The 7th Annual DFRWS Conference was held from August 13 to 15, 2007 at the Omni William Penn Hotel in Pittsburgh, PA with local assistance from the CERT Coordination Center. Keynote speakers included Greg Hoglund (author of Rootkits: Subverting the Windows Kernel) and Ronald van der Knijff (Netherlands Forensic Institute). 17 peer-reviewed papers were presented at the conference.

The DFRWS 2007 Challenge was about data carving, a file recovery technique that is frequently used during digital investigations. Files are “carved” from the unallocated space using file type-specific information, such as footers, headers, and internal structures.

The previous DFRWS 2006 Challenge focused on carving basic file types in basic scenarios. The result was the development of new tools and techniques to carve files using more internal structure than only the header and footer values. This year, DFRWS expanded on that challenge by introducing more file types and more complex fragmentation scenarios. The goal of this challenge was to design and develop automated file carving algorithms that have high true positive and low false positive rates.

Michael Cohen won the 2007 challenge for his work on a theory of fragmentation and file mapping; he also developed dedicated validators for PDF, ZIP, MIME, HTML and MPEG. His process involved evaluating possible files against an ideal mapping model, performing interpolation when discontinuities were found, and then performing error checking on the resulting files using his validation utilities. Even though Cohen did not focus on image and office file formats, his results were still very high, with the lowest false positive score. The high quality of the results from this approach shows promise.

Conference Location:

Pittsburgh, PA United States

August 13, 2007 to August 15, 2007


Digital Forensics, Covert Monitoring, and Active Methods

Greg Hoglund | HBGary, Inc

Abstract: New methods and capabilities for collecting evidence are emerging that include live memory analysis and ongoing covert monitoring of insider threats. These methods go far beyond the tradition of hard-drive imaging or pulling data from firmware. Advanced attack capabilities such as rootkits and botnets are bringing forensics and incident response together not just for evidence collection, but also for reverse engineering to understand the threat. Software weapons are being developed that include very advanced systems to thwart detection, hide and transmit data, and resist forensics analysis. These are all modern challenges for the next generation of digital forensics. Hoglund will talk about various technology, both offensive and defensive, and share insights into the emerging problems that need to be solved.

Bio: Greg Hoglund has published a great deal of work related to reverse engineering, software exploitation, and rootkit development. He founded the website in the late 1990's to help people understand what may be the most popular and advanced backdoor technology. He has published several best-selling books on computer security. His latest book, Exploiting Online Games, takes the focus away from traditional security and into online game hacking which represents not only fun and games, but also a real underground economy in virtual property. Greg is currently CEO of HBGary, Inc, his third security start-up, and has released the product "HBGary Inspector", a program designed to reverse engineer malware using active methods (

10 Good Reasons Why You Should Shift Focus to Small Scale Digital Device Forensics

Ronald van der Knijff | Netherlands Forensic Institute

Bio: Ronald van der Knijff received his B.Sc. degree in electrical engineering in 1991 from the Rijswijk Institute of Technology. After performing military service as a Signal Officer he obtained his M.Sc. degree in Information Technology in 1996 from the Eindhoven University of Technology. Since then he has worked at the Digital Technology and Biometrics department of the Netherlands Forensic Institute as a scientific investigator. He is responsible for the embedded systems group and is also a court-appointed expert witness in this area. He is the author of the (outdated) cards4labs and TULP software and founder of the TULP2G framework. He is a visiting lecturer on ‘Cards & IT’ at the Dutch Police Academy; a visiting lecturer on ‘Smart Cards and Biometrics’ at the Masters Program ‘Information Technology’ of TiasNimbas Business School and a visiting lecturer on ‘Mobile and Embedded Device Forensics’ at the Master’s in ‘Artificial Intelligence’ of the University in Amsterdam (UvA). He wrote a chapter on embedded systems analysis in Eoghan Casey’s Handbook of Computer Crime Investigation - Forensic Tools and Technology.


Organizing Committee

Conference Chair

Brian Carrier (Basis Technology)

Technical Program

Vassil Roussev (University of New Orleans), Frank Adelstein (ATC-NY)


Golden Richard (University of New Orleans)


Wietse Venema (IBM)

Forensics Challenge

Brian Carrier (Basis Technology)

Rodeo Wrangler

Todd Shipley (SEARCH)

Local Arrangements

Matthew Geiger (CERT), Tanya Macrina (Air Force Research Lab)


Eoghan Casey (Stroz Friedberg)


Rick Smith (ATC-NY), Daryl Pfeif (Digital Forensics Solutions)


Marc Rogers (Purdue University), Dan Kalil (AFRL, Assured Information Security)

Breakout Sessions:

David Baker (MITRE)

Technical Program Committee

Florian Buchholz

James Madison University

Tom Daniels

Iowa State University

Olivier De Vel

Defence Science and Technology Organization, Australia

Knut Eckstein

European Space Agency

Jose Fernandez

Ecole Polytechnique Montreal, Canada

Dario Forte

University of Milano at Crema

Simson Garfinkel

Naval Postgraduate School

Jesse Kornblum

ManTech CFIA

Michael Losavio

University of Louisville

James Lyle


Nasir Memon

Polytechnic University

Judie Mulholland

Florida State University

Andreas Schuster

Deutsche Telekom, Germany

Eugene Spafford

Purdue University - CERIAS

Phil Turner

QinetiQ, UK


Sponsors help DFRWS to produce quality events and foster community.


WetStone software solutions support investigators and analysts engaged in cyber-crime investigations, digital forensics, and incident response activities.



A Computer Emergency Response Team is an expert group that handles computer security incidents. Alternative names for such groups include Computer Emergency Readiness Team and Computer Security Incident Response Team


Taylor & Francis

Taylor & Francis Group publishes quality peer-reviewed journals under the Routledge and Taylor & Francis imprints. The newest part of the group, Cogent OA, offers a purely open access program. Our journal content is hosted on Taylor & Francis Online, our content platform.



Elsevier is a global information analytics business that helps institutions and professionals progress science, advance healthcare and improve performance.


Air Force Research Laboratory

The Air Force Research Laboratory is a scientific research organization operated by the United States Air Force Materiel Command dedicated to leading the discovery, development


Stroz Friedberg, LLC

Stroz Friedberg is a leading global consulting firm for ... Please visit our website listed below for more services and details.
