SANS Computer Forensic Instructors are real-world practitioners who specialize in the subjects they teach. All instructors undergo rigorous training and testing before earning SANS Certified Instructor status. This helps us guarantee that what you learn in class will be up-to-date and relevant to your job.

"The instructor was very helpful in making sure that the class has a good understanding of the information covered to date." - Debbie Moeker, 3M

Rob Lee

Rob Lee is an entrepreneur and consultant in the Boston area, specializing in information security, incident response, threat hunting, and digital forensics. Rob is currently the curriculum lead and author for digital forensic and incident response training at the SANS Institute in addition to owning his own firm. Rob has more than 18 years of experience in digital forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response.
Rob graduated from the U.S. Air Force Academy and served in the U.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on information operations. Later, he was a member of the Air Force Office of Special Investigations (AFOSI) where he led a team conducting computer crime investigations, incident response, and computer forensics. Prior to starting his own firm, he directly worked with a variety of government agencies, U.S. Department of Defense, and intelligence communities as the technical lead for a vulnerability discovery and an exploit development team, lead for a cyber forensics branch, and lead for a digital forensic and security software development team. Rob was also a director for MANDIANT, a company focused on investigating advanced adversaries, such as the APT, for five years prior to starting his own business.
Rob co-authored the book Know Your Enemy, 2nd Edition. Rob earned his MBA from Georgetown University in Washington DC. Rob is also a co-author of the MANDIANT threat intelligence report M-Trends: The Advanced Persistent Threat.

George Bakos

George Bakos has been interested in computer security since the early 1980s when he discovered the joys of BBSs and corporate databases. These days he is Technical Fellow & Manager of Cyber Threat Assessment & Awareness at Northrop Grumman, a global leader in Cybersecurity, Aerospace & Defense. While at the Institute for Security Technology Studies, George was the developer of Tiny Honeypot and the IDABench intrusion analysis system and led the Dartmouth Distributed Honeynet System, fielding deception systems and studying the actions of attackers worldwide. He developed and taught the U.S. Army National Guard's CERT technical curriculum and ran the NGB's Information Operations Training and Development Center research lab for two years, fielding and supporting Computer Emergency Response Teams throughout the United States. A recognized authority in computer security, he has contributed to numerous books and open source software projects; has been interviewed on radio, television, and online publications; briefed the highest levels of government; and has been a member of the SANS Institute teaching faculty since 2001. Outside the lab, George enjoys the beauties of his home state, Vermont, through skiing, ice and rock climbing, and mountain biking.

"George teaches you practical skills and provides real-world examples of IT security issues." - Mark Lian, Northrop Grumman

Ovie Carroll

Ovie Carroll has over 20 years of federal law enforcement experience. Ovie was a special agent for the Air Force Office of Special Investigations (AFOSI) and Chief of the Washington Field Office Computer Investigations and Operations Branch responsible for investigating all national level computer intrusions into USAF computer systems. Following his career with the AFOSI he was the Special Agent in Charge of the Postal Inspector General's computer crimes unit where he was responsible for all computer intrusion investigations and for providing all computer forensic analysis in support of USPS-OIG investigations. Ovie is currently the Director for the Cybercrime Lab at the Department of Justice, Computer Crime and Intellectual Property Section (CCIPS) and an adjunct professor at George Washington University teaching computer crime investigations. In addition to his career fighting computer crime, Ovie has conducted investigations into a variety of offenses including murder, fraud, bribery, theft, gangs and narcotics.

"Ovie is just an awesome instructor. He has a wealth of knowledge and really made the course a live and exciting joy." - Mohamed Abdelsalam, Glencore

"Ovie has got this thing down, pat! He is informative, personal, very very knowledgeable, and, entertaining on top of it all! Really enjoy his teaching methods." - Mike Bowden, Boeing

Mike Cloppert

Michael is the lead analyst for Lockheed Martin CIRT's Intel Fusion team, charged with collecting and managing intelligence on adversaries intent on stealing the organization's intellectual property, and development of new detection and analysis techniques. Michael has worked as a security analyst in various sectors including the Financial, Federal Government, and Defense industries. He has an undergraduate degree in Computer Engineering from the University of Dayton, an MS in Computer Science from The George Washington University, has received a variety of industry certifications including SANS GCIA, GREM, and GCFA, and is a SANS Forensics and IR blog contributor. Michael's past speaking engagements include the DC3 Cybercrime Conference, IEEE, and SANS amongst various others.

 "Mike Cloppert rocks. Obviously very smart and passionate about what he does." - Nate DeWitt, eBay

David Cowen

David Cowen is a Certified SANS Instructor and a Partner at G-C Partners, LLC, where his team of expert digital forensics investigators pushes the boundaries of what is possible on a daily basis. He has been working in digital forensics and incident response since 1999 and has performed investigations covering thousands of systems in the public and private sector. Those investigations have involved everything from revealing insider threats to serving as an expert witness in civil litigation and providing the evidence to put cyber criminals behind bars.  
David has authored three series of books on digital forensics: Hacking Exposed Computer Forensics (1st-3rd editions), Infosec Pro Guide to Computer Forensics, and the Anti Hacker Toolkit (Third Edition). His research into file system journaling forensics has created a new area of analysis that is changing the industry. Combined with Triforce products, David's research enables examiners to go back in time to find previously unknown artifacts and system interactions.
David speaks about digital forensics and file system journaling forensics at DFIR and Infosec conferences across the United States. He has taught digital forensics both as a SANS instructor and as a graduate instructor at Southern Methodist University.
David is a Certified Information Systems Security Professional (CISSP) and a GIAC Certified Forensic Examiner. He is the winner of the first SANS DFIR NetWars and a SANS Lethal Forensicator whose passion for digital forensics can be seen in everything he does. He started in 1996 as a penetration tester and has kept up his information security knowledge by acting as the Red Team captain for the National Collegiate Cyber Defense Competition for the last nine years.
David is the host of the Forensic Lunch, a popular DFIR podcast and live YouTube show, and the author of the award-winning Hacking Exposed Computer Forensics Blog. The blog contains some 448 articles on digital forensics. David is a two-time Forensic 4cast award winner for both Digital Forensic Article of the Year and Digital Forensic Blog of the Year. The Forensic 4cast award winners are nominated by their peers and voted on by the greater DFIR community.
When David is not researching, writing, testifying, or teaching about digital forensics he spends time with his family and working on mastering Texas BBQ.

"David Cowen rocks. He is funny. He is friendly and extremely knowledgeable."  -- Bob Akin, SAIC

"David was awesome, brilliant, and entertaining to learn from." -- Jonathan Reitnauer, Vanguard

"I have had the pleasure of teaching with David multiple times and working with him in the forensics field.  David's passion and knowledge has made him one of the leading minds and innovators in the digital forensics community.  I saw many students loving David's open approach to teaching and the fact you could tell he really cared that they learn and understand the material.  He is one of the finest instructors I have had the pleasure of working with.  He is one of the best I've seen."  --Rob Lee, SANS DFIR Lead

Listen to David Cowen's industry changing research, released on Windows USN Journal Analysis, for real-time tracking of a suspect's activity on a Windows system.

Learn more about David Cowen in this DFIR Hero interview on the SANS DFIR Blog.

Sarah Edwards

A self-described Mac nerd, Sarah Edwards is a forensic analyst, author, speaker, and both author and instructor of SANS FOR518: Mac Forensic Analysis.  She has been a devoted user of Apple devices for many years and has worked specifically in Mac forensics since 2004, carving out a niche for herself when this area of forensics was still new. Although Sarah appreciates digital forensics in all platforms, she has a passion for working within Apple environments and is well known for her work with cutting-edge Mac OS X and iOS, and for her forensic file system expertise.   

Sarah's dynamic classroom and presentation skills have been heralded by both her students and colleagues. She keeps students interested and engaged. Sarah has more than 12 years of experience in digital forensics, and her passion for teaching is fueled by the ever-increasing presence of Mac devices in today's digital forensic investigations. Given the complexity of most cases and the high probability that an OS X or iOS device will be a part of an investigation, deep knowledge of these operating systems is crucial to ensure that forensic analysts grasp all the information required in a case and do not omit valuable data.

"Apple devices will continue to grow in popularity, and digital forensic investigators and analysts must start paying more attention to them," Sarah explains. "Windows analysis is the base education in the field of digital forensics, and any additional skills you can acquire set you apart from the crowd, whether it is Mac, mobile, memory, or malware analysis."

Sarah has worked with federal law enforcement agencies on a variety of high-profile investigations in such areas as computer intrusions, criminal cases, counter-intelligence, counter-narcotics, and counter-terrorism.  Her research and analytical interests include Mac forensics, mobile device forensics, digital profiling, and malware reverse engineering.

A frequent presenter, Sarah has spoken at industry conferences including Shmoocon, Enfuse (formerly known as CEIC), DEF CON, BSides New Orleans, BSides Las Vegas, and the SANS DFIR Summit. She has a bachelor's degree in information technology from the Rochester Institute of Technology and a master's in information assurance from Capitol College. Beyond her deep interest in digital forensics and anything Mac, Sarah loves cooking, reading tech books, traveling anywhere, and "making things work".

Here's What Students Are Saying about SANS Certified Instructor Sarah Edwards:

"Sarah knows her stuff.  This course gets better each day.  Very useful information.  Well-formed course." - Anthony Cifaretto, Verizon

"Sarah gave another great day of presentations - her knowledge is impressive." - Ben Keck, Ciena

"Very comprehensive in-depth coverage of the course topic. Excellent reference materials as a take-away." - Jennifer Barnes, Indiana State Police

"Sarah Edwards has spent the last several months putting the (FOR518) material together and I have to say that it is fantastic. The content is very detailed and provides excellent information. I have a fair amount of experience investigating Apple systems. In fact, Apple products appear to be the core (get it?) of what we do these days. As such I would not have expected to learn as much as I did but there were times this week when my jaw dropped at one of Sarah's revelations or one of Hal Pomeranz's demonstrations. I learned a great deal and am delighted at the fact that I was able to attend." - Lee Whitfield, 4:cast

References from SANS Instructors:

"Sarah's expertise in authorship and instructing has led to the successful addition of the FOR518 Mac course to our lineup.  Sarah's classroom and presentation skills continuously pull in record scores.  She is absolutely the best at her trade." - Rob Lee, SANS Fellow and DFIR Curriculum Lead

"Sarah is clearly the Mac subject-matter expert who has designed a top-notch course. She handles student questions with the expertise and grace of the seasoned instructor she is." - Ovie Carroll, SANS Certified Instructor

"Sarah did an amazing job producing an incredibly detailed technical course on Mac Forensics. And then she shows up every time to teach and knocks it out of the park. Students can't help but respond to her total mastery of the material and enthusiasm for the subject matter." - Hal Pomeranz, SANS Fellow

Qualifications Summary

  • More than 12 years of Mac forensics experience
  • More than 8 years' experience teaching in digital forensics
  • FOR518 Mac Forensics Analysis course and author statement

Get to Know Sarah Edwards

Jess Garcia

Jess Garcia is the founder and technical lead of One eSecurity, a global Information Security company specialised in Incident Response and Digital Forensics.

With nearly 20 years in the field, and an active researcher in the area of innovation for Digital Forensics, Incident Response and Malware Analysis, Jess is today an internationally recognised Digital Forensics and Cybersecurity expert, having led the response and forensic investigation of some of the world's biggest incidents in recent times.

In his career Jess has worked on a myriad of highly sensitive projects with top global customers in sectors such as financial & insurance, corporate, media, health, communications, law firms and government, as well as in other Cybersecurity areas such as Security Architecture Design and Review, Penetration Tests, Vulnerability Assessments, etc.

A Principal SANS Instructor with almost 15 years of SANS instructing experience, Jess is also a regular invited speaker at Security and DFIR conferences worldwide.

Previously, Jess worked for 10 years as a systems, network and security engineer in the Spanish Space Agency, where he collaborated as a security advisor with the European Space Agency, NASA, and other international organisations.

Jess holds a Masters of Science in Telecommunications Engineering + Computer Science from the Univ. Politecnica de Madrid.

Philip Hagen

Philip Hagen has been working in the information security field since 1998, running the full spectrum including deep technical tasks, management of an entire computer forensic services portfolio, and executive responsibilities.

Currently, Phil is the DFIR Strategist at Red Canary, where he engages with current and future customers of Red Canary's managed threat detection service to ensure their use of the service is best aligned for success in the face of existing and future threats.

Phil started his security career while attending the US Air Force Academy, with research covering both the academic and practical sides of security. He served in the Air Force as a communications officer at Beale AFB and the Pentagon. In 2003, Phil shifted to a government contractor, providing technical services for various IT and information security projects. These included systems that demanded 24x7x365 functionality. He later managed a team of 85 computer forensic professionals in the national security sector. He has provided forensic consulting services for law enforcement, government, and commercial clients prior to joining the Red Canary team. Phil is also a certified instructor for the SANS Institute, and is the course lead and co-author of FOR572, Advanced Network Forensics and Analysis.

"Philip's speaking style draws you in and he's very personable. Useful tools and nice tour of technology which I was not previously aware of." - Frank J. Quinn

Listen to Phil discuss "IT'S ALIVE!!! Investigating with Network-based Evidence" in this SANS webcast that every DFIR professional should listen to.

Paul A. Henry

Paul Henry is a Senior Instructor with the SANS Institute and one of the world's foremost global information security and computer forensic experts with more than 30 years of experience covering all 10 domains of network security. Paul began his career in critical infrastructure / process control supporting power generation and currently manages security initiatives and incident response for Global 2000 enterprises and government organizations worldwide.

Paul is a principal at vNet Security, LLC and is keeping a finger on the pulse of network security as the security and forensic analyst at Lumension Security and as a retained security expert for multiple financial and healthcare firms.

Throughout his career, Paul has played a key strategic role in launching new network security initiatives to meet our ever-changing threat landscape. Paul also advises and consults on some of the world's most challenging and high-risk information security projects, including the National Banking System in Saudi Arabia, the Reserve Bank of Australia, the Department of Defense's Satellite Data Project (USA), and both government as well as telecommunications projects throughout Southeast Asia.

Paul is frequently cited by major and trade print publications as an expert in perimeter security, incident response / computer forensics and general security trends and serves as an expert commentator for network broadcast outlets, such as FOX, NBC, CNN, and CNBC. In addition, Paul regularly authors thought leadership articles on technical security issues, and his expertise and insight help shape the editorial direction of key security publications, such as the Information Security Management Handbook, where he is a consistent contributor. Paul serves as a featured and keynote speaker at seminars and conferences worldwide, delivering presentations on diverse topics including anti-forensics, network access control, cyber crime, DDoS attack risk mitigation, perimeter security, and incident response.

Listen to Paul discuss "Incident Response and Forensics in the Cloud" in this SANS webcast that every DFIR professional should listen to.

Nick Klein

Nick is the Director of Klein & Co. Computer Forensics, the leading independent computer forensic team from Sydney, Australia. He has over fifteen years of IT experience, specialising in forensic technology investigations and presenting expert evidence in legal and other proceedings. Nick and his team have been engaged as experts in hundreds of cases including commercial litigation and electronic discovery, criminal prosecution and defence, financial fraud, corruption, employee misconduct, theft of intellectual property, computer hacking and system intrusion.

He was previously a senior director in Deloitte Forensic and a team leader in the High Tech Crime Team of the Australian Federal Police, where he worked on international police investigations and intelligence operations including counter terrorism, online child abuse, computer hacking, and traditional crimes facilitated by new technologies.

Nick has presented expert evidence in civil and criminal matters in Australia and overseas, including providing expert testimony in the Bali bombing trials in Indonesia in 2003. He has appeared before Australian State and Commonwealth Parliamentary Committees and participated in Government working groups on cybercrime issues including the Fraud Taskforce of the Australian Banking Association and the Critical Infrastructure Protection forum of the Australian Commonwealth Government. Nick is a regular presenter at industry forums and a guest lecturer at several institutions including the School of Law at the University of New South Wales and the Centre for Transnational Crime Prevention, Faculty of Law at the University of Wollongong.

Listen to Nick discuss methods to reconstruct anti-forensics in a critical case all DFIR professionals should listen to.


Robert M. Lee

Robert M. Lee is the CEO and Founder of Dragos Security LLC, a critical infrastructure cybersecurity company, where he pursues his passion for control system traffic analysis, incident response, and threat intelligence research.

Rob is a SANS Certified Instructor, the course author of SANS ICS515 - "Active Defense and Incident Response," and the co-author of SANS FOR578 - "Cyber Threat Intelligence." He is also a non-resident National Cyber Security Fellow at New America focusing on policy issues relating to the cybersecurity of critical infrastructure, and a PhD candidate at King's College London. For his research and focus areas, he was named one of Passcode's Influencers and awarded EnergySec's 2015 Cyber Security Professional of the Year. Rob was also named to the 2016 class of Forbes "30 Under 30" for Enterprise Technology as one of "the brightest entrepreneurs, breakout talents, and change agents" in the sector.

Robert obtained his start in cybersecurity serving as a Cyber Warfare Operations Officer in the U.S. Air Force. He has performed defense, intelligence, and attack missions in various government organizations including the establishment of a first-of-its-kind ICS/SCADA cyber threat intelligence and intrusion analysis mission. Robert routinely writes articles in publications such as Control Engineering and the Christian Science Monitor's Passcode and speaks at conferences around the world. Lastly, Robert is the author of the book "SCADA and Me" and the weekly web-comic Little Bobby.

"Real-world practical insight and the technical skills and tools to create meaningful change." - Billy Glen, Pacific Gas & Electric

"Great teaching style - humor - keeps the atmosphere light." - Tim Sanguinett, NCPA

"Good pace, kept things moving, stayed enthusiastic the entire day." - Michael Nowatkowsk, Army Cyber Institute

Heather Mahalik

Heather Mahalik is leading the forensic effort as a Principal Forensic Scientist for ManTech CARD. Heather's extensive experience in digital forensics began in 2002. She is currently a senior instructor for the SANS Institute and is the course lead for FOR585: Advanced Smartphone Forensics. Most of Heather's experience includes:

  • Smartphone and Windows forensics: including acquisition, analysis, vulnerability discovery, malware analysis, application reverse engineering, and manual decoding
  • Forensic instruction on mobile, smartphone, computer and Mac forensics in support of the U.S. Government, LE, and commercial level
  • Co-author of Practical Mobile Forensics (1st and 2nd editions), currently a best seller from Packt Publishing
  • Technical editor for Learning Android Forensics from Packt Publishing

Previously, Heather led the mobile device team for Basis Technology, where she focused on mobile device exploitation in support of the U.S. Government. She also worked as a forensic examiner at Stroz Friedberg and the U.S. State Department Computer Investigations and Forensics Lab, where she focused her efforts on high-profile cases. Heather maintains where she blogs and hosts work from the digital forensics community.

Listen to Heather's latest webcasts:

To trust or not to trust: The relationship between you & your mobile forensics tool

iPhone Forensics - Separating the Facts from Fiction. A Technical Autopsy of the Apple/FBI Debate

Smartphone Forensics Moves Fast. Stay Current or You May Miss Relevant Evidence!

Student Quotes

"I have been working with phones since 2009, and Heather very casually showed me how much I don't know. Excellent!" Harbin Combee - MPDC

"I am learning so much, it's exciting. Heather is an excellent instructor. Very smart. Knows her stuff." Tris Matthews - Goodhue County Sheriff's Office 

"Heather is a great instructor. The only downside will be not being able to bring her back to my office so we can pick her brain every day!" C. McCollom - Clark County Sheriff's Office

Cindy Murphy

Cindy Murphy served in law enforcement for more than 30 years, including 24 years as a detective with the Madison Police Department in Wisconsin. During 17 of those years she worked as a certified digital forensics examiner. During her time as an investigator, she saw firsthand the emergence of mobile devices as the primary source of evidence in investigations. This pushed her to grow into the mobile forensics expert she is today and enabled her to co-author the SANS FOR585 Advanced Smartphone Forensics course. Just recently, Cindy took a leave of absence from the Madison Police Department to launch Gillware Digital Forensics, where she is co-owner and serves as president and lead examiner. As a life-long police officer, Cindy knows the transition from the public to the private sector will present new challenges, but she's looking forward to broadening her professional experience even further, which will benefit both Cindy and her students.

Throughout her career, Cindy has always looked for opportunities to help in meaningful ways.  In one recent case, experts spent a year trying to unlock the phone of a 16-year-old girl who was killed in a tragic traffic accident. As the family prepared to spread the girl's ashes in a ceremony a year after her death, Cindy was given the victim's locked phone. She was able to unlock it, enabling the family to see their daughter's last photos. The family sent Cindy a thank you note that said: "We so appreciate this opportunity you've given us to hold onto a piece of our daughter's life we were sure was lost to us."

Digital devices have a huge impact in our world today, and Cindy believes mobile phones have become the diaries of people's lives. That's why mobile forensics is such a vital field. A thorough knowledge of these devices is thus crucial to investigations, since they can provide indispensable evidence that law enforcement can't afford to miss. Cindy knows the tools and programs that support digital forensics, has trained officers how to handle cell phone evidence, and knows how to take care of herself and others when working through tough cases like child pornography. Her extensive experience has given her both the real-world experience and the foundation in training that it takes to excel in the mobile forensics field and share her knowledge with others.

Cindy has been teaching digital forensics since 2002. In 2006, she helped develop the curriculum for a certificate program at Madison Area Technical College. Cindy has served as guest faculty for the National District Attorney's Association, testified as a computer forensics expert in state and federal court on numerous occasions, presented internationally on digital forensics topics, and written frequent articles and whitepapers. She has a master of science degree in forensic computing and cyber crime investigation from University College in Dublin. Cindy is also a military veteran, a mother, an activist in defense of first amendment rights, a musician (banjo, cello, tenor guitar, mandolin, and ukulele), and a Brittany Spaniel enthusiast.

Here's What Students Are Saying about SANS Certified Instructor Cindy Murphy

"Cindy Murphy is a force to be reckoned with! Very happy I signed up for this class." - Reza Z., DirectTV

"Cindy is Awesome! She fully understands what is happening in the field and how to do our job better." - John P., Shell Oil 

"Good, real-world experience. Clearly, Cindy has been there, done that." - Chris Mallow, University of Oklahoma

References from SANS Instructors

"Cindy has told me multiple times that teaching others how to do this job was some of the most rewarding work that she can do.  Cindy truly believes that her material, instruction, and experience could make a difference in helping stop bad guys around the world.  She gets how important the role of our work is in developing additional investigators and responders in law enforcement, media exploitation, and information security fields." - Rob Lee, SANS Fellow & DFIR Curriculum Lead

"Cindy is one of the most dedicated people in the field of digital forensics. She spends tireless hours making herself better at the trade and always gives back to the community through white papers, forensic instruction, conference speaking events, and now through SANS. Cindy is able to take her law enforcement experience and spin it in a way that dazzles the students with her stories and real-life experience. Anyone can speak to slides - Cindy can add value to the content and gives the material meaning." - Heather Mahalik, SANS Senior Instructor & FOR585 Advanced Smartphone Forensics Course Lead

Qualifications Summary:

Get to know Cindy Murphy:

Mike Pilkington

Curiosity wins the day! That is Mike Pilkington's teaching philosophy, because from his perspective, you have to be inspired and excited about solving difficult cases if you want to be great at forensics. As Mike says, "you have to be willing to search for the answers that others can't or won't find." Mike's infectious enthusiasm for digital forensics comes through in his work, in his classes, and in his day-to-day life. It's clear that his hobby and his job are one and the same.

Mike has been an instructor for the SANS Institute since 2008. He currently teaches Windows Forensics In-Depth (FOR408) and Advanced Digital Forensics and Incident Response (FOR508). In addition to teaching, Mike is a dedicated researcher and has published numerous articles for the SANS Forensics Blog.

After spending much of his career as an analyst and incident responder for Halliburton, Mike recently joined the team at Shell. His background working in a large corporate environment gives him a unique perspective among SANS instructors. Mike is also a researcher at heart and will spend hours unraveling the answer to a complicated case or a question from a student. He'll delve deeply into forensic conundrums to identify the best solutions, and then document that knowledge to share with the digital forensics community.

In his current role as a senior incident analyst at Shell, Mike regularly deals with malware and intrusion cases. His work ranges from evaluating and implementing both commercial and open-source forensic tools to consulting with internal groups to resolve intrusions. He has accumulated a broad range of technical expertise, having spent significant time performing software quality assurance, Windows systems administration, LAN and WAN network administration, firewall and IDS/IPS security administration, computer forensic analysis, and incident response. As a forensic analyst, he worked numerous human resource investigations, including cases involving intellectual property theft, inappropriate use of the Internet, employee hacking, IT administrator privilege abuse, and illegal downloading of copyrighted materials.

Mike holds a bachelor's degree in mechanical engineering from the University of Texas, as well as numerous IT security certifications, including the CISSP, EnCE, GCFE, GCFA, and GREM.

Qualifications Summary

  • Deep background in corporate cybersecurity
  • SANS instructor since 2008
  • Professional qualifications: GCFA, GCFE, GREM, EnCE, CISSP

Get to Know Mike Pilkington

  • Mike's DFIR blog is available at
  • Mike co-authored the SANS Forensics "Find Evil" poster
  • Mike created an example forensics report for SANS FOR408 students (available upon request)
  • In addition to regularly presenting six-day SANS forensics classes, Mike has spoken at the SANS DFIR Summit, SANS conferences, MIRcon, ISSA, and HTCIA

Listen to Mike discuss Privileged Domain Account Protection: How to Limit Credentials Exposure in this SANS webcast.

Here's What Students Are Saying about SANS Certified Instructor Mike Pilkington:

"The level of detail and knowledge that Mike has is above excellent." - Oz Bogovac, JCI

"Once again, Mike's command-line knowledge really became valuable when we tried to stump him with questions. He knew everything!"  - Mike DeZenzo, EY

"The instructor helps by sharing his knowledge in a way it can be understood by the student." - Joseph Selph, IBM

"Very knowledgeable." William Martin, NYSP

Endorsements from SANS instructors

"Mike's perspective is unique and extremely valuable to our instructor team. He sees things differently as a result of directly fighting adversaries in his larger multinational corporate environment daily, and he isn't afraid to share his experiences with the class. Mike is also a researcher at heart, and his research has directly resulted in our material being updated, corrected, and expanded. It has made our courses at SANS the best and brimming full of information that make SANS truly on the "cutting edge" and not just words we use in marketing."  - Rob Lee, SANS Fellow

"Mike is accomplished, wicked smart, and very passionate about our field. He is that rare individual who doesn't just report a problem - he takes it upon himself to find a solution. As an example, Mike encountered a number of students during his early teaching engagements who were having difficulties grasping the fundamentals of report writing. He took it upon himself to create a sample report that could be shared among instructors. His SANS blog posts are some of my favorites, as he regularly takes it upon himself to look deeper into nagging forensic unknowns and document clever solutions."  - Chad Tilbury, SANS Senior Instructor

"I have watched Mike present and have been thoroughly impressed with his smooth delivery, his ability to competently deliver highly technical material in a way that makes it easy for students to understand, and his ability to handle questions. Mike's background in IT brings a highly valuable perspective to the forensic program and inspires students." -  Ovie Carroll, SANS Certified Instructor

Hal Pomeranz

"Sometimes there's a moment in a case where I find a crucial piece of evidence hidden away where not many investigators would think to look. And I think to myself, 'I'm glad I was the one to work on this case, because this finding was important.' That's how I know I'm in the right field." ~ Hal Pomeranz

Hal Pomeranz is an independent digital forensic investigator who has consulted on cases ranging from intellectual property theft, to employee sabotage, to organized cybercrime and malicious software infrastructures. He has worked with law enforcement agencies in the United States and Europe, and with global corporations.

While perfectly at home in the Windows and Mac forensics world, Hal is a recognized expert in the analysis of Linux and Unix systems, and has made key contributions in this domain. His EXT3 file recovery tools are used by investigators worldwide. His research on EXT4 file system forensics provided a basis for the development of open source forensic support for this file system. Hal has also contributed a popular tool for automating Linux memory acquisition and analysis. But Hal is fundamentally a practitioner, and that's what drives his research. His EXT3 file recovery tools were the direct result of an investigation, recovering data that led to multiple indictments and successful prosecutions.

Raised in the Open Source tradition, Hal shares his most productive tools and techniques with the community via his GitHub and blogging activity. And nobody can show you how to forensicate with Open Source tools like Hal!

Hal is a SANS faculty fellow and the creator and primary instructor for the Securing Linux/Unix (SEC506) course. In the SANS DFIR curriculum he teaches Advanced Digital Forensics, Incident Response, and Threat Hunting (FOR508), Advanced Network Forensics and Analysis (FOR572), Mac Forensics Analysis (FOR518), and Reverse-Engineering Malware: Malware Analysis Tools and Techniques (FOR610). Hal holds the GIAC certification for the following courses: GCUX, GCFA, GNFA, and GREM.

Hal is a regular contributor to the SANS Digital Forensics and Incident Response blog and co-author of the Command Line Kung Fu blog. He's a former board member for USENIX, BayLISA and BackBayLISA; former technical editor for Sys Admin Magazine; and a respected author and highly rated instructor at industry gatherings worldwide. Hal is an avid baseball fan, so in the summer you'll usually find him at his local minor league ballpark or catching up on major league games. He enjoys travel, theatre, and food (both cooking and eating), but his first priority is keeping up with the interests of his kids: Disney, gymnastics, Legos, and video games.

Get to Know Hal

  • Over 25 years of industry experience
  • Founder and Principal Consultant for Deer Run Associates
  • GIAC Certified Forensic Analyst (GCFA), Network Forensic Analyst (GNFA), Malware Analyst (GREM), and Unix Administrator (GCUX)
  • SANS Faculty Fellow and SANS' longest tenured instructor
  • Hal is a contributor to the SANS Digital Forensics and Incident Response blog

Learn more about Hal Pomeranz in this DFIR Hero interview on the SANS DFIR Blog.

Student Quotes

"Great intro to malware analysis. Hal Pomeranz, instructor, was extremely knowledgeable on the subject. Highly recommended." - Jonathon Hinson, Duke Energy

"Hal is one of the finest instructors I've ever had the pleasure the take a class from. He possesses the rare ability to bring information on cutting edge techniques to the classroom and present it in a way that makes his students comfortable with these techniques as if they were old hat." - Chris Calabrese, Medco Health Solutions, Inc.

Anuj Soni

Anuj Soni initially pursued a career fighting cybercrime for the thrill of the hunt.

"The rush of tracking bad guys and gals, uncovering their tools, and understanding their motives is just way too fun," he says. "I simply can't get enough of it."

These days, Anuj feeds his passion for technical analysis through his role as a Senior Threat Researcher at Cylance, where he performs malware research and reverse engineering. Anuj also brings his problem-solving abilities to his position as a SANS Certified Instructor, which gives him the opportunity to impart his deep technical knowledge and practical skills to students. When teaching SANS classes Reverse-Engineering Malware (FOR610) and Advanced Digital Forensics and Incident Response (FOR508), Anuj emphasizes establishing goals for analysis, creating and following a process, and prioritizing tasks.

"Tools come and go, but if you develop a process that works for you and are patient with yourself, creativity will flow," he says. "Automate what can be automated and enjoy working through the hard stuff" that is, the actual analysis.

Since entering the information security field in 2005, Anuj has performed numerous intrusion investigations to help government and commercial clients mitigate attacks against the enterprise. His malware hunting and technical analysis skills have resulted in the successful identification, containment, and remediation of multiple threat actor groups. Anuj has analyzed hundreds of malware samples to assess function, purpose, and impact, and his recommendations have improved the security posture of numerous organizations. Highly sought after as a technical thought leader and adviser, Anuj excels not only in delivering rigorous forensic analysis, but also in process development, knowledge management, and team leadership to accelerate incident response efforts. 

In addition to teaching SANS courses, Anuj frequently presents at industry events such as the U.S. Cyber Crime Conference, SANS DFIR Summit, and the Computer and Enterprise Investigations Conference (CEIC). He has bachelor's and master's degrees from Carnegie Mellon University and holds the GIAC Reverse Engineering Malware (GREM), EnCase Certified Examiner (EnCE), and Certified Information Systems Security Professional (CISSP) certifications.

When not consumed by the excitement of his day job, Anuj spends time with his growing family and enjoys photography, hitting the gym, and mixing up creative cocktails.

Qualifications Summary

  • More than a decade of experience performing forensic, malware, and network analysis.

Get to Know Anuj Soni

Student Quotes

  • "Anuj is by far the most upbeat instructor. The excitement in class is infectious." - Divyashree Joshi, DIRECTV LLC
  • "I value the time Anuj takes to make sure each student is progressing." - Shaun Gatherum, NuScale Power
  • "He's very well spoken and very knowledgeable. He kept us on task and any sidebars were related to info being taught." - Ryan Gibson, Qualcomm 

SANS Instructor References

"Anuj's technical achievements are outstanding.  As an expert in the field, he works on some really critical areas for the government, but he still has time to write for the SANS DFIR blog, tweet, and provide suggestions to improve courses.  Anuj's teaching style is extremely engaging and easily show his love of the material.  He is one of our highest rated instructors." -Rob Lee, DFIR Curriculum Lead

"I've had the opportunity to see and hear Anuj share his knowledge of malware, incident response and forensics with attendees at several SANS events. Not only does he have deep expertise in these areas, he is also a wonderful teacher. His presentation style, the manner in which he breaks down difficult concepts, and his overall demeanor resonate strongly with his listeners. Even when he covered challenging techniques, students could not escape the grip of his logic and clarity of his explanation. It shows Anuj's inherent talents as an instructor." - Lenny Zeltser, SANS Senior Instructor

Chad Tilbury

Chad Tilbury has been responding to computer intrusions and conducting forensic investigations since 1998. His extensive law enforcement and international experience stems from working with a broad cross-section of Fortune 500 corporations and government agencies around the world. During his service as a Special Agent with the Air Force Office of Special Investigations, he investigated and conducted computer forensics for a variety of crimes, including hacking, abduction, espionage, identity theft, and multi-million dollar fraud cases. He has led international forensic teams and was selected to provide computer forensic support to the United Nations Weapons Inspection Team. Chad has worked as a computer security engineer and forensic lead for a major defense contractor and as the Vice President of Worldwide Internet Enforcement for the Motion Picture Association of America. In that role, he managed Internet anti-piracy operations for the seven major Hollywood studios in over sixty countries. Chad is a graduate of the U.S. Air Force Academy and holds a B.S. and M.S. in Computer Science as well as GCFA, GCIH, GREM, and EnCE certifications. He is currently a Technical Director at CrowdStrike, specializing in incident response, corporate espionage, and computer forensics. Chad is a Senior Instructor at the SANS Institute and co-author of the FOR408 and FOR508 courses.

"Chad Tilbury is hands down the best instructor that I ever had in my 20 years of military service. Excellent job. Very relevant and up-to-date. An industry leader in this field." - Dannie Walters, US Army

"Chad's real-world examples are key part of the training. It really helps to have a knowledgeable instructor who currently works in the industry." - Roger Szulc, MDA

Watch Chad teaching Geolocation Forensics in this free SANS webcast.

Alissa Torres

Alissa Torres is a certified SANS instructor, specializing in advanced computer forensics and incident response. Her industry experience includes serving in the trenches as part of the Mandiant Computer Incident Response Team (MCIRT) as an incident handler and working on an internal security team as a digital forensic investigator. She has extensive experience in information security, spanning government, academic, and corporate environments, and holds a bachelor's degree from the University of Virginia and a master's in Information Technology from the University of Maryland. Alissa has taught as an instructor at the Defense Cyber Investigations Training Academy (DCITA), delivering incident response and network basics to security professionals entering the forensics community. She has presented at various industry conferences and numerous B-Sides events. In addition to being a GIAC Certified Forensic Analyst (GCFA), she holds the GCFE, GPEN, CISSP, EnCE, CFCE, MCT and CTT+.

Listen to Alissa discuss "Detecting Persistence Mechanisms" in this SANS webcast that every DFIR professional should listen to.

"I love the energy of Alissa Torres' presentation style." - M. Scott Saul, FBI

"Alissa kept it interesting by pulling from her past experience and demonstrated great passion for the subject." - Matt Leach

"Alissa's teaching skills are remarkable - she is great." - Serge Tumba, GE Capital

"Fantastic- Energetic- Knowledgeable" - Dennis Mooney, Vanguard

"I highly recommend Alissa and SANS computer forensics courses. In April 2015 I attended the SANS Forensics 508: Advanced Digital Forensics and Incident Response (FOR508) course. I had high expectations for the course based on my team lead's recommendation. Alissa and the course exceeded my expectations. Alissa is an outstanding instructor, and SANS FOR508 was the best information security course I have attended. She mixed energy, knowledge, and experience to keep the content productive, relevant, and interesting. I look forward to attending more SANS courses instructed by Alissa." - Chad Rager,  Computer Forensic Engineer at ManTech

Johannes Ullrich, Ph.D.

As Dean of Research for the SANS Technology Institute, Johannes is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. He founded in 2000, which is now the data collection engine behind the ISC. His work with the ISC has been widely recognized, and in 2004, Network World named him one of the 50 most powerful people in the networking industry. Prior to working for SANS, Johannes worked as a lead support engineer for a web development company and as a research physicist. Johannes holds a PhD in Physics from SUNY Albany and is located in Jacksonville, Florida. His daily podcast summarizes current security news in a concise format.



Listen to Johannes discuss "HTML5: Risky Business or Hidden Security Tool Chest for Mobile Web App Authentication" in this SANS webcast.

"Johannes has an excellent teaching approach and did a great job of fighting the brain overload later in the day." - Brad Meyers, Molina Healthcare

"Excellent teaching style! Very knowledgeable, listens to questions, will keep explaining in different examples until you understand." - Lori Stockdale, NYISO

Jake Williams

Jake Williams is a Principal Consultant at Rendition Infosec. He has more than a decade of experience in secure network design, penetration testing, incident response, forensics, and malware reverse engineering. Before founding Rendition Infosec, Jake worked with various cleared government agencies in information security roles.

Jake is the co-author of the SANS FOR610 course (Malware Reverse Engineering) and the FOR526 course (Memory Forensics). He is also a contributing author for the SEC760 course (Advanced Exploit Development). In addition to teaching these courses, Jake also teaches a number of other forensics and security courses. He is well versed in Cloud Forensics and previously developed a cloud forensics course for a US Government client.

Jake regularly responds to cyber intrusions performed by state-sponsored actors in financial, defense, aerospace, and healthcare sectors using cutting edge forensics and incident response techniques. He often develops custom tools to deal with specific incidents and malware reversing challenges.

Additionally, Jake performs exploit development and has privately disclosed a multitude of zero day exploits to vendors and clients. Why perform exploit development? It's because metasploit != true penetration testing. He found vulnerabilities in one of the state counterparts to and recently exploited antivirus software to perform privilege escalation.

Jake has spoken at Blackhat, Shmoocon, CEIC, B-Sides, DC3, as well as numerous SANS Summits and government conferences. He is also a two-time victor at the annual DC3 Digital Forensics Challenge. Jake used this experience with, and love of, CTF events to design the critically acclaimed NetWars challenges for the SANS malware reversing and memory forensics courses. Jake also speaks at private engagements and has presented security topics to a number of Fortune 100 executives.

Jake developed Dropsmack, a pentesting tool (okay, malware) that performs command and control and data exfiltration over cloud file sharing services. Jake also developed an anti-forensics tool for memory forensics, Attention Deficit Disorder (ADD). This tool demonstrated weaknesses in memory forensics techniques.

Lenny Zeltser

Lenny Zeltser is a seasoned business and tech leader with extensive information security expertise. As a product portfolio owner at NCR, he delivers the financial success and expansion of the company's security services and SaaS products. Beforehand, as the national lead of the security consulting practice at Savvis (acquired by CenturyLink), he managed the US team of service professionals, aligning their expertise to the firm's cloud solutions.

Lenny helped shape global infosec practices by teaching incident response and malware defenses at SANS Institute and by sharing knowledge through writing, public speaking and community projects. Lenny has earned the prestigious GIAC Security Expert professional designation and developed the Linux toolkit used by malware analysts throughout the world. His approaches to business and technology are built upon work experience, independent research, a Computer Science degree from the University of Pennsylvania and an MBA degree from MIT Sloan.

Lenny's expertise is strongest at the intersection of business, technology and information security and spans incident response, infosec cloud services and business strategy. To get a sense for his thought process and knowledge areas, take a look at his blog at

"Lenny presented a wealth of knowledge, tied it together smoothly, and I am leaving with exponentially more knowledge." - David Werden, NGIS