In this interview Pasquale Stirparo, forensic and security researcher at the European Commission, speaks about his passion for his work, his research, forensic standardization and mobile malware-related questions.
Pasquale Stirparo is a Digital Forensics and Mobile Security Researcher at the Joint Research Centre of the European Commission. His main research interests revolve around the security and privacy issues related to mobile device communication protocols and mobile applications, mobile malware, mobile forensics and cybercrime. He is also involved in, and very interested in, the Digital Forensics field from the “standardization” point of view. Prior to joining JRC, Pasquale was working as a Security Consultant and Digital Forensics Analyst for an Italian-based private company. He has also been invited as a speaker to several Italian conferences and seminars on Digital Forensics and as a lecturer on the same subject for Politecnico di Milano and the United Nations (UNICRI). Pasquale is also currently enrolled as a Ph.D. student at the Royal Institute of Technology (KTH) of Stockholm, holds an MSc in Computer Engineering from Politecnico di Torino and is certified GCFA, OPST, OWSE, ECCE.
Yuri: Pasquale, please briefly describe your current organization and your role there. What is the goal of your institute and what area is covered by its activities?
Pasquale: The Joint Research Centre (JRC) is one of the Directorates-General (DGs) of the European Commission; its mission is to provide scientific advice and technical know-how to support a wide range of EU policies. Its status as a Commission service, which guarantees independence from private or national interests, is crucial for pursuing its mission.
I work at the Institute for the Protection and Security of the Citizen (IPSC), in the Digital Citizen Security Unit. The goal of my group is to “investigate, assess, and forecast issues of the exploitation – intentional or unintentional – of personal digital data of citizens in our forthcoming digital society”.
Mobile botnets and mobile malware will be a big issue in the near future
I work as a Digital Forensics and Mobile Security Researcher, and at the same time I’m enrolled as a Ph.D. student at the Royal Institute of Technology (KTH) of Stockholm. My research interests include security and privacy issues related to mobile device communication protocols (Bluetooth, NFC, GSM, etc.) and applications, mobile malware, mobile forensics and cybercrime. On the mobile communication protocol part I’m currently working on “fuzz testing” the NDEF (NFC Data Exchange Format), to find potential vulnerabilities in the NFC message format, and also on the level of security of current NFC mobile payment solutions. On the mobile applications part my colleague and I are studying several categories of applications using different methodologies, in order to find leaks of sensitive information and therefore privacy risks for the users. Mobile forensics plays an important role as one of the methodologies used to analyze the mobile phones. Finally, I also started to look into mobile malware and mobile botnets. Although we don’t see many mobile botnets now and mobile malware is still perceived as low risk compared to its desktop counterpart, I believe it will be a big issue in the near future. On this last aspect of my work, it is clear how and why mobile forensics and cybercrime are linked.
I was very hungry to learn
Yuri: How did you become involved in the computer forensics field? Do you have any related education? What did you major in at university? What field do you have a degree in?
Pasquale: I got my Master’s Degree in Computer Engineering in 2008, within the double degree program between Politecnico di Torino and the Royal Institute of Technology (KTH) of Stockholm, with a specialization in Information and Communication System Security. Immediately after, I started working as a penetration tester at @mediaservice.net, an Italian-based security company. I didn’t really know much about computer forensics at that time. After a couple of months, there was a need in the company to train more staff in the forensics division. I was very hungry to learn anything I could, so I started training night and day. It was a fascinating world to me. A few months later I got my GCFA (GIAC Certified Forensics Analyst) certification and after one year (and tons of analysis and investigations) I was the main forensics analyst in the company.
Twitter is the best source of forensics news
Yuri: Please describe your working day. When you get to work, what do you do first? What do you do most of the time? Are there days when you work 14 hours or longer? If so, why?
Pasquale: I’m not really a morning person, so I start the day emptying my inbox in front of a cup of coffee and then I go through my different sources of forensics and security news, and Twitter is by far the best of all of them. After that, I try to get rid of any “documentation” part like reports, administrative papers to fill in, etc., so that by the time I have finished the “boring” part my brain is completely ready to start the research work. In this I include reading papers and technical books and practical code development.
I’m very enthusiastic and passionate about my work
For me (luckily or not) my job is also my big passion and sometimes even my hobby. So I happen to work 14 hours or more; my average I would say is around 12 hours a day, and almost every weekend I spend a big amount of time on it. This is not because my boss requires it: I do my normal schedule at the office and then I keep working on my other projects at home at night. It’s because I’m very enthusiastic and passionate about it; I often have new ideas that I want to try, new things that I want to learn. Moreover, since I believe very much in the community and in the sharing of knowledge, I’m involved in several organizations, some of them with active roles. This is one more reason why I spend so many hours “working”.
Attorneys and forensics analysts often don’t speak the same language
Yuri: You teach computer forensics; what can you say about today’s students? Are they smarter than you were at their age? Are they future forensics stars?
Pasquale: I like to refer to it as digital forensics instead of computer forensics, since now it covers many more aspects than just computers.
So far I’ve never had the chance to teach people younger than me, because even when I did lectures for the university, it was for post-degree specialization courses, and when I was teaching I was 25 and 26 years old. Moreover, most of my courses (especially the ones for the United Nations) were targeting attorneys and law enforcement officials, with only a few seminars for pure technicians. This is because one of the aspects/issues on which I was (and I’m still) insisting very much is the fact that attorneys and forensics analysts often don’t speak the same language. This is particularly true in my country (Italy), and you can understand that it is of vital importance to bring the two categories closer to one another, due to the impact of the work they have to do together. I haven’t seen any future stars yet, but I have to say that finally many attorneys are becoming aware of and trained in digital forensics, and this is very promising for the future.
Yuri: Do you often travel for business? What events do you speak at?
Pasquale: Having started the new job just 15 months ago, the first year was, let’s say, one of “preparation”, so hopefully there will be the chance of publishing and presenting some interesting work at conferences. But so far not yet.
My work has a positive impact on society
Yuri: What do you like about your job most? Least?
Pasquale: Now that I’m doing mainly research, the best thing is to leave complete freedom to my creativity and problem-solving attitude. It’s very stimulating. When I was more involved in criminal investigations (in my previous work it was on a daily basis), the idea that with my work and my knowledge I could help to put criminals in jail, and so have a positive impact on society, was very gratifying. You have to think that my father is a doctor, so I grew up with this “model/example” of putting your knowledge at other people’s service, to help them, to do good things. He was saving lives; I didn’t really know how I would end up helping people by starting to study computer engineering (you have to admit that it can be really hard to link the two things when you are 18), but I found myself in forensics helping, if not saving, people’s lives in a certain way. This is what I like most about our job.
On the other hand, I must say that having to analyze certain types of evidence can be very unpleasant, and you cannot step back when it happens.
Yuri: What is it about your current or previous job that you are proud of? An important case solved with your help/tools?
Pasquale: You are proud of every case you solve. But there are two that I think I will always remember. One is the first case I took the lead on; it was a big one, around 10 terabytes to acquire and analyze, over one year of investigation that ended up with more than 900 pages of reports. The second one is a case where the system administrator was stealing confidential documents from the CEO and other managers. I remember I found a group of WAV files in a weird folder. While looking at them at first sight with a hex editor, I recognized the starting sequence of a Word file inside the audio one, which turned out to be one of the stolen documents. I was still at the very beginning, so I was very proud of that.
Yuri: Did you ever appear in a court to present your findings?
Pasquale: While I have done many forensics investigations myself, some assisting law enforcement officials, others for private companies, I have never had to appear in court to defend them.
Yuri: What are your immediate plans with regards to your job?
Pasquale: I have some ideas about some forensics tools I would like to develop, and my plan is to focus more and more (if not completely) on mobile security and mobile forensics. Plus I’m also doing my Ph.D. at the same time, which I plan to finish by 2014, so I need to speed up.
I was lucky to follow the path from pen-tester to forensics analyst
Yuri: You are a pen-tester and vulnerability expert. Can you tell us a bit more about these activities?
Pasquale: This is the way I started. I think it would be very useful for all forensics practitioners to have that background, also in order to be able to think like a potential intruder. This would help a lot in both IR and forensics analysis. I admit that I was lucky to follow the path from pen-tester to forensics analyst; it wasn’t planned.
In the field of digital forensics, there are many things that cannot be standardized
Yuri: You are a contributor to one of the ISO standards. Please describe your work there. What have you done and why do they need this standard? What was your motivation to work on it? Who should be using this standard?
Pasquale: Standardization is something I’ve been interested in almost since the beginning. This is because our field is full of “best practices” and “supposed-to-be best practices”, which don’t help to give them the official character they deserve. This doesn’t even help against the fragmentation that affects this community and that we often hear discussed. It is also true and obvious that, due to the nature of this field, there are many things that cannot be standardized, such as the interpretation of digital evidence just to give an example, also because technology and tools change at a faster pace than a standard could. But a general methodology, yes, this can and should be standardized and acknowledged by the community. That’s why I believed from the beginning in the development of ISO 27037 “Guidelines for identification, collection, acquisition, and preservation of digital evidence”. As you know, this first part of the forensics process is very important; any mistake during the acquisition or collection may completely invalidate the evidence and therefore compromise the rest of the investigation and the trial. In this phase, as well as during the preservation, a methodology can be applied independently of the tools used. A sort of checklist to follow, that will prevent the practitioner from making mistakes or following a procedure that may be questioned in court. And this should be somehow certified.
In this regard, the newborn Standards Committee of the Consortium of Digital Forensics Specialists (CDFS), of which I’m also an active member, has started to collect all the standards that are around to draw a sort of line about the current state of standardization in the forensics field: which standards are really valuable, which are not and what is missing. In this committee there are real forensics practitioners, people with hands-on experience who know what they are talking about (something that is usually missing in many “high level” committees), and it’s chaired by Pavel Gladyshev, who is highly knowledgeable.
Yuri: Wow, this world is indeed small, we at Belkasoft have also worked with Pavel.
There are too many “cheap supposed-to-be forensics experts”
Yuri: In your opinion, what is the current state of computer forensic science in Europe? Of legal computer forensic practice there?
Pasquale: I think in Europe we are a “bit behind schedule”, due to few high-level training opportunities and investments in the field until recently. Luckily the trend is changing: more and more universities in recent years are starting new degree programs entirely focused on digital forensics, and governments are investing more in training LEA as well. Also the announcement by the European Commission of the establishment of the Cybercrime Centre from 2013 is a positive signal towards increasing the effort and the investment in digital forensics as well.
The only problem still persisting is that there are too many “cheap supposed-to-be forensics experts” around, and this is due to the fact that it’s a profession that is not easy to regulate. It’s not always true that someone who has a certification is a good one, just as it’s not true that someone who doesn’t have any certification is not good at all.
We will lose the great advantage of data carving
Yuri: Cloud computing is becoming very popular now. Do you think that forensic investigation itself is going to be much more difficult due to the implementation of the cloud idea?
Pasquale: I’ve never been very fond of the cloud computing concept, even less when it comes to forensics. Although all the big vendors keep advertising all the benefits that cloud implementation will bring to computer forensics as well, I think it will be more difficult, especially regarding the phase of data collection. Let’s just take as an example a cloud OS, a browser-based web desktop. According to the cloud paradigm, user data can be anywhere in the cloud. This means that all the data of one user could even be on two different servers in two different countries. Therefore, while now law enforcement needs a warrant from a local prosecutor to confiscate the PC of a suspect or person under investigation, in the cloud scenario there is the need for one or more international warrants. This will dramatically increase the time needed to obtain that data and to prevent the person under investigation from accessing it. Moreover, even thinking about the “immediate freeze”, which is the biggest “forensics feature” cloud providers are advertising all over, we will lose the great advantage of data carving, since all we will have will be a logical image of the system.
Yuri: What should every investigator know about mobile malware?
Pasquale: There is no simple answer to this. It’s a relatively new area that is rising very quickly and it will be one of the major trends in the near future in my opinion, because smartphones are always-on, always-connected devices, which are extremely attractive characteristics for malware writers. I think that for those who would like to start working on mobile malware, it is very important first to learn smartphone internals and their architecture, understanding first how the device works.
Yuri: What forensic resources do you regularly read? What would you recommend to others?
Pasquale: I really get a lot from several mailing lists such as win4n6, sans-gcfa and Forensic Focus. These are the best places to learn and contribute to the community by exchanging ideas, doubts and the personal experiences of each practitioner. Then the must-read blogs are windowsir by Harlan Carvey and the SANS Forensics blog, my subscription to Digital Forensics Magazine and finally Twitter. Making a list of people and topics to follow on Twitter is the best and quickest way to stay updated; I really advise it. I’m also responsible for a monthly forensics newsletter for one of the associations I’m involved in, Digital Forensics Alumni, which has received a lot of positive feedback so far.
Finally, I also read a lot of conference papers, but this is mostly for those who are involved and interested in research and development more than just in how to carry out their daily forensics analysis.
The need for mobile forensics experts will increase exponentially
Yuri: Please give some predictions of what may happen in the next 5 years with computer forensics.
Pasquale: 5 years in the IT world is almost like an era; just think that 5 years ago the first iPhone was just coming out, with its consequent “revolution” for the mobile world. It’s not an easy prediction to make, but I think the need for mobile forensics experts will increase exponentially.
Yuri: Can you tell any funny story related to computer forensics?
Pasquale: It’s about an old judge, apparently not very aware of computers in general, who asked to have the content of the whole hard disk printed. (smiling)
Yuri: How old are you?
Yuri: How many kids do you have?
Pasquale: I’m not married, nor do I have kids.
Yuri: How do you spend your free time?
Pasquale: I’m a very social person; I love to be surrounded by my friends, so I do most of my activities with them. These activities are cooking (a lot), travelling, doing sports (several), going to the theater and cinema. When I cannot be with them, I love reading and listening to music. I also try to play guitar, but clearly I wasn’t born to be a musician. (smiling)
Yuri: Heh, I play guitar as well! How many hours of sleep do you usually get?
Pasquale: As little as I can. I try to sleep around 5 to 6 hours per night when I manage, although it often happens that I sleep less. Unfortunately 24 hours are not enough to do all the things I want. (smiling)
Yuri: What is your favorite vacation spot?
Pasquale: Anywhere as long as there is the sea.
I’m crazy about football
Yuri: Do you do any sports? Which one? What is your preference in watching professional sports?
Pasquale: I’m Italian, so of course I’m crazy about football. But I also go jogging, I like swimming and a year ago I started sailing, which is great.
Yuri: When did you have your last vacation? A real vacation, without any Internet and calls from your colleagues or customers?
Pasquale: It has happened only once so far. Summer 2011, last week of August. It was one whole week on a sailing boat in the Mediterranean Sea, so clearly I could not take my laptop with me. That’s the only way to prevent me from being in front of my computer and connected to the Internet, even when I’m on holiday. (smiling)
Yuri: Do you have a dream?
Pasquale: When I started university I was dreaming that one day I would receive the Turing Award, which would mean that your knowledge and contribution to the community have been acknowledged by your peers. Now my dream is to build a family and have children.
Yuri: Pasquale, thank you for your interview!