SANS Computer Forensic Instructors are real-world practitioners who specialize in the subjects they teach. All instructors undergo rigorous training and testing before earning SANS Certified Instructor status. This helps us guarantee that what you learn in class will be up-to-date and relevant to your job.

"The instructor was very helpful in making sure that the class has a good understanding of the information covered to date", - Debbie Moeker, 3M.

Rob Lee

Rob Lee

Rob Lee is the Chief Curriculum Director and Faculty Lead at the SANS Institute where he oversees the Digital Forensics, Incident Response, Cloud, Pen Testing, Audit, Application Security, and Cyber Defense curricula along with other operational functions in the company. With more than 24 years of experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response, he provides consulting services in the Washington, D.C. area. Before starting his own business, Rob worked with government agencies in the law enforcement, defense and intelligence communities as a lead forvulnerability discovery and exploit development teams, a cyber forensics branch, and a computer forensic and security software development team. 

Rob graduated from the U.S. Air Force Academy and served in the U.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on information operations. Later, he was a member of the Air Force Office of Special Investigations (AFOSI) where he led a team conducting computer crime investigations, incident response, and computer forensics. Prior to starting his own firm, he directly worked with a variety of government agencies, U.S. Department of Defense, and intelligence communities as the technical lead for a vulnerability discovery and an exploit development team, lead for a cyber forensics branch, and lead for a digital forensic and security software development team. Rob was also a directorfor MANDIANT, a company focused on investigating advanced adversaries, such as the APT, for five years prior to starting his own business. Rob co-authored the book Know Your Enemy, 2nd Edition. Rob earned his MBA from Georgetown University in Washington DC. Rob is also a co-author of the MANDIANT threat intelligence report M-Trends: The Advanced Persistent Threat.

Here is What Students Say About Rob Lee:

"Mr. Lee is flawless. Great teaching style with an excellent delivery of the content." - Dusko Stjepanovic, JSOC

Here is a SANS Summit presentation by Rob T. Lee:

David Bianco

David Bianco

David Bianco may have missed his career calling if not for the chance convergence of his interest in computer science, his love of books, and a pesky intrusion. Part of a student system admin team for the computer science department, David had just finished reading Cliff Stoll's The Cuckoo's Egg when his team experienced their own small intrusion. "Even though I didn't know what I was doing AT ALL, I convinced my boss to allow to me to work the investigation and he agreed," says David.

The rest, as they say, is history. Although he made many mistakes along the way (and luckily the intruder wasn't out to do any real damage), David learned a lot through the process and found that he loved the work, even though he didn't yet realize he could make a career out of it.

Since then, David has been involved in information security for more than 20 years, working with Fortune 500 companies, Wall Street firms, public utilities, and major universities on incident detection and response. He credits his early focus on network security with honing his skills in extracting the most information possible from just the network data, before moving ahead to other areas. Today, he's a Principal Engineer for cybersecurity at Target Corporation.

David wanted to be a SANS instructor since he took his first class, Security Essentials, almost 20 years ago. Today, he teaches SANS FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response. "There's just something amazingly fun about being able to pull apart network traffic and find out what's really going on!" says David.

Watching students have a lightbulb moment in class, then take that new skill back to their jobs and apply it right away, is one of the reasons David loves to teach. An area of professional focus for David is helping others get their security careers started and learn the technical skills necessary to shine. "I still remember how confusing it sometimes was to have to learn all this stuff for the first time, and I hope that shows in my teaching," he says. And due to the caliber of SANS instructors, "being able to call myself one is a useful benchmark for my own development as well."

In his classes, David teaches students to understand their work beyond the tools. "A good analyst knows how to use their tools, but a great analyst has the knowledge and experience necessary to understand and compensate for their tools' limitations," he says. As an instructor, David's goal is to give each student the technical skills and experience to approach any forensic challenge with confidence.

The biggest challenge David sees students encounter is the sheer number of different protocols and data formats with network forensics, many of which are undocumented (especially the malicious ones). He reminds students that the most important thing is to become comfortable not knowing what you're doing when dealing with many unknowns. Treading the same ground over and over with a spirit of curiosity gives investigators incremental context along the way to find a solution.

David contributes to the security community outside the classroom as well. A number of years ago he created a slide called "The Pyramid of Pain," for an internal presentation, then turned it into a post on his blog: Today, the Pyramid is widely cited as a model for applying Cyber Threat Intelligence (CTI) to detection and response. "I feel really lucky to have been in a position where I had the support to formulate and distill my ideas about CTI into an easily-consumable form, and that they have resonated so well with the security community at large," he says.

In addition to blogging, David is the principal contributor to The ThreatHunting Project and active in the DFIR and threat hunting community, speaking and writing on the subjects of detection planning, threat intelligence, and threat hunting. He has written course material for the SANS Institute, served as a contributing editor for Information Security Magazine, and holds the GIAC GNFA certification.

Still an avid reader, David has a particular interest in the history of technology. Two of his favorite books are The Soul of a New Machine, by Tracy Kidder and The Victorian Internet, by Tom Standage. He's also been known to play the Great Highland Bagpipes on occasion.

Qualifications Summary

  • Principal Engineer, Cybersecurity at Target Corporation
  • More than 20 years of experience working with Fortune 500 companies, Wall Street firms, public utilities, and major universities on incident detection and response
  • Creator of "The Pyramid of Pain," a widely cited model for applying CTI to detection and response
  • Principal contributor to The ThreatHunting Project
  • Former contributing editor for Information Security Magazine
  • Instructor for SANS FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
  • GIAC Network Forensic Analyst (GNFA)

Get to Know David J. Bianco

  • Blog URL:

Matt Bromiley

Matt Bromiley

Matt Bromiley is a principal incident response consultant at a top digital forensics and incident response (DFIR) firm where he assists clients with incident response, digital forensics, and litigation support. He also serves as a SANS GIAC Advisory Board member, a subject-matter expert for the SANS Securing The Human Program, and a technical writer for the SANS Analyst Program.  Matt brings his passion for digital forensics to the classroom as a SANS instructor for FOR508: Digital Forensics, Incident Response, and Threat Hunting, and FOR572: Advanced Network Forensics, where he focuses on providing students with implementable tools and concepts. 

"SANS is the only organization where I have seen students bursting to get out of class to apply their newly acquired skills to current casework," he says.  

Matt fell into this career somewhat by accident, taking on a junior analyst role because the team was great and the work sounded exciting. "My first day, I was working a keylogger case that required me to examine various hardware, test information, extract USB information, and decode logged keys," he recalls. "I was hooked!" 

Since then, Matt has built a wide-ranging career that gives him a broad perspective on digital forensics. He has helped organizations of all types and sizes, from multinational conglomerates to small, regional companies. His skills run the gamut from disk, database and network forensics to malware analysis and classification, incident response/triage and threat intelligence, memory analysis, log analytics, and network security monitoring.  

Along with traditional database forensics, Matt has experience deploying such tools as Elasticsearch, Splunk, and Hadoop to assist in large-scale forensic investigations, network security monitoring, and rapid forensic analysis on over 100 systems and over 10TB of logs. He has a particular interest in database and Linux forensics, as well as in building scalable analysis tools using free and open-source software.  

Matt understands the importance of making the information he's teaching relatable to students. "It's easy to picture every scenario as an advanced persistent threat attack, but some students don't perform those investigations," he explains. So Matt looks for the common ground among all of the specific artifacts and the bigger picture that each artifact helps develop, thus enabling students to enhance their investigations and succeed in their day-to-day careers. 

His extensive experience in digital forensics shines through in his teaching. An energetic, enthusiastic instructor, Matt sees digital forensics as a puzzle that is begging to be solved. He loves piecing together artifacts to tell a vivid story about what has happened, and he strives to inspire his students to have the same passion for "completing the puzzle".

Outside of work, Matt loves spending time with his family, cooking Texas BBQ, and making his house as automated as possible in hopes that it will one day do work for him.

Summary of Qualifications:

  • More than six years in digital forensics and incident response
  • GIAC Advisory Board Member
  • Subject-matter expert for the SANS Securing The Human Program
  • SANS Analyst Program writer

Get to Know Matt Bromiley:

Here's what students are saying about SANS Instructor Matt Bromiley:

"I really valued your lectures, and most importantly, your enthusiasm and expertise on forensics." - Robert S., New York Metropolitan Transportation Authority

"Matt continues to demonstrate passion for the topics being taught. The real-world examples he provides are a great addition to supplement the content in the book." - Michael F., Macquarie Group

"FOR508 lead by Matt Bromiley has dramatically increased my DFIR skills in less than a week, anyone serious about incident response or windows forensics must take this course" - Joe V., Moran Towing Corporation

Rebekah Brown

Rebekah Brown

Rebekah Brown has helped develop threat intelligence programs at the highest levels of government and has had some exciting experiences along the way. She is a former National Security Agency network warfare analyst, U.S. Cyber Command training and exercise lead, and crypto-linguist and Cyber Unit Operations Chief for the U.S. Marine Corps. She's even provided a briefing at the White House.

But if you ask Rebekah what she's most proud of, she'll tell you it's the success of the students and co-workers she's mentored throughout her career.

Rebekah started out in traditional military intelligence work, focused on Chinese cryptologic linguistics. She was then selected to cross-train as a network warfare analyst, which provided the opportunity to fuse her understanding of language and culture with network defense. "I loved the ability to combine different aspects of intelligence and apply it in ways that many people in the intelligence community were just beginning to understand," she says.

Rebekah has since provided threat intelligence for all types of security programs ranging from national security operations to state and local governments and Fortune 500 companies.  She currently is the threat intelligence lead for Rapid7, where she supports incident and analytical response and global services and provides product support. She is also a course instructor and student mentor at SANS, where she teaches FOR578: Cyber Threat Intelligence, a course she co-authored. She is also co-author along with SANS Instructor Scott Roberts of the book Intelligence Driven Incident Response.

In her day-to-day work, Rebekah spends a lot of time focused on understanding intelligence sources, conducting multiple levels of analysis, and explaining what intelligence means and how it can be used to a variety of audiences.

"Regardless of their specific role, all three of these actions are things my students will have to do, most likely on a daily basis," says Rebekah. "Understanding intelligence and its implications and being able to convey that knowledge at different levels are skills that will help make any cyber threat intelligence analyst successful."

A highlight of Rebekah's career was providing a briefing at the White House on the future of cyber warfare and coordinated defensive and offensive cyber operations. "This coordination was something I strongly advocated during my time in DoD cyber operations with the Marine Corps," says Rebekah. "I'm happy to report that the idea has been widely adopted."

A dedicated mentor, Rebekah is most proud of the success achieved by the coworkers she supported throughout her career.  

"Intelligence work requires a team with diverse backgrounds to be successful, but I found that those without a strong background in computer science often felt that they did not have the experience needed to contribute to the team," she explains. "I love helping co-workers and students understand how their previous experience ties into what they are learning, and providing them with tools and resources that they can go back and use at their jobs on day one."

Rebekah has an associate's degree in Chinese Mandarin and a bachelor's degree in international relations, and she is finishing her master's degree in homeland security with a cybersecurity focus as well as a graduate certificate in intelligence analysis.

In her free time, Rebekah enjoys hiking, camping and snowboarding. She also plays the baritone ukulele and is an outfielder for her kickball league in Portland, Oregon. However, Rebekah is never too far from the work she loves. Hailing from a family of engineers, she notes that a common family discussion over Thanksgiving dinner might include implementation of PLCs in waste water treatment labs and the security needed for it!

Qualifications Summary

  • Former Operations Chief for the U.S. Marine Corps Cyber Unit
  • Current threat intelligence lead for Rapid7
  • 12+ years of threat intelligence experience
  •  Certified Information Systems Security Professional (CISSP)
  • SANS FOR578: Cyber Threat Intelligence instructor and co-author

Get to Know Rebekah Brown

Here is a SANS Summit presentation by Rebekah Brown:

Carlos Cajigas

Carlos Cajigas

Carlos Cajigas has his heart fully invested in his work. Following the terrorist attacks on September 11, 2001, Carlos was inspired to pursue a career in law enforcement in order to combine his passion for computers with his sense of duty to protect victims of cybercrime and make the world a safer place. Today, Carlos has expanded his pursuits to include being an instructor and blogger, enabling him to share his knowledge and experience with others interested in pursuing a career in digital forensics.

A native of San Juan, Puerto Rico, Carlos began his career with the West Palm Beach Police Department in Florida, first as a police officer and eventually as a digital forensics detective, examiner, and instructor specializing in computer crime investigations. During his law enforcement tenure, Carlos conducted examinations on hundreds of digital devices, from computers and mobile phones to GPS devices, and served as both a fact and expert witness in the State of Florida. In 2013, Carlos taught mobile forensic courses in Latin America for the U.S. State Department's Anti-Terrorism Assistance Program.   

Today, Carlos is the Managing Partner and Chief Technical Officer of Covert Bit Forensics, a firm specializing in Digital Forensic Investigations. Carlos also teaches FOR500: Windows Forensic Analysis and FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting at the SANS Institute, where he brings his experience with law enforcement forensics and enterprise incident response to the classroom.

"My teaching philosophy is simple," Carlos says. "I strive to empower each student by developing their ability to conquer knowledge of a forensic technique, using demonstrations and the sharing of real-life applications and implications as to why a technique is important. I want my students to know which specific artifacts to analyze regardless of the tool chosen for the analysis."

Digital crime has increased dramatically in recent years, and hard drive sizes have expanded exponentially, greatly increasing the amount of cases and devices that need to be analyzed.

"The days of imaging and processing extremely large hard drives for hours before beginning analysis is a thing of the past," says Carlos. "Taking into consideration limited resources and manpower, today's examiners must be as efficient as possible in what we do and how we do it."

To help students overcome these challenges, Carlos shares techniques in his classes on how to directly target specific files and folders that can yield the biggest amount of answers in the least amount of time. "That way you can have answers within minutes rather than within hours," he says. 

Carlos has been involved in hundreds of cases and helped obtain numerous convictions using many of the techniques he teaches in class. As an investigator, he gets great satisfaction knowing that he did his part in protecting victims. As a teacher, seeing students grasp his explanation of an artifact can be just as satisfying, knowing that he is preparing them for the challenges of the future.

Carlos holds bachelor's and master's degrees from Palm Beach Atlantic University in Florida, and has completed numerous training courses, including courses offered by Guidance Software (EnCase), National White Collar Crime Center (NW3C), Access Data (FTK), United States Secret Service, the International Association of Computer Investigative Specialists (IACIS), and SANS.

Carlos also holds numerous certifications in the digital forensics field, including EnCase Certified Examiner (EnCE), Certified Digital Forensic Examiner (CDFE) from Mile2, Access Data Certified Examiner (ACE), Certified Forensic Computer Examiner (CFCE) from IACIS, and the GIAC Certified Forensic Analyst (GCFA), GIAC Certified Forensic Examiner (GCFE), GIAC Certified Incident Handler (GCIH), GIAC Advanced Smartphone Forensics (GASF), and GIAC Reverse Engineering Malware (GREM) from SANS. Carlos is a Florida Department of Law Enforcement (FDLE) certified instructor with experience teaching digital forensic classes. He is an active member of both the International Association of Computer Investigative Specialists (IACIS) and Miami Electronic Crimes Task Force (MECTF).

Carlos also maintains a computer forensics blog aimed at helping other digital forensic examiners use free open-source Linux-based tools to do their jobs. He hopes to develop and increase awareness in this area and believes that open-source tools can provide examiners with alternatives and/or supplement commercial software.

During his free time, Carlos throws his passion into his pursuit of designing and baking the best homemade pizza.

Qualifications Summary

  • More than 12 years of experience in digital forensics, both as a law enforcement officer and as an incident responder for IBM.
  • Instructor for FOR500: Windows Forensic Analysis at the SANS Institute

Get to Know Carlos Cajigas

Here is What Students Say About Carlos Cajigas:

"The instructor has a great teaching style. He is able to balance course content with personal experience in an efficient manner (to not waste time in class). He explains complex concepts very well." - Luis Martinez, Westchester District Attorney's Office

"One of the best instructors I have had." - Patrick O'Leary, NCDOC  

"Carlos is a great instructor with a lot of energy to drive the point home." - Jason Hultman, Diplomat Pharmacy

"Great instructor, very experienced in teaching a wide audience." - Brian Plummer, CACI

"The instructor is one of the most exciting, knowledgeable and articulate teachers I've ever had." - Joe Michalek, PWC

Eric Capuano

Eric Capuano

Eric Capuano injects his passion for forensics into every facet of his life. "There is nothing dull or boring about studying advanced adversarial tactics in an effort to become a highly effective defender," he says, comparing this work to a never-ending game of chess where the impacts are real, the stakes are high, and a passion for the game makes it worthwhile to play. 

Eric's career in information security has centered around defending critical networks, often tied to national security or similarly important missions, starting as an information security tactics developer for the United States Air Force. Later, he specialized in intrusion detection signature development, and since departing active duty he has lead cybersecurity operations in both private and government entities. 

Today Eric serves as founder and CTO of Recon Infosec, a provider of managed security services and network defense range simulations. Previously, Eric managed the Security Operations Center for the Texas Department of Public Safety, where he singlehandedly built the agency's first CSIRT, and is an instructor for SANS FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting, a role he's proud to fill. 

"I firmly believe there is no higher quality training program, in this field or many others for that matter, than SANS," says Eric. "The seamless combination of world-class expert instructors and highly relevant, in-depth course material is unparalleled in any other program I have encountered."

In addition to these roles, Eric continues to serve part-time in the Texas Air National Guard as a Cyber Warfare Operator. He also leads the team that develops and runs, a DFIR CTF, at the Blue Team Village at DEF CON each year. Even in his spare time, Eric enjoys tinkering in Python, analyzing malware, authoring threat signatures/IOCs, and developing/maintaining honeypots and deception systems. 

Eric routinely leverages Windows forensics skills in support of defensive and incident response operations as well as providing support to law enforcement. This experience enables Eric to provide real-world forensics experience not only for LE/investigative purposes, but also for identifying attack methods and infection timelines of compromised systems. He has a passion for detailed threat analysis and uses those skills to bolster defensive postures by leveraging defense-in-depth methodologies.

Eric's raw passion for forensics shines through in the classroom as well, giving him a connection with students from a wide variety of backgrounds. Eric utilizes a range of methods to ensure each of his students has an "ah-ha" moment with the material he's teaching, along with conveying the importance of attention to detail and uncompromised integrity with investigations. "My goal as an instructor is to teach not only the technical skills required to perform the job, but also the core principles and processes that must be followed to preserve accuracy and fidelity in your investigations," he says.

A mentor and teacher at heart, Eric's greatest career highlight is centered around his role as an instructor. "While I sincerely love the technical, hands-on aspect of the job, I feel my most significant accomplishment is the time spent working with analysts that I have had the distinctive honor to train over the years," he says. "By sharing my passion, knowledge, and lessons learned, I hope that I have boosted their careers and helped them quickly identify the areas of this field that they will enjoy the most."

In one memorable situation, a young undergrad was participating in an incident response simulation that Eric was operating at a local security conference. "This young lady had no prior experience in this field but through sheer dedication and drive took first place over 42 other participants in the event," he says. "I found out a few weeks later that the employer of a few other participants in that challenge had offered her a job shortly after her accomplishment that day." Seeing the ripple effect of his efforts was incredibly rewarding and humbling experience for Eric.

Eric is GIAC GCFE, GIAC GCFA, Certified Ethical Hacker, Security+, Linux+, LPIC-1, PCNSE, and A+ certified. He shares opinions and techniques centered around information security on his blog at, and supports and contributes to open source projects in his spare time. "I enjoy leveraging Python to automate security operations to make life easier for analysts and to enhance effectiveness of security teams," he says.

An avid adventure motorcycle rider, Eric's ideal weekend is loading up his motorcycle and heading to the mountains for camping and adventure. 

Qualifications Summary

  • Nearly 15 years of experience defending critical networks, often tied to national security or similarly important missions
  • Former SOC Manager for the Texas Department of Public Safety, where he singlehandedly built the agency's first CSIRT
  • Texas Air National Guard Cyber Warfare Operator
  • Cyber Patriot instructor 
  • Member of the Blue Team Village at DEFCON
  • Python tinkerer

Get to Know Eric Capuano


  • Certified Ethical Hacker
  • Security+
  • Linux+
  • LPIC-1
  • A+ certified 

Student quotes:

"Eric provided awesome views of philosophies of incident handlers- helping me reframe and refocus on the important parts of my job!" -  John Kay, TD Bank

"Excellent coverage of topics presented, Eric was able to get into details of each topic" Deepak Seth, FireEye 

"Eric does a fantastic job in helping those of us who were struggling a bit. Great confidence & presentation skills"  James L., US Army West Point

Ovie Carroll

Ovie Carroll

For Ovie Carroll, digital forensics is all about the hunt for evidence in digital places that are hiding critical clues, followed by deep analysis to prove something that the evidence was never intended to prove. That's why Ovie, a cybercrime expert and veteran law enforcement officer, loves teaching the SANS FOR500 Windows Forensic Analysis course.

"I love exposing students to how exciting digital investigative analysis is," Ovie says. "My passion is for digital evidence and digital investigative analysis. I leverage my abilities, expertise, and my current experience with the U.S. Department of Justice to see across investigative activities around the world, use that vantage point to see the whole picture of where we are in digital investigative analysis and cybercrime fighting, and identify the future challenges in both investigative practices and the courts. And I try to bring all of that to my students."

Ovie's students are clearly getting what he's bringing - many of them finish his classes with renewed career plans. "They leave my class saying that they originally had no intention of going into digital evidence but now see it is more exciting than any other aspect of cybercrime fighting or incident response," he says.

Ovie's teaching philosophy centers on sharing and demonstrating his passion for digital investigative analysis. Drawing on 31 years of law enforcement and cyber investigation experience, his dynamic presentations not only deliver the technical material but also show how each digital artifact can be used to help solve cases.     

Ovie's career in digital forensics has its roots in his years-long interest in computers - how they work and how they can and are being used in everyday life. Of particular interest is how companies are collecting, manipulating, analyzing, and monetizing people's every behavior online. "I am always interested in investigating how we can possibly tap into the information computers and companies are collecting to use it for good and to bring justice to victims," he explains.

In addition to teaching digital forensics at SANS and co-authoring the FOR500 Windows Forensic Analysis course, Ovie is the Director of the Cybercrime Lab of the Computer Crime and Intellectual Property Section (CCIPS) at the Department of Justice (DOJ). The lab provides advanced computer forensics, cybercrime investigation, and other technical assistance to DOJ prosecutors to support implementation of the department's national strategies for digital evidence and to combat electronic penetration, data theft, and cyberattacks on critical information systems. He also teaches two classes as an adjunct professor at George Washington University in Washington, DC.

Prior to joining the DOJ, Ovie was a Special Agent in Charge overseeing the Technical Crimes Unit of the Postal Inspector General's Office, where he was responsible for all computer intrusion investigations within the postal service network infrastructure and for providing all digital forensic analysis in support of criminal investigations and audits. He also served as a special agent in the Air Force Office of Special Investigations, investigating computer intrusions and working both general crimes and counterintelligence as well as conducting investigations into offenses including murder, rape, fraud, bribery, theft, and gangs and narcotics.

Computers are front and center in Ovie's free time as well, but he also enjoys plenty of offline activities, including public speaking, scuba diving, travel, and meeting new people.

Qualifications Summary:

  • 31 years of law enforcement experience and over 20 years of cyber investigative experience
  • Director of the Cybercrime Lab of the Computer Crime and Intellectual Property Section (CCIPS) at the Department of Justice (DOJ)
  • Adjunct professor at George Washington University
  • FOR500 Windows Forensic Analysis co-author and instructor

Get to Know Ovie Carroll:

Here is What Students Say About Ovie Carrol:

"Ovie is just an awesome instructor. He has a wealth of knowledge and really made the course a live and exciting joy." -  Mohamed Abdelsalam, Glencore

"Ovie has got this thing down, pat! He is informative, personal, very very knowledgeable, and, entertaining on top of it all! Really enjoy his teaching methods." -  Mike Bowden, Boeing

"Ovie is a great instructor, always has an answer to any question." - Brian Pitchford, Marriott

"He is wonderful. It is high energy. Keeps the student alert." - Selean Jones, Verizon

"Very energetic and extremely knowledgeable. Great instruction and content. Keep up the good work Ovie, it shows in the way you teach that you are very passionate about teaching forensics. I will take additional SANS DFIR classes, but for the money, I will make certain Ovie is teaching. You're just not gonna find an instructor as engaged/entertaining/knowledgable as Mr. Carroll. Very outstanding instruction." - Chad Gish, Metro Nashville PD.

"Great class! The hands on training exercises, SANS material, plus real-life examples have been a tremondous help especially since I have limited experience." - Jamie Schroeder, John Deere

Lodrina Cherne

Lodrina Cherne

A lifelong curiosity about technology and puzzles, and particularly codes and cryptography, made digital forensics a perfect career for Lodrina Cherne. She sees forensics investigation as a series of facts and data waiting to be identified and discovered, sometimes leading to a clear path, other times showing the investigator that more needs to be done. 

Lodrina brings that curiosity to her professional work and to her role as an instructor for SANS FOR500: Windows Forensic Analysis. She became a SANS instructor to help instill solid foundational skills, practices, and techniques in students to advance their understanding of Digital Forensics and Incident Response (DFIR), as well as to advance the overall DFIR profession. Lodrina finds it particularly rewarding that even one footnote or a single mention among the hundreds of pages covered in a week-long course can help a student some day break a case. 

Lodrina's goal as an instructor is to help students look at an investigation from multiple angles by using different tools to find as many facts as possible. She wants her students to understand the mindset needed and the possible blind spots to be explored when investigating a case. "Even when Windows upgrades and new artifacts are present, we will work to understand the different investigative techniques needed," she explains.

Lodrina also helps students use forensic principles to understand artifacts they might not have even known existed, providing a strong sense of user activity. These artifacts include logons, the external devices used, and the websites visited, among many others. 

Lodrina was a computer forensics examiner for Arsenal Consulting, where she focused on preservation and analysis of electronic evidence, including host-based analysis of Windows, macOS, Android, and iOS systems in matters concerning intellectual property theft, employment disputes, and evidence tampering. 

Lodrina most recently worked as a security analyst and product manager at Cybereason, helping to defend organizations from attack through security research and incident response.

Lodrina has been pursuing her interests or working in cybersecurity for nearly 15 years.  In one particularly memorable investigation, she helped in the acquittal of more than 200 foreign imprisoned senior military officers in Turkey after showing that the electronic documents used to indict them were forged. Known as "Sledgehammer," the case involved sophisticated forgery and backdating of documents related to a military coup in Turkey. Lodrina explained that while everything in the indictment initially looked "right" on the surface to tools and parsers, a few details just didn't line up. "Digging through documents at the lowest level and finding the answers in hex was extremely satisfying and had real-world ramifications for the people who had been wrongly indicted," she says.

Lodrina has a bachelor's degree in computer science from Boston University and holds the GCFE, GCFA, and GASF certifications. She is a member of the GIAC Advisory Board, contributes to the Forensics Wiki, and is a two-time Lethal Forensicator Coin Holder. She was named to SC Magazine's prestigious Women in IT Security 2019 issue in the Women to Watch category.

Lodrina is a powerhouse outside of work as well. She's an internationally classed powerlifter who earned the title of National Champion at the 2013 USA Powerlifting championship and received the bronze medal at the 2014 IPF World Championships. She is also a volunteer case reviewer for the Massachusetts foster care system.

Qualifications Summary

  • Instructor for SANS FOR500: Windows Forensic Analysis 
  • More than eight years of professional experience in digital forensics and nearly 15 years of experience in the field 
  • Key investigator in the Sledgehammer case in Turkey
  • GIAC Advisory Board member
  • Awarded the SANS Challenge Coin twice
  • Contributor to the Forensics Wiki


  • AccessData Certified Examiner (ACE)
  • Certified BlackLight Examiner (CBE)
  • Certified ProDiscover Examiner (CPE)

Jim Clausing

Jim Clausing

Jim Clausing caught his first attacker in 1981 when he discovered a Trojan login program had been planted on a terminal on his college's computer. "Yes, we had only one computer for the entire college," he recalls. Ever since, Jim has been working to secure systems and track down attackers. "It is putting the pieces together, finding the patterns. I love that," says Jim. "I've spent most of my time since then trying to unravel these mysteries."

Today, Jim has over 35 years of experience in the IT field including systems and database administration, and security and research in parallel processing and distributed systems. He's spent the past 20 years as a technical consultant and network security architect for AT&T doing malware analysis, forensics, incident response, intrusion detection, system hardening, and botnet tracking.

When Jim took his first SANS class in 2000, his instructor Stephen Northcutt emphasized giving back to the community. Jim sees teaching and mentoring as one way he can do that. "I've taken enough training to know that SANS provides the absolute best technical security training in the business, so I'm proud to be a part of that," says Jim. "Plus, I learn something from the students every single time I teach."

Jim has now been a SANS instructor for nearly 16 years, teaching a wide variety classes ranging from packet analysis and first responder classes, to reverse engineering malware and CISSP preparation, as well as mentoring intrusion detection, firewall, and forensics courses. Today, he teaches FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques.

In his teaching, Jim strives to share his passion for the field with his students and to lead by example, sharing his experiences for others to learn from. He also focuses on hands-on experiential learning. "The only way to truly learn something is by doing," he says. "That's part of why I love most SANS classes, the hands-on exercises are the best way to learn how to actually do."

Jim notes that students often assume they need to be an assembly language expert to do malware analysis. But as he puts it, "it isn't a dark art or magic, anyone can learn to analyze malware if they put in the time."

In his classes, Jim says students learn the basics and how to recognize the important API calls and control flow, and gradually learn more assembly language as they do more reversing. "We'll show you how you can find IOCs even if you only have an hour to analyze a particular sample or how to figure out most or all of the capabilities of the malware if you have 20-40 hours," says Jim.

Since 2006, Jim has served on the GIAC board of directors, and as a volunteer incident handler at the SANS Internet Storm Center since 2002. He co-authored the SANS Press book, Securing Solaris 8 & 9 Using the Center for Internet Security Benchmark, and holds the GIAC Security Expert (GSE) certification (#26), and the GIAC GCFA, GCIA, and GREM Gold certifications. He also holds the GIAC GCIH, GPPA, GCFE, GCWN, GSEC, GPEN, GPYC and GNFA Silver certifications, as well as the CISSP.

When he's not working or teaching, you'll find Jim on his recumbent bike, which he's ridden more than 1,100 miles annually on in recent years and looking for opportunities to put his instrument-rated private pilot license to use. When he's off the bike and out of the plane, Jim enjoys spending time with his family and their pets, a dog and cats.

Qualifications Summary

  • 35+ years of experience in the IT field including systems and database administration and security
  • Member of the GIAC Board of Directors
  • Co-author of the 2003 SANS Press book, Securing Solaris 8 & 9 Using the Center for Internet Security Benchmark
  • Volunteer incident handler at the SANS Internet Storm Center (
  • Instructor for SANS FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

Get to Know Jim Clausing


  • GIAC Security Expert (GSE) certification (#26)
  • GIAC Certified Forensic Analyst (GCFA) gold certification
  • GIAC Certified Intrusion Analyst (GCIA) gold certification
  • GIAC Reverse Engineering Malware (GREM) gold certification
  • GIAC Certified Incident Handler (GCIH) silver certification
  • GIAC Certified Perimeter Protection Analyst (GPPA) silver certification
  • GIAC Certified Forensic Examiner (GCFE) silver certification
  • GIAC Certified Windows Security Administrator (GCWN) silver certification
  • GIAC Security Essentials (GSEC) silver certification
  • GIAC Penetration Tester (GPEN) silver certification
  • GIAC Network Forensics Analyst (GNFA) silver certification
  • Certified Information Systems Security Professional (CISSP)
  • GIAC Python Coder (GPYC)
  • GIAC Certified Detection Analyst (GCDA)

David Cowen

David Cowen

David Cowen is a Certified SANS Instructor and a Managing Director at KPMG LLP, where his team of expert digital forensics investigators pushes the boundaries of what is possible on a daily basis. He has been working in digital forensics and incident response since 1999 and has performed investigations covering thousands of systems in the public and private sector. Those investigations have involved everything from revealing insider threats to serving as an expert witness in civil litigation and providing the evidence to put cyber criminals behind bars.  
David has authored three series of books on digital forensics; Hacking Exposed Computer Forensics (1st-3rd editions), Infosec Pro Guide to Computer Forensics, and the Anti Hacker Toolkit (Third Edition). His research into file system journaling forensics has created a new area of analysis that is changing the industry. Combined with Triforce products, David's research enables examiners to go back in time to find previously unknown artifacts and system interactions.
David speaks about digital forensics and file system journaling forensics at DFIR and Infosec conferences across the United States. He has taught digital forensics both as a SANS instructor and as a graduate instructor at Southern Methodist University.
David is a Certified Information Systems Security Professional (CISSP) and a GIAC Certified Forensic Examiner. He is the winner of the first SANS DFIR NetWars and a SANS Lethal Forensicator whose passion for digital forensics can be seen in everything he does. He started in 1996 as a penetration tester and has kept up his information security knowledge by acting as the Red Team captain for the National Collegiate Cyber Defense Competition for the last nine years.
David is the host of the Forensic Lunch, a popular DFIR podcast and live YouTube show, and the author of the award winning Hacking Exposed Computer Forensics Blog. The blog ( contains some 448 articles on digital forensics.  David is a two-time Forensic 4cast award winner for both Digital Forensic Article of the Year and Digital Forensic Blog of the year. The Forensic 4cast award winners are nominated by their peers and voted on by the greater DFIR community.
When David is not researching, writing, testifying, or teaching about digital forensics he spends time with his family and working on mastering Texas BBQ.

Here is What Students Say About David Cowen:

"David Cowen rocks. He is funny. He is friendly and extremely knowledgeable."  -- Bob Akin, SAIC

"David was awesome, brilliant, and entertaining to learn from." -- Jonathan Reitnauer, Vanguard

Here is What Instructors Say About David Cowen:

"I have had the pleasure of teaching with David multiple times and working with him in the forensics field.  David's passion and knowledge has made him one of the leading minds and innovators in the digital forensics community.  I saw many students loving David's open approach to teaching and the fact you could tell he really cared that they learn and understand the material.  He is one of the finest instructors I have had the pleasure of working with.  He is one of the best I've seen."  --Rob Lee, SANS DFIR Lead

Listen to David Cowen's industry changing research, released on Windows USN Journal Analysis, for real-time tracking of a suspect's activity on a Windows system.

Learn more about David Cowen in this DFIR Hero interview on the SANS DFIR Blog.

Domenica Crognale

Domenica Crognale

Domenica "Lee" Crognale likes a challenge, and to her, finding flaws is the fun part of her job. "I actually prefer to take a look at the applications where the developer has marketed them as being totally secure," she says. "You almost say to yourself 'challenge accepted.'"

Early in her career, Domenica took a cybersecurity position focusing on mobile device security, and was hooked. Now with more than ten years of experience analyzing multiple operating systems (Windows, Mac, Linux) and working in the areas of mobile device security, Domenica has seen her share of exciting challenges. "I have been able to point out some very major application flaws on some very popular applications through testing and validation," she says.

At one former position, Domenica received recognition for assisting with the Osama Bin Laden media, a highlight of her career. In another position, she provided training to military special forces, the United States Coast Guard and other government agencies, and has tested and validated various mobile forensics utilities and provided security assessments for many mobile applications. At the State Department she evaluated applications, and realized how much data really isn't protected.

Domenica currently serves as a senior mobile forensic analyst at ManTech International where she dissects the plethora of interesting data left behind by third-party mobile applications.

Domenica is a co-author of SANS FOR585: Advanced Smartphone Forensics. As a co-author, she has been able to share some of her challenges and experiences with students who are interested in the field, something that's been a very rewarding experience. "One former student shared that the she appreciated all of the work that went into the Legacy BlackBerry section of the course, and mentioned that she was able to use the information that she learned in class to assist with prosecuting a subject," says Domenica. "This section was particularly challenging to author, so this feedback made me realize that what we are doing is truly helping make examiners better in the field. I also like that every single case is different. It's still growing and there are so many opportunities to make a difference in this field."

In her teaching, Domenica ensures her students know that it's okay if they don't have all of the answers. "I also stumble through some of this data trying to make sense of all of the millions of things you can find on these devices," she says. "This field will always keep you on your toes because there is always something new. It's your motivation to do research and testing that will set you apart from other examiners."

And even with her experience and wealth of knowledge, Domenica says she still treats every mobile device application the same way as she did her first examinations. "You are never too advanced to research," she says. Also, Domenica says that regardless of having all of the best books, notes and samples, this field requires the need for constant testing. "If you aren't prepared to create test data to verify your findings, you may still be missing a piece of the puzzle."

Domenica maintains multiple certifications including the GASF, EnCE, CCE, and CISSP. She is also a IACIS CFCE mentor and coach, providing mentorship to candidates enrolled in the IACIS certification process.

When she's not investigating, teaching and mentoring, Domenica enjoys spending time with friends and family and her two adopted rescue pups, who make a few appearances in the course material! Luckily, she says, they are willing subjects.

Qualifications Summary

  • Cyber security engineer specializing in mobile devices
  • More than 10 years of experience in the field
  • Senior mobile forensic analyst at ManTech International
  • Co-author of SANS FOR585: Advanced Smartphone Forensics
  • IACIS CFCE mentor and coach


  • CISSP (Certified Information Systems Security Professional)
  • GASF (GIAC Advanced Smartphone Forensics Certification)
  • EnCE (EnCase Certified Examiner)
  • CCE (Certified Computer Examiner)

Richard Davis

Richard Davis

Richard Davis received his first computer, an Atari 800XL, in 1984 at age seven and immediately knew he wanted to work in technology. He began writing his own programs in BASIC, and later C, then got his first IT job in 1995. A year later, at age 19, Richard started his own company, TetraSoft Computers, providing service, networking, consulting, and training, then grew it into one of the largest computer service providers in northwest Georgia. 

After 10 years of operation, Richard sold the company and went to work for the University System of Georgia, where he held multiple roles including Chief Information Security Officer. He eventually landed at Embry-Riddle Aeronautical University, where he now serves as Executive Director of IT Security. 

Over his career, Richard has now amassed more than 24 years of experience in information technology, with 11 years spent specifically in information security. As he transitioned from IT to information security, Richard says digital forensics was an immediate interest. "I have an extensive home lab conducive for learning and experimentation, and often use the hardware/software at my disposal to research new topics and create YouTube content on my channel, 13Cubed," he explains.

Richard previously taught a SANS mentor class for FOR500: Windows Forensic Analysis and now teaches FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting. "The highlight of my career so far has been the opportunity to train to be a SANS instructor," he says, noting that he appreciates both the challenge and the opportunity of being surrounded by people he considers "rock stars" of their respective disciplines. 

Real-world impact is another reason Richard chose SANS. "It is one thing to learn theory, and another to see real-world examples of how material taught in the classroom can be immediately applicable to students," he says. "That's the difference between taking a university course and a SANS course," noting many students who learn about new forensic artifacts or concepts from SANS have immediately been able to apply that knowledge to active cases.

In the classroom, Richard shares his experiences working on larger cases that involve federal law enforcement, along with other real-world scenarios to help students better understand the content. From live demos to sketching or drawing diagrams and explanations for his class, Richard's primary focus is making the concepts and ideas he teaches understandable in a way that enables students to apply the concepts to real-world scenarios. 

He admits that the biggest challenge students face is the complexity of the material. "You have to truly be interested in it and work hard to achieve understanding," he says. "I've seen some who are motivated only by the promise of a lucrative career, but those who excel in this field are the ones that eat, sleep, and breathe it."

Richard graduated with a bachelor's degree in cybersecurity from the University of Maryland's University College with a 4.0 GPA. He has the ISC2CISSP®certification, GIAC certifications in GCFE, GCFA, GNFA, GREM and GPEN, and Cisco Systems certifications in security and routing and switching. 

In his spare time, Richard directs his talent toward sharing his knowledge with the information security community. He created the 13Cubed YouTube Channel, covering digital forensics and incident response, which now has more than 10,000 subscribers.  When he's not creating videos on digital forensics and pen testing, Richard enjoys astronomy, traveling, and spending time with family and friends.

Qualifications Summary

  • 24+ years of experience in the IT field, with 11+ years specifically in information security
  • Mentor/Instructor for SANS FOR500: Windows Forensic Analysis
  • Technical assistant for FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting and FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting
  • Creator of the 13Cubed YouTube Channel, covering digital forensics and incident response

Get to Know Richard Davis


  • ISC Certified Information Systems Security Professional (CISSP®)
  • GIAC Certified Forensic Examiner (GCFE) 
  • GIAC Certified Forensic Analyst (GCFA) 
  • GIAC Network Forensics Analyst (GNFA) 
  • GIAC Reverse Engineering Malware (GREM) 
  • GIAC Penetration Tester (GPEN) 
  • Cisco Certified Network Professional Security (CCNP Security)
  • Cisco Certified Network Professional (CCNP) Routing and Switching 

Mari DeGrazia

Mari DeGrazia

Mari DeGrazia loves the satisfaction of solving a good puzzle. That fascination paired with her technical abilities has made digital forensics the perfect career fit. "There is nothing like the adrenaline rush of figuring out a tough case when you find that smoking gun or vital clue that will help solve it," she says. 

Today, Mari brings her puzzle-solving skills to her position as Senior Director of Incident Response at Kroll Cyber Security, where she leads high-profile incident response cases and helps clients find and respond to attackers in their environment. 

In her role as a SANS instructor for FOR500: Windows Forensic Analysis, Mari draws on nearly 20 years of experience in the IT industry, including 10 years in Digital Forensics and incident Response (DFIR). "I love teaching this topic because it is the cornerstone of forensics," she says.

Mari has taken SANS training courses herself and spoken at several SANS conferences, always coming away impressed with the quality of the instructors and the students alike. She cites that as one of the reasons she chose to become a SANS instructor. 

"SANS training is top notch, and the content is always relevant, up-to-date, and applicable to the real world," she explains. A strong believer in giving back to the community, Mari also appreciates SANS's offering of the SIFT workstation and webcasts, as well as its proactive support of women in the industry. 

A recent highlight of Mari's career was an invitation to be a keynote speaker at the Women in Cybersecurity Conference, where she shared her journey into forensics and passion for it with hundreds of women. 

Mari's varied professional background enables her to relate to students from various career paths who attend her courses. She has worked criminal and civil cases, including providing expert testimony, run her own business where she handled many cell phone cases, and managed a team of investigators for large breach cases in her current position. 

For Mari, it's important that her students gain a firm understanding of both the artifacts and the investigative process. "My goal is for every student to walk out and feel confident about working a Windows case," she says. 

Of course, keeping up with the constant changes in the industry can be a challenge. In her classes, Mari helps students overcome this hurdle by focusing not just on the tools but on sharing techniques and providing a solid understanding of the artifacts. She also encourages students to stay active in the field by attending training sessions and conferences, and by following blogs and the DFIR Twitter community. "There is no magic tool that will do everything for you," she says, "so there needs to be a clear grasp of the underlaying artifacts and not a complete reliance on tools."

A great example of going beyond the tools is a case where Mari discovered Google Analytics artifacts both inside cookies and within the cache artifacts. The Internet history was deleted, and the Google Analytics artifact was all she had, so Mari researched Google Analytics and wrote a tool, then released it to the community to use. "The Google Analytics artifact literally was the saving grace of that case," she explains. "Since then, I have had numerous people tell me the tool has helped them in their investigations as well."

In addition to being a published magazine author and technical editor for several digital forensics books, Mari maintains a blog on which she shares her research and findings. Her blog has been cited as one of the top 10 blogs in digital forensics, "I am passionate about what I do and am constantly digging to find answers to questions," she says.  

In her spare time, Mari enjoys working on Maker projects by volunteering monthly at a non-profit Maker lab for teens. "Each month I come up with a project for the kids to build with their hands, then code it," she says. "I love seeing their reactions and sense of accomplishment after they have completed the project." Mari's overarching goal is to introduce the teens to STEM and show them how fun it can be. 

Qualifications Summary

  • Senior Director of Incident Response at Kroll Cyber Security
  • Nearly 20 years of IT industry experience, including 10 years in DFIR
  • Keynote speaker at the 2017 Women in Cybersecurity Conference
  • Published magazine author and technical editor for several digital forensics books
  • Researches and writes tools and then shares them with the forensics community through her blog
  • Volunteer with a non-profit Maker lab for teens
  • Instructor for SANS FOR500: Windows Forensic Analysis

Get to Know Mari DeGrazia


  • GIAC Certified Forensic Examiner (GCFE)
  • Microsoft Certified Systems Engineer (MCSE)
  • Certified Computer Forensics Examiner (CCFE)
  • Computer Hacking Forensic Investigator (CHFI)
  • Access Data Mobile Phone Examiner (AME)
  • Forensics Tools: EnCase, FTK, Access Data Registry Viewer, IEF, X-Ways, MPE+, Cellebrite
  • Windows, Mac, PHP, MySQL, Python, Kali Linux


  • Investigating Windows Systems (Technical Editor)
  • Make: Magazine, Power Ranger: Remote Power Monitor, April/May 2018
  • EAA Sport Aviation, Controlling a Preheater with a Text Message (Raspberry Pi Project), 2017
  • EForensics Magazine, Trust but Verify: Why When and How, 2016
  • Windows Registry Forensics, SE (Technical Editor), 2016
  • Presentations and Speaking Engagements
  • Forgotten But Not Gone: Gathering NTFS Artifacts of Deletion, SANS Tactical Detection Summit, 2018
  • Finding and Decoding Malicious PowerShell Scripts, SANS DFIR Summit, 2018
  • Working with APFS, Internal Kroll Training, 2018
  • How to Work with Linux LVMs When Your Forensic Tools Don't, Internal Kroll Training, 2017
  • In the Director's Chair, Keynote, Women in Cyber Security Conference, 2017
  • Enemy at the Virtual Gates: An Introduction to Investigating E-Commerce Data Breaches, Techno Security & Digital Forensics Conference, Cactuscon, 2017
  • The Linux Analysis Platform, Techno Security & Digital Forensics Conference, 2017
  • Memory Forensics 101: X-Men vs. Magneto (workshop), Cactuscon, High Tech Crime Investigators Association, 2017
  • Finding and Decoding Malicious PowerShell Scripts (workshop), High Tech Crime Investigators Association, 2017, OSDFCon 2018
  • The Modern World of Breach Monetization (panel), International Association of Privacy Professionals, 2017
  • Panel on Cybersecurity, International Bar Association Summit, 2017
  • Hunting Evil with Timelines, High-Tech Crime Investigators Association, Cactuscon, 2016
  • Trust but Verify: Why, When and How, Sans Digital Forensics and Incident Response Summit, 2016
  • Supersize your Internet Timeline with Google Analytic Cookies, SANS Digital Forensics and Incident Response Summit, Techno Security & Digital Forensics Conference, and Open-Source Digital Forensics Conference, 2014?2015

Community Outreach

  • smARTMAKER Lab (monthly STEM Maker lab for teens), Organizer and Instructor, 2019
  • Willcox Maker Camp (STEM day camp for youth), Organizer and Instructor, July 2018
  • Raspberry Pi Bot Wars (STEM Community Event), Organizer and Coder, 2017
  • Raspberry Pi LED Holiday Party/Workshop (STEM Community Event), Organizer, 2016
  • CyberGirlz, Outreach to young girls interested in STEM, 2016

Evan Dygert

Evan Dygert

A lot has changed since the mid 1980's, but one thing that has remained is Evan Dygert's commitment to the digital world. Evan's career of 30+ years has spanned a variety of digital fields including software development, computer networking and security, and more recently, digital forensics. It is this vast experience that allows Evan to analyze and understand Malware at a fundamental level and share that knowledge with his students.

Evan first applied his focus to digital forensics back in 2003 when his young daughter's browser was hacked. He immediately took an active role in defending against malicious actors at home, and along the way got hooked on digital forensics. As Evan learned more and more about the security field and its sub-specialties, he realized there was an endless world to explore. Today, Evan is a consultant with Dygert Consulting, offering expert consulting and computer forensic services. He is also a senior security engineer with Blue Cross Blue Shield Association. 

When he's not at his day job, Evan is a SANS instructor, teaching FOR10: Reverse-Engineering Malware: Malware Analysis Tools and Techniques, where he shows his class how to implement solid problem-solving approaches with specific malware samples. Evan's classes are interactive and conversational, always with the goal of gaining student understanding. He adjusts the focus of each class to the specific needs of the students attending that session.  In addition to FOR610, Evan teaches SEC503: Intrusion Detection In-DepthSEC504: Hacker Tools, Techniques, Exploits, and Incident Handling and FOR508: Advanced Digital Forensics, Incident Response & Threat Hunting.

A life-long learner himself, Evan stresses the need for continued learning and skill advancement to his students as well. "There are many sources of information to help with improving malware analysis skills," he says. "I share these sources with the class, so they know where to go to continue improving their skills."

Evan's work in digital forensics, computer security and expert witness work has allowed him to write expert reports, affidavits, and testify in depositions, federal hearings and a trial. He also mentors local high school CyberPatriot teams, which have gone to the CyberPatriot National Finals three times.

Fluent in Mandarin Chinese, Evan is also experienced in many computer languages including Java, Pascal, C/C++, assembly language, and Python. He has presented at BSides Orlando, SANS@Night, OWASP AppSec USA and the (ISC)2 Security Congress, and has earned 18 GIAC certifications, including the prestigious GIAC Security Expert (GSE) certification. 

Evan has a bachelor's degree in computer science from Brigham Young University, a master's in business administration from Rollins College, and has completed coursework for a Ph.D. in computer information systems, which he will earn upon completion of his dissertation.

Evan stays busy and working in security doesn't leave much time for hobbies, but in his down time he enjoys traveling, reading and spending time with his wife.  

Qualifications Summary

  • SANS Mentor and Instructor for FOR10: Reverse-Engineering Malware: Malware Analysis Tools and Techniques, SEC503: Intrusion Detection In-Depth, SEC504: Hacker Tools, Techniques, Exploits, and Incident Handlingand FOR508: Advanced Digital Forensics, Incident Resposne & Threat Hunting
  • High school CyberPatriot team mentor, with three national finalist teams
  • Fluent in Mandarin Chinese
  • Experienced in Java, Pascal, C/C++, assembly language, Python and more


  • GIAC Security Expert (GSE) 
  • GIAC Certified Forensic Examiner (GCFE)
  • Certified Information Systems Security Professional (CISSP)
  • Certified Computer Examiner (CCE)
  • Certified Ethical Hacker (CEHv8)
  • GIAC Continuous Monitoring (GMON)
  • GIAC Cyber Security Essentials (GSEC)
  • GIAC Certified Forensic Analyst (GCFA)
  • GIAC Incident Handler (GCIH)
  • GIAC Penetration Testing (GPEN)
  • GIAC Reverse Engineering Malware (GREM)
  • GIAC Certified Windows Security Administrator (GCWN)
  • GIAC Certified Intrusion Analyst (GCIA)
  • GIAC Assessing and Auditing Wireless (GAWN)
  • GIAC Secure Software Programmer-Java (GSSP-JAVA)
  • GIAC Web Application Penetration Tester (GWAPT)
  • GIAC Advanced Penetration Tester (GXPN)
  • GIAC Python Coder (GPYC)
  • GIAC Cyber Threat Intelligence (GCTI)
  • GIAC Network Forensic Analyst (GNFA)
  • GIAC Defending Advanced Threats (GDAT)
  • GIAC Certified UNIX Security Administrator (GCUX)
  • eLearnSecurity Web Application Penetration Tester (eWPT)
  • eLearnSecurity Network Defense Professional (eNDP)
  • eLearnSecurity Certified Professional Penetration Tester Gold (eCPPT Gold)
  • eLearnSecurity Certified Reverse Engineer (eCRE)

Here's what students are saying about SANS Instructor Evan Dygert:

"Evan is very methodological and easy to follow. Friendly and willing to help." Wayne C., O'Reilly Auto Parts

"Evan is fantastic and keeps the class lively and informative." Stephen S., NASA

"Evan is a real pleasure to be around. His humor, calm demeanor & deep tech knowledge make learning this complex material easy & enjoyable." Anonymous 

"Thanks Evan for the awesome FOR610 training, its unbelievable how you can get that much of knowledge and apply it in 6 days." Ahmed E. Wayfair DE

Sarah Edwards

Sarah Edwards

A self-described Mac nerd, Sarah Edwards is a forensic analyst, author, speaker, and both author and instructor of SANS FOR518: Mac and iOS Forensic Analysis and Incident Response.  She has been a devoted user of Apple devices for many years and has worked specifically in Mac forensics since 2004, carving out a niche for herself when this area of forensics was still new. Although Sarah appreciates digital forensics in all platforms, she has a passion for working within Apple environments and is well known for her work with cutting-edge Mac OS X and iOS, and for her forensic file system expertise.   

Sarah's dynamic classroom and presentation skills have been heralded by both her students and colleagues. She keeps students interested and engaged.  Sarah has more than 12 years of experience in digital forensics, and her passion for teaching is fueled by the ever-increasing presence of Mac devices in today's digital forensic investigations. Given the complexity of most cases and the high probability that an OS X or iOS will be a part of an investigation, deep knowledge of these Operating Systems is crucial to ensure that forensic analysts grasp all the information required in a case and not omit valuable data. 

"Apple devices will continue to grow in popularity, and digital forensic investigators and analysts must start paying more attention to them," Sarah explains. "Windows analysis is the base education in the field of digital forensics, and any additional skills you can acquire set you apart from the crowd, whether it is Mac, mobile, memory, or malware analysis."

Sarah has worked with federal law enforcement agencies on a variety of high-profile investigations in such areas as computer intrusions, criminal cases, counter-intelligence, counter-narcotics, and counter-terrorism.  Her research and analytical interests include Mac forensics, mobile device forensics, digital profiling, and malware reverse engineering.

A frequent presenter, Sarah has spoken at industry conferences including Shmoocon, Enfuse (formerly known as CEIC), DEF CON, BSides New Orleans, BSides Las Vegas, and the SANS DFIR Summit. She has a bachelor's degree in information technology from the Rochester Institute of Technology and a master's in information assurance from Capitol College. Beyond her deep interest in digital forensics and anything Mac, Sarah loves cooking, reading tech books, traveling anywhere, and "making things work".

Here is What Students Say About Sarah Edwards:

"Sarah knows her stuff.  This course gets better each day.  Very useful information.  Well-formed course." - Anthony Cifaretto, Verizon

"Sarah gave another great day of presentations - her knowledge is impressive." - Ben Keck, Ciena

"Very comprehensive in-depth coverage of the course topic.  Excellent reference materials as a take- away." - Jennifer Barnes, Indiana State Police

"Sarah Edwards has spent the last several months putting the (FOR518) material together and I have to say that it is fantastic. The content is very detailed and provides excellent information. I have a fair amount of experience investigating Apple systems. In fact, Apple products appear to be the core (get it?) of what we do these days. As such I would not have expected to learn as much as I did but there were times this week when my jaw dropped at one of Sarah's revelations or one of Hal Pomeranz's demonstrations. I learned a great deal and am delighted at the fact that I was able to attend." - Lee Whitfield, 4:cast

Here is What Instructors Say About Sarah Edwards:

"Sarah's expertise in authorship and instructing has led to the successful addition of the FOR518 Mac course to our lineup.  Sarah's classroom and presentation skills continuously pull in record scores.  She is absolutely the best at her trade." - Rob Lee, SANS Fellow and DFIR Curriculum Lead

"Sarah is clearly the Mac subject-matter expert who has designed a top-notch course. She handles student questions with the expertise and grace of the seasoned instructor she is." - Ovie Carroll, SANS Certified Instructor

"Sarah did an amazing job producing an incredibly detailed technical course on Mac Forensics. And then she shows up every time to teach and knocks it out of the park. Students can't help but respond to her total mastery of the material and enthusiasm for the subject matter." - Hal Pomeranz, SANS Fellow

Qualifications Summary:

Get to Know Sarah Edwards:

Here is a SANS Summit presentation by Sarah Edwards:

Mattia Epifani

Mattia Epifani

Mattia Epifani's passion with computers began when he was given a Commodore 64 for Christmas at age six. "After a couple of years, I was writing my first lines of code," he says. He kept the computer as his hobby and passion while pursuing his studies, then pursued a computer science degree at university. "My father is a lawyer, so he was not completely happy when I didn't choose to study law," says Mattia, but over the years he's blended the two with a career in digital forensics, bridging the gap between technical and legal systems.

Today, Mattia is CEO of RealityNet System Solutions, an Italian infosec and digital forensics consulting company, where he works as a digital forensics analyst and expert for judges, prosecutors, lawyers and private companies, at times serving as an expert court witness.

Mattia also brings his passion and expertise to the classroom as an instructor for SANS FOR500: Windows Forensic Analysis and FOR585: Smartphone Forensic Analysis In-Depth, a topic he's particularly passionate about. "I spend my days trying to acquire and analyze digital devices, smartphones in particular," he says. An expert with a vast knowledge of tools and techniques for forensic investigation, Mattia always tries to find a way to achieve his goal even when no tools exist. "I do forensics on a daily basis testing, developing new methods, and going deeper and deeper, and I love teaching by providing real cases and scenarios to my students," he says.

First introduced to SANS as a student, Mattia attended the 2010 DFIR Summit then proceeded to take four years of training because he loved the people and content at SANS so much. From there, he became an instructor.

According to Mattia, the most important thing students learn in his courses is that you need to build your own methodology in forensics. "It is a mix of techniques, rules, procedures, tools and creativity," he says. "I want to teach students how to build their methodology based on their role and their resources, like time and money."

Mattia notes that a challenge for students is the need to stay up-to-date with the daily changes in the digital world, such as new devices, operating systems and applications. He strives to prepare students for these changes by explaining the general concepts behind each area, then providing new methods, often some manual ones, that he's developed for specific cases. Mattia also challenges students to think outside the box when they hit a road block. For example, when dealing with a locked phone and no way to overcome that challenge, he encourages students to ask questions like "was the user using any cloud syncing?" and "Is there any request that we can submit to a provider or carrier to obtain some useful data?" "Usage of encryption and protection mechanisms will make a full analysis of a device more and more difficult, but there are still a lot of things that can be done," he says.

And Mattia has had his own "think outside the box" moments to share with students as a learning example. In one experience, he received a call from a law enforcement unit asking for support on a high-profile case in which an iPhone needed to be unlocked. While facilitating a SANS course in Munich, Mattia took the iPhone to the Cellebrite lab one day after class. With their support he was able to unlock the phone and acquire the necessary data, eventually testifying in court. The information he uncovered provided game-changing evidence for the case.

When he's not teaching and consulting, Mattia supports the EVIDENCE2e-CODEX project through the Italian National Council of Research, where he serves as a researcher helping to build a system to facilitate the exchange of digital evidences among law enforcement agencies in Europe.

Mattia obtained a degree in computer science from the university in Genoa, Italy and received post-graduate training in computer forensics and digital investigations in Milan. He also has several certifications in digital forensics and ethical hacking, including GNFA, GSAF, GREM, GCFA, GMOB, GCWN, GCFE, CIFI, ECCE, CCE.

A regular speaker on digital forensics at Italian and European universities and events, Mattia authored Learning iOS Forensics and Learning iOS Forensics, Second Edition, edited by PacktPub. He is also a member of the Digital Forensics Association (DFA), International Information System Forensics Association (IISFA), ONIF (Osservatorio Nazionale Informatica Forense) and Tech and Law Center.

Although computers continue to be his primary hobby, Mattia enjoys DJing at parties and cheering on his favorite soccer team, Genoa. He also enjoys traveling to new places around the world and learning about the culture and people of the areas he visits.

Qualifications Summary

  • CEO of RealityNet System Solutions, an Italian infosec and digital forensics consulting company
  • Author of Learning iOS Forensics and Learning iOS Forensics, Second Edition, edited by PacktPub
  • Researcher for the EVIDENCE2e-CODEX project through the Italian National Council of Research, helping to build a system to facilitate the exchange of digital evidences among law enforcement agencies in Europe
  • Member of the Digital Forensics Association (DFA), International Information System Forensics Association (IISFA), ONIF (Osservatorio Nazionale Informatica Forense) and Tech and Law Center.
  • Instructor for SANS FOR500: Windows Forensic Analysis and SANS FOR585: Smartphone Forensic Analysis In-Depth

Get to Know Mattia Epifani

  • Blog URL:
  • Company website:


  • GIAC Network Forensics Analyst (GNFA)
  • GIAC Advanced Smartphone Forensics (GASF)
  • GIAC Reverse Engineering Malware (GREM)
  • GIAC Certified Forensic Analyst (GCFA)
  • GIAC Certified Forensic Examiner (GCFE)
  • GIAC Mobile Device Security Analyst (GMOB)
  • GIAC Certified Windows Security Administrator (GCWN)
  • Certified Insurance Fraud Investigator (CIFI)
  • European Certificate on Cybercrime and Electronic Evidence (ECCE)
  • Certified Computer Examiner (CCE)

Mathias Fuchs

Mathias Fuchs

"Renaissance man" may be the most fitting description of SANS instructor Mathias Fuchs, who is the Head of Investigation & Intelligence at the Swiss firm InfoGuard AG as well as a volunteer paramedic and a pilot.

Mathias began his career teaching Linux administration and general IT security and quickly moved into penetration testing and red teaming. As his skills improved (and as breaking into customer systems got more repetitive and less demanding), Mathias sought new challenges that would expand his IT security acumen. So, he moved over to digital forensics and incident response, a field where the attacker unintentionally sets the pace and partly controls what an investigator needs to do - rather than that being dictated by the customer or the investigator.

"Any well-funded advanced persistent threat group makes sure that an investigator never runs out of new challenges," Mathias notes.

The exciting pace of the field continues to inspire Mathias. "As an investigator, you get to see the newest kinds of attacks and the best malware available," he explained, adding that he also is constantly expanding his knowledge base as he learns about each customer's business.

At InfoGuard, Mathias is focused on building the incident response practice. He uses his knowledge and experience to shape his team and proactively mediate pitfalls that are more difficult to change later. Taking on these challenges gives him perspective as a SANS instructor, as many students are still getting up to speed and are in the initial phases of preparing their organization to address potential threats.

Prior to InfoGuard, Mathias was a principal consultant at Mandiant, where he led large-scale cybersecurity investigations all over the world. Before that, Mathias served as a lead security architect at Deutsche Telecom subsidiary T-Systems while working in tandem as a security consultant for international clients in the telecommunications, automotive, pharmaceutical, and petroleum industries.

As an instructor for SANS FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting, Mathias draws both on his roots in teaching as well as his experience in the field to frame the subject matter with real-world examples. He believes in teaching by example, and tries to work labs as he would a real-life case. Students in the course need to dig into the smallest pieces of the puzzle but still focus on the big picture in an enterprise-wide investigation.

The starting point for each individual student is different, and Mathias loves leveraging all the knowledge available in class - both his own and that of his students.

"In the end, I want my students to be able to question their procedures and their security products to improve how they do incident response by making them more efficient and effective," he says.

To help students deal with bigger cases than they have ever dealt with before, Mathias shares his mistakes as well as his successes. "While there's no substitute for experience, I want my students to be very conscious of the typical risks when running big investigations," he explains. "Besides, I have a ton of cool stories to tell!"

In one particularly extensive case during his time at Mandiant, Mathias was investigating networks with 100,000+ endpoints. "I quickly figured out that the attacker had only been there for two weeks and we were able to completely record and track every single operation he did," says Mathias. The investigators eventually kicked the attacker out after four weeks when he got too aggressive, and the process provided weeks of valuable intelligence for future cases.

In another investigation, Mathias was able to access a crash dump of the RDP server process when it crashed during the attack. "Dissecting this crash dump gave me a lot of information about the attacker group and was key to further investigation, as it helped to quickly find 50 more machines the attacker accessed without installing any malware."

Mathias stays active even when he?s not teaching or in the midst of an investigation, using his pilot's license to fly small airplanes over the Alps, hiking, mountain biking, snowboarding, and volunteering as a paramedic for his local ambulance service.

Qualifications Summary

Get to Know Mathias Fuchs


  • Recipient of the Lethal Forensicator Coin


  • GCFA - GIAC Certified Forensic Analyst
  • GREM - GIAC Reverse Engineering Malware
  • GRID - GIAC Response & Industrial Defence
  • CISA - Certified Information Systems Auditor
  • ITIL v3 Foundation
  • ITIL v2 Foundation
  • PCI Qualified Security Assessor (QSA)

Here is What Students Say About Mathias Fuchs:

"Mathias has very good teaching skills, gives examples from recent news what is invaluable" - Barakat Rita, Gemalto

"He is experienced, cool, and delivers solid knowledge in the classroom." - Erich Lerch, BIT

"Mathias has great knowledge and provides relevant real-world examples." - Ian Jones, Lastline

Jess Garcia

Jess Garcia

Jess Garcia is the founder and technical lead of One eSecurity, a global Information Security company specialised in Incident Response and Digital Forensics.

With near 20 years in the field, and an active researcher in the area of innovation for Digital Forensics, Incident Response and Malware Analysis, Jess is today an internationally recognised Digital Forensics and Cybersecurity expert, having led the response and forensic investigation of some of the world's biggest incidents in recent times.

In his career Jess has worked in a miriad of highly sensitive projects with top global customers in sectors such as financial & insurance, corporate, media, health, communications, law firms or government, in other Cybersecurity areas as well such as Security Architecture Design and Review, Penetration Tests, Vulnerability Assessments, etc.

A Principal SANS Instructor with almost 15 years of SANS instructing experience, Jess is also a regular invited speaker at Security and DFIR conferences worldwide.

Previously, Jess worked for 10 years as a systems, network and security engineer in the Spanish Space Agency, where he collaborated as a security advisor with the European Space Agency, NASA, and other international organisations.

Jess holds a Masters of Science in Telecommunications Engineering + Computer Science from the Univ. Politecnica de Madrid.

Here is What Students Say About Jess Garcia:

"Overall Jess is an amazing instructor - broadly experienced, and methodologically and didactically competent." - Thomas Sülzle, Bundeswehr

Marcus Guevara

Marcus Guevara

Marcus Guevara is a Texas native and the author of the philosophical book "Hacking Theology". He holds a bachelors in Computer Science and a Masters in Cybersecurity. 

After obtaining his Bachelor's degree, Marcus started his career as an integrations software developer. In 2012, he enlisted in the Air Force Texas National Guard as a cyber operator and a few years later was commissioned as a cyber officer in the US Coast Guard. He spent three years helping to build the Coast Guard's cyber force and 24x7 Security Operations Center (SOC) and was fundamental in the creation of the first Coast Guard Cyber Incident Response Team. In 2017, Marcus was designated the first operational member of the US Coast Guard Cyber Protection Team. During that time he worked closely with the National Security Agency (NSA) and US Cyber Command (USCYBERCOM) - among other organizations - to secure and protect the Department of Defense Information Network. Marcus then received orders to stand up the first military contingency inside the Department of Homeland Security's deployable cyber defense force known as the Hunt and Incident Response Team (HIRT). As a member of DHS's HIRT, Marcus led teams performing assessment's and incident response on the nation's critical infrastructure. Marcus exited the military to join Recon InfoSec where he currently is the Director of Security Operations, manages the organizations SOC, participates in Incident Response efforts, and travels to conferences such as DEFCON and BSIDES to help organize the popular training. 

Marcus has five, yes five, children and enjoys philosophy, theology, and leadership development in his free time. He has a passion for learning and for helping others succeed. His desire for teaching comes from the personal philosophy:  "no one gets anywhere in life without the help of others - pay your success forward".

Current Certifications:


Former Certifications:

Certified Ethical Hacker

Philip Hagen

Philip Hagen

For Phil Hagen, a career in information security chose him even before the movies War Games and Sneakers spurred his broader interest in the field. Phil has been captivated since the early days, working on information security projects since the mid-1990s, but networking grabbed his attention even before that.

"Since installing a 2400bps modem into an Apple //e around 1988, every computer I've used has been able to communicate with others," he says. "Of course the systems themselves are becoming more and more varied, making network analysis a critical component of the investigative process today."

Phil began his studies at the U.S. Air Force Academy's Computer Science Department, where he focused on network security and was an inaugural member of the computer security extracurricular group. He served in the Air Force as a communications officer at Beale AFB and the Pentagon. In 2003, Phil moved over to a position with a government contractor, providing technical services for various IT and information security projects.

Today, Phil's career has spanned the full attack life cycle - tool development, deployment, operations, and the investigative aftermath - giving him rare and deep insight into the artifacts left behind. Phil has covered deep technical tasks, managed an entire computer forensic services portfolio, and handled executive responsibilities. He's supported systems that demanded 24x7x365 functionality, managed a team of 85 computer forensic professionals in the national security sector, and provided forensic consulting services for law enforcement, government, and commercial clients. All of that brings Phil to his role today as the DFIR strategist at Red Canary, where he supports the firm's managed threat detection service.

Phil is also a senior instructor for the SANS Institute, and is the course lead and author of FOR572: Advanced Network Forensics and Analysis. This six-day course provides a hands-on curriculum to learn the skills necessary to perform investigations of network-based incidents, where the hard drives or memory of compromised systems are often missing.

"In each class, I take care to explain the relevance of the concepts to cases I've worked and scenarios I've encountered in the past," says Phil. "In FOR572, our classwork and hands-on materials are all taken from real-world experiences and cases. Our week in class is jam-packed and we deliberately focus our attention on adversary behaviors that have been actively observed in the wild."

Phil also spends time developing and maintaining the SOF-ELK distribution, a virtual appliance that is preconfigured with the ELK stack (Elasticsearch, Logstash, and Kibana). "This takes a lot of time investment, but it's very rewarding to hear from the DFIR community at large when they've used SOF-ELK in their own environments and cases to boost efficiency and effectiveness," he says.

Phil has always been a mentor and teacher at heart, and his relationships with former colleagues and students constitute one of his biggest sources of professional pride. "In my previous job at a large defense contractor, I was responsible for managing the entire computer forensic division," says Phil. "The division consisted of many people in various critical roles, including an exceptional team of site managers that I relied heavily on. Years later, I still stay in touch with most of those managers and many other people from the overall team. They have all grown professionally and it's amazing to see what roles they've taken on. It's humbling to see so many people really pursue the trajectory they set for themselves so many years ago."

In one of his most exciting cases, Phil provided forensic examination and overall investigative support to a law enforcement case involving hundreds of millions of dollars of fraudulent transactions committed against victims around the world. The case lasted several years and involved more than a hundred pieces of media from 10 countries, as well as numerous operating systems, filesystems, and criminal actors. With the ultimate arrest of two subjects high up in the organizational "food chain", the investigative team was successful in completely decapitating the fraudulent scheme itself, due to comprehensively scoping the architecture they used.

When he's not cyber-sleuthing and mentoring students, Phil is an avid runner who has completed two half-marathons and dozens of 5k and 10k races. He tries to run every other day even when he's teaching in order to keep his thoughts clear and his brain geared up.  "I get 'rungry' (run hungry) when I skip a day," he says. Phil also enjoys craft beer because of the passion and creativity that today's craft brewers put into their product. Wherever he travels he searches out the local favorite to sample.

Qualifications Summary:

Get to Know Phil Hagen:

Here is What Students Say About Philip Hagen:

"Philip's speaking style draws you in and he's very personable. Useful tools and nice tour of technology which I was not previously aware of." - Frank J. Quinn

"Even by SANS standards, Phil clearly 'goes the extra mile' in depth of information, especially on exercises." -  Dai Morgan, Visa Europe

"I really like how Phil incorporates real-life examples into the material. It really helps me visualize it!" -  Ryan Nelson, Motorola

Here is What Instructors Say About Philip Hagen:

"Phil Hagen and I have worked very closely together for many years.  His understanding of networks, underlying technology, and hacker techniques was critical to many operational successes.  Phil managed to begin leading several key operational components while at a defense and intelligence community contractor and was soon running the division with over 85 employees and contracts totaling tens of millions of dollars. Phil has never lost his technical edge and was a key asset while working directly with federal law enforcement tracking organized criminals using cyber as a way to commit financial and credit card attacks." -  Rob Lee, SANS Fellow and DFIR Curriculum Lead

"Phil is an incredibly gifted author, instructor, and member of the DFIR team!  He is well versed in networking protocols and principles, investigative methodology, and advanced analytical techniques.  Phil's teaching skills come from his deep experience in supporting military, government agencies, and Fortune 500 clients over the many years of work in information security. He is able to establish a great rapport with his students and delivers the high-quality classroom experience that SANS attendees have come to appreciate." -  Heather Mahalik, Senior Instructor and FOR585 Course Lead

Ryan Johnson

Ryan Johnson

As a globe-trotting cyber sleuth, Ryan Johnson is always looking to find the bad guy, and to share his enthusiasm and knowledge about digital forensics along the way.  Ryan started out performing digital forensic exams for local law enforcement in Durham, N.C., assisting in homicide, fraud, narcotics, and child exploitation cases. He quickly saw the importance of digital evidence in ensuring that guilty parties are held accountable and innocent parties go free.

That work led Ryan to join a team of media exploitation analysts working for the U.S. Army in Iraq. During his year in Iraq he helped gather actionable intelligence, streamline processes, and enhance equipment resources for in-country teams. When he returned stateside, Ryan began to work on computer intrusion cases. Since then he's traveled the globe teaching digital forensics for the U.S. State Department's Anti-Terrorism Assistance Program and served as a digital forensics analyst and consultant.  Ryan co-authored several of the State Department's digital forensics courses as well as the book Mastering Windows Network Forensics and Investigations, Second Edition.

Today, with more than 12 years of experience in digital forensics investigations, incident response, network forensics, and vulnerability assessments, Ryan teaches the FOR572: Advanced Network Forensics and Analysis course for SANS.

"My favorite part of teaching for SANS- other than meeting some really cool students- is that I get to hear different perspectives and approaches to all the areas we talk about in class," says Ryan. "There's not been one class where I have not learned something from our students, and those nuggets of gold help me be a better practitioner and a better instructor."

Ryan also currently serves as the Global Head of Threat Management at PricewaterhouseCoopers, where he leads the response, readiness and investigations functions. In addition, based on his background, practical forensic experience, and government clearance, Ryan has been regularly called upon to train U.S.-based government departments, international governments, and corporations in the areas of network and digital forensics.

Ryan earned a Master's of Science degree from Dalhousie University and two Bachelor's degrees from Queen's University. He has taught college students, professionals, law enforcement, attorneys, and judges. Ryan knows that teaching the process, not the tool, is what gives students information they can put into practice outside of the classroom, and he works tirelessly to ensure every student understands the concepts he's teaching.

"I do my best to come up with unique ways to explain or relate information to people from different backgrounds and experience levels," he explains. "I've explained concepts using analogies like the 'paint can method' for understanding Diffie Hellman key exchanges, and a water pitcher and a glass to explain buffer overflows- inadvertently shorting out a computer at the same time! I don't like to stop until I see the light bulbs go on, so my classes aren't your typical 'download' sessions."

When he's not investigating, teaching, or traveling the world, Ryan uses part of his free time to delve into another of his passions, which is research.

"My research interests involve traffic analysis and potential subversion of IoT devices, specifically the ones I have in my house!" he says. At home, you might find Ryan playing with his kids, making dinner for the family, and brewing small batches of beer. And while he'd like more time for actual brewing, he always finds opportunities to make the process more tech-savvy, like building new controllers for his beer brewing setup! 

Qualifications Summary:

  • More than 12 years of experience in digital forensics investigations, incident response, network forensics, and vulnerability assessments.
  • Co-author of the book Mastering Windows Network Forensics and Investigation, Second Edition.

Get to Know Ryan Johnson:

Here is What Students Say About Ryan Johnson:

"Great instructor, keeps attention and presents with authority & knowledge." - Paul Mobley

"Great time, pacing, humor, and most importantly knowledge" -SANS Boston 2016, FOR572 attendee

"The instructor is Awesome! He was able to articulate and accommodate the entire class regardless of knowledge base. He engages the class and comes prepared to every class. Thus far being the best instructor we have had in this course. I would recommend him to anyone taking FOR572." - Fort Gordon, FOR572 attendee

Jason Jordaan

Jason Jordaan

"In seeking the truth, I am both a scientist and philosopher. The scientist part of me wants to know how, while the philosopher part of me wants to know why." Jason Jordaan

A self-described philosophical science and tech nerd, Jason's career in digital forensics grew with the developing field. He first joined the South African police force as a detective fresh out of school, putting his problem-solving talents to use. As the only one in his unit interested in computers, Jason was given every case that looked even remotely like it involved technology. This was in the early 1990s during the early stages of digital forensics, and practitioners like Jason were laying the groundwork for a whole new discipline, even if they didn't realize it at the time.

When he moved to the Special Investigating Unit within South Africa's Department of Justice, Jason developed a formal digital forensics lab for the unit, eventually becoming the national head of the Cyber Forensic Laboratory of the Special Investigating Unit.

As one of the founders of modern-day digital forensics, Jason has perspective on the gaps in training that have existed within the field, which is one of the reasons he began teaching at SANS.

"SANS instructors are real global leaders in their fields, in many ways the best of the best, and I wanted to be part of that elite group," Jason says. "I also loved that SANS instructors were not only some of the best technical teachers in the world, but that all of them were real-world practitioners who taught what they do. SANS instructors are practical experts sought after around the world for their skills and expertise, and they love what they do so much that they share it through teaching."

Beyond being a Certified Instructor for SANS, where he teaches FOR500: Windows Forensic Analysis, Jason also teaches digital forensics and incident response at Rhodes University and serves on the Advisory Board for the Department of Computer Science at the University of Pretoria.

In 2014, Jason left government work to start his own digital forensics practice, broadening his involvement within South Africa and expanding his work to Europe, the United States, and the Middle East. He now serves as the principal forensic analyst at DFIRLABS, an independent digital forensics and incident response laboratory. He is also an active researcher and writer and has published in several textbooks and academic journals. In addition, he remains active in the law enforcement community by mentoring officers in the Asia Pacific region and Europe.

Jason finds testifying in court a particularly fulfilling part of his job. He considers it the ultimate test of the quality of his work. Jason testifies regularly as an expert witness and has established a reputation for objectivity and quality evidence. His extensive court experience has given him insight into the intersection between digital forensics and the law, an important aspect of forensics he shares with his students.

In one complex case, Jason's investigation took over six months and involved a deep-dive analysis of hundreds of compromised computers and services. He uncovered how the hacker had compromised the network, stolen user credentials and source code, modified the code, and created accounts to initiate fraudulent payments, resulting in millions of dollars in losses. When the case went to trial, Jason testified for over two weeks. At the end of the trial, the judge sentenced the perpetrator to a 30-year prison sentence, the longest hacking sentence to date in South Africa, and specifically pointed to the detailed forensic analysis and how it showed the real extent of the hack and the damage that it had done. Following the trial, Jason's expertise was recognized by the South African Department of Justice, and he was invited to serve on an advisory board headed by the Deputy Minister of Justice to develop new cyber-crime legislation.

Jason's passion for the craft is evident in his work and in the classroom. "For many people digital forensics is a job they do, but for me it is who I am. It is part of my DNA and core," he says. Because of this, Jason's teaching philosophy is focused on sharing what he loves, and he is passionate about equipping students with the skills and knowledge to catch the bad guys, protect the innocent, and make an impact in the world.

Jason also recognizes that the learning never stops. "We need to be comfortable living in a world where we have to constantly learn or else risk becoming obsolete," he says. "As an active digital forensic practitioner, I am constantly working on cases, and using the very same methods and techniques that I teach in class to get answers. Everything that I teach I use."

Beyond the methods and techniques, Jason also teaches students to understand what's happening at the file system, operating system, and application level so that they can apply their knowledge critically to determine optimal solutions. Plus, he has some pretty great war stories to share.

Jason has master's degrees in computer science and forensic investigation, an honors degree in information systems, and bachelor's degrees in criminal justice computer science and policing. He is currently completing a PhD in computer science and holds the CFCE, GCFE, GCFA, GCIH and CFE certifications.

When he's not reading, experimenting, or learning about digital forensics, Jason channels his passion for technology and problem-solving into building Lego projects with his son, playing console and board games (he admits he's played his share of Dungeons and Dragons), and pursuing his interest in Star Wars and Star Trek. Jason is also an avid field hockey player and plays competitively in the Masters Interprovincial Division, and he is a long-time martial artist practicing Ninpo.

Qualifications Summary

  • 20+ year veteran of the digital forensics field
  • Former National Head of the Cyber Forensic Laboratory of the Special Investigating Unit in South Africa, which he developed
  • Certified Instructor for SANS FOR500: Windows Forensic Analysis
  • Teaches digital forensics and incident response at Rhodes University
  • Serves on the Advisory Board for the Department of Computer Science at the University of Pretoria
  • Law enforcement officer mentor in the Asia Pacific region and Europe.
  • Trainer, lecturer, and mentor in the field of digital forensics since 2010
  • Researcher and writer whose work has been published in several textbooks and academic journals


  • GIAC Certified Forensic Examiner (GCFE)
  • GIAC Certified Forensic Analyst (GCFA)
  • GIAC Certified Incident Handler (GCIH)
  • Certified Forensic Computer Examiner (CFCE)
  • Certified Fraud Examiner (CFE)

Get to Know Jason Jordaan

  • Company website:
  • Interview with Jason on FraudCast:
  • Interview with Jason by The TechGuy:
  • SANS Webcast Series:
  • DFIRLABS Blog:

Here is what Students are saying about Jason Jordaan:

  • "Jason is a great instructor with years of experience to draw upon and he relates real-world examples of tool usage and artifact discovery that help ground the theory in the real world." - Stephen, Pranceria
  • "Jason delivers the info in an excellent and simple way. No matter what the course level is, he makes it easy to understand." - Mohamed, NESA
  • "Everything is easy to follow and explained with real-world examples." - Joe, Booz Allen Hamilton
  • "I appreciate Jason's real case examples which enrich the course." - Yasmine, PWC
  • "Jason's real-life examples were very interesting and gave me true insight into the required mindset of forensics.  Thank you." - Maurizio Minelli,  GOVCert

Nick Klein

Nick Klein

Nick is the Director of Klein & Co. Computer Forensics, the leading independent computer forensic team from Sydney, Australia. He has over fifteen years of IT experience, specialising in forensic technology investigations and presenting expert evidence in legal and other proceedings. Nick and his team have been engaged as experts in hundreds of cases including commercial litigation and electronic discovery, criminal prosecution and defence, financial fraud, corruption, employee misconduct, theft of intellectual property, computer hacking and system intrusion.

He was previously a senior director in Deloitte Forensic and a team leader in the High Tech Crime Team of the Australian Federal Police, where he worked on international police investigations and intelligence operations including counter terrorism, online child abuse, computer hacking, and traditional crimes facilitated by new technologies.

Nick has presented expert evidence in civil and criminal matters in Australia and overseas, including providing expert testimony in the Bali bombing trials in Indonesia in 2003. He has appeared before Australian State and Commonwealth Parliamentary Committees and participated in Government working groups on cybercrime issues including the Fraud Taskforce of the Australian Banking Association and the Critical Infrastructure Protection forum of the Australian Commonwealth Government. Nick is a regularly presenter at industry forums and a guest lecturer at several institutions including the School of Law at the University of New South Wales and the Centre for Transnational Crime Prevention, Faculty of Law at the University of Wollongong.

Listen to Nick discuss methods to reconstruct anti-forensics in a critical case all DFIR professionals should listen to.

Here is What Students Say About Nick Klein:

"Nick has a natural delivery style which shows his comprehension and integrated knowledge across several management domains." - Scott Reid, Victoria Police

Robert M. Lee

Robert M. Lee

SANS certified instructor Robert M. Lee brings to the classroom one of the most valuable and respected of credentials: real-world experience. Robert is the CEO and founder of his own company, Dragos, Inc., that provides cyber security solutions for industrial control system networks. Consider the 2015 attack on the Ukraine power grid when for the first time in history a power grid went down due to an intentional cyberattack. Robert and a few others formed a specialized team to analyze the event and passed information to the impacted parties as well as the U.S. government and private sector. "I was the first in the industry to publicly confirm the attack and wrote the industry standard report on the attack exploring how it occurred, the lessons learned, and what must be done to protect other infrastructure sites," Robert says. He and his team also analyzed the malware from the 2016 cyber attack on Ukraine's Kiev substation and dubbed it CRASHOVERRIDE as the first ever malware tailored to specifically disrupt electric grid operations.

That experience is what forms his teaching philosophy. "I make it my teaching philosophy to constantly bring in new material into the classroom through my personal experiences and the successes and failures of those I've seen in the industry," says Robert. This augments the traditional classroom material students receive to ensure they get the most relevant and cutting-edge concepts in the industry. But Robert's real-world experience also keeps things interesting. "I enjoy telling and sharing in case studies and stories from the field, looping in bigger concepts into the technical material, and setting a humorous tone so that no matter the seriousness of the topic we all have fun together."

Robert got his start in information security making small control systems for humanitarian missions. He joined the United States Air Force and became a cyberspace warfare operations officer in the U.S. intelligence community. In that role, he created and led a mission examining nation-states targeting ICS, the first mission of its kind in the U.S. intelligence community. For Robert, that intermixing of defense, intrusion analysis, and threat intelligence provided the ultimate thrill.

Robert has worked offense, defense, and intelligence in various government teams. "My time on the offense helped me better appreciate defense and how sometimes we simply get it wrong: defense is not necessarily harder than offense and there are many opportunities we have to defend and make the world a better place," he says.

Robert joined SANS for myriad reasons. He had long been aware of the organization, and followed the career and workings of SANS fellow and DFIR curriculum lead Rob Lee. Also, ongoing encouragement to attend SANS conferences and consider teaching from a number of friends and colleagues such as Dave Shackelford convinced him to give it SANS a shot. His first pitch - a five-day class on identifying and responding to industrial control systems (ICS) attacks - was well-received, and as Robert says, "the rest is history." Today he teaches SANS ICS515: ICS Active Defense and Incident Response, the industry's first and only incident response and threat hunting class for ICS and FOR578: Cyber Threat Intelligence, the industry standard course for threat intelligence training. "The SANS family is amazing, the students are world class, and teaching is what keeps me constantly refreshed and excited in the industry."

In fact, authoring ICS515 and FOR578 have been highlights in his career, Robert says. Industrial control system security as well as cyber threat intelligence are both exciting topics that receive a lot of hype and misconceptions. "I love destroying hype while giving the students the most blunt and actionable information possible," Robert explains, adding that his experiences "gives me a robust view into the problem space and the solutions needed at various levels. My experiences and hard work have afforded me the chance to significantly advance students' skill sets and the way they view the problem."

Central to helping students succeed in their day-to-day careers is ensuring that they understand the big picture, Robert says. That's more than just understanding what command to run on a specific tool or how to use that tool during an incident. Its' about know the larger context of a security strategy is, all its moving pieces, and how to use analysis to help fill knowledge gaps. "This ensures that students who take my classes are not only technically prepared but are also prepared to think differently about the hard challenges their organizations must face when facing the adversary," says Robert.

Robert has a master's degree in cybersecurity and computer forensics from Utica College as well as cyber and warfare training through the U.S. Air Force, and he's pursuing his doctorate in war studies from King's College London. He was named one of Forbes' 30 under 30 in Enterprise Technology in 2016, was awarded EnergySec's 2015 Cyber Security Professional of the Year and named one of Passcode's "Influencers."

Outside of teaching, Robert enjoys running his company Dragos and working with customers in the industrial community. "It allows me to constantly stay relevant, challenge and grow my skills, and directly help people." He also enjoys writing papers and blogs for the industry, and looks for opportunities to travel, snowboard, and play a Steam game or two whenever he can.

Qualifications Summary

Get to Know Robert M. Lee

Publications and Papers

Awards and Honors

  • 2016: Forbes' 30 under 30 in the area of Enterprise Technology
  • 2015: Energy Sector Cyber Security Professional of the Year, awarded by EnergySec
  • 2014: Colonel Sparky Baird Award, awarded by AFCEA
  • 2014: Air Force Association Gill Robb Wilson Award - Air Force Nominee
  • 2013: Air Force Association Gill Robb Wilson Award - Air Force Nominee
  • 2013: AF Information Dominance Award for Outstanding Cyberspace Operations CGO - 693 ISR Gp
  • 2013: Junior Officer (Operator Category) of the Year - Europe/Africa
  • 2013: Military Performer of the Year - Threat Operations Center
  • 2013: CGO of the Year - 693d ISR Gp
  • 2012: Distinguished Young AFCEAN Officer - Central Europe
  • 2012: Outstanding ISR Officer Contributor of the Year - 693rd ISR Group
  • 2011: AFCEA Intelligence Professional of the Year - 693 ISR Group

Here is What Students Say About Robert M. Lee:

"Real-world practical insight and the technical skills and tools to create meaningful change." - Billy Glen, Pacific Gas & Electric

"Great teaching style - humor - keeps the atmosphere light." - Tim Sanguinett, NCPA

"Good pace, kept things moving, stayed enthusiastic the entire day." - Michael Nowatkowsk, Army Cyber Institute

Here is a SANS Summit presentation by Robert M. Lee:

Joshua Lemon

Joshua Lemon

With a keen interest in both computers and investigative work, and a passion for teaching those around him, Josh Lemon is perfectly fit for his job in cybersecurity and incident response and his role as a SANS instructor.

In the years before cybersecurity roles were the norm, Josh started out building, managing, and securing large, complex computer networks and software systems. He worked in a variety of fields providing incident response, digital forensics, and penetration testing services to government, law enforcement, and the commercial sector before eventually taking on a full-time incident response role.  "I took the chance and never looked back," he says.

Today, as a cybersecurity incident response director at, Josh manages the Strategic Response and Research Unit within the Salesforce Security Response Center (SSRC), which provide a dedicated team of highly trained and experienced incident responders to research, develop and champion future technical capabilities for the Incident Response team.

Previously, Josh was the CSIRT Manager for the Commonwealth Bank of Australia leading one of the largest dedicated incident response teams in the Australian commercial sector. He also worked as a managing consult for BAE Systems Applied Intelligence, where he was responsible for all technical cybersecurity services for the Asia Pacific region, overseeing large and complex incident response and offensive security engagements.

In addition to his role at, Josh stays busy teaching two SANS courses: FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics and FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response.

Josh says that even with all the different roles he's held, every job has included a component of teaching others. Josh's teaching skills are so evident, that a former manager and SANS principal instructor encouraged him to explore an instructor role after observing Josh teaching his clients during his time as a consultant.

And the SANS curriculum is a perfect fit from Josh's perspective. "One of the reasons I enjoy teaching for SANS is their DFIR courses are continually updated and tuned to include the most current techniques seen in the wild," says Josh. "I always want to make sure my students are armed with the most up-to-date information to uncover attacks and be able to efficiently investigate them."

In the classroom, Josh sees the massive amount of highly technical information students must consume over the span of only six days as the biggest challenge for his students. "It can be overwhelming for new students and seasoned professional alike", he says. To address this, Josh keeps students focused on the elements they can start using as soon as class ends. "I always leave students with more information to read in the future and encourage them to start keeping a file of 'cool things to read about later,'" he says.

In addition to his work with students, a highlight of Josh's career has been seeing his cases in court. "While the results of court cases are always different, being able to find enough evidence to successfully determine who the malicious actor is behind the keyboard and see law enforcement carry out their work, has been a huge highlight for me," says Josh. "It's rare that DFIR professionals ever get to put a face to someone conducting malicious activity, however, finally seeing a criminal in court, or law enforcement carry out a warrant, brings a large sense of closure to an investigation you've worked hard on."

Josh also has a deep interest in operational efficiency for teams and is constantly working to understand how to improve the work environment for DFIR professionals. "The challenges and stresses of doing DFIR work are fairly unique and that's usually why we see DFIR professionals really only spend approximately 2 years at the cold face of chasing malicious actors around networks," he says. "Understanding how to make that environment better for our industry has been an interest of mine ever since I started managing teams of people."

Josh's current work on tools, technologies, techniques, and automating IR processes has allowed him to see IR and SOC teams become more efficient, more motivated, and more focused on their operational IR work, rather than trying to struggle with tools that aren't really suited to DFIR work.

Josh maintains an infosec blog,, and holds a number of certifications including GCFA, GCIH, GNFA, GPEN, GDAT, GPYC, and GREM.

When he's not helping his team or students, or chasing the malicious actors around a computer network, Josh stays busy in his role as Dad, spending time with his family.

Qualifications Summary

  • Cyber security incident response director at
  • Instructor for FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics and FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response


  • GIAC Certified Forensic Analyst (GCFA)
  • GIAC Certified Incident Handler (GCIH)
  • GIAC Certified Network Forensic Analyst (GNFA)
  • GIAC Certified Penetration Tester (GPEN)
  • GIAC Defending Advanced Threats (GDAT)
  • GIAC Python Coder (GPYC)
  • GIAC Reverse Engineering Malware (GREM)

Get to know Josh Lemon

Here's what students are saying about instructor Josh Lemon:

"Great delivery! Josh has great knowledge about the topic." - Mohamed Gafar, United Nations WFP

"This is my first SANS experience. Josh is very good. I am very happy with both the course content and the delivery." -Vik Somi, Superloop

Heather Mahalik

Heather Mahalik

To say that digital forensics is central to Heather Mahalik's life is quite the understatement. Heather has worked on high-stress and high-profile cases, investigating everything from child exploitation to Osama Bin Laden's media. She has helped law enforcement, eDiscovery firms, and the federal government extract and manually decode artifacts used in solving investigations around the world. Heather began working in digital forensics in 2002, and has been focused on mobile forensics since 2010 - there's hardly a device or platform she hasn't researched or examined or a commercial tool she hasn't used.

These days Heather is the Senior Director of Digital Intelligence at Cellebrite.  At the SANS Institute, Heather is a senior instructor, author and the course lead for FOR585: Smartphone Forensic Analysis In-Depth. As if that isn't a full enough schedule, Heather also maintains, where she blogs and hosts work from the digital forensics community. She is the co-author of Practical Mobile Forensics (1st and 2nd editions), currently a best seller from Pack't Publishing, and the technical editor for Learning Android Forensics from Pack't Publishing.

Heather is passionate about digital forensics because she loves always having to learn something new. "This field moves so quickly. It is literally impossible to get bored," she says. "If you find yourself bored, branch into another realm of digital forensics. The possibilities are endless and so is the fun! I love digging for artifacts and solving the puzzle."

Heather particularly likes working on mobile and third-party applications, a focus of her work. "I love cracking and hacking into apps that are supposed to be secure," she explains.

She cites her role as a SANS instructor as one of the most fulfilling achievements of her career. Heather loves it when students reach out to tell her that, thanks to her course, they put a criminal away for many years. As she says: "Nothing compares to knowing that the effort you put into writing and maintaining a course makes the world a better and safer place. SANS gives me the opportunity to share that with others."

Heather's background in digital forensics and e-discovery covers smartphone, mobile device, and Windows forensics, including acquisition, analysis, advanced exploitation, vulnerability discovery, malware analysis, application reverse-engineering, and manual decoding, as well as instruction on mobile devices, smartphones, and computers covering Windows, Linux and Macintosh operating systems.

What's her favorite topic to teach from that impressive résumé? "Decrypting and decoding the unparsed data!" she says. "I spend almost 90 percent of my day job trying to crack into the tough stuff, and my experience naturally flows into the classroom."

Heather previously led the mobile device team for Basis Technology, where she focused on mobile device exploitation in support of the federal government. She also worked as a forensic examiner at Stroz Friedberg and the U.S. State Department Computer Investigations and Forensics Lab, where she handled a number of high-profile cases. She has also developed and implemented forensic training programs and standard operating procedures.

Outside of work, Heather puts her passions into being a mom, cooking, reading, traveling, and drinking fine wine and bourbon.

David Mashburn

David Mashburn

David Mashburn is currently the IT Security Manager for a global non-profit organization in the Washington, D.C. area. He also has experience working as an IT security professional for several civilian federal agencies, and over 15 years of experience in IT. He holds a masters degree in computer science from John Hopkins University, and a B.S. from the University of Maryland at College Park. David holds multiple security-related certifications, including CISSP, GPEN, GCIH, GCIA, and CEH. He is also a member of the SANS / GIAC Advisory Board, and has previously taught courses in the Cybersecurity curriculum at the University of Maryland - University College.

Here is What Students Say About David Mashburn:

"Dave is a top-notch instructor and delivered the material in spectacular fashion. I would absolutely take another course from him." - Dan Veum, Assurant Inc.

Phill Moore

Phill Moore

Phill Moore has always focused on finding fulfillment through his work, which is why he abandoned his initial pursuit of a career as a business analyst to seek out something that really sparked his interest and felt worthwhile. A career in Digital Forensics and Incident Response (DFIR) was the perfect fit.

Whether prosecuting an offender, stopping an attacker, or saving a business, Phill says that the impact his DFIR work has on people's lives makes it all feel worthwhile. And he has extended his footprint through his research and his work as a SANS instructor for FOR500: Windows Forensic Analysis.

"On a number of occasions, I've had people reach out to me to say that something I've shared or research I've done has helped them with a conviction, and that's really rewarding," Phill explains.

Phill started his career at the State Electronic Evidence Branch (SEEB) in Sydney, Australia providing investigative support by examining electronic devices involved in major crime across the state of New South Wales (NSW). He is now a Digital Forensic Investigator at Klein & Co, working for fellow SANS Instructor Nick Klein.

Throughout his career, Phill has identified, preserved, analyzed, and presented digital evidence on thousands of devices - including computers, mobile devices, GPS devices, and CCTV systems - in local, state, and federal courts. He is credited with spearheading process improvements and information-sharing among digital forensics professionals in Sydney.

Phill also writes a weekly blog summarizing industry news and updates. "I try to keep as close to the people pushing the industry forward as I can," he says. "We can all get better by encouraging our peers to document the research they're doing and share it to help the community validate and improve our understanding."

When considering an instructor role, Phill chose SANS because he sees its curriculum and instructors as the best available.

"The SANS DFIR curriculum is aggressively updated and provides an artifact-first, tool-agnostic approach that ensures people aren't relying on the output of their tools, especially when their tools only get them so far," he explains. "SANS courses encourage students to use the best tools for the job, and to go beyond them when they don't present all the information necessary for an investigation."

In his classes, Phill's goal is to help students become effective on Windows devices by showing them how much can be achieved by combining free tools, great training, a solid understanding of the operating system/file system, and some grit.

"At the end of the day, you're responsible for your investigations," he notes. "There are a lot of great tools out there but they all have their shortcomings."

He sees the biggest challenge for students as simply keeping up with the relentless pace of operating system and application updates. "The number of devices and data sources is increasing, and being able to effectively cut through the noise to identify what happened on a system is key," he says.

To keep up with innovations, Phill encourages students to keep testing, training, learning, and sharing information.  In this regard, he can draw on personal experience. During one of his recent cases, Phill uncovered information on a suspect showing that the individual was committing other, very serious offenses that investigators were unaware of. In that case, Phill points to a combination of luck and persistence that identified passwords across devices and ultimately to an arrest and successful prosecution.

Phill has a bachelor's degree in business IT from the University of New South Wales, a postgraduate certificate in computer forensics from the University of South Australia, and a master's degree in cybersecurity (digital forensics) from the University of New South Wales.

He writes a weekly blog called This Week in 4n6 that provides a roundup of news and updates about DFIR, and he produces a monthly podcast covering a selection of important recent articles. Phill also has a personal research blog documenting some of his DFIR research on topics such as Zone identifiers, examination documentation, and an introduction to mounting APFS volumes on MacOS. Phill's tools, including his GSERPent Google URL Parser and his Homespeak tool for interacting with Google Home devices, can be found on his Github page. He was nominated for the Forensic 4Cast "Blog of the Year" award in 2017 and 2018 and was selected to speak at the SANS DFIR Summit in 2018. In 2019, he was nominated for the Forensic 4Cast "Resource of the Year", "Podcast of the Year", and "Social Media Contributor of the Year".

While Phill's primary interests revolve around forensics and family, he also likes all things superhero, from comic books to TV and movies, and stays active at the gym and on the soccer field. When he's not reading about superheroes or being a DFIR superhero in real life, he enjoys singing to his baby daughter and is constant searching for more time to hone his guitar-playing skills.

Qualifications Summary

  • Instructor for SANS FOR500: Windows Forensic Analysis
  • Writes a weekly blog called This Week in 4n6 that provides a roundup of news and updates about DFIR,  and produces a monthly podcast covering a selection of important recent articles
  • Produces a personal research blog documenting his DFIR research
  • Nominated for the Forensic 4Cast "Blog of the Year" award in 2017 and 2018, and "Resource of the Year", "Podcast of the Year", and "Social Media Contributor of the Year" in 2019.

Get to Know Phill Moore


  • GIAC Certified Forensic Examiner (GCFE)
  • IACIS Certified Forensic Computer Examiner (CFCE)
  • GIAC Certified Forensic Analyst (GCFA)
  • Magnet Certified Forensics Examiner (MCFE)


  • Enfuse 2018 - Oh! You Were On My List Of People To Meet, 2018
  • SANS DFIR Summit 2018 - Investigating Rebel Scum's Google Home Data, 2018
  • SANS Webinar -, 2017

Specialist Courses

  • Magnet AXIOM Examination (AX200), 2019
  • Windows Forensic Analysis (SANS FOR500), 2018
  • X-Ways Forensics & File Systems Revealed, Cbit Digital Forensic Services, 2017
  • The X-Ways Forensics Practitioner's Guide Online and On-Demand Course, Digital Forensics & Incident Response Training, 2017
  • Advanced Digital Forensics, Incident Response, and Threat Hunting (SANS FOR508), 2017
  • Hack It and Track It, Nuix, 2016
  • Windows Forensic Analysis (SANS FOR408), 2016
  • Mac Forensics: Essential Forensic Techniques 1, Blackbag Technologies, 2014
  • Encase Advanced Internet Examinations, Guidance Software, 2013
  • Advanced Photo Forensics,  Nasir Memon, 2012
  • Encase Intermediate Computer Forensics Analysis and Reporting, Guidance Software, 2011
  • Cellebrite Universal Forensic Extraction Device (UFED) Introduction , Point Trading Pty Ltd, 2011

Katie Nickels

Katie Nickels

The human element of cybersecurity, rather than the technical aspect, is what first attracted Katie Nickels to the field. Initially drawn to a career in journalism, Katie found a job at the U.S. Department of Defense (DoD) in cybersecurity that piqued her interest, and then she was hooked. 

"I fell into this field somewhat by accident almost 10 years ago, and I've never looked back," she says. "There are humans behind those keyboards, and tracking what they do and how they do it fascinates me."

Today, Katie is a Principal Intelligence Analyst for Red Canary. She has worked on cyber threat intelligence (CTI), network defense, and incident response for nearly a decade for the DoD, MITRE, Raytheon, and ManTech. 

Katie also serves as an instructor for the SANS FOR578: Cyber Threat Intelligence course, enabling her to share her passion for CTI more broadly. "Early on in my own career, I took SANS SEC401: Security Essentials Bootcamp with Dr. Eric Cole, and learning from his insights helped shape the entire course of my career," Katie says. Now as a SANS instructor, she hopes to provide the same career-shaping support for her students. 

As an instructor, Katie shares her passion for CTI by giving students practical skills they can use to deliver real results. "I hope to challenge the way my students traditionally think and make them aware of the biases we all have that can prevent us from becoming better CTI analysts," she explains. "I want to equip them with the knowledge and tools they need to go back and make real change in their organizations."

A critical skill Katie aims to convey to her students is to help them understand when and how each area of CTI can be applied. "It's important to remember that CTI is responsive to our organization's requirements, so different people might need different types of CTI. By knowing the many ways CTI can help, you can successfully identify which methods are right in certain situations."

Katie's unique background enables her to approach CTI training from a variety of perspectives, from intelligence to adversary behavior, the MITRE ATT&CK knowledge base, network defense, and Security Operations Centers. 

A graduate of Smith College and Georgetown University's prestigious School of Foreign Service Security Studies Program, Katie also serves on the 2019 SANS CTI Summit Advisory Board and received the President's Award from the Women's Society of Cyberjutsu in 2018. 

In her free time, Katie volunteers with the  Cyberjutsu Girls Academy (CGA), a program for teenage girls that seeks to inspire exploration and learning in cybersecurity and STEM. As the CGA program manager, Katie helps organize monthly workshops on topics like Python, robotics, mobile app development, and software-defined radio.

"Seeing our teenage students learn and succeed with CGA has helped drive my passion to teach," says Katie. "It's so rewarding to see a young lady learn to code or successfully make a robot work for the first time!"

When she's not working on cybersecurity and CTI projects, Katie finds balance during her personal time with baking and cake decorating projects, as well as CrossFit workouts.

Qualifications Summary

  • Instructor for SANS FOR578: Cyber Threat Intelligence
  • 10-year veteran of CTI, network defense, and incident response
  • Cyberjutsu Girls Academy Program Manager 
  • 2019 SANS CTI Summit Advisory Board member
  • 2018 recipient of the President's Award from the Women's Society of Cyberjutsu
  • Master's degree from Georgetown University's Service Security Studies Program

Get to Know Katie Nickels



Podcasts and Webcasts

Media Coverage


Francesco Picasso

Francesco Picasso

Francesco Picasso is co-founder of Reality Net System Solutions, an Italian consulting company specialising in InfoSec and Digital Forensics. He performs digital investigations on a daily basis as a DFIR consultant for the public sector and for private companies, trying to implement processes, methodologies and tools to improve the efficiency and effectivness of their required activities. Often called on as a Court Expert Witness, he is also an external member of private companies C-SOC and C-CERT teams. Francesco started out as a professional developer during the day, but his nightly passion for information security quickly switched to a full time InfoSec and DFIR consultant role. He obtained a Computer Science degree and a Ph.D. in "Intelligent Electronics for Security" and achieved a real-time log correlation patent. Also passionate about reverse engineering, he still practices it during his spare time to implement a so-called offensive digital investigation, which aims at gaining access to protected data. Aware that the sharing of knowledge and experiences is essential in the information technology field, he shares observations from his daily job on the Zena Forensics blog, on GitHub repositories and on Twitter as @dfirfpi.

Mike Pilkington

Mike Pilkington

Curiosity wins the day! That is Mike Pilkington's teaching philosophy, because from his perspective, you have to be inspired and excited about solving difficult cases if you want to be great at forensics. As Mike says, "you have to be willing to search for the answers that others can't or won't find." Mike's infectious enthusiasm for digital forensics comes through in his work, in his classes, and in his day-to-day life. It's clear that his hobby and his job are one in the same.

Mike has been an instructor for the SANS Institute since 2008. He currently teaches Windows Forensics In-Depth (FOR500) and Advanced Digital Forensics and Incident Response (FOR508). In addition to teaching, Mike is a dedicated researcher and has published numerous articles for the SANS Forensics Blog.
After spending much of his career working in large corporate environments in the oil & gas industry, Mike joined SANS in 2017 as a full-time researcher in the SANS Research Operations Center (SROC).  His current role focuses on R&D projects in support of the Digital Forensics and Incident Response program.  Mike is a researcher at heart and was extremely excited to join SANS in this capacity!

Before joining SANS full-time, Mike led the US incident response team and the global internal investigations forensics team at Shell.  Prior to Shell, Mike had several roles in IT at Halliburton, including senior incident responder for the last several years of his tenure there.  Mike's core responsibilities were responding to malware and intrusion cases, leading various enterprise DFIR tooling projects, and consulting with internal groups on security reviews and initiatives.

Over the years, Mike has accumulated a broad range of technical expertise, having spent significant time performing software quality assurance, Windows systems administration, LAN and WAN network administration, firewall and IDS/IPS security administration, computer forensic analysis, and incident response. As a forensic analyst, he worked HR investigations, including cases involving intellectual property theft, inappropriate use of the Internet, employee hacking, IT administrator privilege abuse, and illegal downloading of copyrighted materials.

Mike holds a bachelor's degree in mechanical engineering from the University of Texas, as well as numerous IT security certifications.

Qualifications Summary:

  • Deep background in corporate cybersecurity
  • SANS instructor since 2008
  • Professional qualifications: GCFA, GCFE, GNFA, GREM, GCTI, EnCE, CISSP

Get to Know Mike Pilkington:

  • Mike's DFIR articles are available at
  • Mike co-authored the SANS Forensics "Find Evil" and "Hunt Evil" posters
  • Mike created an example forensics report for SANS FOR500 students (available upon request)
  • In addition to regularly presenting six-day SANS forensics classes, Mike's additional speaking engagements include the SANS DFIR Summit, SANS conferences, MIRcon, ISSA, and HTCIA

Listen to Mike discuss Privileged Domain Account Protection: How to Limit Credentials Exposure in this SANS webcast.

Here is What Students Say About Mike Pilkington:
"The level of detail and knowledge that Mike has is above excellent." - Oz Bogovac, JCI

"Once again, Mike's command-line knowledge really became valuable when we tried to stump him with questions. He knew everything!"  - Mike DeZenzo, EY

"The instructor helps by sharing his knowledge in a way it can be understood by the student." - Joseph Selph, IBM

"Very knowledgeable." - William Martin, NYSP

Here is What Instructors Say About Mike Pilkington:
"Mike's perspective is unique and extremely valuable to our instructor team. He sees things differently as a result of directly fighting adversaries in his larger multinational corporate environment daily, and he isn't afraid to share his experiences with the class. Mike is also a researcher at heart, and his research has directly resulted in our material being updated, corrected, and expanded. It has made our courses at SANS the best and brimming full of information that make SANS truly on the "cutting edge" and not just words we use in marketing."  - Rob Lee, SANS Fellow

"Mike is accomplished, wicked smart, and very passionate about our field. He is that rare individual who doesn't just report a problem - he takes it upon himself to find a solution. As an example, Mike encountered a number of students during his early teaching engagements who were having difficulties grasping the fundamentals of report writing. He took it upon himself to create a sample report that could be shared among instructors. His SANS blog posts are some of my favorites, as he regularly takes it upon himself to look deeper into nagging forensic unknowns and document clever solutions."  - Chad Tilbury, SANS Senior Instructor

"I have watched Mike present and have been thoroughly impressed with his smooth delivery, his ability to competently deliver highly technical material in a way that makes it easy for students to understand, and his ability to handle questions. Mike's background in IT brings a highly valuable perspective to the forensic program and inspires students." -  Ovie Carroll, SANS Certified Instructor

Hal Pomeranz

Hal Pomeranz

"Sometimes there's a moment in a case where I find a crucial piece of evidence hidden away where not many investigators would think to look. And I think to myself, 'I'm glad I was the one to work on this case, because this finding was important.' That's how I know I'm in the right field." ~ Hal Pomeranz

Hal Pomeranz is an independent digital forensic investigator who has consulted on cases ranging from intellectual property theft, to employee sabotage, to organized cybercrime and malicious software infrastructures. He has worked with law enforcement agencies in the United States and Europe, and with global corporations.

While perfectly at home in the Windows and Mac forensics world, Hal is a recognized expert in the analysis of Linux and Unix systems, and has made key contributions in this domain. His EXT3 file recovery tools are used by investigators worldwide. His research on EXT4 file system forensics provided a basis for the development of open source forensic support for this file system. Hal has also contributed a popular tool for automating Linux memory acquisition and analysis. But Hal is fundamentally a practitioner, and that's what drives his research. His EXT3 file recovery tools were the direct result of an investigation, recovering data that led to multiple indictments and successful prosecutions.

Raised in the Open Source tradition, Hal shares his most productive tools and techniques with the community via his GitHub and blogging activity. And nobody can show you how to forensicate with Open Source tools like Hal!

Hal is a SANS faculty fellow and the creator and primary instructor for the Securing Linux/Unix (SEC506) course. In the SANS DFIR curriculum he teaches Advanced Digital Forensics, Incident Response, and Threat Hunting (FOR508), Advanced Network Forensics and Analysis (FOR572), Mac Forensics Analysis (FOR518), and Reverse-Engineering Malware: Malware Analysis Tools and Techniques (FOR610). Hal holds the GIAC certification for the following courses: GCUX, GCFA, GNFA, and GREM.

Hal is a regular contributor to the SANS Digital Forensics and Incident Response blog and co-author of the Command Line Kung Fu blog. He's a former board member for USENIX, BayLISA and BackBayLISA; former technical editor for Sys Admin Magazine; and a respected author and highly rated instructor at industry gatherings worldwide. Hal is an avid baseball fan, so in the summer you'll usually find him at his local minor league ballpark or catching up on major league games. He enjoys travel, theatre, and food (both cooking and eating), but his first priority is keeping up with the interests of his kids: Disney, gymnastics, Legos, and video games.

Get to Know Hal

  • Over 25 years of industry experience
  • Founder and Principal Consultant for Deer Run Associates
  • GIAC Certified Forensic Analyst (GCFA), Network Forensic Analyst (GFNA), Malware Analyst (GREM), and Unix Administrator (GCUX)
  • SANS Faculty Fellow and SANS' longest tenured instructor
  • Hal is a contributor to the SANS Digital Forensics and Incident Response blog

Learn more about Hal Pomeranz in this DFIR Hero interview on the SANS DFIR Blog.

Here's What Students Are Saying about Hal Pomeranz:

"Hal is one of the finest instructors I've ever had the pleasure the take a class from. He possesses the rare ability to bring information on cutting edge techniques to the classroom and present it in a way that makes his students comfortable with these techniques as if they were old hat." - Chris Calabrese, Medco Health Solutions, Inc.

Listen to Hal discuss Incident Response Event Log Analysis.

Here is a SANS Summit presentation by Hal Pomeranz:

Kevin Ripa

Kevin Ripa

An investigator at heart, Kevin Ripa bought his first computer as a tool for writing reports for his private investigation agency. As he worked through typical user issues, the "why" of what was going wrong in his machine kept him up at night. So Kevin turned his investigative skills toward his computer and quickly became fascinated by the world inside of it. Now a 25-year veteran of the digital investigations field, Kevin's enthusiasm has not waned: "IT security and digital forensics still inspire me every day, and I can't wait to wake up in the morning and get to work!"

Kevin currently serves as president of The Grayson Group of Companies, which consists of Computer Evidence Recovery, Pro Data Recovery Inc., and J.S. Kramer & Associates, Inc. He provides investigative services to various levels of law enforcement, Fortune 500 companies, and the legal community. He is past president of the Alberta Association of Private Investigators and a former member of the Canadian Department of National Defence, where he served in both foreign and domestic postings.

Kevin has assisted in many complex cyber-forensics and hacking response investigations around the world. He's a sought-after resource for his expertise in information technology investigations and frequently serves as an expert witness.  In one memorable case, Kevin had a client charged with a heinous crime and facing significant jail time. "There was no question that the contraband material was on his computer, but our investigation proved conclusively that he could not have placed the material on the computer, nor was the computer even in his custody when the material was downloaded and viewed," explains Kevin. "In fact, the material had been placed on his computer inadvertently by his accusers, without them knowing that they had done it."

Back when he was a student, Kevin had chosen SANS because of the caliber of the instruction. Today he is a SANS instructor for SEC301: Intro to Information Security, SEC401: Security Essentials Bootcamp Style, and FOR500: Windows Forensic Analysis.

"I teach because I love to share knowledge, and I teach for SANS because it is the best of the best," Kevin explains." I am really fortunate that SANS appreciates my knowledge and allows me the opportunity to pass it on.  I love teaching security and DFIR, because it's like talking about my hobby. And when a student's light bulbs come on, it makes it even more worthwhile."

Kevin's teaching philosophy is that the instructor is there for the students, not the other way around. "If my students do not 'get' something by the end of the section, or day, or course, it is me that has failed as an instructor," he says. Kevin sees it as his duty to make the information understandable to each one of his students, and he wants his students to walk away from his classes reinvigorated about the field they have chosen and feeling they can make an actionable difference in the security of their enterprise. He also strives to remind them that humility is vital for career success.

"Every last one of us is absolutely replaceable, and usually by a machine with no moving parts!"

Teaching students to think outside the box and away from the books, and to use ingenuity to solve real-world problems, is also a key theme in Kevin's courses. For example, he notes that in digital forensics the biggest challenge can sometimes be to know when to stop looking at data. Trying to examine two terabytes of data is daunting, so Kevin teaches students how to prioritize the data and stay within manageable tasks.

Kevin has designed, produced, hosted, and taught numerous industry-related courses, and has had over 100 speaking and training engagements with industry and law enforcement around the world. He has also authored dozens of articles, as well as chapters in a number of manuals, books, and training texts on the subjects of computer security and forensics. Kevin holds a number of industry certifications, including four GIAC certifications (GCFE, GCFA, GSEC, GISF), EnCase Certified Examiner, Certified Data Recovery Professional, and Licensed Private Investigator, and he previously held the Certified Penetration Tester and Certified Ethical Hacker certifications.

In his free time, Kevin loves to tackle renovations, cabinet-making, auto mechanics, reading, discovering new things in cyber, and, above all, building Lego creations with his four-year-old son.

Qualifications Summary

Get to Know Kevin Ripa


  • GIAC Advisory Board
  • Certified Cellular Master Repair Technician Level III
  • Certified Data Recovery Professional
  • Hacking Exploits Investigation Specialist
  • Advanced Lab Data Recovery Specialist
  • Advanced Microsoft Windows Forensics
  • Email Tracing Specialist
  • Internet Investigation Specialist
  • GIAC Information Security Fundamentals (GISF)
  • GIAC Certified Forensic Examiner (GCFE)
  • GIAC Certified Forensic Analyst (GCFA)
  • GIAC Security Essentials Certification (GSEC)
  • EnCase Certified Examiner
  • Licensed Private Investigations Agency and Agent
  • Certified Ethical Hacker v.6

Here is What Students Say About Kevin Ripa:

"Wanna thank Kevin Ripa for providing the FOR500 class with THE BEST training I can honestly say that I have ever had. Highly recommend the course and instructor!!" - Justin Marshall, Network Security Systems Plus, Inc.

"I enjoy how Kevin provides students with real-world scenarios and experiences that relate to the material he is discussing" - Jeff Spurlock, NVARNG

"Best instructor! Explains questions and answers very well" -  Shane Francis, FirstEnergy

"Fantastic instructor, lots of knowledge, interactive and interesting." - Arlina R, NBCU

"The instruction at SANS is top notch. I have been to several SANS training courses and they never disappoint. The Windows Forensic class that I took in Baltimore was by far the best training class I have taken at SANS. Kevin Ripa is an experienced digital forensic talent that SANS is very lucky to have teaching. Kevin kept my attention the entire 6 days and time flew by, never a dull moment. He brings real life experiences and shows the student how the material can be applied. I left the class wanting more and will definitely look to SANS for my future training needs." -  Thomas Seck, Johns Hopkins APL

Andrew Schworer

Andrew Schworer

Anuj Soni

Anuj Soni

Anuj Soni initially pursued a career fighting cybercrime for the thrill of the hunt.

"The rush of tracking bad guys and gals, uncovering their tools, and understanding their motives is just way too fun," he says. "I simply can't get enough of it."

These days, Anuj feeds his passion for technical analysis through his role as a Senior Threat Researcher at Cylance, where he performs malware research and reverse engineering. Anuj also brings his problem-solving abilities to his position as a SANS Certified Instructor, which gives him the opportunity to impart his deep technical knowledge and practical skills to students. As a co-author and instructor for Reverse-Engineering Malware (FOR610) and instructor for Advanced Digital Forensics and Incident Response (FOR508), Anuj emphasizes establishing goals for analysis, creating and following a process, and prioritizing tasks.

"Tools come and go, but if you develop a process that works for you and are patient with yourself, creativity will flow," he says. "Automate what can be automated and enjoy working through the hard stuff" - that is, the actual analysis.

Since entering the information security field in 2005, Anuj has performed numerous intrusion investigations to help government and commercial clients mitigate attacks against the enterprise. His malware hunting and technical analysis skills have resulted in the successful identification, containment, and remediation of multiple threat actor groups. Anuj has analyzed hundreds of malware samples to assess function, purpose, and impact, and his recommendations have improved the security posture of numerous organizations. Highly sought after as a technical thought leader and adviser, Anuj excels not only in delivering rigorous forensic analysis, but also in process development, knowledge management, and team leadership to accelerate incident response efforts. 

In addition to teaching SANS courses, Anuj frequently presents at industry events such as the U.S. Cyber Crime Conference, SANS DFIR Summit, and the Computer and Enterprise Investigations Conference (CEIC). He has bachelor's and master's degrees from Carnegie Mellon University and holds certifications in GIAC Reverse Engineering Malware (GREM) and as a EnCase Certified Examiner (EnCE) and Certified Information Systems Security Professional (CISSP).

When not consumed by the excitement of his day job, Anuj spends time with his growing family and enjoys photography, hitting the gym, and mixing up creative cocktails.

Qualifications Summary:

  • More than a decade of experience performing forensic, malware, and network analysis.

Get to Know Anuj Soni:

Here's What Students Are Saying about SANS Certified Instructor Anuj Soni:

  • "Anuj is by far the most upbeat instructor. The excitement in class is infectious." - Divyashree Joshi, DIRECTV LLC
  • "I value the time Anuj takes to make sure each student is progressing." - Shaun Gatherum, NuScale Power
  • "He's very well spoken and very knowledgeable. He kept us on task and any sidebars were related to info being taught." - Ryan Gibson, Qualcomm 

Here is What Students Say About Anuj Soni:

"Anuj's technical achievements are outstanding.  As an expert in the field, he works on some really critical areas for the government, but he still has time to write for the SANS DFIR blog, tweet, and provide suggestions to improve courses.  Anuj's teaching style is extremely engaging and easily show his love of the material.  He is one of our highest rated instructors." -Rob Lee, DFIR Curriculum Lead

"I've had the opportunity to see and hear Anuj share his knowledge of malware, incident response and forensics with attendees at several SANS events. Not only does he have deep expertise in these areas, he is also a wonderful teacher. His presentation style, the manner in which he breaks down difficult concepts, and his overall demeanor resonate strongly with his listeners. Even when he covered challenging techniques, students could not escape the grip of his logic and clarity of his explanation. It shows Anuj's inherent talents as an instructor." - Lenny Zeltser, SANS Senior Instructor

Peter Szczepankiewicz

Peter Szczepankiewicz

Formerly working with the military, Peter responded to network attacks, and worked with both defensive and offensive red teams. Currently, Peter is a Senior Security Engineer with IBM as well as a certified instructor for the SANS Institute. People lead technology, not the other way around. He works daily to bring actionable intelligence out of disparate security devices for customers, making systems interoperable. Peter expounds, "Putting together networks only to tear them apart, is just plain fun, and allows students to take the information learned from books and this hands-on experience back to their particular work place."

Here is What Students Say About Peter Szczepankiewicz:

"Peter is a great instructor. He is not only knowledgeable in the field, but captured everyone's attention for the full class time. Great instructor!" - Michael B., US Government

David Szili

David Szili

David Szili got his first computer, a 486DX2, at the age of 10 and quickly discovered his talent and passion for bending and twisting systems and programs to achieve results beyond their intended purpose. One of the few games he had on the computer was SimCity, a game that he always ended up losing with a bankrupted city after 20-30 minutes of playing. David discovered a magazine explaining how to edit saved game files, eventually learning how to open the files of his saved games with a hex editor to overwrite the amount of money he had. From that point on, David was hooked and had found his career path.

David brings that passion and curiosity to his role as instructor for SANS FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response, "SANS strives to provide the best quality every time; something that aligns with my personal values." He also likes the fact that SANS is a very active member and supporter of the information security community.

Today, David is managing partner and CTO at Alzette Information Security, a consulting company based in Luxembourg. He has more than eight years of professional experience in penetration testing, red teaming, vulnerability assessment, vulnerability management, security monitoring, security architecture design, incident response, digital forensics and software development. 

In his instructor role at SANS, David loves to teach concepts of analysis, detection, and response as these are the skills needed by modern-day defenders who face determined attackers. David also focuses on practical application, even when teaching the theoretical background of a material, he makes sure to bring in real-life examples and case studies. He also puts extra emphasis on hands-on skills development and demos during class, because "as defenders of an organization," says David, "students need to 'train as they fight.'"

"As security analysts, we never wish to have less data," says David. "However, we have also reached the point where simply handling the volume of data available and effectively processing it is already a huge challenge, let alone finding signs of compromise and malicious activity." He addresses this challenge with his students by teaching them to build up a pragmatic analytic workflow and encouraging a deep understanding of why all the steps in a process need to be performed to get to a solution. David's proudest moments are when former students tell him that they implemented something he shared in class and it worked great.

David has master's degrees in computer engineering and in networks and telecommunication, along with a bachelor's degree in electrical engineering. He also holds several IT security certifications such as GSEC, GCED, GCIA, GCIH, GMON, GNFA, GYPC, GMOB, OSCP, OSWP and CEH. David speaks on a regular basis at international conferences like, BruCON, Hacktivity, Nuit du Hack, x33fcon, BSides Munich, BSidesBUD, and BSides Ljubljana, and he's on the organizing team for BSides Luxembourg, a conference fully dedicated to defense topics. David blogs about information security at David also has an Erdos number of 4.

In his spare time, David likes to work on hobby electronics projects and participate in the development of open-source security tools. David is also a huge fan of movies and TV series and he likes to go to concerts of bands like Walk of the Earth or Postmodern Jukebox.

Qualifications Summary

  • Managing partner and CTO of Alzette Information Security, a consulting company based in Luxembourg
  • Member of the organizing team for BSides Luxembourg, a conference fully dedicated to defense topics
  • Instructor for SANS FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response 

Get to Know David Szili

  • Blog 
  • Presentations and Events:, BruCON, Hacktivity, x33fcon, Nuit du Hack, BSides Munich, BSidesBUD, BSides Ljubljana, BSides Luxembourg (part of the organizing team)

Russell Taylor

Russell Taylor

Russ has been working within IT for over 15 years, his first introduction to "Cyber" was with the Cyber Security Challenge UK. Where he was a competitor in 2011/12 and progressed to the Masterclass where he placed 2nd place over all.

Since the Masterclass he has become an assessor, a content creator and sponsor of the Cyber Security Challenge UK. Russ enjoys working with people looking to enter the security industry, helping and guiding them with an appropriate route.

Russ is currently self-employed, Russ's company has a blog ( of which he is the sole author. Russ has intentionally written the blog to be a learning blog, allowing simple explanations of security activities he has found interesting or challenging.

Russ has a real passion for forensics; both network and host. His networking knowledge is by far his strongest point,

Chad Tilbury

Chad Tilbury

"The real voyage of discovery consists not in seeing new sights, but in looking with new eyes." - Proust

This favorite quote of Chad Tilbury has proven to be a recurrent theme throughout his career. When Chad attended the U.S. Air Force Academy, his interest was piqued early on by the thrill and challenge of engaging adversaries in new domains. Chad grew up enthralled by spy novels, so defending against real spies with counter-espionage techniques was particularly appealing. A career in computer crime investigations was the perfect fit.
Chad has over 20 years of experience working with government agencies, defense contractors, and Fortune 500 companies. And his case list looks like it's been pulled straight from those spy novels he grew up reading: murder, abduction, espionage, fraud, hacking, intellectual property theft, child exploitation, terrorism, and computer intrusions.

As a Special Agent with the Air Force Office of Special Investigations, Chad served on the national computer intrusion team and helped expand counter-espionage techniques into the digital age. He has led international forensic teams, built forensic departments, and spent over eight years as an incident response consultant and technical director with Mandiant and CrowdStrike.  
In addition, Chad worked as a computer security engineer and forensic lead for a major defense contractor and served as the vice president of worldwide Internet enforcement for the Motion Picture Association of America. In that role, he managed Internet anti-piracy operations for the seven major Hollywood studios in over 60 countries.

"With so many different skills and cultural perspectives on that team, I learned more about the dark underpinnings of the Internet than I ever could have imagined," says Chad.

Today, Chad brings his wealth of experience to his role as a  consultant, where he specializes in incident response, corporate espionage, and computer forensics. Here at SANS, Chad is a senior instructor and co-author for two six-day courses:  FOR500: Windows Forensic Analysis, which focuses on the core skills required to become a certified forensic practitioner, and FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting, which teaches sophisticated computer intrusion analysis and advanced threat hunting techniques.

Chad's experience brings immeasurable depth to his classes. He focuses not only on tools and techniques but also on understanding how those artifacts can be used to prove or disprove questions students are asked to investigate in their daily jobs. As Chad says, "Forensics is both an art and a science, and I find hearing about real-world applications provides new perspectives and can help unlock a student's ability to think unconventionally."  

Chad keeps his class goals simple: teach and lead discussions on the most important topics and make sure students have as much time as possible to work on the exercises. "I'm a big believer in hands-on learning," he says, "and we work hard to ensure the exercises in our classes are as realistic as possible. When students put all the pieces of a forensic investigation together themselves, it leads to those 'aha' moments that are so valuable."
The methodologies Chad teaches in his courses are the same ones he has used successfully on countless examinations. "Our exercises are months in the making and provide realistic, real-world evidence samples on which to practice," says Chad. "I have had numerous students report going back to their teams, blowing them away with a new technique, and promptly becoming the trainer themselves."

One of Chad's most memorable experiences in the classroom brought that immediacy of techniques to a whole new level.

"I was teaching some of my latest research on browser artifacts, recently added to the FOR500 class. Research showed that a specific browser database could be missing a day or more of information if not properly handled. There happened to be a law enforcement officer in class who was investigating a murder, and in his examination of the suspect's computer he had noted missing data during a critical 24-hour period. From our class discussion, the officer now had a tool and technique to recover the missing data in his case. Not surprisingly, he left class early!"

In addition to being a graduate of the U.S. Air Force Academy, Chad holds B.S. and M.S. degrees in computer science, as well as GCFA, GCIH, GREM, and ENCE certifications.

In his free time, Chad loves to travel and takes full advantage of the unique destinations his career takes him. He spends much of his time at home mountain biking, skiing, snowboarding, and mountaineering. Chad recently took a ski mountaineering trip to Antarctica, about as far away from a Wi-Fi signal as you can get!

Qualifications Summary

  • Over 20 years of experience working with government agencies, defense contractors, and Fortune 500 companies on a wide variety of cases
  • Senior instructor and course co-author for SANS Forensics 500: Windows Forensic Analysis and SANS Forensics 508: Advanced Digital Forensics, Incident Response, and Threat Hunting

Get to Know Chad Tilbury

Here is What Students Say About Chad Tilbury:

"Chad Tilbury is hands down the best instructor that I ever had in my 20 years of military service. Excellent job. Very relevant and up-to-date. An industry leader in this field." - Dannie Walters, U.S. Army

"Chad's real-world examples are a key part of the training. It really helps to have a knowledgeable instructor who currently works in the industry." - Roger Szulc, MDA

"I had the immense pleasure of learning from Chad during the SANS Computer Forensics and Investigation course. Chad's ability to break down complex, technically challenging topics and teach them in an understandable manner is second to none. He has helped countless numbers of people including myself gain the GCFA certificate and I wholeheartedly believe he is a true asset to any organization." - Ali Emirlioglu, Senior Security Operations Analyst at Datacom TSS

Here is a SANS Summit presentation by Chad Tilbury:

Alissa Torres

Alissa Torres

Alissa Torres is an explorer at heart. Uncovering the full story of an attacker's exploits requires digging into known and unknown forensic artifacts, and this excavation is exactly what intrigues her. With more than 15 years of experience in computer and network security spanning government, academic, and corporate environments, Alissa has the deep experience and technical savvy to take on even the most difficult computer forensics challenges that come her way. Her current role as an Incident Response Manager at Cargill provides daily challenges "in the trenches" and demands constant technical growth. Alissa is also founder of her own firm, Sibertor Forensics, and has taught internationally in more than 10 countries.

Memory forensics is a bleeding-edge field of Digital Forensics & Incident Response (DFIR), and Alissa is the lead author as well as an instructor of FOR526: Memory Forensics In-Depth and co-author of the SANS Memory Forensics Poster. She also teaches  FOR500: Windows Forensic Analysis; FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting; and SEC504: Hacker Tools, Techniques, Exploits and Incident Handling.

Alissa was introduced to digital forensics during her four years of service in the U.S. Marine Corps. She moved on to various technical roles at KEYW Corporation, Northrop Grumman Information Systems, and as part of Mandiant's computer incident response team (MCIRT). Alissa has worked as an instructor at the U.S. Cyber Challenge Camps and at the Defense Cyber Investigations Training Academy (DCITA), delivering incident response and network basics to security professionals entering the forensics community. She is passionate about sharing knowledge, presenting annually at regional and national industry conferences and encouraging women's participation in science, technology, engineering, and math through regional outreach programs.

As both an investigator and instructor, Alissa has a constant and infectious desire to always learn more and question everything, an ethos embodied in the SANS DFIR classes. "Our curriculum ensures students gain an understanding of why an artifact matters and how the tools interpret the data." Alissa explains. An inquisitive nature can be the determining factor in investigative success, as Alissa learned when she identified a critical error in one of her team's web proxy timeline procedures. This discovery allowed for the correction of contractual fraud investigations involving the U.S.  government.  Sharing personal success stories like this one gives students real-world applications for the material they are learning and inspires them to evaluate and optimize their own investigative processes, whether in incident response, digital forensic investigations, or internal offensive reconnaissance.

As attackers learn how forensic investigators work, they become increasingly more sophisticated at leaving fewer traces behind. "We are in an arms race where the key difference is training," says Alissa. Toward that end, she encourages her students to ask more questions, grow the common body of knowledge, and make a difference in the digital forensics community. Her teaching style is best described as a type of "exposure therapy" that introduces concepts but then pushes students to get behind the keyboard and apply these concepts themselves.

Alissa's true passion is memory forensics, a rapidly evolving area of expertise for both attackers and defenders. As malware strives for a minimal footprint on the host, the battlefield exists in system memory. Alissa's students take the skills taught in FOR526 and move their investigations forward, in some cases even uncovering new details in their cases before the week-long class ends.

Alissa has a B.S from the University of Virginia and a M.S. in information technology from the University of Maryland. She is a GIAC Certified Forensic Analyst (GCFA), and holds the GCFE, GCIH, GSEC, CISSP, and EnCE certifications. Alissa has served as a member of the GIAC Advisory Board since 2013 and was recognized by SC Magazine as one of its "2016 Women to Watch." Needless to say, she stays pretty busy. When not enmeshed in metadata and memory structures, Alissa catches every soccer game she can, cheering at her kids' games and scheming to attend matches of her favorite team, Everton. In what time she has left from constant cybersecurity vigilance, Alissa enjoys hiking in the Puerto Rican rain forest and scaling rocks at Big Sur.

Qualifications Summary


  • GIAC Security Essentials Certification (GSEC), June 2015
  • GIAC Certified Incident Handler (GCIH), June 2014
  • GIAC Reverse Engineering Malware (GREM), July 2013
  • GIAC Certified Forensic Examiner (GCFE), January 2013
  • Certified Forensic Computer Examiner (CFCE), December 2012
  • GIAC Certified Penetration Tester (GPEN), July 2012
  • GIAC Certified Forensic Analyst (GCFA), November 2011
  • Certified Information Systems Security Professional (CISSP), December 2010
  • EnCase Certified Examiner (EnCE), July 2010 - July 2019

Here is What Students Say About Alissa Torres:

"I love the energy of Alissa Torres' presentation style." - Scott S., US Govt.

"Alissa kept it interesting by pulling from her past experience and demonstrated great passion for the subject." - Matt Leach

"Alissa's teaching skills are remarkable - she is great." - Serge Tumba, GE Capital

"Fantastic- Energetic- Knowledgeable" - Dennis Mooney, Vanguard

"I highly recommend Alissa and SANS computer forensics courses. In April 2015 I attended the SANS Forensics 508: Advanced Digital Forensics and Incident Response (FOR508) course. I had high expectations for the course based on my team lead's recommendation. Alissa and the course exceeded my expectations. Alissa is an outstanding instructor, and SANS FOR508 was the best information security course I have attended. She mixed energy, knowledge, and experience to keep the content productive, relevant, and interesting. I look forward to attending more SANS courses instructed by Alissa." - Chad Rager,  Computer Forensic Engineer at ManTech

"This course is known throughout the industry as THE advanced IR and Threat Hunting course. This combined with Alissa's awesome teaching style makes it worth every penny! Alissa's subject matter expertise, enthusiasm, and insights are second to none! Her personalized attention to simulcast viewers was particularly nice because it felt like we were part of the class."  - Will Harmon, Trustwave

"Instructors like Alissa are why people keep coming back to SANS. Awesomeness and non-stop energy. She is one of my favorite instructors I've had from SANS, right up there with the likes of Ed Skoudis, John Strand, and Eric Cole. A brilliant presenter who keeps it fun, informative, and turns what other people could make sleep inducing, into non-stop engaging." - Eric Donaldson, Discover Financial Services

Lee Whitfield

Lee Whitfield

Lee Whitfield seldom accepts anything that he is told. His curious mind and love of challenging norms compels him to obtain the knowledge for himself. It is part of what makes him a great forensic investigator, and also what he hopes to share with his students.

He began his digital forensics career in 2006, when a neighbor told him about the field. Lee was hooked. Immediately, he started reviewing books, software and taking classes to build up his skills. He soon had the knowledge and skill to become a digital forensic investigator in both in the United States and United Kingdom. Today, Lee is a digital forensic consultant and analyst for his own company, 337 Forensics.

Lee has covered a wide array of situations during his time as a forensic investigator, everything from child abuse, intellectual property theft, attempted murder, and much more. One of his greatest successes was his work on reverse engineering Volume Shadow Copies, which had been a stumbling block for forensic investigators. Due to Lee's work and innovation, access and time to locate files was greatly reduced, essentially allowing a forensic investigator to view the computer's contents from days, weeks, or even months before, including old or deleted files. 

As Lee continued to build and expand his knowledge, he had the opportunity to present at the SANS Forensic Summit. The experience, as well as hearing from other knowledgeable experts, led him to understand that SANS was an organization committed to cutting-edge training and expanding the field of digital forensics. 

Now as an instructor for FOR500: Windows Forensic Analysis, Lee pushes his students to understand how important it is to "get things right," given the power of digital forensics and the impact it has on people's lives. Lee shares his own stories and experiences with his students and strives to create open discussion and the opportunity for students to find the answers for themselves. He wants every student to share his passion for finding the truth, and the drive to continue to build their skills and knowledge moving forward.  

Lee also serves as a Senior Technical Adviser for the SANS Research and Operation Center, helping in the Lab Validation process. He also hosts the Forensic 4:cast Awards event at the SANS DFIR Summit each year. In his sparse free time, Lee also produces his own popular digital forensics podcast, Forensic 4:cast. The podcast has afforded him the opportunity to discuss and investigate important issues relating to the field of digital forensics, and in each episode, he interviews a panel of guests on the latest news and issues in the field. 

Outside of digital forensics and instructing, Lee focuses his time on his wife and four children at home in Dallas, TX. He also enjoys photography and flying his drone. To top it off, Lee is a huge Marvel fan and you'll likely find him at the movie theatre on Marvel movie release nights. 

Qualifications Summary


  • EnCase Certified Examiner (EnCE)
  • GIAC Advanced Smartphone Forensics (GASF)
  • GIAC Certified Forensic Examiner (GCFE)
  • GIAC Reverse Engineering Malware (GREM)

Get to Know Lee Whitfield

Here is What Students Say About Lee Whitfield:

"Lee provides real-world experience that help to show the importance of material." - Tom Hamberger, ManTech

"I appreciate Lee sharing his real-world stories of cases he's been involved in, and how he has been able to use many of the tools discussed to aid in investigations." -  David Montoya, OIT

"Lee is an outstanding instructor!" - D. Werden, TARDEC

"What I learned in Lee's class helped me relate to my every day job and continue to build my skills." - Brian Masuoka, Ernst Young

"I've gained a lot from Lee! The best instructor I ever seen in my life. I highly recommend my colleagues take training with him." Sami, MOD

"Lee keeps the course interesting and easy to understand." Jessica Holmes, Pfizer, Inc.

"Lee is awesome! Thanks for drilling down into the weeds to answer our questions." Daniel F., KPMG

"Mr. Whitfield is a very knowledgable and congenial instructor. He makes the class enjoyable." T. Morales, Stroz Friedberg

Jake Williams

Jake Williams

When a complex cyber attack put a private equity investment of more than $700 million on hold, the stakes couldn't have been higher. But that's exactly the kind of challenge that motivates Jake Williams, a computer science and information security expert, U.S. Army veteran, certified SANS instructor and co-author of FOR526: Memory Forensics In-Depth and FOR578: Cyber Threat Intelligence. To help mitigate the attack, Jake plied his information security expertise, discovered that not one but three different attackers had compromised the firm's network, and went about countering their moves.

Jake relishes the idea of meeting adversaries on the cyber battlefield. "I went into this field because I wanted a challenge," he says. "Infosec is like a game of chess to me. The attacker plays their moves and you play yours."

Jake started his information security career doing classified work with the U.S. government and was awarded the National Security Agency (NSA) Exceptional Civilian Service Award, which is given to fewer than 20 people annually. "I am immensely proud of the things I've accomplished," Jake says. "I'm positive the world is a safer place because of my work."

Today, Jake runs a successful Infosec consultancy. He's been involved in high-profile public sector cases including the malware analysis for the 2015 cyber attack on the Ukraine power grid. He's also tackled a variety of cases in the private sector. In one, Jake discovered attackers compromising a custom service the client had distributed to all its endpoints. Leveraging experience and insight with advanced persistent threats helped Jake "think like the attacker" and determine the attacker's likely hiding spots.

Jake's work has led to his invention of DropSmack, a proof-of-concept tool for highlighting the danger that cloud-based file sharing services pose to corporate networks, and the creation of ADD (Attention Deficit Disorder), a publicly-available memory anti-forensics toolkit.

Jake's work also led him to teaching. "I chose to be a SANS instructor because they are the very best in the business. Others talk about being the best, but SANS actually is the best," he says. "I love teaching people, but it goes beyond teaching for me. With many students, I'm making lasting professional relationships. Students come back again and again and have a lifelong learning relationship with SANS." 

Jake teaches a variety of classes (SEC503, SEC504, SEC660, SEC760, FOR508, FOR526, FOR578, FOR610) and prefers an active learning approach, using demos rather than slides to teach lessons. "It takes me back to my first exploits and I get the chance to relive that magical feeling all over again," he explains.

More importantly, Jake wants students to walk out of class being able to critically analyze a problem, discover a solution, and do something they couldn't do before. "I don't teach button-clicking steps, my goal is to ensure students understand how to take concepts from the class and apply them to their own cases and engagements."

Given his accomplishments, it should come as no surprise that Jake lives, sleeps, and breathes Infosec. When he's not teaching, he's consulting. He's a regular speaker at industry conferences including DC3, BSides (including BSides Las Vegas), DEFCON, Blackhat, Shmoocon, EnFuse, ISSA Summits, ISACA Summits, SANS Summits, and Distributech.  He has also presented security topics to a number of Fortune 100 executives.

Jake is also a two-time victor at the annual DC3 Digital Forensics Challenge. He drew on his passion for hands-on capture-the-flag events to design the critically acclaimed NetWars challenges for the SANS malware reversing and memory forensics courses.

Qualifications Summary:

GIAC Certifications:

  • GIAC Security Expert (GSE), March 2016
  • GIAC Security Essentials Certification (GSEC), June 2015
  • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), March 2015
  • GIAC Certified Forensic Analyst (GCFA), October 2013
  • GIAC Penetration Tester (GPEN), January 2013
  • GIAC Certified Incident Handler (GCIH), January 2013
  • GIAC Certified Intrusion Analyst (GCIA), December 2012
  • GIAC Certified Windows Security Administrator (GCWN), November 2012
  • GIAC Reverse Engineering Malware (GREM), October 2012
  • GIAC Certified Forensic Examiner (GCFE), September 2012
  • GIAC Systems and Network Auditor (GSNA), February 2012

Get to Know Jake Williams:

Jake teaches the following courses for SANS:

Here's What Students Are Saying about Instructor Jake Williams:

"Jake's teaching style and practical experience totally make the course." - Andrew Nelson, Chevron

"Jake is awesome! The experience is massive!" - Late Adodo Placca, iProcess International

"Provides great balance between structured analytical approaches and technical analysis." -  Ladell Marshall, Goldman Sachs

"Jake goes off-book in a good way, sharing useful tools & information in addition to the already-included useful tools & info." - Robin Stuart, Salesforce

Here is a SANS Summit presentation by Jake Williams:

Lenny Zeltser

Lenny Zeltser

Aptly called the "Yoda" of malware analysis by his students, Lenny Zeltser keeps his eye on the big picture and focuses on the sum of events rather than individual occurrences. He lives by that philosophy and brings it to his job and classroom.  "Even those professional moments that seem insignificant by themselves can be an important piece of the progressive journey that, hopefully, takes us toward our career objectives and honors our ideals," says Lenny. "And you may not even see the value in those moments until you look back on the path."

A tech leader with extensive cybersecurity expertise, Lenny leads the cybersecurity program as the Chief Information Security Officer (CISO) at Axonius. Earlier, he helped build anti-malware software at an innovative startup and oversaw security services at a Fortune 500 technology company. Beforehand, he led the security consulting practice at a leading cloud services provider.

Lenny is also a senior instructor at SANS and the primary author of FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques, a course he designed as an on-ramp into the malware analysis field. FOR610 helps students expand and systematize their approaches to examining malicious software using a variety of techniques.

"My goal is to make this topic as accessible to people as possible," says Lenny. "There is indeed much one needs to know to understand the inner workings of malicious code, but the good news is that people can begin learning how to do this work by building on the technical skills they already have, whether they are grounded in system administration, network security, software development or other aspects of IT."
Like many of his students, Lenny's career path began in an IT role, which lends unique strengths to his information security expertise.
"My first job in IT was Unix system administration, then I moved onto Windows sysadmin, and then I spent a bit of time on software development," Lenny explains. "I found myself gravitating toward the information security aspects of these jobs. For me, Infosec exists at the intersection of many disciplines, and working in this field allows me to make use of the skills and interests I've acquired across various aspects of IT."

Along the way, Lenny earned the prestigious GIAC Security Expert professional designation, and he currently serves on the Board of Directors of SANS Technology Institute and the CISO of Axonius, an innovative cybersecurity company. Lenny holds a bachelor's degree in computer science from the University of Pennsylvania and a master's in business administration from MIT Sloan.
A co-author of four books on malware, network security, and digital forensics, Lenny also developed the Linux toolkit REMnux to make it easier to use a variety of freely available malware analysis tools, many of which run well on Linux but can be difficult to find and install. REMnux has grown to become a very popular toolkit and today is used by malware analysts throughout the world. The FOR610 course that Lenny teaches covers many of the tools installed on REMnux.
Lenny gives his students more than technical tools, however, and he says that the most important lesson he teaches his students is: "You can do it."
"It's easy to get discouraged when you run into professional challenges that you're not equipped to handle," Lenny explains. "But when you participate in SANS training, you encounter many new tools and concepts that you will be able to attach to the techniques you already know from prior experience in the field. Much of what you learn will occur after you finish the course and begin applying the concepts to your work outside the classroom. I strive to give students the confidence and the core skills they need to keep learning about and curtailing malware threats even after the class ends."
In his free time, Lenny indulges his love of food both as chef and consumer. "Eating a delicious meal in good company is always time well spent for me," he says. Lenny also loves to cook as a way to clear his mind, disconnect from the day-to-day challenges of business and IT, and connect with family and friends. Lenny subscribes to several food and cooking magazines and enjoys experimenting with new recipes, ingredients, and spices. "Not everything I cook turns into a great dish—sometimes experiments lead towards unfavorable results—so I keep reminding myself to think about this process as a journey, not as a destination."
Qualifications Summary

Get to Know Lenny Zeltser

  • Lenny's personal website and blog:
  • Lenny's REMnux Linux toolkit:
  • Co-author of the SIFT Workstation & REMnux poster and security cheat sheets
  • Presenter of introductory malware analysis webcasts
  • Listen to Lenny"s Reflections of a Security Professional: Podcast Interview

This is what student are saying about Senior Instructor Lenny Zeltser:

  • "Lenny presented a wealth of knowledge, tied it together smoothly, and I am leaving with exponentially more knowledge." - David Werden, NGIS
  • "Last week, myself and three of my associates attended SANS GREM training. Based on previous recommendations by prior students, we explicitly attended this session given Lenny was the instructor. As someone who has been responsible for development and delivery of training and education services, Lenny is the best instructor I have ever encountered in my professional life. His approachable demeanor, passion for the learning process, and empathy for his students was just as impressive as his mastery of the curriculum. This praise was unanimous among my three associates." - Colin Sheppard, Vice President of Cyber Security & Fraud, International at First Data Corporation
  • "Lenny is one of the reasons why it's fun to be in the information security community. His extraordinary intellect and talent for research and innovation is matched by his communication and teaching skills. He"s a fantastic writer and a wonderful instructor who has mastered the ability to teach complex concepts in a very approachable manner. Lenny is also one of the nicest people you'll ever run into in our field or any other." - Eric Huber, Cyber Fraud Subject-Matter Expert
  • "Lenny Zeltser is another one of those people you read about in magazines and think "man, I wish I was that guy." A true leader in information security and a great guy all around. Lenny once actually paid me a compliment when I was teaching for SANS, along the lines of being inspired at the time by me being one the folks who happily stood up to teach in front of large crowds (we were both new to the game at the time). I found this humorous since I felt only awe at his own amount of knowledge. I still have the copy of Network Perimeter Security, which he personally sent me to get my opinion of it. I recall that I didn't end up providing my feedback since I felt beneath the ability to comment on it at the time!" - Ed Luck, Principal Consultant, Solutions at Dimension Data
  • "I was part of the group that attended and reviewed Lenny's try-out session as a SANS instructor, and was blown away by the energy, expertise, and focus he displayed. Where others have at times failed to properly handle interruptions, especially from people who were trying to lead them astray and/or force them to stumble, Lenny remained focused, put the interrupter nicely but firmly in his place, and postponed further discussion to the Q&A session at the end of the class. When audience members asked targeted questions, inquiring about their understanding of recent developments in information security, he was able to elaborate on each of the topics and help them improve their grasp on various hot topics. Lenny displays lots of dedication, is very intelligent, has a solid grasp of information security, and is capable of explaining complicated technical concepts in easily understandable terms." - Roland Grefer, Principal, Global Support Services Group

Eric Zimmerman

Eric Zimmerman

When Eric Zimmerman was a Special Agent with the FBI, one of his responsibilities was managing on-scene triage. He identified several gaps in an existing process and started creating solutions to address them. What began as building and expanding a few live response tools took Eric down a path that eventually led to him writing more than 50 programs that are now used by nearly 8,800 law enforcement officers in over 80 countries.

Much of Eric's work involved designing and building software related to investigations of sexual abuse of children. In a single year, Eric's programs led to the rescue of hundreds of these children. As a result, in May 2012, Eric was given a National Center for Missing and Exploited Children's Award, which honors outstanding law enforcement professionals who have performed above and beyond the call of duty. Eric was also presented with the U.S. Attorney's Award for Excellence in Law Enforcement in 2013.

Today, Eric serves as a Senior Director at Kroll in the company's cybersecurity and investigations practice. At SANS, he teaches the FOR508: Advanced Digital Forensics, Incident Response and Threat Hunting course, and is a two-time winner of the SANS DFIR NetWars Tournament (2014, 2015). Eric is also the award-winning author of X-Ways Forensics Practitioner's Guide, and has created many world-class, open-source forensic tools.

Eric is a sought-after instructor and speaker who brings expertise in the cyber realm, complex law enforcement investigations, computer forensics, expert witness testimony, computer systems design, and application architecture to his work and classroom.  

"I enjoy teaching this material because of how much potential there is in it to move cases forward quickly," says Eric. "With the pace at which computer storage continues to grow, it will become more and more important for people to understand the most cost-effective artifacts and techniques so these can be leveraged to move through data more quickly."

Eric's teaching philosophy focuses on the long-term gains achieved by not only understanding the nuts and bolts of how to run a tool and consume output, but also getting a deeper understanding of how tools work "under the hood." Those "a-ha" moments are what has kept Eric coming back to the classroom since 2008. His focus on understanding the big picture of digital forensics prepares students to perform better analysis, do new research of their own, and identify the best tools or techniques to perform successful investigations - all skills that will have a lifelong impact.

And even though work brings him great rewards, Eric understands the value of work/life balance. In his spare time, he enjoys spending time with his family, hiking, going to amusement parks with his two sons, and even fitting in a bit of video gaming when possible.

Qualifications Summary: 

  • Former Federal Bureau of Investigation (FBI) Special Agent
  • Creates and maintains many free world-class, open-source forensic tools
  • Award-winning author of X-Ways Forensics Practitioner's Guide
  • Recipient of the National Center for Missing and Exploited Children's Award and the U.S. Attorney's Award for Excellence in Law Enforcement

Get to Know Eric Zimmerman:

Here is What Students Say About Eric Zimmerman:

"It is easy to see how much passion Eric has for the topics he teaches" - Ken Saganowski, Kroll

"Deep knowledge - insightful. Gets questions answered thoroughly." - Daniel Lightfoot, PennyMac

"Good pace and content, he emphasis on important points." -  Rueben Rubio, Lord Abbett

"Eric epitimizes what it means to be a subject matter expert in this field. He really knows this material inside and out. Thank you for the high quality training." - Daniel Huynh

"The fact that SANS has managed to land someone like Eric Zimmerman, speaks volumes about the credibility they carry. Top notch."  - Chris Shandro, Blue Shield of California