Alessandro is an unbelievable talent in the DFIR world; I look forward to anything he writes, whether on his own site, over on The DFIR Report, or on social media.
He knows his stuff, and I don’t just say this because he writes at The DFIR Report, who in my head are like the secret service of DFIR, akin to the SAS or Navy SEALs, the best of the best writing about DFIR. He is also a THREE-TIME Lethal Forensicator at SANS across GCFA & GASF.
SANS Lethal Forensicator Coins
Hundreds of SANS Institute digital forensics students have mastered the concepts and skills, beat out their classmates, and proven their prowess. These are the elite, the recipients of the SANS Lethal Forensicator Coins, awards given to a select few among the thousands of students who have taken any SANS DFIR courses.
GIAC Advanced Smartphone Forensics (GASF)
The popularity of mobile devices in our work and personal lives has become increasingly broad and complex. The volume and type of data that these devices carry, such as contact lists, email, work documents, SMS messages, images, internet browsing history and application-specific data, make them important for the individual who carries the device and allow for a rich source of data for forensic examinations.
GIAC Certified Forensic Analyst (GCFA)
The GCFA certifies that candidates have the knowledge, skills, and ability to conduct formal incident investigations and handle advanced incident handling scenarios, including internal and external data breach intrusions, advanced persistent threats, anti-forensic techniques used by attackers, and complex digital forensic cases. The GCFA certification focuses on core skills required to collect and analyze data from computer systems.
The DFIR Report
They are a group of volunteer analysts who investigate and report on cyber intrusions.
They also offer multiple services such as C2 tracking and more.
In line with what I am finding in DFIR with everyone I speak to, they are the nicest people in cybersecurity. I genuinely think that of all parts of cybersecurity, DFIR has the nicest bunch of people, with a real camaraderie and an “in this together” attitude and vibe, and Alessandro fits this too: a great guy and lovely to speak with.
How did you get started in Hacking, DFIR, Cybersecurity?
First and foremost, I want to thank you for inviting me to this interview.
My professional career began quite some time ago. I didn’t get my first computer until I was about 16 years old, which was later than most people. Even the ability to browse the Internet arrived “late”, a few months after I purchased the PC. During this time, all I could do was explore the operating system, trying to figure out why certain things happened when I pressed an icon or opened a terminal. I became more enthusiastic as I experimented. I began to wonder, “How can I accomplish this? How am I going to do that? How can I connect two computers without using the Internet? How can I make the other computer perform actions on my behalf?” And the frenzy of learning certain concepts literally invaded me. The turning point came when the Internet was finally installed in my home, and I won’t deny that I felt lost. I had no idea where to begin, no idea “how” to begin, and no idea “what” to look for. After I got the hang of it, I began lurking in some IRC channels (oh, how I miss IRC)! It was the ideal location for being insulted 😀 . Attending those channels was my first introduction to “hacking” topics, despite the fact that I dislike the term.
I began by doing some penetration testing assignments before moving on to work as a Principal Security Consultant for a well-known company in Italy, providing Threat Intelligence services. The more penetration testing I did, the more I convinced myself that because I knew how to do “potentially bad things,” I should know where to look if someone needed to figure out “what bad things” had happened to a computer system. I realized then that the world of DFIR was one I wanted to master. Today, I do DFIR in the areas of “response” to a computer incident and expert witness service. What I enjoy most about this job is the genuine possibility of assisting people in need, whether due to ransomware or a specific charge.
Big fan of your CTF write-ups; what other things do you do to keep your skills up?
I’ve lost track of how many CTFs I’ve completed, and I can’t tell you how stupid I was not to have written writeups for each of them. I believe I was affected by the classic imposter syndrome. In any case, I don’t think staying current today is as difficult as it was 10 or 12 years ago. Many well-known people share their expertise through blog posts, articles, and books. As I always tell my younger colleagues, this job unfortunately necessitates a great deal of good will in terms of staying current and being willing to make time to do so. Personally, I try to attend as many CTFs as possible (family obligations permitting), I try to contribute to the DFIR/Threat Intel community by actively collaborating with The DFIR Report, and I experiment a lot in my personal lab. These “experiments” are nothing more than simulating scenarios encountered during my work and attempting to determine whether I could have done better in some area or discovered more information by analyzing a specific artifact that I was previously unaware of. This is something I try to do almost everywhere, from analyzing a compromise to analyzing a smartphone in legal contexts.
The DFIR Report is fast becoming one of the main places people go to for in-depth write-ups of real attacks and intrusions; I know I learn something from every article. How did you get involved with them?
I am delighted that our content and articles contribute to the spread of knowledge in the community and are actually useful. I had the pleasure of beginning to collaborate with them nearly two years ago, in the early stages of the project. I saw on Twitter that the guys were looking for help because they were swamped with data to analyze and decided to apply. Fortunately, they appeared to enjoy it and decided to begin this collaboration.
In respect of DFIR, what are the main skills you wish you had learnt earlier than you did?
Good question.
The answer is not simple because, if you think about it, every new discovery and skill you learned could have been critical in previous situations. Furthermore, beyond the purely technical aspect, I learned to value the ability to have the empathy required to deal with situations that are extremely stressful for your client. Knowing how to pose correctly is a skill and a fundamental requirement for this job.
I was reading you used to do Penetration Testing before making the jump to DFIR, what made you want to focus more on this section of Cybersecurity?
As I previously stated, after several years in the world of penetration testing, I felt compelled to concentrate on something that could assist me in detecting and investigating what I was doing with the offending part. Again, the desire to assist people who may be in “unpleasant” situations won out.
Do you still dabble in Penetration Testing?
Without a doubt!!! In my opinion, knowing Penetration Testing/Red Teaming is essential for attempting to excel in DFIR, so I cannot afford to relax in this area either. Obviously, I can’t devote as much time to it as I did a few years ago, but when I can, I participate in a few bug bounty programs (public and private).
With regards to CTFs, do you do many, and if so, whereabouts?
CTFs have always been fascinating to me. With limited time, I’ve decided to take part in the Cellebrite one, Magnet Forensics, and the everlasting SANS Holiday Challenge, all of which I enjoy.
I don’t deny that I’d like to find the time to organize some of DFIR’s CTFs myself someday.
Do you use any sites like TryHackMe and HackTheBox?
I started playing with HackTheBox a long time ago but never finished it. Instead, I never attempted to use the TryHackMe service.
Is there any aspect of DFIR you haven’t done much of and would like to learn and get into more?
That is an excellent question. The impostor syndrome frequently takes over here as well, causing me to constantly research new concepts and novel artifacts on various operating systems. In general, I would like to advance my DFIR knowledge of the Cloud world, particularly Azure. For years, the world has been moving in this direction, and mastering Digital Forensics concepts applicable to the Cloud world has proven to be a must-have. Because the subject is so broad, there will be a lot of research.
What are the plans for 2023?
I have a lot of plans for 2023. I’d like to continue actively contributing to the community, both with the guys at TheDFIRReport and, more importantly, with something of my own, specifically a series of courses with an exclusively technical focus aimed at helping both people new to this field and those with some experience. I would also like to serve as a mentor to anyone who needs to be followed more consistently or who simply needs someone to talk to.
I’m also working on a couple of top-secret projects, so we’ll see what comes of it.
Give a follow on the socials:-
- Alessandro Twitter – https://twitter.com/samaritan_o
- Alessandro Website – https://www.dfirblog.com/
- The DFIR Report Twitter – https://twitter.com/TheDFIRReport
- The DFIR Report Website – https://thedfirreport.com/