SANS Computer Forensic Instructors are real-world practitioners who specialize in the subjects they teach. All instructors undergo rigorous training and testing before earning SANS Certified Instructor status. This helps us guarantee that what you learn in class will be up-to-date and relevant to your job.
"The instructor was very helpful in making sure that the class has a good understanding of the information covered to date." - Debbie Moeker, 3M
Rob Lee is an entrepreneur and consultant in the Boston area, specializing in information security, incident response, threat hunting, and digital forensics. Rob is currently the curriculum lead and author for digital forensic and incident response training at the SANS Institute in addition to owning his own firm. Rob has more than 18 years of experience in digital forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response.
Rob graduated from the U.S. Air Force Academy and served in the U.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on information operations. Later, he was a member of the Air Force Office of Special Investigations (AFOSI) where he led a team conducting computer crime investigations, incident response, and computer forensics. Prior to starting his own firm, he directly worked with a variety of government agencies, U.S. Department of Defense, and intelligence communities as the technical lead for a vulnerability discovery and an exploit development team, lead for a cyber forensics branch, and lead for a digital forensic and security software development team. Rob was also a director for MANDIANT, a company focused on investigating advanced adversaries, such as the APT, for five years prior to starting his own business.
Rob co-authored the book Know Your Enemy, 2nd Edition. Rob earned his MBA from Georgetown University in Washington DC. Rob is also a co-author of the MANDIANT threat intelligence report M-Trends: The Advanced Persistent Threat.
George Bakos has been interested in computer security since the early 1980s when he discovered the joys of BBSs and corporate databases. These days he is Technical Fellow & Manager of Cyber Threat Assessment & Awareness at Northrop Grumman, a global leader in Cybersecurity, Aerospace & Defense. While at the Institute for Security Technology Studies, George was the developer of Tiny Honeypot and the IDABench intrusion analysis system and led the Dartmouth Distributed Honeynet System, fielding deception systems and studying the actions of attackers worldwide. He developed and taught the U.S. Army National Guard's CERT technical curriculum and ran the NGB's Information Operations Training and Development Center research lab for two years, fielding and supporting Computer Emergency Response Teams throughout the United States. A recognized authority in computer security, he has contributed to numerous books and open source software projects; has been interviewed on radio, television, and online publications; briefed the highest levels of government; and has been a member of the SANS Institute teaching faculty since 2001. Outside the lab, George enjoys the beauties of his home state, Vermont, through skiing, ice and rock climbing, and mountain biking.
"George teaches you practical skills and provides real-world examples of IT security issues." - Mark Lian, Northrop Grumman
Rebekah Brown is the threat intelligence lead for Rapid7, supporting incident response, analytic response, global services, and product support. She is a former NSA network warfare analyst, U.S. Cyber Command training and exercise lead, and Marine Corps crypto-linguist who has helped develop threat intelligence programs at the federal, state, and local levels as well as in the private sector at a Fortune 500 company. She has an associate's degree in Chinese Mandarin, a B.A. in international relations, and is wrapping up an M.A. in homeland security with a cybersecurity focus and a graduate certificate in intelligence analysis.
Carlos Cajigas has his heart fully invested in his work. Following the terrorist attacks on September 11, 2001, Carlos was inspired to pursue a career in law enforcement in order to combine his passion for computers with his sense of duty to protect victims of cybercrime and make the world a safer place. Today, Carlos has expanded his pursuits to include being an instructor and blogger, enabling him to share his knowledge and experience with others interested in pursuing a career in digital forensics.
A native of San Juan, Puerto Rico, Carlos began his career with the West Palm Beach Police Department in Florida, first as a police officer and eventually as a digital forensics detective, examiner, and instructor specializing in computer crime investigations. During his law enforcement tenure, Carlos conducted examinations on hundreds of digital devices, from computers and mobile phones to GPS devices, and served as both a fact and expert witness in the State of Florida. In 2013, Carlos taught mobile forensic courses in Latin America for the U.S. State Department's Anti-Terrorism Assistance Program.
Today, Carlos is a senior incident response analyst at IBM, where he is responsible for responding to computer and network security threats for clients located in North and South America. Carlos also teaches FOR408: Windows Forensic Analysis at the SANS Institute, where he brings his experience with law enforcement forensics and enterprise incident response to the classroom.
"My teaching philosophy is simple," Carlos says. "I strive to empower each student by developing their ability to conquer knowledge of a forensic technique, using demonstrations and the sharing of real-life applications and implications as to why a technique is important. I want my students to know which specific artifacts to analyze regardless of the tool chosen for the analysis."
Digital crime has increased dramatically in recent years, and hard drive sizes have expanded exponentially, greatly increasing the number of cases and devices that need to be analyzed.
"The days of imaging and processing extremely large hard drives for hours before beginning analysis are a thing of the past," says Carlos. "Taking into consideration limited resources and manpower, today's examiners must be as efficient as possible in what we do and how we do it."
To help students overcome these challenges, Carlos shares techniques in his classes on how to directly target specific files and folders that can yield the biggest amount of answers in the least amount of time. "That way you can have answers within minutes rather than within hours," he says.
Carlos has been involved in hundreds of cases and helped obtain numerous convictions using many of the techniques he teaches in class. As an investigator, he gets great satisfaction knowing that he did his part in protecting victims. As a teacher, seeing students grasp his explanation of an artifact can be just as satisfying, knowing that he is preparing them for the challenges of the future.
Carlos holds bachelor's and master's degrees from Palm Beach Atlantic University in Florida, and has completed numerous training courses, including courses offered by Guidance Software (EnCase), the National White Collar Crime Center (NW3C), Access Data (FTK), the United States Secret Service, the International Association of Computer Investigative Specialists (IACIS), and SANS.
Carlos also holds numerous certifications in the digital forensics field, including EnCase Certified Examiner (EnCE), Certified Digital Forensic Examiner (CDFE) from Mile2, Access Data Certified Examiner (ACE), Certified Forensic Computer Examiner (CFCE) from IACIS, and the GIAC Certified Forensic Analyst (GCFA) and GIAC Certified Forensic Examiner (GCFE) from SANS. Carlos is a Florida Department of Law Enforcement (FDLE) certified instructor with experience teaching digital forensic classes. He is an active member of both the International Association of Computer Investigative Specialists (IACIS) and Miami Electronic Crimes Task Force (MECTF).
Carlos also maintains a computer forensics blog aimed at helping other digital forensic examiners use free open-source Linux-based tools to do their jobs. He hopes to develop and increase awareness in this area and believes that open-source tools can provide examiners with alternatives to, or a supplement for, commercial software.
During his free time, Carlos throws his passion into his pursuit of designing and baking the best homemade pizza.
- More than 12 years of experience in digital forensics, both as a law enforcement officer and as an incident responder for IBM.
- Instructor for FOR408: Windows Forensic Analysis at the SANS Institute
Get to Know Carlos Cajigas:
- Carlos' blog
- eForensics Magazine Network article Recovering IE History Using Pasco in Linux Ubuntu 12.04, published August 22, 2012
- Carlos Cajigas - Forensics with Open Source Tools blog, started January 1, 2012
- Christa Miller Interview with Carlos Cajigas, July 2012 - Cellebrite Mobile Forensics Blog
- Eric Huber Interview with Carlos Cajigas, November 2012 - A Fistful of Dongles Digital Forensics Blog
- Listen to Carlos discussing Linux Forensics in the "Crimen Digital" Podcast (Spanish)
Here is what students are saying about SANS Instructor Carlos Cajigas:
- "The instructor has a great teaching style. He is able to balance course content with personal experience in an efficient manner (to not waste time in class). He explains complex concepts very well." - Luis Martinez, Westchester District Attorney's Office
- "One of the best instructors I have had." - Patrick O'Leary, NCDOC
- "Carlos is a great instructor with a lot of energy to drive the point home." - Jason Hultman, Diplomat Pharmacy
- "Great instructor, very experienced in teaching a wide audience." - Brian Plummer, CACI
For Ovie Carroll, digital forensics is all about the hunt for evidence in digital places that are hiding critical clues, followed by deep analysis to prove something that the evidence was never intended to prove. That's why Ovie, a cybercrime expert and veteran law enforcement officer, loves teaching the SANS FOR408 Windows Forensic Analysis course.
"I love exposing students to how exciting digital investigative analysis is," Ovie says. "My passion is for digital evidence and digital investigative analysis. I leverage my abilities, expertise, and my current experience with the U.S. Department of Justice to see across investigative activities around the world, use that vantage point to see the whole picture of where we are in digital investigative analysis and cybercrime fighting, and identify the future challenges in both investigative practices and the courts. And I try to bring all of that to my students."
Ovie's students are clearly getting what he's bringing - many of them finish his classes with renewed career plans. "They leave my class saying that they originally had no intention of going into digital evidence but now see it is more exciting than any other aspect of cybercrime fighting or incident response," he says.
Ovie's teaching philosophy centers on sharing and demonstrating his passion for digital investigative analysis. Drawing on 31 years of law enforcement and cyber investigation experience, his dynamic presentations not only deliver the technical material but also show how each digital artifact can be used to help solve cases.
Ovie's career in digital forensics has its roots in his years-long interest in computers - how they work, and how they can be and are being used in everyday life. Of particular interest is how companies are collecting, manipulating, analyzing, and monetizing people's every behavior online. "I am always interested in investigating how we can possibly tap into the information computers and companies are collecting to use it for good and to bring justice to victims," he explains.
In addition to teaching digital forensics at SANS and co-authoring the FOR408 Windows Forensic Analysis course, Ovie is the Director of the Cybercrime Lab of the Computer Crime and Intellectual Property Section (CCIPS) at the Department of Justice (DOJ). The lab provides advanced computer forensics, cybercrime investigation, and other technical assistance to DOJ prosecutors to support implementation of the department's national strategies for digital evidence and to combat electronic penetration, data theft, and cyberattacks on critical information systems. He also teaches two classes as an adjunct professor at George Washington University in Washington, DC.
Prior to joining the DOJ, Ovie was a Special Agent in Charge overseeing the Technical Crimes Unit of the Postal Inspector General's Office, where he was responsible for all computer intrusion investigations within the postal service network infrastructure and for providing all digital forensic analysis in support of criminal investigations and audits. He also served as a special agent in the Air Force Office of Special Investigations, investigating computer intrusions and working both general crimes and counterintelligence as well as conducting investigations into offenses including murder, rape, fraud, bribery, theft, and gangs and narcotics.
Computers are front and center in Ovie's free time as well, but he also enjoys plenty of offline activities, including public speaking, scuba diving, travel, and meeting new people.
- 31 years of law enforcement experience and over 20 years of cyber investigative experience
- Director of the Cybercrime Lab of the Computer Crime and Intellectual Property Section (CCIPS) at the Department of Justice (DOJ)
- Adjunct professor at George Washington University
- FOR408 Windows Forensic Analysis co-author and instructor
Get to Know Ovie Carroll:
- Co-host of the Cyberspeak Podcast
- In the News - NYC4SEC Meetup with Ovie Carroll
- Author of Challenges in Modern Digital Investigative Analysis, the U.S. Attorney's Bulletin on Forensic Science and Forensic Evidence I, January 2017
- Co-author of the section on Using "Digital Fingerprints" (or Hash Values) for Investigations and Cases Involving Electronic Evidence of the U.S. Attorney's Bulletin on Gang Prosecution
- Co-author of Computer Forensics: Digital Forensic Analysis Methodology, U.S. Attorney's Bulletin on Computer Forensics
- Co-author of Managing Large Amounts of Electronic Evidence, U.S. Attorney's Bulletin on Computer Forensics
- Co-author of Rethinking the Storage of Computer Evidence, U.S. Attorney's Bulletin on Computer Forensics
This is what students are saying about SANS Principal Instructor Ovie Carroll:
"Ovie is just an awesome instructor. He has a wealth of knowledge and really made the course a live and exciting joy." - Mohamed Abdelsalam, Glencore
"Ovie has got this thing down, pat! He is informative, personal, very very knowledgeable, and, entertaining on top of it all! Really enjoy his teaching methods." - Mike Bowden, Boeing
"Ovie is a great instructor, always has an answer to any question." - Brian Pitchford, Marriott
"He is wonderful. It is high energy. Keeps the student alert." - Selean Jones, Verizon
"Very energetic and extremely knowledgeable. Great instruction and content. Keep up the good work Ovie, it shows in the way you teach that you are very passionate about teaching forensics. I will take additional SANS DFIR classes, but for the money, I will make certain Ovie is teaching. You're just not gonna find an instructor as engaged/entertaining/knowledgeable as Mr. Carroll. Very outstanding instruction." - Chad Gish, Metro Nashville PD
"Great class! The hands-on training exercises, SANS material, plus real-life examples have been a tremendous help, especially since I have limited experience." - Jamie Schroeder, John Deere
Michael is the lead analyst for Lockheed Martin CIRT's Intel Fusion team, charged with collecting and managing intelligence on adversaries intent on stealing the organization's intellectual property, and development of new detection and analysis techniques. Michael has worked as a security analyst in various sectors including the Financial, Federal Government, and Defense industries. He has an undergraduate degree in Computer Engineering from the University of Dayton, an MS in Computer Science from The George Washington University, has received a variety of industry certifications including SANS GCIA, GREM, and GCFA, and is a SANS Forensics and IR blog contributor. Michael's past speaking engagements include the DC3 Cybercrime Conference, IEEE, and SANS amongst various others.
"Mike Cloppert rocks. Obviously very smart and passionate about what he does." - Nate DeWitt, eBay
David Cowen is a Certified SANS Instructor and a Partner at G-C Partners, LLC, where his team of expert digital forensics investigators pushes the boundaries of what is possible on a daily basis. He has been working in digital forensics and incident response since 1999 and has performed investigations covering thousands of systems in the public and private sector. Those investigations have involved everything from revealing insider threats to serving as an expert witness in civil litigation and providing the evidence to put cyber criminals behind bars.
David has authored three series of books on digital forensics: Hacking Exposed Computer Forensics (1st-3rd editions), Infosec Pro Guide to Computer Forensics, and the Anti Hacker Toolkit (Third Edition). His research into file system journaling forensics has created a new area of analysis that is changing the industry. Combined with Triforce products, David's research enables examiners to go back in time to find previously unknown artifacts and system interactions.
David speaks about digital forensics and file system journaling forensics at DFIR and Infosec conferences across the United States. He has taught digital forensics both as a SANS instructor and as a graduate instructor at Southern Methodist University.
David is a Certified Information Systems Security Professional (CISSP) and a GIAC Certified Forensic Examiner. He is the winner of the first SANS DFIR NetWars and a SANS Lethal Forensicator whose passion for digital forensics can be seen in everything he does. He started in 1996 as a penetration tester and has kept up his information security knowledge by acting as the Red Team captain for the National Collegiate Cyber Defense Competition for the last nine years.
David is the host of the Forensic Lunch, a popular DFIR podcast and live YouTube show, and the author of the award-winning Hacking Exposed Computer Forensics Blog. The blog (www.hecfblog.com) contains some 448 articles on digital forensics. David is a two-time Forensic 4cast award winner for both Digital Forensic Article of the Year and Digital Forensic Blog of the Year. The Forensic 4cast award winners are nominated by their peers and voted on by the greater DFIR community.
When David is not researching, writing, testifying, or teaching about digital forensics he spends time with his family and working on mastering Texas BBQ.
"David Cowen rocks. He is funny. He is friendly and extremely knowledgeable." - Bob Akin, SAIC
"David was awesome, brilliant, and entertaining to learn from." - Jonathan Reitnauer, Vanguard
"I have had the pleasure of teaching with David multiple times and working with him in the forensics field. David's passion and knowledge have made him one of the leading minds and innovators in the digital forensics community. I saw many students loving David's open approach to teaching and the fact you could tell he really cared that they learn and understand the material. He is one of the finest instructors I have had the pleasure of working with. He is one of the best I've seen." - Rob Lee, SANS DFIR Lead
Listen to David Cowen's industry-changing research, released on Windows USN Journal Analysis, for real-time tracking of a suspect's activity on a Windows system.
Learn more about David Cowen in this DFIR Hero interview on the SANS DFIR Blog.
A self-described Mac nerd, Sarah Edwards is a forensic analyst, author, speaker, and both author and instructor of SANS FOR518: Mac Forensic Analysis. She has been a devoted user of Apple devices for many years and has worked specifically in Mac forensics since 2004, carving out a niche for herself when this area of forensics was still new. Although Sarah appreciates digital forensics in all platforms, she has a passion for working within Apple environments and is well known for her work with cutting-edge Mac OS X and iOS, and for her forensic file system expertise.
Sarah's dynamic classroom and presentation skills have been heralded by both her students and colleagues. She keeps students interested and engaged. Sarah has more than 12 years of experience in digital forensics, and her passion for teaching is fueled by the ever-increasing presence of Mac devices in today's digital forensic investigations. Given the complexity of most cases and the high probability that an OS X or iOS device will be a part of an investigation, deep knowledge of these operating systems is crucial to ensure that forensic analysts grasp all the information required in a case and do not omit valuable data.
"Apple devices will continue to grow in popularity, and digital forensic investigators and analysts must start paying more attention to them," Sarah explains. "Windows analysis is the base education in the field of digital forensics, and any additional skills you can acquire set you apart from the crowd, whether it is Mac, mobile, memory, or malware analysis."
Sarah has worked with federal law enforcement agencies on a variety of high-profile investigations in such areas as computer intrusions, criminal cases, counter-intelligence, counter-narcotics, and counter-terrorism. Her research and analytical interests include Mac forensics, mobile device forensics, digital profiling, and malware reverse engineering.
A frequent presenter, Sarah has spoken at industry conferences including Shmoocon, Enfuse (formerly known as CEIC), DEF CON, BSides New Orleans, BSides Las Vegas, and the SANS DFIR Summit. She has a bachelor's degree in information technology from the Rochester Institute of Technology and a master's in information assurance from Capitol College. Beyond her deep interest in digital forensics and anything Mac, Sarah loves cooking, reading tech books, traveling anywhere, and "making things work".
Here's What Students Are Saying about SANS Certified Instructor Sarah Edwards:
- "Sarah knows her stuff. This course gets better each day. Very useful information. Well-formed course." - Anthony Cifaretto, Verizon
- "Sarah gave another great day of presentations - her knowledge is impressive." - Ben Keck, Ciena
- "Very comprehensive in-depth coverage of the course topic. Excellent reference materials as a take-away." - Jennifer Barnes, Indiana State Police
- "Sarah Edwards has spent the last several months putting the (FOR518) material together and I have to say that it is fantastic. The content is very detailed and provides excellent information. I have a fair amount of experience investigating Apple systems. In fact, Apple products appear to be the core (get it?) of what we do these days. As such I would not have expected to learn as much as I did but there were times this week when my jaw dropped at one of Sarah's revelations or one of Hal Pomeranz's demonstrations. I learned a great deal and am delighted at the fact that I was able to attend." - Lee Whitfield, 4:cast
SANS Instructor Endorsements:
"Sarah's expertise in authorship and instructing has led to the successful addition of the FOR518 Mac course to our lineup. Sarah's classroom and presentation skills continuously pull in record scores. She is absolutely the best at her trade." - Rob Lee, SANS Fellow and DFIR Curriculum Lead
"Sarah is clearly the Mac subject-matter expert who has designed a top-notch course. She handles student questions with the expertise and grace of the seasoned instructor she is." - Ovie Carroll, SANS Certified Instructor
"Sarah did an amazing job producing an incredibly detailed technical course on Mac Forensics. And then she shows up every time to teach and knocks it out of the park. Students can't help but respond to her total mastery of the material and enthusiasm for the subject matter." - Hal Pomeranz, SANS Fellow
- More than 12 years of Mac forensics experience
- More than 8 years' experience teaching in digital forensics
- FOR518 Mac Forensics Analysis course and author statement
Get to Know Sarah Edwards:
- Sarah's blog
- Digital Forensic Research Workshop (DFRW), Associate Program Committee since February 2014
- SANS 2014 Difference Maker Award, SANS Institute National Cyber Innovation Awards, December 2014
- Listen to Sarah discuss Mobile Forensics in the recent webcast iPhone Forensics - Separating the Facts from Fiction. A Technical Autopsy of the Apple/FBI Debate.
Mathias is a Community SANS instructor of the FOR508 - Advanced Digital Forensics and Incident Response course. He is currently head of CyberDefence at InfoGuard AG. Previously Mathias worked for Mandiant, a FireEye company, as an Incident Response Consultant where he investigated major security breaches all over the world. As a long-standing security practitioner, Mathias brings experience from real-world cases into the curriculum. Before working for Mandiant, Mathias held the position of Lead Security Architect in the largest service line of T-Systems (Deutsche Telekom Group) while working in tandem as a security consultant for international clients in the telecommunications, automotive, pharmaceutical, and petrol industries. As a security consultant, his main focus areas are Penetration Testing and Incident Response, which he sees as two sides of the same coin. In his rare spare time, Mathias likes to fly over the Alps in small airplanes, snowboard, and volunteer as a paramedic for the local ambulance service.
"Mathias is such a great instructor; he explains things in a simple way and he has a lot of anecdotes to share." - Cyril Righi
"Knows what he is talking about, real life examples." - Guy Snellinx
Jess Garcia is the founder and technical lead of One eSecurity, a global Information Security company specialised in Incident Response and Digital Forensics.
With nearly 20 years in the field, and as an active researcher in the area of innovation for Digital Forensics, Incident Response, and Malware Analysis, Jess is today an internationally recognised Digital Forensics and Cybersecurity expert, having led the response and forensic investigation of some of the world's biggest incidents in recent times.
In his career Jess has worked on a myriad of highly sensitive projects with top global customers in sectors such as financial and insurance, corporate, media, health, communications, law firms, and government, as well as in other Cybersecurity areas such as Security Architecture Design and Review, Penetration Tests, and Vulnerability Assessments.
A Principal SANS Instructor with almost 15 years of SANS instructing experience, Jess is also a regular invited speaker at Security and DFIR conferences worldwide.
Previously, Jess worked for 10 years as a systems, network and security engineer in the Spanish Space Agency, where he collaborated as a security advisor with the European Space Agency, NASA, and other international organisations.
Jess holds a Master of Science in Telecommunications Engineering and Computer Science from the Univ. Politecnica de Madrid.
For Phil Hagen, a career in information security chose him even before the movies War Games and Sneakers spurred his broader interest in the field. Phil has been captivated since the early days, working on information security projects since the mid-1990s, but networking grabbed his attention even before that.
"Since installing a 2400bps modem into an Apple //e around 1988, every computer I've used has been able to communicate with others," he says. "Of course the systems themselves are becoming more and more varied, making network analysis a critical component of the investigative process today."
Phil began his studies at the U.S. Air Force Academy's Computer Science Department, where he focused on network security and was an inaugural member of the computer security extracurricular group. He served in the Air Force as a communications officer at Beale AFB and the Pentagon. In 2003, Phil moved over to a position with a government contractor, providing technical services for various IT and information security projects.
Today, Phil's career has spanned the full attack life cycle - tool development, deployment, operations, and the investigative aftermath - giving him rare and deep insight into the artifacts left behind. Phil has covered deep technical tasks, managed an entire computer forensic services portfolio, and handled executive responsibilities. He's supported systems that demanded 24x7x365 functionality, managed a team of 85 computer forensic professionals in the national security sector, and provided forensic consulting services for law enforcement, government, and commercial clients. All of that brings Phil to his role today as the DFIR strategist at Red Canary, where he supports the firm's managed threat detection service.
Phil is also a certified instructor for the SANS Institute, and is the course lead and author of FOR572: Advanced Network Forensics and Analysis. This six-day course provides a hands-on curriculum to learn the skills necessary to perform investigations of network-based incidents, where the hard drives or memory of compromised systems are often missing.
"In each class, I take care to explain the relevance of the concepts to cases I've worked and scenarios I've encountered in the past," says Phil. "In FOR572, our classwork and hands-on materials are all taken from real-world experiences and cases. Our week in class is jam-packed and we deliberately focus our attention on adversary behaviors that have been actively observed in the wild."
Phil also spends time developing and maintaining the SOF-ELK distribution, a virtual appliance that is preconfigured with the ELK stack (Elasticsearch, Logstash, and Kibana). "This takes a lot of time investment, but it's very rewarding to hear from the DFIR community at large when they've used SOF-ELK in their own environments and cases to boost efficiency and effectiveness," he says.
Phil has always been a mentor and teacher at heart, and his relationships with former colleagues and students constitute one of his biggest sources of professional pride. "In my previous job at a large defense contractor, I was responsible for managing the entire computer forensic division," says Phil. "The division consisted of many people in various critical roles, including an exceptional team of site managers that I relied heavily on. Years later, I still stay in touch with most of those managers and many other people from the overall team. They have all grown professionally and it's amazing to see what roles they've taken on. It's humbling to see so many people really pursue the trajectory they set for themselves so many years ago."
In one of his most exciting cases, Phil provided forensic examination and overall investigative support to a law enforcement case involving hundreds of millions of dollars of fraudulent transactions committed against victims around the world. The case lasted several years and involved more than a hundred pieces of media from 10 countries, as well as numerous operating systems, filesystems, and criminal actors. With the ultimate arrest of two subjects high up in the organizational "food chain", the investigative team succeeded in completely decapitating the fraudulent scheme itself, thanks to having comprehensively scoped the architecture the actors used.
When he's not cyber-sleuthing and mentoring students, Phil is an avid runner who has completed two half-marathons and dozens of 5k and 10k races. He tries to run every other day even when he's teaching in order to keep his thoughts clear and his brain geared up. "I get 'rungry' (run hungry) when I skip a day," he says. Phil also enjoys craft beer because of the passion and creativity that today's craft brewers put into their product. Wherever he travels he searches out the local favorite to sample.
- More than 18 years of experience in the information security world
- Course lead and co-author of FOR572, Advanced Network Forensics and Analysis
- Developer of the SOF-ELK distribution
Get to Know Phil Hagen:
- Phil's blog
- Phil's GitHub
- Listen to Phil's SANS DFIR webcast "FOR572 Course Update from the Future: Where We're Going, We Don't Need Roads"
- Listen to Phil's SANS DFIR webcast "DNS Evidence: You Don't Know What You're Missing"
- Learn more about Phil's background and his FOR572 course in this video.
- Listen to Phil talk about the latest updates to the SOF-ELK Distribution in The Forensic Lunch with David Cowen
Here's What Students Are Saying about SANS Certified Instructor Philip Hagen:
- "Philip's speaking style draws you in and he's very personable. Useful tools and nice tour of technology which I was not previously aware of." - Frank J. Quinn
- "Even by SANS standards, Phil clearly 'goes the extra mile' in depth of information, especially on exercises." - Dai Morgan, Visa Europe
- "I really like how Phil incorporates real-life examples into the material. It really helps me visualize it!" - Ryan Nelson, Motorola
SANS Instructor Endorsements:
"Phil Hagen and I have worked very closely together for many years. His understanding of networks, underlying technology, and hacker techniques was critical to many operational successes. Phil managed to begin leading several key operational components while at a defense and intelligence community contractor and was soon running the division with over 85 employees and contracts totaling tens of millions of dollars. Phil has never lost his technical edge and was a key asset while working directly with federal law enforcement tracking organized criminals using cyber as a way to commit financial and credit card attacks." - Rob Lee, SANS Fellow and DFIR Curriculum Lead
"Phil is an incredibly gifted author, instructor, and member of the DFIR team! He is well versed in networking protocols and principles, investigative methodology, and advanced analytical techniques. Phil's teaching skills come from his deep experience in supporting military, government agencies, and Fortune 500 clients over the many years of work in information security. He is able to establish a great rapport with his students and delivers the high-quality classroom experience that SANS attendees have come to appreciate." - Heather Mahalik, Senior Instructor and FOR585 Course Lead
Paul A. Henry
Paul Henry is a Senior Instructor with the SANS Institute and one of the world's foremost global information security and computer forensic experts with more than 30 years of experience covering all 10 domains of network security. Paul began his career in critical infrastructure / process control supporting power generation and currently manages security initiatives and incident response for Global 2000 enterprises and government organizations worldwide.
Paul is a principal at vNet Security, LLC and is keeping a finger on the pulse of network security as the security and forensic analyst at Lumension Security and as a retained security expert for multiple financial and healthcare firms.
Throughout his career, Paul has played a key strategic role in launching new network security initiatives to meet our ever-changing threat landscape. Paul also advises and consults on some of the world's most challenging and high-risk information security projects, including the National Banking System in Saudi Arabia, the Reserve Bank of Australia, the Department of Defense's Satellite Data Project (USA), and both government as well as telecommunications projects throughout Southeast Asia.
Paul is frequently cited by major and trade print publications as an expert in perimeter security, incident response / computer forensics and general security trends and serves as an expert commentator for network broadcast outlets, such as FOX, NBC, CNN, and CNBC. In addition, Paul regularly authors thought leadership articles on technical security issues, and his expertise and insight help shape the editorial direction of key security publications, such as the Information Security Management Handbook, where he is a consistent contributor. Paul serves as a featured and keynote speaker at seminars and conferences worldwide, delivering presentations on diverse topics including anti-forensics, network access control, cyber crime, DDoS attack risk mitigation, perimeter security, and incident response.
Listen to Paul discuss "Incident Response and Forensics in the Cloud" in this SANS webcast that every DFIR professional should listen to.
Ryan Johnson
As a globe-trotting cyber sleuth, Ryan Johnson is always looking to find the bad guy, and to share his enthusiasm and knowledge about digital forensics along the way. Ryan started out performing digital forensic exams for local law enforcement in Durham, N.C., assisting in homicide, fraud, narcotics, and child exploitation cases. He quickly saw the importance of digital evidence in ensuring that guilty parties are held accountable and innocent parties go free.
That work led Ryan to join a team of media exploitation analysts working for the U.S. Army in Iraq. During his year in Iraq he helped gather actionable intelligence, streamline processes, and enhance equipment resources for in-country teams. When he returned stateside, Ryan began to work on computer intrusion cases. Since then he's traveled the globe teaching digital forensics for the U.S. State Department's Anti-Terrorism Assistance Program and served as a digital forensics analyst and consultant. Ryan co-authored several of the State Department's digital forensics courses as well as the book Mastering Windows Network Forensics and Investigation, Second Edition.
Today, with more than 12 years of experience in digital forensics investigations, incident response, network forensics, and vulnerability assessments, Ryan teaches the FOR572: Advanced Network Forensics and Analysis course for SANS.
"My favorite part of teaching for SANS, other than meeting some really cool students, is that I get to hear different perspectives and approaches to all the areas we talk about in class," says Ryan. "There's not been one class where I have not learned something from our students, and those nuggets of gold help me be a better practitioner and a better instructor."
Ryan also currently serves as the Global Head of CSIRT at PricewaterhouseCoopers, where he leads the response, readiness and investigations functions. In addition, based on his background, practical forensic experience, and government clearance, Ryan has been regularly called upon to train U.S.-based government departments, international governments, and corporations in the areas of network and digital forensics.
Ryan earned a Master's of Science degree from Dalhousie University and two Bachelor's degrees from Queen's University. He has taught college students, professionals, law enforcement, attorneys, and judges. Ryan knows that teaching the process, not the tool, is what gives students information they can put into practice outside of the classroom, and he works tirelessly to ensure every student understands the concepts he's teaching.
"I do my best to come up with unique ways to explain or relate information to people from different backgrounds and experience levels," he explains. "I've explained concepts using analogies like the 'paint can method' for understanding Diffie-Hellman key exchanges, and a water pitcher and a glass to explain buffer overflows, inadvertently shorting out a computer at the same time! I don't like to stop until I see the light bulbs go on, so my classes aren't your typical 'download' sessions."
When he's not investigating, teaching, or traveling the world, Ryan uses part of his free time to delve into another of his passions, which is research.
"My research interests involve traffic analysis and potential subversion of IoT devices, specifically the ones I have in my house!" he says. At home, you might find Ryan playing with his kids, making dinner for the family, and brewing small batches of beer. And while he'd like more time for actual brewing, he always finds opportunities to make the process more tech-savvy, like building new controllers for his beer brewing setup!
- More than 12 years of experience in digital forensics investigations, incident response, network forensics, and vulnerability assessments.
- Co-author of the book Mastering Windows Network Forensics and Investigation, Second Edition.
Get to Know Ryan Johnson:
- Read Ryan's blog post on "The Future of Digital Forensics"
- GIAC Certified Network Forensics Analyst (GNFA)
- Certified Information Systems Security Professional (CISSP)
- GIAC Certified Incident Handler (GCIH)
- Member of the SANS Advisory Board
- Listen to Ryan discuss Network Forensics as a guest speaker alongside Phil Hagen on the DNS Evidence: You Don't Know What You're Missing webcast
- Read Ryan's October Editorial Edition of the SANS OUCH! Newsletter
Here's what students are saying about SANS Instructor Ryan Johnson:
- "Great instructor, keeps attention and presents with authority & knowledge." - Paul Mobley
- "Great time, pacing, humor, and most importantly knowledge" - SANS Boston 2016, FOR572 attendee
- "The instructor is Awesome! He was able to articulate and accommodate the entire class regardless of knowledge base. He engages the class and comes prepared to every class. Thus far being the best instructor we have had in this course. I would recommend him to anyone taking FOR572." - Fort Gordon, FOR572 attendee
Nick Klein
Nick is the Director of Klein & Co. Computer Forensics, the leading independent computer forensic team from Sydney, Australia. He has over fifteen years of IT experience, specialising in forensic technology investigations and presenting expert evidence in legal and other proceedings. Nick and his team have been engaged as experts in hundreds of cases including commercial litigation and electronic discovery, criminal prosecution and defence, financial fraud, corruption, employee misconduct, theft of intellectual property, computer hacking and system intrusion.
He was previously a senior director in Deloitte Forensic and a team leader in the High Tech Crime Team of the Australian Federal Police, where he worked on international police investigations and intelligence operations including counter terrorism, online child abuse, computer hacking, and traditional crimes facilitated by new technologies.
Nick has presented expert evidence in civil and criminal matters in Australia and overseas, including providing expert testimony in the Bali bombing trials in Indonesia in 2003. He has appeared before Australian State and Commonwealth Parliamentary Committees and participated in Government working groups on cybercrime issues including the Fraud Taskforce of the Australian Banking Association and the Critical Infrastructure Protection forum of the Australian Commonwealth Government. Nick is a regular presenter at industry forums and a guest lecturer at several institutions including the School of Law at the University of New South Wales and the Centre for Transnational Crime Prevention, Faculty of Law at the University of Wollongong.
Listen to Nick discuss methods to reconstruct evidence subjected to anti-forensics in a critical case, a talk all DFIR professionals should listen to.
Robert M. Lee
Robert M. Lee is the CEO and Founder of Dragos Security LLC, a critical infrastructure cybersecurity company, where he pursues his passion for control system traffic analysis, incident response, and threat intelligence research.
Rob is a SANS Certified Instructor, the course author of SANS ICS515 - "Active Defense and Incident Response," and the co-author of SANS FOR578 - "Cyber Threat Intelligence." He is also a non-resident National Cyber Security Fellow at New America focusing on policy issues relating to the cybersecurity of critical infrastructure, and a PhD candidate at King's College London. For his research and focus areas, he was named one of Passcode's Influencers and awarded EnergySec's 2015 Cyber Security Professional of the Year. Rob was also named to the 2016 class of Forbes "30 Under 30" for Enterprise Technology as one of "the brightest entrepreneurs, breakout talents, and change agents" in the sector.
Robert got his start in cybersecurity serving as a Cyber Warfare Operations Officer in the U.S. Air Force. He has performed defense, intelligence, and attack missions in various government organizations, including the establishment of a first-of-its-kind ICS/SCADA cyber threat intelligence and intrusion analysis mission. Robert routinely writes articles in publications such as Control Engineering and the Christian Science Monitor's Passcode and speaks at conferences around the world. Lastly, Robert is the author of the book "SCADA and Me" and the weekly web-comic Little Bobby.
"Real-world practical insight and the technical skills and tools to create meaningful change." - Billy Glen, Pacific Gas & Electric
"Great teaching style - humor - keeps the atmosphere light." - Tim Sanguinett, NCPA
"Good pace, kept things moving, stayed enthusiastic the entire day." - Michael Nowatkowsk, Army Cyber Institute
Heather Mahalik
To say that digital forensics is central to Heather Mahalik's life is quite the understatement. Heather has worked on high-stress and high-profile cases, investigating everything from child exploitation to Osama Bin Laden's media. She has helped law enforcement, eDiscovery firms, and the federal government extract and manually decode artifacts used in solving investigations around the world. All told she has more than 14 years of experience in digital forensics, including eight years focused on mobile forensics - there's hardly a device or platform she hasn't researched or examined or a commercial tool she hasn't used.
These days Heather is the Director of Forensic Engineering at ManTech CARD. At the SANS Institute she is a senior instructor and the course lead for FOR585: Advanced Smartphone Forensics. As if that isn't a full enough schedule, Heather also maintains www.smarterforensics.com, where she blogs and hosts work from the digital forensics community. She is the co-author of Practical Mobile Forensics (1st and 2nd editions), currently a best seller from Packt Publishing, and the technical editor for Learning Android Forensics from Packt Publishing.
Heather is passionate about digital forensics because she loves always having to learn something new. "This field moves so quickly. It is literally impossible to get bored," she says. "If you find yourself bored, branch into another realm of digital forensics. The possibilities are endless and so is the fun! I love digging for artifacts and solving the puzzle."
Heather particularly likes working on mobile and third-party applications, a focus of her work. "I love cracking and hacking into apps that are supposed to be secure," she explains.
She cites her role as a SANS instructor as one of the most fulfilling achievements of her career. Heather loves it when students reach out to tell her that, thanks to her course, they put a criminal away for many years. As she says: "Nothing compares to knowing that the effort you put into writing and maintaining a course makes the world a better and safer place. SANS gives me the opportunity to share that with others."
Heather's background in digital forensics and e-discovery covers smartphone, mobile device, and Windows forensics, including acquisition, analysis, advanced exploitation, vulnerability discovery, malware analysis, application reverse-engineering, and manual decoding, as well as instruction on mobile devices, smartphones, and computers covering Windows, Linux and Macintosh operating systems.
What's her favorite topic to teach from that impressive résumé? "Decrypting and decoding the unparsed data!" she says. "I spend almost 90 percent of my day job trying to crack into the tough stuff, and my experience naturally flows into the classroom."
Heather previously led the mobile device team for Basis Technology, where she focused on mobile device exploitation in support of the federal government. She also worked as a forensic examiner at Stroz Friedberg and the U.S. State Department Computer Investigations and Forensics Lab, where she handled a number of high-profile cases. She has also developed and implemented forensic training programs and standard operating procedures.
Outside of work, Heather puts her passions into being a mom, cooking, reading, riding her horse, and drinking fine wine and bourbon.
Summary of Qualifications:
- 14+ years of experience in digital forensics, with eight years focused on mobile forensics
- Co-author of Practical Mobile Forensics (1st and 2nd editions), currently a best seller from Packt Publishing.
- Co-author of the SANS Advanced Smartphone Forensics Poster.
Get to Know Heather Mahalik:
- Heather's blog
- Australian Women in Security Network blog interview
- Interview with Paul's Security Weekly
- Listen to Heather's webcast "iPhone Forensics - Separating the Facts from Fiction. A Technical Autopsy of the Apple/FBI Debate"
- Listen to Heather's webcast "To Trust or Not to Trust: The Relationship Between You and Your Mobile Forensics Tools"
- Listen to Heather's webcast "Smartphone Forensics Moves Fast. Stay Current or You May Miss Relevant Evidence!"
Here's what students are saying about SANS Senior Instructor Heather Mahalik:
- "I have been working with phones since 2009, and Heather very casually showed me how much I don't know. Excellent!" - Harbin Combee, Metropolitan Police Department, Washington, DC
- "I am learning so much, it's exciting. Heather is an excellent instructor. Very smart. Knows her stuff." - Tris Matthews, Goodhue County Sheriff's Office
- "Heather is a great instructor. The only downside will be not being able to bring her back to my office so we can pick her brain every day!" - C. McCollom, Clark County Sheriff's Office
- "Smartphone Forensics course is the only unbiased course in the world for mobile forensics, it is for those who really want to take their skill to the next level and go beyond what their vendor/tool gives them. Heather is an incredible instructor, regarding mobile forensics, she knows it." - David Bernal, SCTIUM
SANS Instructor Endorsements:
"Heather's cool demeanor and patience with her students shows across the board. Her expertise shows in her passion for teaching and her interactions with her students. Her work and connections in government space save lives and are critically important to our nation's security. I feel very fortunate to have her as part of our DFIR instructor family." - Rob Lee, SANS Fellow and DFIR Curriculum Lead
"Heather is one of the most knowledgeable and engaging instructors I've ever had the chance to learn from, let alone work with. Her ability to present complex topics at an understandable level without compromising the technical details is amazing. In the classroom, she brings the concepts home with extensive real-world experience - you'll never wonder why a topic is getting coverage - it's because you also know the impact to prior casework. Whether you take one of Heather's classes live in person, live online, or via recording, you'll get a solid learning experience." - Phil Hagen, FOR572 author and Certified Instructor
Cindy Murphy
Cindy Murphy served in law enforcement for more than thirty years. For twenty-five of those years, she worked at the Madison Police Department (MPD) in Wisconsin. While at MPD, she had the opportunity to serve as a detective and as a certified digital forensics examiner for over seventeen years. During her time as an investigator, she saw firsthand the emergence of mobile devices as the primary source of evidence in investigations. This pushed her to grow into the mobile forensics expert she is today and enabled her to co-author the SANS FOR585 Advanced Smartphone Forensics course. Just recently, Cindy took a leave of absence from the Madison Police Department to launch Gillware Digital Forensics, where she is co-owner and serves as president and lead examiner. As a life-long police officer, Cindy knows the transition from the public sector to the private sector will present new challenges, but she's looking forward to broadening her professional experience even further, which will benefit both Cindy and her students.
Throughout her career, Cindy has always looked for opportunities to help in meaningful ways. In one recent case, experts spent a year trying to unlock the phone of a 16-year-old girl who was killed in a tragic traffic accident. As the family prepared to spread the girl's ashes in a ceremony a year after her death, Cindy was given the victim's locked phone. She was able to unlock it, enabling the family to see their daughter's last photos. The family sent Cindy a thank you note that said: "We so appreciate this opportunity you've given us to hold onto a piece of our daughter's life we were sure was lost to us."
Digital devices have a huge impact in our world today, and Cindy believes mobile phones have become the diaries of people's lives. That's why mobile forensics is such a vital field. A thorough knowledge of these devices is thus crucial to investigations, since they can provide indispensable evidence that law enforcement can't afford to miss. Cindy knows the tools and programs that support digital forensics, has trained officers how to handle cell phone evidence, and knows how to take care of herself and others when working through tough cases like child pornography. Her extensive experience has given her both the real-world experience and the foundation in training that it takes to excel in the mobile forensics field and share her knowledge with others.
Cindy has been teaching digital forensics since 2002. In 2006, she helped develop the curriculum for a certificate program at Madison Area Technical College. Cindy has served as guest faculty for the National District Attorneys Association, testified as a computer forensics expert in state and federal court on numerous occasions, presented internationally on digital forensics topics, and written frequent articles and whitepapers. She has a Master of Science degree in forensic computing and cybercrime investigation from University College Dublin. Cindy is also a military veteran, a mother, an activist in defense of First Amendment rights, a musician (banjo, cello, tenor guitar, mandolin, and ukulele), and a Brittany Spaniel enthusiast.
Here's What Students Are Saying about SANS Certified Instructor Cindy Murphy:
"Cindy Murphy is a force to be reckoned with! Very happy I signed up for this class." - Reza Z., DirectTV
"Cindy is Awesome! She fully understands what is happening in the field and how to do our job better." - John P., Shell Oil
"Good, real-world experience. Clearly, Cindy has been there, done that." - Chris Mallow, University of Oklahoma
"Cindy has told me multiple times that teaching others how to do this job was some of the most rewarding work that she can do. Cindy truly believes that her material, instruction, and experience could make a difference in helping stop bad guys around the world. She gets how important the role of our work is in developing additional investigators and responders in law enforcement, media exploitation, and information security fields." - Rob Lee, SANS Fellow & DFIR Curriculum Lead
"Cindy is one of the most dedicated people in the field of digital forensics. She spends tireless hours making herself better at the trade and always gives back to the community through white papers, forensic instruction, conference speaking events, and now through SANS. Cindy is able to take her law enforcement experience and spin it in a way that dazzles the students with her stories and real-life experience. Anyone can speak to slides; Cindy can add value to the content and gives the material meaning." - Heather Mahalik, SANS Senior Instructor & FOR585 Advanced Smartphone Forensics Course Lead
- Over 30 years of law enforcement experience
- Digital forensics instructor for more than eight years
- FOR585 Advanced Smartphone Forensics course and author statement
Get to know Cindy Murphy:
- Cindy's blog
- Cindy's band website
- Cindy is also involved with the "Girl Tech" program at Madison Area Technical College teaching STEM subjects to middle school girls
- Listen to Cindy discuss Mobile Forensics in the recent webcast iPhone Forensics - Separating the Facts from Fiction. A Technical Autopsy of the Apple/FBI Debate.
- Cindy's DFIR interview
Mike Pilkington
Curiosity wins the day! That is Mike Pilkington's teaching philosophy, because from his perspective, you have to be inspired and excited about solving difficult cases if you want to be great at forensics. As Mike says, "you have to be willing to search for the answers that others can't or won't find." Mike's infectious enthusiasm for digital forensics comes through in his work, in his classes, and in his day-to-day life. It's clear that his hobby and his job are one and the same.
Mike has been an instructor for the SANS Institute since 2008. He currently teaches Windows Forensics In-Depth (FOR408) and Advanced Digital Forensics and Incident Response (FOR508). In addition to teaching, Mike is a dedicated researcher and has published numerous articles for the SANS Forensics Blog.
After spending much of his career as an analyst and incident responder for Halliburton, Mike recently joined the team at Shell. His background working in a large corporate environment gives him a unique perspective among SANS instructors. Mike is also a researcher at heart and will spend hours unraveling the answer to a complicated case or a question from a student. He'll delve deeply into forensic conundrums to identify the best solutions, and then document that knowledge to share with the digital forensics community.
In his current role as a senior incident analyst at Shell, Mike regularly deals with malware and intrusion cases. His work ranges from evaluating and implementing both commercial and open-source forensic tools to consulting with internal groups to resolve intrusions. He has accumulated a broad range of technical expertise, having spent significant time performing software quality assurance, Windows systems administration, LAN and WAN network administration, firewall and IDS/IPS security administration, computer forensic analysis, and incident response. As a forensic analyst, he worked numerous human resource investigations, including cases involving intellectual property theft, inappropriate use of the Internet, employee hacking, IT administrator privilege abuse, and illegal downloading of copyrighted materials.
Mike holds a bachelor's degree in mechanical engineering from the University of Texas, as well as numerous IT security certifications, including the CISSP, EnCE, GCFE, GCFA, and GREM.
- Deep background in corporate cybersecurity
- SANS instructor since 2008
- Professional qualifications: GCFA, GCFE, GREM, EnCE, CISSP
Get to Know Mike Pilkington:
- Mike's DFIR blog is available at https://digital-forensics.sans.org/blog/author/mpilkington
- Mike co-authored the SANS Forensics "Find Evil" poster
- Mike created an example forensics report for SANS FOR408 students (available upon request)
- In addition to regularly presenting six-day SANS forensics classes, Mike's additional speaking engagements include the SANS DFIR Summit, SANS conferences, MIRcon, ISSA, and HTCIA
Listen to Mike discuss Privileged Domain Account Protection: How to Limit Credentials Exposure in this SANS webcast.
Here's What Students Are Saying about SANS Certified Instructor Mike Pilkington:
"The level of detail and knowledge that Mike has is above excellent." - Oz Bogovac, JCI
"Once again, Mike's command-line knowledge really became valuable when we tried to stump him with questions. He knew everything!" - Mike DeZenzo, EY
"The instructor helps by sharing his knowledge in a way it can be understood by the student." - Joseph Selph, IBM
"Very knowledgeable." - William Martin, NYSP
"Mike's perspective is unique and extremely valuable to our instructor team. He sees things differently as a result of directly fighting adversaries in his larger multinational corporate environment daily, and he isn't afraid to share his experiences with the class. Mike is also a researcher at heart, and his research has directly resulted in our material being updated, corrected, and expanded. It has made our courses at SANS the best and brimming full of information that make SANS truly on the 'cutting edge' and not just words we use in marketing." - Rob Lee, SANS Fellow
"Mike is accomplished, wicked smart, and very passionate about our field. He is that rare individual who doesn't just report a problem - he takes it upon himself to find a solution. As an example, Mike encountered a number of students during his early teaching engagements who were having difficulties grasping the fundamentals of report writing. He took it upon himself to create a sample report that could be shared among instructors. His SANS blog posts are some of my favorites, as he regularly takes it upon himself to look deeper into nagging forensic unknowns and document clever solutions." - Chad Tilbury, SANS Senior Instructor
"I have watched Mike present and have been thoroughly impressed with his smooth delivery, his ability to competently deliver highly technical material in a way that makes it easy for students to understand, and his ability to handle questions. Mike's background in IT brings a highly valuable perspective to the forensic program and inspires students." - Ovie Carroll, SANS Certified Instructor
Hal Pomeranz
"Sometimes there's a moment in a case where I find a crucial piece of evidence hidden away where not many investigators would think to look. And I think to myself, 'I'm glad I was the one to work on this case, because this finding was important.' That's how I know I'm in the right field." ~ Hal Pomeranz
Hal Pomeranz is an independent digital forensic investigator who has consulted on cases ranging from intellectual property theft, to employee sabotage, to organized cybercrime and malicious software infrastructures. He has worked with law enforcement agencies in the United States and Europe, and with global corporations.
While perfectly at home in the Windows and Mac forensics world, Hal is a recognized expert in the analysis of Linux and Unix systems, and has made key contributions in this domain. His EXT3 file recovery tools are used by investigators worldwide. His research on EXT4 file system forensics provided a basis for the development of open source forensic support for this file system. Hal has also contributed a popular tool for automating Linux memory acquisition and analysis. But Hal is fundamentally a practitioner, and that's what drives his research. His EXT3 file recovery tools were the direct result of an investigation, recovering data that led to multiple indictments and successful prosecutions.
Raised in the Open Source tradition, Hal shares his most productive tools and techniques with the community via his GitHub and blogging activity. And nobody can show you how to forensicate with Open Source tools like Hal!
Hal is a SANS Faculty Fellow and the creator and primary instructor for the Securing Linux/Unix (SEC506) course. In the SANS DFIR curriculum he teaches Advanced Digital Forensics, Incident Response, and Threat Hunting (FOR508), Advanced Network Forensics and Analysis (FOR572), Mac Forensics Analysis (FOR518), and Reverse-Engineering Malware: Malware Analysis Tools and Techniques (FOR610). Hal holds the GIAC certifications corresponding to these courses: GCUX, GCFA, GNFA, and GREM.
Hal is a regular contributor to the SANS Digital Forensics and Incident Response blog and co-author of the Command Line Kung Fu blog. He's a former board member for USENIX, BayLISA and BackBayLISA; former technical editor for Sys Admin Magazine; and a respected author and highly rated instructor at industry gatherings worldwide. Hal is an avid baseball fan, so in the summer you'll usually find him at his local minor league ballpark or catching up on major league games. He enjoys travel, theatre, and food (both cooking and eating), but his first priority is keeping up with the interests of his kids: Disney, gymnastics, Legos, and video games.
Get to Know Hal
- Over 25 years of industry experience
- Founder and Principal Consultant for Deer Run Associates
- GIAC Certified Forensic Analyst (GCFA), Network Forensic Analyst (GNFA), Malware Analyst (GREM), and Unix Administrator (GCUX)
- SANS Faculty Fellow and SANS' longest-tenured instructor
- Contributor to the SANS Digital Forensics and Incident Response blog
Learn more about Hal Pomeranz in this DFIR Hero interview on the SANS DFIR Blog.
Here's What Students Are Saying about SANS Certified Instructor Hal Pomeranz:
"Great intro to malware analysis. Hal Pomeranz, instructor, was extremely knowledgeable on the subject. Highly recommended." - Jonathon Hinson, Duke Energy
"Hal is one of the finest instructors I've ever had the pleasure the take a class from. He possesses the rare ability to bring information on cutting edge techniques to the classroom and present it in a way that makes his students comfortable with these techniques as if they were old hat." - Chris Calabrese, Medco Health Solutions, Inc.
Listen to Hal discuss Incident Response Event Log Analysis.
Scott J Roberts is an incident responder, manager, and developer at GitHub, the world's code collaborative development platform. Scott has worked major investigations involving criminal fraud and abuse and nation-state espionage while with Symantec, Mandiant, and others. He is a sought-after speaker, having presented on threat intelligence and incident response for SANS, Silicon Valley, and various BSides. He is an author of O'Reilly's upcoming Intelligence Driven Incident Response. Scott is also a member of the SANS CTI Summit and NYU Poly CSAW advisory boards.
Anuj Soni initially pursued a career fighting cybercrime for the thrill of the hunt.
"The rush of tracking bad guys and gals, uncovering their tools, and understanding their motives is just way too fun," he says. "I simply can't get enough of it."
These days, Anuj feeds his passion for technical analysis through his role as a Senior Threat Researcher at Cylance, where he performs malware research and reverse engineering. Anuj also brings his problem-solving abilities to his position as a SANS Certified Instructor, which gives him the opportunity to impart his deep technical knowledge and practical skills to students. When teaching SANS classes Reverse-Engineering Malware (FOR610) and Advanced Digital Forensics and Incident Response (FOR508), Anuj emphasizes establishing goals for analysis, creating and following a process, and prioritizing tasks.
"Tools come and go, but if you develop a process that works for you and are patient with yourself, creativity will flow," he says. "Automate what can be automated and enjoy working through the hard stuff," that is, the actual analysis.
Since entering the information security field in 2005, Anuj has performed numerous intrusion investigations to help government and commercial clients mitigate attacks against the enterprise. His malware hunting and technical analysis skills have resulted in the successful identification, containment, and remediation of multiple threat actor groups. Anuj has analyzed hundreds of malware samples to assess function, purpose, and impact, and his recommendations have improved the security posture of numerous organizations. Highly sought after as a technical thought leader and adviser, Anuj excels not only in delivering rigorous forensic analysis, but also in process development, knowledge management, and team leadership to accelerate incident response efforts.
In addition to teaching SANS courses, Anuj frequently presents at industry events such as the U.S. Cyber Crime Conference, SANS DFIR Summit, and the Computer and Enterprise Investigations Conference (CEIC). He has bachelor's and master's degrees from Carnegie Mellon University and holds certifications in GIAC Reverse Engineering Malware (GREM) and as an EnCase Certified Examiner (EnCE) and Certified Information Systems Security Professional (CISSP).
When not consumed by the excitement of his day job, Anuj spends time with his growing family and enjoys photography, hitting the gym, and mixing up creative cocktails.
- More than a decade of experience performing forensic, malware, and network analysis.
Get to Know Anuj Soni:
- Check out Anuj's blog at https://malwology.com/
- Listen to Anuj discuss "Closing the Door on Webshells" in this SANS webcast that every DFIR professional should hear.
- View Anuj's recent interview at the SANS Cyber Defense Initiative event in Washington, DC.
Here's What Students Are Saying about SANS Certified Instructor Anuj Soni:
- "Anuj is by far the most upbeat instructor. The excitement in class is infectious." - Divyashree Joshi, DIRECTV LLC
- "I value the time Anuj takes to make sure each student is progressing." - Shaun Gatherum, NuScale Power
- "He's very well spoken and very knowledgeable. He kept us on task and any sidebars were related to info being taught." - Ryan Gibson, Qualcomm
"Anuj's technical achievements are outstanding. As an expert in the field, he works on some really critical areas for the government, but he still has time to write for the SANS DFIR blog, tweet, and provide suggestions to improve courses. Anuj's teaching style is extremely engaging and easily shows his love of the material. He is one of our highest rated instructors." - Rob Lee, DFIR Curriculum Lead
"I've had the opportunity to see and hear Anuj share his knowledge of malware, incident response and forensics with attendees at several SANS events. Not only does he have deep expertise in these areas, he is also a wonderful teacher. His presentation style, the manner in which he breaks down difficult concepts, and his overall demeanor resonate strongly with his listeners. Even when he covered challenging techniques, students could not escape the grip of his logic and clarity of his explanation. It shows Anuj's inherent talents as an instructor." - Lenny Zeltser, SANS Senior Instructor
"The real voyage of discovery consists not in seeing new sights, but in looking with new eyes." - Proust
This favorite quote of Chad Tilbury has proven to be a recurrent theme throughout his career. When Chad attended the U.S. Air Force Academy, his interest was piqued early on by the thrill and challenge of engaging adversaries in new domains. Chad grew up enthralled by spy novels, so battling real spies with counter-espionage techniques was particularly appealing. A career in computer crime investigations was the perfect fit.
Chad has nearly 20 years of experience working with government agencies, defense contractors, and Fortune 500 companies. And his case list looks like it's been pulled straight from those spy novels he grew up reading: murder, abduction, espionage, fraud, hacking, intellectual property theft, child exploitation, terrorism, and computer intrusions.
He has served as a Special Agent with the Air Force Office of Special Investigations, where he investigated and conducted computer forensics for a variety of crimes and ushered counter-espionage techniques into the digital age. Chad has also led international forensic teams and was selected to provide computer forensic support to the United Nations Weapons Inspection Team.
In addition, Chad has worked as a computer security engineer and forensic lead for a major defense contractor and served as the vice president of worldwide Internet enforcement for the Motion Picture Association of America. In that role, he managed Internet anti-piracy operations for the seven major Hollywood studios in over 60 countries.
"With so many different skills and cultural perspectives on that team, I learned more about the dark underpinnings of the Internet than I ever could have imagined," says Chad.
Today, Chad brings his wealth of experience to his role as technical director at CrowdStrike, where he specializes in incident response, corporate espionage, and computer forensics. Here at SANS, Chad is a senior instructor and co-author for two six-day courses: FOR408: Windows Forensics, which focuses on the core skills required to become a certified forensic practitioner, and FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting, which teaches sophisticated computer intrusion analysis and advanced threat hunting techniques.
Chad's experience brings immeasurable depth to his classes. He focuses not only on tools and techniques, but also on understanding how those artifacts can be used to prove or disprove questions students are asked to investigate in their daily jobs. As Chad says, "Forensics is both an art and a science, and I find that hearing about real-world applications provides new perspectives and can help unlock a student's ability to think unconventionally."
Chad keeps his class goals simple: teach and lead discussions on the most important topics and make sure students have as much time as possible to work on the exercises. "I'm a big believer in hands-on learning," he says, "and we work hard to ensure the exercises in our classes are as realistic as possible. When students put all the pieces of a forensic investigation together themselves, it leads to those 'aha' moments that are so valuable."
The methodologies Chad teaches in his courses are the same ones he has used successfully on countless examinations. "Our exercises are months in the making, and provide realistic, real-world evidence samples on which to practice," says Chad. "I have had numerous students report going back to their teams, blowing them away with a new technique, and promptly becoming the trainer themselves."
One of Chad's most memorable experiences in the classroom brought that immediacy of techniques to a whole new level.
"I was teaching some of my latest research on browser artifacts, recently added to the FOR408 class. Research showed that a specific browser database could be missing a day or more of information if not properly handled. There happened to be a law enforcement officer in class who was investigating a murder, and in his examination of the suspect's computer he had noted missing data during a critical 24-hour period. From our class discussion, the officer now had a tool and technique to recover the missing data in his case. Not surprisingly, he left class early!"
In addition to being a graduate of the U.S. Air Force Academy, Chad holds B.S. and M.S. degrees in computer science, as well as GCFA, GCIH, GREM, and EnCE certifications.
In his free time, Chad loves to travel and takes full advantage of the unique destinations his career takes him. He spends much of his time at home mountain biking, skiing, snowboarding, and mountaineering. Chad recently took a ski mountaineering trip to Antarctica, about as far away from a Wi-Fi signal as you can get!
- Nearly 20 years of experience working with government agencies, defense contractors, and Fortune 500 companies on a wide variety of cases
- Senior instructor and course co-author for SANS Forensics 408: Windows Forensics and SANS Forensics 508: Advanced Digital Forensics, Incident Response, and Threat Hunting
Get to Know Chad Tilbury
- Chad's blog
- Watch Chad's Geolocation Forensics webcast for SANS
- Explore PowerShell investigations with Chad's What Malware? Hunting Command Line Activity webcast
- "Chad Tilbury is hands down the best instructor that I ever had in my 20 years of military service. Excellent job. Very relevant and up-to-date. An industry leader in this field." - Dannie Walters, U.S. Army
- "Chad's real-world examples are a key part of the training. It really helps to have a knowledgeable instructor who currently works in the industry." - Roger Szulc, MDA
- "I had the immense pleasure of learning from Chad during the SANS Computer Forensics and Investigation course. Chad's ability to break down complex, technically challenging topics and teach them in an understandable manner is second to none. He has helped countless numbers of people including myself gain the GCFA certificate and I wholeheartedly believe he is a true asset to any organization." - Ali Emirlioglu, Senior Security Operations Analyst at Datacom TSS
Alissa Torres is an explorer at heart. Uncovering the full story of an attacker's exploits requires digging into known and unknown forensic artifacts, and this excavation is exactly what intrigues her. With more than 15 years of experience in computer and network security spanning government, academic, and corporate environments, Alissa has the deep experience and technical savvy to take on even the most difficult computer forensics challenges that come her way. Her current role as an Incident Response Advisor at Cargill provides daily challenges "in the trenches" and demands constant technical growth. Alissa is also founder of her own firm, Sibertor Forensics, and has taught internationally in more than 10 countries.
Memory forensics is a bleeding-edge field of Digital Forensics & Incident Response (DFIR), and Alissa is the lead author as well as an instructor of FOR526: Memory Forensics In-Depth and co-author of the SANS Memory Forensics Poster. She also teaches FOR408: Windows Forensic Analysis; FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting; and SEC504: Hacker Tools, Techniques, Exploits and Incident Handling.
Alissa was introduced to digital forensics during her four years of service in the U.S. Marine Corps. She moved on to various technical roles at KEYW Corporation, Northrop Grumman Information Systems, and as part of Mandiant's computer incident response team (MCIRT). Alissa has worked as an instructor at the U.S. Cyber Challenge Camps and at the Defense Cyber Investigations Training Academy (DCITA), delivering incident response and network basics to security professionals entering the forensics community. She is passionate about sharing knowledge, presenting annually at regional and national industry conferences and encouraging women's participation in science, technology, engineering, and math through regional outreach programs.
As both an investigator and instructor, Alissa has a constant and infectious desire to always learn more and question everything, an ethos embodied in the SANS DFIR classes. "Our curriculum ensures students gain an understanding of why an artifact matters and how the tools interpret the data," Alissa explains. An inquisitive nature can be the determining factor in investigative success, as Alissa learned when she identified a critical error in one of her team's web proxy timeline procedures. This discovery allowed for the correction of contractual fraud investigations involving the U.S. government. Sharing personal success stories like this one gives students real-world applications for the material they are learning and inspires them to evaluate and optimize their own investigative processes, whether in incident response, digital forensic investigations, or internal offensive reconnaissance.
As attackers learn how forensic investigators work, they become increasingly more sophisticated at leaving fewer traces behind. "We are in an arms race where the key difference is training," says Alissa. Toward that end, she encourages her students to ask more questions, grow the common body of knowledge, and make a difference in the digital forensics community. Her teaching style is best described as a type of "exposure therapy" that introduces concepts but then pushes students to get behind the keyboard and apply these concepts themselves.
Alissa's true passion is memory forensics, a rapidly evolving area of expertise for both attackers and defenders. As malware strives for a minimal footprint on the host, the battlefield exists in system memory. Alissa's students take the skills taught in FOR526 and move their investigations forward, in some cases even uncovering new details in their cases before the week-long class ends.
Alissa has a B.S. from the University of Virginia and an M.S. in information technology from the University of Maryland. She is a GIAC Certified Forensic Analyst (GCFA), and holds the GCFE, GCIH, GSEC, CISSP, and EnCE certifications. Alissa has served as a member of the GIAC Advisory Board since 2013 and was recognized by SC Magazine as one of its "2016 Women to Watch." Needless to say, she stays pretty busy. When not enmeshed in metadata and memory structures, Alissa catches every soccer game she can, cheering at her kids' games and scheming to attend matches of her favorite team, Everton. In what time she has left from constant cybersecurity vigilance, Alissa enjoys hiking in the Puerto Rican rain forest and scaling rocks at Big Sur.
- More than 15 years of experience in computer and network security
- Lead author of SANS FOR526: Memory Forensics In-Depth
- GIAC Advisory Board Member since January 2013
- Co-author of the Windows Memory Forensics Poster
- Listen to Alissa's webcast at: Know Normal, Find Evil Windows 10 Memory Forensics Overview.
- Read Alissa's white papers on the SANS IR Survey and Building a World Class SOC
- GIAC Security Essentials Certification (GSEC), June 2015
- GIAC Certified Incident Handler (GCIH), June 2014
- GIAC Reverse Engineering Malware (GREM), July 2013
- GIAC Certified Forensic Examiner (GCFE), January 2013
- Certified Forensic Computer Examiner (CFCE), December 2012
- GIAC Certified Penetration Tester (GPEN), July 2012
- GIAC Certified Forensic Analyst (GCFA), November 2011
- Certified Information Systems Security Professional (CISSP), December 2010
- EnCase Certified Examiner (EnCE), July 2010 - July 2019
This is what students are saying about SANS Certified Instructor and course author Alissa Torres:
"I love the energy of Alissa Torres' presentation style." - Scott S., US Govt.
"Alissa kept it interesting by pulling from her past experience and demonstrated great passion for the subject." - Matt Leach
"Alissa's teaching skills are remarkable - she is great." - Serge Tumba, GE Capital
"Fantastic - Energetic - Knowledgeable" - Dennis Mooney, Vanguard
"I highly recommend Alissa and SANS computer forensics courses. In April 2015 I attended the SANS Forensics 508: Advanced Digital Forensics and Incident Response (FOR508) course. I had high expectations for the course based on my team lead's recommendation. Alissa and the course exceeded my expectations. Alissa is an outstanding instructor, and SANS FOR508 was the best information security course I have attended. She mixed energy, knowledge, and experience to keep the content productive, relevant, and interesting. I look forward to attending more SANS courses instructed by Alissa." - Chad Rager, Computer Forensic Engineer at ManTech
"This course is known throughout the industry as THE advanced IR and Threat Hunting course. This combined with Alissa's awesome teaching style makes it worth every penny! Alissa's subject matter expertise, enthusiasm, and insights are second to none! Her personalized attention to simulcast viewers was particularly nice because it felt like we were part of the class." - Will Harmon, Trustwave
"Instructors like Alissa are why people keep coming back to SANS. Awesomeness and non-stop energy. She is one of my favorite instructors I've had from SANS, right up there with the likes of Ed Skoudis, John Strand, and Eric Cole. A brilliant presenter who keeps it fun, informative, and turns what other people could make sleep inducing, into non-stop engaging." - Eric Donaldson, Discover Financial Services
Dr. Johannes Ullrich
As Dean of Research for the SANS Technology Institute, Johannes is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. In 2000, he founded DShield.org, which is now the data collection engine behind the ISC. His work with the ISC has been widely recognized, and in 2004, Network World named him one of the 50 most powerful people in the networking industry. Prior to working for SANS, Johannes worked as a lead support engineer for a web development company and as a research physicist. Johannes holds a PhD in physics from SUNY Albany and is based in Jacksonville, Florida. His daily podcast summarizes current security news in a concise format.
Listen to Johannes discuss "HTML5: Risky Business or Hidden Security Tool Chest for Mobile Web App Authentication" in this SANS webcast.
"Johannes has an excellent teaching approach and did a great job of fighting the brain overload later in the day." - Brad Meyers, Molina Healthcare
"Excellent teaching style! Very knowledgeable, listens to questions, will keep explaining in different examples until you understand." - Lori Stockdale, NYISO
When a complex cyber attack put a private equity investment of more than $700 million on hold, the stakes couldn't have been higher. But that's exactly the kind of challenge that motivates Jake Williams, a computer science and information security expert, U.S. Army veteran, certified SANS instructor and co-author of FOR526: Memory Forensics In-Depth and FOR578: Cyber Threat Intelligence. To help mitigate the attack, Jake plied his information security expertise, discovered that not one but three different attackers had compromised the firm's network, and went about countering their moves.
Jake relishes the idea of meeting adversaries on the cyber battlefield. "I went into this field because I wanted a challenge," he says. "Infosec is like a game of chess to me. The attacker plays their moves and you play yours."
Jake started his information security career doing classified work with the U.S. government and was awarded the National Security Agency (NSA) Exceptional Civilian Service Award, which is given to fewer than 20 people annually. "I am immensely proud of the things I've accomplished," Jake says. "I'm positive the world is a safer place because of my work."
Today, Jake runs a successful Infosec consultancy. He's been involved in high-profile public sector cases including the malware analysis for the 2015 cyber attack on the Ukraine power grid. He's also tackled a variety of cases in the private sector. In one, Jake discovered attackers compromising a custom service the client had distributed to all its endpoints. Leveraging experience and insight with advanced persistent threats helped Jake "think like the attacker" and determine the attacker's likely hiding spots.
Jake's work has led to his invention of DropSmack, a proof-of-concept tool for highlighting the danger that cloud-based file sharing services pose to corporate networks, and the creation of ADD (Attention Deficit Disorder), a publicly-available memory anti-forensics toolkit.
Jake's work also led him to teaching. "I chose to be a SANS instructor because they are the very best in the business. Others talk about being the best, but SANS actually is the best," he says. "I love teaching people, but it goes beyond teaching for me. With many students, I'm making lasting professional relationships. Students come back again and again and have a lifelong learning relationship with SANS."
Jake teaches a variety of classes (SEC503, SEC504, SEC660, SEC760, FOR508, FOR526, FOR578, FOR610) and prefers an active learning approach, using demos rather than slides to teach lessons. "It takes me back to my first exploits and I get the chance to relive that magical feeling all over again," he explains.
More importantly, Jake wants students to walk out of class being able to critically analyze a problem, discover a solution, and do something they couldn't do before. "I don't teach button-clicking steps, my goal is to ensure students understand how to take concepts from the class and apply them to their own cases and engagements."
Given his accomplishments, it should come as no surprise that Jake lives, sleeps, and breathes Infosec. When he's not teaching, he's consulting. He's a regular speaker at industry conferences including DC3, BSides (including BSides Las Vegas), DEFCON, Blackhat, Shmoocon, EnFuse, ISSA Summits, ISACA Summits, SANS Summits, and Distributech. He has also presented security topics to a number of Fortune 100 executives.
Jake is also a two-time victor at the annual DC3 Digital Forensics Challenge. He drew on his passion for hands-on capture-the-flag events to design the critically acclaimed NetWars challenges for the SANS malware reversing and memory forensics courses.
- 12-year veteran of information security
- Instructor of eight SANS courses
- Prolific speaker
- Co-author of the SANS FOR526: Memory Forensics In-Depth and FOR578: Cyber Threat Intelligence courses
- GIAC Security Expert (GSE), March 2016
- GIAC Security Essentials Certification (GSEC), June 2015
- GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), March 2015
- GIAC Certified Forensic Analyst (GCFA), October 2013
- GIAC Penetration Tester (GPEN), January 2013
- GIAC Certified Incident Handler (GCIH), January 2013
- GIAC Certified Intrusion Analyst (GCIA), December 2012
- GIAC Certified Windows Security Administrator (GCWN), November 2012
- GIAC Reverse Engineering Malware (GREM), October 2012
- GIAC Certified Forensic Examiner (GCFE), September 2012
- GIAC Systems and Network Auditor (GSNA), February 2012
Get to Know Jake Williams:
Jake teaches the following courses for SANS:
- FOR578: Cyber Threat Intelligence
- FOR526: Memory Forensics In-Depth
- FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting
- SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
- FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
- SEC760: Advanced Exploit Development for Penetration Testers
- SEC504: Hacker Tools, Techniques, Exploits and Incident Handling
- SEC503: Intrusion Detection In-Depth
Here's What Students Are Saying about SANS Certified Instructor Jake Williams:
- "Jake's teaching style and practical experience totally make the course." - Andrew Nelson, Chevron
- "Jake is awesome! The experience is massive!" - Late Adodo Placca, iProcess International
- "Provides great balance between structured analytical approaches and technical analysis." - Ladell Marshall, Goldman Sachs
- "Jake goes off-book in a good way, sharing useful tools & information in addition to the already-included useful tools & info." - Robin Stuart, Salesforce
Aptly called the "Yoda" of malware analysis by his students, Lenny Zeltser keeps his eye on the big picture and focuses on the sum of events rather than individual occurrences. He lives by that philosophy and brings it to his job and classroom. "Even those professional moments that seem insignificant by themselves can be an important piece of the progressive journey that, hopefully, takes us toward our career objectives and honors our ideals," says Lenny. "And you may not even see the value in those moments until you look back on the path."
A seasoned business and technology leader with extensive information security expertise, Lenny started his professional journey in a variety of technical infosec roles before serving as the national lead of the U.S. security consulting practice at a major cloud services provider. Later in his career he oversaw a portfolio of security services at a Fortune 500 technology company. Today, as VP of Products at Minerva Labs, Lenny designs and builds creative anti-malware products. Lenny is also a senior instructor at SANS and the primary author of FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques, a course he designed as an on-ramp into the malware analysis field. The course helps students expand and systematize their approaches to examining malicious software using a variety of techniques.
"My goal is to make this topic as accessible to people as possible," says Lenny. "There is indeed much one needs to know to understand the inner workings of malicious code, but the good news is that people can begin learning how to do this work by building on the technical skills they already have, whether they are grounded in system administration, network security, software development or other aspects of IT."
Like many of his students, Lenny's career path began in an IT role, which lends unique strengths to his information security expertise.
"My first job in IT was Unix system administration, then I moved onto Windows sysadmin, and then I spent a bit of time on software development," Lenny explains. "I found myself gravitating toward the information security aspects of these jobs. For me, Infosec exists at the intersection of many disciplines, and working in this field allows me to make use of the skills and interests I've acquired across various aspects of IT."
Along the way, Lenny earned the prestigious GIAC Security Expert professional designation, and he currently serves on the Board of Directors of SANS Technology Institute. Lenny holds a bachelor's degree in computer science from the University of Pennsylvania and a master's in business administration from MIT Sloan.
A co-author of four books on malware, network security, and digital forensics, Lenny also developed the Linux toolkit REMnux to make it easier to use a variety of freely available malware analysis tools, many of which run well on Linux but can be difficult to find and install. REMnux has grown to become a very popular toolkit and today is used by malware analysts throughout the world. The FOR610 course that Lenny teaches covers many of the tools installed on REMnux.
Lenny gives his students more than technical tools, however, and he says that the most important lesson he teaches his students is: "You can do it."
"It's easy to get discouraged when you run into professional challenges that you're not equipped to handle," Lenny explains. "But when you participate in SANS training, you encounter many new tools and concepts that you will be able to attach to the techniques you already know from prior experience in the field. Much of what you learn will occur after you finish the course and begin applying the concepts to your work outside the classroom. I strive to give students the confidence and the core skills they need to keep learning about and curtailing malware threats even after the class ends."
In his free time, Lenny indulges his love of food both as chef and consumer. "Eating a delicious meal in good company is always time well spent for me," he says. Lenny also loves to cook as a way to clear his mind, disconnect from the day-to-day challenges of business and IT, and connect with family and friends. Lenny subscribes to several food and cooking magazines and enjoys experimenting with new recipes, ingredients, and spices. "Not everything I cook turns into a great dish; sometimes experiments lead towards unfavorable results, so I keep reminding myself to think about this process as a journey, not as a destination."
- Senior instructor and member of the Board of Directors at SANS
- VP of Products & Advisory Board Member at Minerva Labs
- Recipient of the GIAC Security Expert (GSE) professional designation
- Co-author of several books on information security, including: Malware: Fighting Malicious Code, Inside Network Perimeter Security: The Definitive Guide to Firewalls, VPNs, Routers, and Intrusion Detection Systems, and CyberForensics: Understanding Information Security Investigations
- Developed and maintains the REMnux Linux Distribution, a toolkit of free malware analysis tools that makes it easier to start analyzing malware
- Has worked in the information security industry for more than two decades
Get to Know Lenny Zeltser
- Lenny's personal website and blog
- Lenny's REMnux Linux toolkit
- Co-author of the SIFT Workstation & REMnux poster and security cheat sheets
- Presenter of introductory malware analysis webcasts
- Listen to Lenny's Reflections of a Security Professional: Podcast Interview
This is what students are saying about Senior Instructor Lenny Zeltser:
- "Lenny presented a wealth of knowledge, tied it together smoothly, and I am leaving with exponentially more knowledge." - David Werden, NGIS
- "Last week, myself and three of my associates attended SANS GREM training. Based on previous recommendations by prior students, we explicitly attended this session given Lenny was the instructor. As someone who has been responsible for development and delivery of training and education services, Lenny is the best instructor I have ever encountered in my professional life. His approachable demeanor, passion for the learning process, and empathy for his students was just as impressive as his mastery of the curriculum. This praise was unanimous among my three associates." - Colin Sheppard, Vice President of Cyber Security & Fraud, International at First Data Corporation
- "Lenny is one of the reasons why it's fun to be in the information security community. His extraordinary intellect and talent for research and innovation are matched by his communication and teaching skills. He's a fantastic writer and a wonderful instructor who has mastered the ability to teach complex concepts in a very approachable manner. Lenny is also one of the nicest people you'll ever run into in our field or any other." - Eric Huber, Cyber Fraud Subject-Matter Expert
- "Lenny Zeltser is another one of those people you read about in magazines and think 'Man, I wish I was that guy.' A true leader in information security and a great guy all around. Lenny once actually paid me a compliment when I was teaching for SANS, along the lines of being inspired at the time by me being one of the folks who happily stood up to teach in front of large crowds (we were both new to the game at the time). I found this humorous since I felt only awe at his own amount of knowledge. I still have the copy of Network Perimeter Security, which he personally sent me to get my opinion of it. I recall that I didn't end up providing my feedback since I felt beneath the ability to comment on it at the time!" - Ed Luck, Principal Consultant, Solutions at Dimension Data
- "I was part of the group that attended and reviewed Lenny's try-out session as a SANS instructor, and was blown away by the energy, expertise, and focus he displayed. Where others have at times failed to properly handle interruptions, especially from people who were trying to lead them astray and/or force them to stumble, Lenny remained focused, put the interrupter nicely but firmly in his place, and postponed further discussion to the Q&A session at the end of the class. When audience members asked targeted questions, inquiring about their understanding of recent developments in information security, he was able to elaborate on each of the topics and help them improve their grasp on various hot topics. Lenny displays lots of dedication, is very intelligent, has a solid grasp of information security, and is capable of explaining complicated technical concepts in easily understandable terms." - Roland Grefer, Principal, Global Support Services Group
When Eric Zimmerman was a Special Agent with the FBI, one of his responsibilities was managing on-scene triage. He identified several gaps in an existing process and started creating solutions to address them. What began as building and expanding a few live response tools took Eric down a path that eventually led to him writing more than 50 programs that are now used by nearly 8,800 law enforcement officers in over 80 countries.
Much of Eric's work involved designing and building software related to investigations of sexual abuse of children. In a single year, Eric's programs led to the rescue of hundreds of these children. As a result, in May 2012, Eric was given a National Center for Missing and Exploited Children's Award, which honors outstanding law enforcement professionals who have performed above and beyond the call of duty. Eric was also presented with the U.S. Attorney's Award for Excellence in Law Enforcement in 2013.
Today, Eric serves as a Senior Director at Kroll in the company's cybersecurity and investigations practice. At SANS, he teaches the FOR508: Advanced Digital Forensics, Incident Response and Threat Hunting course, and is a two-time winner of the SANS DFIR NetWars Tournament (2014, 2015). Eric is also the award-winning author of X-Ways Forensics Practitioner's Guide, and has created many world-class, open-source forensic tools.
Eric is a sought-after instructor and speaker who brings expertise in the cyber realm, complex law enforcement investigations, computer forensics, expert witness testimony, computer systems design, and application architecture to his work and classroom.
"I enjoy teaching this material because of how much potential there is in it to move cases forward quickly," says Eric. "With the pace at which computer storage continues to grow, it will become more and more important for people to understand the most cost-effective artifacts and techniques so these can be leveraged to move through data more quickly."
Eric's teaching philosophy focuses on the long-term gains achieved by not only understanding the nuts and bolts of how to run a tool and consume output, but also getting a deeper understanding of how tools work "under the hood." Those "a-ha" moments are what has kept Eric coming back to the classroom since 2008. His focus on understanding the big picture of digital forensics prepares students to perform better analysis, do new research of their own, and identify the best tools or techniques to perform successful investigations - all skills that will have a lifelong impact.
And even though work brings him great rewards, Eric understands the value of work/life balance. In his spare time, he enjoys spending time with his family, hiking, going to amusement parks with his two sons, and even fitting in a bit of video gaming when possible.
- Former Federal Bureau of Investigation (FBI) Special Agent
- Creates and maintains many free world-class, open-source forensic tools
- Award-winning author of X-Ways Forensics Practitioner's Guide
- Recipient of the National Center for Missing and Exploited Children's Award and the U.S. Attorney's Award for Excellence in Law Enforcement
Get to Know Eric Zimmerman:
- Eric's blog: https://binaryforay.blogspot.com/
- GitHub: https://github.com/EricZimmerman
- Listen to Eric's webcast: (Am) Cache Rules Everything Around Me
Here's What Students Are Saying about Eric Zimmerman:
- "It is easy to see how much passion Eric has for the topics he teaches." - Ken Saganowski, Kroll
- "Deep knowledge - insightful. Gets questions answered thoroughly." - Daniel Lightfoot, PennyMac
- "Good pace and content; he emphasizes important points." - Rueben Rubio, Lord Abbett