Today we have an exclusive interview for LxA with Francisco Nadador, a specialist in computer forensics who is passionate about computer security, hacking and penetration testing. Francisco graduated from the University of Alcalá de Henares and now runs Complumatic, which teaches courses on security topics and offers security services to companies.
He completed a Master's degree (Open University of Catalonia) in computer security, specializing in two areas, forensic analysis and network security, for which he received a Matrícula de Honor (the highest distinction), and he later became a member of the National Association of Computer Judicial Appraisers and Experts. As he will explain to us, he was awarded the Cross of Investigative Merit with a White Badge for his professional career and research, an award also won by Chema Alonso, Angelucho, Josep Albors (CEO of ESET Spain) and others.
LxA: Please explain to our readers what forensic analysis is.
Francisco Nadador: For me it is a science that tries to answer what happened after a computer security incident in a digital scenario, answers to questions like: What happened? When did it happen? How did it happen? And what or who caused it?
LxA: From your position and experience, do cybercrimes as serious as those elsewhere occur in Spain as frequently as in other countries?
FN: Well, according to reports published by the EU that are in the public domain, Spain is at the bottom of the innovative countries, along with the rest of the countries in the southern area; these are studies that compare the research and innovation performance of the EU member countries. This probably causes the number of security incidents here to be significant and their typology diverse.
Companies run risks on a daily basis, but contrary to what it may seem, that is, that they come from their exposure to the network, they are risks that are usually caused by the weakest link in the chain, the user. Dependence on devices, and the number of them in use, grows all the time, which opens up a considerable security breach. A study I read recently said that more than 50% of security incidents were caused by people (workers, ex-workers, etc.), costing companies many thousands of euros. In my opinion there is only one solution to this problem: training and awareness, and greater certification in ISO 27001.
As for cybercrimes, applications such as WhatsApp, ransomware (lately called cryptolocker), of course the virtual currency bitcoin, vulnerabilities of various kinds left without a convenient patch, fraudulent payments on the Internet, the "uncontrolled" use of social networks, etc., are the ones that have occupied the first positions in the rankings of telematic crimes.
The answer is "YES": in Spain cybercrimes occur that are as serious as in the rest of the EU member states, and more frequently.
LxA: You received a Matrícula de Honor for the final project of your Master's. What's more, you got an award... Please tell us the whole story.
FN: Well, I am not very fond of awards or recognitions, the truth is. My motto is effort, work, dedication and insistence: be very persistent to achieve the objectives you set for yourself.
I did the Master's because it is a subject I am passionate about; I finished it successfully and from then until now I have dedicated myself to it professionally. I love computer forensic investigation, I like to search for and find evidence, and I try to do it with the most rigorous ethics. The award is nothing important, just someone thought that my final Master's project deserved it, that's it; I don't give it more importance. Today I am much more proud of an online course on computer forensics that I developed after finishing it, which is now in its second edition.
LxA: What GNU/Linux distributions do you use day to day? I imagine Kali Linux, DEFT, Backtrack and Santoku? Parrot OS?
FN: Well, you have named a few, yes. For pentesting Kali and Backtrack; Santoku for forensic analysis on mobile; and DEFT or Helix for forensic analysis on PCs (among others), although they are frameworks, all of which have tools to perform other tasks related to pentesting and computer forensic analysis. But there are other tools that I like and that have a Linux version, such as Autopsy, Volatility, tools like Foremost, TestDisk, PhotoRec; in the communications part, Wireshark; to collect information, Nessus and Nmap; to exploit in an automated way, Metasploit; and the Ubuntu live CD itself, which allows you to boot a machine and then, for example, search for malware, recover files, etc.
LxA: What open source tools are your favorites?
FN: Well, I think I got ahead of myself with the answer to this question, but I will go into something else. To do my work I mainly use open source tools; they are useful and allow you to do the same things as those that require a paid license, so, in my opinion, the work can be performed perfectly well with these tools.
Here the Linux frameworks take the jackpot, I mean, they are wonderful. Linux is the best platform for deploying forensic analysis tools; there are more tools for this operating system than for any other and all of them, or rather the vast majority, are free, both free of charge and open source, which allows them to be adapted.
On the other hand, other operating systems can be analyzed without any problem from Linux. The only drawback, perhaps, is that it is a bit more complex to use and maintain, and also, since they are not commercial, they do not have continuous support. My favorites, as I said before: DEFT, Autopsy, Volatility, and some more.
LxA: Could you tell us a little about The Sleuth Kit... What is it? Applications?
FN: Well, I have already talked in a way about these tools in the previous points. It is an environment for performing computer forensic analysis; its logo is "the hound dog", although in the latest version the dog looks like it has a worse temper, to tell the truth.
The most important link in this group of tools is Autopsy.
They are file system and volume tools that allow the examination of computer forensic images from different types of platforms in a "NON-INTRUSIVE" way, and this is the most important thing given its significance in forensics.
It can be used in command line mode, in which case each tool is executed separately in a terminal environment, or also, in a much more "friendly" way, through the graphical environment, which allows an investigation to be carried out simply.
LxA: Can you do the same with the live CD distro called HELIX?
FN: Well, it is another of the frameworks for forensic computer analysis, also multi-environment, that is, it analyzes forensic images of Linux, Windows and Mac systems, as well as images of RAM and other devices.
Perhaps its most powerful tools are Adept for device cloning (mainly disks), AFF, a tool for forensic analysis related to metadata, and of course! Autopsy. Besides these it has many more tools.
The downside: its professional version is paid, although it also has a free version.
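To make concrete the "non-intrusive" point from the Sleuth Kit answer and the disk cloning mentioned for Helix, here is an added example that is not part of the interview nor of any of the tools named: a POSIX shell routine that acquires a raw image with dd and records SHA-256 hashes of source and image, so that later analysis can be shown to have worked on an unmodified copy. The "device" is a constructed sample file so the script runs offline; on a real case the source would be a block device behind a write blocker, and the log would go into the chain-of-custody record.

```shell
#!/bin/sh
# Added example (not from the interview or from Helix/The Sleuth Kit):
# raw acquisition with dd plus hash verification of the resulting image.
# Assumptions: GNU coreutils (dd, sha256sum) on Linux; the source here is a
# constructed sample file standing in for a block device such as /dev/sdb.

# acquire_image SRC IMG LOG
# Copies SRC to IMG sector by sector, hashes both and appends the hashes to LOG.
# Returns 0 only if the hashes match.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    # bs=512 matches the sector size; conv=noerror,sync keeps reading past bad
    # sectors and zero-fills them so every later sector keeps its original offset.
    dd if="$src" of="$img" bs=512 conv=noerror,sync status=none 2>>"$log" || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s  source=%s\n%s  image=%s\n' "$src_hash" "$src" "$img_hash" "$img" >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMG EXPECTED_HASH
# Re-hashes IMG (for example before each analysis session or on handover)
# and returns 0 only if it still matches the hash recorded at acquisition.
verify_image() {
    img="$1"; expected="$2"
    actual=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Stand-alone demo on a constructed 32 KiB "disk" (64 sectors of random bytes).
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/evidence.bin" bs=512 count=64 status=none
    if acquire_image "$work/evidence.bin" "$work/evidence.dd" "$work/acquisition.log"; then
        echo "acquisition OK"; cat "$work/acquisition.log"
    else
        echo "hash mismatch: image is not trustworthy"
    fi
    rm -rf "$work"
}
demo
```

The second function is the one that matters in court: every time the image is opened (in Autopsy, Volatility or anything else) its hash is recomputed and compared with the one written at acquisition, which is what lets the analyst state that the examination did not alter the evidence.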
LxA: TCT (The Coroner's Toolkit) is a project that was replaced by The Sleuth Kit. Do you continue to use it then?
FN: TCT was the first of the toolkits for forensic analysis; tools such as grave-robber, lazarus or findkey made it stand out, and for the analysis of old systems it is more efficient than its predecessor, a bit like what happens with Backtrack and Kali: I still use both, for example.
LxA: Guidance Software created EnCase, paid and closed, and it is also not available for non-Windows operating systems. Do the free alternatives really make up for this type of software? I believe that practically all needs are covered by free and open projects, or am I wrong?
FN: I think I have already answered this: in my modest opinion NO, it does not compensate, and YES, all the needs for performing computer forensic analysis are covered by free and open projects.
LxA: Referring to the question above, I see that EnCase is for Windows, and also other tools like FTK and X-Ways for forensic analysis, but also many other tools for penetration testing and security. Why use Windows for these topics?
FN: I would not know how to answer that question with certainty. In at least 75% of the tests I carry out I use tools developed for Linux platforms, although I recognize that there are more and more tools developed for these purposes on Windows platforms, and I also recognize that I put them to the test and sometimes use them too, yes, as long as they belong to free-to-use projects.
LxA: This question may be somewhat exotic, to call it something. But do you think that, to present evidence in trials, only evidence produced by open source software should be valid and not closed software? Let me explain: one could be very suspicious and come to believe that proprietary software has been created that provides erroneous data in some sense to exonerate someone or certain groups, and there would be no way to review the source code to see what that software does or does not do. It's a bit twisted, but I'm asking you to give your opinion, to reassure me or, on the contrary, to join this opinion...
FN: No, I am not of that opinion. I mostly use free software tools, and in many cases open ones, but I do not think that anyone develops tools that provide erroneous data in order to exonerate anyone, although it is true that recently some programs have appeared that deliberately offered wrong data; it was in another sector and I think it is the exception that proves the rule. Really, I don't think so. Developments, in my opinion, are done professionally and, at least in this case, they are based exclusively on science, on evidence treated from a scientific point of view. Simply, that is my opinion and my belief.
LxA: A few days ago, Linus Torvalds claimed that total security is not possible and that developers should not be obsessed with it and should give priority to other features (reliability, performance, ...). The Washington Post picked up these words and was alarmed because Linus Torvalds "is the man who has the future of the Internet in his hands", due to the number of servers and network services that work thanks to the kernel he created. What is your opinion?
FN: I absolutely agree with him: total security does not exist. If you really want total security on a server, turn it off or disconnect it from the network, bury it, but of course then it is no longer a server. Threats will always exist; what we must cover are the vulnerabilities, which are avoidable, but of course they must first be found, and sometimes it takes time to carry out this search, or others do it for obscure purposes.
However, I believe that technologically we are at a very high point in system security; things have improved a lot. Now it is the user's awareness, as I said in previous answers, that is still green.
LxA: I imagine that cybercriminals make it harder every time (TOR, I2P, Freenet, steganography, encryption, Emergency Self-Destruction of LUKS, proxies, metadata cleaning, etc.). How do you act in these cases to provide evidence in a trial? Are there cases where you can't?
FN: Well, it is true that things are more and more complex, and there are also cases in which I have not been able to act; without going any further, with the famous cryptolocker, clients have called me asking for my help and we have not been able to do much about it. As is known, it is a ransomware that, taking advantage of social engineering (once again the user is the weakest link), encrypts the content of the hard drives, and all computer security professionals, the scientific units of law enforcement, security suite manufacturers and forensic analysts, we are not able to tackle the problem, yet.
To the first question, how do we act to bring these issues to trial: well, as we do with all evidence, I mean, with professional ethics, also with sophisticated tools, knowledge of science, and trying to find the answers to the questions that I stated in the first question, forgive the redundancy. I do not find a difference; what happens is that sometimes these answers are not found.
LxA: Would you recommend that companies switch to Linux? Why?
FN: I would not go that far, I mean, I think that if I have something free of a license that provides me with the same services as something that costs money, why spend it? Another question is whether it provides me with the same services, but it does. Linux is an operating system that was born from the perspective of network services and offers features similar to the rest of the platforms on the market; that is the reason many have selected it as their platform to offer, for example, a web service, FTP, etc. I certainly use it, and not only for forensic distros but also as a server in my training center. I have Windows on my laptop because the license comes with the device, but even so I run a lot of Linux virtual machines.
In answer to the question, Linux costs nothing, there are an increasing number of applications that run on this platform, and more and more development companies are making products for Linux. On the other hand, although it is not free of malware, the number of infections is lower, and this, together with the flexibility the platform gives you to adapt like a glove to your needs, gives it, in my opinion, enough strength to be the first choice of any company. Most important of all, everyone can audit what the software does, not to mention that security is one of its strengths.
LxA: At present there is a kind of cyber warfare in which governments also take part. We have seen malware such as Stuxnet, Stars, Duqu, etc., created by governments for specific purposes, as well as infected firmware (for example, Arduino boards with modified firmware), "spy" laser printers, etc. Not even the hardware escapes this: modified chips have also appeared that, in addition to the tasks for which they were apparently designed, include other hidden functionality, etc. We have even seen somewhat crazy projects such as AirHopper (a kind of radio-wave keylogger), BitWhisper (heat-based attacks to collect information from the victim), malware capable of spreading by sound, ... Am I exaggerating if I say that not even computers disconnected from any network are safe any more?
FN: As I have already commented, the safest system is the one that is turned off, and some say locked in a bunker; well, if it is disconnected I think it is quite safe too, but that is not the question. I mean, in my opinion the question is not the number of existing threats; there are more and more interconnected devices, which implies a greater number of vulnerabilities and computer attacks of various kinds using, as you have well expressed in the question, different cracks and attack vectors. But I think we must not focus the issue on disconnecting to be safe; we must focus on securing all services, devices, communications, etc. As I have already mentioned, although it is true that the number of threats is large, it is no less true that the number of security techniques is no less great. What we lack is the human factor, awareness and security training, nothing more, and our problems, even connected, will be fewer.
LxA: We finish with your personal opinion, as a security expert, of these systems; could you also tell us which are the hardest to secure and in which the most security holes are found:
FN: Regarding the million-dollar question, which system is the safest, the answer was given before: none is 100% secure when connected to the network.
Windows's source code is not known, therefore nobody knows exactly what it does or how it does it, except its developers of course. Linux's source code is known and, as I said, security is one of its strengths; against it is that it is less friendly and there are many distros. As for Mac OS, its strong point is its minimalism, which translates into productivity; it is an ideal system for beginners. For all these reasons, in my opinion the most difficult to secure is Windows, even though the latest studies reveal that it is the one with the fewest vulnerabilities, well, except for its browser. In my opinion, it makes no sense to claim that this or that operating system is more or less vulnerable; all the factors affecting it must be taken into account: vulnerabilities, installed applications, its users, etc. Once all of the above has been taken into account, I believe that systems should be hardened with all kinds of security measures; in general, and applicable to any system, hardening could be summarized in these basic points:
- Updates: always keep the system and all applications that use the network up to date.
- Passwords must be adequate, I mean, with a minimum of 8 characters and a large dictionary.
- Perimeter security: a good firewall and an IDS would not hurt.
- Do not have open ports that do not offer an active and updated service.
- Make backup copies according to the needs of each case and keep them in safe places.
- If you work with sensitive data, encrypt it.
- Encrypt communications as well.
- Training and awareness of users.
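As an added example for the "no open ports without an active, updated service" point, and not something from the interview: a shell function that takes the output of `ss -Hltn` (listening TCP sockets, without the header line) on stdin and an allowlist of expected ports, and prints every listening port that is not on the list. The sample `ss` output below is constructed so the script runs offline; on a live host you would pipe the real command into it and feed the allowlist from your service inventory.

```shell
#!/bin/sh
# Added example (not from the interview): audit listening TCP ports against an
# allowlist of services that are supposed to be exposed.
# Assumptions: iproute2 `ss` with the -H (no header) flag and awk; the sample
# output below is constructed, not captured from a real host.

# unexpected_listeners "PORT PORT ..."  < ss-output
# Reads `ss -Hltn` lines from stdin, extracts the port from the
# "Local Address:Port" column (works for 0.0.0.0:22, [::]:22 and *:22),
# prints each port not in the allowlist once, and returns 1 if any was found.
unexpected_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "State" { next }                 # tolerate a header line if -H was omitted
    {
        port = $4; sub(/.*:/, "", port)    # keep everything after the last colon
        if (!(port in ok) && !seen[port]++) { print port; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed sample of `ss -Hltn` output: sshd and an https service are expected,
# a MySQL listener bound to all interfaces is not.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 *:443 *:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*'

# Stand-alone demo. On a live host replace the printf with:
#   ss -Hltn | unexpected_listeners "22 443"
if found=$(printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 443"); then
    echo "only expected services are listening"
else
    echo "listeners without an approved service: $found"
fi
```

Run it from cron or a configuration-management check and treat a non-zero exit as a finding: each reported port is either a service that should be firewalled or bound to localhost, or one that is missing from the inventory and therefore from the update process the first bullet asks for.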
I hope you liked this interview; we will keep doing more. We would appreciate you leaving your opinions and comments...