This article is a recap of some of the main highlights from DFRWS EU which took place at the University of Lausanne, Switzerland, from the 29th-31st of March 2016.
Conference HighlightsÂ
The conference began with a discussion of virtual currencies by André Fischer, Jakob Hasse and Thomas Gloe from dence GmhH. The speakers covered public perception of virtual currencies, particularly the idea of cryptocurrencies providing a theoretically “free” and international form of currency that is virtually untraceable. They focused primarily on Bitcoin, giving an overview of its usage to date and a demonstration of how the setup works.
Following on from this was a discussion of evidence exchange between courts in Europe. Mattia Epifani and his colleagues presented the work they have done so far on the EVIDENCE project, which helps the European Commission with issues surrounding data exchange across borders. Addressing the concerns of law enforcement agencies, corporations and individual practitioners, it aims to redefine the status quo and bridge the gap in the collection, use and exchange of digital evidence within Europe.
The remainder of the first day was taken up with workshops, which were divided into tracks, with options including Microsoft Exchange forensics, Plaso Parser, Tranalyzer and Windows Event Log analysis.
The main conference began on Wednesday 30th with a keynote from Eoghan Casey and David-Olivier Jacquet-Chiffelle, who spoke about the challenges of digital forensic investigations and how they fit into forensic science as a whole. Casey summed it up in a useful soundbite:
"Forensic science is a complex and sometimes messy situation – it’s the real world, and some things can’t be modeled." – Eoghan Casey #DFRWS
— Forensic Focus (@ForensicFocus) March 30, 2016
A particularly interesting part of the discussion looked at the concept of subjective versus objective analysis. In scientific fields generally, the latter is seen to be the most useful way of solving a problem or concluding an investigation; however, as Jacquet-Chiffelle pointed out, it is not always quite that simple.
"Good intuition is also part of scientific reasoning – it is important to remember that." – David-Olivier Jacquet-Chiffelle #DFRWS
— Forensic Focus (@ForensicFocus) March 30, 2016
After the morning break was a session concerned with memory forensics. Arkadiusz Socala demonstrated automatic profile generation for live Linux memory analysis, and this was followed by a presenter from BlackBag Technologies who demonstrated pool tag scanning for Windows memory analysis, and compared the tool against well-known alternatives such as Volatility and Rekall.
Oren Halvani spoke about authorship verification, the goal of which is to define who wrote a given document, usually in cases where it is suspected that two documents were written by the same author, despite apparent evidence to the contrary. Modelling the writing style of the author(s) involved was put forward as the best way to do this, and Halvani then demonstrated how this is achieved and extended across different languages and genres of text.
The next subject of discussion was RAID assembly. Christian Zoubek presented his research into reconstructing RAID content from single disks, or from disk images. Following this, Ludovic Staehli spoke about the analysis of drug trafficking on the dark net, and talked through various investigative methods. The presentation included a demonstration of how various branches of forensic science can work together effectively on investigations; in this case, digital, chemical and physical traces were being analysed.
The next subject of discussion followed on nicely from the dark net drug trafficking demonstration, with representatives from the School of Criminal Justice talking about how they use internet forums to monitor the online trafficking of drugs.
Mattia Epifani then took to the stage with a presentation of how to uncover Windows 8 artefacts and secrets, including an overview of default user accounts and how Windows Vaults can be decrypted with open source software to uncover useful evidence.
Windows Vaults allow users to store sensitive info; however, they can be decrypted with open source software #DFRWS https://t.co/I6pL3lyQAt
— Forensic Focus (@ForensicFocus) March 30, 2016
The final session of the day was devoted to data acquisition, with Shahad Saleem from Pakistan’s National University of Science and Technology presenting a case study for tool selection in mobile device forensics. This was followed by a lively discussion of cold-boot attacks on scrambled DDR3 memory, and how they are still working even with modern technological advances.
The day ended with a gala dinner, including the legendary “forensics rodeo” challenge, along with the best paper award. This year’s forensics rodeo winners were a joint team from Arxsys, RealityNet and a variety of other companies:
The last day of DFRWS EU kicked off with a fascinating presentation of the forensic analysis of drones, by Zeno Geradts from the University of Amsterdam. Once again the topic of needing to link various forensic sciences together came up, and Geradts also pointed out that there have been huge developments in information storage in recent years, including a process for storing massive amounts of digital data in microscopic DNA strands.
The ever popular topic of data triage was next on the agenda, with Ben Hitchcock addressing the problem of backlogs in forensic investigations and underlining that the problem is only getting bigger as time goes on.
Over 50 billion WhatsApp messages were sent per minute in 2014, and this is only growing – data triage in cases is a challenge! #DFRWS
— Forensic Focus (@ForensicFocus) March 31, 2016
Hitchcock also pointed out that it is important to not overlook the impact backlogs can have on suspects and their families, adding that if it takes two years to solve a case, that is two years of a person who may not be guilty being put through a huge amount of mental strain.
Noora Al Mutawa from the University of Central Lancashire (UK) gave an interesting presentation on how behavioural evidence analysis can be used in cyber stalking investigations. Al Mutawa championed a multidisciplinary approach, in which forensic psychology and digital forensics can work hand in hand to solve cases more quickly and effectively.
Hans Henseler then presented Digital Evidence Dashboard – a combined project with Adrie Stander from Cape Town University – and this was followed by Claudia Mena discussing how to analyse data from Orweb anonymiser on Android devices.
The following session, chaired by Mark Scanlon from University College Dublin, discussed cloud forensics, including the forensic analysis of cloud-native artefacts and conducting investigations of multi-user environments through session-to-session internet history analyses.
Demonstration of acquisition scripts for Dropbox & Google Drive currently under way at #DFRWS – interesting presentation on cloud forensics.
— Forensic Focus (@ForensicFocus) March 31, 2016
The conference concluded with a lively discussion concerning likelihood ratios, with very diverse viewpoints within the room about the usefulness and accuracy of likelihood ratios in forensic investigations.
The next DFRWS conference will be held in Seattle, WA from the 7th-10th of August 2016. The next European chapter of the conference will be held in Lake Constance, Germany from the 21st-23rd of March 2017. Anyone interested in attending either conference should consult the official website for details.