Day 1: Tuesday, 21st March 2017

Note: Workshop descriptions at bottom of page

                                                                                                               
8:00-9:00 Registration
9:00-10:30 Workshops: Session I Room Heiligenberg: Forensic Artifacts in Windows 10 Room Überlingen: eMMC Chip off – Benefits and Risks    
10:30-11:00 Coffee Break/Networking
11:00-12:30 Workshops: Session II Room Heiligenberg: Chip-off Workshop Room Überlingen: Building Forensics Tools in Go    
12:30-13:00 Lunch at Conference Hotel
13:00-14:30 Workshops: Session III Room Heiligenberg: Chip-off Workshop Room Überlingen: Building Forensics Tools in Go Room Reichenau: Hands on Introduction to MattockFS Room Mainau: Introduction to Digital Forensic Prolog
14:30-15:00 Coffee Break/Networking
15:00-16:30 Workshops: Session IV Room Heiligenberg: Chip-off Workshop Room Überlingen: Building Forensics Tools in Go Room Reichenau: Hands on Introduction to MattockFS Room Mainau: Introduction to Digital Forensic Prolog
- -
18:00-20:00 Welcome Reception

Day 2: Wednesday, 22nd March 2017

08:00-08:45Registration
08:45-09:00Welcome and Announcements
09:00-10:00Keynote: Freddy Dezeure, Developments in the threat landscape, how to mitigate the risks of targeted attacks?
10:00-10:30Coffee break / Networking
10:30-12:00Session I: Memory Analysis
Chair: Pavel Gladyshev

  • Aya Fukami, Saugata Ghose, Yixin Luo, Yu Cai and Onur Mutlu. Improving the Reliability of Chip-Off Forensic Analysis of NAND Flash Memory Devices | PDF
  • Jan Peter van Zandwijk. Bit-errors as a source of forensic information in NAND flash-memory | PDF
  • Adam Pridgen, Simson Garfinkel and Dan Wallach. Picking up the trash: exploiting generational GC for memory analysis | PDF
12:00-13:00Lunch at conference hotel
13:00-14:00Keynote: Patrick Lodder, 21st Century Bank Robberies: How modern criminals attack financial institutions
14:00-14:30Coffee Break / Networking
14:30-15:30Session II: Training and Processes
Chair: Eoghan Casey

  • Mark Scanlon, Xiaoyu Du and David Lillis. EviPlant: An Efficient Digital Forensic Challenge Creation, Manipulation and Distribution Solution | PDF
  • Felix Freiling and Christian Zoubek. Do Digital Investigators Have To Program? A Controlled Experiment in Digital Investigation | PDF
   
16:00-17:00Bus transfer to Sigmaringen
17:00-17:45Champagne Reception at Sigmaringen Castle, Welcome by the Prince, S.H. Karl Friedrich von Hohenzollern, the mayor of Sigmaringen, Thomas Schärer and the president of Albstadt-Sigmaringen University, Dr. Mühldorfer
17:45-19:00Guided tour of the castle
19:30-22:30Conference Dinner & Talk: Peter van Koppen, They are coming to get you for a wrongful conviction
 Rodeo Download Links
https://hs-as.de/rodeo/dfrws-rodeo.zip
https://hs-as.de/rodeo/dfrws-rodeo.zip.md5
https://hs-as.de/rodeo/dfrws-rodeo.zip.sha256
https://hs-as.de/rodeo/References_Reading-Material.txt
https://hs-as.de/rodeo/The-Case_The-Task.txt
22:30-23:30Bus transfer to conference hotel

Day 3: Thursday, 23rd March 2017

08:30-09:00Registration
09:00-10:00Keynote: Martin Lühning, IT-Forensic challenges in ensuring the rule of law - not only in cyberspace
10:00-10:30Coffee Break / Networking
10:30-12:00Session III: Network Forensics
Chair: Bruce Nikkel

  • Dinil Mon Divakaran, Kar Wai Fok, Ido Nevat and Vrizlynn Thing. Evidence Gathering for Network Security and Forensics | PDF
  • Elias Bou-Harb and Mark Scanlon. Behavioral Service Graphs: A Formal Data-Driven Approach for Prompt Investigation of Enterprise and Internet-wide Infections | PDF
  • Daniel Spiekermann, Jörg Keller and Tobias Eggendorfer. Network Forensic Investigation in OpenFlow Networks with ForCon | PDF
12:00-13:00Lunch at conference hotel
13:00-14:30Session IV: Storage and File Systems
Chair: Bruce Nikkel

  • Karl Wüst, Petar Tsankov, Sasa Radomirovic and Mohammad Torabi Dashti. Force Open: Lightweight Black Box File Repair | PDF
  • Andreas Dewald and Sabine Seufert. AFEIC: Advanced Forensic Ext4 Inode Carving | PDF
  • Christian Zoubek and Konstantin Sack. Selective deletion of non-relevant Data | PDF
14:30-15:30Poster session pitches and lightning talks
15:30-16:00Coffee break / Poster session
16:00-17:00Session V: Cloud and Data Exfiltration
Chair: Mark Scanlon

  • Dario Lanterna and Antonio Barili. Forensic Analysis of Deduplicated File Systems | PDF
  • Felix Freiling, Thomas Glanzmann and Hans P. Reiser. Characterizing Loss of Forensic Information due to Abstraction Layers | PDF
17:00-17:15Conference wrap-up
   
18:00-19:00Planning Session for DFRWS EU 2018

Workshop Descriptions

Hands-on introduction to MattockFS: An immutable storage & message-bus component for asynchronous computer forensic frameworks.

(https://github.com/pibara/MattockFS)

by Rob Meijer

While the growing use of triage in the computer-forensic process has mitigated the growth of the amount of data-reaching computer forensic labs, and while SSD technology result in-largely CPU restrained forensic data processing for small size-investigations, for medium to large investigations the use of-traditional harddisks remains dominant and combined with advanced in-CPU processing power, has shifted bottlenecks from being largely CPU-based to being increasingly more IO based. The pervasive use of secure-hashing in the lab-side forensic process combines CPU bound aspects-important in small scale investigations run with SSD technology as-well as IO bound aspects in medium to large investigation run with-traditional harddisks. Further, anti-forensics form a growing concern-in (semi-)automated forensic processing. MattockFS aims to provide a-local message-bus and data-archive building block for use in-(semi-)automated lab-side digital forensic media-data processing. A-building block that considers IO concerns that come with message-bus-based asynchronous processing, hashing related performance concerns-and anti-forensics related integrity concerns. The presented building-block will be illustrated with both a native and a python based-walkthrough, which the attendees will be able to follow hands-on using-MattockFS on their laptops. The intended audience is digital forensic-practitioners and researchers. Some investigative experience, and a-working knowledge of Linux and Python is required. A familiarity with-semi-automated lab-side processing as well as asynchronous data-processing models would be an advantage although not strictly-required.

Introduction to Digital Forensic Prolog, a forensic extension to the Prolog programming language

(http://digitalfire.ucd.ie)

by Pavel Gladyshev (DFIRE @ University College Dublin)

This workshop provides an introduction to DFIRE-Forensics Prolog, which is a forensic extension of Prolog language.-Unlike traditional data-centric programming languages, Prolog views-computation as logical inference: the data is viewed as evidence for-proving statements posed by the user. Prolog is well suited for-creating forensic expert systems that query file systems, Registry-hives, and other tree-like data structures. Prolog has a built-in text-parser, which makes it suitable for processing text files. DFIRE-Forensic Prolog introduces additional language extensions allowing it-to process image files, parse binary data, represent and reason about-date-time information. In addition, DFIRE Forensic Prolog access and-manipulate case files created by Autopsy forensic browser (run-queries, access bookmarks, add artifacts, create reports, etc.), and-can embed fragments of Python and/or Scala code for interoperability-and performance reasons. Additional features are under development.-This workshop introduces key capabilities of DFIRE Forensic Prolog in-a series of hands-on exercises that explore a simulated forensic case.-The intended audience is digital forensic practitioners and-researchers. Some investigative experience as well as familiarity with-Autopsy forensic browser would be an advantage although is not-strictly required

eMMC Chip off – benefits and risks

by Martin Westman (MSAB)

This workshop delves into a study of eMMC memory-chips on digital devices, which revealed widespread repurposing of use-eMMC chips. The standardization of eMMC memory makes it-straightforward to reuse them in a different device. As a result, new-digital devices can contain data from the previous owner of a reused-eMMC chip. This prior data can be extracted using chip off techniques,-and the lack of data sanitization presents significant risks.-Recycling eMMC saves production costs for manufacturers and is-positive for the environment, but must be performed responsibly to-protect privacy. In the meantime, digital forensic examiner must deal-with the reality of new devices potentially containing data from a-prior life of the eMMC memory chips. This workshop addresses these-issues, and discusses strategies for addressing the risk. The process-and equipment of performing eMMC chip off is demonstrated, and the-results are presented and analysed. Forensic examiners need to be-aware of these issues and take it into account when dealing with-devices that contain reused eMMC chips. This workshop also raises-awareness of potential digital privacy risks associated with reused-eMMC chips.

Forensic Artifacts in Windows 10

by Roman Locher (Arina)

Let’s face it: To keep up to date with all the changes in forensic-artifacts, is a really hard, if not impossible, task for many-investigators and forensic experts. To help you out on this challenge-on the Windows operating system part, we provide this workshop that-will focus on the forensically interesting areas in the Windows 10-operating system. You will learn about newly gained forensic-artifacts, but also about the ones we might have lost compared to-Windows 7/8. Among other topics we will talk about the new Microsoft-Edge browser, the Recycle Bin, Prefetch Files, Thumbnails, and many-more.

Building Forensics Tools in Go

by Joe Sylve and Vico Marziale

In this hands-on workshop attendees will learn how to develop-forensics tools in Google's Go programming language. We will first-present an overview of the Go programming language, focused on those-parts that are most useful for developing forensics tools, and then-present a simple parser for a commonly encountered forensic artifact.-Last, attendees will develop a simple parser for another common-forensics artifact, with the assistance of the presenters. This-workshop is intended for forensics tool developers. Some programming-experience is a must, preferably in a C-like language, but no-experience with Go specifically is required. Participants will be-provided with handouts of a Go "cheat sheet" and a copy of the-presentation slides. Participants will also need to have Go installed-(on their platform of choice - all common OSs are supported).

Chip-off workshop

(http://www.rusolut.com)

Sasha Sheremetov, CTO of Rusolut

In this workshop we will discuss topics related to special technology for physical image extraction and data acquisition from broken flash devices and smartphones – “chip-off” and try it on practice. We will use a special platform for chip-off data recovery and digital forensics – Visual Nand Reconstructor. The chip-off technology will be shown on the real chips and dumps extracted from damaged smartphones and other flash memory devices. Each participant will have the software installed on the computers in couple with hardware and be able to practice with several cases.

The workshop is divided into three parts:

- In the first part, we will discuss about types of memory chips, its architecture and the ways they store and allocate data. We will also have a look at the structure of data in NAND and the data encoding methods which controllers use in order to prevent fast degradation of memory. To finish this section we will discuss the whole workflow of chip-off process, step by step.
- In the second part, we will introduce Visual Nand Reconstructor and its features including hardware platform – reader, raw NAND and eMMC adapters for physical image extraction. We will plug the chips into adapters and reader, and then extract physical images out of memory chips.
- The third part will be practical, with analysis of dump from different devices and its processing to files in the Visual Nand Reconstructor software. At the end of day we will talk about the challenges that modern devices bring to digital forensic specialists and the special methods for data acquisition from corrupted embedded devices such as monolithic SD cards, microSD cards and other devices.