Papers & Presentations

Papers and presentations will be posted to this page on a regular basis.

Last Update –  March 16, 2014

My ERP got Hacked, an Introduction to Computer Forensics

My ERP got hacked, an Introduction to Computer Forensics (Parts I and II)


“The System Administrator knew something was wrong when he saw there was an additional user account on the Web-based Enterprise Resource Planning (ERP) system that he administered. He kept the system updated and patched, but he now suspects that the system has been hacked and compromised. Now, as a computer forensic investigator, you will have to find out if there was any unauthorized access, how it happened and what was the extent of the damage”.

That was the introduction to “My ERP got hacked, an Introduction to Computer Forensics“, a series of two articles published on the issues 4/2009 and 5/2009 of the prestigious IT security magazine Hakin9. Based on the scenario described above and using an image of a Windows 2003 server that is available on the Internet (more details on the first article), this series will guide you throughout the methods, techniques and tools used to identify, collect, preserve an investigate the digital evidence found during the course of a computer forensic investigation. To do so, you are given specific instructions on how to setup a combined Linux/Windows forensic laboratory environment that will allow you recreate and do the hands-on exercises described in both articles. Do you want to play the role of a computer forensic investigator and find out what happened and what was the extent of the damage?

Thanks to the Hakin9 team (especially to my friend Ewa Dudzic) and the readers that selected my articles as the best in the latest issues, these are now available for download from the Hakin9 website. I have also been authorised to post them on my website, so here they are:

My ERP got hacked, an Introduction to Computer Forensics – Part I  (PDF – 688 KB)

My ERP got hacked, an Introduction to Computer Forensics – Part II  (PDF – 1 MB)

I can’t resist to mention that I received a very positive feedback from many readers, especially from Hakin9’s proofreaders. These were some of their comments:

  • This is a very well written computer forensics article. It is well suited for our readers – IT Security Professionals”.
  • “About first one, I think that the best quality is that it’s very well written, I mean, easy and clear to read, very easy to understand. I think that the topic is quite interesting too, because most of articles explain some techniques about how to hack, but not many about how to defend. I do believe that we should encourage this way of research […] Congratulations to the writer because 29 pages were not long”
  • “It gives a lot of information and an step-by-step guide to forensic investigation, and the fact that they provide a real environment (win2003 image) to do a hands-on-lab, makes the article even more interesting.”
  • “I haven’t finished the article yet but I’m completely loving it. Very understandable plus there are vms included so labs can be done to further one’s study of the material.”

But it was even more encouraging to see that Harlan Carvey, the author of the popular book “Windows Forensic Analysis“, referred to my article on his own blog! In his review of the issue 5/2009 of the magazine, he wrote:

“Something that’s very interesting (and validating) about this edition is Ismael Valenzuela’s “My ERP got hacked – An introduction to computer forensics, pt II” article. Not only does Ismael make use of RegRipper, but he also walks through some techniques for parsing data (i.e., Event Logs/.evt files, IE browser history/index.dat file, etc.) in forensic analysis…very cool stuff, indeed! While Ismael’s article does not explicitly develop a timeline, there are some data collection and analysis techniques illustrated in the article that are pretty spot on and very useful.”

Hope you enjoy this reading as much as I’ve enjoyed writing it 😉

[IN]Secure Magazine - Issue 11

Integrating ISO 27002 into your Software Development Lifecycle

(IN)SECURE Magazine

In this paper, published on the 11th issue of INSECURE Magazine (May 2007), I explain how information security controls can be integrated in the Software Development Lifecycle (SDLC) using ISO/IEC 17799 (now ISO/IEC 27002). The article includes a summary table linking specific clauses in the standard to SDLC phases starting from the risk assessment stage, prior to drawing up security requirements, and continuing right through development, testing and operations to system disposal at the end of its life.

Thanks to Mirko Zorz, INSECURE’s Chief Editor, for publishing my work and thanks to all the colleagues in the security community that have reviewed my article and posted positive comments on their websites. Just to mention a few:

  • Gary Hinson, the brains behind well known sites like, made a short review of the article and included it on the Links section of his ISO 27001 security website. Thanks Gary!
  • Jose Manuel Fernandez, a fellow countryman made also an entry on his blog; this one in Spanish. Thanks mate 😉
  • Javier Ruiz and Agustin Lopez, included my article in the ISO 27000 Guidelines section of their website. They have even asked me to record a podcast on section 12 of the Standard, but haven’t found the time so far, so sorry for that chaps. I own you one!

To download my article only, instead of the full issue click here.

If you happen to find a review somewhere else or want to send me your comments on it, you are welcome!


Catching “Bayas” on the Wire: Practical Kung-Fu to Detect Malware Traffic (pdf ) – in English & Spanish

The slides from my talk at the SANS European Forensic Summit held in October 2013 in Prague, are available both in English and Spanish (presentación de SANS Spain con One eSecurity el 23 de Enero de 2014). An updated version of this talk was presented in a BrightTalk Webinar on March 11th 2014 and can be viewed here.

Catching Bayas on the Wire: Practical Kung-Fu to Detect Malware Traffic (PDF – 9,1 MB)

Atrapando Bayas en la Red (descarga desde el sitio de One eSecurity)

BrighTalk Webinar

Últimos avances en Análisis Forense de sistemas Android (pdf ) – in Spanish

The slides for my talk on Android Forensics at the Symposium for Android Security held in Málaga on April 13th, 2012. More info on my post.

Últimos avances en Análisis Forense de sistemas Android (PDF – 3,8 MB)

When Prevention Fails: Extending IR and Digital Forensics to the Corporate Network (pdf ) – in English

The slides from my @night talk at SANS Boston (August 12th, 2011). More info on my post.

When Prevention Fails, Extending IR and Digital Forensics Capabilities to the Corporate Network (PDF – 6,2 MB)

Network Security Monitoring (pdf ) – in Spanish

Presentation given at the 8th edition of the “Martes Tecnológicos Informando” held at FORMAN facilities in Malaga’s Business Park on May 11, 2010. Slides are in Spanish. Further information can be found on FORMAN’s website.

NSM: Network Security Monitoring (PDF – 11,4 MB)

Windows Forensics Analysis (pdf and mov) – in Spanish

Presentation given at the 3rd FORMAN Security Workshop held at Malaga’s Business Park on April 16, 2008. Slides are in Spanish. A mov file is also available in case you want to watch the presentation in the iPod.

Análisis Forense de un Sistema Windows (PDF – 1,6 MB)

Análisis Forense de un Sistema Windows (MOV – 3,98 MB – 640×480 )