DFRWS EU – Recap

This article is a recap of some of the main highlights from DFRWS EU which took place at the University of Lausanne, Switzerland, from the 29th-31st of March 2016.

Conference Highlights 

The conference began with a discussion of virtual currencies by André Fischer, Jakob Hasse and Thomas Gloe from dence GmbH. The speakers covered public perception of virtual currencies, particularly the idea of cryptocurrencies providing a theoretically “free” and international form of currency that is virtually untraceable. They focused primarily on Bitcoin, giving an overview of its usage to date and a demonstration of how the setup works.

Following on from this was a discussion of evidence exchange between courts in Europe. Mattia Epifani and his colleagues presented the work they have done so far on the EVIDENCE project, which helps the European Commission with issues surrounding data exchange across borders. Addressing the concerns of law enforcement agencies, corporations and individual practitioners, it aims to redefine the status quo and bridge the gap in the collection, use and exchange of digital evidence within Europe.

The remainder of the first day was taken up with workshops, which were divided into tracks, with options including Microsoft Exchange forensics, Plaso Parser, Tranalyzer and Windows Event Log analysis.



The main conference began on Wednesday 30th with a keynote from Eoghan Casey and David-Olivier Jacquet-Chiffelle, who spoke about the challenges of digital forensic investigations and how they fit into forensic science as a whole. Casey summed it up in a useful soundbite:

A particularly interesting part of the discussion looked at the concept of subjective versus objective analysis. In scientific fields generally, the latter is seen to be the most useful way of solving a problem or concluding an investigation; however, as Jacquet-Chiffelle pointed out, it is not always quite that simple.

After the morning break was a session concerned with memory forensics. Arkadiusz Socala demonstrated automatic profile generation for live Linux memory analysis, and this was followed by a presenter from BlackBag Technologies who demonstrated pool tag scanning for Windows memory analysis, and compared the tool against well-known alternatives such as Volatility and Rekall.

Oren Halvani spoke about authorship verification, the goal of which is to define who wrote a given document, usually in cases where it is suspected that two documents were written by the same author, despite apparent evidence to the contrary. Modelling the writing style of the author(s) involved was put forward as the best way to do this, and Halvani then demonstrated how this is achieved and extended across different languages and genres of text.

The next subject of discussion was RAID assembly. Christian Zoubek presented his research into reconstructing RAID content from single disks, or from disk images. Following this, Ludovic Staehli spoke about the analysis of drug trafficking on the dark net, and talked through various investigative methods. The presentation included a demonstration of how various branches of forensic science can work together effectively on investigations; in this case, digital, chemical and physical traces were being analysed.

The next subject of discussion followed on nicely from the dark net drug trafficking demonstration, with representatives from the School of Criminal Justice talking about how they use internet forums to monitor the online trafficking of drugs.

Mattia Epifani then took to the stage with a presentation of how to uncover Windows 8 artefacts and secrets, including an overview of default user accounts and how Windows Vaults can be decrypted with open source software to uncover useful evidence.

The final session of the day was devoted to data acquisition, with Shahad Saleem from Pakistan’s National University of Science and Technology presenting a case study for tool selection in mobile device forensics. This was followed by a lively discussion of cold-boot attacks on scrambled DDR3 memory, and how they still work even with modern technological advances.

The day ended with a gala dinner, including the legendary “forensics rodeo” challenge, along with the best paper award. This year’s forensics rodeo winners were a joint team from Arxsys, RealityNet and a variety of other companies:

(c) Bruno Kerouanton 2016

The last day of DFRWS EU kicked off with a fascinating presentation of the forensic analysis of drones, by Zeno Geradts from the University of Amsterdam. Once again the topic of needing to link various forensic sciences together came up, and Geradts also pointed out that there have been huge developments in information storage in recent years, including a process for storing massive amounts of digital data in microscopic DNA strands.

The ever popular topic of data triage was next on the agenda, with Ben Hitchcock addressing the problem of backlogs in forensic investigations and underlining that the problem is only getting bigger as time goes on.

Hitchcock also pointed out that it is important to not overlook the impact backlogs can have on suspects and their families, adding that if it takes two years to solve a case, that is two years of a person who may not be guilty being put through a huge amount of mental strain.

Noora Al Mutawa from the University of Central Lancashire (UK) gave an interesting presentation on how behavioural evidence analysis can be used in cyber stalking investigations. Al Mutawa championed a multidisciplinary approach, in which forensic psychology and digital forensics can work hand in hand to solve cases more quickly and effectively.

Hans Henseler then presented Digital Evidence Dashboard – a combined project with Adrie Stander from Cape Town University – and this was followed by Claudia Mena discussing how to analyse data from Orweb anonymiser on Android devices.

The following session, chaired by Mark Scanlon from University College Dublin, discussed cloud forensics, including the forensic analysis of cloud-native artefacts and conducting investigations of multi-user environments through session-to-session internet history analyses.

The conference concluded with a lively discussion concerning likelihood ratios, with very diverse viewpoints within the room about the usefulness and accuracy of likelihood ratios in forensic investigations.

The next DFRWS conference will be held in Seattle, WA from the 7th-10th of August 2016. The next European chapter of the conference will be held in Lake Constance, Germany from the 21st-23rd of March 2017. Anyone interested in attending either conference should consult the official website for details.
