Guillermo Román Ferrero works as an Incident Response Expert for a Computer Security Incident Response Team. He is also a prolific author with his Follow the White Rabbit blog. Mr. Ferrero tried Belkasoft's digital forensics solutions recently and kindly agreed to share his experience and thoughts with us.
Guillermo, how did you become interested in digital forensics?
I started studying digital forensics when I was still at university with a specific course on the matter. I found it very interesting to be able to investigate what an attacker has done to a system and the different sources of information you can find in any modern computer or almost any other digital system. Digital forensics requires the mentality of an investigator, the ability to put yourself in the shoes of both the criminal and the victim and get to know the innards of the analyzed system. In my opinion this is one of the most entertaining jobs you can find in computer security.
What is your current job role, and what are your main responsibilities? What kind of cases do you usually deal with?
My job in a Computer Security Incident Response Team (CSIRT) consists mainly of being able to respond to diverse security issues. Digital forensics, log analysis and correlation, phishing campaign analysis and monitoring are some examples. For instance, if a machine or a service gets compromised, it is our job to analyze the case and take measures as required.
What is the main technical challenge associated with your professional activities nowadays?
In my opinion the main technical challenge nowadays in digital forensics and, specifically, incident response, is managing a great number of devices and a wide exposition area. In virtually any company you are going to find attack vectors that evolve every day and it is increasingly difficult to keep track.
Tools such as SIEM and EDR have become indispensable for visibility, leaving behind traditional antivirus and IDS solutions. And even before they become useful in a company, you must have the appropriate tools to analyze the evidence pointed out by them. There is no use in having a great visibility on your environment if you cannot properly analyze the data afterwards.
What is the main risk of a bad outcome in a digital forensic investigation?
It depends on the case. If you are conducting an investigation inside a company, a failed investigation can mean you could not detect the malware that infected a server farm later. Maybe the attackers stole documents, but you could not detect the exfiltration.
If you conduct criminal investigations, it could mean the whole case becomes invalidated. This is the reason why you should always try to keep track of the latest attack vectors and use the necessary tools.
What kind of personal qualities should an investigator have, in addition to understanding how to use the software?
Curiosity and meticulousness are some qualities I could name. The first is necessary, again, to keep track of new tendencies. Also, studying matters that you are not curious about at all is a total pain. The latter is simply necessary in order to do a good job; you must not leave loose ends in an analysis.
How did you get acquainted with Belkasoft? How did it come to your attention?
I had heard about Belkasoft while reading articles about different DFIR tools. Also, I had used Belkasoft Live RAM Capturer before. I got to know some Belkasoft employees in April when I attended the first Forensics and Security Congress 2019 in Madrid. There was a very nice presentation on SQLite digital investigation by Maria Khripun and I could get a trial license for Belkasoft Evidence Center so I could try the product. Later on, I had a conversation with Vladislav Derkach about publishing a review of the product on our page Follow the White Rabbit, which I really enjoyed writing.
What has been your main impression of Belkasoft?
You are a veteran company that has been creating DFIR products for years. Belkasoft has a solid product base and BEC is evidently a very advanced product. I had also used some other products from you before with the same impression.
BEC gave me the impression of a mature product. I was especially surprised that the tool was really stable and did not freeze at any moment of the analysis, which is a usual issue in some other products when launching a full analysis on an acquired hard drive, for instance. Also, the UX was fairly complete and intuitive, also an advantage over other solutions.
How do you think BEC would give you an advantage in your future investigations?
I think a complete tool that lets you easily keep track of investigations is key. BEC allows you to gather a lot of evidence types in the same spot, and quickly compare obtained proof. The ability to perform remote acquisition and export a full case into a full-featured viewer program were also very interesting when you work in a corporate environment, where mobility and resource sharing are indispensable. In an ever-changing environment such as information security, where new attack vectors appear every day, capacity of adaptation and reaction speed is key, and tools such as BEC will certainly help us.