BSides Las Vegas, 2016

I absolutely love giving presentations! I love to run my mouth, so being able to do so in front of like-minded individuals is a passion of mine. I’ve started to lose track of the various presentations I’ve given, so I made this page to catalogue my work and provide resources should anyone be interested in reviewing the content.

SANS Summits & Webinars

Oh You Silly Framework!: An Intro to Analyzing .NET Malware – SANS@Mic Sydney

Nov 4, 2020, SANS Sydney 2020 @Mic Webcast

Malware written using Microsoft’s (MS’s) .NET Framework operates differently from your standard compiled Portable Executable (PE). The framework, often pronounced “dot net,” provides modern, functional, and easy-to-use assemblies for creating current-generation software. Once the C Sharp (C#), Visual Basic (VB.NET) or other .NET language is compiled, the result is MS Intermediate Language (MSIL). Upon being executed, the MSIL-based PE uses a just-in-time (JIT) compiler to generate native code, which is what we see run when .NET software/malware executes. Wonderfully for both the malware hobbyist and reverse engineering guru alike, MSIL PEs are easily decompiled back to source code. In this talk, SANS Instructor Ryan Chapman will provide an overview of the .NET framework, discuss malware families known to depend upon the framework, and provide analysis methodologies and tools for ripping these samples apart with ease.

Register for free recorded content here:

LOCKED OUT! Detecting, Preventing, & Reacting to Human Operated Ransomware

2020, SANS Webcast

Human Operated Ransomware (HORA) threat groups are growing in number and strength every day. In this Webcast, SANS Instructor Ryan Chapman will cover the evolution of, tactics inherent to, and threats associated with HORA. Ryan will provide “quick wins” that you can implement now to protect yourself against this ugly threat. Ryan will also focus on what to do if ransomware is running *right now*, along with what to do when ransomware has run and the outlook is bleak. Ryan will wrap up the Webcast with a list of digital forensics and incident response tools that work well within on-prem and cloud-based environments alike. Are you and your company prepared for this looming threat?


Recording available on; requires a free account (simple, easy sign-up)

Hunting Human-Operated Ransomware Operators

Summit Talk Description
The real threat of ransomware these days lies in “Human Operated Ransomware” attacks, in which we see the deployment of ransomware move to secondary or tertiary objectives. The human operators often focus on enumerating the internal environment in preparation of data exfiltration. By the time the ransomware is deployed, the threat actors have already carried out their initial objectives (and stolen your data!). This talk focuses on finding these operators while they are in your network. Find the operators == stop the ransomware deployment.

2020, SANS Threat Hunting & Incident Response Summit


CactusCon & BSides Talks

Implementing a Kick-Butt Training Program: Blue Team GO!

2019, BSides San Francisco & 2018, CactusCon

Operationalizing Cyber Threat Intelligence (CTI): Pivoting & Hunting

2017, CactusCon — Not recorded

Exposing the Neutrino EK: All the Naughty Bits

GitHub repo with files:

2016, BSides Las Vegas

TAPIOCA: How to Automate Yourself Out of a Job

2015, BSides Las Vegas

Work / Vendor Presentations

Protecting Your Workforce from Business Email Compromise

Webinar Description
Join BlackBerry for an informative webinar on safeguarding your workforce from business email compromise and other business critical services for remote workers.

Ryan Chapman, BlackBerry Principal Consultant, Incident Response & Digital Forensics, walks through:
– Tips for securing your business email
– Business email compromise (BEC) threats and how to avoid them
– The evolution of phishing attacks from malware deployment to credential theft
– How BEC attacks should be analyzed and reported
– How a BEC Assessment can help you understand your email-based threat landscape
Don’t miss this valuable presentation on ways to address the threats facing remote workers. Watch this webinar on-demand now.

The official, On-demand webinar is available here:

A modified version of the webinar is also available on YouTube:

BlackBerry Webinar, October 27, 2020

Incident Response in Your Newly Expanded Workforce

2020, Nth Generation Symposium Breakout Session

No recording available, yet

Threat Hunting in 2020: Focal Points for Success

2020, SINC Virtual Roundtable


Sign up at the link above to view recording

IT Security Outlook 2020: What to Expect in the Year Ahead

2020, eSecurity Planet


Sign up to view on-demand.

Threat Intelligence – Buzzword or Buzz-Worthy?

2018, Cisco “Threats: The good, the bad and the ugly” Webinar

JavaScript Deobfuscation

YouTube videos, not quite presentations. But hey, they’re fun!

MalWerewolf: JS/Shellcode Deobfuscation

JS/Shellcode Deobfuscation Tutorial Part 1/2

JS/Shellcode Deobfuscation Tutorial Part 2/2

Splunk Talks

PowerShell Power Hell: Hunting for Malicious PowerShell with Splunk

2016, Splunk .Conf

Security Operations Use Cases: ‘Cause Bears, Pandas, and Sandworms

2015, Splunk .Conf

Security Operations: Hunting Wabbits, Possum, and APT

2016, Splunk Live! Scottsdale

No recording available

Slides available here:

Security Operations Use Cases: ‘Cause Bears, Pandas, and Sandworms

2015, Splunk Live! Santa Clara — Same as 2015 .Conf preso

Security Operations Center Use Cases

2014, Splunk Live! Phoenix

No recording available

Cyber Forensics Workshop

This is a 6-part workshop that I presented to students from Cal State University Fullerton (CSUF) back in 2014. While the version of WireShark we use is quite old, the content is still completely viable here in 2020.

CSUF Cyber Forensics Workshop Part 1/6

CSUF Cyber Forensics Workshop Part 2/6

CSUF Cyber Forensics Workshop Part 3/6

CSUF Cyber Forensics Workshop Part 4/6

CSUF Cyber Forensics Workshop Part 5/6

CSUF Cyber Forensics Workshop Part 6/6