The 2017 USA DFRWS Conference was held in Austin, TX from August 6-9, 2017.  It was an action packed 4 days with keynotes from Kara Nance and Brian Hay, 13 peer-reviewed papers, 9 presentations from industry, and 4 workshops.  The evenings held the traditional Forensics Rodeo and a river cruise replaced the traditional banquet.

The 2017 Best Paper award went to “Extending The Sleuth Kit and its Underlying Model for Pooled Storage File System Forensic Analysis Paper” by Jan-Niclas Hilgert, Martin Lambertz, and Daniel Plohmann.

The 2017 Best Student Paper went to “Carving Database Storage to Detect and Trace Security Breaches” by James Wagner (DePaul University), Alexander Rasin (DePaul University), Boris Glavic, Karen Heart, Jacob Furst, Lucas Bressan, and Jonathan Grier (Grier Forensics).

Conference Location:

Austin, TX United States

August 6, 2017 to August 9, 2017


Visualizing Forensic Datasets to Develop Mitigation Strategies

Kara Nance | Virginia Tech

ABSTRACT: Mitigating threat is an approachable task after the threat-related behaviors have been identified. The situation is much more challenging when you are not sure what you are looking for. The human mind is highly adept at quickly identifying visual anomalies in large datasets. As part of a defense-in-depth strategy, these human pattern recognition capabilities can be applied to drive the evolution and refinement of threat identification and detection mechanisms. This presentation investigates the application of visualization combined with human abductive reasoning, with the initial goal of identifying some behavioral characteristics associated with a type of card-present fraud. It then demonstrates the behavioral characteristics in a digital forensics context, extends the concepts to other domains, and demonstrates how this knowledge can be used to guide the evolution of analytical tools to help protect our digital assets.

Digital Forensics When Everything is Virtual

Brian Hay |

Virtualization has long been a fundamental part of the IT landscape but is no longer confined to virtual machines running as servers in the data center, or as a tool for developer or researcher workstations. Virtualization is now embedded in almost everything we think of as a computer and is becoming commonplace in networking, storage, and mobile devices. This talk aims to provide an understanding of the scope of modern virtualization, where the challenges lie today, how the technology may evolve in the future, and the implications this has for the digital forensics community.


We invite contributions in five categories: research papers, presentation proposals, panel proposals, workshop proposals, and demo proposals.

RESEARCH PAPERS undergo double-blinded, peer review, and are published by Elsevier in a special issue of Digital Investigation.

PRESENTATIONS, POSTERS, and DEMOS undergo a light review process to select presentations of maximal interest to DFRWS attendees and filter out sales pitches. Presentation proposals must specify their target length from the following options: 20 minutes, 120 minutes (2 hours), or 240 minutes (4 hours). Note, 2-4 hour presentations are referred to as ‘workshops’ described below.

WORKSHOPS can be several hours or full day, and typically include hands-on participation by attendees, allowing for an in-depth, detailed exploration of tools and techniques of interest to DFRWS attendees. Workshops can and they can cover state-of-the-art research projects, useful tips, and techniques for standard tools, or most anything that DFRWS attendees would consider beneficial. While commercial tools can be used, these workshops or tutorials should NOT be thinly-veiled commercial advertisements.

DFRWS will provide one free conference registration for each tutorial and workshop accepted.

Student award and student scholarship program

DFRWS continues its outreach to students studying digital forensics. DFRWS and its sponsors will award one or more Student Travel Scholarships each year. One scholarship will be awarded to the Best Student Research Paper awardee. More travel scholarships may be awarded, depending on sponsorship funding each year. Exact award amounts will vary but are estimated to be between $1,000-$1,500 per award. DFRWS will notify the recipient of the Best Student Research Paper award on or before the conference registration deadline. Other awards (e.g. industry-sponsored awards for research in specific topic areas) may be awarded after the registration deadline and are fully contingent on scholarship sponsorship by industry each year. Refer below for further details regarding eligibility, funding, and selection.

ELIGIBILITY: Students must be co-authors on research paper submissions—presentation session presenters and poster presenters are not eligible. The student recipient of the Best Student Research Paper award must be the lead author on the paper being awarded. Student recipients of other travel scholarships (i.e. research paper awards on specific topics of interest funded by industry sponsors) must be co-authors, but they need not be lead authors. Awarded students must be the presenter of the paper for which the award was given at the conference.

FUNDING: Students must register (and pay the registration fee) for the conference and cover all travel expenses. The travel scholarships will be dispersed at the conference to reimburse student travel costs.

SELECTION: Student travel scholarship recipients will be selected by a student scholarship committee, consisting of DFRWS Organizing Committee members, DFRWS Board of Directors, and/or industry scholarship sponsors. Award recipients will be selected based on research paper quality (contribution and writing), student contribution to the paper (authorship position), and research topic.

APPLY: Write a letter to that includes:
– Which paper they authored
– What their author position is
– Whether they will present their paper
– An explanation of why they should receive a scholarship.

Topics of Interest

  • Memory analysis and snapshot acquisition
  • Storage forensics, including solid state
  • “Big data” forensics, related to the collection, analysis, and visualization
  • Incident response and live analysis
  • Forensics of cloud and virtualized environments
  • Malware and targeted attacks (analysis and attribution)
  • Network and distributed system forensics
  • Event reconstruction methods and tools
  • Mobile and embedded device forensics
  • Digital evidence storage and preservation
  • Data recovery and reconstruction
  • Multimedia analysis
  • Database forensics
  • Tool testing and development
  • Digital evidence and the law
  • Case studies and trend reports
  • Data hiding and discovery
  • Anti-forensics and anti-anti-forensics
  • Interpersonal communications and social network analysis
  • Non-traditional forensic scenarios and approaches (e.g. vehicles, Internet of Things, industrial control systems, and SCADA)
  • Archival preservation & reconstruction

The above list is only suggestive. We welcome new, original ideas from people in academia, industry, government, and law enforcement who are interested in sharing their results, knowledge, and experience. Authors are encouraged to demonstrate the applicability of their work to practical issues. Questions about submission topics can be sent via email to

Click Here For Proposal Requirements


February 1, 2017 Submission Deadline - Research Papers
March 31, 2017 Submission Deadline - Presentations
March 31, 2017 Workshop/Tutorial Proposal Deadline
March 31, 2017 Submission Deadline - Posters/Demos (with abstract to be included in printed proceedings)
April 19, 2017 Presenter Registration - - Research Papers, Presentations & Posters/Demos with abstract
June 15, 2017 Presenter Registration - Workshop Presenter
June 25, 2017 Early Bird Registration
June 10, 2017 Hotel Discount Ends (EXTENDED!)


Organizing Committee

Conference Chair

Elizabeth Schweinsberg (Facebook)

Conference Vice Chair

Frank Adelstein, Ph.D. (NFA Digital)

Program Chair

Bradley Schatz, Ph.D. (Schatz Forensic)

Program Vice Chair

Josiah Dykstra, Ph.D. (National Security Agency)

Event Management/Production

Daryl Pfeif (Digital Forensics Solutions and DFRWS)


Mark Guido (The MITRE Corporation)

Forensic Rodeo

Matthew Geiger (Qintel)


Golden Richard III, Ph.D. (Louisiana State University)


Tim Vidas (Carnegie Mellon University)

Workshop Chair

Vico Marziale, Ph.D. (BlackBag Technologies)

Workshop Vice Chair

Wietse Venema, Ph.D. (Google)


Alex Nelson, Ph.D. (NIST)


Daryl Pfeif (Digital Forensics Solutions and DFRWS)

Industry Outreach

Andrew Case (Volexity)

Academia Outreach

Nicole Beebe, Ph.D. (UTSA)

EU Coordination Chair and Forensic Challenge

Eoghan Casey, Ph.D. (University of Lausanne)


David Baker (DFRWS)


Rick Smith (ATC-NY)


Daryl Pfeif (Digital Forensics Solutions and DFRWS)

Local Host

Matthew Geiger (Qintel)

At Large Member

Vassil Roussev, Ph.D. (University of New Orleans)

Technical Program Committee

Josiah Dykstra, Ph.D.

National Security Agency

Bradley Schatz, Ph.D.

Schatz Forensic

Frank Adelstein

NFA Digital

Ibrahim Baggili

University of New Haven

David Baker


Nicole Beebe, Ph.D.


Robert Beverly, Ph.D.

Naval Postgraduate School

Frank Breitinger

University of New Haven

Florian Buchholz

James Madison University

Lorenzo Cavallaro

Royal Holloway

Michael Cohen


Jedidiah Crandall

University of New Mexico

Rinku Dewri

University of Denver

Sarah Edwards

SANS Institute

Simson Garfinkel, Ph.D.

U.S. Census Bureau

Zeno Geradts

Netherlands Forensic Institute

Paul Giura

AT&T Security Research Center

Cory Hall


Chris Hargreaves

University of Oxford

Andrea Lanzi

Universita` degli studi di Milano

Timothy Leschke, Ph.D.

Johns Hopkins University

Zhiqiang Lin

The Ohio State University

David Loveall


Andrew Marrington

Zayed University

Vico Marziale, Ph.D.

BlackBag Technologies

Alex Nelson, Ph.D.


Erika Noerenberg

Carbon Black

Fernando Perez-Gonzalez

Universidad de Vigo

Gilbert Peterson

US Air Force Institute of Technology

Tu-Tach Quach

Sandia National Laboratories

Golden Richard III, Ph.D.

Louisiana State University

Vassil Roussev, Ph.D.

University of New Orleans

Neil Rowe

Naval Postgraduate School

Andreas Schuster

BFK edv-consulting GmbH

Elizabeth Schweinsberg


Kathryn Seigfried-Spellar

Purdue University

Clay Shields

Georgetown University

Jill Slay

La Trobe University

Joe Sylve, Ph.D.

BlackBag Technologies

Wietse Venema, Ph.D.


Tim Vidas

Carnegie Mellon University

Andrew White

Dell Secureworks

Junyuan Zeng

The University of Texas at Dallas


DFRWS USA 2017 registration includes access to all presentations, a copy of the printed proceedings, breakfasts, a welcome reception, and entrance to the famous rodeo challenge. Additionally, registered attendees may attend a banquet (including presentation of best paper awards).

Group discounts are available. If you have a group larger than four, please contact

If you are a student in a third level graduate or postgraduate degree program, you may qualify for a student grant covering part or all of your registration fee and/or travel expenses. Please note that travel grants are normally reserved for students presenting original research papers at the conference. For more information, please contact The decisions will be made by the organizing committee on a case-by-case basis considering your circumstances, provided evidence, objectives of the conference, and the available/remaining funds.

Early bird registration ends June 25th.


Sponsors help DFRWS to produce quality events and foster community. Click a logo to learn more about the sponsor.

Information about sponsorship opportunities is available at:

Dell - Platinum Sponsor

Secure Works is a global provider of intelligence-driven information security solutions exclusively focused on protecting its clients from cyber attacks. Secure Works’ solutions enable organizations to fortify their cyber defenses to prevent security breaches, detect malicious activity in real time, prioritize and respond rapidly to security breaches and predict emerging threats.

Learn More

Access Data - Silver Sponsor

Whether it’s for investigation, litigation or compliance, AccessData® offers industry-leading solutions that put the power of forensics in your hands. For 30 years, Access Data has worked with more than 130,000 clients in law enforcement, government agencies, corporations and law firms around the world to understand and focus on their unique collection-to-analysis needs. The result? Products that empower faster results, better insights, and more connectivity.

Learn More

No Starch Press - Rodeo Prize Sponsor

San Francisco–based No Starch Press has published the finest in geek entertainment since 1994, covering topics like hacking, open source, Linux, LEGO,​ STEM, and programming for all ages. Our titles have personality and attitude, our authors are passionate about their subjects, and we read and edit every book that bears our name. Our goal is to make computing accessible to technophobe and novice alike, and our readers appreciate our straightforward presentation and fearless approach to the complex world of technology.

Learn More

Google - Student Scholarship Sponsor

Google's mission is to organize the world's information and make it universally accessible and useful. Google is pleased to sponsor scholarships for students to attend DFRWS.

Learn More

Forensic Focus - Media Sponsor

Forensic Focus is the web's leading digital forensics portal for computer forensics and eDiscovery professionals. Founded in 2002, the site encourages open discussion and information sharing in support of best practice development within the digital forensics industry. Although perhaps best known for its busy forums, Forensic Focus also offers breaking industry news, a worldwide directory of computer forensics education courses, interviews with industry thought leaders, job vacancy listings, a growing articles section and a monthly email newsletter with over 16,000 subscribers.

Learn More


DomainTools helps security analysts turn threat data into threat intelligence. We take indicators from your network, including domains and IPs, and connect them with nearly every active domain on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure. Fortune 1000 companies, global government agencies, and leading security solution vendors use the DomainTools platform as a critical ingredient in their threat investigation and mitigation work. Learn more about how to connect the dots on malicious activity at or follow us on Twitter:@domaintools

Learn More