Rob Lee

Rob Lee is the Chief Curriculum Director and Faculty Lead at SANS Institute and runs his own consulting business specializing in information security, incident response, threat hunting, and digital forensics. With more than 20 years of experience in digital forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response, he is known as “The Godfather of DFIR”. Rob co-authored the book Know Your Enemy, 2nd Edition, and is course co-author of FOR500: Windows Forensic Analysis and FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics.

More About Rob

Profile

Rob graduated from the U.S. Air Force Academy and served as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on information operations. Later, he was a member of the Air Force Office of Special Investigations (AFOSI) where he led a team conducting computer crime investigations, incident response, and computer forensics.

Prior to starting his own firm, he worked directly with a variety of government agencies, U.S. Department of Defense, and intelligence communities as the technical lead for a vulnerability discovery and an exploit development team, lead for a cyber forensics branch, and lead for a digital forensic and security software development team. Rob was also a director for MANDIANT, a company focused on investigating advanced adversaries, such as the APT, for five years prior to starting his own business.

Rob has more than 20 years' experience in computer forensics, incident response, threat hunting, vulnerability and exploit discovery, and intrusion detection/prevention. Over his career, Rob has worked on both Offensive and Defensive Cyber Operations supporting multiple organizations and agencies in and out of uniform. He co-authored the book Know Your Enemy, 2nd Edition and was recently inducted into the Forensic 4Cast Hall of Fame. Rob is also a co-author of the MANDIANT threat intelligence report M-Trends: The Advanced Persistent Threat. He earned his MBA from Georgetown University in Washington DC and currently lives in the Boston MA area with his family.

What other’s have to say about Rob:

“As a police officer entering the field of digital forensics in the late 2000s, I became familiar with Rob Lee from his appearances on forensics podcasts. His enthusiasm for the profession and his quest to share his knowledge immediately made me a fan. After transitioning to the federal law enforcement side, I was lucky to have Rob as the instructor in my first SANS course, FOR500. Rob started each day by welcoming the class and explaining it was going to be the best day of our forensic lives. His infectious personality fueled his students' enthusiasm, and I still hear his passionate voice explaining prefetch files whenever I start diving into artifacts.” - A former FOR500 attendee

“Rob exceeded all my expectations of him. As a long-time fan of him and his work, it’s an honor to be taught by and to facilitate the class for him. It’s awesome to finally meet your hero!” - A former FOR508 attendee

“I worked with Rob many years ago in AFOSI and, while many things have changed, his passion for DFIR and doing the right thing has remained the same. Rob has truly advanced the knowledge of tens of thousands of professionals around the world with his selfless and relentless approach. Not only have I learned from Rob over the years, but I’ve entrusted the training of my entire team to the educational tracks he’s been so critical in developing.” - A former co-worker

ADDITIONAL CONTRIBUTIONS BY ROB LEE:

WEBCASTS

Threat Hunting Is a Process, Not a Thing: SANS 2018 Survey Results, Part I, September 2018

Threat Hunting in Action: SANS 2018 Survey Results, Part II, September 2018

Introducing the New DFIR “Hunt Evil“ Poster, June 2018

Getting Started with the SIFT Workstation, November 2017

POSTERS

DFIR "Hunt Evil" Poster

Rob's Contributions