DIGITAL FORENSIC WAR GAME





0. Your name / nickname :
Ramon Echavarri / ramandi

1. Your country :
Spain

2. Your website :
None. By now I don't feel I have anything interesting to tell. Maybe someday...

3. Your working area and position :
I'm a sysadmin. I work in a small team that manages a broad range of systems, but is not very specialized in any of them. I find it quite funny, since we get a broad vision of the systems, and we can build many of them from the beginning to the end. On the other hand, sometimes I feel I don't really know anything. I guess it's a common problem for many of us... or at least I like to think so.

4. How did you know the real-forensic.com website?
If I remember well, I saw a link in a RoMaNSoFt's tweet (http://twitter.com/roman_soft), a great Spanish hacker that I really admire. He takes part in lots of challenges and since he advertises them, he is a great source to find challenges.

5. Which one among the real-forensic.com questions is most impressive and why?
I find it very difficult to choose one of the questions, not only because I really enjoyed all of them, but because I think the impressions that we get are absolutely biased depending on our previous knowledge. I will not choose one, but I'll say that I love the challenges that require skills from different areas, and even more so if they force me to investigate some protocol or product that I didn't know of.

6. Which one among the questions was most challenging and how did you direct your attention to the right point?
I think the challenges are not designed to mislead the player. Almost always I could see clearly what I had to do, although it was challenging to me to get it done. I didn't have to make hard guesses. The exception for me was level 2 (backdoor), in which I had a hard time guessing what the second file format was, since I was working on a Windows machine and the lack of the file util made me lose some time.

7. You must have had a time when you were eager to kick the admin's butt. When was it?
JAJAJA to be honest... Most of the time!! Mainly around 3 in the morning thinking of my alarm clock ringing at 7 o'clock XDD

8. Do you consider the difficulties and levels of the questions appropriate? If not, which questions are problems?
As I told you, I think the difficulty depends a lot on the player's background, so it's difficult to say. I think they were ok, except for the last one, which shocked me since it could be resolved by using a single tool... I guess that tool might not be available when you created the level.

9. What did you do when you resolved all the questions?
Oh, you know... I sang, laughed, danced... and then I fell asleep, exhausted because of the sleep time lost ;-)

10. Did you solve all the questions by yourself? If you received help from someone/some teams, then who or which team was it and in which part did you get help from them?
I did it by myself. Although I've tried hard to involve some friends of mine in this hobby, I have not succeeded yet.

11. Do you have any question about being involved in season 2? If you have, please let me know.
Just one: when does it begin? I hope I can participate.

12. Is there any problem among the questions on the real-forensic.com website?
I did not find any problem, except for my limited knowledge. Maybe this should answer question 8, but I missed what I think is a more traditional forensic challenge, you know, find the intruder given a disk image and a security breach, creating the timeline...

13. What should we know to settle all the questions and which capabilities do we need?
I think you only need the curiosity to dig in the abstraction layers and wonder how things really work, and of course, Internet to find the answers to the questions your curiosity asks. Of course, all of your previous knowledge and experience is welcome ;-).

14. If you want to reveal a hint for the people trying to answer the questions, what do you want to give them?
Since other players, much wiser than me, stopped at level 7, I would encourage them to try a bit more, bearing in mind that many times the solution is quite simple if you don't intend to create a complete tool, but instead a quick hack.
For everyone, just try it once again. If I could solve it, they certainly can. It's not so difficult, but it takes the time to investigate the issue and find a solution.

15. Please introduce good books or theses about digital forensics to me.
I'm not a forensic investigator, although I like this field a lot since it takes away abstraction layers and digs into the internal working of systems, which I find not only fascinating, but very useful to troubleshoot functional problems, not only security ones. Not being my primary focus, I have only found the time to read 2 books on forensics:
- "Forensic Discovery", by Wietse Venema (who I'm a total fan of) and Dan Farmer. I simply love this book, it's like computer science poetry for me ;-). I feel it's not "about" digital forensics, but it sets the basis for the whole knowledge branch.
- "Analisis Forense Digital en Entornos Windows", by Juan Garrido with the collaboration of Chema Alonso and Juan Luis G. Rambla. It's in Spanish and means something like Digital Forensic Analysis in Windows Environments. I find it much more tool oriented, but very practical and useful. I've had the luck to meet the authors, who are incredibly knowledgeable and incredibly nice people, and they are making one of my dreams come true by involving some Spanish security experts in publishing their knowledge for all of us, so I can only support them with all my heart and I am totally biased when I say it's a must for native Spanish readers ;-).

16. Can you tell me about an episode in your memory about digital forensics or Internet security?
(I'm not sure I have understood this one...) Since my exposure is quite limited I have not been involved in any broad forensic analysis, since we have not had serious security issues yet... or we have not noticed them :-o. To be honest, it would be wonderful to stay like this for a long long time, but I don't think we will be so lucky ;-). By now, since I can only recall others' experiences, I would recommend reading this attack story (in Spanish, sorry):
http://www.securitybydefault.com/2008/10/hackeos-memorables-indonesia.html

17. Please describe your favorite and most frequently used tools.
As I told you, I'm not a forensic analyst, but a system administrator. Among my tasks I like troubleshooting non-obvious problems, and to accomplish it I use tcpdump, the Sysinternals suite and strace a lot.

18. Let me know what you want for real-forensic.com.
(I'm not sure about this one either, so I'll answer whatever I want ;-)) When season 2 is online I would like to read your explanation of the season 1 challenges and your tips for solving them, or even some notes on your internal tools from which there are traces in the challenges ;-). Maybe it could be a meeting point to collaborate on some other tools that you think the community is missing.

19. Finally, please tell me the future and the anticipated issues of the digital forensics area.
I don't feel able to guess from my ignorance, but I would love to see some studies on the persistence of data in different public clouds, similar to the one made in "Forensic Discovery" with zoning in mind, depending on the different duplication technologies used in each cloud (we probably won't since I guess those distributed file systems are top secret). Will the forensic practitioners remain analyzing disk images or will we use the bigger and bigger storage areas and log nearly everything to avoid it? Will the public clouds be opened to external forensics or will there be a regulation for the providers to manage incidents? I really don't know very much about today's forensics, so even less about tomorrow's.

20. ....
I've talked enough... well, much more than enough ;-). I just want to thank you again for your huge effort to provide us such an entertaining and teaching challenge.

Copyright © real-forensic. All Rights Reserved.