Please note: All times below are in Central Daylight Time.

Return to the USA 2025 Conference Page

Please find our tentative program items below. Schedules are still work in progress.

Papers

Nine papers have been accepted. There are seven further papers under shepherding.

Accepted papers

  1. Leveraging Memory Forensics to Investigate and Detect Illegal 3D Printing Activities
    Hala Ali, Andrew Case and Irfan Ahmed
  2. Digital Forensics via Chip-Transplantation in Samsung Smartphones
    Sunbum Song, Gibum Kim, Hongseok Yang, Eunji Lee and Sangeun Lee
  3. Bytewise Approximate Matching: Evaluating Common Scenarios for Executable Files
    Carlo Jakobs, Axel Mahr, Martin Lambertz, Mariia Rybalka and Daniel Plohmann
  4. Detecting Hidden Kernel Modules in Memory Snapshots
    Roland Nagy
  5. An Extensible and Scalable System for Hash Lookup and Approximate Similarity Search with Similarity Digest Algorithms
    Daniel Huici, Ricardo J. Rodríguez and Eduardo Mena
  6. Your Forensic AI-Assistant, SERENA: Systematic Extraction and Reconstruction for ENhanced A2P Forensics
    Jieon Kim, Byeongchan Jeong, Jungheum Park, Seungeun Park and Sangjin Lee
  7. Out of Control: Igniting SCADA Investigations with an HMI Forensics Framework and the Ignition Forensics Artifact Carving Tool (IFACT)
    Lasean Salmon and Ibrahim Baggili

Workshops

Adapting to evolving threats and strengthening security with Purple Teams

by Natalia Ciapponi and Maristela Ames

Abstract:

In a world of ever-evolving threats, organizations must think smarter, act faster, and collaborate better to stay ahead. This workshop dives into the power of purple teaming as a transformative approach to bolster security across diverse defense systems. Together, we’ll explore how offensive and defensive teams can unite to test real-world scenarios, uncover blind spots, and fine-tune detection and response mechanisms. Using actionable insights, practical frameworks, and real-world case studies, attendees will leave equipped to bridge the gap between theory and execution. Discover how purple teams can not only adapt to the latest threats but also anticipate them, ensuring you are always one step ahead of the adversary.

Biographies:

Natalia Ciapponi

Natalia Ciapponi is a Threat Researcher and Purple Team Lead at Arctic Wolf, with over 15 years of experience in the software development industry and more than 8 years specializing in cybersecurity.

She holds a Master’s degree in Computer Information Systems and currently leads adversary simulation initiatives focused on emulating real-world threat actors, including ransomware groups and APTs. Her work bridges offensive techniques with detection engineering, helping organizations assess and strengthen their security posture.

Natalia has led her organization’s participation in MITRE ATT&CK Evaluations across both enterprise and MDR tracks and previously served as a technical lead for EDR detection content. She designs and executes tailored Purple Team exercises, translates threat intelligence into actionable testing scenarios, and collaborates closely with cross-functional teams to drive research and internal enablement.

Outside of work, Natalia is a passionate trail runner, wife, and proud mom of a curious toddler.

Maristela Ames

Maristela Ames is a Security Researcher at Arctic Wolf with over 20 years of experience in computer science, including approximately 15 years focused on cybersecurity. Her areas of expertise include Threat Emulation, Threat Research, Purple Team exercises, Blue Team operations, and the MITRE ATT&CK framework. She actively researches threat actors and advanced persistent threats (APTs), emulating realistic attack scenarios to enhance security products and defensive capabilities.

Maristela has participated in five MITRE Enterprise evaluations and one MITRE MDR evaluation, representing different security vendors as a threat hunter. This experience has provided her with specialized expertise in preparing teams for third-party evaluations by conducting Purple Team exercises that drive successful MITRE outcomes. Metrics-oriented, she gathers insights that support strategic decision-making to improve the organization’s cybersecurity posture, and she is recognized for her collaborative approach across multiple teams.

Outside of work, she finds inspiration and balance through her passion for arts and music.

From Narrow AI to Generative AI: Integrating AI in Your Daily DFIR Life

by Jess Garcia

Abstract:

Join us for an immersive 4-hour workshop designed to elevate your DFIR skills through the power of AI. This hands-on session will explore the integration of custom Machine Learning models and Generative AI technologies into DFIR workflows, offering practical insights and applications. The workshop is divided into two sessions, each focusing on cutting-edge AI technologies and their practical applications in the field of DFIR.

Part 1: Custom Machine Learning Models for DFIR

  1. Overview: The initial part of the workshop will focus on utilizing lightweight Machine Learning models to address specific tasks related to threat detection and incident response. In many cases, smaller custom models can outperform larger models, including those with trillions of parameters like ChatGPT. They require less computational power, are faster to train and deploy, and can be fine-tuned to capture the nuances of particular problems more effectively than large, general-purpose models.
  2. Key Topics:
    • Introduction to ML models relevant for Threat Detection & Response.
    • Gain hands-on experience with machine learning models, including Long Short-Term Memory (LSTM) networks and Transformers.
    • Guidance for building and configuring ML models for Threat Detection & Response.
    • Solving complex DFIR tasks like Lateral Movement detection, UEBA (User and Entity Behavior Analysis), and anomaly detection.
    • Practical Exercises: Step-by-step guide to create and deploy custom ML models to perform complex DFIR analysis in real-world scenarios.
  3. Resources: Jupyter Notebooks, Data Science libraries for DFIR (Pandas, ds4n6_lib, Keras, Tensorflow, …)

Part 2: Generative AI Technologies for DFIR

  1. Overview: This part of the workshop will delve into the application of Generative AI models like Large Language Models (LLMs) to solve many of the most challenging tasks that we face in our investigations today. After covering the most important concepts, tools & resources you need to know related to Generative AI for DFIR, we will apply this promising technology to analyze artifacts with a DFIR-Copilot, correlate CTI sources, automate Threat Hunting tasks, and guide forensic investigations with AI-Agents.
  2. Key Topics:
    • Understanding the basics of Generative AI and its relevance in DFIR.
    • Explore the role of Generative AI in DFIR and why it is a game-changing technology.
    • Practical applications of LLMs for Threat Detection & Response.
    • Enhancing and automating DFIR workflows with AI-Agents.
    • Solving everyday DFIR challenges using Generative AI.
    • Practical Exercises: Gain hands-on experience solving common investigative tasks with Large Language Models. Create custom GPTs and Copilots to analyze forensic artifacts, and configure AI-Agents to tackle the most complex DFIR challenges we face today.
  3. Resources: Jupyter Notebooks, ChatGPT API, LLM frameworks (LangChain, LlamaIndex, LangGraph, …)

Who Should Attend:

  • DFIR Professionals
  • Cybersecurity Analysts
  • Incident Response Teams
  • Anyone interested in leveraging AI for digital forensics and incident response

Why Attend:

  • Gain practical knowledge of integrating AI into DFIR tasks
  • Learn to utilize both classical and Generative AI models
  • Enhance your ability to automate and improve DFIR workflows

Biography:

Jess Garcia

Jess Garcia is the Founder of the global Cybersecurity/DFIR firm One eSecurity and a Senior Instructor with the SANS Institute.

During his 25+ years in the field, Jess has led a myriad of complex multinational investigations for Fortune 500 companies and global organizations.

As a founder of One eSecurity, Jess has led his company to become a world-wide service provider for large global customers, providing highly specialized services & technology in the Detection & Response areas.

As a SANS Instructor, Jess stands as one of the most prolific and veteran ones, having taught 10+ different highly technical Cybersecurity/DFIR courses in hundreds of conferences world-wide over the last 22+ years.

Jess has also been a pioneer in the area of AI for Detection & Response. With the mission of bringing Data Science/AI to the DFIR field, Jess launched in 2020 the DS4N6 initiative (www.ds4n6.io), under which he is leading the development of multiple open source tools, standards and analysis platforms for DS/AI+DFIR interoperability. After the advent of Generative AI / LLM Platforms, Jess and his team at One eSecurity are pioneering the field again by defining how organizations should transform their Detection & Response teams and processes, via the introduction of AI in every aspect of the Detection & Response life cycle (CTI, Threat Hunting, Forensic Investigations, etc.).

Jess is a globally recognized cybersecurity expert, regularly speaking at the top Cybersecurity conferences all around the world.

Kubernetes Security: Hands-On Attack and Defense

by Lenin Alevski

Abstract:

Kubernetes is the de facto operating system of the cloud, and more and more organizations are running their workloads on Kubernetes. While Kubernetes offers many benefits, new users may introduce security risks like cluster misconfiguration, leaked credentials, crypto-jacking, container escapes, and vulnerable clusters.

This workshop will teach you the fundamentals of Kubernetes security, from protecting your cluster to securing your workloads. You’ll learn about RBAC, OPA, Security Contexts, Network Policies, and other security features. You’ll also learn how to exploit workloads running on a Kubernetes environment using Living Off the Land (LotL) techniques like exploiting Insecure APIs, Secrets Theft, Container Escape and Pod Privilege Escalation, similar to the ones used by real-world threat actors.

This workshop is designed for both beginners and advanced students. By the end of the workshop, you’ll have a deep understanding of Kubernetes security and the skills to protect your clusters and workloads.

Outline:

  • Kubernetes Security talk: ~40 mins
  • Q/A for intro talk: 10 mins
  • Break: 10 mins
  • Hands-On Attack and Defense workshop: 3 hrs
  • Abusing docker for privilege escalation
  • Container escape
  • Create New Kubernetes Cluster Using Kind
  • Explore Kubectl Command
  • Explore k9s To Manage Your Cluster
  • Deploy Kubernetes Workload
  • Get a Shell to a Running Container
  • ConfigMaps & Secrets
  • Namespaces
  • Pod Security Context
  • Kubernetes certificate authority
  • Pod resource limits
  • Scratch Containers
  • Service Account Token
  • Network Security Policies With Calico
  • kube-bench: CIS Kubernetes Benchmark
  • kube-hunter: Hunt for security weaknesses in Kubernetes clusters
  • kube-linter: Check Kubernetes YAML files and Helm charts
  • terrascan: Static code analyzer for Infrastructure as Code
  • kubeaudit: Audit your Kubernetes clusters against common security controls
  • Challenge 1: NFT Museum
  • Challenge 2: Network debugging console

This workshop is based on my open-source labs published at https://github.com/Alevsk/dvka/blob/master/workshop/README.md

Required Materials:

  • Laptop with at least 8 GB of RAM (16 GB is recommended)
  • Laptop with at least 40 GB of free disk space (for downloading and running the workshop VM)
  • Internet connection, mostly to pull docker images and the required tools (kind, kubectl, kustomize, etc.)
  • Any Linux distribution (e.g. Kali or Ubuntu) or Mac OSX, or a virtual machine running one of them

Biography:

Lenin Alevski

Lenin Alevski is a Full Stack Engineer and security-focused generalist with a deep passion for Information Security. He currently works as a Security Engineer at Google, where he focuses on building and securing distributed systems, with expertise in application and cloud security. Outside of work, Lenin enjoys playing CTFs, contributing to open-source projects, and sharing insights on security and privacy through his blog at https://www.alevsk.com.


Modern Memory Forensics with Volatility 3

by Andrew Case and Hala Ali

Abstract:

Memory forensics—the analysis of volatile memory (RAM)—is an extremely powerful technique for detecting and triaging modern malware. Memory forensics is often a critical component of modern incident response due to the frequent use of memory-only payloads and rootkits that bypass EDRs, hide from live analysis tools, and often leave no file system artifacts. In this workshop, a mix of lectures and hands-on labs provides students with memory forensics knowledge and experience that can be utilized during real-world incident response. A few of the topics that will be covered during this workshop include detection and triage of credential dumping, lateral movement, and memory-only malware loading. By having documentation of these techniques in the slides and gaining hands-on experience analyzing them during the labs, attendees will leave with knowledge that is immediately applicable in real investigations. This workshop is focused on Volatility 3, which has been the standard and supported version of Volatility since it replaced Volatility 2 in April 2025.

Objectives:

– The importance of memory forensics
– Applying memory forensics in modern investigations
– Detailed instructions and examples of using Volatility 3
– Hands-on experience performing memory forensics

Provided to students:

The students will be provided with a virtual machine, memory samples, a PDF of the slides, and a lab guide that documents the exercises.

Biographies:

Andrew Case

Andrew Case is the Director of Research at Volexity and has significant experience in incident response handling, digital forensics, and malware analysis. He has conducted numerous large-scale investigations that span enterprises and industries. Case is a core developer of Volatility, the most widely used open-source memory forensics framework, and a co-author of the highly popular and technical forensics analysis book “The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory.” Case has spoken at many industry conferences, including DFRWS, Black Hat, DEFCON, RSA, SecTor, BSides*, and OMFW.

Hala Ali

Hala Ali is a Ph.D. student at Virginia Commonwealth University (VCU). Her research interests include Cybersecurity, Information Security, IoT, and Fog Computing. She received her Bachelor’s degree in Computer Networks and Operating Systems from Homs University, Syria, in 2016, and her Master’s degree in Computer Science and Information Security from the National Institute of Technology Warangal, India, in 2020. Hala has worked on various research projects and published papers on real-time task scheduling in Fog-Cloud Computing and lightweight authentication protocols for IoT. Her current research focuses on memory forensics and software supply chain security.