Two More Days to Get an iPad Air w/ Smart Keyboard with any 5 or 6 Day SANS Training - Register Today!


To attend this webcast, login to your SANS Account or create your Account.

FOR572 Network Forensics Preview: DHCP and DNS, 'The Correlators'

  • Thursday, December 12, 2013 at 1:00 PM EST (2013-12-12 18:00:00 UTC)
  • Philip Hagen

You can now attend the webcast using your mobile device!



In this webcast, we'll dive into two network protocols that can provide tremendous benefit to an investigator or analyst. We've cherry-picked key material directly from the upcoming course "FOR572: Advanced Network Forensics and Analysis" to demonstrate actionable steps you can use to improve your investigative processes.

DHCP provides a vital link between network activity and the devices responsible for it. When closely pursuing targets of an investigation - often insider threats or other malicious actors with physical access to the environment - DHCP traffic and logs can provide a quick and direct path to the malicious actor's desk.

On the other hand, DNS traffic and logs provide a "one-stop-shop" to assess network activity across an enterprise that typically uses dozens or hundreds of different protocols and services. Analysts often reap huge benefits by cross-referencing DNS activity with NetFlow/IPFIX data, HTTP proxy logs, or any other evidence containing hostnames or IP addresses. With effective correlation, they can establish a clear understanding of malicious activity - even when the underlying data is encrypted or otherwise inaccessible.

FOR572 covers even more network protocols and investigative methodologies, and this webcast will be a primer that gives you big benefits - today.

Speaker Bio

Philip Hagen

Phil Hagen is the course lead and author of FOR572, Advanced Network Forensics and Analysis, a course that provides a hands-on curriculum on the skills necessary to perform investigations of network-based incidents, where the hard drives or memory of compromised systems are often missing. He is also a DFIR Strategist at Red Canary. Phil started his career as part of a specialization within the computer science department at the U.S. Air Force Academy, where he focused on network security and was an inaugural member of the computer security extracurricular group. He served in the U.S. Air Force as a communications officer at Beale AFB and the Pentagon, and then in 2003 Phil moved over to a position with a government contractor, providing technical services for various IT and information security projects. Now 18 years later, Phil's work has spanned the full life cycle of attacks--tool development, deployment, operational and investigative aftermath--giving him a rare opportunity to provide deep insight into the artifacts left behind. Phil has covered deep technical tasks, management of an entire computer forensic services portfolio and executive responsibilities. He's supported systems that demanded 24x7x365 functionality, managed a team of 85 computer forensic professionals in the national security sector, and provided forensic consulting services for law enforcement, government, and commercial clients. Phil also spends time developing and maintaining the SOF-ELK distribution. SOF-ELK is a virtual appliance that is pre-configured with the ELK stack (Elasticsearch, Logstash, and Kibana), and it is provided as a free tool to help the DFIR Community boost case efficiency and effectiveness. Phil is a mentor and teacher at heart, one of his biggest source of professional pride.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.