Interview Solal Jacob (DFF)

First, let’s start with a short résumé: Solal, who are you and what is DFF?

My background is that of a "classic" geek, not very good at school because I dedicated a lot of my time to my PC, discovering Linux, until I was able to study computing. As I was interested in computer security and had already practised it a lot, I joined the security lab of my college during my first year. I also taught attack and prevention techniques to students of a master's programme near my college. Then, during my fourth year at college, which I spent in China, we had to develop a project with my project group (the current ArxSys team). We decided to develop a framework dedicated to forensics, which has today become DFF. DFF is a tool which allows you to do end-to-end digital investigation. You can use it in several contexts such as the analysis of computer attacks, fraud, theft... everything around digital crime.

What made you decide to jump into such a specific domain as forensics?

During my studies, I was very interested in computer security and one day, playing a little on the school’s PCs with a friend, I noticed that, at that time, all the RAM content was accessible through "/dev/mem" and I was able to retrieve the password I used to log in to my X Window session. I started to look at this topic more deeply and that’s how I discovered "forensics". I bought some books covering this topic and discovered that there was not a lot of software dedicated to forensics. The main products were commercial products, very expensive, which were unaffordable for me. A little while later, I had to choose an end-of-studies project: it was obvious to choose a security project and, as I was interested in forensics, after discussion with a few friends, we chose forensics as a subject. Shortly after, our school informed us that IRCGN (a French police criminal research agency) was looking for a group of students to address a forensic problem.
As we wanted to develop modular software in order to be able to answer several kinds of problems, we jumped in, and part of the team worked to develop this part of the software in order to answer IRCGN's questions. During that time, we met real experts in this domain (a little different from the TV ones) and the various exchanges helped us to understand the needs and problems of this particular area of computer security.

Last year Paul Rascagneres came to speak about malware reverse engineering with free software, but free software is not the first choice in forensics or reverse engineering. As DFF's original creator and main developer, what pros and cons do you see in creating and using free software in those areas? Is it a pragmatic or a militant choice to develop and distribute DFF under a free licence?

The forensics area is very specific because it is strongly linked to law. As will be explained during my talk at RMLL, normally during a trial, scientific evidence has to meet the ’Daubert standard’ to be admitted. This standard sets a number of rules that open source software follows better than proprietary software. It is clear that when you have to be sure of your software, being able to verify its behavior is a must. For my part, choosing open source is neither a pragmatic choice nor a militant choice. It is simply obvious: I only use free software, and using it on a day-to-day basis allowed me in the past to discover computing and system behavior, thanks to source code availability. So it is obvious to me that when I develop software it will be open source. Today it is rather the opposite that would be a problem, because for me it is proprietary software that is "abnormal". It would be very difficult for me to use it, and even more so to do it under a proprietary OS. I remember that when DFF was packaged and accepted for the first time in Debian, it was a great moment for me and the team.
I really want to thank Pierre Chifflier for the packaging :)

ArxSys has existed since 2009. Can you tell us what influence basing your company on free software has had: creating the company, finding customers, reception by the market and by potential partners? For example, you received an award at the Assises of Security in 2010, among other solutions and appliances that were almost all proprietary.

Choosing free software as a business model is a very specific choice that is not well understood, in France particularly. Free software brings quite a lot of exposure during the first years because freedom helps the project to spread quickly, allowing people to use and test it. We are able to quickly build a large user community, which is particularly true for the forensics market, where users have a strong attachment to their tools and sometimes do not move easily towards new tools or do not have the budget to test them. Unfortunately, in France, for most CIOs, free is as in beer and not as in freedom. Being able to look at the code is not a major point. When we say that our software is open source, they think "it’s free, my teams are going to test it". But it is hard to understand for us that what my company is selling is services for this software. A lot of work has to be done with top-level managers in order to educate them on this point, to be able to turn users into customers.

We also have to say that for public companies and services, the situation is quite different. They are much more aware of open source questions and, beyond the fact that they also see financial reasons to choose open source, they also appreciate that the code is free, for the transparency it gives them (fear of backdoors) and for the fact that they contribute to the project. It is the same in the academic world, where our tool is much appreciated and already integrated in many courses all around the world.
For the Assises event in 2010, I really think that the opinion ("avis") of Herve Schauer, a strong advocate of free software in security, was very important and I really want to thank him for that. He was one of the first to identify DFF as an emerging project. That is proof that he keeps an active watch and that he understood very early that forensics, at that moment almost unknown in France, was one of the future emerging markets for security companies. During this event, freedom was a key factor. Most of the people there are CSOs, and those with a technical background often appreciate open source solutions for the quality of the code provided. But for most of them it remains complicated; we need to work a lot to convince them.

RMLL is quite different from all other security conferences (SSTIC, NSC, CanSec, Hack.lu) in that it is a generalist conference with several technical topics (security, system administration, development, Internet) but also non-technical topics (privacy, medicine, education, etc.). What are you expecting from your talk and workshop? And from your presence at RMLL?

My talk and my workshop will try to present DFF and forensics to the attendees, which I hope will be useful to those who are discovering it. Maybe I will have the chance to motivate people to contribute to the project. Like all other software, we have technical questions to address. The DFF architecture is special and we hope we will be able to adapt it in the future (replace the binding generation currently done through "SWIG", write our own type-parsing library instead of using "magic", etc.) because we have problems to solve such as huge data volumes or large computer networks to analyze. Talks on other topics will therefore be interesting and, I think, informative for me. I would also like to exchange with other people on more general topics, because that is also the idea behind freedom. Thanks!
Thank you very much, Solal, and see you on the 8th of July 2013 in Brussels :)

Interview done by email by Christophe Brocas, Security topic co-chairman.