Belkasoft Evidence Center: a View from Spain

© Belkasoft Research

As a digital forensics company, we are constantly striving to get timely feedback from our users in order to identify their needs: the interview below is an example.

Let us introduce Guillermo Román Ferrero, who works as an Incident Response Expert for a Computer Security Incident Response Team. He is also a prolific author with his ‘Follow the White Rabbit’ blog. Mr. Ferrero tried our solution recently and kindly agreed to share his experience and thoughts with us.

What is the source of your interest in digital forensics? What makes it interesting in general, in your opinion?

I started studying digital forensics when I was still at university, with a specific course on the matter. I found it very interesting to be able to investigate what an attacker has done to a system and the different sources of information you can find in any modern computer or almost any other digital system.
Digital forensics requires the mentality of an investigator, the ability to put yourself in the shoes of both the criminal and the victim and to get to know the internals of the analyzed system. In my opinion this is one of the most entertaining jobs you can find in computer security.

Based on this interest, what is your current job role and main responsibilities? What kind of cases do you usually deal with?

My job in a Computer Security Incident Response Team (CSIRT) consists mainly of being able to respond to diverse security issues. Digital forensics, log analysis and correlation, and phishing campaign analysis and monitoring are some of them. For instance, if a machine or a service gets compromised, it is our job to analyze the case and take measures as required.

What is the main technical challenge associated with your professional activities nowadays?

In my opinion the main technical challenge nowadays in digital forensics and, especially, incident response is managing a great number of devices and a wide exposure area. In virtually any company you are going to find attack vectors that evolve every day, and it is increasingly difficult to keep track. Tools such as SIEM and EDR have become indispensable for visibility, leaving behind traditional antivirus and/or IDS solutions.

Comparing investigations with a sort of intellectual quest, what is the main risk of a bad outcome?

It depends on the case. If you are conducting an investigation inside a company, a failed investigation can mean you could not detect the malware that infected a server farm later. Maybe the attackers stole documents, but you could not detect the exfiltration. If you conduct criminal investigations, it could mean the whole case becomes invalidated. This is the reason why you should always try to keep track of the latest attack vectors and have the necessary tools.

What kind of personal qualities should an investigator have to win such a quest, in addition to good soft?

Curiosity and meticulousness are some qualities I could name. The first is necessary, again, to keep track of new tendencies. Also, studying matters that you are not curious about at all is a total pain. The latter is simply necessary in order to do a good job; you must not leave loose ends in an analysis.

How did you get acquainted with Belkasoft? How did it get your attention?

I had heard about Belkasoft while reading articles about different DFIR tools. Also, I had used Belkasoft Live RAM Capturer before. I got to know Belkasoft employees in April when I attended the first Forensics and Security Congress 2019 in Madrid. Maria Khripun gave a very nice presentation on SQLite digital investigation, and I could get a trial license for Belkasoft Evidence Center from you so I could try the product. Later on, I had a conversation with Vladislav Derkach about publishing a review of the product on our page Follow the White Rabbit, which I really enjoyed writing.

What is your main impression regarding Belkasoft?

You are a veteran company that has been creating DFIR products for years. Belkasoft has a solid product base and BEC is evidently a very advanced product. I had also used some other products from you before with the same impression.

And speaking about emotions: what is your predominant emotion while working with Belkasoft Evidence Center?

As I said, BEC gave me the impression of a mature product. I was especially surprised that the tool was really stable and did not freeze at any moment of the analysis, which is a usual issue in some other products when launching a full analysis on an acquired hard drive, for instance. Also, the UX was fairly complete and intuitive, which is another advantage over other solutions.

How do you think BEC would be an advantage in your future investigations?

I think a complete tool that lets you easily keep track of investigations is key. BEC allows you to gather a lot of evidence types in the same spot and quickly compare the proof obtained. The ability to perform remote acquisition and to export a full case into a full-featured viewer program was also very interesting when you work in a corporate environment, where mobility and resource sharing are indispensable.