

This webcast has been archived.

Cloud Storage Forensics: Endpoint Evidence

  • Tuesday, December 03, 2019 at 3:30 PM EST (2019-12-03 20:30:00 UTC)
  • Chad Tilbury




An often-overlooked area of cloud forensics is data and metadata stored on the local device. Unsurprisingly, devices that have synchronized to a cloud storage service may contain a wealth of information relevant to an investigation. Devices regularly record metadata on locally synchronized files in addition to files only present in the cloud. Deleted items may still be recoverable, and files may be present in cloud storage cache folders even when they were not selected for local synchronization. In short, cloud storage data can be more accessible on the local device and can contain files and metadata distinctly different from those in the current cloud repository. However, endpoint collection comes with its own set of challenges. In this webcast, SANS Senior Instructor Chad Tilbury will discuss these challenges and provide a strategy for ensuring you are not missing critical evidence in your investigations.

Speaker Bio

Chad Tilbury

Chad has over 20 years of experience working with government agencies, defense contractors, and Fortune 500 companies. He served as a Special Agent with the Air Force Office of Special Investigations, where he investigated and conducted computer forensics for a variety of crimes, including murder, abduction, espionage, fraud, hacking, intellectual property theft, child exploitation, terrorism, and computer intrusions. He has led international forensic teams, built forensic departments, and spent over eight years as an incident response consultant and technical director with Mandiant and CrowdStrike. Here at SANS, Chad is a senior instructor and co-author for two six-day courses: FOR500: Windows Forensic Analysis, which focuses on the core skills required to become a certified forensic practitioner, and FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics, which teaches sophisticated computer intrusion analysis and advanced threat hunting techniques.
