2023 SANS Report Digital Forensics

The 2023 SANS Report on Digital Forensics discusses the key focus areas of digital forensics and incident response (DFIR) including Windows/Mac forensics, threat hunting, incident response, cloud forensics, mobile device forensics, malware analysis, network forensics, memory forensics, and ransomware incident response. It emphasizes the importance of specializing in one or more areas of DFIR due to the difficulty and breadth of the field. The report concludes by encouraging attendees to pursue their strengths, take training, and apply their skills to help address the shortage of DFIR professionals.


2023 SANS Report: Digital Forensics
Sponsored by Cisco, Corelight, Grayshift

©2023 SANS™ Institute | www.sans.org 1


Today’s Speakers
• Heather Mahalik – Faculty Fellow, instructor, author, and DFIR curriculum lead, SANS; Senior Director of Digital Intelligence, Cellebrite
• Domenica Lee Crognale – Certified Instructor, author, and Principal Security Engineer, SROC, SANS
• John Gamble – Senior Director of Product Marketing, Corelight
• David Smalley – Worldwide Lead for the Digital Forensic Specialist team, Grayshift



Today’s Agenda
• DFIR explained
• Breaking down the specialties
• Quotes from those whom we deem specialists
• The way forward
• Sponsor panel discussion



Let Us Explain
DFIR = Digital Forensics and Incident Response

Essentially computer forensics with core specialties

Shortage of professionals

Great pay and amazing opportunities

People seem to love their jobs!



DFIR Focus Areas
• Windows & Mac forensics
• Threat hunting (intel)
• Incident response (IR)
• Cloud forensics
• Mobile device forensics
• Malware analysis and reverse engineering
• Network forensics
• Memory forensics
• Ransomware IR



Why Specialize
Inch-deep and mile-wide knowledge in DFIR is dangerous.

DFIR is not easy.

• Requires research
• Requires training
• Requires practical application

Often one specialty can branch into another.

Determine which focus is right for you.



Windows and Mac Forensics
Most prevalent platforms used

Involves identifying, preserving, extracting, analyzing, and documenting artifacts of interest



Threat Hunting (Intel)

Hunting cyber threats attributed to notable threat actors

Requires gathering, filtering, and disseminating intel to warn and stop attacks

Requires learning and understanding of common TTPs used by threat actors



Incident Response
Requires knowledge from many DFIR disciplines

The trade follows a cyclic approach:

• Preparation of systems and procedures
• Identification
• Containment
• Eradication of attackers and re-entry points
• Recovery from incidents and system restoration
• Lessons learned



Cloud Forensics
Involves understanding artifacts that are generated, logged, and retained in cloud repositories

Requires an understanding of the different providers and methodologies

Essentially hunting for “anything and everything” in the cloud



Mobile Device Forensics
Involves securing, acquiring, and analyzing data from smartphones and mobile devices

Requires training and constant research—always evolving



Malware Analysis and Reverse Engineering
Involves identifying and describing the functionality and impact of malicious applications running on a computer

The examiner must spot the malware, dig into the source code, and explain what the malware is built to do if it runs on a computer system.

Often requires knowledge of the system being examined



Network Forensics
Involves capturing and analyzing traffic on premises and in the cloud

Requires the ability to learn the various protocols that can be used to transfer data across different network types and the best tools to analyze each

Often ties in nicely to IR, malware analysis, ransomware, and mobile forensic cases



Memory Forensics
Specialists are needed when the activity of the attack is not detectable on the active file system.

Examiners must know how to collect data (because it is fragile), and they must also know how to analyze the data

Like malware analysis, often requires knowledge of different operating systems



Ransomware Incident Response
Requires the same skills as the incident responder

The goal is to identify how the attack occurred.

Determine the amount of damage done



The Way Forward
Don’t assume you have to do just one thing.

Be curious.

Be a team player—one person can’t do it all.

Most niche specialties are open to all—entry level to senior.

Consider your strengths.

Take free training.

Apply for the job.



Q&A
Please use Zoom’s Q&A window to submit questions to our presenters.

Type your question, tell us if it’s for a specific presenter, and then click Send.



Acknowledgments
Thanks to our sponsors: Cisco, Corelight, and Grayshift

To our special guests: John Gamble, David Smalley

And to our attendees, thank you for joining us today!
