


This webcast has been archived. To view the webcast, log in to your SANS Portal Account or create an account. Once you register, you can download the presentation slides.

FOR572 Course Update from the Future - Where We’re Going, We Don’t Need Roads

  • Wednesday, November 09, 2016 at 11:00 AM EST (2016-11-09 16:00:00 UTC)
  • Philip Hagen




As you know, SANS authors continually update course materials to address the latest threats, tools, and methodologies. This December, the latest version of FOR572 Advanced Network Forensics Analysis goes into production, starting at Cyber Defense Initiative 2016 in Washington DC.

This update includes a more thorough integration of the latest version of the SOF-ELK distribution, for both log aggregation and NetFlow analysis. Students will learn how to load both logs and archived NetFlow to SOF-ELK for efficient, effective analysis. We've also added the Moloch full-packet analysis platform to the materials. Moloch allows the user to load live or previously captured network traffic to a rich and scalable analysis engine. It makes quick work of hunting large captures for critical artifacts of communication.

Additionally, we added the latest versions of numerous tools, new analytic workflows, an updated custom version of the SANS Linux SIFT Workstation, and lots more. Tune into this webcast to get an overview of what's new and exciting in the course starting at CDI. We're really excited to make an already great course even better, and hope you can join us for the fun at one of our upcoming events.


FOR572 Advanced Smartphone Forensics Course

Instructor: Phil Hagen

For more information or to register visit:

Speaker Bio

Philip Hagen

Phil Hagen is the course lead and author of FOR572, Advanced Network Forensics and Analysis, a course that provides a hands-on curriculum on the skills necessary to perform investigations of network-based incidents, where the hard drives or memory of compromised systems are often missing. He is also a DFIR Strategist at Red Canary. Phil started his career as part of a specialization within the computer science department at the U.S. Air Force Academy, where he focused on network security and was an inaugural member of the computer security extracurricular group. He served in the U.S. Air Force as a communications officer at Beale AFB and the Pentagon, and then in 2003 Phil moved over to a position with a government contractor, providing technical services for various IT and information security projects. Now 18 years later, Phil's work has spanned the full life cycle of attacks (tool development, deployment, operational and investigative aftermath), giving him a rare opportunity to provide deep insight into the artifacts left behind. Phil has covered deep technical tasks, management of an entire computer forensic services portfolio and executive responsibilities. He's supported systems that demanded 24x7x365 functionality, managed a team of 85 computer forensic professionals in the national security sector, and provided forensic consulting services for law enforcement, government, and commercial clients. Phil also spends time developing and maintaining the SOF-ELK distribution. SOF-ELK is a virtual appliance that is pre-configured with the ELK stack (Elasticsearch, Logstash, and Kibana), and it is provided as a free tool to help the DFIR Community boost case efficiency and effectiveness. Phil is a mentor and teacher at heart, which is one of his biggest sources of professional pride.
