Another year, another SANS DFIR Summit come and gone. What a whirlwind! If you have never been to the DFIR Summit in Austin, TX, I would highly recommend it. This year seemed to have more new people attending than ever before. (I don’t have the official counts, so I don’t know for certain.)
- #DFIRFIT or Bust – I loved this talk the most. Take a look at the slides to see why. 😉
- Event Trace Logs – Nicole has been researching these for quite some time, and her presentation goes into awesome detail about these logs. If you’ve never examined ETLs, you really should.
- mac_apt – macOS forensics is my jam. Yogesh’s mac_apt.py pulls [almost] all the things for forensic analysis. Obviously it requires some thought in your analysis to put together a timeline of events, but this script will be a great start in simplifying your efforts.
- DNSplice – Shelly loves her DNS logs! Her python script helps put extra meaning behind the data.
- Forensic 4:Cast Awards – Lee puts a lot of thought and love behind these awards, as evidenced by his 10 years of work on them. Congrats to all the winners and runner-ups!
After the conference, the DFIR Summit offers classroom training. This year I signed up for the FOR585 Advanced Smartphone Forensics course. Heather did a phenomenal job teaching the class and really made sure people understood the concepts. She even taught SQLite in a way that actually made sense! (I’ve struggled for years with SQLite queries, but now I can easily write basic queries, join tables, add case statements, and order columns.)
The final highlight of the DFIR Summit was the NetWars challenge. This year SANS added a Coin Slayer challenge where you could win a challenge coin from a particular course, assuming you answered all questions from all four levels correctly. There ended up being seven people who won Coin Slayer coins – two in Reverse-Engineering Malware and five in Smartphone Forensics. I happened to be one of the lucky ones to earn a Smartphone Forensics coin within the final three minutes of the competition.
All in all, the DFIR Summit was more than worth it! If you get a chance to go, absolutely do it. The Summit will be held in Austin, TX next year July 25-26 (conference) and July 27-Aug 1 (training). Hope to see you there!