Lethal Forensicator Coins are awarded to those who show exceptional talent, make outstanding contributions to the field, or demonstrate leadership in the digital forensics profession and community. The coins are a challenge to win and an honor to receive. They are also intended to be rare.
Challenges for the Coins are held on the final day of each course. Students must successfully overcome several obstacles, directly compete against fellow students, and prove their proficiency during timed, hands-on incidents. The obstacles, competitions, and hands-on scenarios have been created by SANS's top instructors, who are digital forensics practitioners, subject-matter experts, experienced teachers, and industry leaders in their own right. At the end of the challenge the instructor announces the winner(s) and awards them their coins. The winners are later listed on the SANS Institute's virtual wall of Lethal Forensicator Coin Holders.
Holders of the Lethal Forensicator Coins are properly trained incident responders or investigators who sometimes represent the only defense an organization has in place during a compromise or a complex digital investigation. These analysts know what they are up against and continually strive to further not only their own knowledge, but also the knowledge of the entire digital forensics field. They are proactive in sharing their experience and encouraging learning through participation in the community. They stay ahead of the curve by constantly seeking new knowledge. Often, they are the leaders in the digital forensics and incident response community.
DFIR Course Challenge Coins
DFIR Challenge Coin Back Design
Each Lethal Forensicator Challenge Coin features the same back design, it shows digital forensicators fighting evil in their superhero form.
Staying up to date on the latest challenges in the digital forensics field demands analytical skills that cannot be gained by just reading a textbook. Just like firefighters could never learn the skills to combat a fire by just studying theory, incident responders, threat hunters, and digital forensic investigators must test their skills in action, as they do with DFIR NetWars.
Legacy SANS DFIR Challenge Coin
History of the SANS Challenge Coins
SANS Challenge Coins were initially created to recognize students who demonstrate exceptional talent, make outstanding contributions, or serve as leaders in the digital forensics profession and community. The coin is meant to be an honor, and it is intended to be rare. The SANS Institute uses the coins to identify and honor those who excel at detecting and eradicating threats, understand the critical importance of cybersecurity, and continually strive to further not only their own knowledge but also that of the entire digital forensics field. They proactively share their experience and encourage learning through participation in the community, and they are typically leaders in the digital forensics and incident response community.
History of the Word "Forensicator"
The term "forensicator" was coined by BJ Lachner and popularized when it was used in the legendary "Forensicator Pro" Cyberspeak Podcast on 1 April 2007 with SANS instructor Ovie Carroll and Brett Padres. In that tongue-in-cheek podcast, Ovie and Brett described a tool called "Forensicator Pro" that would put forensic analysts out of business and was "viewed by many in the community as the end of human involvement in computer forensics examinations." As Brett described it: "Basically you press a button, you point it at an image, and the tool outputs a full forensic examination and report that is perfect." The episode was released as an April Fools' Day joke about what many in the field call "Nintendo Forensics" that rely too much on automated examinations versus traditional analysis, resulting in poor reports. But to this day, Brett and Ovie still receive emails asking where "Forensicator Pro" can be purchased and downloaded!
The term "forensicator" stuck and today is used by many computer
forensics and incident response firms to describe individuals who
essentially perform the same type of work as the mythical "Forensicator
Pro" would have done. The forensicator label has grown in popularity
among digital forensic professionals in the workplace, at conferences,
and while sharing a cold one with a friend. Here are a few examples:
- HolisticInfosec.org write-up on the SANS SIFT Workstation 2.0 (PDF)
- @forensicator on Twitter
- Definition of forensicator on Urban Dictionary
"Coin Check" Challenge
Initiated by one coin holder to another, a coin check typically begins by a challenger holding his or her coin in the air or slamming it on a table and yelling "coin check!" All who are challenged must respond by showing their coins to the challenger within 10 seconds, and whoever fails to do so must buy everyone a round of drinks. If all the challenged coin holders produce their coin, the challenger must buy the round of drinks. (By the way, if you accidentally drop your coin and it makes an audible sound on impact, then you've "accidentally" initiated a coin check. And, there are no exception to the rules!)
Ways to Earn Lethal Forensicator Coins
There are other ways to win the DFIR Challenge coins besides
being an exceptional DFIR student or winning the classroom challenges.
Any GOLD GCFA, GREM, GCFE holder who has written a published white paper that has furthered the field of research in Digital Forensics receives a coin, as do SANS Digital Forensics Blog authors who have written six published entries over a one-year span. In addition, speakers and panelists who participate in a SANS Digital Forensic Summit are
awarded coins (vendors and vendor-related speakers are not eligible).
Finally, any coin holder can nominate an individual in the digital
forensics field who has contributed knowledge, tools, or service.
What to Do If Your Name Is Missing from the Lethal Forensicator Coin Holder List
- Please email email@example.com
- Include the event name, year/month, class, and instructor
- If possible, please include a picture of your coin
- It might take up to a week after the event to have your name posted, so please be patient.
PLEASE NOTE: the coin holder page is updated ONCE at the beginning of each month. Depending on the date of the event or inquiry, names will be scheduled to be added on the next update.