Top 11 Reasons Why You Should NOT Miss the SANS DFIR Summit and Training this Year

The SANS DFIR Summit and Training 2018 is turning 11! The 2018 event marks 11 years since SANS started what is today the digital forensics and incident response event of the year, attended by forensicators time after time. Join us and enjoy the latest in-depth presentations from influential DFIR experts and the opportunity to take an array of hands-on SANS DFIR courses. You can also earn CPE credits and get the opportunity to win coveted DFIR course coins!


To commemorate the 11th annual DFIR Summit and Training 2018, here are 11 reasons why you should NOT miss the Summit this year:

1.     Save money! There are two ways to save on your DFIR Summit & Training registration (offers cannot be combined):

·       Register for a DFIR course by May 7 and get 50% off a Summit seat (discount automatically applied at registration), or

·       Pay by April 19 and save $400 on any 4-day or 6-day course, or up to $200 off of the Summit. Enter code “EarlyBird18” when registering.

2.     Check out our jam-packed DFIR Summit agenda!

·       The two-day Summit will kick off with a keynote presentation by Kim Zetter, an award-winning journalist who has provided the industry with the most in-depth and important investigative reporting on information security topics. Her research on such topical issues as Stuxnet and election security has brought critical technical issues to the public in a way that clearly shows why we must continue to push the security industry forward.

·       The Summit agenda will also include a presentation about the Shadow Brokers, the group that allegedly leaked National Security Agency cyber tools, leading to some of the most significant cybersecurity incidents of 2017. Jake Williams and Matt Suiche, who were among those targeted by the Shadow Brokers, will cover the history of the group and the implications of its actions.

·       All DFIR Summit speakers are industry experts who practice digital forensics, incident response, and threat hunting in their daily jobs. The Summit Advisory Board handpicked these professionals to provide you with highly technical presentations that will give you a brand-new perspective of how the industry is evolving to fight against even the toughest of adversaries. But don’t take our word for it: have a sneak peek and check out some of the past DFIR Summit talks.


Immerse yourself in six days of the best in SANS DFIR training. Here are the courses you can choose from:

·       FOR500 – Advanced Windows Forensics

·       FOR585 – Advanced Smartphone Forensics

·       FOR610 – Reverse-Engineering Malware

·       FOR508 – Digital Forensics, Incident Response & Threat Hunting

·       FOR572 – Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

·       FOR578 – Cyber Threat Intelligence

·       FOR526 – Memory Forensics In-Depth

·       FOR518 – Mac and iOS Forensic Analysis and Incident Response

·       MGT517 – Managing Security Operations: Detection, Response, and Intelligence

3.    All courses will be taught by SANS’s best DFIR instructors. Stay tuned for more information on the courses we’re offering at the conference in a future article post.

4.     Rub elbows and network with DFIR pros at evening events, including networking gatherings and receptions. On the first night of the Summit, we’re going to gather at one of Austin’s newest entertainment venues, SPiN, a ping pong restaurant and bar featuring 14 ping pong tables, lounges, great food, and drinks. Give your overloaded brain a break after class and join us at our SANS Community Night, Monday, June 9 at Speakeasy. We will have plenty of snacks and drinks to give you the opportunity to network with fellow students.

5.     Staying to take a DFIR course after the two-day Summit? Attend SANS@Night talks guaranteed to enrich your DFIR training experience with us. Want to know about threat detection on the cheap and other topics? As for cheap (and in this case, that doesn’t mean weak), there are actions you can take now to make threat detection more effective without breaking the bank. Attend this SANS@Night talk on Sunday evening to learn some baselines you should be measuring against and how to gain visibility into high-value actionable events that occur on your systems and networks.

6.     Celebrate this year’s Ken Johnson Scholarship Recipient, who will be announced at the Summit. This scholarship was created by the SANS Institute and KPMG LLP in honor of Ken Johnson, who passed away in 2016. Early in Ken’s digital forensics career, he submitted to a Call for Presentations and was accepted to present his findings at the 2012 SANS DFIR Summit. His networking at the Summit led to his job with KPMG.

7.     Prove you’ve mastered the DFIR arts by playing in the DFIR NetWars – Coin Slayer Tournament. Created by popular demand, this tournament will give you the chance to leave Austin with a motherlode of DFIR coinage! To win the new course coins, you must answer all questions correctly from all four levels of one or more of the six DFIR Domains: Windows Forensics & Incident Response, Smartphone Analysis, Mac Forensics, Memory Forensics, Advanced Network Forensics, and Malware Analysis. Take your pick or win them all!


8.     Enjoy updated DFIR NetWars levels with new challenges. See them first at the Summit! But not to worry, you will have the opportunity to train before the tournament. You’ll have access to a lot of updated posters that can serve as cheat sheets to help you conquer the new challenges, as well as the famous SIFT WorkStation that will arm you with the most powerful DFIR open-source tools available. You could also choose to do an hour of crash training on how to use some of our Summit sponsors’ tools prior to the tournament. That should help give you an edge, right? That new DFIR NetWars coin is as good as won!

9. The Forensic 4:cast Awards winners will be announced at the Summit. Help us celebrate the achievements of digital forensic investigators around the world deemed worthy of the award by their peers. There is still time to cast your vote. (You may only submit one set of votes; any additional voting will be discounted). Voting will close at the end of the day on May 25, 2018.

10.  Come see the latest in tools offered by DFIR solution providers. Summit sponsors and exhibitors will showcase everything from managed services covering advanced threat detection, proactive threat hunting, and accredited incident response to tools that deliver rapid threat detection at scale, and reports that provide insights for identifying potential threats before they cause damage.

11.  Last but not least, who doesn’t want to go to Austin?!? When you think Austin, you think BBQ, right? This city isn’t just BBQ; Austin has amazing food everywhere and there’s no place like it when it comes to having a great time. The nightlife and music include the famous 6th Street – which, by the way, is just walking distance from the Summit venue. There are many other landmarks such as Red River, the Warehouse District, Downtown, and the Market District. You will find entertainment of all kinds no matter what you’re up for. Nothing wrong with some well-deserved play after days full of DFIR training, lectures, and networking!

As you can see, this is an event you do not want to miss! The SANS DFIR Summit and Training 2018 will be held at the Hilton Austin. The event features two days of in-depth digital forensics and incident response talks, nine SANS DFIR courses, two nights of DFIR NetWars, evening events, and SANS@Night talks.

The Summit will be held on June 7-8, and the training courses run from June 9-14.

We hope to see you there!

Coin Check: Win the challenge, join the elite list of lethal forensicators & take home a brand new DFIR challenge coin!

Hundreds of SANS Institute digital forensics students have stepped up to the challenge and conquered. They’ve mastered the concepts and skills, beat out their classmates, and proven their prowess. These are the elite, the recipients of the SANS Lethal Forensicator Coin, an award given to a select portion of the thousands of students that have taken any of the SANS Institute Digital Forensics or Incident Response (DFIR) courses. Now, the institute is expanding the opportunity for students to earn these highly coveted tokens in each of the SANS DFIR courses.

Thanks to an effort led by curriculum lead Rob Lee & the SANS DFIR faculty, students can now win specific SANS Lethal Forensicator Coins designed to go with each of the DFIR course themes. These coins are tailored to be icons and the precious prizes to be won by students as a proof and symbol of their mastery in a specific digital forensics specialty.

New DFIR course challenge coins available now:

FOR500: Windows Forensic Analysis

“Ex Umbra in Solem”: From the Shadows into the Light
In today’s digital world, forensics plays a critical role in uncovering the truth. Forensic examiners shine light on the facts of the case, making good decisions possible. And the forces of evil unceasingly develop new ways to hide their activities, forcing us to continually improve our skills to counter them.

FOR508: Advanced Digital Forensics, Incident Response & Threat Hunting

“Non Potestis Celare”: You cannot hide
The most successful incident response teams are evolving rapidly due to near-daily interaction with adversaries. New tools and techniques are being developed, providing better visibility and making the network more defensible. Adversaries can no longer hide.

FOR610: Reverse-Engineering Malware

“R.E.M”: Reverse-Engineering Master

Today, attackers are modifying their malware with increasing frequency to bypass antivirus and other endpoint controls. Through Reverse-Engineering Malware (R.E.M.), analysis masters can isolate the most appropriate Indicators of Compromise (IOCs) to stop and identify malware.

FOR585: Advanced Smartphone Forensics

“Omnis Tactus Vestigium Relinquit”: Every contact leaves a trace
Knowing how to recover all of the data residing on the smartphone is now an expectation in the digital forensics field, and examiners must understand the fundamentals of smartphone handling, data recovery, accessing locked devices, and manually recovering data hiding in the background on the device. There are traces of evidence hiding on the device, and you know how to uncover them.

FOR572: Advanced Network Forensics Analysis

“Malum Loquitur, Bonum Auscultat”: Evil must talk, so good must listen

Network Forensic professionals are hunters with great visibility, who can find a target among a mass of camouflaging data. Wisdom, experience, and stealth are all embodied by the owl’s watchful, unwavering eye, seeking its prey under the cover of darkness. No matter how crafty an adversary may be, their communications will allow the hunter to find, identify, and ultimately eliminate their presence.

FOR518: Mac Forensics

“Impera magis. Aliter cogita”: Command more and think differently.

Apple users have always thought differently and that goes for Apple forensicators too. The analysts who hold this coin take command of their forensic analysis and appreciate looking at the raw data and interpreting it correctly without the necessity of superfluous tools. Knowing where you came from can help you move forward; this is where the hat tip to the original colored Apple logo comes in. New artifacts are presented to analysts in every OS update, and the knowledge of historic elements may provide insight.

FOR578: Cyber Threat Intelligence

“Hominem unius libri timeo”: I fear the man of one book.

FOR578 is all about developing analytical skills: thinking critically and expanding our views, which is a skill that applies to any security profession. The quote is attributed to Thomas Aquinas and despite the common use of the phrase (which is meant to deride the person who is not well studied across multiple subjects) the original meaning was to state that a person who understood one good book well could defeat their opponent. Thus, this phrase can be interpreted two entirely different ways. Both are about self-education and broadening our views on the world.

FOR526: Memory Forensics In-Depth

“Cur mihi oculi dolent?” Why do my eyes hurt?

Memory forensics reveals deeper insights into the state of a compromised system and stands as the best source for detection of malware and OS/process manipulation/subversion. These analysis methods reveal key evidence which may not be uncovered through querying the operating system or digging through network packets. This quote comes from the original Matrix movie, a question Neo asks of Morpheus when he first wakes from his life in the artificial reality created by sentient machines. It is this awakening and raw view of reality that we as forensic examiners/incident responders strive to achieve through deeper analysis of system memory.


DFIR Netwars

Staying up-to-date with the latest challenges in the digital forensics field demands analytical skills that cannot be gained by just reading a textbook. Just like firemen could never learn the skills of how to fight a fire by just studying theory, incident responders, threat hunters, and digital forensic investigators can test their skills with DFIR Netwars.

New DFIR Challenge coin back design:

The challenges for each course are held on the last day. Students must successfully overcome a number of obstacles, directly compete against fellow students, and prove their proficiency during timed, hands-on incidents. The obstacles, competitions and hands-on scenarios have been created by SANS’ top instructors – digital forensics practitioners, subject matter experts, experienced teachers and professional leaders in their own right. At the end of the challenge, the instructor announces the winner(s) who are awarded the coins at the end of the 6th day of class and winners are later on listed on the SANS Institute’s virtual wall of Lethal Forensicator Coin Holders.


History of the SANS Challenge coins:

The coin – more precisely, Round Metal Object (RMO) – was initially created to recognize students who demonstrate exceptional talent, contributions, or who serve as leaders in the digital forensics profession and community. The coin is meant to be an honor; it is also intended to be rare. SANS Institute uses the coins to identify and honor those who excel at detecting and eradicating threats, understand the critical importance of cybersecurity and continually strive to further not only their knowledge but also the knowledge of the entire digital forensics field. They actively share their experience and encourage learning through participation in the community and are typically leaders in the digital forensics and incident response community.

Those who are awarded the Lethal Forensicator are also bestowed special privileges and recognition, including participation in the so-called and well-regarded “coin check” challenge and response.

“Coin check” Challenge:

Initiated by one coin holder to another, a coin check typically begins by a challenger holding his or her coin in the air or slamming it on a table and yelling “coin check!” All who are challenged must respond by showing their coins to the challenger within 10 seconds, and whoever fails to do so must buy everyone a round of drinks. If all the challenged coin holders do produce their coin, the challenger must buy the round of drinks. (By the way, if you accidentally drop your coin and it makes an audible sound on impact, then you’ve “accidentally” initiated a coin check. And, there are no exceptions to the rules!)

Coin checks aside, there are other ways to win the DFIR Challenge coins besides being an exceptional DFIR student and winning the classroom challenges. Each GOLD GCFA, GREM, GCFE member that has written a published white paper that has furthered the field of research in the Digital Forensics field receives a coin, as do SANS Digital Forensics Blog authors who have written six published entries over a one-year span. In addition, speakers and panelists who participate at a SANS Digital Forensic Summit are awarded coins (vendors and vendor-related speakers are not eligible). Finally, any coin holder can nominate an individual in the digital forensics field who has contributed knowledge, tools or service.

For more information on our SANS DFIR courses, please visit our Forensics Courses list. And to read more about the coin and the history of the term “Forensicator,” check out our Community – Lethal Forensicator Coin page.

4 Cheat Sheets for Malware Analysis

What tools can assess a suspicious RTF file? How to deobfuscate a JavaScript attachment? Where to set breakpoints for unpacking a malicious executable? What utilities can intercept C2 traffic in the lab? How do the various reverse-engineering methods fit together?

So much to remember! I created 4 cheat sheets to make it easier to recall answers to these and many other malware analysis questions.

Some of these cheat sheets have been around for a while; I recently updated them to reflect the latest tools and techniques. The one listed first is brand new:

I placed a 1-page limit on each of these cheat sheets to force myself to be selective and succinct. As a result, their contents are quite condensed. You’re welcome to print PDF versions of each file or modify Microsoft Word versions for your own needs.

Many of the tools and techniques captured in these cheat sheets are covered in the FOR610: Reverse-Engineering Malware course I’ve co-authored at SANS.

For additional references from SANS faculty members, see the Community: Cheat Sheets page on the SANS Digital Forensics and Incident Response site.

— Lenny Zeltser

Lenny Zeltser is a senior instructor at SANS Institute and a VP of Products at Minerva. He is active on Twitter.

Using ProcDOT Plugins to Examine PCAP Files When Analyzing Malware

ProcDOT is a free tool for analyzing the actions taken by malware when infecting a laboratory system. ProcDOT supports plugins, which can extend the tool’s built-in capabilities. This article looks at two plugins that help examine contents of the network capture file loaded into ProcDOT. If you’re not already familiar with ProcDOT, review its documentation before proceeding.

As of this writing, the tool comes with the Servers List plugin. In addition, you can install the Extract Files From PCAP plugin, mentioned below, from its GitHub repository. If you’re using the REMnux distribution, you will find ProcDOT and these plugins already installed and configured (run the “update-remnux” command to get the latest versions).

The directory structure of ProcDOT files includes the “plugins” subdirectory. This is where you should copy the files that implement the plugins. Once the plugins have been installed, they will be visible in the Plugins menu of ProcDOT. However, you won’t be able to actually use the plugins until after you’ve loaded the data files that you want to analyze.


The Servers List plugin, written by ProcDOT’s author Christian Wojner, generates a listing of hostnames and IP addresses from the loaded PCAP file, as shown below. It’s not an earth-shattering feature, but this can be handy if the network capture includes a lot of systems.


The plugin Extract Files From PCAP was created by Brian Maloney. It allows you to extract files transferred during the network session that was captured in the PCAP file. After asking you to specify the output directory, this plugin saves the carved files there.


Though standalone PCAP carving and mining tools exist, it’s convenient to perform such tasks within ProcDOT if you’re already using the tool for examining other aspects of the infected system in your malware analysis lab.

— Lenny Zeltser

Lenny Zeltser teaches malware analysis at SANS Institute and focuses on safeguarding customers’ IT operations at NCR Corp. He is active on Twitter and writes a security blog.

How to Install SIFT Workstation and REMnux on the Same Forensics System

Having the right tools at your fingertips can save hours and even days when examining digital evidence or analyzing malicious artifacts. You can now install two popular Linux distros, SIFT Workstation and REMnux, on the same system to create a powerful toolkit for digital forensics and incident response. To quote @ma77bennett, this combo is reminiscent of “Transformers combining together to form a super robot.”

You can start with SIFT and then add REMnux, or begin with REMnux and add SIFT to it. If you prefer the look and feel of SIFT Workstation, use SIFT as the starting point. If you like the look of REMnux, start with that one.

Option 1: Add REMnux to SIFT Workstation

If you wish to start with SIFT Workstation, make sure you have the latest version of SIFT running on Ubuntu 14.04 64-bit. Follow instructions to download SIFT as a pre-built virtual appliance or use the SIFT bootstrap script to install it.

After booting into SIFT Workstation and making sure that it has Internet access, run the following command to install REMnux on it:

wget --quiet -O - | sudo bash

You’ll need to enter the SIFT user’s password when prompted. By default, the password on the SIFT Workstation’s virtual appliance is “forensics”.


The REMnux installer will run for a while, depending on the speed of your Internet connection and the strength of your system. Once it completes, reboot the system. In this configuration, REMnux will not replace the SIFT skin, and your system will look like a standard SIFT Workstation with the exception of a few REMnux documentation shortcuts that the installer will add to the desktop.

Option 2: Add SIFT Workstation to REMnux

If you wish to start with a REMnux system, make sure you have REMnux installed according to its installation instructions to get a REMnux virtual appliance or use the REMnux installer script to bootstrap its installation.

Note that the REMnux virtual appliance is configured to use little RAM by default; if planning to install SIFT into the same virtual machine, increase the RAM to at least 4GB. Also, if using the REMnux installation machine to install REMnux on a compatible system of your own, be sure to allocate enough RAM and disk space to accommodate your SIFT plans.

After booting into REMnux and making sure that it has Internet access, run the following command to install SIFT on it:

wget --quiet -O - | sudo bash -s -- -i -s -y

The SIFT installation script will run for a while, depending on the speed of your Internet connection and the strength of your system. Once it completes, reboot the system.


In this configuration, SIFT will not replace the REMnux branding and your system will look like a standard REMnux system, with the exception of a few SIFT documentation shortcuts that the installer will add to the desktop.


Updating the SIFT+REMnux System

To keep your system up to date with the upgraded and newly-added software, periodically run the following update scripts for SIFT and REMnux, preferably in the order in which you’ve installed the two distros, such as:


There you have it, two powerful forensics-focused distros combined in one super-toolkit. Be sure to read REMnux and SIFT documentation sites for each distribution to learn how to use the powerful utilities now available at your fingertips.

— Lenny Zeltser


Installing the REMnux Virtual Appliance for Malware Analysis

The REMnux project provides a lightweight Linux distribution for assisting malware analysts with reverse-engineering malicious software. The REMnux distro is available as a virtual appliance OVA file in the Open Virtualization Format, which can be imported into most virtualization tools, such as VMware and VirtualBox. REMnux is used by many malware analysts and is incorporated into SANS’ FOR610: Reverse-Engineering Malware course.

If you’re interested in adding SIFT Workstation capabilities after installing REMnux using the instructions below, follow the steps outlined in the article How to Install SIFT Workstation and REMnux on the Same Forensics System.

Installing the REMnux Virtual Appliance With VMware

Install the VMware tool of your choice, such as VMware Player (free), or VMware Workstation (paid) or VMware Fusion (paid). Download the REMnux OVA file by following the link from the project’s website. If using VMware Player, don’t double-click this file to open it due to a problem on some VMware Player installations. Instead, open VMware Player, select “Open a Virtual Machine” and point to the downloaded OVA file. It’s OK to double-click the file if using VMware Workstation or Fusion.

In the Import Virtual Machine window, specify the name for the VMware virtual machine you will create out of the OVA file and point to the location where the virtual machine’s files will be stored. Click Import.

Importing REMnux virtual appliance into VMware Player or Workstation

VMware will create the REMnux virtual machine in the designated folder. The import process can take 10-30 minutes, depending on the speed of your system. Once this is done, you can delete the OVA file that you’ve downloaded. You don’t need that file to run the imported virtual system.

Prior to starting the virtual machine, consider modifying its properties, perhaps allocating more RAM to it, if you wish.

For step-by-step instructions with screenshots, see the VMware Workstation-specific slideshow.

Installing the REMnux Virtual Appliance With VirtualBox

Install VirtualBox. Download the REMnux OVA file by following the link from the project’s website and double-click on it. Alternatively, open the file from the VirtualBox user interface using File > Import Appliance and point to the downloaded OVA file.

There is no need to extract contents of the OVA file manually before importing it. Simply load the OVA file into your virtualization software to begin the import. If you attempt to extract OVA file’s contents and try importing the embedded OVF file in VirtualBox, you will likely encounter an error, such as “could not verify the content of against the available files, unsupported digest type.”

In the Import Virtual Appliance window click Import. If necessary, modify parameters of the virtual machine, such as its name and how much RAM you’d like to allocate to it.

VirtualBox will create the REMnux virtual machine in the designated folder. The import process can take 10-30 minutes, depending on the speed of your system. Once this is done, you can delete the OVA file that you’ve downloaded. You don’t need that file to run the imported virtual system.

For step-by-step instructions with screenshots, see the VirtualBox-specific slideshow.
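
The digest check behind the VirtualBox error quoted above, shown as an added example (not code from REMnux, VirtualBox or the original article): it verifies an OVA's embedded manifest without extracting the archive. It assumes the "ALGO(file)= hex" manifest line format of the OVF specification; the sample archive, its file names and the function names are constructed for illustration.

```python
import hashlib
import io
import re
import tarfile

# Manifest (.mf) line format assumed from the OVF specification, e.g.
#   SHA256(appliance-disk1.vmdk)= <hex digest>
MANIFEST_LINE = re.compile(
    r"^(?P<algo>[A-Za-z0-9]+)\((?P<name>.+)\)\s*=\s*(?P<hex>[0-9A-Fa-f]+)$"
)
SUPPORTED = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def verify_ova(ova):
    """Check every manifest entry of an OVA (file path or binary file object).

    Returns {member_name: status}; status is "ok", "mismatch", "missing",
    "unlisted" (in the archive but not covered by the manifest) or
    "unsupported digest type <ALGO>".
    """
    opener = {"name": ova} if isinstance(ova, str) else {"fileobj": ova}
    results = {}
    with tarfile.open(mode="r:", **opener) as tar:  # an OVA is a plain tar
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        manifests = [n for n in members if n.lower().endswith(".mf")]
        if not manifests:
            raise ValueError("OVA contains no .mf manifest to verify against")
        text = tar.extractfile(members[manifests[0]]).read().decode("utf-8")
        for line in text.splitlines():
            match = MANIFEST_LINE.match(line.strip())
            if not match:
                continue
            algo, name = match["algo"].upper(), match["name"]
            if algo not in SUPPORTED:
                results[name] = f"unsupported digest type {algo}"
            elif name not in members:
                results[name] = "missing"
            else:
                digest = SUPPORTED[algo]()
                stream = tar.extractfile(members[name])
                for chunk in iter(lambda: stream.read(1 << 20), b""):
                    digest.update(chunk)  # hash in 1 MiB chunks, no extraction
                ok = digest.hexdigest() == match["hex"].lower()
                results[name] = "ok" if ok else "mismatch"
        # Anything the manifest does not mention is not integrity-protected.
        for name in members:
            if name not in results and not name.lower().endswith((".mf", ".cert")):
                results[name] = "unlisted"
    return results


def build_sample_ova(tamper=False, algo="SHA256"):
    """Constructed sample: a tiny in-memory OVA with a descriptor, disk and manifest."""
    files = {
        "sample.ovf": b"<Envelope>constructed descriptor</Envelope>",
        "sample-disk1.vmdk": b"constructed disk bytes" * 64,
    }
    hasher = SUPPORTED.get(algo, hashlib.sha256)
    manifest = "".join(
        f"{algo}({name})= {hasher(data).hexdigest()}\n" for name, data in files.items()
    )
    if tamper:  # alter the disk after the manifest digests were computed
        files["sample-disk1.vmdk"] += b"\x00"
    files["sample.mf"] = manifest.encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for label, ova in [("clean", build_sample_ova()), ("tampered", build_sample_ova(tamper=True))]:
        print(label, verify_ova(ova))
```

Because the manifest travels inside the same archive, this check catches a corrupted or incomplete download rather than a deliberately replaced file; for that, compare the hash of the whole OVA against a value obtained from the project over a separate channel.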

Update REMnux Software After Importing

Click Start to power up your REMnux virtual machine, then run the following command on REMnux to update its software:

update-remnux full

This will allow you to benefit from any enhancements introduced after the virtual appliance has been packaged. Your system needs to have Internet access for this to work.

For more information about REMnux and to download its virtual appliance, visit  As an alternative to downloading the virtual appliance, you can run the REMnux installation script on an existing compatible system, as described in the distro’s documentation.

— Lenny Zeltser