Aitor Azpiroz

Aitor Azpiroz is a Principal DFIR consultant with One eSecurity, where he leads the DFIR Technical Unit. Along with his work at One eSecurity, Aitor works with the SANS Institute as an instructor of FOR500 and holds a position on the SANS Advisory Board. He has a degree in Telematics Engineering and numerous certifications in Digital Forensics. His goal as a SANS instructor is to teach students to think out of the box—to not simply solve a puzzle by letting a tool do all the work, but to adopt an investigative approach and methodology so that you understand what you are doing and why. Aitor has regularly been invited to speak about incidents and investigations that he was part of or led. He has also appeared in local cybersecurity magazines.

More About Aitor


After finalizing his degree in Telematics Engineering, Aitor wasn’t sure which direction he wanted to take his career. “I started as a developer in a small corporation and soon enough realized that life was not meant for me.” Shortly after, he got the opportunity to join One eSecurity as a junior. “They were specialized in Incident Response and Digital Forensics. Right from the moment I got a glimpse of what DFIR meant, I knew that was exactly what I wanted to do onwards.” For 11 years now, Aitor has been maturing his DFIR capabilities at that same company. “I grew from being a junior analyst to leading the DFIR service. During these years I haven’t stopped traveling around the world—mainly Europe, America and the Middle East—facing complex investigations and incidents that still nowadays excite us every time we are engaged by one of our customers.”

As the leader of the DFIR Technical Unit at One eSecurity, Aitor is responsible for the whole area of DFIR and all the projects related to it. “That means I am supervising all the DFIR services we deliver, including initial stages of incidents, investigation progress and reporting. But also, I ensure the whole team is prepared and trained accordingly to the BCP and our internal standards. Moreover, I am responsible for defining the service catalog, resourcing and recruitment requisites, and the development of roles and responsibilities, internal processes, and policies.”

Aitor finds it hard to just highlight one specific investigation that he is really proud of. “But if I had to point out the best investigation or incident that I’ve been involved in, it would be the attack against the Polish and Mexican financial institutions linked to the Lazarus group in 2017. During that engagement, we developed the capabilities to perform massive deep computer forensic analysis against more than 400 endpoints in less than one month.” He also mentions working together with LEA in the prosecution of one of the biggest cybergangs in Latin America, responsible for stealing dozens of millions of dollars from financial institutions.

Ever since Aitor started in the field of cybersecurity, he has been a SANS student. “Even nowadays, where I consider myself an expert, I still learn from the material provided by SANS.” His teaching philosophy is that whenever you don’t know how something works, you shake it, test it, crash it, until you figure it out. “This is something that we usually observe in the forensics field. Artifacts are not documented; therefore, we understand how things work or get recorded by trial and error.”

That is exactly why, as FOR500: Windows Forensics course Instructor, he never says to his class: ”In order to analyze artifact X, use tool Y.’ There are a few challenges in the forensics field. Aitor highlights facing uncommon situations or non-expected behaviours from operating systems, or the output obtained from tools, which leads to not finding the results you were expecting, or facing situations that might seem impossible at the beginning. “Therefore, I always try to focus my teaching into making the students think outside of the box, not solving a puzzle just by letting a tool do all the work, but with an investigative approach and methodology where they understand what they are doing and why they are doing it.”