In our interview with Dario Forte, Founder and CEO of DFLabs, he talks about his company and the forensic standards he is developing within the ISO committee, and predicts that prices for forensic service offerings will rise in the near future.
Dario Forte is considered a highly reputed expert and entrepreneur in the fields of GRC (Governance, Risk and Compliance) and Computer Forensics. A former police officer, he has worked with many agencies worldwide (including NASA) and has lectured at many top-tier conferences, including those of the US Department of Defense, the US Department of Homeland Security and the World Bank. He currently divides his time between Italy, the USA and Russia. Dario is a very pleasant and intellectual person who can tell you hordes of interesting things over a glass of wine.
Yuri: Dario, could you please briefly describe your current occupation?
Dario: I am currently the Founder and CEO of DFLabs, a company specialized in GRC, Incident Management and Digital Forensics. We are a group of 25 people based between Italy and the United States. We provide Consulting, Services and Technologies in the fields mentioned above. We currently also produce two pieces of software: PTK, a computer forensic software based upon Sleuthkit, and IncMan, an incident management software which also includes Digital Investigations and Evidence Case Management.
Yuri: How did you become involved in the computer forensic field?
Dario: From a research standpoint, I have been involved in the field since 1999, when I presented my first paper on Onion Routing at the DFRWS – Digital Forensic Research Workshop – of which I am now part of the Technical Committee. Since then, I have written over 50 papers and book chapters and participated in many scientific committees and editorial boards worldwide. I am currently co-editor of and contributor to several forensic and incident/forensics-related ISO standards. From a practitioner standpoint, I ran the computer crime squad at the Italian Financial Police (Guardia di Finanza) in Milano from 1999 to 2003. Finally, I teach incident management at Milano State University at Crema.
Having an MBA helps me to build a better company
Yuri: Do you have any related education? What did you major in at university? What field do you have a degree in?
Dario: After my military studies, I took a degree in organizational sciences from the University of Turin (Italy), a degree in Network Security from Strayer (United States) and an MBA from the University of Liverpool.
I also hold many certifications and specializations, including CFE, CRISC, CGEIT and CISM. I have also studied advanced incident handling at CERT CC (Carnegie Mellon). Having an MBA currently helps me to build a better company and to understand the business concerns behind security incidents and investigations.
Yuri: Please describe your working day. When you get to work, what do you do first? What do you do most of the time? Are there days when you work 14 hours or longer? If so, why?
Dario: My day is split between business and strategic tasks, plus lectures at the University. The company I run is composed of three practices: Consulting, Professional Services and Technologies. While the consulting practice is project driven, and thus has few urgent requests, the Professional Services practice manages over 50 big incidents per year and requires close interaction with the company's top management. The Technology practice, finally, has R&D and technology scouting duties. For all the practices I run the strategic part and delegate the implementation to my first line. However, there are tasks which require my personal involvement: big projects and high-risk incidents. There are moments when I work even 14 hours per day. The rest of my professional life consists of long-distance business trips. We have business worldwide, from Africa to the US, so sometimes I have to be there.
At the beginning, practical examinations were my main fun
Yuri: What do you like about your job most?
Dario: At the beginning, when I started out, practical examinations were my main fun. Then, when the business grew, I had to deal with higher-level matters, and I started to learn and handle strategy and standardization. Currently, I love those two aspects of the company. The strategic part is mostly business-related, while standardization is still a high-level (and delicate) part that also allows me to keep my feet in the scientific and technological layer.
Yuri: What is special about your company and tools?
Dario: From the service and consulting standpoint, all the customers we have (they all have more than 3000 employees and 150M Euro in revenue) recognize our excellence in delivery, flexibility and innovation. The advantages of our technologies are basically two. PTK forensics gives investigators the possibility of investigating the same case from multiple workstations at the same time without spending a huge amount of money; it is the best tool available for small and mid-size labs which have limited budgets and won't spend the same money on other commercial tools. It is also a great platform for training purposes. We have customers such as the London Metropolitan Police, the Norwegian Police Academy, the University of Warwick and many others worldwide. All appreciate the outstanding price/quality ratio of PTK forensics.
IncMan suite, instead, has a module called DIM (Digital Investigation Manager) which can handle over 170 different categories of information, from complete case management down to very granular evidence lifecycle management. It can automatically interact with external forensic tools (such as Encase, FTK, X-Ways etc.), so it can automatically import metadata and evidence info from them. We have many customers worldwide; the software is also localized in Russian and Chinese, and it is getting a lot of interest from the entire community.
Our company is defined as: innovative, flexible, effective and reliable.
Our solution handles 2Tb of data every day
Yuri: What is it about your company or tool that you are proud of?
Dario: DIM – Digital Investigation Management – is a part of the IncMan suite. We are currently the Incident Management Platform of the Security Operations Center (SOC) of a major international bank. More than 2Tb of data handled per day, 200 SOC concurrent users, 15000 end-users worldwide, 150 cases per quarter. It is a huge project that we can surely be proud of.
Yuri: What are your immediate plans with regards to your company? Your solutions?
Dario: We are evaluating many strategic proposals we are receiving from the market. The strategic plan is to grow our presence in the United States and the EMEA region, and to reach 100 employees by 2015. At the moment we are also focused on our product innovation. We recently announced a new version of our PTK and IncMan suite during the TechnoForensic conference in Myrtle Beach. This is the first step of our 24-month software development strategy.
I can openly say I’ve learnt the human nature
Yuri: It was nice to meet you again at this conference! Another question: I guess at your previous job in the Italian police you were involved in forensic investigations yourself, right? Could you have started your own company without this experience? To what extent does this experience help you?
Dario: I would probably have started my own business even without this experience, since I can say that I was an innovator in my past police agency. The unit I founded in 1999 was the first one at national level and was also the first one to conduct an international hacking enforcement operation (http://www.zdnet.co.uk/news/it-strategy/2002/08/02/italian-police-nab-nasa-hackers-2120260/).
That experience, instead, helped me to create innovation in the investigative framework and to improve my management skills. It also gave me the possibility of improving my resistance to the stress caused by the workload and the critical aspects of the investigations. I would say, rather, that I gathered a great deal of investigative experience during my earlier police engagements, when I was working in the Drug Enforcement Unit in Milano, where I can openly say I learnt about human nature.
Yuri: What is the most interesting or unusual investigation you or your company has ever been involved in?
Dario: I must say that every investigation is a different story. The most difficult one was about 7 months ago. 12000 machines were involved. It was pretty tough. We needed different technologies to handle the incident; in the end we were able to solve and eradicate the issue. That gave us a big advance in our experience, especially from a crisis management standpoint. We also needed to act as psychologists, because the customer was in complete panic.
Forensic requires money. That’s the hard truth
Yuri: In your opinion, what is the current state of computer forensic science in Italy? Of legal computer forensic practices?
Dario: Italy is not different from other countries. There are two types of forensic communities: the practitioners and the advanced. The first are usually good but have limited funds and tools, so their attempts at performing investigations and R&D may be limited as well. The second are usually good as well, but have more money to spend (and invest), so the quality of the work is higher and the deliverable is usually faster and more effective. Forensics requires money. That's the hard truth.
Yuri: Are there any obstacles to selling your services in the Italian market?
Dario: DFLabs is a global company, so the Italian market is just part of the game. Currently we haven't found many issues in selling our services and our products, thanks to our high reputation. However, our approach is not just local but international. For example, our official company language is English and we speak Italian only during a limited part of the working time. All our literature is in English, and our software is available in many languages but is not written in Italian.
Small companies are losing ground
Yuri: Cloud computing is becoming very popular now. Do you feel that the forensic market for companies like yours is shrinking because of that? Do you think that forensic investigation itself is going to be much more difficult due to the implementation of the cloud idea?
Dario: Forensics in the cloud is only apparently an issue. It requires standardization for the preservation phase, but it is not an impossible task for those who are already aware of the current scientific (and standardized) state of the art. The same can be said about social networks. Those two ways of doing business will bring forensic investigation from "physical evidence management" up to "logical evidence management". The bottom line is: surely, Cloud Computing (and social network) data preservation cannot be conducted the same way as the conventional kind, but with the help of newly available forensic techniques (and technologies) such tasks are not that difficult. The only real entry barrier is the cost of the investigation. It is becoming higher than before, so small companies are losing ground.
Yuri: Sounds encouraging… unless you are a small company… What do you like most about computer forensics?
Dario: The dynamism of the investigations we are conducting. The quality and the high profile of the customers. The challenges we usually face.
Yuri: Less?
Dario: Low-profile competitors. They usually dump prices and get customers into trouble. Then, when customers understand what has happened, it is too late.
Yuri: You are co-editor of the ISO SC27 Standard on Digital Forensics. What is this standard for? Who are its intended users? What are the intended influence and improvements of its introduction? How did you become involved with it? What is your contribution to it? How much time do you spend working on it? What is the roadmap for this standard's release and implementation?
Dario: At the moment I am the Head of the Italian Delegation for WG4 of ISO SC 27. In particular, I am working as a subject matter expert for ISO 27037, IT Security – Security techniques – Guidelines for identification, collection, acquisition, and preservation of digital evidence. This standard is in an advanced phase and is edited by Prof. Marthie Grobler. I am also co-editor of ISO 27043, a new initiative related to the investigative process. While the first one should be released in its definitive version by the end of 2012 and is related to acquisition, collection and preservation, the second one should be available by the end of 2013 and is focused on the investigative process. I am spending most of my time working with my colleagues at SC 27, with particular reference to advanced case and evidence management topics. Both documents are surely going to become a reference in the field, since they are the result of months of analysis, negotiation and peer review between the various members of the Working Group. Both of them also cover very advanced topics such as Cloud, Live Forensics and so on. My perception is that this series will have the same value and weight as 27001 in the field of forensics.
Yuri: What forensic resources do you regularly read? What would you recommend to others?
Dario: I usually don't follow practitioners' forums and communities. Rather, I follow scientific journals and literature. The International Journal of Digital Investigation (Elsevier) is probably something I would suggest reading.
Prices will get back to the higher segment of the offering; hardware duplicators will disappear in 5 years
Yuri: Please give some predictions of what may happen in the nearest 5 years with computer forensics.
Dario: Business side first. One-man bands and small service companies will disappear due to the cost of service delivery. Personal and company liabilities (especially for those who work in e-discovery in the USA and UK) will increase, along with insurance costs. After a period of price dumping, prices will get back to the higher segment of the offering and we will witness a new wave of company consolidation and M&A. Companies with an annual revenue stream below 2M USD will be targeted by the bigger fish or will need to raise capital to avoid hard times.
Small software companies will increase in value. They will probably be subject to acquisition by bigger fish as well.
Now the technical side. The role of "old-fashioned" data preservation (e.g. conventional disk duplication) will change. A new wave of "dynamic", standardized data preservation methods will succeed. Vertical examiner specialization and focus will be necessary. Live Forensics and Incident Response will become fundamental; single disk/examiner investigations will be superseded by distributed forensics and multi-user investigations. Hardware duplicators will become a commodity and will disappear in the next 5 years. Open source forensics will probably be replaced by high-profile and advanced vendor-made technologies, due to the lack of budget in the Open Source Community (unless funded by Gov and Intelligence).
Level 3 Advanced Network Forensics will become a milestone. Remote forensics and incident response will become a milestone as well.
Yuri: Can you please give our readers a few personal details?
Dario: I am 43 years old, I love to travel… at least I think I must – I grew up in Naples (Italy), then lived in NYC and South America, but I met my Russian wife in Estonia. So far, I have collected over 450k air miles.
I live in the countryside with my family and our dogs. There are lots of open roads on which to indulge my passion for cycling, and I have been known to do more than 150km a week!
I have founded and manage a great group of professionals at DFLabs; the best I can do now is keep them satisfied in their day-by-day jobs. When it comes to building a team I live by this mantra: "The less you associate with some people, the more your life will improve. Any time you tolerate mediocrity in others, it increases your mediocrity" (Powell). Frankly, I couldn't agree more.
Yuri: Thanks for the interview, Dario, this was indeed very interesting!