Save $200 on Cyber Security Training at SANS Miami 2018. Ends 12/27.

Webcasts

To attend this webcast, login to your SANS Account or create your Account.

DNS Evidence: You Donít Know What Youíre Missing

  • Friday, April 22nd, 2016 at 1:00 PM EDT (17:00:00 UTC)
  • Phil Hagen
This webcast has been archived. You can view the webcast presentation and download the slides by logging into your SANS Portal Account or creating an Account. Click the Register Now button after you have logged in to view the Webcast.

You can now attend the webcast using your mobile device!

Overview

Webcast description: With hundreds of network protocols used in a typical network environment, it's easy to get overwhelmed during an investigation. Similarly, the technical and legal hurdles to proper full-packet-capture operations leaves critical gaps from evidence such as firewall logs, intrusion detection system logs, or NetFlow. However, regardless of the protocols used, the Domain Name System (DNS) is often a commonality that forensicators may overlook. DNS may not be glamorous, but it often provides critical insight and context during network forensic cases. Even alone, passive DNS logs can provide an excellent baseline of activity for any environment.

In this webcast, well explore some simple and effective ways to create logs of DNS traffic, what specific value they can provide for other evidence types, and how to exploit these logs at scale.


Join us at the Digital Forensics & Incident Response Summit in June!

The 9th annual Digital Forensics and Incident Response Summit will once again be held in the live musical capital of the world, Austin, Texas. The Summit brings together DFIR practitioners who share their experiences, case studies and stories from the field. Summit attendees will explore real-world applications of technologies and solutions from all aspects of the fields of digital forensics and incident response, all in one single place.

Summit Dates: June 23-24 | Training Course Dates: June 25-30 | Register at sans.org/dfirsummit.


Speaker Bio

Philip Hagen

Phil Hagen is the course lead and author of FOR572, Advanced Network Forensics and Analysis, a course that provides a hands-on curriculum on the skills necessary to perform investigations of network-based incidents, where the hard drives or memory of compromised systems are often missing. He is also a DFIR Strategist at Red Canary. Phil started his career as part of a specialization within the computer science department at the U.S. Air Force Academy, where he focused on network security and was an inaugural member of the computer security extracurricular group. He served in the U.S. Air Force as a communications officer at Beale AFB and the Pentagon, and then in 2003 Phil moved over to a position with a government contractor, providing technical services for various IT and information security projects. Now 18 years later, Phil's work has spanned the full life cycle of attacks--tool development, deployment, operational and investigative aftermath--giving him a rare opportunity to provide deep insight into the artifacts left behind. Phil has covered deep technical tasks, management of an entire computer forensic services portfolio and executive responsibilities. He's supported systems that demanded 24x7x365 functionality, managed a team of 85 computer forensic professionals in the national security sector, and provided forensic consulting services for law enforcement, government, and commercial clients. Phil also spends time developing and maintaining the SOF-ELK distribution. SOF-ELK is a virtual appliance that is pre-configured with the ELK stack (Elasticsearch, Logstash, and Kibana), and it is provided as a free tool to help the DFIR Community boost case efficiency and effectiveness. Phil is a mentor and teacher at heart, one of his biggest source of professional pride.

Need Help? Visit our FAQ page or email webcast-support@sans.org.

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.