
FOR572 Network Forensics Preview: IT'S ALIVE!!! Investigating with Network-based Evidence

  • Friday, November 15th, 2013 at 1:00 PM EST (18:00:00 UTC)
  • Phil Hagen
This webcast has been archived. You can view the webcast presentation and download the slides by logging into your SANS Portal Account or creating an Account.


Today's digital forensic investigations and incident response activities increasingly include a network-based component. But even seasoned disk- and memory-based analysts must consider how this new domain differs from traditional forensic work. This webcast comes straight from "FOR572: Advanced Network Forensics and Analysis" material. We'll cover the challenges and opportunities common network architectures can provide and how to extract as much value as possible from them. We'll also discuss how a proactive approach can aid in the response to incidents that have not yet occurred... or not yet been discovered. Finally, we will cover how to address the unique operational security (OPSEC) requirements inherent in network-based analysis. Incorrect handling of network evidence or analysis activities could cause the attacker to stay fully aware of your investigation's progress, ensuring they remain one step ahead of the good guys. The upcoming FOR572 course will give you a comprehensive foundation on which to build a network forensics capability - this webcast will get you started.

Speaker Bio

Philip Hagen

Philip Hagen has been working in the information security field since 1998, running the full spectrum including deep technical tasks, management of an entire computer forensic services portfolio, and executive responsibilities.

Currently, Phil is a Strategist at Red Canary, where he engages with current and future customers of Red Canary's managed threat detection service to ensure their use of the service is best aligned for success in the face of existing and future threats.

Phil started his security career while attending the US Air Force Academy, with research covering both the academic and practical sides of security. He served in the Air Force as a communications officer at Beale AFB and the Pentagon. In 2003, Phil shifted to a government contractor, providing technical services for various IT and information security projects. These included systems that demanded 24x7x365 functionality. He later managed a team of 85 computer forensic professionals in the national security sector. He has provided forensic consulting services for law enforcement, government, and commercial clients prior to joining the Red Canary team. Phil is also a certified instructor for the SANS Institute, and is the course lead and co-author of FOR572, Advanced Network Forensics and Analysis.
