2015 DFIR Summit Review

It’s always bittersweet to write conference “review” posts. I usually find myself missing the best part(s) of the conference and wishing the conversations could last just a bit longer, while simultaneously eagerly looking forward to and excited about next year. SANS’ DFIR Summit is a perfect example of this dilemma.

Let me begin with a piece of advice: If you work in DFIR, and have not attended a Summit, I would highly recommend trying to make it down to Austin next year. Without a doubt, the amount of knowledge and experience gathered in one place for a brief period of time shifts the global DFIR equilibrium to central Texas. The tools we all love to use, blogs we love to read, and trainings we have learned so much from? All here and all accessible.

But it goes beyond a face from your Twitter feed across the room or watching a great talk from your favorite analyst. We are approachable. We are willing to talk, share, teach, and learn. The atmosphere is relaxed and fun while remaining educational and informative. A true problem of choice is whether to watch an expert talk about keylogger forensics or an expert talk about new Windows 8 artifacts. An even tougher decision is which expert to buy a beer later on to pick their brain(s) even further! Despite all of this, the summit never loses its core concept: DFIR knowledge is useless if it’s contained within only one mind. We all benefit by sharing our experiences, successes, failures, and research with each other.

To say one talk should be watched over another is simply a downright lie. Luckily for us all, videos will be posted in the SANS Video archive shortly. I’d recommend taking the time to watch them all. Skip an episode during the next binge Netflix run, and watch mind blowing WMI or registry research. If you’re a forensic lunch fan, there was a live episode that featured DFIR Catchphrase and Brian Moran’s thoughts on building a house. Trust me — each talk will be worth your time and will hopefully provoke thought about a new lens with which to examine artifacts.

If you’re limited on time, then start with the SANS 360 videos — limited to 360 seconds in length. But don’t let that fool you — they are still packed with experience and knowledge. I’d be a fool if I didn’t mention there is one that is exceptionally clever from this year — you’ll know it when you see it.

Last but not least, I had the opportunity to speak at the Summit this year. My talk was on NoSQL forensics, the (lack of) artifacts that are there, and how to approach these types of artifact-less investigations. As always, the audience was the best part, and I was able to walk away with new thoughts, ideas, and research to perform. Feedback was amazing and only helps me grow as a forensicator. If anyone is interested, I’ve posted my slides up here. I can’t say it enough — thank you, thank you to the audience and your ability to make me a better forensicator.

A special thanks to Rob Lee, Alissa Torres, and David Cowen for putting on a fantastic show. And thanks again to this great DFIR community and all that we do to give back and help each other grow. If DFIR went away tomorrow, rest assured we’d still be amongst friends and surrounded by some of the smartest folks out there.


Originally published at www.505forensics.com on July 9, 2015.
