F3 – The First Forensic Forum

‘F3 – The First Forensic Forum’, founded in the late 1990’s when forensic computing was still in its infancy, is a non-profit organisation with one specific goal which is reflected in our mission statement – “F3 exists to provide an open forum for all forensic computing practitioners, to enable them to share their collective knowledge through discussion and training”.

The F3 Committee and its members strive to ensure that F3 remains focused on that aim and concentrates primarily on the forensic examination of bits and bytes. It has no politics and no hidden agendas. It is also important to note that F3 does not seek to align itself with or endorse any service or product.

Regardless of whether you are involved in law enforcement, defense, or the private sector, everyone involved in forensic computing is equally welcome to join F3. There are no restrictions on membership other than that as a member you must be actively employed in the industry either as a forensic IT practitioner, expert or thought leader.

The annual membership fee is GBP65 per organisation per location (so one organisation spread across two sites is required to pay GBP130 per year). This allows ALL forensic members of that organisation to have access to facilities and events provided by F3. The subscription year commences on 6th April each year. At the time of writing (April 2007) F3 has a membership in excess of 1,000 individuals who are actively employed in more than 230 organisations in the UK and overseas.

Get The Latest DFIR News!

Top DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

In a typical year F3 will run four or five one-day workshops, each with a delegate fee ranging between GBP20 to GBP25 per person. F3 also holds an Annual Conference in October or November which we aim to deliver for a delegate fee in the region of GBP160-GBP170 per person, excluding accommodation. The speakers who present at the training days and the Annual Conference are themselves almost always members of F3 (or indeed, associated with one). Speakers are practicing in their particular field of expertise and true to the spirit of F3 they will usually share their knowledge voluntarily. (If you are interested in speaking please e-mail a member of the committee with your details and your application will be jointly considered by the committee). All training material used for the training days and the Annual Conference are hosted on the F3 website (subject to the speakers permission). Access to this material is limited to the membership.

The F3 Committee members are themselves forensic practitioners and are subject to nomination and election each year by the membership. They are not paid a salary and receive no ‘special treatment’. They are required to volunteer their personal or professional time to run F3 and organise all of the events for the following year. Frequently, members of the committee will present at training days.

Contrary to popular belief, F3 does not have a Press Office, an Accounts Department, an IT Section, a clerical assistant, a board of directors, or anything else remotely like that. Each member of the committee does ‘their bit’ mostly from their homes throughout the year to aid in the running of F3.

For more information and e-mail addresses visit www.f3.org.uk. If you are interested in joining F3 submit an e-mail stating your forensic capabilities and involvement to Steve Buddell [email protected] and Lindy Sheppard [email protected]

We hope to see you at our next event!

Warm Regards

The F3 Committee

Leave a Comment

Latest Videos

Quantifying Data Volatility for IoT Forensics With Examples From Contiki OS

Forensic Focus 22nd June 2022 5:00 am

File timestamps are used by forensics practitioners as a fundamental artifact. For example, the creation of user files can show traces of user activity, while system files, like configuration and log files, typically reveal when a program was run. 

Despite timestamps being ubiquitous, the understanding of their exact meaning is mostly overlooked in favor of fully-automated, correlation-based approaches. Existing work for practitioners aims at understanding Windows and is not directly applicable to Unix-like systems. 

In this paper, we review how each layer of the software stack (kernel, file system, libraries, application) influences MACB timestamps on Unix systems such as Linux, OpenBSD, FreeBSD and macOS.

We examine how POSIX specifies the timestamp behavior and propose a framework for automatically profiling OS kernels, user mode libraries and applications, including compliance checks against POSIX.

Our implementation covers four different operating systems, the GIO and Qt library, as well as several user mode applications and is released as open-source.

Based on 187 compliance tests and automated profiling covering common file operations, we found multiple unexpected and non-compliant behaviors, both on common operations and in edge cases.

Furthermore, we provide tables summarizing timestamp behavior aimed to be used by practitioners as a quick-reference.

Learn more: https://dfrws.org/presentation/a-systematic-approach-to-understanding-macb-timestamps-on-unixlike-systems/

File timestamps are used by forensics practitioners as a fundamental artifact. For example, the creation of user files can show traces of user activity, while system files, like configuration and log files, typically reveal when a program was run.

Despite timestamps being ubiquitous, the understanding of their exact meaning is mostly overlooked in favor of fully-automated, correlation-based approaches. Existing work for practitioners aims at understanding Windows and is not directly applicable to Unix-like systems.

In this paper, we review how each layer of the software stack (kernel, file system, libraries, application) influences MACB timestamps on Unix systems such as Linux, OpenBSD, FreeBSD and macOS.

We examine how POSIX specifies the timestamp behavior and propose a framework for automatically profiling OS kernels, user mode libraries and applications, including compliance checks against POSIX.

Our implementation covers four different operating systems, the GIO and Qt library, as well as several user mode applications and is released as open-source.

Based on 187 compliance tests and automated profiling covering common file operations, we found multiple unexpected and non-compliant behaviors, both on common operations and in edge cases.

Furthermore, we provide tables summarizing timestamp behavior aimed to be used by practitioners as a quick-reference.

Learn more: https://dfrws.org/presentation/a-systematic-approach-to-understanding-macb-timestamps-on-unixlike-systems/

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_i0zd7HtluzY

A Systematic Approach to Understanding MACB Timestamps on Unixlike Systems

Forensic Focus 21st June 2022 5:00 am

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...