The Only Training Event that - SANS Institute · The Only Training Event that Focuses EXCLUSIVELY on Digital Forensics, Threat Hunting, and Incident Response Fellow DFIR professionals

The Only Training Event that Focuses EXCLUSIVELY on Digital Forensics, Threat Hunting, and Incident Response

200+ fellow DFIR professionals with whom to network and share experiences

@sansforensics #DFIRCON

Memory Forensics (FOR526)

Mac Forensics (FOR518)

8 coins to earn in DFIR NetWars: The Coin Slayer tournament

8 DFIR hands-on, immersion-style courses taught by real-world practitioners

3 Expert @Night talks and 1 night of community events

DFIR COIN SLAYER! November 7 & 8

Leave Miami with a motherlode of coinage! All you have to do is:

1) Register for the DFIR NetWars Tournament (free with your course purchase).

2) Correctly answer all of the class-coin-specific questions across all four levels in order to earn a class-specific coin.

3) Score in the top five of individual players or first among the teams in order to earn a DFIR NetWars coin.

This is your chance to prove you've mastered the DFIR arts by earning DFIR Challenge coins.

Windows Forensics (FOR500)

Incident Response and Threat Hunting (FOR508)

Memory Forensics (FOR526)

Network Forensics (FOR572)

Smartphone Analysis (FOR585)

Malware Analysis (FOR610)

Mac Forensics (FOR518)

DFIR NetWars

FOR498 provides first responders, investigators and digital forensics teams with the advanced skills to quickly and properly identify, collect, preserve, and respond to data from a wide range of storage devices and repositories, ensuring that evidence integrity is beyond reproach. Numerous hands-on labs throughout the six-day course give students practical experience for rapid triage and digital acquisition from hard drives, mobile phones, cloud storage, Internet of Things devices, and everything in between.

FOR498: Battlefield Forensics & Data Acquisition NEW!

Instructor: Eric Zimmerman @EricRZimmerman

PRODUCE ACTIONABLE INTELLIGENCE IN 90 MINUTES OR LESS

This course will teach you to:

Learn and master the tools, techniques, and procedures necessary to effectively locate, identify, and collect data no matter where it is stored

Handle and process a scene properly to maintain evidentiary integrity

Perform data acquisition from at-rest storage, including both spinning media and solid-state storage

Identify the numerous places where data for an investigation might exist

Perform Battlefield Forensics by going from evidence seizure to actionable intelligence in 90 minutes or less

sans.org/DFIRCON-FOR498

“This course taught me invaluable info that I wasn’t aware of previously, such as RAID acquisition, tool usage, and data recovery.”

-Nina Turner, Travelers

This course will teach you to:

Conduct in-depth forensic analysis of Windows operating systems and media exploitation, including Windows 10 and the latest server products

Identify artifact and evidence locations to answer critical questions, including Internet usage, application execution, file/folder access, data theft, external device usage, cloud services, and more

Build an in-house forensic capability via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation

sans.org/DFIRCON-FOR500 giac.org/gcfe

Build in-depth and comprehensive digital forensics knowledge of Microsoft Windows operating systems. Learn how to recover, analyze, and authenticate forensic data, as well as track detailed user activity and organize findings for use in incident response, internal investigations, and civil/criminal litigation. Use your new skills to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies.

FOR500: Windows Forensic Analysis

Instructor: Rob Lee @robtlee

YOU CAN’T PROTECT WHAT YOU DON’T KNOW ABOUT

“This class is awesome! In the 11 years I’ve been doing digital analysis, this class is by far the best overall for content and organization.”

-David Brubaker, Obtaining Operator Certification Program Office

Threat hunting and incident response tactics and procedures have evolved rapidly over the past several years. Your team can no longer afford to use antiquated techniques that fail to properly identify compromised systems, provide ineffective containment of the breach, and ultimately fail to rapidly remediate the incident. Learn hands-on incident response and threat hunting tactics and techniques that elite responders and hunters are successfully using to detect, counter, and respond to real-world breach cases.

FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting NEW!

Instructor: Jake Williams @MalwareJake

ADVANCED THREATS ARE IN YOUR NETWORK – IT’S TIME TO GO HUNTING

This course will teach you to:

Detect how and when a breach occurred

Identify compromised and affected systems

Perform damage assessments and determine what was stolen or changed

Contain and remediate incidents

Develop scalable indicators and threat intelligence

Hunt down additional breaches using knowledge of the adversary

sans.org/DFIRCON-FOR508

“This class is great for all levels of practitioners. I think threat hunting is an overlooked skill and this is a great jump into it.”

-Ryan Dozier, ISYS Technologies

giac.org/gcfa

This course will teach you to:

Extract files from network packet captures and proxy cache files, allowing for follow-on malware analysis or definitive data loss determination

Use historical NetFlow data to identify relevant past network occurrences, allowing for accurate incident scoping

Use scalable tools including SOF-ELK® and Moloch to handle large volumes of log, NetFlow, and pcap source data

Reverse-engineer custom network protocols to identify an attacker’s command-and-control abilities and actions

sans.org/DFIRCON-FOR572

This course covers the tools, technology, and processes required to integrate network data sources into your investigations, with a focus on efficiency and effectiveness. There are many use cases for network data, including proactive threat hunting, reactive forensic analysis, and continuous incident response. The techniques covered in this course can help to close gaps in these use cases and more.

FOR572: Advanced Network Forensics: Threat Hunting, Analysis & Incident Response NEW!

Instructor: Hal Pomeranz @hal_pomeranz

BAD GUYS ARE TALKING – WE’LL TEACH YOU TO LISTEN

“Essential to any investigator’s skill set, this course makes the advanced network forensics techniques easily graspable.”

-Casey Brooks, Leidos Cyber

giac.org/gnfa

During a targeted attack, an organization needs a top-notch and cutting-edge threat hunting or incident response team to counter the threat. This course teaches the tactical, operational, and strategic levels of cyber threat intelligence skills, and the tradecraft required to make security teams better, threat hunting more accurate, incident response more effective, and organizations more aware of the evolving threat landscape.

FOR578: Cyber Threat Intelligence

Instructor: Peter Szczepankiewicz @_s14

THERE IS NO TEACHER BUT THE ENEMY

“This course was invaluable in framing my role as a hunter in the intelligence consumption/generation process.”

-Christopher Vega, CitiGroup

This course will teach you to:

Generate threat intelligence to detect, respond to, and defeat advanced persistent threats

Validate information received from other organizations to minimize resource expenditures on bad intelligence

Leverage open-source intelligence to complement a security team of any size

Create Indicators of Compromise in formats such as YARA, OpenIOC, and STIX

sans.org/DFIRCON-FOR578 giac.org/gcti

This course will teach you to:

Locate and interpret key evidence on smartphones

Recover deleted mobile device data that forensic tools miss

Decode evidence stored in third-party applications

Learn concepts to create and use custom SQL queries to parse SQLite databases of interest

Detect, decompile, and analyze mobile malware and spyware

Successfully handle locked or encrypted devices, applications, and containers

sans.org/DFIRCON-FOR585

This course provides examiners and investigators with advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. The course features 31 hands-on labs, a forensics challenge, and a bonus take-home case. Students will learn how to analyze different datasets, leverage the best tools, methods, and custom scripts to determine how data are stored and encoded on each type of device, and correctly interpret the data once recovered. Learn what you are missing by relying fully on your forensic tools and get the knowledge to find and extract the correct evidence from smartphones with confidence.

FOR585: Smartphone Forensic Analysis In-Depth

Instructor: Heather Mahalik @HeatherMahalik

SMARTPHONE DATA CAN’T HIDE FOREVER – IT’S TIME TO OUTSMART THE MOBILE DEVICE

“The best part about this course is that it provides real-world technologies for forensically investigating devices without the typical point and click approaches.”

-Brad Wardman, PayPal

giac.org/gasf

LEARN TO TURN MALWARE INSIDE OUT

This course will help you gain and expand your skills to analyze malware in an insightful, efficient, and consistent manner. You’ll learn to examine the behavior of malicious software, deobfuscate scripts, assess suspicious documents, debug and disassemble malicious code, and bypass anti-analysis capabilities. Regardless of your prior exposure to these topics, you’ll leave with a strong understanding of the techniques for reversing malicious software using a variety of monitoring utilities, a disassembler, a debugger, and many other freely available tools.

FOR610: Reverse-Engineering Malware: Malware Analysis Tools & Techniques

Instructor: Lenny Zeltser @lennyzeltser

This course will teach you to:

Examine how malware interacts with the file system, registry, network, and other processes in a Windows environment

Derive Indicators of Compromise from malicious executables to strengthen incident response and threat intelligence efforts

Control relevant aspects of the malicious program’s behavior through network traffic interception and code patching to perform effective malware analysis

Zero in on key aspects of malicious code at the level of assembly and suspicious API calls to understand the nature and threat level of malware

sans.org/DFIRCON-FOR610

“This was an amazing class that showed, from beginning to end, how to investigate a possible breach and the ways to identify and prevent it.”

-Jimmy Hwang, Wyndham Worldwide Corp.

giac.org/grem

This course will teach you to:

Acquire proactive and reactive defenses for each stage of a computer attack

Learn the latest computer attack vectors and how you can stop them

Recover from computer attacks and restore systems for business

Identify attacks and learn defenses for Windows, Unix, switches, routers, and other systems

Develop an incident handling process and prepare a team for battle

sans.org/DFIRCON-SEC504

Attackers are targeting systems with increasing viciousness and stealth. It is essential that defenders understand hacking tools and techniques and gain hands-on experience in finding vulnerabilities and discovering intrusions. This course provides a time-tested, step-by-step process for responding to computer incidents, and a detailed description of how attackers undermine systems so that you can prepare, detect, and respond to them and turn the tables on computer attackers.

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

Instructor: Michael Murr @mikemurr

“The training offered at SANS is the best in the industry, and the SEC504 course is a must for any IT security professional – highly recommended.”

-Michael Hoffman, Shell Oil Products

giac.org/gcih

Bonus Sessions

Enrich your SANS training experience! Evening talks by our instructors and selected subject-matter experts help you broaden your knowledge, hear from the voices that matter in computer security, and get the most for your training dollar.

Keynote: Making Forensic Processing EZer – Eric Zimmerman

There are many reasons to write forensics tools, from making them open-source to being free from a vendor for updates and breaking reliance on APIs. But designing and building tools is not enough – responders will quickly need to run multiple tools in a consistent and efficient manner. Once robust and dedicated tools are in place for the most important artifacts, you need the means to coordinate, automate, and run those tools across data. Tools such as KAPE address this need and provide a way for end users to build collection and processing tool chains that make sense for them. Conceptually, it is a short hop from the consistent and efficient processing of tool chains to scalable, automated processing. The key is reliability and efficacy of the processing tool chain, whether you are concerned with light-weight scans of tens of thousands of disks or more in-depth triage of scores of disks at a time. Tools such as KAPE provide a means to simplify the development, testing, and implementation of forensics tasks for automation. Once the automation is reliable, scale is largely a matter of increasing the instances where the automation runs. In this talk, Eric Zimmerman will explore the development and refinement process of EZ Tools and how KAPE can be used as the “glue” to tie things together.

Top 10 Writing Mistakes in Cybersecurity and How You Can Avoid Them – Lenny Zeltser

Improve your communication skills by avoiding the top 10 mistakes in cybersecurity writing. You’ll learn by spotting and fixing problems in excerpts from security reports, emails, and other content you regularly create. The mistakes you’ll see in this session will span the key aspects of writing: structure, look, words, tone, and information. Discover how these elements work together to capture and hold your readers’ attention and deliver your message. Learn how to be sure that you never make such mistakes. Benefit from the presenter’s experience of writing in cybersecurity for over two decades. The talk will not only help you write better, but also preview the techniques covered in the short SANS course SEC402: Cybersecurity Writing: Hack the Reader.

A Wild Goose Chase: Hunting for Hard-to-Find Smartphone Applications and Malware – Heather Mahalik

Smartphone applications and mobile malware are sometimes so buried into Android and iOS file systems that they are difficult to uncover. This talk will focus on methods used to identify, isolate and analyze third-party applications for iOS and Android devices as well as find malware that isn’t detected by a simple scan. Yes, iPhones have malware too! Don’t believe us? Come see for yourself.

DFIR Night Out Reception

Miami is world-renowned for a vibrant and high-energy nightlife! Give your overloaded brain a night off and come join the SANS DFIR faculty and fellow DFIRCON attendees for an evening of networking and fun! Drinks and hors d’oeuvres will be served.

DFIR NetWars – The Coin Slayer

Prove you’ve mastered the DFIR arts by playing in the DFIR NetWars: Coin Slayer Tournament. Created by popular demand, this tournament will give you the chance to leave DFIRCON with a fortune in DFIR coinage! To win the new course coins, you must answer all questions correctly from all four levels of one or more of the eight DFIR domains: Windows Forensics, Advanced Incident Response and Threat Hunting, Smartphone Analysis, Mac Forensics, Memory Forensics, Advanced Network Forensics, Malware Analysis, and DFIR NetWars. Take your pick or win them all!

Instructors

Rob Lee SANS Faculty Fellow

Rob Lee is the Curriculum Lead and an author for SANS’ digital forensic and incident response training. He earned his MBA from Georgetown and graduated from the U.S. Air Force Academy. As a member of the Air Force Office of Special Investigations, Rob led crime investigations and worked directly with government agencies as a technical lead. He was also a director at MANDIANT, the commercial firm focused on responding to advanced adversaries such as the APT.

Heather Mahalik SANS Senior Instructor

Heather is the author and course lead for FOR585: Smartphone Forensic Analysis In-Depth. Heather has worked on high-stress and high-profile cases, investigating everything from child exploitation to Osama Bin Laden’s media. She has helped law enforcement, eDiscovery firms, military and the federal government extract and manually decode artifacts used in solving investigations around the world. Heather began working in digital forensics in 2002, and has been focused on mobile forensics since 2010.

Michael Murr SANS Principal Instructor

Michael has been a forensic analyst with Code-X Technologies for over five years, conducted numerous investigations and computer forensic examinations, and performed specialized research and development. Currently, Michael is working on an open-source framework for developing digital forensics applications. Michael holds the GCIH, GCFA, and GREM certifications and has a degree in computer science from California State University at Channel Islands.

Peter Szczepankiewicz SANS Certified Instructor

In working earlier in his career with the U.S. military, Peter responded to network attacks and served with both defensive and offensive red teams. Currently, Peter is a Senior Security Engineer with IBM. People lead technology, not the other way around, and Peter works daily to bring actionable intelligence out of disparate security devices for customers, making systems interoperable.

Jake Williams SANS Senior Instructor

Jake Williams is an expert in secure network design, pen testing, incident response, forensics, and malware reverse engineering. Cleared by various government agencies, he regularly responds to cyber intrusions by state-sponsored actors in the financial, defense, aerospace, and healthcare sectors. He developed a cloud forensics course for the U.S. government, the pen testing tool Dropsmack, and the anti-forensics tool ADD, and builds other custom solutions at his company, Rendition Infosec.

Lenny Zeltser SANS Senior Instructor

A seasoned business and technology leader with extensive information security expertise, Lenny started his professional journey in a variety of technical InfoSec roles before serving as the national lead of the U.S. security consulting practice at a major cloud services provider. Later in his career he oversaw a portfolio of security services at a Fortune 500 technology company. Today, as VP of Products at Minerva Labs, Lenny designs and builds creative anti-malware products.

Eric Zimmerman SANS Certified Instructor

Eric serves as a Senior Director at Kroll in the company’s cybersecurity and investigations practice. In his previous work with the FBI, Eric managed on-scene triage. He identified several gaps in an existing process and started creating solutions to address them. This led to him writing more than 50 programs that are now used by nearly 8,800 law enforcement officers in over 80 countries.

Hal Pomeranz SANS Faculty Fellow

Hal Pomeranz is an independent digital forensic investigator who has consulted on cases ranging from intellectual property theft to employee sabotage and organized cybercrime and malicious software infrastructures. He has worked with law enforcement agencies in the United States and Europe, and with global corporations. While perfectly at home in the Windows and Mac forensics world, Hal is a recognized expert in the analysis of Linux and Unix systems, and has made key contributions in this domain.

Extend and Validate Your Training

Add an OnDemand Bundle OR GIAC Certification Attempt to your course within seven days of this event to get bundle pricing.*

Special Pricing

* Bundle OnDemand or GIAC with your course before Oct 1st and save $30!

GIAC and OnDemand Bundle price before Oct 1st: $769

GIAC and OnDemand Bundle price on or after Oct 1st: $799

Extend Your Training Experience with an OnDemand Bundle

• Four months of supplemental online review

• 24/7 online access to your course lectures, materials, quizzes, and labs

• Subject-matter-expert support to help you increase your retention of course material

“The course content and OnDemand delivery method have both exceeded my expectations.” -Robert Jones, Team Jones, Inc.

Get Certified with GIAC Certifications

• Distinguish yourself as an information security leader

• 30+ GIAC cybersecurity certifications available

• Two practice exams included

• Four months of access to complete the attempt

“GIAC is the only certification that proves you have hands-on technical skills.” -Christina Ford, Department of Commerce

More Information

www.sans.org/ondemand/bundles | www.giac.org

*GIAC and OnDemand Bundles are not available for all courses.

Register online at www.sans.org/DFIRCON2019

We recommend you register early to ensure you get your first choice of courses.

Select your course and indicate whether you plan to test for GIAC certification. If the course is still open, the secure, online registration server will accept your registration. Sold-out courses will be removed from the online registration. Everyone must complete the online registration form. We do not take registrations by phone.

Cancellation & Access Policy

If an attendee must cancel, a substitute may attend instead. Substitution requests can be made at any time prior to the event start date. Processing fees will apply. All substitution requests must be submitted by email to [email protected]. If an attendee must cancel and no substitute is available, a refund can be issued for any received payments by October 16, 2019. A credit memo can be requested up to the event start date. All cancellation requests must be submitted in writing by mail or fax and received by the stated deadlines. Payments will be refunded by the method that they were submitted. Processing fees will apply.

SANS Voucher Program

Expand your training budget! Extend your fiscal year. The SANS Voucher Program provides flexibility and may earn you bonus funds for training.

www.sans.org/vouchers

Registration Information

Hyatt Regency Coral Gables 50 Alhambra Plaza Coral Gables, FL 33134 305-441-1234 www.sans.org/event/dfircon-miami-2019/location

Hotel Information

Top 3 reasons to stay at the Hyatt Regency Coral Gables

1 No need to factor in daily cab fees and the time associated with travel to alternate hotels.

2 By staying at the Hyatt Regency Coral Gables, you gain the opportunity to further network with your industry peers and remain in the center of the activity surrounding the training event.

3 SANS schedules morning and evening events at the Hyatt Regency Coral Gables that you won’t want to miss!

Leave the ordinary behind and escape to the Hyatt Regency Coral Gables, a Mediterranean-style resort designed to replicate the Alhambra Palace in Spain. This TAG-approved hotel exudes grace and elegance while offering premium amenities and hospitality that come straight from the heart. When you arrive, you will be greeted by the two-story marble lobby accented with antique candle chandeliers, floral arrangements, arched hallways, and Spanish-style windows for an added sophistication. Welcome to the “Beverly Hills of Miami.”

Special Hotel Rates Available

A special discounted rate of $211 S/D will be honored based on space availability. Government per diem rooms are available at the prevailing rate with proper ID. These rates include high-speed Internet in your room and are only available through October 15, 2019.

Pay Early and Save*

Pay & enter code by 9-11-19: $350 discount

Pay & enter code by 10-2-19: $200 discount

*Some restrictions apply. Early bird discounts do not apply to Hosted courses.

Use code EarlyBird19 when registering early

Newsletters

NewsBites Twice-weekly, high-level executive summaries of the news most relevant to cybersecurity professionals.

OUCH! The world’s leading monthly free security awareness newsletter designed for the common computer user.

@RISK: The Consensus Security Alert A reliable weekly summary of newly discovered attack vectors, vulnerabilities with active new exploits, how recent attacks worked, and other valuable data.

Webcasts

Ask the Experts Webcasts SANS experts bring current and timely information on relevant topics in IT security.

Analyst Webcasts Analyst Webcasts share highlights and key results from our Analyst Program whitepapers and surveys.

WhatWorks Webcasts The SANS WhatWorks webcasts share powerful customer experiences, showing how end users resolved specific IT security issues.

Tool Talks Tool Talks are designed to give you a solid understanding of a problem, and how a vendor’s commercial tool can be used to solve or mitigate that problem.

5705 Salem Run Blvd. Suite 105 Fredericksburg, VA 22407

Save $350 when you pay for any 4-, 5-, or 6-day course and enter the code “EarlyBird19” by September 11th. Register today at www.sans.org/DFIRCON2019

To be removed from future mailings, please contact [email protected] or 301-654-SANS (7267). Please include name and complete address. NALT-BRO-DFIRCON-2019

As the leading provider of information defense, security, and intelligence training to military, government, and industry groups, the SANS Institute is proud to be a Corporate Member of the AFCEA community.

Other Free Resources (SANS.org account not required)

• InfoSec Reading Room

• Top 25 Software Errors

• 20 Critical Controls

• Security Policies

• Intrusion Detection FAQs

• Tip of the Day

• Security Posters

• Thought Leaders

• 20 Coolest Careers

• Security Glossary

• SCORE (Security Consensus Operational Readiness Evaluation)

Join the SANS.org community today to enjoy these free resources at www.sans.org/join