DFRWS EU 2017 was held March 21-23, 2017 in Überlingen, Lake Constance, Germany. Überlingen is a city on the northern shore of Lake Constance (Bodensee). The conference venue is the Parkhotel St. Leonhard, Überlingen. DFRWS EU 2017 is co-located with the 10th International Conference on IT Security Incident Management & IT Forensics (IMF 2017).

This year brings together two premier research conferences in Europe, the DFRWS digital forensics conference (DFRWS EU 2017) and the 10th International Conference on IT Security Incident Management & IT Forensics (IMF 2017). 12 peer-reviewed research papers were published in a special issue of Digital Investigation Journal. There were 4 featured keynote addresses, 6 workshops, and a reception at Sigmaringen Castle.

The Best Paper Award went to “Improving the Reliability of Chip-Off Forensic Analysis of NAND Flash Memory Devices” by Aya Fukami, Saugata Ghose, Yixin Luo, Yu Cai, and Onur Mutlu.


DFRWS EU/IMF 2017 is organised in cooperation with the German Informatics Society and its Special Interest Group SIDAR.

Conference Location:

Parkhotel St. Leonhard, Lake Constance, Germany

March 21, 2017 to March 23, 2017


Developments in the threat landscape, how to mitigate the risks of targeted attacks?

Freddy Dezeure | CERT-EU

Freddy Dezeure graduated as Master of Science in Engineering in 1982. He was CIO of a private company from 1982 until 1987. After joining the European Commission, he held a variety of management functions in administrative, financial and operational areas, in particular in information technology. He set up the CERT for the EU institutions, agencies and bodies in 2011 and has been Head of CERT-EU since then. He is a frequent keynote speaker at international conferences.

21st Century Bank Robberies: How modern criminals attack financial institutions

Patrick Lodder | SWIFT

Patrick Lodder is a Lead Security Management Specialist in SWIFT’s Customer Security Intelligence team. The Customer Security Intelligence team supports customers with forensic cyber investigations and with the analysis of compromised customer systems. The results of these investigations, combined with the analysis of threat intelligence specifically related to SWIFT customers, are used to inform users on how they can better protect their local infrastructure against cyber-attacks.

Patrick studied Software Engineering in Utrecht, the Netherlands. He joined SWIFT in 2005 where he held various positions within the EMEA Services & Support division, and was responsible for Implementation and Support of SWIFT's software and services in banks across Europe, the Middle East and Africa.


They Are Coming To Get You For A Wrongful Conviction

Peter van Koppen of VU University Amsterdam

Peter van Koppen JD is a psychologist and full professor of Legal Psychology at the Faculty of Law of VU University Amsterdam.

Peter van Koppen is a member of the Royal Holland Society of Sciences and Humanities. He is editor of the international journal Psychology, Crime, and Law (since 1992). He is a member of the Governing Board of the Netherlands Register of Court Experts.

Van Koppen has published, in addition to some 35 books, 125 articles and 100 chapters in edited volumes, many on legal psychology, but also on the quality of evidence and the misbehaviour of police, prosecution and judges.

Van Koppen has served as an expert witness in more than 450 cases. In 2014 he was awarded the Tom Williamson Award for lifetime achievement by the International Investigative Interviewing Research Group, iIIRG. In 2016 he received the Lifetime Achievement Award of the European Association of Psychology and Law (EAPL).

IT-Forensic challenges in ensuring the rule of law – not only in cyberspace

Martin Lühning of Baden-Württemberg State Bureau of Investigation

Martin Lühning is Head of the Division of Digital Traces at the Baden-Württemberg State Bureau of Investigation. In his prior position, he led the Economic Crime Investigation Division of the Stuttgart Police Department. His expertise includes investigation of Organized Crime, Narcotics, and Economic Crime with specialization in Digital Traces. His extensive practical experience with digital evidence and criminal investigation gives him a unique perspective of the emerging challenges for law enforcement in this area.

This year brings together two premier research conferences in Europe, the DFRWS digital forensics conference (DFRWS EU 2017) and the International Conference on IT Security Incident Management & IT Forensics (IMF 2017).

Established in 2001, DFRWS has become the premier digital forensics conference, dedicated to solving real world challenges, and pushing the envelope of what is currently possible in digital forensics.

Since 2003, IMF has established itself as one of the premier venues for presenting research on IT security incident response and management and IT forensics. While the first IMF conference was organized to establish a research forum for German-speaking researchers and practitioners from the field, it soon became an international conference attracting many experts across Europe. IMF 2017, being the 10th conference, is also an important milestone in bringing the two worlds of IT security incident response and management and forensics together.

Both DFRWS and IMF organise informal collaborative environments each year that bring together leading researchers, practitioners, industry, tool developers, academics, law enforcement, and other government bodies from around the globe to tackle current and emerging challenges in their fields.

The co-hosting of the two events will help generate new discussions and ideas by bringing together two strong research communities: DFRWS’s community encompassing a broad range of topics in digital forensics, and IMF’s community focusing on IT security incident response and management.

The proceedings of DFRWS EU / IMF 2017 will be published in a special open-access issue of Elsevier’s Digital Investigation journal, and will be freely available on the DFRWS website.

Possibilities to contribute:

In recent years, DFRWS and IMF conferences have added practitioner presentations and hands-on tutorials/workshops taught by leading experts in the fields. Presentations are opportunities for industry researchers and practitioners who do not have the time to write a paper, but who have forensics information and experiences that would be of interest to DFRWS / IMF attendees. Presentation proposals undergo a light reviewing process to filter out sales pitches and ensure the topic is relevant to our audience.

We invite original contributions as research papers, non-research practitioner presentations, tutorials/workshops, panels, demos, and posters on the following topics in digital forensics and IT security incident response and management:

IT Security Incident Management

  • Incident management standardization, metrics and life cycle
  • Incident management formats and protocols
  • Incident response and/or Vulnerability response workflows, procedures and tools
  • Incident analysis including live analysis
  • Research in incident management and related processes
  • Development of tools supporting incident management processes
  • Exchange of cyber threat intelligence
  • Sharing of data/information about threats, attacks, incidents, etc.
  • Setup of cyber defense entities including but not limited to: CSIRTs, PSIRTs, ISACs, SOCs and any other organization specialising in (some) IT security incident management processes
  • Maturity of such cyber defense entities
  • Warning of large scale communities about upcoming threats or detected vulnerabilities
  • Ensuring situational awareness and early warning
  • Mandatory vs. discretionary attack / incident / vulnerability reporting
  • Non-traditional incident management scenarios and approaches (e.g. vehicles, control systems, and SCADA)

Digital Forensics

  • “Big data” approaches to forensics, including data collection, data mining, and large scale visualization
  • Research and development of tools supporting digital forensics
  • Digital forensic laboratories and other organizations specialising in digital forensic science
  • Addressing forensic challenges of systems-on-a-chip
  • Anti-forensics and anti-anti-forensics
  • Bridging the gap between analog and digital traces/evidence/investigators
  • Case studies and trend reports
  • Data hiding and discovery
  • Data recovery and reconstruction
  • Database forensics
  • Digital evidence and the law
  • Digital evidence storage and preservation
  • Digital evidence and open source intelligence analysis
  • Event reconstruction methods and tools
  • Impact of digital forensics on forensic science
  • Interpersonal communications and social network analysis
  • Malware and targeted attacks: analysis, attribution
  • Memory analysis and snapshot acquisition
  • Mobile and embedded device forensics
  • Multimedia forensic analysis
  • Network and distributed system forensics
  • Non-traditional forensic scenarios and approaches (e.g. vehicles, control systems, and SCADA)
  • Storage forensics, including file system and Flash
  • Tool testing and development
  • Triage, prioritization, automation: efficiently processing large amounts of data in digital forensics
  • Typology of digital traces
  • Virtualized environment forensics, with specific attention to the cloud and virtual machine introspection

The above list is only suggestive. We welcome new, original ideas from people in academia, industry, government, and law enforcement who are interested in sharing their results, knowledge, and experience. Authors are encouraged to demonstrate the applicability of their work to practical issues. Questions about submission topics can be sent via email to: eu-papers (at) dfrws (dot) org


RESEARCH PAPERS: Research papers must be original contributions, not duplicate previous work (including the authors’ own), and must not be under simultaneous publication review elsewhere. The review process will be “double-blind” (reviewers will not know who the authors are, and authors will not know who the reviewers are). Therefore, the version submitted for review should not contain the names or affiliations of the authors. When referring to their own previous work, authors should use the third person instead of the first person (i.e. “Smith and Jones [2] previously determined…” instead of “We [2] previously determined…”).

Papers must be written in English and should not exceed 10 single-spaced, two-column pages with 1 inch margins and 10pt font. Papers should be submitted as PDF files. Accepted papers will be required to utilize the provided Microsoft Word template or Elsevier’s LaTeX template (elsarticle class with the “5p” option). Authors are encouraged to use these templates for the submission version as well. After using the templates, do not forget to remove authors’ names and other revealing information for double-blind submission.

Authors are expected to present their work in person at the conference. At least one registration per paper is required in order to be included in the proceedings. Authors shall register for the conference prior to submitting their final draft for publication. At the conference, authors of accepted papers will be given 25 minutes to present their work, followed by 5 minutes of questions.

Research papers must be submitted through the EasyChair site at https://easychair.org/conferences/?conf=dfrwseu2017. Submissions must be in Adobe Acrobat PDF format. Send any questions about research paper submissions to eu-papers (at) dfrws (dot) org.

PANEL PROPOSALS: These should be one to three pages and clearly describe the topic, its relevance, and a list of potential panelists and their biographies. Panels will be evaluated based on the topic relevance and diversity of the panelists.

Panel proposals must be emailed to eu-panels (at) dfrws (dot) org in PDF or plain text format.

NON-RESEARCH PRACTITIONER PRESENTATIONS: DFRWS EU / IMF 2017 is soliciting proposals for 15-minute presentations that showcase forensics experiences of interest to DFRWS attendees, including (but not limited to) case studies and advances in user interface, real-time analysis, and triage. Presentation proposals are not included in the printed proceedings and should not be anonymized. Presentation proposals only undergo a light reviewing process to make sure they are of interest to the community. Sales pitches will not be accepted. Presentation proposals are in the form of an abstract (150-300 words) in PDF format. At least one author is expected to register and present their work in person at the conference. Presenters will be given 15 minutes, followed by 5 minutes of questions. Presentation duration will be strictly enforced.

Presentation proposals must be submitted through the EasyChair site at https://easychair.org/conferences/?conf=dfrwseu2017. Submissions must be in Adobe Acrobat PDF format. Send any questions about presentation proposal submissions to eu-papers (at) dfrws (dot) org.

DEMO OR POSTER PROPOSALS: DFRWS EU / IMF 2017 welcomes demonstrations or posters of proof of concept and research-based tools. Proposals should describe the tool, its relevance to the forensics field, and space/equipment needs (e.g., table size, power, networking, etc.).

Demo or poster proposals must be emailed to eu-demos (at) dfrws (dot) org in PDF or plain text format.

WORKSHOP PROPOSALS: DFRWS EU / IMF 2017 offers an expanded opportunity to present half-day or full-day workshops and vendor-agnostic tutorial sessions. Tutorial/workshop proposals must be emailed to eu-workshops (at) dfrws (dot) org in PDF or plain text format.

LIGHTNING TALKS: Conference attendees are invited to present parts of their ongoing work or open research questions for 5 minutes. Registration for lightning talks is possible at the conference.


DFRWS continues its outreach to students studying digital forensics. This year DFRWS will be offering an award with a cash prize to the best student paper. A student paper is any paper in which the majority of the work was performed and the paper written by full-time students at an accredited university, college, or high school.

A limited number of scholarships may be awarded to students presenting a paper at the conference. The intent is to help alleviate the financial burden due to the cost of hotel expenses and conference registration.


October 6, 2016 Papers/Presentations/Panel Proposals Submission Deadline
October 24, 2016 Workshop/Tutorials Proposals Submission Deadline
December 19, 2016 Papers/Presentations/Panel Proposals Notification
January 16, 2017 Demo/Poster Proposals Submission Deadline
January 23, 2017 Final Paper Draft and Presenter Registration


Organizing Committee

Conference Chair

Holger Morgenstern (Albstadt-Sigmaringen University)

Conference Chair

Felix Freiling (Friedrich-Alexander-University)

Conference Vice-Chair

Mariangela Biasiotti (Italian National Research Council)

Technical Program Committee Chair

Pavel Gladyshev, Ph.D. (University College Dublin)

Technical Program Committee Chair

Klaus-Peter Kossakowski (Hamburg University of Applied Sciences)

Technical Program Committee Vice Chair

Joshua James (Digital Forensic Investigation Research Laboratory, Hallym University)

Keynote Chair

Robert-Jan Mora (Royal Dutch Shell)

Keynote Chair

Eoghan Casey, Ph.D. (University of Lausanne)

Proceedings Chair

Vassil Roussev, Ph.D. (University of New Orleans)

Local and Registration Chair

Tobias Scheible (Albstadt-Sigmaringen University)


Daryl Pfeif (Digital Forensics Solutions and DFRWS)


David-Olivier Jaquet-Chiffelle (University of Lausanne)


Hans Henseler (University of Applied Sciences Leiden)

Outreach Chair

Hans Henseler (University of Applied Sciences Leiden)

Outreach Chair

Bruce Nikkel (Bern University of Applied Sciences)

Web Chair

Mark Scanlon, Ph.D. (University College Dublin)

Web Chair

Tim Vidas (Carnegie Mellon University)

Demo & Posters Chair

Thomas Gloe (dence)

Workshop Chair

Robert-Jan Mora (Royal Dutch Shell)

Workshop Chair

Eoghan Casey, Ph.D. (University of Lausanne)

Rodeo Creator

Christian Oertle (Albstadt-Sigmaringen University)

Technical Program Committee

Philip Anderson

Cosimo Anglano

Università del Piemonte Orientale

Frédéric Baguelin


Harald Baier

University of Applied Sciences, Darmstadt

Endre Bangerter

Bern University of Applied Sciences

Nicole Beebe, Ph.D.


Christiaan Beek

David Billard

University of Applied Sciences in Geneva

Elias Bou-Harb

National Cyber Forensics and Training Alliance / Concordia University

Owen Brady

King's College London

Frank Breitinger

University of New Haven

Eoghan Casey, Ph.D.

University of Lausanne

Ahmad Raza Cheema

National University of Sciences and Technology

Michael Cohen


Patrick De Smet


Mauriella Ditommaso

Jana Dittmann

Universität Magdeburg

Reza Elgalai

Jon Evans

Felix Freiling


Simson Garfinkel, Ph.D.

U.S. Census Bureau

Zeno Geradts

Netherlands Forensic Institute

Pavel Gladyshev, Ph.D.

University College Dublin

Thomas Gloe


Oliver Göbel

Universität Stuttgart

Bernd Grobauer


Michael Gruhn

Friedrich-Alexander-Universität Erlangen-Nürnberg

Detlef Guenther

Volkswagen AG

Hans Henseler

University of Applied Sciences Leiden

Mario Hildebrandt

Universität Magdeburg

Solal Jacob


Joshua James

Digital Forensic Investigation Research Laboratory, Hallym University

David-Olivier Jaquet-Chiffelle

University of Lausanne

Christian Keil


Stefan Kelm


Bruno Kerouanton

Stefan Kiltz

Universität Magdeburg

Matthias Kirchner

Binghamton University

Klaus-Peter Kossakowski

Hamburg University of Applied Sciences

Christian Krätzer

Universität Magdeburg

Volker Krummel

WINCOR Nixdorf

Hanno Langweg

HTWG Konstanz

Nhien An Le Khac

University College Dublin

Timothy Leschke, Ph.D.

Johns Hopkins University

Andrew Marrington

Zayed University

Holger Morgenstern

Albstadt-Sigmaringen University

Bruce Nikkel

Bern University of Applied Sciences

Owen O'Connor

Gilbert Peterson

US Air Force Institute of Technology

Vassil Roussev, Ph.D.

University of New Orleans

Christian Riess

Mark Scanlon, Ph.D.

University College Dublin

Bradley Schatz, Ph.D.

Schatz Forensic

Tobias Scheible

Albstadt-Sigmaringen University

Sebastian Schinzel

Martin Schmiedecker

SBA Research

Thomas Schreck

Marko Schuba

FH Aachen

Ahmed Shosha

University College Dublin

Peter Sommer

Michael Spreitzenbarth

Siemens CERT

Johannes Stüttgen

University of Erlangen-Nuremberg

Marian Svetlik

Risk Analysis Consultants

Jean-Philippe Teissier

CERT Société Générale

Erik Tews

Christina Thorpe

Institute of Technology Blanchardstown

Simon Tjoa

Philip Turner

Hewlett Packard

Jeroen van den Bos

Netherlands Forensic Institute

Ronald van der Knijff

Erwin van Eijk

Netherlands Forensic Institute

Wietse Venema, Ph.D.


Claus Vielhauer

FH Brandenburg

Tim Vidas

Carnegie Mellon University


DFRWS EU/IMF 2017 registration includes access to all presentations, a copy of the printed proceedings, breakfasts, a welcome reception, and entrance to the famous rodeo challenge. Additionally, registered attendees may attend a banquet (including presentation of best paper awards).

Group discounts are available. If you have a group larger than four, please contact eu-registration (at) dfrws (dot) org

If you are a student in a third level graduate or postgraduate degree programme, you may qualify for a student grant covering part or all of your registration fee and/or travel expenses. Please note that travel grants are normally reserved for students presenting original research papers at the conference. For more information, please contact eu-registration (at) dfrws (dot) org. The decisions will be made by the organizing committee on a case-by-case basis considering your circumstances, provided evidence, objectives of the conference, and the available/remaining funds.


Sponsors help DFRWS to produce quality events and foster community.

Information about sponsorship opportunities is available at: http://www.dfrws.org/sponsorship-opportunities

Amazon - Community Leader

At Amazon, we are obsessed with customer trust. Information Security maintains this by guarding the confidentiality and integrity of Amazon and customer data. We assess risk, classify data and systems, detect potential intrusion, and render useless the value of data that may be leaked. Our teams span over 10 countries worldwide, and our focus areas include: security intelligence, application security, incident response, security operations, risk and compliance, acquisitions and subsidiaries, and external partner security. Our mission includes instilling awareness to safeguard all customer and employee data, applications, services, and assets. To accomplish this, we unite with Amazon organizations to build security best practices into enterprise-wide systems. Our guidance and leadership equip our partners to maintain high security standards. We’re hiring new security talent!


Dell - Platinum Sponsor

SecureWorks is a global provider of intelligence-driven information security solutions exclusively focused on protecting its clients from cyberattacks. SecureWorks’ solutions enable organizations to fortify their cyber defenses to prevent security breaches, detect malicious activity in real time, prioritize and respond rapidly to security breaches and predict emerging threats.


Our mission is to drive the industry of mobile forensics

MSAB was founded in 1984 and we have a vast experience in mobile technology. Together with pioneering law enforcement organizations we have helped create the mobile forensics industry and we are still committed to driving and leading it forward. Our task is to develop the best possible solutions for mobile forensics and our reason for being is to help our customers do their job for society.


Demo Sponsor

Compelson, in the forensics field since 1996, will present their new generation tools. The all-in-one MOBILedit Forensic Express is capable of a wide range of deleted data recovery, advanced application data analysis, multiple-device concurrent extractions, beautiful reports and huge phone base support. Free on-demand application analysis will be introduced. Also to be presented is the pioneering digital photo analysis tool, Camera Ballistics, that matches a photo to a camera or phone, like a bullet to a gun, answering the question if a photo was taken by an analyzed device. The tool uses the latest research in mathematics and physics.


Arina - Community Builder

We are the main partner in Digital Forensics, eDiscovery and IT-Security in Europe. With our knowledge and experience we support our customers in critical situations and help to make important business decisions. Our company has the necessary resources to professionally implement comprehensive projects promptly, from the evaluation phase until completion. We are anxious to run an internationally known business providing perfect solutions for our customers' needs. It is our daily business to recognize trends early and prepare our customers against potential future risks by suggesting preventative measures to secure your data and IT infrastructure.


Student Scholarship Sponsor

BFK edv-consulting GmbH was founded by Christoph Fischer in 1990 in Karlsruhe, Germany as a spin-off of the University of Karlsruhe’s Micro-Bit Virus Center. Originating from there, BFK operated the first CERT in Germany and was the first full member from Europe in the FIRST organisation (Forum for Incident Response and Security Teams). Christoph Fischer was a member of the board of directors at FIRST, and co-founder of the European IT security organisation EICAR. BFK is providing support in cases of computer emergency, forensic investigation and is consulting companies in topics of IT security, malware protection, network security, threat intelligence, and auditing.



DomainTools helps security analysts turn threat data into threat intelligence. We take indicators from your network, including domains and IPs, and connect them with nearly every active domain on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure. Fortune 1000 companies, global government agencies, and leading security solution vendors use the DomainTools platform as a critical ingredient in their threat investigation and mitigation work. Learn more about how to connect the dots on malicious activity at https://www.domaintools.com or follow us on Twitter: @domaintools


Proud Publishing Partner with DFRWS
