Tuesday, March 18, 2014

Daily Blog #268: SANS DFIR Summit details

Hello Reader,
You may have seen in Sunday's post some information about my upcoming talk at the SANS DFIR Summit. I thought I would spend some time this week talking about each of the events I'll be talking about in detail so you can set your expectations on which event you'd like to see me at the most (or all of them!). I try to always talk about something different at the major events to keep things interesting for both of us. I also always put my slides up from the event here on the blog; maybe one day they'll let me put up recordings of the talks as well!

Click here to learn more about the event and see the schedule.

Today I wanted to focus on the SANS DFIR Summit as they chose a topic I submitted and was hoping they would like called 'Best Finds of 2014'. I'll be speaking on the first day at 1:45pm in Track 2. I'm excited about this talk because of the huge amount of space SANS has granted me to operate within the topic. Typically when I submit a topic to a CFP I have to choose one particular aspect of our research and focus on it for an hour, which you'll see me doing at other conferences this year. This topic, though, lets me really show you a wider survey of what's really cool and, more importantly, forensically useful from a whole year's worth of research. I'll be hitting the highlights through all of the best artifacts we've covered here in the blog and those that we've only talked about during the Forensic Lunch.

I've found continued success in our own cases this year with the artifacts and analysis techniques I'll be showing this year and I'll give case citations to those of you who need to support using new artifacts by proving their use in past cases. My citations will be for US Civil courts (state and federal) so for those of you on the criminal side you'll likely have to do more validation. So I'm very confident in the utility of these artifacts having used them and defended them in court and achieving great results for our clients.

Here is the list of topics I proposed back in January:
 
  • Detecting writes to NTFS disks with the ntfs-3g driver
  • Recovering MTP access
  • Outlook attachment access through USN Journals
  • Artifacts from renaming accounts in Windows 7
  • Using task scheduler logs to recover past login

I'll be adding more to that list as we just keep finding more cool stuff! I love forensics, if you couldn't tell, and there is still so much we don't know that can lead to conclusive results and findings.

In addition to all of that, SANS has made buying a ticket to the event much more affordable. If you use the discount code 'SUMMIT' now through March 31, 2014, the cost of a ticket will drop by $1,000. So the two-day SANS DFIR Summit would just be $495, which includes great technical presentations (no sales pitches here) and lots of fun and socializing with your fellow forensic friends.

If that is still too much for your training budget you can still win a free pass to the event in upcoming Sunday Fundays so you have lots of opportunities to come down to Austin this June!