Christa: In digital forensics, knowing how to write code allows you to create your own forensic tools, test other people’s tools and contribute to the community overall. But among all the learning choices from books to training courses, sometimes you just prefer to take an informal path. That’s where Alexis Brignoni’s tutorials come in. A certified digital forensics examiner and researcher based in Florida, Alexis posts regular tutorials to YouTube in both English and Spanish and runs a concurrent study group on the DFIR discord server. We have Alexis with us here today on the Forensic Focus podcast to talk all about it. I’m your host, Christa Miller and welcome Alexis.
Alexis: Thank you so much. I’m happy and honored to be here.
Christa: Thank you. So to start with, how did you initially become interested in coding?
Alexis: Well, it’s like anything else, a really long story. But you know, making the story short. So I started in university, in college, nipping around different degrees all the way from, you know, theology, major seminary student to education, business administration, different things. I ended up in programming and actually it was one of the best choices.
Christa: Oh, ok.
Alexis: Computer science, best kind of lucky choices I made in my life. And that’s where the interest for coding started. You know, so it was a different time back then.
Christa: So I had a question on here about was Python your first programming language? And it doesn’t sound like it was, so tell us a little bit more about your first programming language and how it led you to Python.
Alexis: Well, I started with COBOL and if you know, or I used to say in Spanish COBOL, and if some of the folks here that have been around, they’ll know. And it’s kind of interesting because, you know, COBOL is an old programming language, really structured. And that’s where I got my start at the university. And you will be surprised how much of our normal, day to day, we-need-to-live infrastructure is built on top of it. It’s ridiculous. Like banks use COBOL by the ton, and there’s a bunch of legacy systems that we need as a society that are built on it. So, you know, sometimes we think, “the latest and greatest,” but sometimes it might not be the “greatest,” in a sense, because the things that have a history that have been tested and proven other ones that remain. And COBOL is, for example, one of those.
Christa: “Sometimes the old ways are best.”
Alexis: Yeah. I mean, it’s all about the testing, right?
Alexis: And especially in our field of forensics, it’s not about going with what’s tested and if it’s not, then test it, to make sure you’re building on solid ground.
Christa: Yep. And I imagine too with all of that relevance that COBOL is probably not a bad programming language to learn for incident responders or aspiring incident responders.
Alexis: Well, if you are going to be looking at these legacy systems, absolutely. And, you see talks, you know, in the big conferences, you know, information security conferences, you’ve got folks that do mainframes and work on COBOL all the time and it’s relevant. And you would think it is not, it is extremely relevant from even penetration testers that specialize in this old, you know… I used to manage, back in the day, a VAX mainframe. I used to work at the college that I graduated from. They hired me right after they graduated me, and one of the things I did was that.
Christa: Okay. Yep.
Alexis: And it still is relevant today. Absolutely.
Christa: Cool. So I’m going to move over to Python now, since that’s the topic of your tutorial series. So there are different Python, so to speak, “subspecies,” some of which are specific to some tools. And I’m thinking of IronPython and you know, there’s a bunch of other, again, “subspecies.” How did you decide which one to learn first?
Alexis: Well, this is a great question because it dovetails with what we’re talking about. You would think, well, Python is one of the most popular in-use languages, latest and greatest. Well, Python as a general rule is 30 years old almost, more or less.
Christa: Oh, wow. I didn’t realise it was that old.
Alexis: Yeah. You know what I mean, let’s not say “old,” because you know, it was young, like us. But I say it in the sense that there’s a level of testing that comes with it. Now, the question is, well, this has been around for a while, why do we have different variations? And I want to make sure that everybody understands, I don’t portray myself as the “Python expert,” as the greatest developer in the universe. I am not, and I did not stay at a Holiday Inn last night either. So what I’m sharing is pretty much my experience and as I do things.
And, well you see some of the tools that we use, commercial tools, for example, IronPython. Well, these come with certain functions or libraries or pretty much the parts that make it a thing. They test them in a way that they’re interoperable, and in case for IronPython, in my experience be really safe from an information security perspective. What that means is that we’re going to try to really lock down these libraries, our functions, so somebody can’t come later and maybe hack our product. And we heard, you know, pretty well-known products in the industry, and it was a big deal about, oh, they’re being hacked. That’s another conversation for another day, but these primary languages try to put certain limitations. Contrast that with Python that comes out, we’re up to [version] 3.9 now. That’s a lot of development, new tools, new ways of doing things.
Alexis: And you know, you have to balance that, but in a commercial product versus like, what I do, it’s non-commercial, it’s an open source, it’s free for everybody. And then how do you balance those capabilities with the security of the system and the integrity of the data that you’re managing, especially if you’re a company that charges a pretty penny for it.
Christa: Yeah. Okay. So what did you finally land on? What’s best for the tools that you develop?
Alexis: I use kind of pure, plain Python, so pretty much I go to the main [web page], python.org, if I’m not mistaken, and I just download the latest version and try to leverage the newer things as they come out. And the thought process of the tools that I do, and [for] the folks that are not familiar with it, I do a lot of triaging tools, and I make sure to explain they’re triaging. Can you do a full exam with the open source tools that, and I say me, but the community, because a lot of people working with me, that we all make sure you can. But I say triaging because the onus — and it should be, this is true for everything — should be on the examiner or the person doing the analysis, the analyst.
Even if you’re using a paid tool, which you have a certain level of assurance, it is still up to you to make sure that the output is correct, and that you’re interpreting correctly what the tools are telling you. So I feel free using the latest Python “things” that come out because at the end of the day, it’s not the tool that goes — in my case, I’m law enforcement — it’s not the tool that goes and testifies. It is me that goes and testifies. It is me that says, look, this is the work that I did. The tool just points me, gave me a point into the right direction. If that makes sense.
Christa: Yeah, it definitely does. So in terms of — like, it sounds like you’ve been programming obviously for a long time — but in terms of incorporating your coding work into your day job and your family obligations and just life in general, how do you fit all that in and what would you suggest to people that are coming new to coding for the first time, that are also trying to juggle those different interests?
Alexis: Well, that’s a great question. It’s a pretty deep question because it could go — there’s a lot to be said. So I’ll try to address a few in the time, in the minutes that we have.
Christa: Sure.
Alexis: The first is, I want to encourage people to have time for themselves and the things that they want to do outside of work. And you’re like, you’re not answering the question. Oh, I answered the question. Let me tell you why. This project that I do, I do it a majority of the time in my off time, my personal time. Unless I have a specific requirement to get at some data source that the commercial tools don’t parse, I made the decision of using my own tooling because it’s the one that I can develop the fastest and I do that.
Alexis: And then I try to replicate some of that within those paid frameworks for other people. And what that means is I do my tool first. I get my output quickly. Then I figure out a way to have — just a few examples — to have a Cellebrite or Axiom, Magnet Axiom or FTK, AD Lab, whatever. I put the functionality in those tools and share it with others. And we can discuss more about that maybe later. But the point I’m making with that is, all of that work is done on my own time. And folks in this field, we are really passionate about what we do, but we shouldn’t lose track of — work is not life. I mean, life is not work, I should say. And actually in a sense, it’s work life, it’s part of it, but it’s not life, right?
Alexis: So take that into account. I’m lucky because, you know, when I have time off, I take time off. I mean, by myself. When I’m not dealing with the wife or the kids, or doing some activities with the family, I enjoy coding. I think it’s fun to have a problem like a puzzle and figure out what the solution is, or to transform something from one state to another, to create with words. And that’s one of the things that I like about coding, is that your words become actionable. What you write, what you think, what you speak, actually it has an impact in the world. It has a physical, literal, physical impact. People could go free or could go to jail based on that, on the words that you put on this electronic paper, if that makes sense.
So please take time for yourself. And as you’re learning coding, how to make it part of your work-life balance. Because for most of the forensic examiners, the expectation is that, “Hey, look, we train you, here are some tools, go do some work.” But when you’re adding more stuff like coding and all that at the beginning, make sure you keep that balance because it’s going to be a challenge.
I mean, learning coding, it takes some time, it’s an investment of time. Now, that’s the good thing about it, is that as you get more proficient at it, then it makes your workflow faster. So now you can just say, “Okay, I got it. I’m going to do this, run it. I sit for a little bit of time and I got my output as I need it, as I want it. And in the future, I can repeat that process and automate it. I don’t have to do it by hand.”
I was reading on Twitter, Brett Shavers was saying, well, this person was really proud — some person that he references in his tweet — about how he or she was able to deduplicate, I don’t know how many ridiculous amount of emails or something like that. And it took them, the person 60 hours. And Brett is saying, well, you know, you could MD5 them — hash them — and then just take the duplicates out and it takes two minutes.
Christa: Right. Yep. Yes.
Alexis: It’s a little batch script. It’s a little coding.
Alexis: And sometimes you don’t know what you don’t know, and that person’s spent 60 hours deduplicating things by hand. No, you just code it real quickly and you’re done in two minutes, which by the way, I have an actual example of that, of me duplicating BitTorrent files that I eventually ended up with a script that I put in my repo. And some folks that work ICAC cases — Internet crimes against children cases — they use it as part of their workflow.
Christa: Oh, great.
Alexis: They identify relevant BitTorrent hashes and the like. So yeah, that’s the first part, keep your work-life balance as you’re adding new things that you’re learning and then make them applicable to your job, your workflow, and hopefully enjoy them. I mean, if you enjoy them, it’s not going to be work, in a sense.
Christa: Right. Right. Yeah. Definitely. It doesn’t sound like the sort of thing that you do just because you think you should. What surprised you or what has surprised you the most in your coding career?
Alexis: You know, I guess, I don’t know If I’d say surprised because when you have a background like a systematic — you know, you went to college for computer science, so they teach you data structures and different things in a systematic way. So there’s not a lot of surprise. I guess, not the worst — not surprise, but more of a kind of thinking, my teacher was right. My instructors were right in saying, look, if you learn the underlying concepts of things, then you can apply it to everything.
And I started coding, like I said, with COBOL and then a little bit of C and then a little C#. And at that point, object-oriented languages were starting, which I still need to work on that. I mean, I know what they are, I use them a little bit, but I’m not an object-oriented programmer, but I’m striving to get there.
But even with object-oriented programming, it’s a different paradigm, in a sense. The concepts underlying are the same and underlying the whole thing is the same. You get the structures and how you reference things. They’re the same no matter what language you use.
And I guess that’s more of a life lesson applicable, is that, look, in your work, if you have these principles, ethics, morals, and the integrity of how you do things, that will transmit and show up everywhere in life, even places where you don’t expect it. Things that you learn, you can apply them in different scenarios and situations as needed. And coding to me is like a microcosm of that life — human experience of, look, you learn these things and then you can apply them in ways that you haven’t expected. I started with a little, parsers on there for random things.
Alexis: And then Jessica Hyde, you know, used to be with Magnet and now is with Hexordia. She told me, hey, why don’t you put them all together in one place? So you can start building and people can use it. And now I have all the different versions of my software for different purposes. Folks are contributing and it’s not my software anymore — it’s the community software.
Alexis: And yeah, I mean, not expected. It’s kind of surprising in that way, but the principles remain and they apply at all times. So I think that that’s a pretty cool thing.
Christa: That sounds, I mean, there’s kind of an allegory there to digital forensics in general as well, where, you know, it’s the underlying science of it, no matter, you know, whether you’re doing a computer or a mobile device or a drone or whatever. Right?
Alexis: Yeah. And I tell the folks that I train and mentor, in work and outside of work, you know, the process, the underlying concepts are the basis, and we need to follow them. Because I was telling them, look, we all have biases. We all have biases. Even when we’re coding or not coding or working. And I tell them, look, if you tell me that you don’t have a bias, then that’s a bias actually, telling you, thinking that you don’t have a bias.
Alexis: So what the process guarantees, is that our results and our output, it’s free of that bias because that process doesn’t care about what you think. It is what it is. And you apply that process. It could be in your code, in your analysis, in your life, you know, apply a good process, a good foundation and the results will take care of themselves.
Christa: Yeah, yeah. Yep. So on that note, what made you decide to start tutorials?
Alexis: Well, I love that question because, coming from a systematic university level of learning, a lot of it — and it depends on your instructor — but some of it might be dry. Or they take you into this roundabout, and that might not be applicable to your scenario. And I don’t want to ding roundabouts. They’re great, and they have a lot of them in Europe for your cars.
Alexis: They have a purpose. And yeah, there’s many things in Python that you can learn for different things. But I was thinking, look, if as an examiner, what do I need to know to be as effective as quickly as possible? And it’s tough in a sense, because there’s no book specifically for that, the books that you have for data forensics, this is my opinion, nobody else’s, it’s not my job, this is my opinion. Some of those books say — okay, they assume even, you know some Python — and then they tell you, okay, how do you take a Windows log and parse it? Here, how do you do it? Like a cookbook. Or how do you solve this particular problem with Python? And you go from there. But they don’t really teach you the thought process behind Python in relation to digital forensics.
Alexis: So, I haven’t found a book that I’m satisfied, at least me, yet, that has that process. So what I did was I took a book that is just a general Python book. And when the pandemic started you know, folks had to stay home as our workplaces had to figure out, how can we do work remotely? Because not every workplace was built for remote.
Alexis: So how do we do that? So a part of that is like, okay, let’s do some — have people take advantage of this and do some trainings and do some work from home. And they let us do that. So part of me being at home, part of my work in a sense, was to think, okay, how can we take Python and give it to examiners so they can get to the things they need to examine quicker?
So I took this book — not for forensics, just for Python — and I taught this class, I built this class just for that. So this is fairly straightforward. We learned the basics of the main Python parts. You know, your arm, your legs, your abdomen, your head. So we know what they are, and now we’re going to put them together into a body that’s just for forensics.
So for example, I teach in that class, okay, this is how you open a portable file and take stuff out of it so you can show it to whoever needs it. How about an XML file? How about binary p-list? And I teach people how to take meaning out of these data structures. And I gave a few of the more, harder — I say harder, but mostly used but not — let me rephrase that. Folks that use tools, and the tools are great, tools have viewers. Your forensic tools will, if you want to see what’s inside of a Python — I’m sorry, a binary p-list — the tool will show you. If you want to see the protobuf, the tool will show you. You see the XML, there’s a viewer for that as well. It will show it to you.
But what I’m trying to convey to folks is, look, it’s great the tools show you the thing, but that thing may have a hundred things inside of it when you only need two. So how can I go and just pull out the two that I need, or the three that I need?
And that’s where Python comes in, and a little bit of programming. I teach them how to open the file, analyze it, and figure out, understand what the data structure is, and then pull out what’s relevant and make a little report. That’s it, and in my experience, if you’re an examiner, that’s what you wanna do. You want to take this data that comes in and make it accessible, pull out what you need and show it right there. There’s a lot of nuance into that.
Alexis: How much to show, how much not to show, how you make those decisions, et cetera. But from the point of making the class, as examiners, open the file, get to the data and pull out what you need and present it.
And I got good feedback from folks in the community telling me, look, I’ve done a whole bunch of Python classes and it’s the first time that I did a little script that I could actually use at work. And that just made my day.
Alexis: I think it’s 20-something classes in the whole curriculum. And those that come and make those 20-something hours worth it.
Christa: Yeah, definitely. Going back to — so you just said something about figuring out what nuances to bring to the course and, you know, what to say and what to leave out. Tell us a little bit more about how you translated your day-to-day work and your knowledge to actually teaching others, cause they’re not the same thing.
Alexis: Yeah, absolutely. Absolutely. And, you know, we got to, and we do, I think most people in the community do, but if you’re coming in new and you’re listening to this, make sure — I would advise you, have pride in the work that you do and in the thoroughness of it, because you want to become a subject matter expert of the things that you do on a daily basis.
And that’s where that nuance comes in, in trying to convey to students and in class with most of the people that I mentor, your experiences will inform you on what’s important. Also the experiences of other people, you know, who have been in longer than you. And then you can make those decisions and be able to sustain those decisions.
You have like a data source, like a Google Takeout, which I’m kind of working on now, some of those archives that come from providers. It’s gigs, and gigs, and gigs of data. So how can you make a decision of what you need to pull out, but being also honest to the evidence? Because the last thing you want to do is say, well, I picked these because it would make the other side of that, you know what I mean?
Christa: Right. Yeah.
Alexis: And that’s something that we have to constantly strive to avoid by following the process. So you’ve got to become an expert in that, and be self-critical, in a sense, to make sure that you’re pulling out — and what you’re pulling out — is an accurate reflection of what the source data is telling you. Because your report is not the data. Your analysis is not the data. What your Python coding outputs is not the data. The data is the data. The actual source data is what it is. And you gotta be true to that. That’s what I’m saying. There’s a lot of nuance, and we may not have time for that, but how do we make those decisions on what to pull, what not to pull, and being honest to ourselves on the data, you know?
Christa: Yeah. So what should tutorial attendees expect when they go through your courses?
Alexis: So when we started with the Zoom group, I don’t think the students and myself had any preset expectations, like we were like, we’d like to learn Python, let’s see what we can learn together. But now that the course is done, I can tell the folks, look, this is what you’re going to expect to learn.
Alexis: With book or no book, because you don’t even really need the book that I — not recommended, but — I said we should use. You can expect to start running a script, at least learn how to run scripts and have a little video for that. Just explain how to run scripts, because you don’t have to be a Python coder to run a Python script. So how to run scripts, and then how to start a simple script that will open the file that you care about. It will teach you how to, again, pull out what you need, and then show it either on a screen or a little text file, a little, you know, little report documentation that you can attach to your case. And that’s it.
Alexis: I mean, and you’d be surprised, those little — I say little, but those capabilities, it’s like a seed. You can start with that seed and it becomes a big oak tree — you’d be surprised how much you can do by just opening a file, pulling stuff out, and making a report. Those three steps just by doing that, you can do tons of things.
Christa: Wow. Cool. So when you and I first started talking about doing this podcast or interview in general you had just started to offer the tutorials in Spanish. What was important to you about doing that, to offer this information to native Spanish speakers that might not speak English?
Alexis: Yeah, so part of the things that I do for work is I train partners overseas.
Alexis: You know, law enforcement partners. And again, this is my experience, so again, it’s limited. But in my opinion, there’s some resources there. In Latin America there is a strong information security community in many countries, many experts, but the law enforcement side, I believe there’s not always that communication there between the information sector and the investigators.
Christa: Oh, interesting.
Alexis: And there might be some lag there. Another challenge is depending on the country and the region and whatnot. So I thought, what if I could at least put a little grain of sand, to kind of solve this issue in the sense of putting resources out in Spanish, that folks could use to solve problems and to bring cases to completion. That’s where some of the videos in Spanish come about. For example, protobuf is a data source that people are really intimidated by.
Christa: Oh, why is that?
Alexis: Well, I would say at least, I was intimidated at the beginning because when you kind of look at it makes no sense. You can read some stuff and you can see words. You can see names and things you can read, but then they’re encased inside, what the heck is this?
Alexis: And usually the process was okay, then take, and decode it with a little proto protalk or whatever it’s called. And it gives you another output that has a lot of things that also don’t make sense, absent of some context. So what I tried to teach folks is, look, don’t be intimidated by it. Let me explain how this works. And I would be remiss if I didn’t mention Yogesh Khatri.
Alexis: He used to be a professor, a university professor. Now, he is, I forgot his position, but he [does] just great work. He now lives in Australia and doing fantastic work there in the private sector. And I owe him a lot because he’s the one that really taught me a lot about protobuf, how it’s structured, what it means. So what I receive, I try to give to others, so I want to thank him, you know, for all his kindness towards me.
Anyways, back to the thing. So there’s no need to be intimidated when you understand something. What seems to be hard, is not really hard. It’s a lot of small, simple things that altogether seem complicated. So if you break it down, we can get to it.
And a lot of tools, another thing that I think makes it challenging, is because a lot of tools don’t have support for it. They can have a viewer. I mean, you can see what that file just put up and find something in it, but there’s no way within our paid tools to parse it in a way that can select things and whatnot. So, I sort of teach folks, don’t be intimidated by it. This is how you go around it and figure out what you need to figure out. And with practice, it becomes easy.
Christa: Okay. Well that does it, honestly, for my questions. Was there anything else that you wanted to talk about that we didn’t cover?
Alexis: Well, I want to say, like a future looking statement for everybody. So again, as examiners — and we’re talking about the DF side of DFIR, digital forensics — we have our tools, we have our workflow and our mission, but I truly believe, looking forward, that coding is going to become even more important to the work that we do. So we can’t just rely on just the vendors giving me support for something, because it might take weeks or months, or who knows? This coding is going to be important.
And something that I’m going to start, looking forward, is looking at reverse engineering. Also, as part of my digital forensics work. Mike Williamson used to be a Canadian police officer. Now he works at Magnet. He’s done great, great work in trying to make reverse engineering accessible. And the reason for that is you will have apps that you cannot really get to that data unless you understand how the app works on the inside.
Alexis: And how can I run that app and kind of peek inside the app, as it’s running, for you to glean the information you need to crack that data source, to open that treasure or that egg. And that’s something that I think examiners should start thinking about, learning some programming. I recommend Python, doesn’t have to be Python, but something I recommend, and start looking at how can I have some basic reverse engineering skills to add into my skill set? And I think that would be beneficial to everybody.
Christa: Can we expect a joint tutorial between you and Mike coming?
Alexis: Oh my goodness. I mean, I would, I mean, I would love to sit, you know. Mike is my friend. He’s a really good friend, so people understand when we talk all the time, but if we lived closer, I’d be like, dude, I need you to sit with me and teach me over coffee. Like every week. He’s a good guy.
Alexis: And so yeah. Keep your eye out for stuff like he puts really, really important stuff looking towards the future.
Christa: Very cool. Looking forward to that.
Christa: All right. Well, Alexis, thank you again for joining us on the Forensic Focus podcast.
Alexis: No, thank you for having me. It’s been a blast, it’s been a pleasure.
Christa: I’m glad. Thanks also to our listeners, you’ll be able to find this recording and transcription along with more articles, information and forums at www.forensicfocus.com. If there are any topics you’d like us to cover, or if you’d like to suggest someone for us to interview, please let us know.