DFRWS is the leading digital forensics research conference and the 9th annual conference was held from August 17 to 19, 2009 in Montreal, Canada. The conference was held at the Delta Centre-ville Hotel and was the week after Usenix Security.  15 peer-reviewer papers were presented as well keynotes by Zeno Geradts and Benoit Ganon.  Day 1 also featured a panel on “Technical Approaches to Large-Scale Digital Forensics” with Vassil Roussev, Golden Richard, Simson Garfinkel, and Michael Cohen.

Congratulations to Simson Garfinkel, Paul Farrell, Vassil Roussev and George Dinolt for winning the Best Paper Award for “Bringing Science to Digital Forensics with Standardized Forensic Corpora”. We would also like to congratulate Wouter van Dongen and Alain Van Hoof for winning the Forensics Challenge. Thanks to the organizing committee, program committee, and sponsors for helping to make the conference go so smoothly.

The DFRWS 2009 Challenge focused on the development of tools and techniques for analyzing Playstation 3’s (PS3s). The Playstation 3 is a powerful, Cell processor-based system that can run both its native OS (which has significant DRM features that also thwart forensic investigation) and modern versions of Linux. This challenge focused on the Linux and network aspects of PS3s, and did not touch the DRM protected data. The challenge scenario required analysis of a physical memory dump, filesystem images, and network traces involving 2 PS3’s and a Playstation Portable (PSP).

The winners of the challenge were Wouter van Dongen and Alain van Hoof at University of Amsterdam System.  Their submission provided a thorough analysis of the file system and network traffic, with some information extracted from the physical memory dump. The careful correlation of information from multiple data sources was a major strength of this submission. The results were presented in a very clear manner, and there is a particularly impressive timeline diagram.

Conference Location:

Montreal, QC Canada

Keynotes

Challenges and Opportunities in Digital and Multimedia Evidence

Zeno Geradts | Netherlands Forensic Institute

Within Digital Evidence and Multimedia sections in forensic institutes there is a wide range of research and casework that is available. Often research for the casework has to be implemented, and validation will be required at the same time, unless it is equipment from other cases in a database. In this presentation an general overview will be given of the fields within digital evidence, such as embedded systems, examinations of phones, media analysis, data analysis, image processing and integrity of the evidence.

Interpretation of digital evidence and multimedia and conclusions that are drawn are discussed also in relation to the report of the National Academy of Sciences "Strengthening Forensic Science in the United States, a path forward". Possible solutions will be discussed such as having double blind cases, collecting databases for statistical analysis, open source software for validation, concluding by Bayes rules and how to communicate these findings to the court.

Bio:Zeno Geradts is a forensic scientist working for the Netherlands Forensic Institute. He started in 1991 in traditional forensic science, becoming an expert in toolmarks and firearms forensics. In 1997 he shifted his attention to digital evidence. He is an expert witness in image analysis and biometrics (face comparison) as well as the R&D coordinator in digital evidence at NFI. In 2002 he received a PhD from the University of Utrecht based on research on computational matching of images from shoe prints, toolmarks, drugs pills and cartridge cases. At the AAFS he has been chairman of the Engineering Section and since 2008 he is chairman of the Digital Evidence and Multimedia section. He is chairman of the ENFSI Forensic IT working group. He has published several papers in forensic journals and is active on casework as an expert witness and working on projects in digital evidence.

Who are they? Understanding computer hackers

Benoît Gagnon | Chaire du Canada en Sécurité, Identité et Technologie

In February 2008, the Sûreté du Quebec uncovered a network of computer hackers from Quebec that were herding botnets for criminal purposes. Called Operation "Basique", this investigation went on for several months and collected an important quantity of information on their modi operandi. What can we learn from the data obtained in this investigation? This presentation will expose the results of our research exploiting this data. We will be able to see how the bot herders operate, how they conceive the World and how personal relationships influence their actions

Bio:Benoît Gagnon is a Ph.D. candidate in Criminology at the University of Montreal. He works as a research fellow at the Chaire du Canada en Sécurité, Identité et Technologie and at the Terrorism and Counter-terrorism Research Group on areas such as cybercrime, terrorism and security. M. Gagnon is a member of the Commission de l'Éthique de la Science et de la Technologie du Québec, the Computer Security Institute, the Canadian Association for Security and Intelligence Studies, the International Association for Counterterrorism and Security Professionals, and the American Society for Industrial Security (ASIS).

Committees

Organizing Committee

Conference Chair

Brian Carrier, PhD (Basis Technology)

Conference Vice Chair

Eoghan Casey (Johns Hopkins University)

Technical Program

Wietse Venema, PhD (IBM) and Andreas Schuster (Deutsche Telekom AG)

Local Arrangements

Jose Fernandez, PhD (Ecole Polytechnique de Montreal)

Registration

Dave Baker (MITRE)

Keynote

Florian Buchholz, PhD (James Madison University)

Proceedings

Vassil Roussev, PhD (University of New Orleans)

Advertising / Sponsorship

Daryl Pfeif (Digital Forensics Solutions)

Finances

Rick Smith (ATC-NY)

Challenge:

Golden Richard, PhD (University of New Orleans)

Workshops:

Frank Adelstein, PhD (ATC-NY)

At Large

Matthew Geiger (CERT)

Technical Program Committee

Frank Adelstein

ATC-NY

Cory Altheide

Mandiant

David Baker

MITRE

Nicole Beebe

University of Texas at San Antonio

Richard Bejtlich

General Electric

Florian Buchholz

James Madison University

Brian Carrier

Basis Technology

Harlan Carvey

IBM ISS

Eoghan Casey

Johns Hopkins University

Michael Cohen

Australian Federal Police

Heather Dussault

State University of New York Institute of Technology

Knut Eckstein

European Space Agency

Jose Fernandez

Ecole Polytechnique de Montreal

Dario Forte

University of milano at Crema

Simson Garfinkel

Naval Postgraduate School

Matthew Geiger

CERT

Grant Gottfried

MITRE

Yong Guan

Iowa State University

Warren Harrison

Portland State University

Rob Joyce

ATC-NY

Erin Kenneally

University of California San Diego

Jesse Kornblum

ManTech

Brian Levine

University of Massachusetts

Michael Losavio

University of Louisville

James Lyle

NIST

Chester Maciag

Air Force Research Lab

Nasir Memon

Polytechnic University

Richard Mislan

Purdue University

Timothy Morgan

Virtual Security Research LLC

Gilbert Peterson

Air Force Institute of Technology

Wei Ren

China University of Geosciences

Golden Richard

University of New Orleans

Marcus Rogers

Purdue University

Vassil Roussev

University of New Orleans

Nicolas Ruff

EADS-IW

Bradley Schatz

Queensland University of Technology

Andreas Schuster

Deutsche Telekom AG

Kulesh Shanmugasundaram

Polytechnic University

Clay Shields

Georgetown University

Eugene Spafford

Purdue University

Philip Turner

QinetiQ

Wietse Venema

IBM Research

AAron Walters

Volatile Systems LLC

Doug White

Roger Williams University

Sponsors

Sponsors help DFRWS to produce quality events and foster community. Please consider supporting our cause. http://www.dfrws.org/sponsorship-opportunities

WetStone

WetStone software solutions support investigators and analysts engaged in cyber-crime investigations, digital forensics, and incident response activities.

Learn More

Access Data

Need to mitigate risk or ensure compliance? AccessData's targeted, forensically sound collection, preservation, hold, processing and data assessment tools .

Learn More

CERT

A Computer Emergency Response Team is an expert group that handles computer security incidents. Alternative names for such groups include Computer Emergency Readiness Team and Computer Security Incident Response Team

Learn More

Taylor & Francis

Taylor & Francis Group publishes quality peer-reviewed journals under the Routledge and Taylor & Francis imprints. The newest part of the group, Cogent OA, offers a purely open access program. Our journal content is hosted on Taylor & Francis Online, our content platform.

Learn More

forensic-validation.com

Validation refers to the process of demonstrating that a laboratory procedure is robust, reliable, and reproducible in the hands of the personnel performing the test in that laboratory. ... All three types of methods are important for techniques performed in forensic laboratories.

Learn More