Month: October 2017

Interview with Pasquale Stirparo

In this interview, Pasquale Stirparo, forensic and security researcher at the European Commission, speaks about his passion for his work, his research, forensic standardization and mobile malware.

Pasquale Stirparo is a Digital Forensics and Mobile Security Researcher at the Joint Research Centre of the European Commission. His main research interests revolve around the security and privacy issues of mobile device communication protocols and mobile applications, mobile malware, mobile forensics, and cybercrime. He is also involved in, and very interested in, the Digital Forensics field from the “standardization” point of view. Prior to joining the JRC, Pasquale worked as a Security Consultant and Digital Forensics Analyst for an Italian private company. He has also been an invited speaker at several Italian conferences and seminars on Digital Forensics and a lecturer on the same subject for Politecnico di Milano and the United Nations (UNICRI). Pasquale is also currently a Ph.D. student at the Royal Institute of Technology (KTH) in Stockholm, holds an MSc in Computer Engineering from Politecnico di Torino and is certified GCFA, OPST, OWSE, ECCE.

Pasquale Stirparo, Digital Forensics and Mobile Security Researcher at the Joint Research Centre of the European Commission.

Yuri: Pasquale, please briefly describe your current organization and your role there. What is the goal of your institute and what area is covered by its activities?

Pasquale: The Joint Research Centre (JRC) is one of the Directorates-General (DGs) of the European Commission; its mission is to provide scientific advice and technical know-how to support a wide range of EU policies. Its status as a Commission service, which guarantees independence from private or national interests, is crucial for pursuing its mission.

I work at the Institute for the Protection and Security of the Citizen (IPSC), in the Digital Citizen Security Unit. The goal of my group is to “investigate, assess, and forecast issues of the exploitation – intentional or unintentional – of personal digital data of citizens in our forthcoming digital society”.

Mobile botnets and mobile malware will be a big issue in the near future

I work as a Digital Forensics and Mobile Security Researcher, and at the same time I’m enrolled as a Ph.D. student at the Royal Institute of Technology (KTH) of Stockholm. My research interests include security and privacy issues related to mobile device communication protocols (Bluetooth, NFC, GSM, etc.) and applications, mobile malware, mobile forensics, and cybercrime. On the mobile communication protocol side I’m currently working on “fuzz testing” the NDEF (NFC Data Exchange Format), to find potential vulnerabilities in the NFC message format, and also on the level of security of current NFC mobile payment solutions. On the mobile applications side, my colleague and I are studying several categories of applications using different methodologies, in order to find leaks of sensitive information and therefore privacy risks for the users. Mobile forensics plays an important role as one of the methodologies used to analyze the mobile phones. Finally, I have also started to look into mobile malware and mobile botnets. Although we don’t see many mobile botnets now and mobile malware is still perceived as low risk compared to its desktop counterpart, I believe it will be a big issue in the near future. On this last aspect of my work, it is clear how and why mobile forensics and cybercrime are linked.

I was very hungry to learn

Yuri: How did you become involved in the computer forensics field? Do you have any related education? What did you major in at university? What field do you have a degree in?

Pasquale: I got my Master’s Degree in Computer Engineering in 2008, within the double degree program between Politecnico di Torino and the Royal Institute of Technology (KTH) of Stockholm, with a specialization in Information and Communication System Security. Immediately afterwards I started working as a penetration tester at an Italian security company. I didn’t really know much about computer forensics at that time. After a couple of months the company needed to train more staff for its forensics division; I was very hungry to learn anything I could, so I started training night and day. It was a fascinating world to me. A few months later I got my GCFA (GIAC Certified Forensics Analyst) certification and after one year (and tons of analyses and investigations) I was the main forensics analyst in the company.

Twitter is the best source of forensics news

Yuri: Please describe your working day. When you get to work, what do you do first? What do you do most of the time? Are there days when you work 14 hours or longer? If so, why?

Pasquale: I’m not really a morning person, so I start the day emptying my inbox in front of a cup of coffee and then I go through my different sources of forensics and security news, and Twitter is by far the best of all of them. After that, I try to get rid of any “documentation” part like reports, administrative papers to fill in, etc., so that by the time I’ve finished the “boring” part my brain is completely ready to start the research work. In this I include reading papers and technical books, and practical code development.

I’m very enthusiastic and passionate about my work

For me (luckily or not) my job is also my big passion and sometimes even my hobby. So I happen to work 14 hours or more; my average I would say is around 12 hours a day, and almost every weekend I spend a big amount of time on it. This is not because my boss requires it: I do my normal schedule at the office and then I keep working on my other projects at home at night. It’s because I’m very enthusiastic and passionate about it; I often have new ideas that I want to try, new things that I want to learn. Moreover, since I believe very much in the community and in the sharing of knowledge, I’m involved in several organizations, some of them in active roles. This is one more reason why I spend so many hours “working”.

Attorneys and forensics analysts often don’t speak the same language

Yuri: You teach computer forensics; what can you say about today’s students? Are they smarter than you were at their age? Are they future forensics stars?

Pasquale: I like to refer to it as digital forensics instead of computer forensics since now it covers many more aspects than just computers.

So far I’ve never had the chance to teach people younger than me, because even when I lectured at the university it was a post-degree specialization course, and I was 25 or 26 years old at the time. Moreover, most of my courses (especially the one for the United Nations) were targeting attorneys and law enforcement officials, with only a few seminars for pure technicians. This is because one of the issues I was (and still am) insisting on very much is the fact that attorneys and forensics analysts often don’t speak the same language. This is particularly true in my country (Italy), and you can understand that it is of vital importance to bring the two categories closer to each other, given the impact of the work they have to do together. I haven’t seen any future stars yet, but I have to say that finally many attorneys are becoming aware of and trained in digital forensics, and this is very promising for the future.

Yuri: Do you often travel for business? What events do you speak at?

Pasquale: Having started the new job just 15 months ago, the first year was a year of “preparation”, let’s say, so hopefully there will be the chance of publishing and presenting some interesting work at conferences. But so far not yet.

My work has a positive impact on society

Yuri: What do you like about your job most? Less?

Pasquale: Now that I’m doing mainly research, the best thing is being able to give complete freedom to my creativity and problem-solving attitude. It’s very stimulating. When I was more involved in criminal investigations (in my previous job it was on a daily basis), the idea that with my work and my knowledge I could help to put criminals in jail, and so have a positive impact on society, was very gratifying. You have to consider that my father is a doctor, so I grew up with this “model/example” of putting your knowledge at other people’s service, to help them, to do good things. He was saving lives; I didn’t really know how I would end up helping people by starting to study computer engineering (you have to admit that it can be really hard to link the two things when you are 18), but I found myself in forensics helping, if not saving, people’s lives in a certain way. This is what I like most about our job.

On the other hand, I must say that having to analyze certain types of evidence can be very unpleasant, and you cannot step back when it happens.

Yuri: What is it about your current or previous job that you are proud of? An important case solved with your help/tools?

Pasquale: You are proud of every case you solve. But there are two that I think I will always remember. One is the first case I took the lead on; it was a big one, around 10 terabytes to acquire and analyze, over one year of investigation that ended up with more than 900 pages of reports. The second one is a case where the system administrator was stealing confidential documents from the CEO and other managers. I remember I found a group of wave files in a weird folder. While looking at them at first sight with a hex editor, I recognized the starting sequence of a Word file inside the audio one, which turned out to be one of the stolen documents. I was still at the very beginning, so I was very proud of that.

Pasquale and the digital whiteboard.

Yuri: Did you ever appear in a court to present your findings?

Pasquale: While I have done many forensics investigations myself, some assisting law enforcement officials, some others for private companies, I never had to appear in court to defend them.

Yuri: What are your immediate plans with regards to your job?

Pasquale: I have some ideas about some forensics tools I would like to develop, and my plan is to focus more and more (if not completely) on mobile security and mobile forensics. Plus I’m also doing my Ph.D. at the same time, which I plan to finish by 2014, so I need to speed up.

I was lucky to do the path from pen-tester to forensics analyst

Yuri: You are a pen-tester and vulnerability expert. Can you tell us a bit more about these activities?

Pasquale: This is the way I started. I think it would be very useful for all forensics practitioners to have that background, also in order to be able to think like a potential intruder. This would help a lot both in IR and forensics analysis. I admit that I was lucky to do the path from pen-tester to forensics analyst, it wasn’t planned.

In the field of digital forensics, there are many things that cannot be standardized

Yuri: You are a contributor to one of the ISO standards. Please describe your work there. What have you done and why is this standard needed? What was your motivation to work on it? Who should be using this standard?

Pasquale: Standardization is something I’ve been interested in almost since the beginning. This is because our field is full of “best practices” and “supposed-to-be best practices”, which doesn’t help to give them the official character they deserve. It doesn’t help either against the fragmentation that affects this community and that we often hear discussed. It is also true and obvious that, due to the nature of this field, there are many things that cannot be standardized, such as the interpretation of digital evidence just to give an example, also because technology and tools change at a faster pace than a standard could. But a general methodology, yes, this can and should be standardized and acknowledged by the community. That’s why I believed from the beginning in the development of ISO 27037, “Guidelines for identification, collection, acquisition, and preservation of digital evidence”. As you know, this first part of the forensics process is very important; any mistake during the acquisition or collection may completely invalidate the evidence and therefore compromise the rest of the investigation and the trial. In this phase, as well as during preservation, a methodology can be applied independently of the tools used. A sort of checklist to follow, that will prevent the practitioner from making mistakes or following a procedure that may be questioned in court. And this should somehow be certified.

In this regard the newly formed Standards Committee of the Consortium of Digital Forensics Specialists (CDFS), of which I’m also an active member, has started to collect all the standards that are around, to draw a sort of line about the current state of standardization in the forensics field: which standards are really valuable, which are not, and what is missing. In this committee there are real forensics practitioners, people with hands-on experience who know what they are talking about (something that is usually missing in many “high level” committees), and it’s chaired by Pavel Gladyshev, who is highly knowledgeable.

Yuri: Wow, this world is indeed small, we at Belkasoft have also worked with Pavel.

There are too many “cheap supposed-to-be forensics experts”

Yuri: In your opinion, what is the current state of computer forensic science in Europe? Of legal computer forensics practice there?

Pasquale: I think in Europe we are a “bit behind schedule”, due to the few high-level training opportunities and investments in the field until recently. Luckily the trend is changing: in the last few years more and more universities are starting new degree programs entirely focused on digital forensics, and governments are investing more in training LEA as well. Also, the announcement by the European Commission of the establishment of the Cybercrime Centre from 2013 is a positive signal towards increasing the effort and the investments in digital forensics too.

The only problem still persisting is that there are too many “cheap supposed-to-be forensics experts” around, and this is due to the fact that it’s a profession that is not easy to regulate. It’s not always true that someone who has a certification is good, just as it’s not true that someone who doesn’t have any certification is not good at all.

We will lose the great advantage of data carving

Yuri: Cloud computing is becoming very popular now. Do you think that forensic investigation itself is going to be much more difficult due to the cloud idea implementation?

Pasquale: I’ve never been very fond of the cloud computing concept, even less when it comes to forensics. Although all the big vendors keep advertising all the benefits that cloud implementation will bring to computer forensics as well, I think it will be more difficult, especially regarding the phase of data collection. Let’s just take as an example a cloud OS, a browser-based web desktop. According to the cloud paradigm, user data can be anywhere in the cloud. This means that all the data of one user could even be on two different servers in two different countries. Therefore, while now law enforcement needs a warrant from a local prosecutor to confiscate the PC of a suspect or person under investigation, in the cloud scenario there is the need for one or more international warrants. This will dramatically increase the time needed to obtain those data and to prevent the person under investigation from accessing them. Moreover, even thinking about the “immediate freeze”, which is the biggest “forensics feature” cloud providers are advertising all over, we will lose the great advantage of data carving, since all we will have is a logical image of the system.

Yuri: What should every investigator know about mobile malware?

Pasquale: There is no simple answer to this. It’s a relatively new area that is growing very quickly, and in my opinion it will be one of the major trends in the near future, because smartphones are always-on, always-connected devices, which are extremely attractive characteristics for malware writers. I think that for those who would like to start working on mobile malware, it is very important first to learn smartphone internals and their architecture, understanding first how the device works.

Pasquale and the digital glass of wine.

Yuri: What forensic resources do you regularly read? What would you recommend to others?

Pasquale: I really get a lot from several mailing lists such as win4n6, sans-gift and forensics focus. These are the best places to learn and to contribute to the community by exchanging ideas, doubts and the personal experiences of each practitioner. Then the must-read blogs are the Windows blog of Harlan Carvey and the SANS Forensics blog, my subscription to Digital Forensics Magazine and finally Twitter. Making a list of people and topics to follow on Twitter is the best and quickest way to stay updated; I really advise it. I’m also responsible for a monthly forensics newsletter for one of the associations I’m involved in, Digital Forensics Alumni, which has received much positive feedback so far.

Finally, I also read a lot of conference papers, but this is mostly for those who are involved and interested in research and development more than just in how to carry out their daily forensics analysis.

The need for mobile forensics experts will increase exponentially

Yuri: Please give some predictions of what may happen in the nearest 5 years with computer forensics.

Pasquale: 5 years in the IT world is almost like an era; just think that 5 years ago the first iPhone was just coming out, with its consequent “revolution” for the mobile world. It’s not an easy prediction to make, but I think the need for mobile forensics experts will increase exponentially.

Yuri: Can you tell any funny story related to computer forensics?

Pasquale: It’s about an old judge, apparently not very aware of computers in general, who asked to have the content of the whole hard disk printed. (smiling)

Yuri: How old are you?

Pasquale: 28

Yuri: How many kids do you have?

Pasquale: I’m not married, nor do I have kids.

Yuri: How do you spend your free time?

Pasquale: I’m a very social person, I love to be surrounded by my friends, so I do most of my activities with them. These activities are cooking (a lot), traveling, doing sports (several), going to the theater and cinema. When I cannot be with them, I love reading and listening to music. I also try to play guitar, but clearly I wasn’t born to be a musician. (smiling)

Yuri: Heh, I am playing guitar as well!

How many hours of sleep do you usually have?

Pasquale: As little as I can. I try to sleep around 5 to 6 hours per night when I manage, although I often sleep less. Unfortunately, 24h is not enough to do all the things I want. (smiling)

Yuri: What is your favorite vacation spot?

Pasquale: Anywhere as long as there is the sea.

I’m crazy about football

Yuri: Do you do any sports? Which one? What is your preference in watching professional sports?

Pasquale: I’m Italian, so of course I’m crazy about football. But I also do jogging, I like swimming, and a year ago I started sailing, which is great.

Yuri: When did you have your last vacation? A real vacation, without any Internet and calls from your colleagues or customers?

Pasquale: It happened only once so far. Summer 2011, last week of August. It was one whole week on a sailing boat, in the Mediterranean Sea, so clearly I could not take my laptop with me. That’s the only way to prevent me from being in front of my computer and connected to the Internet, even if I’m on holidays. (smiling)

Pasquale on a digital yacht (but without the laptop!)

Yuri: Do you have a dream?

Pasquale: When I started university I was dreaming that one day I would receive the Turing Award, which would mean that your knowledge and contribution to the community have been acknowledged by your peers. Now my dream is to build a family and have children.

Yuri: Pasquale, thank you for your interview!

Interview with Ilya Sachkov

In this interview Ilya Sachkov, Founder and CEO of Group-IB, tells us about DDoS and malware threats as well as the specifics of Russian cybercrime.

Ilya Sachkov, CISM, is the founder and head of Group-IB, the leading Russian company specializing in the investigation of computer crime, information security breaches, and computer forensics. He is the author of a methodology for investigating the circumstances of DDoS attacks, and a member of the International Information Systems Forensics Association (IISFA), the Association of Certified Fraud Examiners (ACFE), the Honeynet Project, the Russian Information Systems Security Professional Association (RISSPA) and the Committee against Cyber-Crime at the Russian Association of Electronic Communication (RAEC).

Ilya Sachkov, the founder and head of Group-IB, expert in DDoS attack investigations

Yuri: Ilya, what is your current job?

Ilya: Now I’m holding the position of General Manager at Group-IB. I’m responsible for long-term development planning, bringing new products and services to the market, and collaboration with strategic partners from business and law-enforcement agencies. I keep our development within the values that lay the foundation of our business and guarantee that all the employees, and the company in general, are as professional as possible. Apart from management, I try (but it happens rarely) to take part in the most high-profile investigations. In addition, I’m co-chairman of the commission for cybercrime in the Russian Association for Electronic Communications and an expert on cybercrime in the Russian Duma.

My first investigation was in the 11th year of school

Yuri: How did you become involved in the computer security field?

Ilya: I studied in the physics and math school-laboratory #444 in Moscow. The training in Information Security started when I was in the 9th form. When I was in the 11th form, I clearly understood who I would be and took part in my first investigation for the Ministry of Education and Science. At that time unknown persons used schools’ logins and passwords to get free Internet access. They used malicious software for gathering the information. For me it was very interesting, and I got my first reward for that investigation.

Being a senior, I was giving lectures to our lecturers

Yuri: Do you have any related education? What did you major in at university?

Ilya: I graduated with honors from Bauman MSTU in Moscow. I studied at the Information Security Department of the Faculty of Information and Management Systems. There I adopted a systematic approach to information processing. But all of the special skills were gained through self-education or during work. In my upper years it happened that I gave lectures to some of our teachers.

Yuri: Please describe your working day. When you get to work, what do you do first? What do you do most of the time?

Ilya: Fortunately, I don’t have a typical working day. The day is overwhelmed with meetings and conferences and often with speeches at different events. Usually it starts at 9-10 AM and ends late at night. Thanks to the possibility of remote work, I do many things at home. It happened that I worked through a whole vacation because there was Internet access in the hotel. But life has shown that it’s not the best way of relaxing. That’s why I started to go offline.

Our business is not just about earning money

Yuri: What do you like about your job most? Less?

Ilya: What I like most is that our business is not just a way of making money. There’s a huge meaning for the entire society. The job we are doing helps to expose offenders, decrease the number of incidents, get the money back, and so on. It involves travel, danger and even a kind of romance. We always have to learn and discover something new, speak in public, meet people. What I like less is that we have winter and bad weather in autumn, but I think that’s not about the job itself.

The first investment in our company was returned in a week

Yuri: You would not complain about that if you tried spending these seasons in St. Petersburg rather than in Moscow (smiling). How did you join your company? How did it start and what is its main differentiation from others?

Ilya: I started to work in the 11th form. It was my luck that I managed to work in responsible positions in the field of information security in large and international companies when I was very young. At some moment I felt bored. So I understood that information security is not the thing I actually wanted. All that time I kept remembering the investigations of the incidents at school and tried to work with incidents and investigations as much as possible. At some point I got an American book about computer crime investigations, «Incident Response: Investigating Computer Crime» by Kevin Mandia and Chris Prosise. I was wondering who was doing the same things in Russia and discovered that no such organization existed. When I asked a representative of the K-department (the special police department for stopping computer crime) “Can I come to work with you?” he just said “No”. (Now we perform 30-40% of our work at the request of the police.) So I had to establish my own business. We started with a small lab at MSTU, but very soon we could rent our own office. The first investment of $5 000 was repaid in a week, when we got our first investigation. After just half a year we were overwhelmed with work from the police and commercial organizations. This happened despite the fact that in 2003 very few people understood what business in the field of computer crime and investigations is.

Yuri: What is special about your company?

Ilya: First of all, we are the only company of our kind in the CIS. We managed to attract professional specialists in our field one by one. For now, we are always invited to every high-profile or difficult case linked with cybercrime or malfeasance in information technologies. So we are at the sharpest edge of the fight against cybercrime and can see its most current and deep aspects.

Our customers call us magicians

Yuri: What is the most unusual thing a customer has ever said about your company or your solutions?

Ilya: Usually our clients don’t believe that it’s possible to find an offender or bring him to book. When it happens they say “How did you do it?” They even call us magicians, but of course we work without any magic.

Yuri: What is the most challenging investigation you have ever been involved in?

Ilya: For example, in 2012 the biggest gangs in the history of Russian cybercrime were identified and arrested during our investigations. In addition, we participated in the first Russian case in which the client, organizer and executor of a large DDoS attack were all discovered. There are also some investigations we can’t talk about, even if we want to. Speaking about large-scale international investigations, I should mention the case of the spammer Leo Kuvaev.

Our company is the best expert in Russian cybercrime

Yuri: What is it about your company or tools that you are proud of?

Ilya: I’m proud of the statistics for completed investigations – it’s about 90%. The remaining 10% we use to produce new utilities, methods, and recommendations that will help the customer to prepare for an incident better and be sure of the possibility of an investigation. Our company became the best expert in Russian cybercrime. That’s why the Russian media contact us on all questions linked with information security. We are very proud of it and will not leave our position as #1 in this field.

Yuri: Your company has recently opened an office in the USA. Is it tough for a Russian organization to get trust from American customers? Russia and China are considered untrustworthy countries due to the amount of cybercrime, so it is hard to imagine how cautious Americans come to trust you.

Ilya: There was no risk in opening an American office. Among our clients there are international and, generally, American companies which need our support and help within the Russian market. US companies tried to involve American criminalists and investigators but didn’t achieve any notable result. There are a lot of specific Russian nuances which have to be taken into account: legal peculiarities, technical questions, not to mention the simple language barrier. That’s why half of our clients are international companies which want to get high-quality services in Russia. For example, we are the vendor for CIS investigations for Microsoft.

While opening the US office, we had a minimum plan:

1. Support existing clients from the USA by being physically available (office in New York) in the same time zone.

2. Provide 24-hour operation for our incident response center CERT-GIB, and eliminate night shifts in Moscow.

3. Work with the local police on the problems of countering Russian cybercrime.

The Internet has no borders and the business is out of the politics

After the first several months, we repaid all the expenses of opening the representative office. When the minimum plan was completed we started with common commercial activities. Of course, it’s difficult to compete with American giants in the corporate sector. But the first year shows that our service as Russian cybercrime specialists is in high demand. Many potential competitors in the USA became our partners.

Russians can be wary of Americans and vice versa. But I personally think that all of this is just prejudice and a lack of education. Businessmen have already understood that the Internet has no borders and business is outside politics. We are also beyond these borders.

Yuri: By the way, back to the previous question: can you confirm that there are really that many Russians in cybercrime?

Ilya: We divide Russian cybercriminals into Russian citizens and Russian-speaking citizens of former SU countries. But in any case, I can say that there are quite a lot of Russian hackers. It can be explained by a good technical education and the hard years of the 90s, when many people lost their honesty and generosity. But Russia does not stand out against all other countries. There are a lot of hackers in the US, China, countries of South Africa. Yes, there are persons of natural gifts in Russia, they can invent new schemes and are good at writing code – that’s a fact. But as for the number of hackers and incidents, the RF is definitely not a leader.

Russian hackers are famous for new schemes

Yuri: What are the Russian specifics in cybercrime?

Ilya: Russians are famous for new schemes. Usually Russians invent new approaches which are then used by all the other hackers: botnets, DDoS attacks, affiliate programs and so on. All of these were invented by Russians. Speaking about now, I can say that we have a unique situation. I call it the “three-headed dragon”: the feeling of impunity, the technical ability to steal and the economic possibility to legalize stolen money. That’s why organized gangs appear in Russia, and it’s difficult to fight them within the legal field.

In the Russian criminal code there is no such concept as “digital evidence”

Yuri: What are the Russian specifics of doing computer forensics?

Ilya: The specifics of the legal system force Russian criminalists to know a lot not only about information technologies but also about legal nuances. It’s quite difficult to work with digital proof if there’s no such concept in the criminal code.

Yuri: Your MSc thesis dealt with creating a mathematical model of a botnet. Can you give more details? Do you use this model in your current work?

Ilya: I’ve composed a methodology for discovering a so-called botnet “mold” from attack logs, the type of malware, and some other parameters which you can get from a Honeynet. This model was developed from 2007 to 2009. It allows comparing the molds of attacks and identifying the attacker’s botnet. Let’s assume that there’s a test purchase of an attack, which will be aimed at our protected resource, and we get a mold. The next time the attack targets any ordinary website, our methodology allows us to check whether it is the same botnet in 90% of cases. When p2p botnets and decentralized C&C appeared, we had to modify the methodology significantly, but in 2009 it helped to solve many crimes linked with DDoS attacks. I know that my methodology is being used in the USA and Germany to investigate similar crimes.

The best protection from DDoS is legal pressure

Yuri: Your company fights against DDoS attacks. What methods do you use?

Ilya: We use our own traffic routing and analysis system with points of presence in India, China, the USA, Germany, Russia and Argentina. For example, we’ve defended one of the largest Russian media outlets from an attack of 24 Gb/s. But I think that the best protection from DDoS is legal pressure. Otherwise, it becomes an arms race.

Yuri: What are your immediate plans with regards to your company? Your solutions?

Ilya: We plan to work more actively in the European, Arabic and Asian markets. Also, we’ll launch channel sales of our software for the protection of financial operations.

I know computer crime agents who cannot prepare a list with the right questions for an expert

Yuri: What do you think every police/private investigator should know about computer forensics?

Ilya: I think that, first of all, every police representative should know that there is such an area as computer forensics and understand what it can do for an investigation. If everybody knows about it, they will have no more questions. I know criminal investigators for murders who solved the most difficult cases with computer forensics. But I also know computer crime agents who cannot prepare a list with the right questions for an expert. Everybody working on any crime linked with information technologies must know about and use computer forensics. Information technologies pierce through all parts of our life. They contain a lot of traces. We should use them for the right things and quickly draw out the necessary information.

We have no goal to threaten anyone with Russian hackers

Yuri: In your interviews, you say the Russian cybercrime market is about 2B while worldwide it is 7B, which makes the Russian market one of the biggest shares in the world. How did you calculate the figure?

Ilya: We have been doing this job for a whole year. Performing computer investigations, we gather information about cybercriminals’ accounts in different payment systems. Considering the largest players, statistics and mathematical modeling, we get an approximate evaluation of the whole market. It’s important that the information is based on real accounts – only after that do we use the math. We get similar info from our partners all over the world. All of it underlies the research, and in March of the current year we publish the report for the last year. We should admit that analysts re-check the information and use new sources every year. We understand the responsibility in publishing numbers, that they can be used for political fights. But we have no goal to threaten anyone with Russian hackers. First of all, we want to explain that there are world-scale problems, not just a competition of “who is first and who is second.”

Development of computer forensics in Russia has only just started

Yuri: In your opinion, what is the current state of computer forensic science in Russia? Of legal computer forensic practices?

Ilya: The average evaluation is 5 points out of 10 across the whole country. There are special cases, such as our lab and some governmental labs, which can compete with the most advanced Western facilities. But they are just exceptions to the rule. On a country-wide scale, the development of computer forensics has only just started. The legislation needs many serious improvements. For example, we need to add the concept of “digital proof”, define the procedure for gathering digital proofs, etc. There’s also a need to toughen the criminal code in terms of computer crime. Now malefactors don’t feel any serious responsibility.

Yuri: How can you explain the fact that it is so big?

Ilya: I cannot say that computer forensics is well developed in our country. In many regions, it’s just in the first stage. But I can admit positive moments. The government clearly understands the importance of this area and has started investing in labs and experts’ education.

Yuri: I was actually speaking about the cybercrime market size… Anyway. What are the specifics of the Russian legal system and practice?

Ilya: It’s difficult to speak about any specifics because our system doesn’t differ much from the worldwide one. No special school has formed in Russia in the area of computer forensics. Our experts always carefully study world trends, trying to adopt the best practices and improve them. In some cases, we definitely lag behind our Western colleagues, but we manage to decrease this lag little by little.

Yuri: I’ve heard that in one case a police investigator went online on a suspect’s computer two weeks after arresting that suspect, and still the evidence found on this computer was accepted by a court. In the US this situation would lead to a total invalidation of all evidence from such a computer.

Ilya: Frankly speaking, I am hearing of this for the first time. It seems to be a sole precedent and a demonstration of a weak understanding of the specifics of computer crime. In other cases, this kind of action would lead to the rejection of the proofs.

Customers often don’t believe that a computer criminal can be caught

Yuri: Are there any obstacles to selling services like yours?

Ilya: The main obstacle is that people often don’t believe that computer malefactors can be caught. Quite often they don’t even go to the police, where they can get free help. What can we say about a commercial service, then? Nevertheless, the situation is changing little by little. The media have started to pay attention to computer crime. Materials about the basics of cybersecurity have started to appear, along with stories about the police identifying and arresting the next malefactor group. This allows changing social opinion and destroying the myth of the unstoppable hacker. When people finally understand that the offender can be successfully identified and brought to justice, computer forensics in Russia will advance in strides.

The problem with clouds is the absence of synchronization of international legislation

Yuri: Cloud computing is becoming very popular now. The more data is in the cloud, the less data is on a suspect’s computer, right? Do you think that digital investigation itself is going to become much more difficult due to the implementation of the cloud idea? How does this reflect on your company?

Ilya: Behind any cloud, there are servers and computers. That’s why computer forensics only needs to be ready for a growing amount of data. The only thing that gets in the way is the absence of synchronization of international legislation. Law-enforcement agencies cannot get “legal access” to any cloud. As for our company, we have not experienced any difficulties with clouds. Honestly, the job has become even easier.

More crimes are being solved with the help of social networks

Yuri: The same question about social networks, which are displacing the usual evidence such as mailboxes, chats, etc.: does this make investigations more difficult?

Ilya: It’s not a secret that the number of solved crimes has grown because of social networks. It’s the same for us. Social networks bring huge possibilities for analysis and search. As for computer forensics, I’ve noticed no problems with Russian networks.

Yuri: What do you like most about computer forensics? Less?

Ilya: Computer malefactors always leave traces. I love computer forensics for the possibility of finding cause and effect within the different stages of an incident. I don’t like that the computer is bad for my eyes.

Yuri: What forensic resources do you regularly read? What would you recommend to others?

Ilya: I benefit from my position in the company, so I get interesting articles, printed out by analysts after prior selection. If there were no such service, I’d use and

The Russian government clearly understands the importance of this area and has started investing in labs and experts’ education

Yuri: What do you see as major trends in cybercrime? Globally and in particular, in Russia?

Ilya: Superprofits. The interest of traditional criminals in computer crime. Misunderstanding of the sharpness of the problem by the major part of society. This is true for Russia and the entire world.

Yuri: Please give us some projections of what we will see in computer forensics over a 5-year perspective.

Ilya: Considering the rate of growth of Internet speed and the amounts of information being processed, I want forensic systems to increase their speed and to be ready for huge data arrays in so-called clouds.

Yuri: How many kids do you have?

Ilya: There are no kids yet, but I want to have a son in the near future.

Yuri: How do you spend your free time?

Ilya: Sport, reading, tea, coffee, and cinema.

Yuri: How many hours of sleep do you usually have?

Ilya: Usually 6-7 hours.

Yuri: What is your favorite vacation spot?

Ilya: I’m not sure yet. I try to explore new places every year.

I hold a first-class rank in swimming

Yuri: Do you do any sports? Which one? What is your preference in watching professional sports?

Ilya: I hold a first-class rank in swimming. Also, I go in for fitness and some martial arts.

Yuri: When did you have your last vacation? A real vacation, without any Internet and calls from your colleagues or customers?

Ilya: Samui Island – Kingdom of Thailand.

Yuri: Great, this is also one of my favorites. Do you have a dream?

Ilya: Yes, but a Russian proverb says that I should not speak about my dream or it will not come true. That’s why I won’t tell you about my big dream. Apart from that, I want to play the guitar and go horse riding to the sites of Civil War battles.

Yuri: Guitar is something I can help with! (smiling) Thank you for your interview, Ilya!

Interview with Tolga Gonenli

Tolga Gonenli is a well-known conference organizer, whom we met at the first EuroForensics conference. He now organizes EMEA Intelligence, the only intelligence and surveillance technologies conference in the region. It is very interesting to learn what goes on behind the curtains of conference preparation. Today Tolga shares his experience regarding that.

Tolga Gonenli graduated from the University of Massachusetts, Amherst, with a degree in Political Science. Following his graduation he went back to his homeland, the Republic of Turkey, where he excelled in running international trade shows for different employers and sectors, finally becoming one of the coordinators of CeBIT Eurasia, the largest ICT exhibition in the EMEA region.

His career allowed Tolga to analyse the current ICT sector in the region, which led him to discover the need for specialized conferences in forensic sciences and intelligence technologies.

Tolga is now the managing partner of A.T. Strategies (ATS), a company which represents many international companies in counter terror technologies, lawful interception, and forensics. ATS, together with its partnering company Komtera Technologies, organizes an annual event by the name EMEA Intelligence: International Intelligence and Surveillance Technologies Conference and Exhibition in Turkey.

Tolga Gonenli, managing partner of A.T. Strategies

Yuri: Tolga, please briefly describe your current occupation.

Tolga: I am the managing partner of ATS Consultancy, which organizes the only intelligence & surveillance technologies conference and exhibition in the EMEA region, namely ‘EMEA Intelligence’, and also represents major international defense, detection, forensics and surveillance equipment and infrastructure companies, especially in the Republic of Turkey.

Yuri: What did you major in at university?

Tolga: I majored in Political Science at the University of Massachusetts, Amherst. I did a one-year exchange at the University of Heidelberg in Germany within the social sciences department, adding the European perspective to my education.

I believe in boutique events with subject matter focus

Yuri: You are a successful event organizer. Why did you decide to organize forensics conferences?

Tolga: I used to be one of the coordinators of a major IT gathering for the entire region, including Turkey. My personal assessment of the event/exhibition business is that the era of major events which umbrella over a gross number of topics is coming to an end. I believe boutique events with a subject matter focus, housing both a conference and an exhibition under the same roof and enabling the user to interact with the experts speaking at the conference, are going to be the future of this business.

The regional market indicated that the EMEA region did not have an international IT security and/or security IT event at the time. We started with a forensics focus, later to evolve, with the feedback coming from both the end-users and the vendors, into an intelligence and surveillance event. I believe our business can easily be categorized under the topic of ‘Homeland Security’.

An organizer has to understand the needs of both end-users and vendors

Yuri: What features do you think you have which help you to be that successful in conference organization?

Tolga: An event organizer has to understand the needs of the end-user as well as the vendor in the region. I seek and receive feedback from both these players in the market and construct the following year’s event accordingly. The major feature of personal success and the success of any conference and/or exhibition is flexibility and market compatibility.

Yuri: I have attended only two conferences that combined computer and medical forensics in one. One of them was EuroForensics. Why did you decide to couple these two branches of forensic science?

Tolga: Bringing digital & medical forensics together under one roof did not prove to be a successful model, and received much criticism. We therefore took a different route and created a digital-only content event by the name of ‘EMEA Intelligence’.

Tolga Gonenli and his conference

Yuri: To what extent is it complex to organize a conference of this size? What is the most complex thing to solve?

Tolga: The most complex part of any event is attracting the right portfolio of international visitors.

Turkey is the best location here for information flow

Yuri: Why Turkey? Is it just because you are from there or is there some major idea behind choosing this country?

Tolga: Turkey is indisputably the best location for information flow in the EMEA region. The social and political standing and future vision of Turkey signal a regional leadership of all information flow, bridging west to east, south-east, and north-east.

Yuri: What is the most challenging part of organizing a conference? And, vice versa, what is your reward?

Tolga: The challenge is to attract the right portfolio of international visitors, who also possess the buying and/or decision-making power. The reward is the sustainable network created around the event.

Yuri: How do you measure conference success?

Tolga: The answer is three-fold; a successful event is:

  1. Where the vendor attending the event meets their prospective buyer, and receives information about future projects & tenders.
  2. Where the vendors find suitable and sustainable partnerships in the region, enabling them to coordinate their sales and services in countries abroad.
  3. Where the visitors learn about the future vision of the vendors, are able to share their current problems, and find new technologies, which may address their issues.

We try to visit as many conferences as possible

Yuri: Do you visit other conferences of this kind? Do you improve based on such experience?

Tolga: We try to visit as many conferences as possible of similar backgrounds to improve our vision, leading up to the best possible service for the attending vendors as well as visitors. We also ask our network to give us feedback based on their experience attending other events, and what they believe would increase their value/return from their participation in EMEA Intelligence.

Yuri: What would you recommend to a person who’d like to organize a brand new conference in their country? What are the major fiducial points?

Tolga: One would have to contact all concerned parties within their own country, and gather information as to what their needs are regarding their operational mission & vision. Analysis of this information is fundamental to the success and sustainability of the event, which will unavoidably benefit both the vendors and the visitors attending the event.

Yuri: What forensic resources do you regularly read?

Tolga: I follow

Yuri: What do you see as major trends in forensic conferences? More or less interest, more or less visitors/exhibitors of any kind, etc?

Tolga: We believe the major trends are counter-intelligence, lawful interception, image and video analysis, homeland security, and forensic accounting.

Yuri: How old are you?

Tolga: 31

Yuri: How many kids do you have?

Tolga: None

Yuri: How do you spend your free time?

Tolga: Sports

Yuri: How many hours of sleep do you usually have?

Tolga: 6

Yuri: What is your favorite vacation spot? What is the most unusual place you have ever been to?

Tolga: Maine, USA. Unusual is in the eye of the beholder.

Yuri: Do you do any sports? Which one? What is your preference in watching professional sports?

Tolga: Waterpolo, Martial Arts & Golf

Yuri: When did you have your last vacation? A real vacation, without any Internet and calls from your colleagues or customers?

Tolga: Exactly 12 months ago.

Yuri: Do you have a dream?

Tolga: You will hear about it in 6 months to 1 year time frame.

Yuri: Very intriguing! Thanks, Tolga, for your interview!


Interview with Alan Kakareka

In our interview with Almantas (or Alan) Kakareka, Founder and CTO of Demyo, Inc., he speaks on the malware threat and Russians.

Almantas is an InfoSec consultant to businesses around the globe and the founder and CTO of Demyo, Inc. He has over 10 years of IT security-related experience. His areas of expertise are vulnerability assessments, threat intelligence and penetration testing. Almantas has a Master of Science degree in Computer Science from Florida International University and certifications such as CISSP, GSNA, GSEC and CEH.

Alan Kakareka, InfoSec consultant, Founder and CTO of Demyo, Inc.

Yuri: Alan, please briefly describe your current occupation.

Alan: My current occupation is the same as it has been for the last 10 years or so. I work in the InfoSec field, currently in the VA, Pen Test and threat intelligence areas. In the past I have worked in probably every InfoSec field possible, i.e. memory analysis, HDD forensics, network forensics, source code auditing, threat modeling, and reverse engineering, just to name a few. Check it out

All good things come to those who wait

Yuri: How did you become involved in the computer security field?

Alan: My grandma was working in the IT department at some university back then. One day preschool was closed or something, so she took me to her job. I was 6 years old back then and it was 1985. I saw a computer with a black background and green letters and I fell in love… Since then all my attention became electronics- and IT-focused. Back then computers were insanely expensive, and I was visiting friends who had them, and computer clubs, to get my hands on them.

After many years of frustration the day came and my parents bought me a computer for my 13th birthday. The luckiest day of my life! I got some kind of ZX Spectrum clone with a Z80 processor, which ran at 3.5 MHz. I had to use a cassette player to load data from the cassette tape, and to my biggest fear at the end I used to get “R Type Loading Error”. A few years later I bought my first PC; it was a 386SX with 4 megabytes of RAM IIRC and a monochrome VGA monitor, and I started sitting at this computer day and night, day and night.

My parents became worried about my health and my grades at school, so my father started to take my mouse with him when he went to sleep. Well, it solved only one problem – my bad knowledge of shortcuts, thanks daddy! After a couple of days I got caught again in front of the computer at night, and this time the mouse and keyboard were gone. Bad days had come, but there was a solution: buy another mouse and keyboard from my friend. Voilà! Another couple of nights of happiness.

Are you still here? Patience please, the answer to this question is coming (smiling). All good things come to those who wait. So my parents called up some friend who put a BIOS password on the system, and my good days were over. This was my first InfoSec project. I had to figure out how to remove it. You have to remove the BIOS battery, and that usually resets all BIOS settings to their defaults. Now it seems very easy, but back then it took me quite some time to figure out how to remove the BIOS password.

All I knew was “hello”, “goodbye” and “give me some more beer”

Yuri: Do you have any related education?

Alan: My bachelor’s is in electrical engineering, so if you need your bulbs changed at the office please call me (smiling). I got my EE degree from Kaunas University of Technology, which is located in Lithuania. After moving from Lithuania to the USA back in 2003 I was looking for a job for a long time without any success, to my greatest disappointment. I started working crappy jobs all over and investing all my other free time into IT, just like years before.

One night I read a post on some forum; the guy was in essentially the same situation and he put it like this: “I didn’t get the job I wanted until I got a degree from a US university”. That was it; I drove to Florida International University the next morning to ask about the programs they had. I had to pass an English test, do my bachelor’s evaluation and the GMAT test. Needless to say, being born and raised outside of the USA, English was not my native language. All I knew was “hello, goodbye, and give me some more beer”. Ok, that’s a joke. So I got my Master of Science in Management Information Systems.

Yuri: Please describe your working day.

Alan: A short version would be: “wake up, solve problems, go to sleep”.

Alan and Intel are in very close relations!

Yuri: When you get to work, what do you do first?

Alan: I start reading my email, and that’s how my job starts.

I go to sleep when I’m done, not when I’m tired

Yuri: What do you do most of the time? Are there days when you work 14 hours or longer?

Alan: Oh yeah, a lot of those days. If I have a project that just has to be done, I’m eager to get it done. I go to sleep when I’m done, not when I’m tired.

Yuri: What do you like most about your job? Least?

Alan: In general I like InfoSec because it is something new every day. Typically I get bored pretty fast, but InfoSec keeps my interest up all the time. There are new exploits every day, new ways to attack and defend every day, new twists in forensics every day. What I don’t like much is report writing, but oh well, many times the report is the only deliverable to the client, so it has to be pristine. And I’m getting better at it; I used to write the report at the end, now I start early and fill in all the blanks as I go from the very beginning.

Yuri: How did you start your company?

Alan: I wanted to have my own team for a long time. A good time came up about 2 years ago and here we are.

Yuri: What are the most common projects your company works on?

Alan: Pen Testing, Vulnerability Assessments and Threat Intelligence.

Our customers come first and I really mean it

Yuri: What is special about your company?

Alan: Our customers come first and I really mean it.

Yuri: What is the most interesting thing a customer has ever said about your company or your solutions?

Alan: “I didn’t know Russians are able to do good work.” People in the USA confuse me for a Russian all the time, probably because of the accent.

Yuri: What is it about your company that you are proud of?

Alan: Aside from our customers being priority number one, I’m proud of our work environment for our employees. We don’t have directions on what OS, what programming languages, what tools have to be used and so on. Invent your own OS or programming language, for God’s sake. There is only one goal − to get the job done beyond expectations and on time.

Yuri: I remember your talk at HackersHalted in Miami, where you gave an excellent overview of various Russian h4x0r resources. Do you use them in your investigations? Were you successful in penetrating the closed areas of such resources? Did it really help?

Alan: Every Russian hacker forum has closed sections; usually there are 4 sections in total. Level 0 would be a public section where everybody can read and write messages; it is indexed by search engines and so on. Some forums require you to register an account with them to be able to see level 0, but it is free and quick, so it’s a no-brainer. To get into the 1st access level you need to be on the forum a little bit and write some useful posts; after 50–200 posts, depending on the forum, you will be granted the 1st level automatically. To get into the 2nd level you need to share some “good info”, some databases or what not, to become a known and trusted persona with good feedback. To get to the 3rd and most interesting level you basically have to commit a crime, and then others will vote on you.

I was on and off Russian hacking forums for a long time

Yuri: Why have you chosen to become an expert in Russian cybercrime?

Alan: I was on and off Russian hacking forums for a long time; I like to go there and see what is new in this arena. At one of my past jobs we had a breach our team had a hard time solving. I went to the Russian underground and was lucky enough to find some hacker posting just about our incident. That gave a great deal of insider information about what happened. That case struck me, and since then I try to find information for my clients and cases in the underground. For a company it is so much cheaper to know what’s happening in the underground that relates to the company and take action against it. The issue is many companies don’t want to spend much money on proactive security, even if it’s 10 times cheaper to do so beforehand; they just spend millions afterwards, when all the bad publicity is on the news and the data is lost.

I wish I could speak Chinese

Yuri: Why Russian? Just because of language?

Alan: Language is one of the factors, I speak Russian and that helps, I wish I could speak Chinese as well (smiling).

Yuri: Are there really that many Russians in cybercrime?

Alan: Many of them; as an example take a look at one of many Russian hacking and cracking forums – It has 2 million messages and 115,000 users. There are many more open and hidden forums with their own hidden sections.

Yuri: What are the Russian specifics in cybercrime?

Alan: Russians are typically after money, whereas the Chinese are mostly after information, blueprints or trade secrets. It does not mean they can’t switch, but those are the common approaches taken by them.

Yuri: Do you often have work connected to Russian cybercrime?

Alan: All the time.

Yuri: What is the most famous Russian-made malware?

Alan: Probably ZeuS; it’s all over the Internet with its many plugins and many ways to exploit browsers. Some time ago the ZeuS source code leaked, and a lot of new malware was created based on it. Many clones and modified versions of ZeuS are in the wild now.

Alan investigates threats of beer in Malta.

Yuri: Some time ago I interviewed Pasquale Stirparo, who says the future of malware is mobile malware. What do you think of this statement?

Alan: I couldn’t agree more. Mobile devices are much less defended; a typical desktop or laptop has all the resources to exercise defense in depth, i.e. it has an antivirus engine on it 24/7, has the resources to send syslogs to a SIEM almost in real time, has the resources for full disk encryption, tons of space locally and the CPU to do a million things at any moment.

It is easier to attack mobile devices

Mobile devices, on the other hand, are limited in resources; they can have AV running on them 24/7, but it will slow the device down considerably and drain its battery, and this practice is not used 9 times out of 10. That’s why it is easier to attack mobile devices: they are less protected. One more thing: it is annoying to type in complex, long passwords on mobile devices, so they typically have much easier passwords.

Yuri: Are the Russians already doing something like this? The Chinese? Americans?

Alan: I have no doubt everybody who has the skills to do it does that :)

Yuri: Ilya Sachkov from Group-IB thinks that the problem in Russia is insufficient laws, which do not even have a notion of digital evidence. Do you agree?

Alan: It is insufficient laws; one more thing we have to remember is that it’s not enough just to write a law: that law should make sense, be in the best interest of the public and be enforced.

Yuri: What computer forensics or security resources do you regularly read? What would you recommend to others?

Alan: Other than constantly reading Russian hacking forums, I like to read papers on, and I also follow the full-disclosure mailing list.

Yuri: What do you see as major trends in cybercrime? Globally and in particular, in Russia?

Alan: As one of your questions mentioned mobile malware, that is probably the case: the Internet is getting more and more mobile, more smartphones, more various networks are being widely deployed (4G LTE, WiMAX, and others), and even cars are in the works to be constantly connected to the Internet.

Yuri: You are an author of the Computer Security Handbook. What was your motivation to write it?

Alan: I just want to share my knowledge and ideas with others.

Yuri: Everyone knows it is very hard to complete a book. Whom do you recommend it to, which readers?

Alan: I recommend it to everybody who wants to upgrade their skills and prosper in InfoSec. I didn’t write the whole book; I’m a co-author with many other great folks (smiling). This book has many interesting topics, and covers a wide array of technologies and techniques. The second edition is coming out in early 2013, and it will have even more topics.

I’m 4!+9

Yuri: How old are you?

Alan: I’m x years old, where x = 4!+9

Yuri: Do you do any sports? Which one? What is your preference in watching professional sports?

Alan: I like basketball the most; however, if it’s the final of any sport I try to watch it.

I dream the Retina display will have an anti-glare screen

Yuri: Do you have a dream?

Alan: I dream the MacBook Pro with Retina display will have an anti-glare screen option sometime in the future.

Yuri: What music do you like?

Alan: I like psytrance. Sesto Sento is one of my favorite groups.

Yuri: Thanks for your really amusing interview, Alan!