SANS DFIR Summit & Training

Virtual Conference | July 16-17, 2020


The annual SANS Digital Forensics & Incident Response (DFIR) Summit is the most comprehensive DFIR event of the year, bringing together a passionate and influential group of experts, cutting-edge research and tools, immersive training, and industry networking opportunities. Learn more and save your spot.

“Opening Remarks” By Phil Hagen

Thursday, July 16 | 9:00–9:15 AM (ET)

Red Canary’s Phil Hagen, a senior instructor at the SANS Institute, will be joined by Heather Michalik and Rob Lee, senior instructor and fellow at the SANS Institute, to kick off the event and address digital forensics or incident response professionals.

“What the DLL is happening? A practical approach to identifying SOH” By Frank McClain

Thursday, July 16 | 2:45–3:20 PM (ET)

There are many ways adversaries can maliciously leverage Dynamic Link Libraries (DLLs). One of the most common is Search Order Hijacking (SOH), a simple technique that provides the means to evade detection, establish persistence, and expand infection. As a DFIR analyst, knowing how to identify SOH during an incident is important, as this can trigger other workflows for memory forensics or reverse engineering.

Most of the available information about DLL hijacking focuses on these late-stage workflows yet overlooks the earlier stages of investigation. This talk will share a profile for SOH and present real-world examples to aid in identifying its setup and usage.

“Using Storytelling to Be Heard and Remembered” By Frank McClain

Friday, July 17 | 12:10–12:20 PM (ET)

Technical people are typically somewhat lacking in soft skills. We can identify bad things at a glance, but communicating those to others in a way they can understand and relate to is a different story altogether.

This talk will shed light on the importance of storytelling in the DFIR space: not only as a means to share information, but also as a method for those who struggle with the confidence to speak in a group or public setting. Everyone has a story to tell, and this talk provides real-world examples of how that can be done by anyone.

Phil Hagen
Frank McClain
CIRT Training Lead