SANS Digital Forensics and Incident Response Blog

Announcing: The 2013 SANS Digital Forensics and Incident Response Summit Agenda


Tuesday, July 9, 2013


Room 1

Room 2




Registration | Networking Breakfast




Welcome and Introduction to the 2013 Digital Forensics and Incident Response Summit

  • Rob Lee & Alissa Torres - Summit Chairs, Digital Forensics and Incident Response Summit




Digital Forensics and Incident Response Summit - Keynote Address - TBA

9:10am - 9:20am

Networking Break

9:20am - 10:20am

Title: File system journaling forensics theory, procedures and analysis impacts

  • David Cowen with Matthew Seyer, G-C Partners, LLC

Title: Mining for Evil

  • John McLeod - Manager, Incident Response Team
  • Mike Pilkington - Senior Consultant, Incident Response Team
10:20am - 10:40am

Networking Break

10:40am - 11:40am

Title: The "Trusted" Insider Theft of Intellectual Property and Trade Secrets

  • Warren G. Kruse II - VP, Altep, Inc.
  • Michael Barba - Managing Director, BDO
  • George Wade - Senior Manager, Booz Allen

Title: Volatile IOCs for Fast Incident Response

  • Takahiro Haruyama, Forensic Investigator, Internet Initiative Japan Inc.

Lunch & Learn

12:40pm - 1:40pm

Title: Johnny AppCompatCache: the Ring of Malware

  • Jeff Hamm - Senior Consultant, MANDIANT
  • Mary Singh - Senior Consultant, MANDIANT

Title: iOS Device Forensics on a Budget

  • Brian Moran - Digital Forensic Analyst, CyberPoint, LLC

1:40pm - 2:40pm

Title: (Mostly) Open Source DFIR - A Toolkit for End-to-End Investigations

  • David Kovar - Manager, Advisory Center of Excellence, Ernst & Young

Title: Offence informs Defense, or does it?

  • Jeff Brown - Director of Cyber Operations, Cyber Clarity

2:40pm - 3:00pm

Networking Break

3:00pm - 4:00pm

Title: Open Source Threat Intelligence

  • Kyle Maxwell - Senior Analyst, Verizon Business

Title: Cyber Nightmares: Red October & Shamoon

  • Harold Rodriguez - Malware Reverse Engineer, General Dynamics Fidelis Cybersecurity Solutions

4:00pm - 5:00pm

Title: Automating Malware Analysis with Cuckoo Sandbox

  • Claudio Guarnieri - Security Researcher, Rapid7

Title: "My name is Hunter, Ponmocup Hunter"

  • Tom Ueltschi - Security Officer, Swiss Post

5:00pm - 6:00pm

Title: Hunting Attackers with Network Audit Trails

  • Tom Cross - Security Researcher, Lancope
  • Charles Herring - Security Researcher, Lancope

Panel Title: Women in DFIR Panel

Panelists:

  • Stacey Edwards
  • TBA
  • TBA
  • TBA




Wednesday, July 10, 2013


Networking Breakfast


Room 1

Room 2

8:00am - 8:30am

Title: Forensic 4Cast Awards

8:30am - 9:30am

Title: Autopsy 3: Extensible Open Source Forensics

  • Brian Carrier - VP of Digital Forensics, Basis Technology

Title: Timeline Analysis by Categories

  • Corey Harrell - IT Specialist III, New York Office of the State Comptroller

9:30am - 10:30am

Title: Detecting data loss from cloud synchronization applications

  • Jake Williams - Principal Consultant, CSRgroup Computer Security


Title: A Day in the Life of a Cyber Tool Developer

  • Jonathan Tomczak - Chief Information Officer, TZWorks, LLC


10:30am - 10:50am

Networking Break

10:50am - 11:50pm

Title: Proactive Defense

  • Adam Meyers - Director of Intelligence, CrowdStrike, Inc

Title: The 7 Sins of Malware Analysis

  • Dominique Kilman, Malware Analyst, KPMG LLP

Lunch & Learn

Title: Plaso — Reinventing the Super Timeline

  • Kristinn Gudjonsson - Senior Security Engineer, Google

Title: Facilitating Fluffy Forensics (a.k.a. Considerations for Cloud Forensics)

  • Andrew Hay - Chief Evangelist, CloudPassage, Inc.

2:00pm - 3:00pm

Title: Timeline creation and review, GUI style!

  • David Nides, Manager, Forensic Technology Services KPMG LLP


Title: Building, Maturing, and Rocking a Security Operations Center

  • Brandie Anderson - Manager, Security Operations Center and Security Delivery Operations, Hewlett-Packard


3:00pm - 4:00pm

Title: ICS, SCADA, and Non-Traditional Incident Response

  • Kyle Wilhoit - Threat Researcher, Trend Micro

Title: Restoring Credential Integrity after an Enterprise Intrusion

  • James Perry - Lead Associate, Booz Allen Hamilton
  • Anuj Soni - Lead Associate, Booz Allen Hamilton

Networking Break



In one hour, 10-12 Digital Forensics and Incident Response experts will discuss the coolest forensic technique, plugin, tool, command line, or script they used in the last year that really changed the outcome of a case they were working on. If you have never been to a lightning talk, it is an eye-opening experience. Each speaker has 360 seconds (6 minutes) to deliver their message. This format allows SANS to present 10-12 experts within one hour, instead of the standard one presenter per hour. The compressed format gives you a clear and condensed message, eliminating the fluff. If the topic isn't engaging, a new topic is just 6 minutes away.

Don't be a script kiddie - Kyle Maxwell, Verizon

Hunting and Sniper Forensics - Jason Lawrence

Incident Readiness - Top 10 Keys to a Successful Forensic Investigation - J Jewitt

Social Media Forensics - Brian Lockrey

Finding Evil Everywhere: Combining host-based and network indicators - Alex Bond

Chasing Malware, Not Rainbows - Frank McClain

Raising Hacker Kids - Joseph Shaw

TBA - Hal Pomeranz

A Decade of Trends in Large-Scale Financial Cyber Breaches - Ryan Vela

Reconstructing Reconnaissance - Mike Sconzo

Advanced Procurement Triage - Michael Ahrendt


Summary & Closing Remarks

Rob Lee & Alissa Torres - Summit Chairs, Digital Forensics and Incident Response Summit

Please note: The DFIR SUMMIT agenda is subject to change at any time.