Phill Moore

Whether providing evidence to prosecute an offender, stopping an attacker, or saving a business, Phill says that the impact his DFIR work has on people's lives makes it all feel worthwhile. And he has extended his footprint through his research and his work as a SANS as FOR500: Windows Forensic Analysis and FOR528: Ransomware for Incident Responders course instructor.

More About Phill

Profile

Whether providing evidence to prosecute an offender, stopping an attacker, or saving a business, Phill says that the impact his DFIR work has on people's lives makes it all feel worthwhile. And he has extended his footprint through his research and his work as a SANS as FOR500: Windows Forensic Analysis and FOR528: Ransomware for Incident Responders course instructor.

"On a number of occasions, I've had people reach out to me to say that something I've shared or research I've done has helped them with a conviction, and that's really rewarding," Phill explains.

Phill started his career at the State Electronic Evidence Branch (SEEB) in Sydney, Australia providing investigative support by examining electronic devices involved in major crime across the state of New South Wales (NSW). He is now a Lead Investigator at CyberCX, working for fellow SANS Instructor Nick Klein.

Throughout his career, Phill has identified, preserved, analyzed, and presented digital evidence on thousands of devices - including computers, mobile devices, GPS devices, and CCTV systems - in local, state, and federal courts. Now he spends time leading teams to assist small, medium, and large organizations deal with everything from civil investigations and business email compromise to ransomware and nation state threats as an incident responder and forensic analyst.

Phill also writes a weekly blog summarizing industry news and updates. "I try to keep as close to the people pushing the industry forward as I can," he says. "We can all get better by encouraging our peers to document the research they're doing and share it to help the community validate and improve our understanding."

He is also a faculty member of the SANS Technology Institute, an NSA Center of Academic Excellence in Cyber Defense and multiple winner of the National Cyber League competition.

"The SANS DFIR curriculum is aggressively updated and provides an artifact-first, tool-agnostic approach that ensures people aren't relying on the output of their tools, especially when their tools only get them so far," he explains. "SANS courses encourage students to use the best tools for the job, and to go beyond them when they don't present all the information necessary for an investigation."

In his classes, Phill's goal is to help students become effective on Windows devices by showing them how much can be achieved by combining free tools, great training, a solid understanding of the operating system/file system, and some grit.

"At the end of the day, you're responsible for your investigations," he notes. "There are a lot of great tools out there but they all have their shortcomings."

He sees the biggest challenge for students as simply keeping up with the relentless pace of device, operating system and application updates. "The number of devices and data sources is increasing, and being able to effectively cut through the noise to identify what happened on a system is key," he says.

To keep up with innovations, Phill encourages students to keep testing, training, learning, and sharing information. In this regard, he can draw on personal experience. During a former police investigation, Phill uncovered information on a suspect showing that the individual was committing other, very serious offenses that investigators were unaware of. In that case, Phill points to a combination of luck and persistence that identified passwords across devices and ultimately to an arrest and successful prosecution.

Phill has a bachelor's degree in business IT from the University of New South Wales, a postgraduate certificate in computer forensics from the University of South Australia, and a master's degree in cybersecurity (digital forensics) from the University of New South Wales.

He writes a weekly blog called This Week in 4n6 that provides a roundup of news and updates about DFIR, and he produces a monthly podcast covering a selection of important recent articles. Phill also has a personal research blog documenting some of his DFIR research on topics across Endpoint, Mobile, IOT, and cloud evidence sources. Phill's tools and research, including his repository of Business Email Compromise resources (Awesome-BEC) can be found on his Github page. He has also been nominated for Forensic 4Cast every year since 2017, winning the “Resource of the Year” award in 2019.

While Phill's primary interests revolve around forensics and family, he also likes all things superhero, from comic books to TV and movies, and stays active at the gym and on the soccer field. When he's not reading about superheroes or being a DFIR superhero in real life, he enjoys spending time with his wife and children and is constantly searching for more time to hone his guitar-playing skills.

Qualifications Summary

  • Instructor for SANS FOR500: Windows Forensic Analysis course
  • Instructor for SANS FOR528: Ransomware for Incident Responders course
  • Writes a weekly blog called This Week in 4n6 that provides a roundup of news and updates about DFIR, and produces a monthly podcast covering a selection of important recent articles
  • Produces a personal research blog documenting his DFIR research
  • Nominated for various Forensic 4Cast awards

Get to Know Phill Moore

Certifications

  • GIAC Certified Forensic Examiner (GCFE)
  • IACIS Certified Forensic Computer Examiner (CFCE)
  • GIAC Certified Forensic Analyst (GCFA)
  • GIAC Battlefield Forensics and Acquisition (GBFA)
  • Magnet Certified Forensics Examiner (MCFE)

Presentations

  • Enfuse 2018 - Oh! You Were On My List Of People To Meet, 2018
  • SANS DFIR Summit 2018 - Investigating Rebel Scum's Google Home Data, 2018

ADDITIONAL CONTRIBUTIONS BY PHILL MOORE:

WEBCASTS

Getting Started in DFIR: Testing 1,2,3, Feb 2021

Securing Your Future in DFIR, April 2020

www.google.com/search?q=what+does+this+all+mean?, May 2017