Ryan Johnson

As a globe-trotting cyber sleuth, Ryan Johnson is always looking to find the bad guy, and to share his enthusiasm and knowledge about digital forensics along the way. Ryan started out performing digital forensic exams for local law enforcement in Durham, N.C., assisting in homicide, fraud, narcotics, and child exploitation cases. He quickly saw the importance of digital evidence in ensuring that guilty parties are held accountable and innocent parties go free.

Ryan's early work led him to join a team of media exploitation analysts working for the U.S. Army in Iraq. During his year in Iraq he helped gather actionable intelligence, streamline processes, and enhance equipment resources for in-country teams. When he returned stateside, Ryan began to work on computer intrusion cases. Since then he's traveled the globe teaching digital forensics for the U.S. State Department's Anti-Terrorism Assistance Program and served as a digital forensics analyst and consultant. Ryan co-authored several of the State Department's digital forensics courses as well as the book Mastering Windows Network Forensics and Investigation, Second Edition.

Today, with more than 12 years of experience in digital forensics investigations, incident response, network forensics, and vulnerability assessments, Ryan teaches the FOR572: Advanced Network Forensics and Analysis course for SANS.

"My favorite part of teaching for SANS, other than meeting some really cool students, is that I get to hear different perspectives and approaches to all the areas we talk about in class," says Ryan. "There's not been one class where I have not learned something from our students, and those nuggets of gold help me be a better practitioner and a better instructor."

Ryan also currently serves as the Global Head of Threat Management at PricewaterhouseCoopers, where he leads the response, readiness and investigations functions. In addition, based on his background, practical forensic experience, and government clearance, Ryan has been regularly called upon to train U.S.-based government departments, international governments, and corporations in the areas of network and digital forensics.

Ryan earned a Master of Science degree from Dalhousie University and two Bachelor's degrees from Queen's University. He has taught college students, professionals, law enforcement, attorneys, and judges. Ryan knows that teaching the process, not the tool, is what gives students information they can put into practice outside of the classroom, and he works tirelessly to ensure every student understands the concepts he's teaching.

"I do my best to come up with unique ways to explain or relate information to people from different backgrounds and experience levels," he explains. "I've explained concepts using analogies like the 'paint can method' for understanding Diffie-Hellman key exchanges, and a water pitcher and a glass to explain buffer overflows, inadvertently shorting out a computer at the same time! I don't like to stop until I see the light bulbs go on, so my classes aren't your typical 'download' sessions."

When he's not investigating, teaching, or traveling the world, Ryan uses part of his free time to delve into another of his passions, which is research.

"My research interests involve traffic analysis and potential subversion of IoT devices, specifically the ones I have in my house!" he says. At home, you might find Ryan playing with his kids, making dinner for the family, and brewing small batches of beer. And while he'd like more time for actual brewing, he always finds opportunities to make the process more tech-savvy, like building new controllers for his beer brewing setup!

Qualifications Summary:

  • More than 12 years of experience in digital forensics investigations, incident response, network forensics, and vulnerability assessments.
  • Co-author of the book Mastering Windows Network Forensics and Investigation, Second Edition.

Get to Know Ryan Johnson: