DFRWS 2012 returned to the greater DC area, taking place in DC from August 6 to August 8 at the Embassy Suites in Dupont Circle. This year introduced the first tutorials, now called workshops! 14 peer-reviewed papers were presented alongside keynotes by Ovie Carroll and Danny Quist. There was also a panel, “Triage in Digital Forensics,” on the first day that was moderated by Eoghan Casey and featured Michael Cohen (Google), Chet Hosmer (WetStone / Allen Corporation), Special Agent Ryan Moore (U.S. Secret Service), and Harry Parsonage (ADF Solutions). The 2012 conference was held in cooperation with the Association for Computing Machinery (ACM) and its Special Interest Group on Security, Audit and Control (SIGSAC).

The Best Paper Award went to “Surveying The User Space Through User Allocations” by Andrew White, Bradley Schatz and Ernest Foo (Queensland University of Technology).

The 2012 Forensics Challenge was to develop the fastest and most accurate data block classifier.
The scoring will be based on the weighted scores of three criteria:
1. Correctness, as measured by precision & recall rates: 55%.
2. Processing speed, in terms of throughput & scalability: 30%.
3. Quality of code and multi-platform support: 15%.

The winning submission was from Laurence Maddox, Lishu Liu, DJ Bauch & Nicole Beebe from UTSA.

The inaugural workshops were:

  • Automating the Forensics Triage Process Using Python and Linux by Doug Koster (Senior Computer Forensic Analyst, TASC)
  • Google Analytics(tm) Cookies and the Forensic Implications by James Meyer (Forensics Track Instructor, Defense Cyber Investigations Training Academy)
  • Memory Forensics with Volatility by Dr. Michael Cohen (Senior Software Engineer, Google Inc.)
  • Using bulk_extractor for digital forensics triage and cross-drive analysis by Dr. Simson Garfinkel (Associate Professor, Naval Postgraduate School)
  • Forensic Triage & Scalable Data Correlation with sdhash by Dr. Vassil Roussev (Associate Professor, University of New Orleans)
  • Advanced Registry forensics with Registry Decoder by Dr. Lodovico Marziale (Digital Forensics Solutions, LLC)
  • Challenges in Forensic Analysis of Smartphone Memory (Flash) by Eoghan Casey (cmdLabs)

Conference Location:

Embassy Suites - Downtown Washington, DC, US

August 6, 2012 to August 8, 2012


Current and Future Trends in Digital Investigative Analysis

Ovie Carroll | Director for the Department of Justice

Bio: Ovie Carroll has 25 years of law enforcement experience and is currently the Director for the Department of Justice, Cybercrime Lab at the Computer Crime and Intellectual Property Section (CCIPS) and a Digital Forensics Certified Examiner (DFCE). The Cybercrime Lab provides advanced computer forensics, cybercrime investigative and other technical support to DOJ prosecutors as it applies to implementing the Department's national strategies in digital evidence, combating electronic penetrations, data thefts, and cyber attacks on critical information systems.

Mr. Carroll is also an adjunct professor with George Washington University, teaching two classes, Cyber Crime/Internet Investigations, and Interview and Interrogation, in the Masters of Forensic Science program. Mr. Carroll is also a course author and instructor with the SANS Institute where he teaches Digital Forensics.

Prior to joining the Department of Justice, Mr. Carroll was the Special Agent in Charge of the Technical Crimes Unit at the Postal Inspector General's Office, responsible for all computer intrusion investigations within the postal service network infrastructure and for providing all digital forensic analysis in support of criminal investigations and audits. Within the Technical Crimes Unit, Mr. Carroll was also responsible for managing the Technical Surveillance Section whose mission included the deployment, installation, and monitoring of technical surveillance equipment and tracking devices that were used to track people and devices in support of criminal investigations.

Mr. Carroll has also served as the Special Agent in Charge of the Computer Investigations and Operations Branch, Air Force Office of Special Investigations, where he was responsible for coordinating all national level computer intrusions occurring within the United States Air Force. He has extensive field experience applying his training to a broad variety of investigations and operations. As a special agent with the AFOSI, Mr. Carroll worked both general crimes and counterintelligence, and has conducted investigations into a variety of offenses including murder, rape, fraud, bribery, theft, and gangs and narcotics.

Visualization in Malware and Forensics

Danny Quist | Staff member at MIT Lincoln Laboratory

Bio: Danny Quist is a staff member at MIT Lincoln Laboratory. He holds a Ph.D. from the New Mexico Institute of Mining and Technology. Previously, Danny founded Offensive Computing, an open malware research site. His interests include reverse engineering, software and hardware exploitation, virtual machines, and automatic executable classification systems. He has presented at Blackhat, the RSA Conference, Defcon, and Shmoocon.

Abstract: Visualization is a field that has broad applicability to many areas of security. It is very well received among customers and management but is very easy to get wrong. This talk will discuss some of the inherent problems visualizing large security data sets. There will be examples of improving the reverse engineering and forensics processes, as well as some examples of negative sides of visualization.


Organizing Committee

Conference Chair

Vassil Roussev, PhD (University of New Orleans)

Conference Vice Chair

Matthew Geiger (CERT)

Technical Program Chair

Florian Buchholz, PhD (James Madison University)

Technical Program Vice Chair

Brian Levine, PhD (University of Massachusetts)

Local Arrangements

Golden Richard, PhD (University of New Orleans)


Wietse Venema, PhD (IBM)


Frank Adelstein, PhD (ATC-NY)


Dave Baker (MITRE)

Advertising / Sponsorship

Daryl Pfeif (Digital Forensics Solutions)


Andreas Schuster (Deutsche Telekom AG)


Rick Smith (ATC-NY)


Eoghan Casey (cmdLabs)

Demo / Posters

Golden Richard, PhD (University of New Orleans)


Eoghan Casey (cmdLabs), Frank Adelstein, PhD (ATC-NY)

Outreach Coordinator

Tim Vidas (Carnegie Mellon)


Brian Carrier, PhD (Basis Technology)

Technical Program Committee

Frank Adelstein


David Baker


Robert Beverly

Naval Postgraduate School

Nicole Beebe

University of Texas at San Antonio

Matt Bishop

Univ. of California Davis

Florian Buchholz

James Madison University

Juan Caballero


Brian Carrier

Basis Technology

Jedidiah Crandall

University of New Mexico

William Enck

North Carolina State University

Xinwen Fu

Univ. of Massachusetts Lowell

Simson Garfinkel

Naval Postgraduate School

Paul Giura

AT&T Security Research Center

Pavel Gladyshev

University College Dublin

Xuxian Jiang

North Carolina State University

Rob Joyce


Jesse Kornblum

Kyrus Tech

Brian Levine

Univ. of Massachusetts Amherst

Marc Liberatore

Univ. of Massachusetts Amherst

Patrick McDaniel

Pennsylvania State University

Fabian Monrose

Univ. of North Carolina at Chapel Hill

Timothy Morgan

Virtual Security Research LLC

Bryan Payne

Sandia National Labs

Sean Peisert

Univ. of California Davis

Golden Richard

University of New Orleans

Vassil Roussev

University of New Orleans

Bradley Schatz

Schatz Forensic Pty. Ltd

Micah Sherr

Georgetown University

Clay Shields

Georgetown University

Vrizlynn Thing

Imperial College London

Wietse Venema

IBM Research

Timothy Vidas

Carnegie Mellon University

Yinglian Xie

Microsoft Research

Dongyan Xu

Purdue University

Cory Altheide


Nicole Beebe

University of Texas at San Antonio

Eoghan Casey

Johns Hopkins University

Michael Cohen


Matthew Geiger

Dell SecureWorks

Sundararaman Jeyarama


Ping Ji

John Jay College of Criminal Justice/CUNY

Joseph Lewthwaite

Defense Cyber Crime Institute

Michael Losavio

University of Louisville

Gilbert Peterson

Air Force Institute of Technology

Steve Romig

Ohio State University

Andreas Schuster

Deutsche Telekom AG

Elizabeth Schweinsberg