Ryan's early work led him to join a team of media exploitation analysts working for the U.S. Army in Iraq. During his year in Iraq he helped gather actionable intelligence, streamline processes, and enhance equipment resources for in-country teams. When he returned stateside, Ryan began to work on computer intrusion cases. Since then he's traveled the globe teaching digital forensics for the U.S. State Department's Anti-Terrorism Assistance Program and served as a digital forensics analyst and consultant. Ryan co-authored several of the State Department's digital forensics courses as well as the book Mastering Windows Network Forensics and Investigation, Second Edition.
Today, with more than 12 years of experience in digital forensics investigations, incident response, network forensics, and vulnerability assessments, Ryan teaches the FOR572: Advanced Network Forensics and Analysis course for SANS.
"My favorite part of teaching for SANS- other than meeting some really cool students- is that I get to hear different perspectives and approaches to all the areas we talk about in class," says Ryan. "There's not been one class where I have not learned something from our students, and those nuggets of gold help me be a better practitioner and a better instructor."
Ryan also currently serves as the Global Head of Threat Management at PricewaterhouseCoopers, where he leads the response, readiness and investigations functions. In addition, based on his background, practical forensic experience, and government clearance, Ryan has been regularly called upon to train U.S.-based government departments, international governments, and corporations in the areas of network and digital forensics.
Ryan earned a Master of Science degree from Dalhousie University and two Bachelor's degrees from Queen's University. He has taught college students, professionals, law enforcement, attorneys, and judges. Ryan knows that teaching the process, not the tool, is what gives students information they can put into practice outside of the classroom, and he works tirelessly to ensure every student understands the concepts he's teaching.
"I do my best to come up with unique ways to explain or relate information to people from different backgrounds and experience levels," he explains. "I've explained concepts using analogies like the 'paint can method' for understanding Diffie Hellman key exchanges, and a water pitcher and a glass to explain buffer overflows- inadvertently shorting out a computer at the same time! I don't like to stop until I see the light bulbs go on, so my classes aren't your typical 'download' sessions."
When he's not investigating, teaching, or traveling the world, Ryan uses part of his free time to delve into another of his passions, which is research.
"My research interests involve traffic analysis and potential subversion of IoT devices, specifically the ones I have in my house!" he says. At home, you might find Ryan playing with his kids, making dinner for the family, and brewing small batches of beer. And while he'd like more time for actual brewing, he always finds opportunities to make the process more tech-savvy, like building new controllers for his beer brewing setup!
- More than 12 years of experience in digital forensics investigations, incident response, network forensics, and vulnerability assessments.
- Co-author of the book Mastering Windows Network Forensics and Investigation, Second Edition.
Get to Know Ryan Johnson:
- Read Ryan's blog post on "The Future of Digital Forensics"
- GIAC Certified Network Forensics Analyst (GNFA)
- Certified Information Systems Security Professional (CISSP)
- GIAC Certified Incident Handler (GCIH)
- Member of the SANS Advisory Board
- Listen to Ryan discuss Network Forensics as a guest speaker alongside Phil Hagen on the DNS Evidence: You Don't Know What You're Missing webcast
- Read Ryan's October Editorial Edition of the SANS Ouch Newsletter