Jacopo (forum member 'jaclaz')
It is difficult to describe the kind of activities I am involved with as there is no simple definition of them.
I worked for twenty years in one of the (at the time) top thirty construction firms in Italy, being involved - at various levels - in all kinds of construction and building projects, from roads/highways to railways and from civil to industrial buildings, both in Italy and abroad. Then, around ten years ago, a number of reasons prompted me to become "freelance".
A building project - both the design/planning part and the execution - represents a rather complex interdisciplinary task, involving a number of professional figures that tend to be highly specialized and that - often - have different points of view. Typically there are the owner/proprietor/investor (or public administration), the contractor, the architect, the structural engineer, the geologist, the electrical engineer, the hydraulics/thermal engineer, the various sub-contractors and suppliers, besides the accountants and the lawyers. Each of them may have a point of view on the issues restricted to his/her field of experience and often what is needed is someone that is not actually any of them but that can have a more comprehensive view on the whole process and that coordinates communication, or sometimes simply induces these people to communicate with each other.
Basically I have two kinds of customers, the proprietor/investor and the contractor. In both cases the final scope is to deliver the project or the building with the best possible quality, in the least possible time, and with the least possible cost.
This can be achieved in a number of ways, from finding the most appropriate construction method to adequately manage the planning, to coordinating all efforts in the "right" direction to effectively manage the project timetable/activities.
Notwithstanding accurate planning and great attention to detail - this latter borders on obsession in my case - anything may (and usually will from time to time) go wrong, and when this happens there is a need for a quick and effective solution to the issue at hand, to re-schedule/re-organize processes, etc., and here my role becomes more evident.
Another activity is that of project cost estimation, again either working for the investor to determine in advance the expected cost of a project or working for the contractor to determine the bid offer that is to be submitted when invited to tender.
In a nutshell, I am a sort of jack-of-all-trades (and master of none) for all matters connected to building and construction and I attempt to use my experience to put together bits and pieces into something that is harmonious and effective, by making things as simple as possible, reducing problems to their essence and (hopefully) solving them.
There are however some activities in my profession that do have similarities or connections to digital forensics. When you make a project execution plan you use tools that allow the creation of GANTT charts, usually adopting a WBS (Work Breakdown Structure) to divide the project into elementary activities and to connect them and "place" them in time with logical cause-effect relationships in order to analyze the critical path (so-called CPM or Critical Path Management techniques), which is very similar to making a timeline during an investigation.
Another aspect of my profession that has some points in common with the forensics field is that I am sometimes called when a problem arises in a building project or in the administrative parts of it (like contractor claims, fines or penalties for damages, delays, etc.) to find out who is responsible.
These are however civil cases and, though it can happen, it is rare for me to be called as an expert witness in court; most of the work is with the lawyers and in writing reports.
You’re an active member of the Forensic Focus forums. How did you become interested in digital forensics?
My interests are oriented towards OS booting, filesystems and data recovery. These fields are of course closely linked to digital forensics.
I was one of those kids that disassembled things to see what was inside them and understand how they worked (and I even managed to reassemble a few items properly!). Computers have been a hobby since the time I built (some of the readers may be old enough to remember the good ol' times) my first computer, a Sinclair ZX-80, and more generally I have always been interested in any kind of technology. If the term had already been invented at the time I could have easily been defined as a "geek".
Then, in my professional life, I had a few occasions to find what I call "the IT wall". At least here in Italy in the years when computers entered the corporate world there was an abundance of a particular kind of IT guy, that took advantage of the fact that no one else was familiar with the way computers worked and either provided answers like "it is not possible" or "you can't do that", or "well, we will need to hire a professional programmer and it will take 6 months to have that". Due to some peculiarities of my character, "it is impossible" or "you can't do that" are like magic words to induce me to prove that it is actually possible and that I can do it (or at least find the actual reason why something is impossible). On a couple of occasions it happened that everything that was needed to create a Work Progress Report was somehow stuck in a corrupt hard disk or in a program database that went astray. Due to Murphy's Law these events normally happened on Saturdays or during the holiday periods, and something needed to be done, and quickly, and most probably with the help of some luck and ingenuity, I was able to recover the hard disk contents or rebuild the broken database, etc. This made me take an interest in the field, and since then I studied a bit more in this niche.
What insights gained from your own professional experience do you think may be useful for digital forensics examiners to consider?
I would say that what you learn from professional experience, in any field, if you have the right attitude of course, is to get to know people, how they behave, how they react, particularly when under stress. You learn to ask (both yourself and others) the right questions, at the right time, and to understand the answers.
This is seemingly something that is not directly related, and I understand how the social engineering aspect is generally considered of minor importance in digital forensics, but instead of cracking an access password, getting it from the post-it note in the first drawer on the left, and knowing it will be there, is as effective as having a set of GPUs crunching away numbers for a few days.
The other generic thing that also applies to any field is that there is often more than one way to skin a cat, and that one must always see if there are possible alternatives and explore/evaluate them. More specifically in the digital forensics field, I learned to pay the maximum possible attention to details, to document everything, to keep archives - paper or digital - well ordered. This is a key factor when and if you need - possibly years later - to review a project or to support or challenge claims in court.
Based on your involvement in the Forensic Focus forums, what do you make of the current state of digital forensics education?
Most probably because I am getting oldish, I believe that there are two main issues, not actually "new", still the same ones since universities (and students) were born.
On one hand I see how some – of course not all – of the courses on digital forensics are either very generic, plainly out of date, or very distant from actual activities in the workplace; on the other I see how - again this does not apply to all of them - students are mostly interested in getting good grades (as opposed to learning the subject matter and consequently getting good grades). Nothing really new under the sun, but still sometimes disturbing.
What I have noticed is that a number of students that come to the Forensic Focus forums to ask for advice or answers are lacking the kind of curious, inquisitive mind that should be a basic prerequisite for an investigator. They want to learn how to do something, but they rarely want to understand why you would do that something, which alternatives there may be to it, what else can be done additionally, etc.
The typical new poster on Forensic Focus (among the students) is a second or third year; someone who should already be very familiar with the Windows or Linux command line, have more than a basic knowledge of filesystems and OS behaviours, be capable of writing his/her own little batch or AutoIt or Python scripts, yet from the kind of questions they ask I have the impression that besides lacking this knowledge (and this could be the fault of the course they are attending) what they really lack is the "passion" for understanding, delving deeper, etc.
This can also be due to the way they are taught; as I see it, the main scope of a university should be to open their minds and to have them love the things they study, but also to teach them the specifics of the field.
There is an ongoing thread on Forensic Focus here where I am not the only one to highlight how some "digital forensics" courses seem actually "generic computer science" with a handful of specific modules added. This is in line with my gut feeling that some of the students are taking these courses because they are new, "cool" or trendy, and they in theory allow for quickly finding a job, and real interest in the specific subject matter and profession is somehow "optional".
Most of the questions they ask can usually be easily answered by doing some research, and the net is an incredibly vast search territory. I have to stress the fact that this field is all about searching and finding (fragments of) information; one needs to have an attitude for it, and I see quite a lot of the students lacking the will to experiment. I often like to cite Ray Bradbury: Life is "trying things to see if they work".
How do you think students can make the most of resources such as Forensic Focus?
I guess that the best thing would be (obviously) reading its contents - there is an incredible amount of knowledge and experience in the board's discussions, sometimes a bit hidden and needing the capability to read between the lines, but still I believe that a dedicated student would learn invaluable information from it.
The other very good thing that can come from taking part in the forum is the possibility to make contact with "real" experts and professionals, people that have been there and done that, and can understand - because they themselves went through the same problems - the issues at hand.
What I see lacking is involvement. I mean the forum provides the means to communicate, and to communicate "at the same level" with people that are in the business, and often have been in it for years and at its top levels. The typical student (again not all of them) joins the forum to ask a specific question, doesn’t come back for a couple of years and then all of a sudden reappears to ask if anyone has an internship or a job.
During this period the student has undoubtedly been busy studying, and often studying hard, but the idea of coming back from time to time, posting something about his/her achievements, using the forum to publish some original research, never crosses their minds. In other words the forum is seen and used often in a "selfish" manner, as a sort of helpline and not (as it should be) as a community, a place to discuss the themes of interest with other people in the same field, but also a place where your next employer may be reading your posts, and could notice you or your work.
What do you do in your spare time?
I take part in computer related forums and, more generally, try to learn new, strange things.