Top 11 Reasons Why You Should NOT Miss the SANS DFIR Summit and Training this Year

The SANS DFIR Summit and Training 2018 is turning 11! The 2018 event marks 11 years since SANS started what is today the digital forensics and incident response event of the year, attended by forensicators time after time. Join us and enjoy the latest in-depth presentations from influential DFIR experts and the opportunity to take an array of hands-on SANS DFIR courses. You can also earn CPE credits and get the opportunity to win coveted DFIR course coins!


To commemorate the 11th annual DFIR Summit and Training 2018, here are 11 reasons why you should NOT miss the Summit this year:

1.     Save money! There are two ways to save on your DFIR Summit & Training registration (offers cannot be combined):

·       Register for a DFIR course by May 7 and get 50% off a Summit seat (discount automatically applied at registration), or

·       Pay by April 19 and save $400 on any 4-day or 6-day course, or up to $200 off of the Summit. Enter code “EarlyBird18” when registering.

2.     Check out our jam-packed DFIR Summit agenda!

·       The two-day Summit will kick off with a keynote presentation by Kim Zetter, an award-winning journalist who has provided the industry with the most in-depth and important investigative reporting on information security topics. Her research on such topical issues as Stuxnet and election security has brought critical technical issues to the public in a way that clearly shows why we must continue to push the security industry forward.

·       The Summit agenda will also include a presentation about the Shadow Brokers, the group that allegedly leaked National Security Agency cyber tools, leading to some of the most significant cybersecurity incidents of 2017. Jake Williams and Matt Suiche, who were among those targeted by the Shadow Brokers, will cover the history of the group and the implications of its actions.

·       All DFIR Summit speakers are industry experts who practice digital forensics, incident response, and threat hunting in their daily jobs. The Summit Advisory Board handpicked these professionals to provide you with highly technical presentations that will give you a brand-new perspective on how the industry is evolving to fight even the toughest adversaries. But don’t take our word for it: have a sneak peek at some of the past DFIR Summit talks.


Immerse yourself in six days of the best in SANS DFIR training. Here are the courses you can choose from:

·       FOR500 – Advanced Windows Forensics

·       FOR585 – Advanced Smartphone Forensics

·       FOR610 – Reverse-Engineering Malware

·       FOR508 – Digital Forensics, Incident Response & Threat Hunting

·       FOR572 – Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

·       FOR578 – Cyber Threat Intelligence

·       FOR526 – Memory Forensics In-Depth

·       FOR518 – Mac and iOS Forensic Analysis and Incident Response

·       MGT517 – Managing Security Operations: Detection, Response, and Intelligence

3.    All courses will be taught by SANS’s best DFIR instructors. Stay tuned for more information on the courses we’re offering at the conference in a future post.

4.     Rub elbows and network with DFIR pros at evening events, including networking gatherings and receptions. On the first night of the Summit, we’re going to gather at one of Austin’s newest entertainment venues, SPiN, a ping pong restaurant and bar featuring 14 ping pong tables, lounges, great food, and drinks. Give your overloaded brain a break after class and join us at our SANS Community Night, Monday, June 9 at Speakeasy. We will have plenty of snacks and drinks to give you the opportunity to network with fellow students.

5.     Staying to take a DFIR course after the two-day Summit? Attend SANS@Night talks guaranteed to enrich your DFIR training experience with us. Want to know about threat detection on the cheap and other topics? As for cheap (and in this case, that doesn’t mean weak), there are actions you can take now to make threat detection more effective without breaking the bank. Attend this SANS@Night talk on Sunday evening to learn some baselines you should be measuring against and how to gain visibility into high-value actionable events that occur on your systems and networks.

6.     Celebrate this year’s Ken Johnson Scholarship Recipient, who will be announced at the Summit. This scholarship was created by the SANS Institute and KPMG LLP in honor of Ken Johnson, who passed away in 2016. Early in Ken’s digital forensics career, he submitted to a Call for Presentations and was accepted to present his findings at the 2012 SANS DFIR Summit. His networking at the Summit led to his job with KPMG.

7.     Prove you’ve mastered the DFIR arts by playing in the DFIR NetWars – Coin Slayer Tournament. Created by popular demand, this tournament will give you the chance to leave Austin with a motherlode of DFIR coinage! To win the new course coins, you must answer all questions correctly from all four levels of one or more of the six DFIR Domains: Windows Forensics & Incident Response, Smartphone Analysis, Mac Forensics, Memory Forensics, Advanced Network Forensics, and Malware Analysis. Take your pick or win them all!


8.     Enjoy updated DFIR NetWars levels with new challenges. See them first at the Summit! But not to worry, you will have the opportunity to train before the tournament. You’ll have access to a lot of updated posters that can serve as cheat sheets to help you conquer the new challenges, as well as the famous SIFT WorkStation that will arm you with the most powerful DFIR open-source tools available. You could also choose to do an hour of crash training on how to use some of our Summit sponsors’ tools prior to the tournament. That should help give you an edge, right? That new DFIR NetWars coin is as good as won!

9. The Forensic 4:cast Awards winners will be announced at the Summit. Help us celebrate the achievements of digital forensic investigators around the world deemed worthy of the award by their peers. There is still time to cast your vote. (You may only submit one set of votes; any additional votes will be discounted.) Voting will close at the end of the day on May 25, 2018.

10.  Come see the latest in tools offered by DFIR solution providers. Summit sponsors and exhibitors will showcase everything from managed services covering advanced threat detection, proactive threat hunting, and accredited incident response to tools that deliver rapid threat detection at scale, and reports that provide insights for identifying potential threats before they cause damage.

11.  Last but not least, who doesn’t want to go to Austin?!? When you think Austin, you think BBQ, right? This city isn’t just BBQ, Austin has amazing food everywhere and there’s no place like it when it comes to having a great time. The nightlife and music include the famous 6th Street – which, by the way, is just walking distance from the Summit venue. There are many other landmarks such as Red River, the Warehouse District, Downtown, and the Market District. You will find entertainment of all kinds no matter what you’re up for. Nothing wrong with some well-deserved play after days full of DFIR training, lectures, and networking!

As you can see, this is an event you do not want to miss! The SANS DFIR Summit and Training 2018 will be held at the Hilton Austin. The event features two days of in-depth digital forensics and incident response talks, nine SANS DFIR courses, two nights of DFIR NetWars, evening events, and SANS@Night talks.

The Summit will be held on June 7-8, and the training courses run from June 9-14.

We hope to see you there!

DFIR Hero — David Cowen Interview


David Cowen is teaching our Windows Forensics Course at SANS Minneapolis in July 2015. Sign up now to take this course with David. We interviewed David so you can get to know him a bit better — he is one of the best in the industry. A leader. An astonishing analyst and visionary. He is our current DFIR Hero.

1.  Who are you?  What is your homepage?

I’m David Cowen. I think most people know me from but I also maintain for our software, for the books and my company site

2.  Twitter handle etc? 

Twitter: @hecfblog


3.  Tell us how you became interested in IR or Forensics.

I was a pen tester in the 90s and I thought that was probably the coolest job I would ever have. Then in 1999 I got a call from a physical company I had a relationship with about a rogue ex-CTO who they suspected was keylogging the other executives. I took on the job, got my first copy of EnCase and, thanks to our suspect’s own bad decisions, solved the case. After that I was hooked and found something even better than pen testing, where people really cared about the results of my work and I made a difference.

4. What gives you the most satisfaction while working on a case?

When I get to see that moment of comprehension on my client’s face when they finally understand what we were able to prove happened. Every case is different because the people who perform the actions we investigate are different, so finding out what makes them special and helping someone else understand that so they can use it keeps me going. Well, that and finding new artifacts!

5.  What forensic techniques do you find the most useful?

All of them, I think, is the right answer. If I were to promote one thing that people are not doing, it’s testing: testing their assumptions, tools and theories to make sure that the artifacts they are relying on are repeatable and re-creatable.

6.  What is your forensic tool of choice and why?

You know I have to say Triforce ANJP. File System Journal forensic analysis is something I do in every case now to understand at a lower level exactly what happened in the past on a system.

7.  What area of forensics or incident response needs to be understood by every new investigator?

File system journaling forensics, I think, is something everyone needs to start looking at. Otherwise, validating assumptions and findings before presenting them.

8.  What area of digital forensics or incident response is the most exciting development over the past few years?

I have to say file system journaling forensics, as it’s been my main area of research over the last 3 years. Otherwise, artifacts like shellbags and shimcache and the rise of memory forensics have been a huge boon for everyone.

9.  Why is teaching computer forensics to new students important?  Why do you like doing it?

You will never fully understand and master a topic until you have to teach it to someone else. Every time I teach for SANS and talk to the students I walk away with new questions, ideas and theories to test that make me a better examiner.

Beyond that I love watching students grow in their knowledge and ability through each day of the class. They come out much more confident and prepared for the world when they leave us.

10. How long have you been instructing or teaching individuals in computer forensics?  

I’ve been teaching computer forensic classes since 2001 with the local HTCIA, classes at conventions, private classes for industry as well as teaching a graduate course in forensics once. Teaching is something I enjoy doing and SANS makes it fun.

11.  What is your favorite part of the SANS FOR408: Windows Forensics class?

I think for me it’s the day 6 challenge. After being bombarded with information and artifacts for 5 days you really get a feeling for how well you did as an instructor when the students begin getting excited by using what they learned the last 5 days.

12.  How did you get involved in SANS?  What makes SANS unique?

I reached out to SANS about developing training around my file system journaling forensics research. Being given the opportunity to not only help develop new content for SANS but to also teach was too good of an opportunity to say no to.

The thing that makes SANS different from all of the other courses I’ve taught is the level of quality and effort demanded from everything you do. The slides, notes, labs, instruction, everything has to be the best, and I enjoy meeting the challenge.

13.  What do you do in your free time when not working on computer forensics?

I like to be a Dad to my kids and of course master the art of Texas BBQ.

David’s Full Bio:

David Cowen is a Partner at G-C Partners, LLC, where his team of expert digital forensics investigators pushes the boundaries of what is possible on a daily basis. He has been working in digital forensics and incident response since 1999 and has performed investigations covering thousands of systems in the public and private sector. Those investigations have involved everything from revealing insider threats to serving as an expert witness in civil litigation and providing the evidence to put cyber criminals behind bars.

David has authored three series of books on digital forensics: Hacking Exposed Computer Forensics (1st-3rd editions), Infosec Pro Guide to Computer Forensics, and the Anti Hacker Toolkit (Third Edition). His research into file system journaling forensics has created a new area of analysis that is changing the industry. Combined with Triforce products, David’s research enables examiners to go back in time to find previously unknown artifacts and system interactions.

David speaks about digital forensics and file system journaling forensics at DFI and Infosec conferences across the United States. He has taught digital forensics both as a SANS instructor and as a graduate instructor at Southern Methodist University.

David is a Certified Information Systems Security Professional (CISSP) and a GIAC Certified Forensic Examiner. He is the winner of the first SANS DFIR NetWars and a SANS Lethal Forensicator whose passion for digital forensics can be seen in everything he does. He started in 1996 as a penetration tester and has kept up his information security knowledge by acting as the Red Team captain for the National Collegiate Cyber Defense Competition for the last nine years.

David is the host of the Forensic Lunch, a popular DFIR podcast and live YouTube show, and the author of the award-winning Hacking Exposed Computer Forensics Blog. The blog ( contains some 448 articles on digital forensics. David is a two-time Forensic 4cast award winner for both Digital Forensic Article of the Year and Digital Forensic Blog of the Year. The Forensic 4cast award winners are nominated by their peers and voted on by the greater DFIR community.

When David is not researching, writing, testifying, or teaching about digital forensics he spends time with his family and working on mastering Texas BBQ.

Listen to David Cowen’s industry changing research, released on Windows USN Journal Analysis, for real-time tracking of a suspect’s activity on a Windows system.

David Cowen is teaching our Windows Forensics Course in SANS Minneapolis in July 2015— REGISTER NOW!

2015 DFIR Monterey Network Forensic Challenge Results

2015-03-04 UPDATE: I’ve added some thought process/methodology to the answers inline below.

Thanks to everyone that submitted or just played along with the SANS DFIR Network Forensic Challenge!  We had over 3,000 evidence downloads, and more than 500 submissions!  Per the rules, the winner must have answered four of the six questions correctly.  Then, by random selection among those submissions, the winner was selected.

We’re excited to announce that Henry van Jaarsveld is the winner for this challenge!  Congratulations, and we hope you enjoy your SANS OnDemand Course.  Great work, Henry!

Thanks for all the submissions and interest in this challenge.  If you enjoyed the questions – no matter how many questions you answered – you should check out FOR572: Advanced Network Forensics and Analysis. The class is available via OnDemand, as well as the following live and virtual SANS events:

More live and virtual/remote events are being added all the time, so keep checking the course page for additional offerings.

The challenge answers are listed below:

  1. At what time (UTC, including year) did the portscanning activity from IP address start?

Answer: Aug 29 2013 13:58:55 UTC

Portscanning activity is typically characterized by connection attempts to a range of ports. This is often rapid and originates from the same IP address. Some scanning utilities may or may not use the same source port or a small cluster of source ports. In this case, the following command gets you started:

$ grep SRC= messages

The first result is below:

Aug 29 09:58:55 gw kernel: FW reject_input: IN=eth0 OUT= MAC=08:00:27:53:38:ee:08:00:27:1c:21:2b:08:00 SRC= DST= LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=35517 PROTO=TCP SPT=38553 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0

However, we’ve asked for the time in UTC, which is the only recommended time zone to use for forensic reporting. To find the offset, examine the same “messages” file further. This isn’t often an explicitly logged value, so context is necessary. The following line shows the syslog time (system local time) and a corresponding UTC value. Therefore, it is reasonable to state that the system’s time zone is UTC-4 during the time the file was created.

Aug 29 07:07:40 gw kernel: rtc_cmos rtc_cmos: setting system clock to 2013-08-29 11:07:08 UTC (1377774428)
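Scripting the two steps above (find the first rejected SYN from the scanning source, then correct the syslog local time to UTC using the rtc_cmos line) is an added example, not part of the challenge materials or its write-up. The log lines below are constructed and the addresses 10.0.0.5, 10.0.0.7 and 10.0.0.9 are placeholders; rounding the derived offset to 15 minutes is my assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the style of the challenge's "messages" file. The challenge
# addresses are not reproduced: 10.0.0.5 (the scanner), 10.0.0.7 (another host) and
# 10.0.0.9 (the gateway) are placeholders. The rtc_cmos line and the first reject line
# from 10.0.0.5 carry the timestamps quoted in the write-up.
SAMPLE_MESSAGES = """\
Aug 29 07:07:40 gw kernel: rtc_cmos rtc_cmos: setting system clock to 2013-08-29 11:07:08 UTC (1377774428)
Aug 29 09:00:00 gw kernel: FW reject_input: IN=eth0 OUT= MAC=08:00:27:53:38:ee:08:00:27:1c:21:2b:08:00 SRC=10.0.0.7 DST=10.0.0.9 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 29 09:58:55 gw kernel: FW reject_input: IN=eth0 OUT= MAC=08:00:27:53:38:ee:08:00:27:1c:21:2b:08:00 SRC=10.0.0.5 DST=10.0.0.9 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=35517 PROTO=TCP SPT=38553 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 29 09:58:55 gw kernel: FW reject_input: IN=eth0 OUT= MAC=08:00:27:53:38:ee:08:00:27:1c:21:2b:08:00 SRC=10.0.0.5 DST=10.0.0.9 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=35518 PROTO=TCP SPT=38553 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 29 09:58:56 gw kernel: FW reject_input: IN=eth0 OUT= MAC=08:00:27:53:38:ee:08:00:27:1c:21:2b:08:00 SRC=10.0.0.5 DST=10.0.0.9 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=35519 PROTO=TCP SPT=38553 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
"""

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<msg>.*)$")
RTC_RE = re.compile(r"setting system clock to (?P<utc>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_syslog_ts(ts, year):
    # Syslog timestamps omit the year; the caller supplies it from the rtc_cmos line.
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def derive_clock_context(lines):
    """Return (year, local-minus-UTC offset) from the rtc_cmos line: its syslog header
    is local time and its message body carries the matching UTC time."""
    for line in lines:
        m = SYSLOG_RE.match(line)
        r = RTC_RE.search(m.group("msg")) if m else None
        if not r:
            continue
        utc = datetime.strptime(r.group("utc"), "%Y-%m-%d %H:%M:%S")
        local = parse_syslog_ts(m.group("ts"), utc.year)
        # The raw difference here is -3:59:28 because the clock was being stepped.
        # Rounding to 15 minutes (an assumption) keeps half-hour zones but drops that slop.
        quarter_hours = round((local - utc).total_seconds() / 900)
        return utc.year, timedelta(minutes=15 * quarter_hours)
    raise ValueError("no rtc_cmos clock line found; time zone cannot be derived")


def portscan_start(lines, src):
    """Earliest rejected TCP SYN from `src` as a UTC datetime, plus the number of distinct
    destination ports it hit. Many ports from one source in a short window is the
    portscan signature described above."""
    year, offset = derive_clock_context(lines)
    first, ports = None, set()
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m or "FW reject_input" not in m.group("msg"):
            continue
        kv = dict(KV_RE.findall(m.group("msg")))
        if kv.get("SRC") != src or kv.get("PROTO") != "TCP" or " SYN " not in m.group("msg"):
            continue
        ports.add(int(kv["DPT"]))
        local = parse_syslog_ts(m.group("ts"), year)
        if first is None or local < first:
            first = local
    if first is None:
        return None, 0
    # local = UTC + offset, so UTC = local - offset
    return (first - offset).replace(tzinfo=timezone.utc), len(ports)


if __name__ == "__main__":
    start, n = portscan_start(SAMPLE_MESSAGES.splitlines(), "10.0.0.5")
    print(f"scan from 10.0.0.5 started {start:%b %d %Y %H:%M:%S} UTC across {n} ports")
```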

  2. What IP addresses were used by the system claiming the MAC Address 00:1f:f3:5a:77:9b?


This is an exercise in using Wireshark/tshark display filters. The following tshark command will answer the question quickly:

$ tshark -n -r nitroba.pcap -T fields -e 'ip.src' -Y 'eth.src == 00:1f:f3:5a:77:9b and ip' | sort | uniq

-n: suppress DNS lookups
-r nitroba.pcap: file to read
-T fields: use “fields” output format
-e ip.src: output just the “ip.src” field, as defined by the Wireshark/tshark parsers
-Y 'eth.src == 00:1f:f3:5a:77:9b and ip': display filter to limit results to the MAC address of interest and IP traffic, which would be the only traffic to include IP addresses
| sort | uniq: bash shell utilities to narrow results to only unique values

  3. What IP (source and destination) and TCP ports (source and destination) are used to transfer the “scenery-backgrounds-6.0.0-1.el6.noarch.rpm” file?

Answer: and, 30472 and 51851

Again, the tshark utility is your friend. This is a multiple-stage process. First, get the frame number containing the desired request. This command returns frame number 5846.

$ tshark -n -r ftp-example.pcap -Y 'ftp.request.arg == "scenery-backgrounds-6.0.0-1.el6.noarch.rpm"' -T fields -e frame.number

-n: suppress DNS lookups
-r ftp-example.pcap: file to read
-Y 'ftp.request.arg == "scenery-backgrounds-6.0.0-1.el6.noarch.rpm"': display filter to limit results to just FTP commands that included the argument of interest
-T fields: use “fields” output format
-e frame.number: Get the frame number containing the desired request

Next, find the immediately preceding “Passive Mode” response.

$ tshark -n -r ftp-example.pcap -Y 'ftp.response.code == 227 && frame.number < 5846' -T fields -e frame.number -e ftp.passive.ip -e ftp.passive.port | tail -n 1

-n: suppress DNS lookups
-r ftp-example.pcap: file to read
-Y 'ftp.response.code == 227 && frame.number < 5846': display filter to limit results to just FTP response codes of “227” (Entering Passive Mode) and prior to the frame number containing the request of interest
-T fields: use “fields” output format
-e frame.number -e ftp.passive.ip -e ftp.passive.port: Get the values from the fields of interest
| tail -n 1: Just return the last result from the list

Finally, get IPs and ports from both ends of the data transfer.

$ tshark -n -r ftp-example.pcap -Y 'ip.addr == && tcp.port == 30472' -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport | sort | uniq

-n: suppress DNS lookups
-r ftp-example.pcap: file to read
-Y 'ip.addr == && tcp.port == 30472': display filter to isolate the TCP connection according to the IP and port determined above
-T fields: use “fields” output format
-e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport: Get the values from the fields of interest
| sort | uniq: Only display unique lines
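A scripted version of the three-step process above, added here as an example rather than taken from the challenge: it decodes the 227 reply the same way the ftp.passive.ip and ftp.passive.port fields do and pairs it with the request that follows. The command-channel transcript, the server address 192.0.2.10 and all frame numbers other than 5846 are constructed.

```python
import re

# Wireshark's ftp.passive.ip / ftp.passive.port fields come from this reply format:
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2), where the data port is p1*256 + p2.
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed FTP command-channel transcript as (frame number, line). 192.0.2.10 is a
# documentation placeholder, 30472 is the data port from the challenge answer (encoded
# here as 119*256 + 8) and 5846 is the request frame quoted above; the rest is made up.
COMMAND_CHANNEL = [
    (5801, "PASV"),
    (5803, "227 Entering Passive Mode (192,0,2,10,118,200)."),
    (5805, "RETR other-package-1.0.0-1.el6.noarch.rpm"),
    (5809, "150 Opening BINARY mode data connection"),
    (5840, "PASV"),
    (5842, "227 Entering Passive Mode (192,0,2,10,119,8)."),
    (5846, "RETR scenery-backgrounds-6.0.0-1.el6.noarch.rpm"),
    (5850, "150 Opening BINARY mode data connection"),
]


def decode_pasv(line):
    """Return (ip, port) from a 227 reply, or None if the line is not a usable one."""
    m = PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    if p1 > 255 or p2 > 255:
        return None  # malformed reply: each port octet must fit in a byte
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def request_frame_for(channel, filename):
    """Frame number of the first client command whose argument is `filename`
    (the equivalent of filtering on ftp.request.arg)."""
    for frame, line in channel:
        parts = line.split(" ", 1)
        if len(parts) == 2 and parts[0].isupper() and parts[1] == filename:
            return frame
    return None


def data_channel_for(channel, filename):
    """Find the request frame, then take the closest preceding 227 reply and decode
    the data-channel endpoint from it."""
    request_frame = request_frame_for(channel, filename)
    if request_frame is None:
        return None
    endpoint = None
    for frame, line in channel:
        if frame >= request_frame:
            break
        decoded = decode_pasv(line)
        if decoded is not None:
            endpoint = decoded  # keep overwriting so the last reply before the request wins
    if endpoint is None:
        return None
    return {"request_frame": request_frame, "server_ip": endpoint[0], "server_port": endpoint[1]}


if __name__ == "__main__":
    print(data_channel_for(COMMAND_CHANNEL, "scenery-backgrounds-6.0.0-1.el6.noarch.rpm"))
```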

  4. How many IP addresses attempted to connect to destination IP address on the default SSH port?

Answer: 49

A connection attempt may or may not be successful, so we can simply limit our search to the high-level filtering provided by nfdump. You could use grep against the text file as well.
There are 55 total connections:

$ nfdump -q -O tstart -r nfcapd.201405230000 -o 'fmt:%sa' 'dst ip and dst port 22' | wc -l

-q: “quiet” output, which suppresses summary header/footer information
-O tstart: order output by “start time” of each record
-r nfcapd.201405230000: input file to read
-o 'fmt:%sa': only display the source IP address for each record
'dst ip and dst port 22': limit flows to those sent to the IP address of interest on the default SSH port. You might also limit by TCP protocol by adding “and proto tcp”
| wc -l: count the results

There were 49 unique IPs in this data set:

$ nfdump -q -O tstart -r nfcapd.201405230000 -o 'fmt:%sa' 'dst ip and dst port 22' | sort | uniq | wc -l

This is the identical command to the one above, but it uses the following shell command chain:

| sort | uniq | wc -l: Count only unique lines from the nfdump command’s output

  5. What is the byte size for the file named “Researched Sub-Atomic Particles.xlsx”?

Answer: 13,625 bytes

To find the portion(s) of the input pcap that involve the filename of interest, use the “smb.file” field to find the TCP streams of interest.

$ tshark -n -r stark-20120403-full-smb_smb2.pcap -Y 'smb.file == "Researched Sub-Atomic Particles.xlsx"' -T fields -e

This is a large input pcap, so loading it directly to Wireshark is not advisable. Instead, isolate the TCP streams identified above to a new file:

$ tshark -n -r stark-20120403-full-smb_smb2.pcap -Y ' == 2104 or == 2207' -w tcpstreams_2104_2207.pcap
$ md5sum tcpstreams_2104_2207.pcap
fe9c5a388d0d70f74bb96913f120fc7a tcpstreams_2104_2207.pcap

This file is very feasible to open in Wireshark, as it’s a mere 18MB.

After opening the file, you must explore the SMB session – which is not at all a simple process. In the input file generated above, the message we’re interested in is the Trans2 Response message containing Standard File Info for the file of interest. This occurs in frame 749 (frame.time = Apr 5, 2012 14:21:50.574112000). By spelunking the available fields, you’ll find the “End of File” value, which is 13,625. This represents the number of bytes in the file. Note that the Wireshark status bar tells us that Wireshark knows this field by the name “smb.end_of_file”, which could be used to scale this process out via the tshark utility.

  6. The traffic in this Snort IDS pcap log contains traffic that is suspected to be a malware beaconing.  Identify the substring and offset for a common substring that would support a unique Indicator Of Compromise for this activity.

Answer: ULQENP2 at offset 4 (bytes 5-11 of the TCP data segment, zero-based)

There are a number of ways to approach this. The goal is to identify commonalities among the individual sessions, even though we are not (yet) sure what the bytes mean.
This evidence file is small enough to load into Wireshark, then visually explore the content – despite Wireshark not knowing the content is anything other than generic “Data”.
After visually inspecting these fields in the traffic the IDS logged, you should see that bytes 4-10 (zero-based, of course) seem consistent. This can be confirmed with the following display filter:

[4-10] == 55:4c:51:45:4e:50:32

After applying this filter, you can quickly see that 100% of the packets in the IDS log file match. Expanding the filter one byte before or after this substring range results in a <100% match. Barring any additional knowledge of the custom protocol used for these communications, this substring and offset would be a good indicator of compromise.

  7. BONUS! Identify the meaning of the bytes that precede the substring above.

Answer: UNIX Timestamp

There is no magic solution here – just trial and error combined with experience. The UNIX timestamp (number of seconds after Jan 1, 1970 at 00:00:00 UTC) fits into four bytes. Those with a keen eye for timestamps will see that after converting any given four-byte sequence to a big-endian integer, then converting that to a timestamp, the Wireshark/tshark “frame.time” field value corresponds almost perfectly in every case. For example:

0x4fe6c278 == 1340523128
$ date -u -d @1340523128
Sun Jun 24 07:32:08 UTC 2012
Corresponding frame.time: Jun 24, 2012 07:32:08.273277000
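The substring check from question 6 and the bonus timestamp decoding, as one added example that is not from the challenge write-up. The four beacon payloads are constructed (the first timestamp and frame time are the ones quoted above; the others are 62 s, 122 s and one day later), and the constant-run search generalizes the visual inspection to any set of captured payloads.

```python
import struct
from datetime import datetime, timezone

IOC = b"ULQENP2"   # the substring from the challenge answer
IOC_OFFSET = 4     # zero-based start within the TCP data segment

# Constructed beacon payloads as (frame.time, TCP data). Each payload is a 4-byte
# big-endian UNIX timestamp, the constant marker, then made-up variable bytes.
RECORDS = [
    ("2012-06-24 07:32:08.273277", bytes.fromhex("4fe6c278") + IOC + b"\x01\x00\x2a"),
    ("2012-06-24 07:33:10.104455", bytes.fromhex("4fe6c2b6") + IOC + b"\x01\x00\x2b"),
    ("2012-06-24 07:34:10.801902", bytes.fromhex("4fe6c2f2") + IOC + b"\x02\x07\x2c"),
    ("2012-06-25 07:32:08.551230", bytes.fromhex("4fe813f8") + IOC + b"\x03\x00\x2d"),
]


def constant_runs(payloads, min_len=2):
    """(start, end) byte ranges, zero-based and end-exclusive, where every payload
    carries the same byte. A run is an IoC candidate; its edges are exactly where
    extending the filter by one byte drops below a 100% match."""
    shortest = min(len(p) for p in payloads)
    runs, start = [], None
    for i in range(shortest + 1):
        same = i < shortest and all(p[i] == payloads[0][i] for p in payloads)
        if same and start is None:
            start = i
        elif not same and start is not None:
            if i - start >= min_len:
                runs.append((start, i))
            start = None
    return runs


def matches_ioc(payload):
    # Equivalent of the display filter comparing payload bytes 4-10 to 55:4c:51:45:4e:50:32
    return payload[IOC_OFFSET:IOC_OFFSET + len(IOC)] == IOC


def prefix_timestamp(payload):
    """Decode the four bytes before the marker as a big-endian UNIX timestamp."""
    (secs,) = struct.unpack(">I", payload[:IOC_OFFSET])
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def timestamp_agrees_with_frame(frame_time, payload, tolerance_s=2):
    """The bonus hypothesis holds if the decoded value lands within a couple of
    seconds of the capture's frame.time (the beacon has one-second precision)."""
    captured = datetime.strptime(frame_time, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return abs((captured - prefix_timestamp(payload)).total_seconds()) <= tolerance_s


def check_records(records):
    payloads = [p for _, p in records]
    return {
        "constant_runs": constant_runs(payloads),
        "ioc_match_rate": sum(matches_ioc(p) for p in payloads) / len(payloads),
        "timestamps_agree": all(timestamp_agrees_with_frame(t, p) for t, p in records),
    }


if __name__ == "__main__":
    print(check_records(RECORDS))
    print(prefix_timestamp(RECORDS[0][1]).strftime("%a %b %d %H:%M:%S UTC %Y"))
```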

Super Sunday Funday Forensic Challenge

The Challenge: Starting September 4, 2014 on the Hacking Exposed Computer Forensics Blog the first forensic image will be available for download. Your goal is to solve the question with the first forensic image and email it to

The Challenge:

The first forensic image is available for download. Your goal is to solve the question with the first forensic image located at:!qoxgGYCY!1jM32pncF0wE-TROhaXFI07hZbu5AfZ1BJE-p8tm1mo

and email the answer to the following questions to:

  • What was used to wipe this drive?
  • What special options were given?
  • What file was wiped from this drive?

On receiving a correct answer you will be notified that you have entered stage 2 and that another question and image will be sent to you. There are 5 stages, and the player who makes it the farthest with the most correct answers will win!

The Rules:
1.    This will be a multi-stage contest lasting two weeks
2.    Final answers must be in by Sept 15th
3.    9/05/14 The first question will be posted
4.    New questions will be given to those who answer the first question correctly
5.    You can start the contest at any point leading up to Sept 15th, there is no penalty for starting late
6.    All submissions must be sent to, do not post answers in the comments
7.    In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Prize:
A free vLive DFIR Online LIVE Course from SANS, a prize worth $5,000. You can choose from the following:

FOR408: Windows Forensic Analysis
Oct 6, 2014 – Nov 12, 2014
w/ Mike Pilkington & Ovie Carroll

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
Oct 13, 2014 – Nov 19, 2014
w/ Lenny Zeltser & Jake Williams

FOR508: Advanced Incident Response
Oct 14, 2014 – Nov 20, 2014
w/ Jake Williams & Alissa Torres

F-Response Enterprise now in FOR508: Advanced #DFIR

Starting in August 2014, F-Response Enterprise is part of the SANS FOR508 training course, and students will receive it while attending the course.

FOR508 has been updated with cutting edge Enterprise Incident Response capabilities. Starting in the Virginia Beach course attendees will receive a 3 month F-Response Enterprise license as part of the course materials. In addition, registering that license with F-Response immediately after the course will allow students to continue to use that license for an additional 3 months added on to the dongle.

Starting this August in upcoming FOR508 courses, each student will receive:

SIFT Workstation 3

  • Virtual machine used with many of the class hands-on exercises
  • This course uses the SIFT Workstation 3 to teach incident responders and forensic analysts how to respond to and investigate sophisticated attacks.
  • SIFT contains hundreds of free and open source tools, easily matching any modern forensic and incident response commercial tool suite.
  • Ubuntu LTS Base
  • 64 bit base system
  • Better memory utilization
  • Auto-DFIR package update and customizations
  • Latest forensic tools and techniques
  • VMware Appliance ready to tackle forensics
  • Cross compatibility between Linux and Windows
  • Expanded Filesystem Support (NTFS, HFS, EXFAT, and more)

F-Response Enterprise

  • F-Response software provides read-only access to the full physical disk(s) of virtually any networked computer, plus the physical memory (RAM) of Microsoft Windows systems.
  • Deployable agent to remote systems
  • SIFT Workstation 3 Compatible
  • Vendor neutral: works with just about any tool
  • Number of Simultaneous Examiners = Unlimited
  • Number of Simultaneous Agents Deployed = Unlimited
  • Gives any IR or forensic tool the capability to be used across the enterprise
  • Perfect for intrusion investigations and data breach incident response situations
  • License Period = 3 months
  • Note: If you register the F-Response Enterprise dongle you receive in class with F-Response, an extended license for an additional 3 months will be provided, for a total of 6 months of licensed use.

64 GB Course USB


  • USB loaded with APT case images, memory captures, SIFT workstation 3, tools, and documentation

SANS DFIR APT Case Exercise Workbook


  • Exercise book is over 250 pages long with detailed step by step instructions and examples to help you become a master incident responder

“File System Forensic Analysis”

  • Best-selling book on deep file system analysis authored by Brian Carrier

DFIR Summit Specials — Till End of March! #dfir #dfirsummit

Remember starting March 17 2014, use these codes:

  • + Summit Only Promotion – Summit for $495.  Register with code -> SUMMIT
  • + Class & Summit Promotion – Summit for $195 with a class.  Register with code -> COURSE

Stay connected via twitter, using hashtag #DFIRsummit, to hear announcements and discussions surrounding the Summit.

Register Now! –

FOR610 Malware Analysis Course Toolkit Expansion

SANS courses are refreshed several times a year to keep them up-to-date with the latest tools and techniques. Some updates are more significant than others. We’re excited to share some details about the revisions to the FOR610: Reverse-Engineering Malware course, which debuted in 2014.

FOR610 students now receive a pre-built Windows virtual machine (Windows REM Workstation). The cost of the Windows license is included in the tuition. REM Workstation is configured to make it easier for analysts to examine malware and includes tools that students will use through the course when performing hands-on exercises. Windows REM Workstation supplements the REMnux virtual machine, which students use in the course for utilities that run in a Linux environment.

Every FOR610 student now receives the course toolkit in the form of a USB key, which includes Windows REM Workstation and REMnux virtual machines, along with real-world malware samples that will be the basis of labs and experiments in the class.

The malware analysis toolkit is compatible with Windows 7 and 8 operating systems, and was expanded to include utilities such as PeStudio, setdllcharacteristics, signsrc, Fiddler, Scylla, just to name a few. The course also migrated from version 1 of OllyDbg to version 2, incorporating several plug-ins compatible with version 2 of the debugger. Lastly, the course update incorporates several new malware samples and analysis techniques.

This popular malware analysis course has helped forensic investigators, incident responders, security engineers and IT administrators acquire practical skills for examining malicious programs that target and infect Windows systems. To learn more about it, and to see what topics are covered on each day of the course, see the updated FOR610 description page.

For additional considerations about refreshing your malware analysis toolkit, take a look at the following posts:  Tools for Analyzing Static Properties of Suspicious Files on Windows  and  Is OllyDbg Version 2 Ready for Malware Analysis?

Deadline Approaching – APT Malware and Memory Challenge #DFIRCON

DEADLINE 31 Jan 2014 — Winner Announced – 3 Feb 2014

DFIRCON APT Malware & Memory Challenge

The memory image contains real APT malware launched against a test system. Your job? Find it.

The object of our challenge is simple: Download the memory image and attempt to answer the questions. To successfully submit for the contest, all answers must be attempted. Each person that correctly answers 3 of the 5 questions will be entered into a drawing to win a FREE Simulcast seat at DFIRCON Monterey this March. The contest ends on January 31st, 2014 and we will announce the winner on February 3rd, 2014. Good luck!

Win a free Simulcast Seat at DFIRCON Monterey by downloading the memory image and answering the following questions.

To successfully submit for the contest, all answers must be attempted. Please include your name and email address.

The winner will be able to choose from the below Simulcast courses at DFIRCON:

SEC504: Hacker Techniques, Exploits & Incident Handling
FOR408: Computer Forensic Investigations – Windows In-Depth
FOR508: Advanced Computer Forensic Analysis and Incident Response
FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

SANS Event Simulcast classes are:

Cost-Effective: You can save thousands of dollars on travel costs, making Event Simulcast an ideal solution for students working with limited training budgets or travel bans.

Engaging: Event Simulcast classes are live and interactive, allowing you to ask questions and share experiences with your instructor and classmates.

Condensed: Complete your course quickly; all SANS Event Simulcast classes take no longer than six days to complete.

Repeatable: Event Simulcast classes are recorded and placed in an online archive in case you have to miss part of the class or just wish to view the material again at a later date.

Complete: You will receive the same books, discs, and MP3 audio files that conference students receive, and you will see and hear the same information as it is presented at the live event.

To learn more about the event, please visit

1. Entry: Each participant may respond only once for the challenge. Contest begins on Monday, December 2nd, 2014 and ends Friday, January 31st, 2014. Responses must be submitted by 9pm EST on January 31st.

2. Prize: Each person that correctly answers at least 3 questions will be entered into a drawing to win a FREE Simulcast seat at DFIRCON Monterey this March. SANS will choose only one winner; the seat is transferable to another person in the same organization/company and does not include a certification attempt. The winner will be chosen on February 3rd and will be notified by email.

3. Odds of Winning: The odds of winning the contest depend upon the total number of all eligible entries received in the contest period, regardless of method of participation.

4. Release of Liability: SANS is not responsible for lost, late, or unintelligible entries, lost connections, miscommunications, failed transmissions, other technical difficulties or failures.

APT Malware and Memory Challenge

The memory image contains real APT malware launched against a test system. Your job? Find it.

The object of our challenge is simple: Download the memory image and attempt to answer the 5 questions.

  1. What is the Process ID of the rogue process on the system?
  2. Determine the name of the rogue file that is found in the process (PID) identified in the question above.
  3. How is the malware achieving persistence on the system?
  4. What is the filename of the file that is hiding the presence of the malware on the system?
  5. What is the name of the ISP that hosts the network with which the malware is communicating?

Solution can be found here:

Reverse-Engineering Malware Course Expanded to Include Capture-the-Flag Challenges

SANS expanded its popular Reverse-Engineering Malware course (FOR610) to include a day's worth of real-world capture-the-flag challenges! The challenges are designed to reinforce skills covered earlier in the course, making use of the interactive NetWars tournament platform.

By applying the techniques learned earlier in the course, students will solidify their knowledge and can shore up skill areas where they feel they need additional practice. To accomplish this, students will be presented with a variety of challenges involving real-world malware. These challenges will reinforce the ability to respond to typical malware reversing tasks in an instructor-led lab environment and offer additional learning opportunities.

To learn more about the expansion of FOR610, take a look at Jake Williams’ posting on this topic.

Game on!

— Lenny Zeltser

Lenny Zeltser teaches malware analysis at SANS Institute and focuses on safeguarding customers' IT operations at NCR Corp. He is active on Twitter and writes a security blog.