Andrea Lazzarotto, Digital Forensics Consultant and Developer

FF: Can you tell us about yourself and how you got started in digital forensics?

Sure. I have been working for years as a Digital Forensics Consultant, as well as a Software Developer. This has allowed me to gain experience in the field of web and mobile applications, both from a programming and a reverse engineering perspective.

In my work, I also like to explore other topics. For instance, I have conducted research on methods for tampering with WhatsApp chats (without leaving any trace). Web page acquisition is another topic I enjoy.

My background is primarily in Informatics: I started with a high school diploma in Industrial IT, followed by a BSc and MSc in Computer Science. My interest in Digital Forensics was piqued when it was time to prepare my final dissertation. I wanted to create a program that could be useful for digital forensics practitioners.

When the project became a reality, I reached out to several professionals—one in law enforcement and others in the private sector. This was an excellent learning opportunity, and getting to know them encouraged me to start working in the field.

FF: A few years ago, you developed RecuperaBit, a tool for forensic file system reconstruction. What motivated you to create this tool, and what are some of its key features?

Yes, that’s the one! At the time, I started to become fascinated by file systems and their inner workings. Moreover, there were only a few programs that were really good at recovering data from NTFS, but all of them were proprietary and often not geared toward forensic aspects.

For this reason, I decided to pursue an ambitious idea: I wanted to write a thesis about the forensic analysis and reconstruction of damaged disk partitions in NTFS format, documenting the process in detail and with a forensic approach.

RecuperaBit is the practical implementation of the techniques and algorithms I created for this purpose.

It is the only open-source program that attempts to recover NTFS partitions under the assumption that they may be badly damaged and unreadable by Windows. It attempts reconstruction of the directory structure regardless of a missing partition table, unknown partition boundaries, partially overwritten metadata, or just a “quick format.”

The end result turned out pretty well. During these years, I received messages from people telling me that RecuperaBit saved their data, and the tool has been included in the CAINE Linux distribution. It has been very rewarding!

FF: More recently, you developed Fuji for macOS forensic acquisition. What challenges does it address in acquiring data from modern Apple computers?

Some years ago, obtaining a forensic image of a Mac computer was relatively easy. You could extract the hard drive, connect it to a write blocker, and proceed to acquire a physical disk image, just as we do today with several kinds of HDDs, SSDs, and memory sticks.

Technology has now evolved, and several generations of Macs have been released since then. Newer Intel-based Macs introduced the T2 security chip for hardware-level encryption, and the storage drive is soldered to the motherboard. Apple Silicon Macs are even more hardened.

Today, we cannot obtain a physical image anymore, and we need to tackle the problem of acquiring these Macs as we would with a modern smartphone. The aim is to achieve a full file system acquisition when the device is already turned on.

Luckily, macOS includes command-line tools that can do this, especially ASR and Rsync. Fuji leverages them through a user-friendly interface that allows the examiner to acquire the entire drive or a single folder using two different methods. No command-line knowledge is needed.

I created Fuji because there are few programs that can perform the forensic acquisition of modern Macs. Most of them are pricey, and none are free or open source.

It was also another nice learning opportunity, given that I had never had the chance to do forensic work on Macs before. To be honest, Fuji is basically the first Mac application I have ever developed.

FF: Why is open source software important in digital forensics?

At first glance, you may think the answer to this question is related to budget. Most digital forensics programs are paid-for, and several of them are outrageously expensive. Not every practitioner or agency can afford to spend money on every item in the toolset, so open source fills this gap.

However, I think this is a limited perspective, and there is more to it.

The most important aspect, I believe, is the ability to understand what a tool does and the chance to ensure the process is repeatable. This is true for open source software written by others, but even more so for the programs that examiners write themselves.

I believe that writing some tools or scripts on your own is very important, and I expect people working in this field to be proficient in programming, at least to a certain extent.

When you write your own software, you can be sure that you know exactly what the program is doing. There is no doubt that you can explain the process when questioned or challenged about it. Even better, it’s a very formative activity because you can gain a deep understanding of the data you need to analyze.

This is totally different from looking at the output results after a black box has analyzed or extracted data without telling you how it did that.

Publishing the software you have written as open source is a natural choice because it can help other examiners. At the same time, you receive scrutiny and reviews from an amazing community of professionals.

FF: Why do you think so many notable open-source digital forensic tools – such as CAINE, Tsurugi, and your own projects – are being developed in Italy at the moment?

Alright, this is where I can definitely play the “budget” card!

Joking aside, I think it’s an interesting question, and I am not sure I know the answer to that. It’s probably related to how this job is done here.

Unlike some other countries, in Italy the majority of the work in this field is done by consultants, i.e., people working as freelancers. We have a few large digital forensics companies and even tool vendors, but these are rare cases.

Most digital forensics “firms” are actually one-man shops, so to speak. This may stem from criminal law, as public prosecutors cannot appoint a company to perform analysis, but only an individual.

The low compensation for examiners working for the prosecution would also be a tough point of discussion.

Other than that, the scientific aspect is heavily emphasized here. You know, techniques and procedures need to be clear and explainable. Routinely, they must be repeatable because there are special provisions for non-repeatable procedures, and those complicate things a little.

Open source facilitates the verifiability of what is being done. Imagine if, during a trial in which DNA evidence plays a crucial role, the biologist told you, “I cannot discuss how I extracted the suspect’s DNA from the scene because it’s a trade secret, but trust me.”

This is what we risk when we use proprietary, black-box-like tools. Sometimes we have no choice, but we like to have an alternative.

And above all, Italians love to experiment and are renowned for their ability to make do with the resources available.

FF: What are you planning to work on next?

Fuji is working pretty well, but there are some rough edges that need to be smoothed out here and there. While I am doing this interview, an additional acquisition module is almost ready to be released.

It does not perform a full disk acquisition, but it is focused on acquiring Sysdiagnose information. Fuji adds a unique twist to the process: it takes the collected unified logs and converts them to SQLite automatically. This provides a smoother experience for the analyst.

I would also like to resume work on RecuperaBit. It was developed more than eight years ago, and at that time, I did not have my current level of experience. Today, I would approach several aspects differently to avoid excessive memory usage and to enhance the user experience. However, reviewing all of the code is a substantial task, and I’m uncertain whether I will find the time to complete it.

FF: And finally, what do you enjoy in your spare time?

I have been practicing karate for several years and still do. Recently, I started attending a group dedicated to board games. I hope to become a black belt in that as well!
