When Megan Roddie worked at a startup where she and her colleagues were consulting on an IR investigation affecting a Google Workspace Customer, she found there wasn’t much publicly available information on methodology for Google Workspace DFIR. “That is when I decided to be the one to help make the content exist,” she says.
She is thrilled to have been invited by SANS to become an author. “I had taken SANS courses for years and knew the quality of the materials, instructors, and entire program. The idea that I was being invited to be a part of the creation of that content and experience was too good to pass up. Knowing the quality and standards that SANS strives to meet, the fact they considered me up to par was a major achievement.” She has been looking up to many of the senior staff of SANS, and almost cannot believe she is now working alongside them. “Crazy surreal, but an amazing experience!”
Megan is part of the SANS DFIR Faculty and has co-authored the FOR509 course: Enterprise Cloud Forensics and Incident Response. The biggest challenge she sees for practitioners is the ever-evolving nature of the cloud. “The same goes for us as authors,” she adds. “The UI’s for the portals, the logging policies, and more can change week to week. Similarly, the clouds vary so differently, AWS versus Azure versus GCP.”
With SANS course content only updated every six months, she has made it her goal to write about DFIR concepts as a whole, so students can apply them regardless of the changes cloud providers make. “While the location of tools in a portal or how long logs are retained for may change and vary across different cloud platforms, the concepts of a DFIR investigation remain the same. The analytical process is equal across all platforms, so don’t let yourself be thrown off by different terminology or commands.”