SANS DFIR WEBCAST - Network Forensics What Are Your Investigations Missing

Author: SANS Digital Forensics and Incident Response

Uploaded: 2015-02-06

Views: 14080

Description:

Traditionally, computer forensic investigations focused exclusively on data from the seized media associated with a system of interest.
Recently, memory analysis has become an integral part of forensic analysis, resulting in a new and significantly different way for digital examiners and investigators to perform their craft.

Now another evolution in computer forensics is at hand - one that includes data collected from network devices as well as from the wires themselves. Every day, more and more network-enabled products hit the market. Incorporating network data from those devices during the analytic process is critical for providing a complete understanding of the event under investigation. Even in traditional data-at-rest examinations, the network may hold the only clues left behind by a diligent attacker who has covered his or her tracks.

We'll discuss how network-based evidence can support traditional data-at-rest computer forensic analysis. Other topics will include the sources and methodologies for collecting network evidence. By knowing what existing data to ask for and what additional data to collect during an investigation, we can provide a more comprehensive analysis of the event at hand.

by Phil Hagen

Philip Hagen has been working in the information security field since 1998, running the full spectrum including deep technical tasks, management of an entire computer forensic services portfolio, and executive responsibilities.

Currently, Phil is an Evangelist at Red Canary, where he engages with current and future customers of Red Canary's managed threat detection service to ensure their use of the service is best aligned for success in the face of existing and future threats.

Phil started his security career while attending the US Air Force Academy, with research covering both the academic and practical sides of security. He served in the Air Force as a communications officer at Beale AFB and the Pentagon. In 2003, Phil shifted to a government contractor, providing technical services for various IT and information security projects. These included systems that demanded 24x7x365 functionality. He later managed a team of 85 computer forensic professionals in the national security sector. He has provided forensic consulting services for law enforcement, government, and commercial clients prior to joining the Red Canary team. Phil is also a certified instructor for the SANS Institute, and is the course lead and co-author of FOR572, Advanced Network Forensics and Analysis.
