DFRWS is the leading digital forensics research conference and the 10th annual conference was held from August 2 to 4, 2010 in Portland, Oregon. The conference was held at the University Place Hotel and Conference Center near Portland State University. It featured keynote talks by Troy Larson and Wenke Lee as well as an invited talk by AAron Walters. 16 peer-reviewed papers were presented and 2 panels were featured. Panel 1 was on “Challenges In Corporate Forensics – Why Isn’t Bigger Better?” with Josh Cady, Barbara A. Frederiksen, Michelle Lentzner, Steve Mancini, Sarah Mocas, and Ed Sandoval. Panel 2 was on “Technical Aspects of Large Scale Investigations” with Simson Garfinkel, Vassil Roussev, Bradley Schatz, and Nathan Swenson.
Congratulations to James Okolica and Gilbert Peterson for winning the Best Paper Award for “Windows Operating System Agnostic Memory Analysis”. We would also like to congratulate Solal Jacob for winning the Forensics Challenge. Thanks to the organizing committee, program committee, and sponsors for helping to make the conference go so smoothly.
Challenge Results
The DFRWS 2010 Challenge offered a chance to perform forensic analysis of memory dumps from a Sony Ericsson mobile device. The challenge was designed to be accessible to a wide audience and combined accessible forensic analysis tasks with some harder problems. We were pleased that the submissions this year came not just from researchers and developers, but also from practitioners in the community. Some aspects of the challenge could not be completed using existing tools, and new techniques had to be developed. However, many of the questions could be answered without developing new approaches.
Solal Jacob was the winner with a 2-part submission. The first part was an analysis of the data using open source tools with some specialized modules. The second was a technical document detailing the data structures and low-level analysis required to develop the modules. The submission used the open source Digital Forensic Framework (DFF), available at www.digital-forensic.org, and provides some new modules specifically for parsing memory dumps of Sony Ericsson K800i devices. Some advanced DFF modules used to analyze the memory were not included in the submission (e.g., timeline and advanced hex edit modules), but these were not core to the memory reconstruction challenge.
Conference Location:
University Place Hotel and Conference Center
Portland, OR, US
August 2, 2010 to August 4, 2010
Keynotes
We Do Windows: Surviving in the Vanguard of Windows Forensics
Troy Larson | Microsoft
Addresses the challenges the Microsoft internal network security team faces in working with the unknowns in the latest versions of Windows. While most of the world is still working on XP, Windows 8 is already on the Microsoft network. The problem is looking at each new version of Windows and figuring out what the new evidentiary artifacts are and how to examine them. It is a much harder job than it sounds because there is no one source of information about everything that is new in the latest version of Windows or Office. This process includes a review of the source code, coordination with developers for detailed information, review of specifications, running tests, examination in hex editors, etc.
Getting Virtual Machine Monitoring Ready for Primetime
Wenke Lee | Georgia Institute of Technology
Committees
Organizing Committee
Conference Chair
Eoghan Casey (cmdLabs)
Conference Vice Chair
Vassil Roussev, PhD (University of New Orleans)
Technical Program Chair
Andreas Schuster (Deutsche Telekom AG)
Technical Program Vice Chair
Florian Buchholz, PhD (James Madison University)
Local Arrangements
Warren Harrison (Portland State University)
Registration
Matthew Geiger (CERT)
Proceedings
Wietse Venema, PhD (IBM)
Keynote
Dave Baker (MITRE)
Advertising / Sponsorship
Daryl Pfeif (Digital Forensics Solutions)
Finances
Rick Smith (ATC-NY)
Demo / Posters
Golden Richard, PhD (University of New Orleans)
Workshops
Frank Adelstein, PhD (ATC-NY)
Web
Brian Carrier, PhD (Basis Technology)
Technical Program Committee
Frank Adelstein
ATC-NY
Cory Altheide
Mandiant
David Baker
MITRE
Nicole Beebe
University of Texas at San Antonio
Richard Bejtlich
General Electric
Florian Buchholz
James Madison University
Brian Carrier
Basis Technology
Harlan Carvey
Terremark
Eoghan Casey
Johns Hopkins University
Jim Early
State University of New York at Oswego
Jon Evans
QinetiQ
Dario Forte
DFlabs
Simson Garfinkel
Naval Postgraduate School
Matthew Geiger
CERT
Pavel Gladyshev
University College Dublin
Grant Gottfried
MITRE
Yong Guan
Iowa State University
Gaurav Gupta
Jadavpur University
Warren Harrison
Portland State University
Sundararaman Jeyaraman
Purdue University
Rob Joyce
ATC-NY
Erin Kenneally
University of California San Diego
Jesse Kornblum
ManTech
Brian Levine
University of Massachusetts
Michael Losavio
University of Louisville
James Lyle
NIST
Nasir Memon
Polytechnic University
Timothy Morgan
Virtual Security Research LLC
Gilbert Peterson
Air Force Institute of Technology
Wei Ren
China University of Geosciences
Golden Richard
University of New Orleans
Marcus Rogers
Purdue University
Steve Romig
Ohio State University
Vassil Roussev
University of New Orleans
Nicolas Ruff
EADS-IW
Bradley Schatz
Schatz Forensic Pty. Ltd
Andreas Schuster
Deutsche Telekom AG
Clay Shields
Georgetown University
Philip Turner
QinetiQ
Wietse Venema
IBM Research
Svein Willassen
Norwegian University of Science and Technology
Sponsors
Sponsors help DFRWS to produce quality events and foster community.
Information about sponsorship opportunities is available at: http://www.dfrws.org/sponsorship-opportunities
Access Data
DFRWS 2010 Banquet
WetStone provides eInvestigation, eForensics and eCompliance solutions to Federal and local Law Enforcement agencies and Corporate Investigators around the world.
WetStone
Welcome Reception
AccessData has pioneered digital investigations for twenty years, providing the technology and training that empower law enforcement, government agencies and corporations to perform thorough computer investigations with speed and efficiency.
CERT
CERT is the home of the CERT Coordination Center and is located at Carnegie Mellon University's Software Engineering Institute. It studies internet security vulnerabilities, researches long-term changes in networked systems, and develops information and training to help improve security.