Top 11 Reasons Why You Should NOT Miss the SANS DFIR Summit and Training this Year

The SANS DFIR Summit and Training 2018 is turning 11! The 2018 event marks 11 years since SANS started what is today the digital forensics and incident response event of the year, attended by forensicators time after time. Join us and enjoy the latest in-depth presentations from influential DFIR experts and the opportunity to take an array of hands-on SANS DFIR courses. You can also earn CPE credits and get the opportunity to win coveted DFIR course coins!


To commemorate the 11th annual DFIR Summit and Training 2018, here are 11 reasons why you should NOT miss the Summit this year:

1.     Save money! There are two ways to save on your DFIR Summit & Training registration (offers cannot be combined):

·       Register for a DFIR course by May 7 and get 50% off a Summit seat (discount automatically applied at registration), or

·       Pay by April 19 and save $400 on any 4-day or 6-day course, or up to $200 off of the Summit. Enter code “EarlyBird18” when registering.

2.     Check out our jam-packed DFIR Summit agenda!

·       The two-day Summit will kick off with a keynote presentation by Kim Zetter, an award-winning journalist who has provided the industry with the most in-depth and important investigative reporting on information security topics. Her research on such topical issues as Stuxnet and election security has brought critical technical issues to the public in a way that clearly shows why we must continue to push the security industry forward.

·       The Summit agenda will also include a presentation about the Shadow Brokers, the group that allegedly leaked National Security Agency cyber tools, leading to some of the most significant cybersecurity incidents of 2017. Jake Williams and Matt Suiche, who were among those targeted by the Shadow Brokers, will cover the history of the group and the implications of its actions.

·       All DFIR Summit speakers are industry experts who practice digital forensics, incident response, and threat hunting in their daily jobs. The Summit Advisory Board handpicked these professionals to provide you with highly technical presentations that will give you a brand-new perspective on how the industry is evolving to fight even the toughest adversaries. But don’t take our word for it: have a sneak peek at some of the past DFIR Summit talks.


Immerse yourself in six days of the best in SANS DFIR training. Here are the courses you can choose from:

·       FOR500 – Advanced Windows Forensics

·       FOR585 – Advanced Smartphone Forensics

·       FOR610 – Reverse-Engineering Malware

·       FOR508 – Digital Forensics, Incident Response & Threat Hunting

·       FOR572 – Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

·       FOR578 – Cyber Threat Intelligence

·       FOR526 – Memory Forensics In-Depth

·       FOR518 – Mac and iOS Forensic Analysis and Incident Response

·       MGT517 – Managing Security Operations: Detection, Response, and Intelligence

3.    All courses will be taught by SANS’s best DFIR instructors. Stay tuned for more information on the courses we’re offering at the conference in a future post.

4.     Rub elbows and network with DFIR pros at evening events, including networking gatherings and receptions. On the first night of the Summit, we’re going to gather at one of Austin’s newest entertainment venues, SPiN, a ping pong restaurant and bar featuring 14 ping pong tables, lounges, great food, and drinks. Give your overloaded brain a break after class and join us at our SANS Community Night, Monday, June 9 at Speakeasy. We will have plenty of snacks and drinks to give you the opportunity to network with fellow students.

5.     Staying to take a DFIR course after the two-day Summit? Attend SANS@Night talks guaranteed to enrich your DFIR training experience with us. Want to know about threat detection on the cheap and other topics? As for cheap (and in this case, that doesn’t mean weak), there are actions you can take now to make threat detection more effective without breaking the bank. Attend this SANS@Night talk on Sunday evening to learn some baselines you should be measuring against and how to gain visibility into high-value actionable events that occur on your systems and networks.

6.     Celebrate this year’s Ken Johnson Scholarship Recipient, who will be announced at the Summit. This scholarship was created by the SANS Institute and KPMG LLP in honor of Ken Johnson, who passed away in 2016. Early in Ken’s digital forensics career, he submitted to a Call for Presentations and was accepted to present his findings at the 2012 SANS DFIR Summit. His networking at the Summit led to his job with KPMG.

7.     Prove you’ve mastered the DFIR arts by playing in the DFIR NetWars – Coin Slayer Tournament. Created by popular demand, this tournament will give you the chance to leave Austin with a motherlode of DFIR coinage! To win the new course coins, you must answer all questions correctly from all four levels of one or more of the six DFIR Domains: Windows Forensics & Incident Response, Smartphone Analysis, Mac Forensics, Memory Forensics, Advanced Network Forensics, and Malware Analysis. Take your pick or win them all!


8.     Enjoy updated DFIR NetWars levels with new challenges. See them first at the Summit! But not to worry, you will have the opportunity to train before the tournament. You’ll have access to a lot of updated posters that can serve as cheat sheets to help you conquer the new challenges, as well as the famous SIFT WorkStation that will arm you with the most powerful DFIR open-source tools available. You could also choose to do an hour of crash training on how to use some of our Summit sponsors’ tools prior to the tournament. That should help give you an edge, right? That new DFIR NetWars coin is as good as won!

9. The Forensic 4:cast Awards winners will be announced at the Summit. Help us celebrate the achievements of digital forensic investigators around the world deemed worthy of the award by their peers. There is still time to cast your vote. (You may only submit one set of votes; any additional voting will be discounted.) Voting will close at the end of the day on May 25, 2018.

10.  Come see the latest in tools offered by DFIR solution providers. Summit sponsors and exhibitors will showcase everything from managed services covering advanced threat detection, proactive threat hunting, and accredited incident response to tools that deliver rapid threat detection at scale, and reports that provide insights for identifying potential threats before they cause damage.

11.  Last but not least, who doesn’t want to go to Austin?!? When you think Austin, you think BBQ, right? This city isn’t just BBQ, Austin has amazing food everywhere and there’s no place like it when it comes to having a great time. The nightlife and music include the famous 6th Street – which, by the way, is just walking distance from the Summit venue. There are many other landmarks such as Red River, the Warehouse District, Downtown, and the Market District. You will find entertainment of all kinds no matter what you’re up for. Nothing wrong with some well-deserved play after days full of DFIR training, lectures, and networking!

As you can see, this is an event you do not want to miss! The SANS DFIR Summit and Training 2018 will be held at the Hilton Austin. The event features two days of in-depth digital forensics and incident response talks, nine SANS DFIR courses, two nights of DFIR NetWars, evening events, and SANS@Night talks.

The Summit will be held on June 7-8, and the training courses run from June 9-14.

We hope to see you there!

DFIR Monterey 2015 Network Forensics Challenge Released


Join us at DFIR Monterey 2015 – a Reverse Engineering Digital Forensics and Incident Response Education (REDFIRE) Event.

This unique Digital Forensics and Incident Response (DFIR) event brings our most popular forensics courses, instructors, and bonus seminars together in one place to offer one of SANS most comprehensive DFIR training experiences. This is a must-attend event for you and your team as our leading experts focus on building the DFIR skills that will take you to that next level.

Network Forensic Challenge

The objective of the DFIR Monterey 2015 challenge is simple: Download the network forensics dataset and attempt to answer the 6 questions. To successfully submit for the contest, all answers must be attempted. Each person that correctly answers 4 of the 6 questions will be entered into a drawing to win a FREE DFIR OnDemand course. The contest ends on February 3, 2015 and we will announce the winner by February 9, 2015. Good luck!

Win a free DFIR OnDemand course by downloading the network forensic dataset and answering the following questions.



To successfully submit for the contest, all answers must be attempted. Please include your name and email address.

The winner will be able to choose from the below DFIR OnDemand courses:

SANS OnDemand:

SANS OnDemand is the world’s leading comprehensive online training for information security professionals. OnDemand offers more than 25 SANS courses whenever and wherever you want from your computer (Windows, Mac, and Linux), iPad or Android tablet. OnDemand allows you to learn at your own pace, spend extra time on complex principles, reinforce concepts with quizzes, and repeat lab exercises – all of which increases your retention of the course material.

Your course enrollment gives you printed course books, CD/DVDs/USBs/Toolkits for hands-on exercises (as applicable), four months of online access to our OnDemand e-learning platform featuring a top SANS instructor presenting the material, quizzes, and synchronized video demonstrations/interactive labs (as applicable).

The Network Challenge is sponsored by DFIR Monterey 2015. To learn more about DFIR Monterey 2015, please visit


  1. Entry: Each participant may respond only once for the challenge. Contest begins on Monday, December 1, 2014 and ends Tuesday, February 3rd 2015. Responses must be submitted by 9pm EST on February 3rd.
  2. Prize: Each person that correctly answers at least 4 of the 6 questions will be entered into a drawing to win a FREE DFIR OnDemand course. SANS will choose only one winner, the seat is transferable to another in the same organization/company and does not include a certification attempt. The winner will be chosen by February 9th, 2015 and will be notified by email.

Questions regarding the challenge?  Please send to DFIR-Challenge “at” ( )

SANS Cyber Threat Intelligence Summit – Call For Papers Now Open

SANS Cyber Threat Intelligence Summit Call For Papers 2015.

Send your submissions to by 5 pm EST on Friday, October 24, 2014 with the subject

“SANS CTI Summit CFP 2015.”

Summit Dates: February 2 & 3, 2015
Pre-Summit Course Dates: February 4-9, 2015
Location: Washington, DC


Our 3rd annual Cyber Threat Intelligence (CTI) Summit will once again be held in Washington DC.

Summit Co-Chairs: Mike Cloppert and Rick Holland

The goal of this summit will be to equip attendees with knowledge on the tools, methodologies and processes they need to move forward with cyber threat intelligence. Attendees that are either new to CTI or more mature in their CTI journey should be able to take away content and immediately apply it to their day jobs. The SANS What Works in Cyber Threat Intelligence Summit will bring attendees who are eager to hear this information and learn about tools, techniques, and solutions that can help address these needs.

Call for Speakers- Now Open
The 3rd annual Cyber Threat Intelligence Summit Call for Speakers is now open. If you are interested in presenting or participating on a panel, we’d be delighted to consider your user-presented case studies with communicable lessons.

This year, we are focusing on submissions that directly discuss the ingestion, analysis and integration of actionable and accurate CTI. We are also very interested in case studies from groups that use threat intelligence in their security, detection, and response programs. What works? What doesn’t?

The CTI Summit offers speakers opportunities for exposure and recognition as an industry leader. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

Benefits of Speaking

  • Promotion of your speaking session and company recognition via the CTI conference website and all printed materials
  • Visibility via the CTI post-Summit on the SANS Website
  • Top presentations invited to do a full SANS Webcast
  • Full conference badge to attend all Summit sessions
  • Speakers can bring 1 additional attendee for free
  • Private speakers-only networking lunches
  • Speaker networking reception on evening before Summit
  • Speakers may also be recorded and made available via the Internet to a wider audience (at the discretion of SANS).

Submission Requirements

  • Title of Proposed Talk
  • Author Name(s)
  • Author Title
  • Company
  • Speaker Contact Information: Address, phone number, email address
  • Biography
  • Your biography should be approximately 150 words. You may include your current position, titles, areas of professional expertise, experience, awards, degrees, personal information, etc.
  • Abstract
  • The presentation abstract should outline your presentation and what attendees will learn. All content must be strictly educational. The presentation should be relevant to: Media Exploitation Analysts, Legal, Incident Response Teams, Security Operations, and Law Enforcement professionals.
  • Twitter Handle:
  • Google+:
  • Facebook:
  • Blog:
  • YouTube videos featuring you speaking:

Session/panel length: 60 minutes

Presentation: 45 minutes

Question & Answer: 5-10 minutes

Send your submissions to by 5 pm EST on Tuesday, October 24, 2014 with the subject “SANS CTI Summit CFP 2015”

Super Sunday Funday Forensic Challenge

The Challenge: Starting September 4, 2014 on the Hacking Exposed Computer Forensics Blog the first forensic image will be available for download. Your goal is to solve the question with the first forensic image and email it to

The Challenge:

The first forensic image is available for download. Your goal is to solve the question with the first forensic image located at:!qoxgGYCY!1jM32pncF0wE-TROhaXFI07hZbu5AfZ1BJE-p8tm1mo

and email the answer to the following questions to:

  • What was used to wipe this drive?
  • What special options were given?
  • What file was wiped from this drive?

On receiving a correct answer you will be notified that you have entered stage 2 and that another question and image will be sent to you. There are 5 stages, and the player who makes it the farthest with the most correct answers will win!

The Rules:
1.    This will be a multi-stage contest lasting two weeks
2.    Final answers must be in by Sept 15th
3.    9/05/14 The first question will be posted
4.    New questions will be given to those who answer the first question correctly
5.    You can start the contest at any point leading up to Sept 15th; there is no penalty for starting late
6.    All submissions must be sent to, do not post answers in the comments
7.    In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Prize:
A free vLive DFIR Online LIVE Course from SANS, a prize worth $5,000. You can choose from the following:

FOR408: Windows Forensic Analysis
Oct 6, 2014 – Nov 12, 2014
w/ Mike Pilkington & Ovie Carroll

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
Oct 13, 2014 – Nov 19, 2014
w/ Lenny Zeltser & Jake Williams

FOR508: Advanced Incident Response
Oct 14, 2014 – Nov 20, 2014
w/ Jake Williams & Alissa Torres

F-Response Enterprise now in FOR508: Advanced #DFIR

Starting in August 2014, F-Response Enterprise is part of the SANS FOR508 training course, and students will receive it while attending the course.

FOR508 has been updated with cutting-edge Enterprise Incident Response capabilities. Starting with the Virginia Beach course, attendees will receive a 3-month F-Response Enterprise license as part of the course materials. In addition, registering that license with F-Response immediately after the course will allow students to continue to use that license for an additional 3 months added on to the dongle.

Starting this August in upcoming FOR508 courses, each student will receive:

SIFT Workstation 3

  • Virtual Machine used with many of the class hands-on exercises
  • This course uses the SIFT Workstation 3 to teach incident responders and forensic analysts how to respond to and investigate sophisticated attacks.
  • SIFT contains hundreds of free and open source tools, easily matching any modern forensic and incident response commercial tool suite.
  • Ubuntu LTS Base
  • 64 bit base system
  • Better memory utilization
  • Auto-DFIR package update and customizations
  • Latest forensic tools and techniques
  • VMware Appliance ready to tackle forensics
  • Cross compatibility between Linux and Windows
  • Expanded Filesystem Support (NTFS, HFS, EXFAT, and more)

F-Response Enterprise

  • F-Response software provides read-only access to the full physical disk(s) of virtually any networked computer, plus the physical memory (RAM) of Microsoft Windows systems.
  • Deployable agent to remote systems
  • SIFT Workstation 3 Compatible
  • Vendor neutral: works with just about any tool
  • Number of Simultaneous Examiners = Unlimited
  • Number of Simultaneous Agents Deployed = Unlimited
  • Gives any IR or forensic tool the capability to be used across the enterprise
  • Perfect for intrusion investigations and data breach incident response situations
  • License Period = 3 months
  • Note: If you register the F-Response Enterprise dongle you receive in class with F-Response, an extended license for an additional 3 months will be provided, for a total of 6 months of licensed use

64 GB Course USB


  • USB loaded with APT case images, memory captures, SIFT workstation 3, tools, and documentation

SANS DFIR APT Case Exercise Workbook


  • Exercise book is over 250 pages long with detailed step by step instructions and examples to help you become a master incident responder

“File System Forensic Analysis”

  • Best-selling book on deep file system analysis authored by Brian Carrier

Getting the most out of Smartphone Forensic Exams – SANS Advanced Smartphone Forensics Poster Release


There is one certain thing in the DFIR field, and that is that there are far more facts, details and artifacts to remember than can easily be retained in any forensic examiner’s brain. SANS has produced an incredibly helpful array of Posters and Cheat Sheets for DFIR in order to assist examiners with those tidbits of information that can help to jumpstart their forensics exams and/or intrusion and incident response investigations. The most recent addition to the SANS DFIR poster collection is the Advanced Smartphone Forensics Poster, created by SANS FOR585 authors Heather Mahalik, Dominica Crognale, and Cindy Murphy.

These days, digital forensic investigations often rely on data extracted from smartphones, tablets and other mobile devices. Smartphones are the most personal computing device associated with any user, and therefore often provide the most relevant data per gigabyte examined in an investigation. The Advanced Smartphone Forensics Poster will guide you through the elements of the mobile forensic process so that the results of your examination will hold up under scrutiny.

The acquisition of smartphone evidence can be complicated by the large assortment of device makes, models, and operating systems, with varying levels of acquisition support. The Smartphone Acquisition guide included in the poster will guide you through the intricacies of acquiring data from locked and unlocked phones for the major smartphone platforms.

Once data is acquired, interpretation of that data can involve complexities such as data encryption and encoding, and relics of flash memory storage. The Advanced Smartphone Forensics Poster will help you to work through the basics of flash memory data layout, and various types of data encryption and encoding common to Smartphone data to help you get the most out of the acquired evidence.

Commercial tools often miss digital evidence on smartphones and associated applications, and don’t fully address the challenges of mobile malware detection and analysis. The Advanced Smartphone Forensics poster will help walk you through the basic steps of mobile malware detection and analysis, and provides you with common evidence locations for the major smartphone platforms to help you narrow down and efficiently identify data that is important to your investigation.

Use this poster as a handy reference guide to help you remember how to handle smartphones, where to obtain actionable intelligence, and how to recover and analyze data on the latest smartphones and tablets. Whether you’re new to smartphone forensics or you’re an experienced examiner, the SANS Advanced Smartphone Forensics Poster will help you get the most relevant evidence per gigabyte.

Cindy Murphy, SANS Instructor and Co-Author of FOR585

Finding Evil on Windows Systems – SANS DFIR Poster Release

Adding to our ever-growing number of Posters and Cheat Sheets for DFIR, we are proud to announce the availability of a brand new SANS DFIR Poster, “Finding Evil,” created by SANS Instructors Mike Pilkington and Rob Lee.

This poster was released with the SANSFIRE 2014 Catalog, so you might already have one. If you did not receive a poster with the catalog or would like another copy, here is a way to get one. For a limited time, we have set up a website where anyone can easily order one to use in their hunt to “Find Evil.”

Get the “Find Evil Poster” Here

In an intrusion case, spotting the difference between abnormal and normal is often the difference between success and failure. Your mission is to quickly identify suspicious artifacts in order to verify potential intrusions. Use the information in the poster as a reference for locating anomalies that could reveal the actions of an attacker.

One of the biggest challenges that we have in FOR526 Memory Forensics or FOR508 Advanced Incident Response is getting individuals to understand a “normal Windows process list.”

  • What should be there?
  • What is good?
  • What would be a flag or something that would draw our attention?

This training usually begins with a full explanation of how SVCHOST.EXE is abused, then goes further into the heart of the Windows process list: which processes you should expect and which ones are odd.

We quickly move on to discuss where we might find things that are odd on the 2nd side of the poster. The example below discusses looking for code injection, a topic covered in both FOR526 Memory Forensics and FOR508 Advanced Incident Response.
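The “what should be there, and what draws our attention?” questions above come down to comparing a live or memory-derived process list against a baseline of expected parents and image paths. The following script is an added illustration of that idea; it is not the poster’s content or SANS code. The baseline values (expected parent process and on-disk path for a handful of core Windows processes) are assumptions taken from commonly documented Windows behaviour, and the process list it runs over is constructed sample data, including a deliberately planted svchost.exe in a user temp directory and a second lsass.exe.

```python
"""Baseline check for a Windows process list.

Added example (not from the SANS poster): flags processes whose image path,
parent process, or instance count differs from a constructed baseline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


# Constructed baseline (assumption, not poster content): expected parent and
# image path for a few core Windows processes. Validate against your own gold images.
BASELINE = {
    "smss.exe":     {"parent": "system",       "path": r"c:\windows\system32\smss.exe"},
    "wininit.exe":  {"parent": "smss.exe",     "path": r"c:\windows\system32\wininit.exe"},
    "services.exe": {"parent": "wininit.exe",  "path": r"c:\windows\system32\services.exe"},
    "lsass.exe":    {"parent": "wininit.exe",  "path": r"c:\windows\system32\lsass.exe"},
    "svchost.exe":  {"parent": "services.exe", "path": r"c:\windows\system32\svchost.exe"},
}
# Processes of which exactly one instance is expected on a normal system.
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}

# Constructed sample process list (pid, ppid, name, path). PIDs are made up.
SAMPLE_PROCS = [
    Proc(4, 0, "System", ""),
    Proc(380, 4, "smss.exe", r"C:\Windows\System32\smss.exe"),
    Proc(512, 380, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(600, 512, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(612, 512, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    Proc(800, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(1500, 1200, "explorer.exe", r"C:\Windows\explorer.exe"),
    # Planted anomaly: svchost.exe spawned by explorer.exe from a user temp path.
    Proc(2985, 1500, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),
    # Planted anomaly: a second lsass.exe, and its parent is services.exe.
    Proc(3100, 600, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
]


def check_process_list(procs):
    """Return a list of (pid, reason) findings for processes that deviate from BASELINE."""
    by_pid = {p.pid: p for p in procs}
    counts = {}
    for p in procs:
        counts[p.name.lower()] = counts.get(p.name.lower(), 0) + 1

    findings = []
    for p in procs:
        key = p.name.lower()
        rule = BASELINE.get(key)
        if rule is None:
            continue  # not a baselined core process; nothing to compare against
        if p.path.lower() != rule["path"]:
            findings.append((p.pid, f"{p.name}: unexpected image path {p.path}"))
        parent = by_pid.get(p.ppid)
        # A missing parent is normal for some core processes (their smss.exe
        # parent exits after spawning them), so only compare when it is present.
        if parent is not None and parent.name.lower() != rule["parent"]:
            findings.append((p.pid, f"{p.name}: unexpected parent {parent.name} "
                                    f"(pid {parent.pid}), expected {rule['parent']}"))
        # Every instance of a duplicated singleton is flagged so the analyst
        # can compare them side by side rather than guessing which is genuine.
        if key in SINGLETONS and counts[key] > 1:
            findings.append((p.pid, f"{p.name}: {counts[key]} instances running, expected 1"))
    return findings


if __name__ == "__main__":
    for pid, reason in check_process_list(SAMPLE_PROCS):
        print(f"PID {pid}: {reason}")
```

Feeding it real data means mapping a Volatility pslist/pstree dump or a `Get-Process` export into `Proc` records; the comparison logic does not change. Extending the baseline to session-specific details (user context, command line, start order) is where most of the value in the poster’s “normal” column lies, and those fields follow the same pattern.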

Get the “Find Evil Poster” Here

This poster should be on the wall of every Security Operations Center (SOC) where IR teams and analysts hunt down the adversary in your enterprise. It is meant to teach both experts and those who are new in the field the intricacies of “What is normal?” on a Microsoft Windows system. This is part of our dedication to helping and giving back to the security community with contributions like these posters and the SIFT 3.0 workstation.

Poster Credits:

Lead authors -> Mike Pilkington and Rob Lee


  • Jared Atkinson
  • Jason Fossen
  • Jesse Kornblum
  • Doug Koster
  • Kristinn Gudjonsson
  • Kris Harms
  • Joachim Metz
  • David Nides
  • Patrick Olsen
  • Christian Prickarts
  • Elizabeth Schweinsberg
  • Anuj Soni
  • Alissa Torres
  • Jake Williams
  • Tom Yarrish
  • Chad Tilbury
  • Lenny Zeltser

DFIR Summit Specials — Till End of March! #dfir #dfirsummit

Remember starting March 17 2014, use these codes:

  • Summit Only Promotion – Summit for $495. Register with code -> SUMMIT
  • Class & Summit Promotion – Summit for $195 with a class. Register with code -> COURSE

Stay connected via twitter, using hashtag #DFIRsummit, to hear announcements and discussions surrounding the Summit.

Register Now! –

Deadline Approaching – APT Malware and Memory Challenge #DFIRCON

DEADLINE 31 Jan 2014 — Winner Announced – 3 Feb 2014

DFIRCON APT Malware & Memory Challenge

The memory image contains real APT malware launched against a test system. Your job? Find it.

The object of our challenge is simple: Download the memory image and attempt to answer the questions. To successfully submit for the contest, all answers must be attempted. Each person that correctly answers 3 of the 5 questions will be entered into a drawing to win a FREE Simulcast seat at DFIRCON Monterey this March. The contest ends on January 31st, 2014 and we will announce the winner on February 3rd, 2014. Good luck!

Win a free Simulcast Seat at DFIRCON Monterey – by downloading the memory image and answering the following questions.


To successfully submit for the contest, all answers must be attempted. Please include your name and email address.

The winner will be able to choose from the below Simulcast courses at DFIRCON:

SEC504: Hacker Techniques, Exploits & Incident Handling
FOR408: Computer Forensic Investigations – Windows In-Depth
FOR508: Advanced Computer Forensic Analysis and Incident Response
FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

SANS Event Simulcast classes are:

Cost-Effective: You can save thousands of dollars on travel costs, making Event Simulcast an ideal solution for students working with limited training budgets or travel bans.

Engaging: Event Simulcast classes are live and interactive, allowing you to ask questions and share experiences with your instructor and classmates.

Condensed: Complete your course quickly; all SANS Event Simulcast classes take no longer than six days to complete.

Repeatable: Event Simulcast classes are recorded and placed in an online archive in case you have to miss part of the class or just wish to view the material again at a later date.

Complete: You will receive the same books, discs, and MP3 audio files that conference students receive, and you will see and hear the same information as it is presented at the live event.

To learn more about the event, please visit

1. Entry: Each participant may respond only once for the challenge. Contest begins on Monday, December 2nd, 2014 and ends Friday, January 31st, 2014. Responses must be submitted by 9pm EST on January 31st.

2. Prize: Each person that correctly answers at least 3 questions will be entered into a drawing to win a FREE Simulcast seat at DFIRCON Monterey this March. SANS will choose only one winner, the seat is transferable to another in the same organization/company and does not include a certification attempt. The winner will be chosen on February 3rd and will be notified by email.

3. Odds of Winning: The odds of winning the contest depend upon the total number of all eligible entries received in the contest period, regardless of method of participation.

4. Release of Liability: SANS is not responsible for lost, late, or unintelligible entries, lost connections, miscommunications, failed transmissions, other technical difficulties or failures.

APT Malware and Memory Challenge

The memory image contains real APT malware launched against a test system. Your job? Find it.

The object of our challenge is simple: Download the memory image and attempt to answer the 5 questions.



  1. What is the Process ID of the rogue process on the system?
  2. Determine the name of the rogue file that is found in the process (PID) that contains the rogue process found in the above question.
  3. How is the malware achieving persistence on the system?
  4. What is the filename of the file that is hiding the presence of the malware on the system?
  5. What is the name of the ISP that hosts the network the malware is communicating with?

Solution can be found here: