SEC504: Hacker Tools, Techniques, and Incident Handling

Every year, digital forensic and incident response professionals from around the world attend the SANS DFIR Summit to learn how to overcome their latest obstacles, hear about the latest open-source forensic tools, share methods and strategies proven effective in their investigations, and connect with the top DFIR practitioners in the industry.
Every talk has a little nugget that you can add to your forensic toolbox no matter what your forensic wheelhouse may be. This is a must-attend event.
The DFIR Summit never disappoints and is still the #1 DFIR event. As a leader, it allows me to keep a pulse on cutting-edge research and to meet folks.
I think this is the very best event in the DFIR Community, bar none. The combination of the best networking opportunities and the world's best instructors and content can't be beat.
This Summit creates a ton of new ideas on how to improve our incident response processes.
The knowledge you'll absorb in just two days will last the entire year. Whether you’re attending your first DFIR Summit or returning for your seventeenth, you'll join a community that shares a common drive to seek truth through digital forensics and eradicate attackers during incident response engagements.
The industry's top practitioners will share their latest digital forensics and incident response research, solutions, tools, and case studies.
You’ll have the chance to engage with Summit Chairs, speakers, and your peers in the community for deep-dive discussions, and casual chats over breaks, meals, and evening receptions.
The days will be filled with the latest in DFIR, but the fun goes up a notch at night for those joining us in Salt Lake City.
Explore the latest tools and solutions in digital forensics, incident response, and threat hunting.
Enhance your knowledge base and add to your toolkit by bundling your Summit experience with a hands-on, immersive course taught by top SANS instructors and course authors.
2 Free practice tests when you add a certification exam attempt to your course. Available for select courses below.
Add OnDemand access for 4 months to help you prepare for your GIAC exam. Available for select courses below.
Play two evenings of the DFIR NetWars Tournament. Free with purchase of a 4, 5, or 6 day course.
Jerod has worked in the field of DFIR for the past 18 years. Since 2013, he has focused on incident response, where he leads and coordinates the overall response, as well as participates in deep-dive investigative forensic analysis.
Mattia Epifani pioneered methodologies for extracting critical evidence from encrypted mobile ecosystems, including iOS and Apple Watch. His groundbreaking work has become foundational for law enforcement and forensic analysts worldwide.
Josh is a Digital Forensics Expert with Cellebrite. Previously, he was a Senior Vice President with Kroll, the Forensic Scientist Manager of the N.C. State Crime Lab and a Forensic Computer Agent with the North Carolina State Bureau of Investigation.
Tony Knutson is a Principal Consultant at Palo Alto Unit 42. He is also part of the SANS OnDemand SME team.
Scott is a security leader, analyst, software developer, and author. He is Head of Threat Research for Interpres Security and has led security teams and projects in the defense industrial base, GitHub, Apple, Splunk, and most recently Argo AI.
Veronica is an Assistant Professor at Noroff University. Veronica holds a Master in Science at Rhodes University in Information Security with specialisation in the forensic analysis of malware.
Thursday 24th July & Friday 25th July
Saturday 26th July - Thursday 31st July
More details to come
Presented by
Mari DeGrazia
Certified Instructor
This research uncovers a real-world covert remote-control system designed by a North Korean IT worker, who was caught operating within an unsuspecting organization.
With increasing cyber threats, Apple introduced a robust security feature known as "Lockdown Mode." This session delves into the intricacies of Lockdown Mode, exploring its purpose and evolution.
Presented by
Bhargav Rathod
Security Analyst
Virtual
With only 23% of surveyed security professionals stating their incident response (IR) playbooks are updated frequently enough to keep up with best practices, a new approach is needed to “power up” the way organizations maintain their playbooks.
Threat actors don’t just break in, they find creative ways to remain persistent. In this session, we will explore persistence techniques used in real-life Microsoft 365 incidents and how to identify them in your environment.
Presented by
Federico Cedolini
DFIR Senior Consultant
Virtual
Cybersecurity professionals are often faced with complex, high-stakes investigations where quick decision-making and investigative accuracy are critical.
Presented by
Tony Knutson
Principal Consultant
Human-operated ransomware groups have increased their focus on cloud environments, targeting identity administrators and cloud misconfigurations to gain persistent access.
Virtual
The proliferation of cloud-based solutions has significantly transformed the landscape of enterprise security, with Microsoft Intune emerging as a pivotal tool for device and application management.
Presented by
Dennis Labossiere
Director
DFIR Bytes are digital forensics and incident response case simulations that provide a real-world investigative experience.
Presented by
Kathryn Hedley
Certified Instructor
Security leaders and teams rely on MDR providers to deliver 24/7 monitoring of security events, augment the expertise of internal SOC analysts, assist with or perform response actions, and offer assurance that adversaries are not present in the environment through threat hunting.
Making Sense of the Chaos explores two distinct threat hunting approaches: structured, hypothesis-driven hunts, and unstructured hunts, where data leads the way.
Adversaries leverage the TAILs (The Amnesic Incognito Live System) operating system for conducting criminal activity.
Logs are foundational to nearly all DFIR engagements, yet reliably extracting logs from sources such as network appliances, SaaS applications, and cloud environments can be challenging.
Presented by
Colin Meek
DFIR Consultant
In modern cybersecurity, the ability to connect isolated security alerts into coherent, actionable attack chains is essential. However, traditional detection methods often struggle to contextualize vast amounts of security data, leaving slow and stealthy attacks undetected within a sea of noise and false positives.
Presented by
Ezz Tahoun
Lead Researcher
As many Mac DFIR professionals know, macOS is constantly changing. New features are regularly added to the platform that may provide a new source of information that an examiner can use during an investigation.
Get ready for high-energy fun at the DFIR Summit! Join us on the evening of July 24 for Best Corporate Feud—a fast-paced, game show-style competition where teams go head-to-head guessing the most popular answers to fun survey questions. Whether you're on stage or in the audience, everyone gets in on the action!
More to come.
Private browsing, often referred to as "Incognito Mode," is widely considered a way to maintain privacy during internet use. However, while this mode may obscure browsing activity from casual users and the device’s history logs, it does not guarantee complete anonymity.
This hands-on workshop uncovers the critical configurations of roles, permissions, and service accounts, with a special focus on the often-overlooked risks posed by default service accounts and their excessive permissions.
Presented by
Pierre Lidome
Certified Instructor
Today more than ever, we are faced with the daunting task of protecting our environment and stopping attacks. At the same time, the adversary is getting smarter and more effective by the day.
Presented by
Kevin Ripa
Senior Instructor
Artificial intelligence is still one of the most popular buzzwords we use in cybersecurity. We see it added to everything, to the point that we use it to write emails that end up being read by other AI agents.
Presented by
Tarot (Taz) Wake
Certified Instructor
Registration: All students who register for a 4–6 day course will be eligible to play NetWars for free. Registration for this event will be through your SANS Account Dashboard the week of the event.
A special discounted rate of $209.00 S/D plus applicable taxes will be honored based on space availability.
A limited number of Government Per Diem rooms at the prevailing rate are available with proper ID.
These rates include Internet in your room and are only available through Tuesday, July 1, 2025.
Eliminate the hassle of daily commutes and wasted travel time. You’ll have everything you need, from your training to dining and amenities, all in one centralized, convenient location.
Stay where the action is! Maximize your chances to connect with fellow cybersecurity professionals and industry leaders - from impromptu conversations in the lobby to exclusive after-hours events.
SANS live training events include bonus sessions exclusively at the venue. Staying on-site ensures you won’t miss these opportunities to grow your network and engage with peers beyond the conference agenda.
Newly-renovated hotel in downtown Salt Lake City, located just steps away from world-class fashion and dining. Step into style as you enter the lobby featuring high ceilings and comfortable seating. After a day exploring the city, take time to visit Destinations Lounge, the ideal place to meet friends for a cocktail or craft beer. After grabbing drinks, indulge in delicious dining at The Salt Stone, the hotel's on-site restaurant offering all-day dining and in-room service. Work up a sweat in the fitness center, with cardio and weight training options, then kick back in one of the comfortable hotel rooms with crisp linens, free Wi-Fi and Salt Lake City views.
Self-Parking: Hourly: $4.00*, Daily: $25.00*
Valet Parking: $38.00*
*Rates subject to change. Please contact the venue for the most up to date information.
SANS attendees will receive 50% off overnight and day self-parking from current cost based on availability.
The SANS North America Summit Volunteer Program is a popular and competitive way for professionals to attend two-day SANS Summits in-person for free, in exchange for their assistance with the Summit. Summit Volunteers assist the team onsite with various tasks to set up, support, and tear down the event afterward. To learn more about the qualifications and how to apply, please visit our NA Summit Volunteer Program page.