The ALL Digital Forensics, Threat Hunting, and Incident Response Training Event

November 5-10, 2018 Hyatt Coral Gables | Miami, FL

sans.org/DFIRCON2018

The ALL Digital Forensics, Threat Hunting, and Incident Response Training Event

@sansforensics #DFIRCON

security practitioners sharing knowledge and networking200+

8coins to earn in DFIR NetWars:

The Coin Slayer

7DFIR hands-on, immersion-style courses taught by real-world practitioners

1 night of community events

Expert @Night talks3

and

Memory Forensics (FOR526)

Mac Forensics (FOR518)

DFIR NETWARS: COIN SLAYER!

Leave Miami with a fortune in coinage. Just:1) Register for the DFIR Netwars Tournament (free with your course enrollment).2) Correctly answer the questions for a specific coin, across all four levels of the class –

to earn that coin.3) Top five scoring individual winners and top team winner will win a DFIR NetWars Coin.

Master the DFIR arts and earn Challenge Coins to prove your expertise.

Windows Forensics (FOR500)

Advanced Incident Response and Threat Hunting

(FOR508)

Memory Forensics (FOR526)

Advanced Network Forensics (FOR572)

Smartphone Analysis (FOR585)

Malware Analysis (FOR610)

Mac Forensics (FOR518)

DFIR NetWars

This course will teach you to:

Conduct in-depth forensic analysis of Windows operating systems and media exploitation, including Windows 10 and the latest server products

Identify artifact and evidence locations to answer critical questions, including Internet usage, application execution, file/folder access, data theft, external device usage, cloud services, and more

Build an in-house forensic capability via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation

sans.org/DFIRCON-FOR500 giac.org/gcfe

Build in-depth and comprehensive digital forensics knowledge of Microsoft Windows operating systems. Learn how to recover, analyze, and authenticate forensic data, as well as track detailed user activity and organize findings for use in incident response, internal investigations, and civil/criminal litigation. Use your new skills to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies.

FOR500: Windows Forensic Analysis Instructors: Rob Lee @robtlee

Lodrina Cherne @hexplates

YOU CAN’T

PROTECT WHAT

YOU DON’T

KNOW ABOUT

“This class is awesome! In the 11 years I’ve been doing digital analysis, this class is by far the best overall for content and organization.”

-David Brubaker, OCPO

Learn advanced skills to hunt, identify, counter, and recover from a wide range of threats within enterprise networks, including advanced persistent threat nation-state adversaries, organized crime syndicates, and hactivists. Use threat hunting to catch intrusions in progress, instead of after attackers have completed their objectives.

FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting Instructor: Chad Tilbury @chadtilbury

ADVANCED

THREATS ARE IN

YOUR NETWORK –

IT’S TIME TO GO

HUNTING

This course will teach you to:

Detect how and when a breach occurred

Identify compromised and affected systems

Perform damage assessments and determine what was stolen or changed

Contain and remediate incidents

Develop scalable indicators and threat intelligence

Hunt down additional breaches using knowledge of the adversary

sans.org/DFIRCON-FOR508

“This was an amazing class that showed, from beginning to end, how to investigate a possible breach and the ways to identify and prevent it.”

-Jimmy Hwang, Wyndham Worldwide Corp.

giac.org/gcfa

This course will teach you to:

Hunt and perform forensic forensic and IR-based analysis of NetFlow, full-packet capture, and infrastructure log files

Correlate events across different evidence types

Seek Artifacts of Communication that can drive other investigative processes

Efficiently and effectively handle large volumes of evidence

sans.org/DFIRCON-FOR572

This course covers the tools, technology, and processes required to integrate network data sources into your investigations, with a focus on e�ciency and e�ectiveness. There are many use cases for network data, including proactive threat hunting, reactive forensic analysis, and continuous incident response. The techniques we cover can help to close gaps in these use cases and more.

FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response Instructor: Philip Hagen @PhilHagen

BAD GUYS ARE

TALKING –

WE’LL TEACH

YOU TO LISTEN

“This class teaches security pros how to boil the ocean. Every network-focused investigator should be taking this course.”

-Jacob Grant, Arctic Wolf Networks

giac.org/gnfa

During a targeted attack, an organization needs a top-notch and cutting-edge threat hunting or incident response team to counter the threat. This course teaches the tactical, operational, and strategic levels of cyber threat intelligence skills, and the tradecraft required to make security teams better, threat hunting more accurate, incident response more e�ective, and organizations more aware of the evolving threat landscape.

FOR578: Cyber Threat Intelligence Instructor: Peter Szczepankiewicz @_s14

THERE IS NO

TEACHER BUT

THE ENEMY

This course will teach you to:

Generate threat intelligence to detect, respond to, and defeat advanced persistent threats

Validate information received from other organizations to minimize resource expenditures on bad intelligence

Leverage open-source intelligence to complement a security team of any size

Create Indicators of Compromise in formats such as YARA, OpenIOC, and STIX

sans.org/DFIRCON-FOR578

“This course gives a very smart and structured approach to Cyber Threat Intelligence, something that the global community has been lacking to date.”

-John Geary, Citigroup

giac.org/gcti

This course will teach you to: Locate and interpret key evidence on smartphones Recover deleted mobile device data that forensic tools miss Decode evidence stored in third-party applications Learn concepts to create and use custom SQL queries to parse SQLite databases of interest

Detect, decompile, and analyze mobile malware and spyware Successfully handle locked or encrypted devices, applications, and containers

sans.org/DFIRCON-FOR585

Develop advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from smartphones. This course provides specialized training on how to analyze di�erent file systems and artifacts from smart devices, leveraging a variety of forensic tools, as well as custom scripts and queries to uncover hidden data often crucial to the success of an investigation.

FOR585: Advanced Smartphone Forensics Instructors: Heather Mahalik @HeatherMahalik

Terrance Maguire

SMARTPHONE

DATA CAN’T HIDE

FOREVER –

IT’S TIME TO

OUTSMART THE

MOBILE DEVICE

“The best part about Advanced Smartphone Forensics is that it provides real-world technologies for forensically investigating devices without

the typical point and click approaches.” -David Brubaker, OCPO

giac.org/gasf

This course equips students with the skills necessary to methodically analyze malicious software, acting as a practical on-ramp for professionals who want to expand their skills in this area. Attendees will learn how to perform interactive behavioral analysis of malware, deobfuscate samples, circumvent anti-analysis capabilities, and review key aspects of malicious code for a deeper understanding of its functionality.

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques Instructor: Lenny Zeltser @lennyzeltser

LEARN TO

TURN MALWARE

INSIDE OUT

This course will teach you to: Examine how malware interacts with the file system, registry, network, and other processes in a Windows environment

Derive Indicators of Compromise from malicious executables to strengthen incident response and threat intelligence efforts

Control relevant aspects of the malicious program’s behavior through network traffic interception and code patching to perform effective malware analysis

Zero in on key aspects of malicious code at the level of assembly and suspicious API calls to understand the nature and threat level of malware

sans.org/DFIRCON-FOR610

“This was an amazing class that showed, from beginning to end, how to investigate a possible breach and the ways to identify and prevent it.”

-Jimmy Hwang, Wyndham Worldwide Corp.

giac.org/grem

This course will teach you to:

Acquire proactive and reactive defenses for each stage of a computer attack

Learn the latest computer attack vectors and how you can stop them

Recover from computer attacks and restore systems for business

Identify attacks and learn defenses for Windows, Unix, switches, routers, and other systems

Develop an incident handling process and prepare a team for battle

sans.org/DFIRCON-SEC504

Attackers are targeting systems with increasing viciousness and stealth. It is essential that defenders understand hacking tools and techniques and gain hands-on experience in finding vulnerabilities and discovering intrusions. This course provides a time-tested, step-by-step process for responding to computer incidents, and a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them and turn the tables on computer attackers.

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling Instructor: Michael Murr @mikemurr

“The training offered at SANS is the best in the industry, and the SEC504 course is a must for any IT security professional – highly recommended.”

-Michael Hoffman, Shell Oil Products

giac.org/gcih

Bonus SessionsEnrich your SANS training experience! Evening talks by our instructors and selected subject-matter experts help you broaden your knowledge, hear from the voices that matter in computer security, and get the most for your training dollar.

General Session – Welcome to SANS – Michael MurrJoin us for a 30-minute overview to help you get the most out of your SANS training experience. You will receive event information and learn about programs and resources offered by SANS. This brief session will answer many questions and get your training experience off to a great start. This session will be valuable to all attendees but is highly recommended for first time attendees.

State of the Artifact – Keynote– Phil Hagen, Rob Lee, Heather Mahalik, Chad Tilbury, and Lenny ZeltzerJoin the SANS DFIR Faculty as they discuss some of the latest developments in the field of digital forensics and incident response. A rotating cast of instructors will take the stage, discussing some of the latest developments and hot item issues in their respective domains. From Windows and Smartphone forensics to Network and Endpoint Incident Response, and Malware Analysis and Threat Intelligence, no discipline will be left untouched!

How to Write Better Cybersecurity Incident Reports – Lenny ZeltserWriting skills are crucial for information security professionals. After all, readers ignore or misunderstand poorly organized, wordy, and boring text. Since many of us lack formal writing training, we often miss the chance to inform or persuade our managers, colleagues, and clients through written communications. This skill is especially important for creating reports, be they related to security assessments, incidents, policies, budgets, or other topics. Attend this session to learn how to write better cybersecurity reports. You will:• Discover the five “golden elements” of effective reports and learn how to apply

this approach in practice.• Learn the key questions that security incident reports need to address.• Begin improving your skills by identifying and fixing weaknesses in such reports.Join this hands-on session to strengthen your writing skills and, in so doing, boost your information security career.

Using Hashcat to Crack an iTunes Backup Password – Terrance MaguireThis presentation will examine the data structures stored in the manifest.plist of an encrypted iTunes backup file that is used by Hashcat to crack the password. We will explore how to retrieve these structures manually or with a perl script and how to run HashCat to potentially retrieve the password.

DFIR Night Out ReceptionMiami is world renowned for a vibrant and high-energy nightlife! Give your overloaded brain a night off and come join the SANS DFIR faculty and fellow DFIRCON attendees for an evening of networking and fun! Drinks and hors d’oeuvres will be served.

DFIR NetWars – The Coin Slayer Prove you’ve mastered the DFIR arts by playing in the DFIR NetWars: Coin Slayer Tournament. Created by popular demand, this tournament will give you the chance to leave DFIRCON with a fortune in DFIR coinage! To win the new course coins, you must answer all questions correctly from all four levels of one or more of the eight DFIR domains: Windows Forensics, Advanced Incident Response and Threat Hunting, Smartphone Analysis, Mac Forensics, Memory Forensics, Advanced Network Forensics, Malware Analysis, and DFIR NetWars. Take your pick or win them all!

DAY

1D

AY 2

DAY

S 4

& 5

DAY

3

Phil's career has spanned the full attack life cycle – from tool development to deployment, operations, and investigative aftermath – giving him rare and deep insight into the artifacts attackers leave behind. Phil has covered deep technical tasks, managed an entire computer forensic services portfolio, and handled executive responsibilities. He's managed a team of forensic professionals in the national security sector and provided forensic consulting services for law enforcement, government, and commercial clients. @PhilHagen

“ Phil continues to illustrate through examples and paint the big picture for examiners/responders. His approach and teaching style are second to none when it comes to Network Forensics.”-Brad Garnett, Cisco

Philip Hagen SANS Senior Instructor

Teaching FOR572

Lodrina Cherne has over eight years of experience in digital forensics and a lifelong passion for cybersecurity. Her work focuses on preservation and analysis of electronic evidence, including host-based analysis of Windows, MacOS, Android, and iOS systems in matters concerning intellectual property theft, employment disputes, and evidence tampering. She earned a bachelor’s degree in computer science from Boston University and has continued her education by earning the GCFE, GCFA, and GASF certifications from GIAC. @hexplates

Lodrina Cherne SANS Instructor

Teaching FOR500

Terrance Maguire is the chief scientist and managing member of Digital Forensics Academy LLC, conducting digital forensic investigations, carrying out research and development in computer forensics, and providing training to the government and commercial sectors. He has over 27 years of experience in physical and digital forensic investigations. Terrance has developed and led training programs in varied areas of law enforcement and digital evidence, and has experience implementing counterintelligence intrusion detection programs.

Terrance Maguire SANS Certified Instructor

Teaching FOR585

Instructors

Rob Lee SANS Faculty Fellow

Teaching FOR500

Rob Lee is the Curriculum Lead and an author for SANS Digital Forensics and Incident Response training. He earned his MBA from Georgetown and graduated from the U.S. Air Force Academy. As a member of the Air Force Office of Special Investigations, Rob led crime investigations and worked directly with government agencies as a technical lead. He was also a director at MANDIANT, a commercial firm focused on responding to advanced adversaries such as the APT. @robtlee

“ The skills learned are usable immediately on real-world cases as soon as you get back to work from training. Rob is absolutely top notch.”-Jason Janka, University of Florida

SANS Instructors Fewer than 100 individuals are currently qualified and designated to teach as SANS Instructors worldwide. This select group of professionals includes recognized industry experts and real-world practitioners, all of whom have proven to be engaging teachers in the classroom. Their up-to-date examples and deep knowledge ensure that what you learn in class will be relevant to your job. The lineup of SANS Instructors for SANS DFIRCON Miami 2018 includes:

For complete instructor bios, visit: www.sans.org/instructors

Michael has been a forensic analyst with Code-X Technologies for over five years. He has conducted numerous investigations and computer forensic examinations, and has performed specialized research and development. Michael has led SANS Online Training courses and is a member of the GIAC Advisory Board. Currently, Michael is working on an open-source framework for developing digital forensics applications. He holds the GCIH, GCFA, and GREM certifications and has a degree in computer science from California State University at Channel Islands. @mikemurr

“ Mike is exceptional. His presentation is super smooth, and he’s ultra knowledgeable.”-Matt McGuirl, Palo Alto Networks

Michael Murr SANS Principal Instructor

Teaching SEC504

In his previous work with the military, Peter responded to network attacks, and worked with both defensive and offensive red teams. Currently, Peter is a Senior Security Engineer with IBM. He works daily to bring actionable intelligence out of disparate security devices for customers, making systems interoperable. As Peter explains, “Putting together networks only to tear them apart is just plain fun, and allows students to take the information learned from books and this hands-on experience back to their particular work place.” @_s14

“ Peter is a great instructor. He is not only knowledgeable in the field, but captured everyone’s attention for the full class time.”-Michael B., U.S. Government

Peter Szczepankiewicz SANS Certified Instructor

Teaching FOR578

Chad Tilbury SANS Senior Instructor

Teaching FOR508

Chad Tilbury is a technical director at CrowdStrike specializing in incident response, corporate espionage, and computer forensics. He has nearly 20 years of computer forensics experience at government agencies, defense contractors, and Fortune 500 companies around the world. Previously, Chad served as a special agent with the Air Force Office of Special Investigations, where he conducted computer crime investigations and helped bring counter-espionage techniques into the digital age. @chadtilbury

“ Chad is really good at simplifying the complex topics and making them understandable for all.”-Francisco Leon, Bestel

Lenny Zeltser SANS Senior Instructor

Teaching FOR610

Aptly called the “Yoda” of malware analysis by his students, Lenny Zeltser is a seasoned business and technology leader with extensive information security expertise. Lenny started his professional journey in a variety of technical InfoSec roles before serving as the national lead of the U.S. security consulting practice at a major cloud services provider. A co-author of four books on malware, network security, and digital forensics, Lenny also developed the Linux toolkit REMnux to make it easier to use a variety of freely available malware analysis tools. Today, as VP of Products at Minerva Labs, Lenny designs and builds creative anti-malware products. @lennyzeltser

“ Lenny presented a wealth of knowledge and tied it together smoothly. I am leaving with exponentially more knowledge.”-David Werden, NGIS

Heather Mahalik is Director of Forensic Engineering for ManTech CARD, where she leads the forensic effort in analysis, tool testing, and tool development. She has more than 15 years of experience in digital forensics and has supported law enforcement, Fortune 500 companies, and the federal government in extracting and manually decoding artifacts used to solve major investigations ranging from child exploitation to high-profile terrorism investigations. One would be hard-pressed to find a mobile device or platform she has not researched, or a commercial tool she has not used. @HeatherMahalik

“ I appreciate Heather being real and upfront about the difficulties of mobile examinations. Technology changes all the time, and we all have to figure it out and adapt.”-Brad Garnett, Cisco

Heather Mahalik SANS Senior Instructor

Teaching FOR585

Extend and Validate Your Training

• Four months of supplemental online review

• 24/7 online access to your course lectures, materials, quizzes, and labs

• Subject-matter-expert support to help you increase your retention of course material

• Distinguish yourself as an information security leader

• 30+ GIAC cybersecurity certifi cations available

• Two practice exams included

• Four months of access to complete the attempt

More Informationwww.sans.org/ondemand/bundles | www.giac.org

*GIAC and OnDemand Bundles are only available for certain courses.

Extend Your TrainingExperience with an OnDemand Bundle

Get Certifi ed withGIAC Certifi cations

Add an OnDemand Bundle OR GIAC Certifi cation Attemptto your course within seven days of this event to get bundle pricing.*

Special Pricing

“ The course content andOnDemand delivery method have both exceeded my expectations.”

-Robert Jones, Team Jones, Inc.

“ GIAC is the only certifi cation that proves you have hands-on technical skills.”

-Christina Ford, Department of Commerce

Bundle OnDemand or GIAC with your course before Oct 1st and save $40!GIAC and OnDemand Bundle price before Oct 1st: $729GIAC and OnDemand Bundle price on or after Oct 1st: $769

Register online at www.sans.org/DFIRCON2018We recommend you register early to ensure you get your first choice of courses.Select your course and indicate whether you plan to test for GIAC certification. If the course is still open, the secure, online registration server will accept your registration. Sold-out courses will be removed from the online registration. Everyone must complete the online registration form. We do not take registrations by phone.

Cancellation & Access PolicyIf an attendee must cancel, a substitute may attend instead. Substitution requests can be made at any time prior to the event start date. Processing fees will apply. All substitution requests must be submitted by email to registration@sans.org. If an attendee must cancel and no substitute is available, a refund can be issued for any received payments by October 17, 2018. A credit memo can be requested up to the event start date. All cancellation requests must be submitted in writing by mail or fax and received by the stated deadlines. Payments will be refunded by the method that they were submitted. Processing fees will apply.

Pay Early and Save*

DATE DISCOUNT DATE DISCOUNT

Pay & enter code by 9-12-18 $400.00 10-3-18 $200.00

*Some restrictions apply. Early bird discounts do not apply to Hosted courses.

Use code EarlyBird18 when registering early

SANS Voucher ProgramExpand your training budget! Extend your fiscal year. The SANS Voucher Program provides flexibility and may earn you bonus funds for training.

www.sans.org/vouchers

Registration Information

Hyatt Regency Coral Gables 50 Alhambra Plaza Coral Gables, FL 33134 305-441-1234 www.sans.org/event/dfircon-miami-2018/location

Hotel Information

Top 3 reasons to stay at the Hyatt Regency Coral Gables1 No need to factor in daily cab

fees and the time associated with travel to alternate hotels.

2 By staying at the Hyatt Regency Coral Gables, you gain the opportunity to further network with your industry peers and remain in the center of the activity surrounding the training event.

3 SANS schedules morning and evening events at the Hyatt Regency Coral Gables that you won’t want to miss!

Leave the ordinary behind and escape to the Hyatt Regency Coral Gables, a Mediterranean-style resort designed to replicate the Alhambra Palace in Spain. This TAG-approved Miami beach exudes grace and elegance while offering premium amenities and hospitality that comes straight from the heart. When you arrive, you will be greeted by the two-story marble lobby accented with antique candle chandeliers, floral arrangements, arched hallways, and Spanish-style windows for an added sophistication. Welcome to the “Beverly Hills of Miami.”

Special Hotel Rates AvailableA special discounted rate of $205.00 S/D will be honored based on space availability. Government per diem rooms are available at the prevailing rate with proper ID. These rates include high-speed Internet in your room and are only available through October 12, 2018.

NewslettersNewsBites Twice-weekly, high-level executive summaries of the most important news relevant to cybersecurity professionals.

OUCH! The world’s leading monthly free security awareness newsletter designed for the common computer user.

@RISK: The Consensus Security Alert A reliable weekly summary of newly discovered attack vectors, vulnerabilities with active new exploits, how recent attacks worked, and other valuable data.

Case Leads A quarterly email digest of the latest news and updates from experts in DFIR.

WebcastsAsk the Experts Webcasts SANS experts bring current and timely information on relevant topics in IT security.

Analyst Webcasts A follow-on to the SANS Analyst Program, Analyst Webcasts provide key information from our whitepapers and surveys.

WhatWorks Webcasts The SANS WhatWorks webcasts bring powerful customer experiences showing how end users resolved specific IT security issues.

Tool Talks Tool Talks are designed to give you a solid understanding of a problem, and how a vendor’s commercial tool can be used to solve or mitigate that problem.

5705 Salem Run Blvd. Suite 105 Fredericksburg, VA 22407

Save $400 when you pay for any 5- or 6-day course and enter the code “EarlyBird18” by September 12th. Register today at www.sans.org/DFIRCON2018

To be removed from future mailings, please contact unsubscribe@sans.org or (301) 654-SANS (7267). Please include name and complete address. NALT-BRO-DFIRCON-2018

As the leading provider of information defense, security, and intelligence training to military, government, and industry groups, the SANS Institute is proud to be a Corporate Member of the AFCEA community.

Other Free Resources (SANS.org account is not required)• InfoSec Reading Room• Top 25 Software Errors• 20 Critical Controls• Security Policies• Intrusion Detection FAQs• Tip of the Day

• Security Posters• Thought Leaders• 20 Coolest Careers• Security Glossary• SCORE (Security Consensus

Operational Readiness Evaluation)

Join the SANS.org community today to enjoy these free resources at www.sans.org/join