SANS Digital Forensics and Incident Response Blog

NCS vs DRN: ToorConX

Recently, a coworker and I were privileged with the opportunity to speak at the ToorConX seminars on the topic of digital forensics. It was a 75 minute talk, to a smaller group the day before the main conference was to start. It was structured to be an environment with significantly more interaction between the audience and the presenter.ToorCon

Coming into this sort of talk, the biggest problem is "What do I cover?". It would be foolish to think you are going to be able to have anyone come into the room having never been exposed to forensics in the past and walk out an expert. And at these sort of cons, you have many people that don't work in the field full time but rather have to go into it from time to time due to the circumstances around their job. When everyone is a pen-tester, it can be hard to wow the world with investigations.

In preparation for the day, Matt and I put together a program with roughly 20 minutes of "soft topics" surrounding computer forensics. After that, we went into some technical demonstration, including memory forensics, network forensics, and an examination of an exploited Windows server. We both felt pretty good about this, as we expected the audience to be mostly interested in technical, "hard", topics.

When we started to give the talk, we had a small room filled to the brim with people. This was a great setting, allowing us to have a lot of interaction with everyone. We started the talk out letting everyone know that the slides were a guideline. As long as we talked about items that were interesting to everyone, and this was engaging, I would be happy.

Odd thing is, they really took me seriously.

Right away, we went off the rails. Questions started coming in that had nothing to do with the slides we were showing. It was great. For everyone in the audience, let me thank you again for being awake and interactive during the session. We spent the entire 75 minutes on soft topics, never got to one technical demo. But we had wonderful discussion.

Here is what I found interesting. The audience did not care about the tech. What they wanted to know about was how to handle evidence, how to get evidence introduced to court, if evidence can be changed as long as the change is documented, best ways to collect the evidence, how process should be structured, etc. All adult questions, this audience was not there to be wowed by wiz-bang "look what I can do" demo. They had areas that were gray to them, and were looking for input.

To me, the lesson here goes back to the theme of my blog posts here. The tech is sometimes the easy part, and it is certainly the most fun part, of this work. But the Dull, Repetitive, and Necessary topics are the ones that we need more direction on, more discussion on.

As a side note, if you have never been to ToorCon, I highly recommend it. Perfect sized conference, giving everyone a chance to meet and greet each other. I was very impressed.

Jim O'Gorman, GCFA Silver 1356, works for Continuum Worldwide and lives at You can reach Jim at