Lake Constance
Conference Location: 
Lake Constance


DFRWS EU 2017 will be held in Überlingen, Lake Constance, Germany. Überlingen is a city on the northern shore of Lake Constance (Bodensee). The conference venue is the Parkhotel St. Leonhard, Überlingen. DFRWS EU 2017 is co-located with the 10th International Conference on IT Security Incident Management & IT Forensics (IMF 2017).

If you have not already done so, please register at the event hotel as soon as possible - space is limited and reserved on a first-come, first-serve basis. To secure your hotel accommodations, please send an email with your arrival-date and departure-date and reference to DFRWS EU 2017 to: veranstaltung@parkhotel-sankt-leonhard.de


Developments in the threat landscape, how to mitigate the risks of targeted attacks?

Freddy Dezure


Freddy Dezeure graduated as Master of Science in Engineering in 1982. He was CIO of a private company from 1982 until 1987. After joining the European Commission, he has held a variety of management functions in administrative, financial and operational areas, in particular in information technology. He has set up the CERT for the EU institutions, agencies and bodies in 2011 and he has been Head of CERT-EU since then. He is a frequent keynote speaker at international conferences.

21st Century Bank Robberies: How modern criminals attack financial institutions

Patrick Lodder


Patrick Lodder is a Lead Security Management Specialist in SWIFT’s Customer Security Intelligence team. The Customer Security Intelligence team supports customers with forensic cyber investigations and with the analysis of compromised customer systems. The results of these investigations, combined with the analysis of threat intelligence specifically related to SWIFT customers, are used to inform users on how they can better protect their local infrastructure against cyber-attacks.

Patrick studied Software Engineering in Utrecht, the Netherlands. He joined SWIFT in 2005 where he held various positions within the EMEA Services & Support division, and was responsible for Implementation and Support of SWIFT's software and services in banks across Europe, the Middle East and Africa.

They Are Coming To Get You For A Wrongful Conviction

Peter van Koppen

VU University Amsterdam

Peter van Koppen JD is a psychologist and full professor of Legal Psychology at the Faculty of Law of VU University Amsterdam.

Peter van Koppen is a member of the Royal Holland Society of Sciences and Humanities. He is editor of the international journal Psychology, Crime, and Law (since 1992). He is a member of the Governing Board of the Netherlands Register of Court Experts.

Van Koppen published, next to some 35 books, 125 articles and 100 chapters in edited volumes, many of legal psychology, but also on the quality of evidence and misbehaviour of police, prosecution and judges.

Van Koppen has served as an expert witness in more than 450 cases. In 2014 he was awarded the Tom Williamson Award for life time achievement by the International Investigative Interviewing Research Group, iIIRG. In 2016 he received the Lifetime Achievement Award of the European Association of Psychology and Law (EAPL).

IT-Forensic challenges in ensuring the rule of law - not only in cyberspace

Martin Lühning

Baden-Württemberg State Bureau of Investigation

Martin Lühning is Head of the Division of Digital Traces at the Baden-Württemberg State Bureau of Investigation. In his prior position, he led the Economic Crime Investigation Division of the Stuttgart Police Department. His expertise includes investigation of Organized Crime, Narcotics, and Economic Crime with specialization in Digital Traces. His extensive practical  experience with digital evidence and criminal investigation gives him a unique perspective of the emerging challenges for law enforcement in this area.


This year brings together two premier research conferences in Europe, the DFRWS digital forensics conference (DFRWS EU 2017) and the International Conference on IT Security Incident Management & IT Forensics (IMF 2017).

Established in 2001, DFRWS has become the premier digital forensics conference, dedicated to solving real world challenges, and pushing the envelope of what is currently possible in digital forensics.

Since 2003, IMF has established itself as one of the premier venues for presenting research on IT security incident response and management and IT forensics. While the first IMF conference was organized to establish a research forum for German speaking researchers and practitioners from the field, it soon became an International conference attracting many experts across Europe. IMF 2017, being the 10th Conference, is also an important mile stone in bringing the two worlds of IT security incident response and management and forensics together. 

Both DFRWS and IMF organise informal collaborative environments each year that bring together leading researchers, practitioners, industry, tool developers, academics, law enforcement, and other government bodies from around the globe to tackle current and emerging challenges in their fields. 

The co-hosting of the two events will help generate new discussions and ideas by bringing together two strong research communities: DFRWS’s community encompassing a broad range of topics in digital forensics, and IMF’s community focusing on IT security incident response and management.

The proceedings of DFRWS EU / IMF 2017 will be published in a special open-access issue of Elsevier's Digital Investigation journal, and will be freely available on the DFRWS website.

The DFRWS EU / IMF 2017 conference extends the 17-year tradition of research conferences organized by DFRWS.org, including the DFRWS US 2016 conference from from August 7 to 10, 2016 in Seattle. The information on the upcoming DFRWS USA, the program and how to register can be found at http://dfrws.org/2016/

Possibilities to contribute:

In recent years, DFRWS and IMF conferences have added practitioner presentations and hands-on tutorials/workshops taught by leading experts in the fields. Presentations are opportunities for industry researchers and practitioners who do not have the time to write a paper, but who have forensics information and experiences that would be of interest to DFRWS / IMF attendees. Presentation proposals undergo a light reviewing process to filter out sales pitches and ensure the topic is relevant to our audience.

We invite original contributions as research papers, non-research practitioner presentations, tutorials/workshops, panels, demos, and posters on the following topics in digital forensics and IT security incident response and management:


IT Security Incident Management

  • Incident management standardization, metrics and life cycle
  • Incident management formats and protocols
  • Incident response and/or Vulnerability response workflows, procedures and tools
  • Incident analysis including live analysis
  • Research in incident management and related processes
  • Development of tools supporting incident management processes
  • Exchange of cyber threat intelligence
  • Sharing of data/information about threats, attacks, incidents, etc.
  • Setup of cyber defense entities including but not limited to: CSIRTs, PSIRTs, ISACs, SOCs and any other organization specialising in (some) IT security incident management processes  
  • Maturity of such cyber defense entities
  • Warning of large scale communities about upcoming threats or detected vulnerabilities
  • Ensuring situational awareness and early warning
  • Mandatory vs. discretionary attack / incident / vulnerability reporting
  • Non-traditional incident management scenarios and approaches (e.g. vehicles, control systems, and SCADA)


Digital Forensics

  • "Big data" approaches to forensics, including data collection, data mining, and large scale visualization
  • Research and development of tools supporting digital forensics
  • Digital forensic laboratories and other organizations specialising in digital forensic science
  • Addressing forensic challenges of systems-on-a-chip
  • Anti-forensics and anti-anti-forensics
  • Bridging the gap between analog and digital traces/evidence/investigators
  • Case studies and trend reports
  • Data hiding and discovery
  • Data recovery and reconstruction
  • Database forensics
  • Digital evidence and the law
  • Digital evidence storage and preservation
  • Digital evidence and open source intelligence analysis
  • Event reconstruction methods and tools
  • Impact of digital forensics on forensic science
  • Interpersonal communications and social network analysis
  • Malware and targeted attacks: analysis, attribution
  • Memory analysis and snapshot acquisition
  • Mobile and embedded device forensics
  • Multimedia forensic analysis
  • Network and distributed system forensics
  • Non-traditional forensic scenarios and approaches (e.g. vehicles, control systems, and SCADA)
  • Storage forensics, including file system and Flash
  • Tool testing and development
  • Triage, prioritization, automation: efficiently processing large amounts of data in digital forensics
  • Typology of digital traces
  • Virtualized environment forensics, with specific attention to the cloud and virtual machine introspection

The above list is only suggestive. We welcome new, original ideas from people in academia, industry, government, and law enforcement who are interested in sharing their results, knowledge, and experience. Authors are encouraged to demonstrate the applicability of their work to practical issues. Questions about submission topics can be sent via email to: eu-papers <at> dfrws <dot> org



RESEARCH PAPERS: Research papers must be original contributions, not duplicate previous work (including the authors' own), and must not be under simultaneous publication review elsewhere. The review process will be "double-blind" (reviewers will not know who the authors are, and authors will not know who the reviewers are). Therefore, the version submitted for review should not contain the names or affiliations of the authors. When referring to their own previous work, authors should use the third person instead of the first person (i.e. "Smith and Jones [2] previously determined..." instead of "We [2] previously determined..."). 

Papers must be written in English and should not exceed 10 single-spaced, two-column pages with 1 inch margins and 10pt font. Papers should be submitted as PDF files. Accepted papers will be required to utilize the provided Microsoft Word template or Elsevier's LaTeX template (elsarticle class with the "5p" option). Authors are encouraged to use these templates for the submission version as well. After using the templates, do not forget to remove authors' names and other revealing information for double-blind submission. 

Authors are expected to present their work in person at the conference. At least one registration per paper is required in order to be included in the proceedings. Authors shall register for the conference prior to submitting their final draft for publication. At the conference, authors of accepted papers will be given 25 minutes to present their work, followed by 5 minutes of questions. 

Research papers must be submitted through the EasyChair site at https://easychair.org/conferences/?conf=dfrwseu2017. Submissions must be in Adobe Acrobat PDF format. Send any questions about research paper submissions to eu-papers (at) dfrws (dot) org. 

PANEL PROPOSALS: These should be one to three pages and clearly describe the topic, its relevance, and a list of potential panelists and their biographies. Panels will be evaluated based on the topic relevance and diversity of the panelists. 

Panel proposals must be emailed to eu-panels (at) dfrws (dot) org in PDF or plain text format. 

NON-RESEARCH PRACTITIONER PRESENTATIONS: DFRWS EU / IMF 2017 is soliciting proposals for 15-minute presentations that showcase forensics experiences of interest to DFRWS attendees, including (but not limited to) case studies and advances in user interface, real-time analysis, and triage. Presentation proposals are not included in the printed proceedings and should not be anonymized. Presentation proposals only undergo a light reviewing process to make sure they are of interest to the community. Sales pitches will not be accepted. Presentation proposals are in the form of an abstract (150-300 words) in PDF format. At least one author is expected to register and present their work in person at the conference. Presenters will be given 15 minutes, followed by 5 minutes of questions. Presentation duration will be strictly enforced. 

Presentation proposals must be submitted through the EasyChair site at https://easychair.org/conferences/?conf=dfrwseu2017. Submissions must be in Adobe Acrobat PDF format. Send any questions about presentation proposal submissions to eu-papers (at) dfrws (dot) org. 

DEMO OR POSTER PROPOSALS: DFRWS EU / IMF 2017  welcomes demonstrations or posters of proof of concept and research-based tools. Proposals should describe the tool, its relevance to the forensics field, and space/equipment needs (e.g., table size, power, networking, etc.).
Demo or poster proposals must be emailed to eu-demos (at) dfrws (dot) org in PDF or plain text format. 

WORKSHOP PROPOSALS: DFRWS EU / IMF 2017 offers an expanded opportunity to present half-day or full-day workshops and vendor-agnostic tutorial sessions. Tutorial/workshop proposals must be emailed to eu-workshops (at) dfrws (dot) org in PDF or plain text format.

LIGHTNING TALKS: Conference attendees are invited to present parts of their ongoing work or open research questions for 5 minutes. Registration for lightning talks is possible at the conference. 



DFRWS continues its outreach to students studying digital forensics. This year DFRWS will be offering an award with a cash prize to the best student paper. A student paper is any paper in which the majority of the work was performed and the paper written by full-time students at an accredited university, college, or high school.

A limited number of scholarships may be awarded to students presenting a paper at the conference. The intent is to help alleviate the financial burden due to the cost of hotel expenses and conference registration.


DFRWS EU/IMF 2017 is organised in cooperation with the German Informatics Society and its Special Interest Group SIDAR.



Papers/Presentations/Panel Proposals Submission Deadline October 3, 2016
Workshop/Tutorials Proposals Submission Deadline October 24, 2016
Papers/Presentations/Panel Proposals Notification December 19, 2016
Demo/Poster Proposals Submission Deadline January 16, 2017
Final Paper Draft and Presenter Registration January 23, 2017


Organizing Committee

Conference Chair: Felix Freiling (Friedrich-Alexander-University)
Conference Chair: Holger Morgenstern (Albstadt-Sigmaringen University)
Conference Vice-Chair: Mariangela Biasiotti (Italian National Research Council)
Technical Program Committee Chair: Pavel Gladyshev, Ph.D. (University College Dublin)
Technical Program Committee Chair: Klaus-Peter Kossakowski (Hamburg University of Applied Sciences)
Technical Program Committee Vice Chair: Joshua James (Digital Forensic Investigation Research Laboratory, Hallym University)
Keynote Chair: Robert-Jan Mora (Royal Dutch Shell)
Keynote Chair: Eoghan Casey, Ph.D. (University of Lausanne)
Proceedings Chair: Vassil Roussev, Ph.D. (University of New Orleans)
Local and Registration Chair: Tobias Scheible (Albstadt-Sigmaringen University)
Advertising/Sponsorship: Daryl Pfeif (Digital Forensics Solutions and DFRWS)
Advertising/Sponsorship: David-Olivier Jaquet-Chiffelle (University of Lausanne)
Advertising/Sponsorship: Hans Henseler (University of Applied Sciences Leiden)
Outreach Chair: Hans Henseler (University of Applied Sciences Leiden)
Outreach Chair: Bruce Nikkel (Bern University of Applied Sciences)
Web Chair: Mark Scanlon, Ph.D. (University College Dublin)
Web Chair: Tim Vidas (Carnegie Mellon University)
Demo & Posters Chair: Thomas Gloe (dence)
Workshop Chair: Robert-Jan Mora (Royal Dutch Shell)
Workshop Chair: Eoghan Casey, Ph.D. (University of Lausanne)
Rodeo Creator: Christian Oertle (Albstadt-Sigmaringen University)

Technical Program Committee

Philip Anderson
Cosimo Anglano (Universitá del Piemonte Orientale)
Frédéric Baguelin (ArxSys)
Harald Baier (University of Applied Sciences, Darmstadt)
Endre Bangerter (Bern University of Applied Sciences)
Nicole Beebe, Ph.D. (UTSA)
Christiaan Beek
David Billard (University of Applied Sciences in Geneva)
Elias Bou-Harb (National Cyber Forensics and Training Alliance / Concordia University )
Owen Brady (King's College London)
Frank Breitinger (University of Liechtenstein)
Eoghan Casey, Ph.D. (University of Lausanne)
Ahmad Raza Cheema (National University of Sciences and Technology)
Michael Cohen (Google)
Patrick De Smet (NICC/INCC)
Mauriella Ditommaso
Jana Dittmann (Universität Magdeburg)
Reza Elgalai
Jon Evans
Felix Freiling (Friedrich-Alexander-University)
Simson Garfinkel, Ph.D. (U.S. Census Bureau)
Zeno Geradts (Netherlands Forensic Institute)
Pavel Gladyshev, Ph.D. (University College Dublin)
Thomas Gloe (dence)
Oliver Göbel (Universität Stuttgart)
Bernd Grobauer (SIEMENS AG)
Michael Gruhn (Friedrich-Alexander-Universität Erlangen-Nürnberg)
Detlef Guenther (Volkswagen AG)
Hans Henseler (University of Applied Sciences Leiden)
Mario Hildebrandt (Universität Magdeburg)
Solal Jacob (ArxSys)
Joshua James (Digital Forensic Investigation Research Laboratory, Hallym University)
David-Olivier Jaquet-Chiffelle (University of Lausanne)
Christian Keil (DFN-CERT)
Stefan Kelm (DFN-CERT)
Bruno Kerouanton
Stefan Kiltz (Universität Magdeburg)
Matthias Kirchner (Binghamton University)
Klaus-Peter Kossakowski (Hamburg University of Applied Sciences)
Christian Krätzer (Universität Magdeburg)
Volker Krummel (WINCOR Nixdorf)
Hanno Langweg (HTWG Konstanz)
Nhien An Le Khac (University College Dublin)
Timothy Leschke, Ph.D. (Johns Hopkins University)
Andrew Marrington (Zayed University)
Holger Morgenstern (Albstadt-Sigmaringen University)
Bruce Nikkel (Bern University of Applied Sciences)
Owen O'Connor
Gilbert Peterson (US Air Force Institute of Technology)
Christian Riess
Vassil Roussev, Ph.D. (University of New Orleans)
Mark Scanlon, Ph.D. (University College Dublin)
Bradley Schatz, Ph.D. (Schatz Forensic)
Tobias Scheible (Albstadt-Sigmaringen University)
Sebastian Schinzel
Martin Schmiedecker (SBA Research)
Thomas Schreck
Marko Schuba (FH Aachen)
Ahmed Shosha (University College Dublin)
Peter Sommer
Michael Spreitzenbarth (Siemens CERT)
Johannes Stüttgen (University of Erlangen-Nuremberg)
Marian Svetlik (Risk Analysis Consultants)
Jean-Philippe Teissier (CERT Société Générale)
Erik Tews
Christina Thorpe (Institute of Technology Blanchardstown)
Simon Tjoa
Philip Turner (Hewlett Packard)
Jeroen van den Bos (Netherlands Forensic Institute)
Ronald van der Knijff
Erwin van Eijk (Netherlands Forensic Institute)
Wietse Venema, Ph.D. (Google)
Tim Vidas (Carnegie Mellon University)
Claus Vielhauer (FH Brandenburg)


DFRWS EU/IMF 2017 registration includes access to all presentations, a copy of the printed proceedings, breakfasts, a welcome reception, and entrance to the famous rodeo challenge. Additionally, registered attendees may attend a banquet (including presentation of best paper awards).

Group discounts are available. If you have a group larger than four, please contact eu-registration (at) dfrws (dot) org

If you are a student in a third level graduate or postgraduate degree programme, you may qualify for a student grant covering part or all of your registration fee and/or travel expenses. Please note that travel grants are normally reserved for students presenting original research papers at the conference. For more information, please contact eu-registration (at) dfrws (dot) org. The decisions will be made by the organizing committee on a case-by-case basis considering your circumstances, provided evidence, objectives of the conference, and the available/remaining funds.

The early bird registration rate expires on February 21st. The regular rate expires on 16th March. The last minute/on-site rate begins on 17th March.

Type of RegistrationEarly BirdRegular RateOnsite Registration
Law Enforcement/Government€350€400€450


Sponsor Benefits

Sponsors of the conference will gain visibility for their companies, demonstrate their support of forensic research and development, and contribute to the success of the conference. All sponsors will have their logo listed on the DFRWS EU 2017 website with a link to their website and will be listed in the printed proceedings. They will also get recognition at specific events that they sponsor.

Details on becoming a sponsor can be found here.


Amazon - Community Leader

At Amazon, we are obsessed with customer trust. Information Security maintains this by guarding the confidentiality and integrity of Amazon and customer data. We assess risk, classify data and systems, detect potential intrusion, and render useless the value of data that may be leaked.

Our teams span over 10 countries worldwide, and our focus areas include: security intelligence, application security, incident response, security operations, risk and compliance, acquisitions and subsidiaries, and external partner security. Our mission includes instilling awareness to safeguard all customer and employee data, applications, services, and assets. To accomplish this, we unite with Amazon organizations to build security best practices into enterprise-wide systems. Our guidance and leadership equip our partners to maintain high security standards.”

We’re hiring new security talent!

Dell - Community Mentor

SecureWorks is a global provider of intelligence-driven information security solutions exclusively focused on protecting its clients from cyberattacks. SecureWorks’ solutions enable organizations to fortify their cyber defenses to prevent security breaches, detect malicious activity in real time, prioritize and respond rapidly to security breaches and predict emerging threats.

Arina - Community Builder

We are the main partner in Digital Forensics, eDiscovery and IT-Security in Europe. With our knowledge and experience we support our customers in critical situations and help to make important business decisions. Our company has the necessary resources to professionally implement comprehensive projects promptly, from the evaluation phase until completion. We are anxious to run an internationally known business providing perfect solutions for our customers' needs. It is our daily business to recognize trends early and prepare our customers against potential future risks by suggesting preventative measures to secure your data and IT infrastructure.

Our mission is to drive the industry of mobile forensics

MSAB was founded in 1984 and we have a vast experience in mobile technology. Together with pioneering law enforcement organizations we have helped create the mobile forensics industry and we are still committed to driving and leading it forward. Our task is to develop the best possible solutions for mobile forensics and our reason for being is to help our customers do their job for society.

Demo Sponsor

Compelson, in the forensics field since 1996, will present their new generation tools. The all-in-one MOBILedit Forensic Express is capable of a wide range of deleted data recovery, advanced application data analysis, multiple-device concurrent extractions, beautiful reports and huge phone base support. Free on-demand application analysis will be introduced.

Also to be presented is the pioneering digital photo analysis tool, Camera Ballistics, that matches a photo to a camera or phone, like a bullet to a gun answering the question if a photo was taken by an analyzed device. The tool uses the latest research in mathematics and physics.

Local Host Sponsor

Local Host Sponsor

Student Scholarship Sponsor

BFK edv-consulting GmbH was founded by christoph Fischer in 1990 in Karlsruhe, Germany as a spin off of the university of Karlsruhe‘s micro-Bit virus center. originating from there BFK operated the first cert in Germany and was the first full member from Europe in the First organisation (Forum for incident response and security teams). christoph Fischer was member of the board of directors at First, and co-founder of the european it-security organisation eicar.

BFK is providing support in cases of computer emergency, forensic investigation and is consulting companies in topics of it security, malware protection, network security, threat intelligence, and auditing. 

DomainTools helps security analysts turn threat data into threat intelligence. We take indicators from your network, including domains and IPs, and connect them with nearly every active domain on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure. Fortune 1000 companies, global government agencies, and leading security solution vendors use the DomainTools platform as a critical ingredient in their threat investigation and mitigation work. Learn more about how to connect the dots on malicious activity at http://www.domaintools.com or follow us on Twitter:@domaintools

Proud Publishing Partner with DFRWS