#2 – SANS DFIR Summit

Conferences / Digital Forensics / Incident Response / Smartphone Forensics

Another year, another SANS DFIR Summit come and gone. What a whirlwind! If you have never been to the DFIR Summit in Austin, TX, I would highly recommend it. This year seemed to have more new people attending than ever before. (I don’t have the official counts, so I don’t know for certain.)

The presentation slides have been posted if you’d like to review them. In roughly 2-3 months, the videos should also be posted to YouTube. A few highlights:

  • #DFIRFIT or Bust – I loved this talk the most. Take a look at the slides to see why. 😉
  • Event Trace Logs – Nicole has been researching these for quite some time, and her presentation goes into awesome detail about these logs. If you’ve never examined ETLs, you really should.
  • mac_apt – macOS forensics is my jam. Yogesh’s mac_apt.py pulls [almost] all the things for forensic analysis. Obviously it requires some thought in your analysis to put together a timeline of events, but this script will be a great start in simplifying your efforts.
  • DNSplice – Shelly loves her DNS logs! Her python script helps put extra meaning behind the data.
  • Forensic 4:Cast Awards – Lee puts a lot of thought and love behind these awards, as evidenced by his 10 years of work on them. Congrats to all the winners and runners-up!

After the conference, the DFIR Summit offers classroom training. This year I signed up for the FOR585 Advanced Smartphone Forensics course. Heather did a phenomenal job teaching the class and really made sure people understood the concepts. She even taught SQLite in a way that actually made sense! (I’ve struggled for years with SQLite queries, but now I can easily write basic queries, join tables, add case statements, and order columns.)

The final highlight of the DFIR Summit was the NetWars challenge. This year SANS added a Coin Slayer challenge where you could win a challenge coin from a particular course, assuming you answered all questions from all four levels correctly. There ended up being seven people who won Coin Slayer coins – two in Reverse-Engineering Malware and five in Smartphone Forensics. I happened to be one of the lucky ones to earn a Smartphone Forensics coin within the final three minutes of the competition.


All in all, the DFIR Summit was more than worth it! If you get a chance to go, absolutely do it. The Summit will be held in Austin, TX next year July 25-26 (conference) and July 27-Aug 1 (training). Hope to see you there!

5 Comments

  1. keydet89 says

    Stacey, I’d love to hear your thoughts as to why you liked the DFIRFit content.


    • I’m the one who started #DFIRFIT on Twitter so it was neat to see the concept take off over the past year. Sarah and Heather put a lot of thought and effort into testing the Health data, which I can also appreciate from a forensics perspective. There is more testing yet to complete (as per usual), and it will be interesting to see what else they can uncover.


  2. keydet89 says

    Stacey,

    Thanks. Not having been there, what does “testing the Health data” refer to?


  3. Pingback: Week 25 – 2018 – This Week In 4n6
