SANS Lethal Forensicator Coins

Hundreds of SANS Institute digital forensics students have stepped up to the challenge and emerged victorious. They've mastered the concepts and skills, beat out their classmates, and proven their prowess. These are the elite, the recipients of the SANS Lethal Forensicator Coin, an award given to a select few among the thousands of students who have taken any of the SANS Institute Digital Forensics or Incident Response (DFIR) courses. Lethal Forensicator Coins are awarded to those who show exceptional talent, make outstanding contributions to the field, or demonstrate leadership in the digital forensics profession and community. The coins are a challenge to win and an honor to receive. They are also intended to be rare.

Challenges for the Coins are held on the final day of each course. Students must successfully overcome several obstacles, directly compete against fellow students, and prove their proficiency during timed, hands-on incidents. The obstacles, competitions, and hands-on scenarios have been created by SANS's top instructors, who are digital forensics practitioners, subject-matter experts, experienced teachers, and industry leaders in their own right. At the end of the challenge the instructor announces the winner(s) and awards them their coins. The winners are later listed on the SANS Institute's virtual wall of Lethal Forensicator Coin Holders.

Holders of the Lethal Forensicator Coins are properly trained incident responders or investigators who sometimes represent the only defense an organization has in place during a compromise or a complex digital investigation. These analysts know what they are up against and continually strive to further not only their own knowledge, but also the knowledge of the entire digital forensics field. They are proactive in sharing their experience and encouraging learning through participation in the community. They stay ahead of the curve by constantly seeking new knowledge. Often, they are the leaders in the digital forensics and incident response community.

DFIR Course Challenge Coins

  • FOR308: Digital Forensics Essentials
    "Scientia Vincit:" Knowledge is Key
    When it comes to success, knowledge is key. Digital forensic professionals always face many challenges during their investigations and usually must rely on their fundamental skills to succeed. These skills are often what allow investigators to innovate and come up with ways to unveil the truth. These foundational concepts can also affect the outcome of any investigation and therefore can affect lives. We must train with that responsibility in mind.

  • FOR498: Battlefield Forensics & Data Acquisition
    "Consector Scientia Intro Strepitus:" Seek Knowledge in the Noise
    Elite responders understand that when bad things happen, seconds matter. Quick and accurate data acquisition is not only key to any investigation but could save a life. There is typically only one shot to obtain the data that can be used as evidence. Seek the data in the noise, arm yourself with the knowledge, and prepare to win in the battlefield of forensics.

  • FOR500: Windows Forensic Analysis
    "Ex Umbra in Solem:" From the Shadows into the Light
    In today's digital world, forensics plays a critical role in uncovering the truth. Forensic examiners shine light on the facts of the case, making good decisions possible. The forces of evil unceasingly develop new ways to hide their activities, making it critical that we continually improve our skills to counter them.

  • FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting
    "Non Potestis Celare:" You Cannot Hide
    The most successful incident response teams evolve rapidly due to their near-daily interaction with adversaries. New tools and techniques are constantly being developed, providing better visibility and making the network more defensible. Adversaries can no longer hide.

  • FOR610: Reverse-Engineering Malware
    "R.E.M.:" Reverse-Engineering Master
    Attackers today are modifying their malware with increasing frequency to bypass antivirus and other endpoint controls. Through reverse-engineering, R.E.M. professionals can isolate the most appropriate Indicators of Compromise to identify and stop malware.

  • FOR585: Advanced Smartphone Forensics
    "Omnis Tactus Vestigium Relinquit:" Every Contact Leaves a Trace
    Knowing how to recover all of the data residing on a smartphone is now an expectation in the digital forensics field. Examiners must understand the fundamentals of smartphone handling, data recovery, accessing locked devices, and manually recovering data hiding in the background on the device. There are traces of evidence hiding on the device, and the holders of this coin know how to find them.

  • FOR572: Advanced Network Forensics Analysis
    "Malum Loquitur, Bonum Auscultat:" Evil Must Talk, So Good Must Listen
    Network forensic professionals are hunters with great vision who can find a target amidst a mass of camouflaging data. Wisdom, experience, and stealth are all embodied by the owl's watchful, unwavering eye that seeks its prey under the cover of darkness. No matter how crafty adversaries may be, their communications will allow the hunter to identify, find, and ultimately eliminate their presence.

  • FOR518: Mac Forensics
    "Impera magis. Aliter cogita": Command more and think differently.
    Apple users have always thought differently, and that goes for Apple forensicators too. The analysts who hold this coin take command of their forensic analysis and appreciate looking at the raw data and interpreting it correctly without the necessity of superfluous tools. Knowing where you came from can help you move forward; this is where the hat tip to the original colored Apple logo comes in. New artifacts are presented to analysts in every OS update, and the knowledge of historic elements may provide insight.

  • FOR578: Cyber Threat Intelligence
    "Hominem unius libri timeo": I fear the man of one book.
    FOR578 is all about developing analytical skills: thinking critically and expanding our views, a skill that applies to any security profession. The quote is attributed to Thomas Aquinas, and despite the common use of the phrase (which is meant to deride the person who is not well studied across multiple subjects), the original meaning was to state that a person who understood one good book well could defeat their opponent. Thus, this phrase can be interpreted in two entirely different ways. Both are about self-education and broadening our views on the world.

  • FOR526: Memory Forensics In-Depth
    "Cur mihi oculi dolent?" Why do my eyes hurt?
    Memory forensics reveals deeper insights into the state of a compromised system and stands as the best source for detection of malware and OS/process manipulation/subversion. These analysis methods reveal key evidence which may not be uncovered through querying the operating system or digging through network packets. This quote comes from the original Matrix movie, a question Neo asks of Morpheus when he first wakes from his life in the artificial reality created by sentient machines. It is this awakening and raw view of reality that we as forensic examiners/incident responders strive to achieve through deeper analysis of system memory.

DFIR Challenge Coin Back Design

  • Each Lethal Forensicator Challenge Coin features the same back design, which shows digital forensicators fighting evil in their superhero form.

  • DFIR NetWars
    Staying up to date on the latest challenges in the digital forensics field demands analytical skills that cannot be gained by just reading a textbook. Just like firefighters could never learn the skills to combat a fire by just studying theory, incident responders, threat hunters, and digital forensic investigators must test their skills in action, as they do with DFIR NetWars.

History of the SANS Challenge Coins

SANS Challenge Coins were initially created to recognize students who demonstrate exceptional talent, make outstanding contributions, or serve as leaders in the digital forensics profession and community. The coin is meant to be an honor, and it is intended to be rare. The SANS Institute uses the coins to identify and honor those who excel at detecting and eradicating threats, understand the critical importance of cybersecurity, and continually strive to further not only their own knowledge but also that of the entire digital forensics field. They proactively share their experience and encourage learning through participation in the community, and they are typically leaders in the digital forensics and incident response community.

Legacy SANS DFIR Challenge Coin

The original DFIR Lethal Forensicator coin has been retired with the release of the class-specific coins listed above. However, the holders of this coin are still as worthy of respect for their accomplishments. If you encounter a holder of this coin in the field, you've found an original.

History of the Word "Forensicator"

The term "forensicator" was coined by BJ Lachner and popularized when it was used in the legendary "Forensicator Pro" Cyberspeak Podcast on 1 April 2007 with SANS instructor Ovie Carroll and Brett Padres. In that tongue-in-cheek podcast, Ovie and Brett described a tool called "Forensicator Pro" that would put forensic analysts out of business and was "viewed by many in the community as the end of human involvement in computer forensics examinations." As Brett described it: "Basically you press a button, you point it at an image, and the tool outputs a full forensic examination and report that is perfect." The episode was released as an April Fools' Day joke about what many in the field call "Nintendo Forensics," which relies too much on automated examinations versus traditional analysis, resulting in poor reports. But to this day, Brett and Ovie still receive emails asking where "Forensicator Pro" can be purchased and downloaded!

The term "forensicator" stuck and today is used by many computer forensics and incident response firms to describe individuals who essentially perform the same type of work as the mythical "Forensicator Pro" would have done. The forensicator label has grown in popularity among digital forensic professionals in the workplace, at conferences, and while sharing a cold one with a friend. Here are a few examples:

"Coin Check" Challenge

Initiated by one coin holder to another, a coin check typically begins by a challenger holding his or her coin in the air or slamming it on a table and yelling "coin check!" All who are challenged must respond by showing their coins to the challenger within 10 seconds, and whoever fails to do so must buy everyone a round of drinks. If all the challenged coin holders produce their coin, the challenger must buy the round of drinks. (By the way, if you accidentally drop your coin and it makes an audible sound on impact, then you've "accidentally" initiated a coin check. And there are no exceptions to the rules!)

Ways to Earn Lethal Forensicator Coins

There are other ways to win the DFIR Challenge coins besides being an exceptional DFIR student or winning the classroom challenges. Any GOLD GCFA/GREM/GCFE holder who has written a published white paper that has furthered the field of research in Digital Forensics receives a coin, as do SANS Digital Forensics Blog authors who have written six published entries over a one-year span. In addition, speakers and panelists who participate in a SANS Digital Forensic Summit are awarded coins (vendors and vendor-related speakers are not eligible). Finally, any coin holder can nominate an individual in the digital forensics field who has contributed knowledge, tools, or service.

Please contact if you immediately qualify based on any of the criteria above to receive your coin.

What to Do If Your Name Is Missing from the Lethal Forensicator Coin Holder List

  • Please email
  • Include the event name, year/month, class, and instructor
  • If possible, please include a picture of your coin
  • It might take up to a week after the event to have your name posted, so please be patient.

Email if you have any questions regarding coins.