DNS Evidence You Don’t Know What You’re Missing


With hundreds of network protocols in use in a typical network environment, it's easy to get overwhelmed during an investigation. Similarly, the technical and legal hurdles to proper full-packet-capture operations leave critical gaps in evidence such as firewall logs, intrusion detection system logs, or NetFlow. However, regardless of the protocols used, the Domain Name System (DNS) is a commonality that forensicators often overlook. DNS may not be glamorous, but it frequently provides critical insight and context during network forensic cases. Even on their own, passive DNS logs can provide an excellent baseline of activity for any environment.

In this webcast, we'll explore some simple and effective ways to create logs of DNS traffic, what specific value they can provide for other evidence types, and how to exploit these logs at scale.
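As an added illustration of the "passive DNS logs as a baseline" idea above (this is example code written for this page, not material from the webcast or its presenters), the script below parses a constructed, simplified DNS query log, builds a baseline of registered domains seen during a known-good window, and then reports, per client IP, which domains in a later window fall outside that baseline. The log format, the sample lines, and the helper names are all assumptions made for the example; the per-client grouping is what lets the result be joined against firewall, IDS or NetFlow records by source address.

```python
"""Passive DNS baseline example (constructed for this page, not from the webcast).

Log format assumed here, one query per line:
    <ISO timestamp> <client IP> <qtype> <qname> <rcode> <answer>
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: a known-good day used to build the baseline.
BASELINE_LOG = """\
2024-03-01T08:00:01 10.0.0.12 A www.example.com NOERROR 93.184.216.34
2024-03-01T08:00:05 10.0.0.12 A updates.example.net NOERROR 198.51.100.7
2024-03-01T08:01:10 10.0.0.15 AAAA www.example.com NOERROR 2606:2800:220:1:248:1893:25c8:1946
2024-03-01T09:12:44 10.0.0.15 A mail.example.org NOERROR 203.0.113.9
2024-03-01T10:30:00 10.0.0.12 A updates.example.net NOERROR 198.51.100.7
"""

# Constructed sample data: the following day, which the analyst wants to review.
NEW_LOG = """\
2024-03-02T08:00:03 10.0.0.12 A www.example.com NOERROR 93.184.216.34
2024-03-02T08:00:09 10.0.0.12 TXT a3f9c2.cdn-telemetry.invalid NOERROR "opaque text record"
2024-03-02T08:00:10 10.0.0.12 TXT b71e0d.cdn-telemetry.invalid NOERROR "opaque text record"
2024-03-02T08:00:11 10.0.0.12 TXT 9c04aa.cdn-telemetry.invalid NOERROR "opaque text record"
2024-03-02T09:15:22 10.0.0.15 A mail.example.org NOERROR 203.0.113.9
2024-03-02T11:42:00 10.0.0.15 A login-example.invalid NXDOMAIN -
"""


@dataclass(frozen=True)
class DnsRecord:
    ts: str
    client: str
    qtype: str
    qname: str
    rcode: str
    answer: str


def parse_log(text: str) -> list[DnsRecord]:
    """Parse the assumed log format; the answer field may contain spaces."""
    records: list[DnsRecord] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=5)
        if len(parts) != 6:
            raise ValueError(f"malformed DNS log line: {line!r}")
        ts, client, qtype, qname, rcode, answer = parts
        # Normalise: drop trailing dot, lower-case the name, upper-case type/rcode.
        records.append(DnsRecord(ts, client, qtype.upper(), qname.rstrip(".").lower(),
                                 rcode.upper(), answer))
    return records


def registered_domain(qname: str) -> str:
    """Collapse a query name to its last two labels.

    Simplification for the example: production code should consult the
    Public Suffix List so that names under e.g. co.uk are grouped correctly.
    """
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def build_baseline(records: list[DnsRecord]) -> set[str]:
    """Set of registered domains observed in the known-good window."""
    return {registered_domain(r.qname) for r in records}


def find_new_domains(baseline: set[str], records: list[DnsRecord]) -> set[str]:
    """Registered domains queried in the review window but absent from the baseline."""
    return {registered_domain(r.qname) for r in records} - baseline


def new_domains_by_client(baseline: set[str], records: list[DnsRecord]) -> dict[str, set[str]]:
    """Group out-of-baseline domains by client IP for correlation with other evidence."""
    out: dict[str, set[str]] = defaultdict(set)
    for r in records:
        domain = registered_domain(r.qname)
        if domain not in baseline:
            out[r.client].add(domain)
    return dict(out)


def subdomain_churn(records: list[DnsRecord], domain: str) -> int:
    """Number of distinct query names seen under one registered domain."""
    return len({r.qname for r in records if registered_domain(r.qname) == domain})


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    review = parse_log(NEW_LOG)
    for client, domains in sorted(new_domains_by_client(baseline, review).items()):
        for domain in sorted(domains):
            print(f"{client}  new domain {domain}  "
                  f"distinct names={subdomain_churn(review, domain)}")
```

The baseline here is a plain set of domains from one day; on a real network you would accumulate it over a longer window and store first-seen and last-seen timestamps per domain, so that a name which was common a month ago but has not appeared since can also be surfaced. The per-client output is deliberately keyed by source IP, the same key the firewall, IDS and NetFlow evidence mentioned above is usually indexed on.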

Presenters:
Philip Hagen

Philip Hagen has been working in the information security field since 1998, running the full spectrum including deep technical tasks, management of an entire computer forensic services portfolio, and executive responsibilities.

Currently, Phil is an Evangelist at Red Canary, where he engages with current and future customers of Red Canary's managed threat detection service to ensure their use of the service is best aligned for success in the face of existing and future threats.

Phil started his security career while attending the US Air Force Academy, with research covering both the academic and practical sides of security. He served in the Air Force as a communications officer at Beale AFB and the Pentagon. In 2003, Phil shifted to a government contractor, providing technical services for various IT and information security projects. These included systems that demanded 24x7x365 functionality. He later managed a team of 85 computer forensic professionals in the national security sector. He has provided forensic consulting services for law enforcement, government, and commercial clients prior to joining the Red Canary team. Phil is also a certified instructor for the SANS Institute, and is the course lead and co-author of FOR572, Advanced Network Forensics and Analysis.

Ryan Johnson
Ryan is a Senior Director and lead incident responder in the Cyber Division of consulting firm Alvarez & Marsal. He was a co-owner of Forward Discovery where he was the lead incident responder and supported the maintenance of the Raptor acquisition tool. Ryan has been investigating crimes in the digital realm for more than 10 years including performing media exploitation for the US Army in Iraq.

Ryan has run multiple large-scale breach investigations and also provides clients with proactive assessments which assist them with identifying both security gaps and identifying systems which are already compromised. Ryan teaches with the US State Department's Anti-Terrorism Assistance program and is a co-author of several of their digital forensics courses. Ryan co-authored Mastering Windows Network Forensics and Investigations, Second Edition.

Ryan's industry credentials include: GIAC Network Forensic Analyst (GNFA), GIAC Certified Incident Handler (GCIH), Certified Forensic Computer Examiner (CFCE), Digital Forensics Certified Professional (DFCP), EnCase Certified Examiner (EnCE), and Payment Card Industry Professional (PCIP). He earned an M.S. from Dalhousie University and a B.S. from Queen's University.
