#2 – SANS DFIR Summit

Another year, another SANS DFIR Summit come and gone. What a whirlwind! If you have never been to the DFIR Summit in Austin, TX, I would highly recommend it. This year seemed to have more new people attending than ever before. (I don’t have the official counts, so I don’t know for certain.)

The presentation slides have been posted if you’d like to review them. In roughly 2-3 months, the videos should also be posted to YouTube. A few highlights:

  • #DFIRFIT or Bust – I loved this talk the most. Take a look at the slides to see why. 😉
  • Event Trace Logs – Nicole has been researching these for quite some time, and her presentation goes into awesome detail about these logs. If you’ve never examined ETLs, you really should.
  • mac_apt – macOS forensics is my jam. Yogesh’s mac_apt.py pulls [almost] all the things for forensic analysis. Obviously it requires some thought in your analysis to put together a timeline of events, but this script will be a great start in simplifying your efforts.
  • DNSplice – Shelly loves her DNS logs! Her python script helps put extra meaning behind the data.
  • Forensic 4:Cast Awards – Lee puts a lot of thought and love behind these awards, as evidenced by his 10 years of work on them. Congrats to all the winners and runners-up!

After the conference, the DFIR Summit offers classroom training. This year I signed up for the FOR585 Advanced Smartphone Forensics course. Heather did a phenomenal job teaching the class and really made sure people understood the concepts. She even taught SQLite in a way that actually made sense! (I’ve struggled for years with SQLite queries, but now I can easily write basic queries, join tables, add case statements, and order columns.)

The final highlight of the DFIR Summit was the NetWars challenge. This year SANS added a Coin Slayer challenge where you could win a challenge coin from a particular course, assuming you answered all questions from all four levels correctly. There ended up being seven people who won Coin Slayer coins – two in Reverse-Engineering Malware and five in Smartphone Forensics. I happened to be one of the lucky ones to earn a Smartphone Forensics coin within the final three minutes of the competition.


All in all, the DFIR Summit was more than worth it! If you get a chance to go, absolutely do it. The Summit will be held in Austin, TX next year July 25-26 (conference) and July 27-Aug 1 (training). Hope to see you there!

5 thoughts on “#2 – SANS DFIR Summit”

    • I’m the one who started #DFIRFIT on Twitter so it was neat to see the concept take off over the past year. Sarah and Heather put a lot of thought and effort into testing the Health data, which I can also appreciate from a forensics perspective. There is more testing yet to complete (as per usual), and it will be interesting to see what else they can uncover.
