Day 1 - Wednesday, January 27, 2021
|09:00||22:00-1||Opening – Welcome Remarks
Dr Bradley Schatz (Schatz Forensic)
Silent Failures in Automated Pipelines Involving Multiple Digital Forensic Tools
Eoghan Casey (University of Lausanne)
|Peer Reviewed Paper Session: IoT device analysis
Session Chair: Matthew Sorell
|10:15||23:15-1||A Forensic Analysis of Micromobility Solutions
Jan-Niclas Hilgert, Martin Lambertz, Ann-Mariya Mateyna (Fraunhofer FKIE), Alina Hakoupian (University of Bonn)
Over the last years, various kinds of micromobility solutions including bikes and escooters have popped up in many cities across the globe. They provide a new, convenient form of transportation requiring only an easy-to-use application for the renting process, thus making micromobility solutions available to a wide user base. Due to this fact, investigators will positively encounter these applications during the analysis of a suspect’s mobile device in the future. Considering their area of application, these apps possibly contain valuable information about a suspect’s movements. This paper aims to shed a light on the question, what exact kind of data these applications store and how it can be accessed during an analysis. We come to the conclusion that all of the micromobility providers we examined, store crucial data on their servers including personal user data, payment information as well as a ride history. In favor of assistance during a forensic analysis of micromobility solutions, we implemented a forensic toolkit for the acquisition of this data making use of the application-specific APIs of the providers. Furthermore, we go a step further and investigate how reliable the acquired movement data is and show whether and how it is possible to create completely spoofed trips.
|10:45||23:45-1||Short Papers A|
|11:00||00:00||Your Car Is Recording: Metadata-driven Dashcam Analysis System
Kukheon Lee, Jong-Hyun Choi, Jungheum Park, Sangjin Lee (Korea University)
Best Paper Award - APAC 2021
Dashcam as an on-board camera is useful as a source of potential digital evidence not only to reveal the truth of a traffic accident but also to explain the situation of a crime scene as a moving surveillance camera. It stores multimedia data as well as a variety of additional information needed for accident investigation including time, location, speed, accelerometer, etc. Under these circumstances, various studies have been conducted for dashcam forensics, but most of them focused mainly on extracting and interpreting visual video frames. In this paper, we identify and classify various metadata generated by 14 dashcam models produced by 11 manufacturers. Furthermore, we develop a normalized database schema to manage different multiple metadata and then discuss several dashcam forensic activities based on it. In addition, a prototype open-source tool is presented to support the proposed metadata-driven dashcam forensics.
|11:30||00:30||Short Papers B|
|11:50||00:50||Forensic Analysis for AI Speaker with Display Echo Show 2nd Generation As A Case Study
Min-A Youn, Yirang Lim, Kangyoun Seo, Hyunji Chung, Sangjin Lee (Korea University)
As the Internet of Things (IoT) era arrives, many Internet-connected devices are being released, and their use is increasing. One of these, the AI speaker, is designed to augment user convenience by using voice recognition. The best-known products are the Amazon Echo family, including Echo and Echo Dot and more recently, Echo Show with display. An AI speaker with display provides diverse functions such as surfing the Internet, taking pictures, making voice or video calls, and controlling smart home devices. To do this, Alexa cloud servers store a variety of configuration values and historical logs, and users can manage their own cloud-native data through interfaces (e.g., Web sites or mobile apps). For this reason, AI speakers with smart display are similar to PCs or smartphones, which can be very profitable from a digital forensic perspective. This paper focuses on detailed research on the second generation of Echo Show. The first step was to collect forensic artifacts stored inside the product by teardown, identifying eMMC flash memory chips and performing chip-off on Echo Show. Alexa app-related artifacts used on smartphones and how to automatically acquire data from the Alexa cloud were also investigated. From three sources including Echo Show, a companion client (smartphone), and the Alexa cloud, it was possible to acquire user credentials, traces of photos, records of watching videos, log files, and Internet histories with timestamp. The second step was to identify the possibility of inferring new information by correlating artifacts collected from different sources. Integrative analysis enables investigators to track suspect activity across digital devices. Third, this paper introduces an updated version of Cloud-based IoT Forensic Toolkit (CIFT) to support digital investigation of Echo Show.
Based on the technical findings, this study proposes a digital forensic framework for a smart speaker with a display that can play an important role as a digital witness at a crime scene. Until now, there has been no multilevel approach to acquisition and analysis of Echo Show data in the field of digital forensics. Therefore, this study makes a contribution to the digital forensic community.
|12:20||01:20||DFRWS APAC 2020 Rodeo
The Artifact Genome Project
Abe Baggili (University of New Haven)
Velociraptor – Digging Deeper!
Dr. Michael Cohen has over 20 years of experience in applying and developing novel incident response and digital forensics tools and techniques. He has previously worked in the Australian Department of Defence as an information security specialist, at the Australian Federal Police specializing in digital forensics, network and memory forensics. In 2010 he joined Google, where he created tools in support of the incident response team. Michael has recently founded Velocidex Enterprises – the company behind Velociraptor – an advanced DFIR and endpoint visibility tool.
Day 2 - Thursday, January 28, 2021
|Daily Opening – Welcome Remarks
Dr Bradley Schatz (Schatz Forensic)
Forensic Email Investigation
Arman Gungor, Metaspike
Arman Gungor is a certified computer forensic examiner (CCE) and software developer. He has been appointed by courts as a neutral computer forensics expert as well as a neutral eDiscovery consultant. Arman is passionate about doing digital forensics research, developing new investigative techniques, and creating software to support them.
Forensic Audio Clarification - a hands on workshop for beginners
Download and install the trial version of iZotope RX 8 Advanced:
Go to https://www.izotope.com/en/products/downloads/rx_advanced.html to download the software.
After downloading and installing the software you will have full access to every feature that RX8 Advanced provides with the exception of being able to save your work.
Clarifying and analyzing audio has evolved over the last 20 years into an advanced and interesting science. Software tools are powerful and fast and allow users to quickly try various filters and settings and to hear results instantly.
A user can remove many varieties of noise from audio evidence — air conditioning hum, ringing phone, passing truck, wind noise, ruffle from clothing, and electronic noise. Users can fix over-modulated audio issues, sometimes remove music from recordings — leaving only dialogue, and quickly average audio levels so that the most quiet sounds are louder and the loudest sounds are brought down.
What is the definition of audio noise?
Any signal that impedes the listener from hearing audio they want to hear!
As the founder and lead forensic expert of the National Center for Audio and Video Forensics, David Notowitz began his career producing, shooting, and editing television news segments, half hour magazine programs, documentaries, corporate videos, and feature films. He now leads his firm in providing audio and video forensic work to investigate incidents and preparing evidence for trial.
David Notowitz will lead a hands on experience with cleaning audio, explain how the tools work, and educate us on the filters and tools available to audio clarification forensic experts.
David Notowitz, Founder, National Center for Audio and Video Forensics (NCAVF)
Mr. Notowitz is an Emmy award winning producer and multi-faceted video and audio evidence expert. His past specialties include commercial, feature film, and event video production. In 1986 he started Notowitz Productions and produced daily segments for the Financial News Network (since bought by CNBC). Mr. Notowitz created NCAVF, the National Center for Audio and Video Forensics, and has worked as a forensic audio and video expert on many cases assisting police officers, private detectives, insurance investigators, district attorneys, public defenders, and corporate attorneys with cases across California and the country. His evidence analysis has provided assistance to attorneys involved in criminal and civil litigation, federal and state cases, and with plaintiff, prosecution, and defense. A few of the largest corporate clients include Kroger, Target, Home Depot, PetSmart, and McDonalds.
|13:00||02:00||Peer Reviewed Paper Session: Management, training & education
Session Chair: Eoghan Casey
|13:05||02:05||Avoiding Burnout At The Digital Forensics Coalface: Law Enforcement Workplace Strategies For Managing Job-related Stress
Sally Kelty, Emma McQueen, Carly Pymont (University of Canberra), Nathan Green (Australian Federal Police)
Recent evidence suggests digital forensics personnel are at risk of developing burnout and job-related/occupational stress. This may be due to increased and repetitive exposure to challenging incidents, either face to face or via digital imagery in real time or post-event. This exposure includes footage of extreme violence, child exploitation, suicide and death scenes. The risk of stress also aligns with the changing nature of policing where rates of serious crime, especially robbery and homicide have decreased, while digital crime rates in many countries have increased, which has changed workload demands and requiring new skillsets in addition to traditional investigation methods. Occupational stress has high financial and personal costs, impacting organisations, work teams, family, friends and the individual in question. For organisations and teams, occupational stress is associated with increases in workplace accidents, higher absenteeism, early retirement, higher intentions to quit, lower motivation and disillusionment with work tasks, all of which impacts on the cohesion of forensic teams. The aim of this paper is to present the results from a mixed studies critical review on the small, but growing body of evidence on organisational risk factors for occupational stress, and to present key targeted strategies that forensic science and policing agencies can take to manage these risk factors in their digital forensics teams.
|13:30||02:30||Short Papers C|
|13:50||02:50||Law Enforcement educational challenges for mobile forensics
Georgina Humphries, Rune Nordvik (Norwegian Police University College), Harry Manifavas (ICS-FORTH), Phil Cobley (MSAB), Matthew Sorell (University of Adelaide)
Training, tools, and standards are important foundations of mobile forensics. This work focuses on existing curricula and courses in the domain of mobile forensics. In order to identify courses in areas of computing where mobile forensics may be offered, this research utilises open source information gathering, in addition to questionnaire and interviews, to capture additional information and the views and experiences of educators and/or trainers. This research finds that current education and training offerings mainly include topics regarding acquisition of mobile devices and analysis of the acquired data. Current education and training do not cover the areas of a complete mobile forensic investigation, from crime scene to court.
In addition, trainer opinions on skills shortages include the lack of basic knowledge, generic skills in forensics and investigation, lack of skilled practitioners, and necessary mindsets to critically think, investigate and avoid dependency on Digital Forensic software.
|14:35||03:35||Peer Reviewed Paper Session: Interception, decloaking and traffic analysis
Session Chair: Manoranjan Mohanty
|14:40||03:40||Short Papers D|
|15:00||04:00||Identifying interception possibilities for WhatsApp communication
Dennis Wijnberg (National Police of the Netherlands), Nhien-An Le-Khac (University College Dublin)
On a daily basis, law enforcement officers struggle with suspects using mobile communication applications for criminal activities. These mobile applications replaced SMS-messaging and evolved the last few years from plain-text data transmission and storage to an encrypted version. Regardless of the benefits for all law abiding citizens, this is considered to be the downside for criminal investigations. Normal smartphone, computer or network investigations do no longer provide the contents of the communication in real-time when suspects are using apps like WhatsApp, Signal or Telegram. Among them, WhatsApp is one of the most common smartphone applications for communication, both criminal as well as legal activities. At the beginning, WhatsApp communication between smartphone and server used to be in plain-text and therefore visible to law enforcement during a wiretap. Early 2016 WhatsApp introduced end-to-end encryption for all users, immediately keeping law enforcement officers around the world in the dark. Existing research to recuperate the position of law enforcement is limited to a single field of investigation and often limited to post mortem research on smartphone or computer while wiretapping is limited to metadata information. Therefore, it provides only historical data or metadata while law enforcement officers want a continuous stream of live and substantive information. This paper identified that gap in available scenarios for law enforcement investigations and identified a gap in methods available for forensic acquiring and processing these scenarios. In this paper, we propose a forensic approach to create real-time insight in the WhatsApp communication. Our approach is based on the wiretapping, decrypting WhatsApp databases, open source intelligence and WhatsApp Web communication analysis. We also evaluate our method with different scenarios in WhatsApp forensics to prove its feasibility and efficiency. 
Through these scenarios, we found that by providing real-time intelligence such as profile pictures, their activity, voice and video call behaviour including location data as well as remote access to a suspect WhatsApp account, their conversations including voice messages, (live) geolocation, shared contacts, documents, images and videos are made accessible. Hence, our corresponding method can be used by law enforcement agencies around the world to reinforce their position in the world of WhatsApp communication interception.
|15:30||04:30||Monitoring An Anonymity Network: Toward The Deanonymization Of Hidden Services
Marco Simioni, Pavel Gladyshev, Babak Habibnia (University College Dublin), Paulo Roberto Nunes de Souza (Universidade Federal do Espírito Santo)
Best Student Paper - APAC 2021
Anonymity networks are an example of Privacy Enhancing Technology (PET) whose historical goal is to avoid censorship, preserve users privacy, and promote freedom of speech. Such networks, however, also provide a “safe haven” for criminal activity: previous research observed a dominance of commerce platforms delivered as hidden services within The Onion Router (Tor) network, undoubtedly the most popular anonymization technology at the time of writing, largely around narcotics and illegal financial services.
Extensive research has been conducted on locating hidden services on the Tor network, but a general method that is able, given a service delivered via anonymity network, to effectively produce a list of candidate nodes responsible for delivering the service still remains an open research problem. In this paper we describe the infrastructure we have designed and implemented for monitoring the Invisible Internet Project (I2P) network, which is a smaller scale anonymity network compared to Tor but already proven to be used for illicit activities, and how its output can be used to enable such general method.
|16:00||05:00||IoT network traffic analysis: opportunities and challenges for forensic investigators?
Tina Wu (University of Oxford), Frank Breitinger, Stephen Niemann (University of Liechtenstein)
As IoT devices become more incorporated into our daily lives, their always on approach makes them an ideal source of evidence. While these devices should use encryption to protect sensitive information, in reality this is not always the case e.g. some expose sensitive data like credentials in cleartext. In this paper, we have conducted an extensive analysis on the communications channels of 32 IoT consumer devices. Our experiments consisted of four main parts; first we carried out a port scan to determine if any ports can be exploited and thus gain remote access. Second, we looked at whether any of the devices used encryption and if not what type of content was exposed. Third, we used the network traffic ‘metadata’ to identify the destination the data terminated. Finally, we examined the communication between the mobile app and the cloud to see if it can be easily exploited using a proxy server. Our findings show that the majority of devices have remote access unavailable. We found the Shannon entropy test a useful pre-test in identifying unencrypted content. Although many devices encrypted their data, we found several in particular smart cameras would send data in cleartext when they detected motion or during updates. We found the majority of data transverses to the US and stored on Amazon servers with most devices contacting multiple destination. Lastly, we discovered many of the IoT device’s mobile apps can be easily exploited using a HTTP Proxy.
Day 3 - Friday, January 29, 2021
|09:00||22:00||Daily Opening – Welcome Remarks
Dr Bradley Schatz (Schatz Forensic)
Extracting Evidence from Damaged Devices
|Peer Reviewed Paper Session: Validation & Filesystem analysis techniques
Session Chair: Bradley Schatz
|10:00||23:00-1||TraceGen: User Activity Emulation for Digital Forensic Test Image Generation
Xiaoyu Du (University College Dublin), Chris Hargreaves (University of Oxford), John Sheppard (Waterford Institute of Technology), Mark Scanlon (University College Dublin)
Best Student Paper - APAC 2021
Digital forensic test images are commonly used across a variety of digital forensic use cases including education and training, tool testing and validation, proficiency testing, malware analysis, and research and development. Using real digital evidence for these purposes is often not viable or permissible, especially when factoring in the ethical and in some cases legal considerations of working with individuals’ personal data. Furthermore, when using real data it is not usually known what actions were performed when, i.e. what was the ‘ground truth’. The creation of synthetic digital forensic test images typically involves an arduous, time-consuming process of manually performing a list of actions, or following a ‘story’ to generate artefacts in a subsequently imaged disk. Besides the manual effort and time needed in executing the relevant actions in the scenario, there is often little room to build a realistic volume of non-pertinent wear-and-tear or ‘background noise’ on the suspect device, meaning the resulting disk images are inherently limited and to a certain extent simplistic.
This work presents the TraceGen framework, an automated system focused on the emulation of user actions to create realistic and comprehensive artefacts in an auditable and reproducible manner. The framework consists of a series of actions contained within scripts that are executed both externally and internally to a target virtual machine. These actions use existing automation APIs to emulate a real user’s behaviour on a Windows system to generate realistic and comprehensive artefacts. These actions can be quickly scripted together to form complex stories or to emulate wear-and-tear on the test image. In addition to the development of the framework, evaluation is also performed in terms of the ability to produce background artefacts at scale, and also the realism of the artefacts compared with their human-generated counterparts.
|10:30||23:30-1||Short Papers E|
|10:45||23:45-1||A Contemporary Investigation Of NTFS File Fragmentation
Vincent van der Meer (Zuyd University of Applied Science), Hugo Jonker (Open University of the Netherlands), Jeroen van den Bos (Netherlands Forensic Institute)
There is a significant amount of research in digital forensics into analyzing file fragments or reconstructing fragmented data. At the same time, there are no recent measurements of fragmentation on current, in-use computer systems. To close this gap, we have analyzed file fragmentation from a corpus of 220 privately owned Windows laptops.
We provide a detailed report of our findings. This includes contemporary fragmentation rates for a wide variety of image-, video-, office-, database-, and archive-related extensions. Our data substantiates the earlier finding that fragments for a significant portion of fragmented files are stored out-of-order. We define metrics to measure the degree of “out-of-orderedness” and find that the average degree of out-of-orderedness is non-negligible. Finally, we find that there is a significant group of fragmented files for which reconstruction is insufficiently addressed by current tooling.
|11:15||00:15||Forensic Analysis Of ReFS Journaling
Seonho Lee (The Affiliated Institute of ETRI), Jungheum Park, Hyunuk Hwang, Seungyoung Lee, Sangjin Lee (Korea University), Doowon Jeong (Dongguk University)
Since the analysis of file system is a fundamental step in forensic investigation, file system forensics has been steadily researched. Especially, NTFS forensics has been mainstream research as it is used by Windows, a globally most-used operating system. When investigating NTFS, journaling analysis is an important procedure as it can identify which files are created, modified, and deleted. Meanwhile, Microsoft developed the Resilient File System (ReFS), which is also used in Windows, to maximize data availability; ReFS is also expected to be a popular file system. Similar to the $Logfile and the $UsnJrnl of NTFS, there are artifacts in ReFS: the Logfile and the Change Journal that document information regarding changes to the system.
In this paper, we present the structure and operation of the Logfile and the Change Journal. By kernel reverse engineering, we identify that the ReFS artifacts related to journaling are quite different from the NTFS artifacts; the ReFS artifacts use new record formats, named Log Record and USN RECORD V3, and the metadata of ReFS handling journaling files is distinct from that of NTFS. Through experiments, we identify logging patterns of transaction record and examine the mechanism of ReFS journaling. In this process, we enhance the knowledge of the metadata and structure of ReFS presented by previous research. Based on the result of our research, we also propose a forensic methodology of ReFS journaling and develop a tool, Awesome ReFS Investigation tool (ARIN), which is an open-source for analyzing the ReFS journal. These outcomes may provide considerable assistance to a forensic examiner trying to investigate ReFS volumes.
|11:45||00:45||Birds of a Feather - Introduction (Frank Adelstein)|
|11:50||00:50||Birds of a Feather|
|Peer Reviewed Paper Session: Classification Techniques
Session Chair: KP Chow
|13:30||02:30||CNN Based Zero-day Malware Detection Using Small Binary Segments
Wen Qiaokun, KP Chow (University of Hong Kong)
Malware detection is always an important task in digital forensics. With the advancement of technology, malware have become more and more polymorphic. In the process of digital investigation, forensics always cannot get the entire file of the malware. For example, when conducting corporate cybersecurity forensics, because the limit length of network packages, packets capture tools established by different companies often fail to get the entire file. Otherwise, deleting files may also cause residues of malware segments. Because we even do not know which part the segment we get is, so, we cannot use much domain knowledge to do the detection. Therefore, this paper proposes to detect malwares according to very small sequence binary fragments of PE files by using a CNN-based model. Datasets especially test set are often one of the most difficult problems in zero-day malware detection, because it means that the virus has never appeared before. In this paper, we collect the data by taking advantage of the differences in anti-virus tools at different time points. And experiments are performed on malwares of different lengths, positions, and combinations. Through experiments, we found that only a short segment is needed to achieve a relatively good accuracy. In the end, for a random piece of continuous malicious code, we achieved an accuracy of up to 0.86 when the length of continuous fragments is 60,000 bytes. For non-contiguous and unordered random pieces of malicious code, we get an accuracy of up to 0.83 using only 1024 bytes (1KB) length fragments. And when using 60,000 bytes length fragment as the baseline, we can finally receive a 0.91 accuracy.
|14:00||03:00||Short Papers F|
|14:15||03:15||Insider Threat Prediction Based on Unsupervised Anomaly Detection Scheme for Proactive Forensic Investigation
Yichen Wei, Kam-Pui P Chow, Siu-Ming Yiu (University of Hong Kong)
The complexity, concealment and infrequency of malicious internal actions make it difficult to detect insider threats. In the process of traditional reactive forensic investigation, analysis and interpretation of the digital evidence are performed after a crime has been committed. Even if insiders can be detected, they have already caused huge damage. In this paper, we propose a novel general unsupervised anomaly detection scheme based on cascaded autoencoders (CAEs) and joint optimization network. Our core idea is to utilize CAEs to do data purification among unlabeled digital evidence, then jointly optimize the dimension reduction and density estimation network to avoid sub-optimal problems. Basing on this scheme, we design an end-to-end insider threat prediction framework for proactive forensic investigation, through which we can make real time response to prevent the harmful influences of insider threats in advance. We extract the tractable and scalable feature representation automatically through the data driven Bidirectional Long Short-Term Memory (LSTM) feature extractor, waiving the time-consuming and customarily expert dependable feature engineering work. Additionally, a hypergraph correction module is applied to solve the commonly existed relatively high false positive rate problem in insider threat detection. We evaluate our scheme and framework on public benchmark datasets. The empirical experiments demonstrate that our models outperform state-of-the-art unsupervised methods.
|14:45||03:45||Short Papers G|
|15:05||04:05||A Novel Adversarial Example Detection Method for Malicious PDFs Using Multiple Mutated Classifiers
Chao Liu, Chenzhe Lou, Min Yu (Chinese Academy of Sciences), SM Yiu, KP Chow (University of Hong Kong), Gang Li (Deakin University)
|15:35||04:35||Awards and Conclusions|
Short Papers A (12 minutes)
|Tracing walking path using Smart Lighting System||Raymond Chan (Singapore Institute of Technology)|
|Enhancing Traditional Forensic Investigations using IOT Traces from Smart Buildings||Francesco Servida, Eoghan Casey, Thomas Souvignet, Olivier Delémont, Timothy Bollé, Manon Fischer (University of Lausanne)|
|The Use Of Object Traces In A Connected World||Hannes Spichiger (University of Lausanne)|
Short Papers B (17 minutes)
|Identifying Camera Temperature Using Sensor Pattern Noise||Richard Matthews, Matthew Sorell, Nickolas Falkner (University of Adelaide)|
|PRNU-Based Verification of Multi-Camera Smartphones||Manoranjan Mohanty (University of Technology Sydney), Jingyi Qiu (University of Auckland)|
|Towards deep fake video detection using PRNU-based method||Manoranjan Mohanty (University of Technology Sydney), Yash Kotadia (University of Auckland)|
Short Papers C (10 minutes)
|Evaluating Results from Automated Systems in Forensic Science||Timothy Bollé, Eoghan Casey, Maëlig Jacquet (University of Lausanne)|
|Use of Automated Systems for Rapid Decisions||Hannes Spichiger, Timothy Bollé (University of Lausanne)|
|Teaching the Next Generation of Cyber Sleuths: Introducing Digital Forensic Science in Secondary School to Advance Career Readiness and Digital Citizenship||Daryl Pfeif, Eoghan Casey, Casey Soden, Karen Peterson (Digital Forensics Solutions / Cyber Sleuth Labs, National Girls Collaborative Project)|
Short Papers D (18 minutes)
|The potential of digital traces in providing evidence at activity level||Hans Henseler (University of Applied Sciences Leiden), CJ de Poot (Amsterdam University of Applied Sciences)|
|Theory And Practice Of The Use Of Digital Evidence In Polish Criminal Court Proceedings||Piotr Lewulis (University of Warsaw)|
|A Unified Approach for Digital Forensics Analysis||Ali Alshumrani, Nathan Clarke, Bogdan Ghita, Stavros Shiaeles (Plymouth University)|
Short Papers E (14 minutes)
|I can login without your password: Data acquisition from web-based server using user credential attack||Jaehyeok Han, Hyunji Chung, Sangjin Lee (Korea University)|
|Comprehensive Statistical Analysis on the Crackability of Real-World Passwords||Aikaterini Kanta, Mark Scanlon (University College Dublin)|
|Identifying Crypto API Usages in Android Apps using a Static Analysis Framework||Daisuke Sumita (National Police Agency, Japan), Kanta Matsuura (University of Tokyo)|
Short Papers F (15 minutes)
|Automatic Classification Upon CVE Items and Cyber Security Articles||Tianyi Wang, KP Chow (University of Hong Kong)|
|Forecasting Developments In Crime And Terrorism - Horizon Scanning In Cyber-enabled Crime, Terrorism and Information Warfare||Kacper Gradon (University of Warsaw)|
|Advanced Forensic Recovery and Analysis of MySQL Data in Deleted State||Johann Polewczyk (UNIL), Francesco Servida, Thomas Souvignet, Timothy Bollé, Eoghan Casey (University of Lausanne)|
Short Papers G (11 minutes)
|The forensic aspects of analysis of deepfake videos based on AI algorithms||Zeno Geradts (Netherlands Forensic Institute)|
|Feature Extraction of Protest Demonstration on Lihkg Discussion Forum||Ao Shen, KP Chow (University of Hong Kong)|
|Calibration of step count logs in Apple Health Data||Luke Jennings, Matthew Sorell (University of Adelaide), Hugo Espinosa, David Rowlands (Griffith University)|
Digital Forensic Challenge
Please join us on Discord!