SANS DFIR Summit 2022

The Real STEM Sadie takes on the 15th annual SANS DFIR Summit in-person as a neurodivergent, chronically ill woman in cybersecurity.

Note: any text written in gold has a link with more information located in the "Learn More" dropdown menu at the end of the section.

Summit Background

At the end of August, you'll find all of the Digital Forensics & Incident Response (aka DFIR) enthusiasts huddled together in Austin, Texas (USA). Networking, nerding out, and eating BBQ (shoutout to Terry Black's) - the attendees of the SANS DFIR Summit are single-handedly keeping Austin weird.

This FREE summit is available via live online as well as in-person and for each presentation, registered participants have access to the slides and graphic recordings all posted immediately following the conclusion of the presentation. Registered participants also have access to a Slack channel to communicate with other attendees, to ask the presenters questions, to swap virtual business cards (LinkedIn profiles mostly), and to make new connections within and outside of the SANS DFIR community. Weeks after the summit, SANS posts video recordings of the summit talks on their YouTube channel - making them accessible to EVERYONE regardless of their summit attendance.

This unique hybrid approach is perfect for everyone and the fact that it's all FREE means it's a no-brainer decision to attend. Unlike other conferences I've attended on similar subjects, SANS conferences were the first place I felt safe to ask questions to people of ALL experience levels and every single presenter reached out to encourage me to join the DFIR community and actually wanted to help me learn/grow.

When I first was looking for a new job during my transition out of the US Federal Government (the beginning of the pandemic), this was the first SANS conference/summit I attended due to it's cost and presentation medium. Let me tell you - I was immediately hooked. This summit is where I met my current manager, Phil Hagen, who went above and beyond to not only answer my questions about DFIR but to also discuss life and potential career paths with me. Now, here I am working for SANS under Phil's direction so to me this summit was life-altering.

Day 0: Flying to Austin

This trip was full of STEM Sadie firsts, including the first time...

• flying in over 5 years

• traveling with mobility aids (collapsible cane and wheelchair service in airport)

• being seen in public using my mobility aids (and dealing with the associated comments and stares)

• attending a SANS event in-person

• meeting any of (and almost all) of my coworkers since I started working at SANS

• meeting my DFIR community friends and idols in-person

As confident and comfortable as I am being my authentic, chronically ill self, the stigma behind "looking healthy" while using a mobility aid is something I'm still struggling to overcome. Recently mindset has changed from

"If I'm not well enough to walk through an airport then I'm not well enough to go on a trip"

to

"Save your energy for things that matter by using accommodations/aids where you can".

The thing about chronic illness is that it's an lifelong, incurable, ebbing and flowing of symptoms. One day you'll see me (symptom-free) dancing around my room and the next moment I might need a cane to walk due to loss of balance, loss of leg function, uncontrollable tremors, and high blood pressure spells. Shoutout to the airline worker who told me "Girl, you look great! You don't need a wheelchair." To which I responded "Thanks, I do look great - but I also need a wheelchair."

For this trip, my mother/caregiver found this amazing collapsible cane that's opened my eyes to a whole new world of possibility. This cane provides me stability when my body/mind has no idea where it is in space (causing the balance issues) and support when I lose part of my leg function/feeling. The accommodation process with American Airlines was much easier than I anticipated. I went through the official accommodations request form and was approved (with no official proof of disability needed) for a wheelchair escort through the airport from gate to terminal as well as terminal to gate when I landed. Without that escort, I know for certain it would have taken me hours to walk with my cane through each airport, especially when I needed a moment to catch my breath every 10 mins.

Look out world, The Real STEM Sadie is ready for more traveling and adventures just like every other ambitious woman in her late 20s out there!

After landing in Austin, Texas, I made my way to my handicapped room on the 23rd floor. Yes, I too thought the 23rd floor was strange since if there was a fire I would be stranded or probably die trying to hobble down all of those stairs - but I researched and learned that the American Disabilities Act encourages equal dispersion of handicap hotel rooms so I guess it's not out of the ordinary at all. Although there were social/networking events I desperately wanted to attend, I listened to my body and recuperated from the flight alone in my hotel room. This ended up being the correct choice as the swelling in my legs/joints, limb tremors, and raging urticaria subsided completely by the next morning.

Day 1: Summit Start

One hour before the summit starts, the hotel lobby Starbucks is eerily quiet. As I wait for my caramel macchiato in the two-person line, I wonder if I'm in the right building or if everyone who works in DFIR has evolved into superior creatures who don't need coffee to survive. Luckily, one of my coworkers stops me and becomes the first coworker I've ever met in-person and the beacon of hope that I may be in the right building after all. Coffee (with my name misspelled "Suddy") in one hand and my pink cane in the other, I headed into the Summit venue star struck by the hustle and bustle of the registration booth.

Swag flying around everywhere, I catch a glimpse of one of my industry idols (and the second day keynote speaker), Rob T. Lee. I could see his huge smile and hear his jolly laugh from the back of the line and nearly jumped up and down when I finally shook his hand and introduced myself. As I received my badge and swag, I was graced with the warmest welcome by some of my favorite ladies at SANS. Continuing to the conference room where the keynote would soon begin, I continue to encounter more coworkers, my managers Phil and Lee, friends from my NSA days, and new friends and personal heroes I've only conversed with on Twitter. This conference was the most inclusive, friendly, safe, learning-centric one I've been to and not once did I feel like or was treated as a newbie - DFIR, SANS, or otherwise.

The morning sessions for track 1 were diverse, interesting, and well-presented. My favorite talk of the day "Missing Pieces: Tips and Tricks on How to Ensure Your Acquisitions Aren't Missing Critical Data", was presented by two DFIR pros both of whom that I fan girl over via Twitter: Cesar Quezada and Jessica Hyde. This presentation had all of the elements I was looking for - presenting a concept rather than a tool, walking through the speakers' out-of-the-box thought process, applications to real life situations, examples with data, and (perhaps most important to me) information that's both surprising and terrifying leading me down another rabbit hole of paranoia. Once lunch time came around, I got to experience the famous Terry Black's BBQ with my best friend, Brian Moran, and formerly-online-only DFIR friends. I haven't laughed nor smiled that hard with a big group of friends in a very long time - thank you to all of you and I sincerely hope we can meet up again soon!

Unfortunately, I ended up having to miss the afternoon sessions due to a flair up of several symptoms associated with my autoimmune diseases. Luckily, SANS thought of everything and I was able to watch the talks live online from my hotel bed, download the slides/graphic recordings immediately after the talk ended, and the full recordings will be available on YouTube in the near future to rewatch. The afternoon talks ranged from artifacts to workflow automation to implants and more. My personal favorite from the afternoon bunch was "The Truth About USB Device Serial Numbers: And the Lies Your Tools Tell", another paranoia-inducing talk presented by Kevin Ripa.

Originally I planned on writing much more detail about each summit talk I attended, but real-talk I loathe when people put spoiler alerts in the middle of a blog post so

tHiS iS lEfT aS aN eXeRcIsE fOr ThE rEaDeR.

LOL KIDDING!! Sorry for the STEM textbook flashbacks, but seriously check them out for yourself on the SANS YouTube page and hit me up if you're interested in my thoughts (if I have any rattling around in this ADHD -riddled brain).

Day 2: Summit End

0430: BEEP! BEEP! BEEP!

It's the second and final day of the summit, Starbucks is hotter than a Texas summer, and my coffee order has my name spelled correctly. The conference room is PACKED, everyone on the edge of their seats waiting for Rob T. Lee's keynote "The Godfather of Forensics: How to Leverage Your Year One to Get an Offer You Cannot Refuse".

If you take anything away from this blog post or the 2022 SANS DFIR Summit, it's that ROB HAD SPENT MOST OF HIS LIFE NEVER HAVING SEEN THE GODFATHER MOVIES - wait, no - it's bookmark the recording of this keynote and watch it often. This keynote (which made me literally tear up in public) was an honor to attend in person. The speaker was pure magic in his presentation style and touched every single person, from DFIR experts to newcomers, in that conference room. Rob and the DFIR community truly encompass the philosophy that we all are supporting one another on this lifelong journey of learning. From imposter syndrome to working with difficult colleagues to professional development and more, this keynote is going to be a tough one to top.

Being an OSINT enthusiast myself, my favorite talk of the day was "Hunting Threat Actors Using OSINT Forensics" by Abi Waddell. While this talk was extremely tool focused, this talk was in high attendance as Abi took us through the entire clue finding and connecting OSINT process for real-life cases. While the talk focused solely on threat hunting, it inspired me with new ideas and potential attack vectors to consider when analyzing my anonymity/management of attribution when building/using personal sock puppets for OSINT research and for my own personal OPSEC procedures.

At the end of another amazing day of talks, the summit wrapped up with "Updates in DFIR" and the "Forensics 4:Cast Awards". While there were many updates in the DFIR community both related to SANS and in general, the biggest splash was made by the release of "The Ultimate Guide to Getting Started in DFIR" manual, available for download free to the public. This document is a must have for those new to cyber security and DFIR - I know I've already referenced it MORE than a few times since it's release. While Cellebrite dominated the awards ceremony, the host Lee Whitfield earned best overall with his hilarious intro video "We Didn't Start DFIR".

Lee's remix of the Billy Joel classic kicked off the theme of the night as summit attendees migrated to a local bar to celebrate another successful year in DFIR. They danced the night away to an 80s cover band, the Spazmatics - and STEM Sadie was no exception. Despite not being able to drink and using a cane, I broke out that dress I've been dying to wear for the past few years and transformed into "that babe with a mobility aid". Finally feeling my age (late 20s), I met new friends, sang my heart out, and even managed to get out on the dance floor for a song or two.

Key Takeaways

Even though I ended up contracting COVID19, I wouldn't change ANYTHING that happened this summit. During this summit I was able to enjoy time in-person with friends both old and new, to learn new and exciting DFIR concepts, to make industry connections, to finally meet my teammates in-person, and to prove to myself that I'm stronger than I give myself credit for. This next chapter of my late 20's is going to be filled with more accommodated adventure, more time spent with friends, and definitely more DFIR. Thank you to SANS for hosting the DFIR summit and I hope to see everyone there - including YOU - next year!

P.S. Check out the DFIR Detective's StartMe page for every single link related to the DFIR 2022 summit! It's my go-to for all things related to the SANS DFIR 2022 summit.