Phill has a bachelor's degree in business IT from the University of New South Wales, a postgraduate certificate in computer forensics from the University of South Australia, and a master's degree in cybersecurity (digital forensics) from the University of New South Wales.

He writes a weekly blog called This Week in 4n6 that provides a roundup of news and updates about DFIR, and he produces a monthly podcast covering a selection of important recent articles. Phill also has a personal research blog documenting some of his DFIR research on topics such as Zone identifiers, examination documentation, and an introduction to mounting APFS volumes on MacOS. Phill's tools, including his GSERPent Google URL Parser and his Homespeak tool for interacting with Google Home devices, can be found on his Github page. He was nominated for the Forensic 4Cast "Blog of the Year" award in 2017 and 2018 and was selected to speak at the SANS DFIR Summit in 2018. In 2019, he was nominated for the Forensic 4Cast "Resource of the Year", "Podcast of the Year", and "Social Media Contributor of the Year".

While Phill's primary interests revolve around forensics and family, he also likes all things superhero, from comic books to TV and movies, and stays active at the gym and on the soccer field. When he's not reading about superheroes or being a DFIR superhero in real life, he enjoys singing to his baby daughter and is constant searching for more time to hone his guitar-playing skills.

Qualifications Summary

  • Instructor for SANS FOR500: Windows Forensic Analysis course
  • Co-author and instructor of the FOR308: Digital Forensics Essentials course
  • Writes a weekly blog called This Week in 4n6 that provides a roundup of news and updates about DFIR, and produces a monthly podcast covering a selection of important recent articles
  • Produces a personal research blog documenting his DFIR research
  • Nominated for the Forensic 4Cast "Blog of the Year" award in 2017 and 2018, and "Resource of the Year", "Podcast of the Year", and "Social Media Contributor of the Year" in 2019.

Get to Know Phill Moore


  • GIAC Certified Forensic Examiner (GCFE)
  • IACIS Certified Forensic Computer Examiner (CFCE)
  • GIAC Certified Forensic Analyst (GCFA)
  • Magnet Certified Forensics Examiner (MCFE)


  • Enfuse 2018 - Oh! You Were On My List Of People To Meet, 2018
  • SANS DFIR Summit 2018 - Investigating Rebel Scum's Google Home Data, 2018
  • SANS Webinar -, 2017

Specialist Courses

  • Magnet AXIOM Examination (AX200), 2019
  • Windows Forensic Analysis (SANS FOR500), 2018
  • X-Ways Forensics & File Systems Revealed, Cbit Digital Forensic Services, 2017
  • The X-Ways Forensics Practitioner's Guide Online and On-Demand Course, Digital Forensics & Incident Response Training, 2017
  • Advanced Digital Forensics, Incident Response, and Threat Hunting (SANS FOR508), 2017
  • Hack It and Track It, Nuix, 2016
  • Windows Forensic Analysis (SANS FOR408), 2016
  • Mac Forensics: Essential Forensic Techniques 1, Blackbag Technologies, 2014
  • Encase Advanced Internet Examinations, Guidance Software, 2013
  • Advanced Photo Forensics, Nasir Memon, 2012
  • Encase Intermediate Computer Forensics Analysis and Reporting, Guidance Software, 2011
  • Cellebrite Universal Forensic Extraction Device (UFED) Introduction , Point Trading Pty Ltd, 2011



Getting Started in DFIR: Testing 1,2,3, Feb 2021

Securing Your Future in DFIR, April 2020, May 2017