DFIR Summit 2019 Call for Presentations (CFP) Now Open



The 2019 DFIR Summit CFP is now open through 5 pm CST on Monday, March 4th.

The 12th annual SANS Digital Forensics & Incident Response (DFIR) Summit is the most comprehensive DFIR event of the year, bringing together an influential group of experts, immersion-style training, and industry networking opportunities in one place.

Summit talks will explore real-world applications of technologies and solutions from all aspects of the fields of digital forensics and incident response. All talks should be technical and specific and provide actionable takeaways.

The DFIR Summit offers speakers the opportunity to present their latest tools, findings, and methodologies to their DFIR industry peers. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

We are looking for proposed presentations on topics including, but not limited to:

  • Case studies in Digital Forensics, Incident Response, or Media Exploitation that solve a unique problem
  • New forensic or analysis tools and techniques
  • Discussions of new artifacts related to Cloud, Smartphones, Windows, and Mac platforms, malware reverse engineering, or network communications
  • Improving the status quo of the DFIR industry by sharing novel approaches
  • Challenges to existing assumptions and methodologies that might change the industry
  • New analytic techniques that can extract and analyze data more rapidly and/or at a larger scale

Benefits of Speaking

  • Promotion of your speaking session and company recognition via the DFIR Summit website and all printed material
  • Visibility via the DFIR post-Summit on the SANS DFIR Website
  • Full conference badge to attend all Summit sessions
  • Speakers can bring 1 additional attendee for free to attend the summit
  • Private speakers-only networking lunches
  • Speakers-only networking reception on the evening before Summit
  • Continued presence and thought leadership in the community via the SANS DFIR YouTube channel

Who Should Submit

Diversity of thought is critical to any organization’s success, and SANS Summits encourage participation by everyone regardless of age, culture, ethnicity, sexual orientation, or gender identification. Whatever your background, whoever you are, we encourage you to respond to a CFP. We welcome people who are newer to the field or who have not yet done any public speaking, and we can provide mentoring and guidance to help you develop an impactful presentation.

Most talks will be 35 minutes of content + 5 minutes of Q&A. However, we are always interested in exploring new formats, especially for interactive learning.

Monday, March 4, 2019 | 5 pm CST

CFP Submissions must be made via our online form.

Invite – SANS #DFIR Free Open House And Community Night – Dec 10 2012 – Wash D.C.

We would like to invite you to a free and open DFIR Community reception and talks at the SANS Digital Forensics and Incident Response Campus at CDI 2012 in Washington D.C.

Join us and network with others in the DFIR community then stay for a few evening DFIR presentations.


Monday, December 10th

The Dupont Circle Hotel
1500 New Hampshire Ave Nw
Washington DC 20036


Schedule for Dec 10th

6:00pm – 7:00pm SANS DFIR Campus Open House Community Reception (w/ food and drinks)
7:15pm – 8:15pm “Malware Analysis using REMnux” w/ Lenny Zeltser
8:15pm – 9:15pm “Detecting Persistence Mechanisms” w/ Alissa Torres

Open House and Evening Events at the DFIR Campus on December 10th are fully open to the public. Please register to attend the Open House and evening presentations here: https://www.sans.org/bonus-sessions/register/1427/24463


Synopsis of Talks

 “Malware Analysis using REMnux” w/ Lenny Zeltser

Though some tasks for analyzing Windows malware are best performed on Windows laboratory systems, there is a lot you can do on Linux with the help of free and powerful tools. REMnux is an Ubuntu distribution that incorporates many such utilities. This practical session presents some of the most useful REMnux tools. Lenny Zeltser, who teaches SANS’ reverse-engineering malware course, will share how you can use the utilities installed on REMnux to:

– Study network interactions of malicious programs

– Analyze malicious websites and obfuscated JavaScript

– Examine malicious PDF documents

– Explore important aspects of suspicious Windows executables

– Identify malware artifacts in memory snapshot files

If you haven’t experimented with Linux-based tools for malware analysis, you’ve been missing out. And if you’ve been meaning to begin exploring the field of malware analysis, this talk will help you get started.

8:15pm – 9:15pm “Detecting Persistence Mechanisms” w/ Alissa Torres

Artifacts of persistence, created by an attacker so that their malware survives on a system, are often important leads for unraveling the adversary’s methodologies. These techniques, including registry keys, scheduled tasks and other methods, can be excellent indicators for the signature creation used in enterprise scanning. How do you find these valuable artifacts? What tools can you use to aid in their discovery? This presentation covers the common persistence techniques used in today’s malware and the forensic techniques and tools that can be used to uncover them.

We look forward to seeing you at the DFIR Campus in December! Again – please register to attend the Open House and evening presentations here: https://www.sans.org/bonus-sessions/register/1427/24463

Network Forensics (FOR558) in Arlington, VA

Now that the holidays are over, it’s time to re-focus on challenges ahead. That includes training to help you to successfully tackle those tasks ahead in the new year. It’s an ideal time to join Phil Hagen in Arlington, VA for FOR558: Network Forensics. This course has been in high demand, and now you’ll be able to attend in a small-class setting afforded by a community event. The course runs from Feb 6 to Feb 10, 2012, and registration is open now.

Network communications have continued to grow at a breakneck pace. This has resulted in the incorporation of network-based evidence in forensic investigations. Traditionally, these investigations were dominated by the analysis of data at rest, collected from magnetic and optical media. More recently, memory analysis has found a place in the forensic process. Now, we need to consider network-based data to establish a more complete picture of actions a subject has taken during a period of interest. In the case of a savvy attacker who diligently covered his or her tracks, network data may be the only evidence an incident even occurred.

“Deep packet analysis proved multiple tools and techniques for analyzing packets and recreating the events associated with the captures.” -Nicholas Brink, Nationwide

Network forensics often involves analysis at the packet level, and you’ll spend a lot of time with Wireshark and other low-level tools. You’ll also learn how log data from network infrastructure devices can help close the analytical gaps left after performing media forensics on a system.

“Exactly the training I need to understand what’s happening on the wire.” -Mike Ryan, UBC

This community SANS event will teach you the skills and tools needed to incorporate network forensics into your existing procedures. You’ll cover the same 5-day curriculum offered at larger conferences, while conserving your organization’s travel budget. Class sizes are also smaller, providing a course experience more tailored to students’ needs. Although the course won’t solely consist of government employees, Phil’s background with both the government and commercial sectors will ensure everyone will receive actionable training for their case load.

“I would give this course four and a half (4.5) out of five (5) stars and highly recommend it to any #DFIR practitioner.” “The lab exercises and course material give the student practical application immediately, plus you get the SNIFT VM, supplement exercises, VMs, and puzzles.” -Brad, Digital Forensic Source Blog

Register to join us in Arlington this February – you won’t want to miss it!

Instructor Biography

Phil Hagen started his security career over 15 years ago while attending the US Air Force Academy, with research covering both the academic and practical sides of security.  He served in the Air Force as a Communications Officer, and was assigned to a base-level “Year 2000” project management office.  The plans he helped create were later used during California’s rolling power blackouts.  At the Pentagon, he later managed a support team serving 200 analysts.

In 2003, Phil shifted to a government contractor, providing technical services for exotic IT security projects.  These included systems that demanded 24x7x365 functionality.  He supported the design, deployment, and support of a specialized network for 100 security engineers in ten offices.  He later managed a team of 85 computer forensic professionals, holding P&L responsibilities for the business line.

Recently, Phil formed Lewes Technology Consulting, LLC.  He applies his IT and security experience to small and medium businesses as they track toward their business goals, and performs forensic casework and infosec training.

Winter 2012 Digital Forensic and Incident Response Community Events


FOR508 – ADVANCED FORENSICS AND IR – SAN ANTONIO – Mon, Jan 30, 2012 – Sat, Feb 4, 2012

FOR408 – WINDOWS FORENSICS – MIAMI – Mon, Feb 6, 2012 – Sat, Feb 11, 2012

FOR408 – WINDOWS FORENSICS – LOS ANGELES – Mon, Feb 6, 2012 – Sat, Feb 11, 2012

FOR558 – NETWORK FORENSICS – ARLINGTON VA – Mon, Feb 6, 2012 – Fri, Feb 10, 2012

FOR408 – WINDOWS FORENSICS – VAIL COLORADO – Mon, Mar 26, 2012 – Sat, Mar 31, 2012