Last Day to get an iPad mini, Surface Go 2, or Take $300 Off with OnDemand Training


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

Memory Forensic Baselines: Using Normal to Avoid "Red Herring"

  • Monday, August 24, 2015 at 11:00 AM EDT (2015-08-24 15:00:00 UTC)
  • Alissa Torres

You can now attend the webcast using your mobile device!



As an inherent part of incident response, creation of baselines and incorporation of their use in investigations have been highly effective in identifying malware, and spotting unusual network and user activity. Incident responders now have the ability to apply baselining through live or captured memory analysis due to recent advances in tools and techniques. In this webcast, Alissa will introduce attendees to some direct applications of knowing normal to identify malware as well as avoid time-wasting "red herring", also known to DFIR professionals as the dreaded rabbit hole.

Speaker Bio

Alissa Torres

Alissa Torres is a SANS analyst and certified SANS instructor specializing in advanced computer forensics and incident response (IR). She has extensive experience in information security in the government, academic and corporate environments. Alissa has served as an incident handler and as a digital forensic investigator on an internal security team. She has taught at the Defense Cyber Investigations Training Academy (DCITA), delivering IR and network basics to security professionals entering the forensics community. A GIAC Certified Forensic Analyst (GCFA), Alissa holds the GCFE, GPEN, CISSP, EnCE, CFCE, MCT and CTT+ certifications.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.