There are many misconceptions and it is not easy to start in the field, but then if it was easy, everyone would be doing it, right?  FOR498: Battlefield Forensics & Data Acquisition course author Kevin Ripa tells you how to get started in the field in 3 minutes or less.

Authors of the New FOR308: Digital Forensics Essentials course, Kathryn Hedley, Jason Jordaan and Phill Moore talk about what's needed to build your foundation in DFIR.

This presentation identifies areas where organizations should put more focus in order to stop tilting at windmill. 
Learn all about CTI by taking FOR578: Cyber Threat Intelligence course at the summit with Katie Nickels.

David Bianco and Cat Self discuss coming into an existing threat hunting program, prioritizing areas for improvement, and implementing those improvements to make a great hunting program even better.

This guide is a supplement to the SANS FOR572: Advanced Network Forensics and Analysis by course author Phil Hagen. It covers some of what we consider the most useful Linux shell primitives and core utilities.

The FOR508: Advanced Incident Response, Threat Hunting & Digital Forensics course poster helps you understand lateral movement tools and techniques. It provides information on how to hunt more efficiently, quickly perform incident response scoping, and better anticipate future attacker activity.

Memory Forensics SkillBuilder Series: User-Mode Process Dump Analysis with WinDbg

In this webcast series, FOR526: Advanced Memory Forensics & Threat Detection course author Alissa Torres walks through analysis of process dumps to uncover code injection, user-mode hooking and user activity.

Watch User-Mode Process Dump Analysis with WinDbg: Take Two

HuntWorld
Threat Hunting & Incident Response Summit 2017

Adversaries have been coming to our networks for nearly 20 years, repeating the same intrusions day after day, while we repeat more or less the same responses day after day. In this talk  Rob Lee exploriesthe hunting culture over the years and studying what works, what doesn’t, and what the future holds.

Read the State of Malware Analysis - Advice from the Trenches Blog

DFIR Summit 2019

Velociraptor introduces a powerful query language (VQL) to flexibly define artifacts to collect and hunt endpoints at scale and without needing to push new client code. It provides unprecedented visibility into the state of the endpoint and the ability to tailor responses as the investigation evolves. Having this capability in an open-source tool that allows for truly surgical collection – at speed, at scale and free – is a triple bonus.

All the content from the FOR585: Smartphone Forensic Analysis In-Depth course poster in an interactive format to help you navigate and search for content faster.

Authored by FOR518: Mac & iOS Forensic Analysis & Incident Response course author Sarah Edwards, this cheat-sheet describes the core functions and details of the HFS+ Filesystem.

Finding Evil in Windows 10 Compressed Memory
DFIR Summit 2019

This presentation discusses the application of that research in finding malware from real investigations that had previously been inaccessible in memory snapshots.

SIFT® - A digital forensics and incident response-based Linux distribution bundling most open-source DFIR tools available.  Listen to SIFT Distribution author Rob Lee on how to start with the tools.

In this webcast, FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response course author Phil Hagen explores SOF-ELKs use cases, types of log data currently supported, as well as how to load data from live or archived sources. We will also show the various dashboards supplied with the VM and show how new features can be activated through the projects GitHub repository.

EZTools - Cutting-edge open-source windows based digital forensics tool suite for scalable, scriptable, fast forensics. Listen to tool’s author Eric Zimmerman webcast about how to use the tools. Listen to poster author Mark Hallman on how to use the poster