DFRWS EU – Recap

This article is a recap of some of the main highlights from DFRWS EU which took place at the University of Lausanne, Switzerland, from the 29th-31st of March 2016.

Conference Highlights 

The conference began with a discussion of virtual currencies by André Fischer, Jakob Hasse and Thomas Gloe from dence GmbH. The speakers covered public perception of virtual currencies, particularly the idea of cryptocurrencies providing a theoretically “free” and international form of currency that is virtually untraceable. They focused primarily on Bitcoin, giving an overview of its usage to date and a demonstration of how the setup works.

Following on from this was a discussion of evidence exchange between courts in Europe. Mattia Epifani and his colleagues presented the work they have done so far on the EVIDENCE project, which helps the European Commission with issues surrounding data exchange across borders. Addressing the concerns of law enforcement agencies, corporations and individual practitioners, it aims to redefine the status quo and bridge the gap in the collection, use and exchange of digital evidence within Europe.

The remainder of the first day was taken up with workshops, which were divided into tracks, with options including Microsoft Exchange forensics, Plaso Parser, Tranalyzer and Windows Event Log analysis.




The main conference began on Wednesday 30th with a keynote from Eoghan Casey and David-Olivier Jacquet-Chiffelle, who spoke about the challenges of digital forensic investigations and how they fit into forensic science as a whole. Casey summed it up in a useful soundbite:

A particularly interesting part of the discussion looked at the concept of subjective versus objective analysis. In scientific fields generally, the latter is seen to be the most useful way of solving a problem or concluding an investigation; however, as Jacquet-Chiffelle pointed out, it is not always quite that simple.

After the morning break was a session concerned with memory forensics. Arkadiusz Socala demonstrated automatic profile generation for live Linux memory analysis, and this was followed by a presenter from BlackBag Technologies who demonstrated pool tag scanning for Windows memory analysis, and compared the tool against well-known alternatives such as Volatility and Rekall.

Oren Halvani spoke about authorship verification, the goal of which is to define who wrote a given document, usually in cases where it is suspected that two documents were written by the same author, despite apparent evidence to the contrary. Modelling the writing style of the author(s) involved was put forward as the best way to do this, and Halvani then demonstrated how this is achieved and extended across different languages and genres of text.

The next subject of discussion was RAID assembly. Christian Zoubek presented his research into reconstructing RAID content from single disks, or from disk images. Following this, Ludovic Staehli spoke about the analysis of drug trafficking on the dark net, and talked through various investigative methods. The presentation included a demonstration of how various branches of forensic science can work together effectively on investigations; in this case, digital, chemical and physical traces were being analysed.

The next subject of discussion followed on nicely from the dark net drug trafficking demonstration, with representatives from the School of Criminal Justice talking about how they use internet forums to monitor the online trafficking of drugs.

Mattia Epifani then took to the stage with a presentation of how to uncover Windows 8 artefacts and secrets, including an overview of default user accounts and how Windows Vaults can be decrypted with open source software to uncover useful evidence.

The final session of the day was devoted to data acquisition, with Shahad Saleem from Pakistan’s National University of Science and Technology presenting a case study for tool selection in mobile device forensics. This was followed by a lively discussion of cold-boot attacks on scrambled DDR3 memory, and how they still work despite modern technological advances.

The day ended with a gala dinner, including the legendary “forensics rodeo” challenge, along with the best paper award. This year’s forensics rodeo winners were a joint team from Arxsys, RealityNet and a variety of other companies:

(c) Bruno Kerouanton 2016

The last day of DFRWS EU kicked off with a fascinating presentation of the forensic analysis of drones, by Zeno Geradts from the University of Amsterdam. Once again the topic of needing to link various forensic sciences together came up, and Geradts also pointed out that there have been huge developments in information storage in recent years, including a process for storing massive amounts of digital data in microscopic DNA strands.

The ever popular topic of data triage was next on the agenda, with Ben Hitchcock addressing the problem of backlogs in forensic investigations and underlining that the problem is only getting bigger as time goes on.

Hitchcock also pointed out that it is important to not overlook the impact backlogs can have on suspects and their families, adding that if it takes two years to solve a case, that is two years of a person who may not be guilty being put through a huge amount of mental strain.

Noora Al Mutawa from the University of Central Lancashire (UK) gave an interesting presentation on how behavioural evidence analysis can be used in cyber stalking investigations. Al Mutawa championed a multidisciplinary approach, in which forensic psychology and digital forensics can work hand in hand to solve cases more quickly and effectively.

Hans Henseler then presented Digital Evidence Dashboard – a combined project with Adrie Stander from Cape Town University – and this was followed by Claudia Mena discussing how to analyse data from Orweb anonymiser on Android devices.

The following session, chaired by Mark Scanlon from University College Dublin, discussed cloud forensics, including the forensic analysis of cloud-native artefacts and conducting investigations of multi-user environments through session-to-session internet history analyses.

The conference concluded with a lively discussion concerning likelihood ratios, with very diverse viewpoints within the room about the usefulness and accuracy of likelihood ratios in forensic investigations.

The next DFRWS conference will be held in Seattle, WA from the 7th-10th of August 2016. The next European chapter of the conference will be held in Lake Constance, Germany from the 21st-23rd of March 2017. Anyone interested in attending either conference should consult the official website for details.
